PREPARED BY:

Mr.B.Ramji,
Sr.AssistantProfessor
Cryptography and Network security

ATTACKS ON COMPUTERS
AND
COMPUTER SECURITY
 Definitions

Definitions

Computer Security - generic name for the collection of


tools designed to protect data and to thwart hackers
Network Security  - measures to protect data during
their transmission
Internet Security - measures to protect data during
their transmission
 over a collection of interconnected
networks
 Aspects of Security
Aspect of Security

Consider 3 aspects of information security:


Security attack

Security mechanism
Security service
 Security Attack

Security Attack
Any action that compromises the security
 of
information owned by an organization
Information security is about how to prevent
attacks, or failing that, to detect
 attacks on
information-based systems

Often threat & attack used to mean same thing

 Have a wide range of attacks

 Can focus of generic types of attacks


Passive Attack
Active Attack
Passive Attacks
Active Attacks
 Security Service
Enhance security of data processing
systems and information transfers of an

organization

Intended to counter security attacks
Using one or more security mechanisms

Often replicates functions normally associated with

physical documents
Which, for example, have signatures, dates; need
protection from disclosure, tampering, or
destruction; be notarized or witnessed; be
recorded or licensed
 Security Services
X.800:

“A service provided by a protocol layer of
communicating open systems, which ensures
 adequate security of the systems or of data transfers”

RFC 2828:

“A processing or communication service provided by a
system to give a specific kind of protection to system
resources”
 Security Services (X.800)
Authentication - assurance that the 
communicating entity is the one claimed
Access Control
 - prevention of the unauthorized use of a
resource
Data Confidentiality – protection
 of data from
unauthorized disclosure
Data Integrity - assurance
 that data received is as sent by
an authorized entity
Non-Repudiation - protection against denial by one of the
parties in a communication
 Security Mechanism

Featuredesigned to detect, prevent, or recover from a security

attack
No single
mechanism that will support all services
required
However one particular element
 underlies many of the
security mechanisms in use:
Cryptographic techniques

Hence our focus on this topic
 Security Mechanisms (X.800)

specific security mechanisms:
encipherment, digital signatures, access controls, data
integrity, authentication exchange, traffic padding,
routing control, notarization

pervasive security mechanisms:
trusted functionality,
 security labels, event
detection,

security audit trails, security recovery
Model for Network Security
 Model for Network Security
 
Using this model requires us to:
Design a suitable algorithm for the security
transformation
Generate the secret information (keys) used
by the algorithm
Develop methods to distribute and share the secret
information
Specify a protocol enabling the principals to
use the transformation and secret
information for a security service
Model for Network Access Security
 Model for Network Access Security

 Using this model requires us to:
Select appropriate gatekeeper functions
to identify users
Implement security controls to ensure only
authorised users access designated
information or resources
Trusted computer systems
 may be useful to help
implement this model
 Techniques

Many savages at the present day regard their

names as vital parts of themselves, and therefore
take great pains to conceal their real names, lest
these should give to evil-disposed persons a handle
by which to injure their owners.
—The Golden Bough, Sir James George Frazer
 Symmetric Encryption

Conventional / private-key/ single-key

 Sender and recipient share a common key

 All classical encryption algorithms are private-key
 Was only type prior to invention of public-key in
 1970’s

And by far most widely used
 Some BasicTerminology
Plaintext - original message
 Ciphertext - coded message
Cipher - algorithm for transforming plaintext to
ciphertext
Key - info used in cipher known only to ender/receiver
 Encipher (encrypt) - converting plaintext to ciphertext
Decipher (decrypt) - recovering ciphertext from
plaintext
Cryptography - study of encryption rinciples/methods
Cryptanalysis (codebreaking) - study of principles/ methods
of deciphering ciphertext without knowing key
Cryptology - field of both cryptography and
 
cryptanalysis
 Cryptography

Characterize cryptographic system by:
 Type of encryption operations used

 substitution / transposition / product
 Number of keys used 
 single-key or private / two-key or public
 Way in which plaintext
 is processed
block / stream
 Cryptanalysis

Objective to recover key not just message

 General approaches:


Cryptanalytic attack
Brute-force attack
 Cryptanalytic Attacks

Ciphertext only
Only know algorithm & ciphertext,
 is statistical, know
or can identify plaintext

Known plaintext

 know/suspect plaintext & ciphertext

 Chosen plaintext

 Select plaintext and obtain ciphertext

 Chosen ciphertext

 Select ciphertext and obtain plaintext

 Chosen text

Select plaintext or ciphertext to en/decrypt
 More Definitions

Unconditional security
No matter how much computer power or time is available,
the cipher cannot be broken since the ciphertext provides
insufficient information to uniquely determine the
corresponding plaintext

Computational security
Given limited computing resources (eg time needed for
calculations is greater than age of universe), the cipher

cannot be broken
 Brute Force Search

 Always possible to simply try every key

 Most basic attack, proportional to key size

Assume either know / recognize plaintext
Key Size (bits) Number of Time required at 1 Time required at
Alternative 106
Keys decryption/µs decryptions/µs

32 232 = 4.3 ´ 109 231 µs = 35.8 2.15 milliseconds

minutes
56 256 = 7.2 ´ 1016 255 µs = 1142 years 10.01 hours

128 2128 = 3.4 ´ 1038 2127 µs = 5.4 ´ 1024 5.4 ´ 1018 years
years
168 2168 = 3.7 ´ 1050 2167 µs = 5.9 ´ 1036 5.9 ´ 1030 years
years
 Classical Substitution Ciphers
Where letters of plaintext are replaced
 by other
letters or by numbers or symbols
if plaintext is viewed as a sequence of bits, then
substitution involves replacing
 plaintext bit patterns
with ciphertext bit patterns
 Caesar Cipher

Earliest known substitution cipher by Julius Caesar
First attested use
 in military affairs replaces each letter
by 3rd letter on

Example:

meet me after the toga party

PHHW PH DIWHU WKH WRJD SDUWB

 Caesar Cipher

can define transformation as:

abcdefghijklmnopqrstuvwxyz

DEFGHIJKLMNOPQRSTUVWXYZABC mathematically
give each letter a number

a b c d e f g h i j k l mn o p q r s t u v w x y 0 1 2 3 4 5 6
z
7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
then have Caesar cipher as:

c = E(p) = (p + k) mod (26)
 
p = D(c) = (c – k) mod (26)
 Cryptanalysis of Caesar Cipher

Only have 26 possible ciphers



A maps to A,B,..Z 


Could simply try each in turn 


A brute force search 


Given ciphertext, just try all shifts of letters

Do need to recognize when have plaintext
eg. break ciphertext "GCUA VQ DTGCM"
 Monoalphabetic Cipher

Rather than just shifting the alphabet

 Could shuffle
(jumble) the letters arbitrarily
Each plaintext
 letter maps to a different random ciphertext
letter
Hence key is 26 letters long
 Plain: abcdefghijklmnopqrstuvwxyz
 Cipher: DKVQFIBJWPESCXHTMYAUOLRGZN
 Plaintext: ifwewishtoreplaceletters

Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA
 Playfair Cipher
Not even the large number of keys in a 
monoalphabetic cipher provides security
One approach to improving security was to encrypt
multiple letters

The Playfair Cipher is an example
Invented by Charles Wheatstone
 in 1854, but named after
his friend Baron Playfair
 Play fair Key Matrix

 A 5X5 matrix of letters based on a keyword

 Fill in letters of keyword (sans duplicates)

 Fill rest of matrix with other letters

Eg. using the keyword MONARCHY

M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z
 Encrypting and Decrypting

Plaintext is encrypted two letters at a time
if both letters fall in the same row, replace
each with letter to right(wrapping back to
 start from end)
if both letters fall in the same column,
replace each with the letter below it (again
 wrapping to top from bottom)
otherwise each letter is replaced by the letter
in the same row and in the column of the
 other letter of the pair
 if a pair is a repeated letter, insert filler like
'X’
 Security of Playfair Cipher

Security much improved overmonoalphabetic since

 have 26 x 26 = 676 diagrams
Would need a 676 entry frequency table to analyse
(verses 26 for a monoalphabetic) and correspondingly

more ciphertext was widely used for many years
eg. by US & British military in WW1 
it can be broken, given a few hundred letters
since still has much of plaintext structure
 Polyalphabetic Ciphers

Polyalphabetic substitution ciphers

 Improve security using multiple cipher alphabets
Make cryptanalysis harder with more alphabets to guess
and flatter frequency distribution
Use a key to select
 which alphabet is used for each letter
of the message

Use each alphabet in turn

Repeat from start after end of key is reached
 Transposition Ciphers

Now consider classical

transposition or
permutation ciphers

These hide the message by rearranging the letter order

Without altering the actual letters used
Can recognise these since have the same frequency
distribution as the original text
 Rail Fence cipher

Write message letters out diagonally over a number of rows

Then read off cipher row by row

eg. write message out as:

mematrhtgpry
e t e f e t e oa a t
Giving ciphertext

MEMATRHTGPRYETEFET
AAT
 Row Transposition Ciphers
A more complex transposition
Write letters of message out in rows over a specified number
of columns

Then reorder the columns according to some key
before reading off the rows
Key: 3421567
Plaintext: a t t a c k p o s t
poneduntil
twoamxyz
Ciphertext:
TTNAAPTMTSUOAODWCOIXKNLYPETZ
 Product Ciphers

Ciphers using substitutions or transpositions

 are not
secure because of language characteristics
Hence consider using
 several ciphers in succession to
make harder, but:
two substitutions make a more

complex substitution
two transpositions make more

complex transposition
but a substitution followed by a transposition
 makes a new much harder cipher 
This is bridge from classical to modern ciphers
 Steganography

An alternative to encryption
Hides existence of message
using only a subset of letters/words in a
 longer message marked in some way

using invisible ink
hiding in LSB

in graphic image or sound file
Has drawbacks
High overhead to hide relatively few info bits
SYMMETRIC KEY CIPHERS

UNIT-2
SYMMETRIC KEY CIPHERS
 Modern Block Ciphers

Now look at modern block ciphers
One of the most widely used
 types of
cryptographic algorithms

Provide secrecy /authentication services

Focus on DES (Data Encryption Standard)

To illustrate block cipher design principles
 Block vs Stream Ciphers

Block ciphers process

messages in blocks, each of which
is then en/decrypted
Like a substitution 
on very big characters
64-bits or more
Stream ciphers process
 messages a bit or byte at a time
when en/decrypting

Many current ciphers are block ciphers

Broader range of applications
 Block Cipher Principles

Most symmetric  block ciphers are based on a Feistel

Cipher Structure
Needed since must be able todecrypt ciphertext to
recover messages efficiently
Block cipherslook like an extremely large
substitution
Would need table of 264 entries for a 64-bit block
Instead create from smaller building blocks using idea

of a product cipher
Ideal Block Cipher
 Claude Shannon and Substitution -
Permutation Ciphers
Claude Shannon introduced idea of substitution-

permutation (S-P) networks in 1949 paper 


Form basis of modern block ciphers 
S-P nets are based on the two primitive

Cryptographic operations seen before:

substitution (S-box)

permutation (P-box)
Provide confusion & diffusion of message & key
 Confusion and Diffusion

CApher needs to completely obscure

statistical properties of original message
A one-time pad does this
More practically Shannon suggested combining S
& P elements to obtain:
Diffusion – dissipates statistical structure
of plaintext over bulk of ciphertext
Confusion – makes relationship between
ciphertext and key as complex as possible
 Feistel Cipher Structure

Horst Feistel devised the feistel cipher
 based on concept of invertibleproduct cipher
partitions input block into two halves


process through multiple rounds which

perform a substitution on left data half

based on round function of right half & subkey
then have permutation swapping 
halves 
implements Shannon’s S-P net concept
Feistel Cipher Structure
Feistel Cipher Design Elements
Block size
Key size
Number of rounds
Subkey generation algorithm
Rround function
Fast software en/decryption

Ease of analysis
Feistel Cipher Decryption
 Data Encryption Standard (DES)

Most widely used block cipher in world

Adopted in 1977 by NBS (now NIST) as FIPS PUB 46

Encrypts 64-bit data using 56-bit key has widespread use

Has been considerable controversy over its security
DES Encryption Overview
 DES Design Controversy

Although DES standard is public

Was considerable controversy over design

 in choice of 56-bit key (vs Lucifer 128-bit)

and because design criteria were classified

Subsequent events and public analysis show in fact design
was appropriate 
Use of DES has flourished
 especially in financial applications
still standardised for legacy application use
 Initial Permutation IP

First step of the data computation

IP reorders the input data bits

Even bits to LH half, odd bits to RH half

Quite regular in structure (easy in h/w)
Example:
IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)
 DES Round Structure

Uses two 32-bit L & R halves

As forany Feistel cipher can describe as: Li =
Ri–1
Ri = Li–1 F(Ri–1, Ki)

F takes 32-bit R half and 48-bit subkey:

 Expands R to 48-bits using perm E


Adds to subkey using XOR
 Passes through 8 S-boxes to get 32-bit result
Finally permutes using 32-bit perm P
DES Round Structure
 Substitution Boxes

Have eight S-boxes which map 6 to 4 bits

Each S-box is actually 4 little 4 bit boxes

 outer bits 1 & 6 (row bits) select one row of 4


inner bits 2-5 (col bits) are substituted
result is 8 lots of 4 bits, or 32 bits
Row selection depends on both data & key
 feature
 known as autoclaving (autokeying)
Example:
S(18 09 12 3d 11 17 38 39) = 5fd25e03
 DES Key Schedule

Forms subkeys used in each round
 initial permutation of the key (PC1) which selects
56-bits in two 28-bit halves 16 stages consisting of:

rotating each half separately either 1 or 
2 places
 depending onthe key rotation schedule K
 selecting 24-bits from each half &permuting them
by PC2 for use in round function F
Note practical use issues in h/w vs s/w
 DES Decryption

Decrypt must unwind steps of data computation
With Feistel design, do encryption steps
 again using
subkeys in reverse order (SK16 … SK1)


IP undoes final FP step of encryption

1st round with SK16 undoes 16th encrypt round
16th round with SK1 undoes 1st encrypt round

then final FP undoes initial encryption IP
thus recovering original data value
 Avalanche Effect


key desirable property of encryption algorithm
where a change of one input or key bit results

in changing approx half output bits 
making attempts to “home-in” by guessing

keys impossible
DES exhibits strong avalanche
 Strength of DES – Key Size


56-bit keys have 256 = 7.2 x 1016 values

brute force search looks hard 


recent advances have shown is possible

in 1997 on Internet in a few months

in 1998 on dedicated h/w (EFF) in a few days

in 1999 above combined in 22hrs!

still must be able to recognize plaintext
must now consider alternatives to DES
 Strength of DES – Analytic Attacks

Now have several analytic attacks on DES

These utilise some deep structure of the cipher


by gathering information about encryptions
can eventually recover some/all of the sub-
 key bits
if necessary then exhaustively search

for the rest
Generally these are statistical attacks

Include

 differential cryptanalysis
 linear cryptanalysis
related key attacks
Strength of DES – Timing Attacks

Attacks actual implementation of cipher
Use knowledge of consequences of implementation
 to
derive information about some/all subkey bits
specifically use fact that calculations can take varying times

depending on the value of the inputs to it

Particularly problematic on smartcards
 Differential Cryptanalysis
One of the most
 significant recent (public) advances in
cryptanalysis 
Known by NSA in 70's cf DES design

Murphy, Biham & Shamir published in 90’s

Powerful method to analyse block ciphers
Used to analyse most current block
 ciphers
with varying degrees of success 
DES reasonably resistant to it, cf Lucifer
 Differential Cryptanalysis
A statistical attack against Feistel ciphers uses

 cipher structure not previously used
Design of S-P networks has output of function f
 influenced by both input & key
Hence cannot trace values back through
 cipher
without knowing value of the key
Differential cryptanalysis
 compares two related pairs
of encryptions
Differential Cryptanalysis Compares
Pairs of Encryptions
With a known difference in the input
searching for a known difference in
output when same subkeys are used
 Differential Cryptanalysis

Have some input difference giving

 some output
difference with probability p
If find instances of some higher
 probability input / output
difference pairs occurring

can infer subkey that was used in round
then must iterate processover many rounds (with
decreasing probabilities)
Differential Cryptanalysis
 Differential Cryptanalysis
Perform attack by repeatedly encrypting plaintext pairs with
known input XOR until obtain desired output XOR
When found 
if intermediate rounds match required XOR have a right
pair if not then have a wrong pair, relative ratio is S/N
for attack
Can then deduce keys values for the rounds


 right pairs suggest same key bits

wrong pairs give random values

For large numbers of rounds, probability isso low that more pairs
are required than exist with 64-bit inputs
Biham and Shamir have shown how a 13-rounditerated
characteristic can break the full 16-round DES
 Linear Cryptanalysis

Another recent development also a statistical

method
must be iterated over rounds, with
decreasing probabilities
developed by Matsui et al in early 90's
based on finding linear approximations
can attack DES with 243 known plaintexts,
easier but still in practise infeasible
 Linear Cryptanalysis
Find linear approximations with prob p != ½

P[i1,i2,...,ia] C[j1,j2,...,jb] = K[k1,k2,...,kc]
where ia,jb,kc are bit locations in P,C,K

Gives linear equation for key bits

Get one key bit using max likelihood alg

Using a large number of trial encryptions

Effectiveness given by: |p–1/2|
 AES Requirements

Private key symmetric block cipher

128-bit data, 128/192/256-bit keys

Stronger & faster than Triple-DES

Active life of 20-30 years (+ archival use)

Provide full specification & design details

Both C & Java implementations
NIST havereleased all submissions & unclassified
analyses
 AES Evaluation Criteria

Initial criteria:
 Security – effort for practical cryptanalysis

Cost – in terms of computational efficiency
Algorithm
& implementation characteristics
Final criteria
 General security

Ease of software & hardware implementation

Implementation attacks
Flexibility (in en/decrypt, keying, other factors)
 AES Shortlist

After testing and evaluation, shortlist in Aug-99:
 MARS (IBM) - complex, fast, high security margin

RC6 (USA) - v. simple, v. fast, low security margin
 Rijndael (Belgium) - clean, fast, good security margin

Serpent (Euro) - slow, clean, v. high security margin
Twofish (USA) - complex, v. fast, high security margin
Then subject to further analysis & comment

Saw contrast between algorithms with

 few complex rounds verses many simple rounds

which refined existing ciphers verses new proposals
 The AES Cipher - Rijndael

Designed by Rijmen-Daemen in Belgium

Has 128/192/256 bit keys, 128 bit data

An iterative rather than feistel cipher

 Processes data as block of 4 columns of 4 bytes

Operates onentire data block in every round
Designed to be:
 Resistant against known attacks

Speed and code compactness on many CPUs
Design simplicity
 Rijndael

Data block of 4 columns of 4 bytes is state

Key is expanded to array of words

Has 9/11/13 rounds in which state undergoes:
byte substitution (1 S-box used on every byte)

shift rows (permute bytes

between groups/columns)

mix columns (subs using matrix multipy of groups)

add round key (XOR state with key material)
view as alternating XOR key & scramble data bytes

Initial XOR key material & incomplete last round

With fast XOR & table lookup implementation
Rijndael
 Byte Substitution

A simple substitution of each byte
Uses one table of 16x16 bytes containing
 a
permutation of all 256 8-bit values
Each byte of state is replaced by byte indexed by row
(left 4-bits) & column (right 4-bits)
eg. byte {95} is replaced by byte in row
9 column 5 which has value {2A}

S-box constructed using defined transformation of
values in GF(28)

Designed to be resistant to all known attacks
Byte Substitution
 Shift Rows

A circular byte shift in each each
 1st row is unchanged
 2nd row does 1 byte circular shift to left

3rd row does 2 byte circular shift to left
4th row does 3 byte circular shift to left

Decrypt inverts using shifts to right since state is
processed by columns, this step permutes bytes
between the columns
Shift Rows
 Mix Columns

Each column is processed separately
Each byte is replaced
 by a value dependent on all 4 bytes
in the column
Effectively a matrix multiplication in GF(28) using
8 4 3 
prime poly m(x) =x +x +x +x+1
Mix Columns
 Mix Columns

Can express each col as 4 equations
 to derive each new byte in col 
Decryption requires use of inverse matrix
with larger coefficients, hence
a little harder
Have an alternate characterisation

each column a 4-term polynomial

with coefficients in GF(28)
and polynomials multiplied modulo (x4+1)
 Add Round Key

XOR state with 128-bits of the round key
Again processed by column (though effectively a series
of byte operations)

Inverse for decryption identical
 since XOR own inverse, with 
reversed keys
designed to be as simple as possible


A form of Vernam cipher on expanded key
requires other stages for complexity / security
Add Round Key
AES Round
 AES Key Expansion
Takes 128-bit (16-byte) key and expands into

array of 44/52/60 32-bit words

Start by copying key into first 4 words
Then loop creating words that depend on

values in previous & 4 places back

in 3 of 4 cases just XOR these together
1st word in 4 has rotate + S-box + XOR round
constant on previous, before XOR 4th back
AES Key Expansion
 Key Expansion Rationale

Designed to resist known attacks

Design criteria included

 knowing part key insufficient to find many more

 invertible transformation
 fast on wide range of CPU’s

use round constants to break symmetry

diffuse key bits into round keys

enough non-linearity to hinder analysis
simplicity of description
 AES Decryption
AES decryption is not 
identical to encryption since
steps done in reverse
But can define an equivalent
 inverse cipher with
steps as for encryption


but using inverses of each step
with a different key schedule
Works since result is unchanged when
 swap byte substitution & shift rows
swap mix columns & add (tweaked) round key
AES Decryption
 Multiple Encryption & DES

Clear a replacement for DES was needed


theoretical attacks that can break it

demonstrated exhaustive key search attacks 


AES is a new cipher alternative 
Prior to this alternative was to use multiple

encryption with DES implementations
Triple-DES is the chosen form
 Double-DES?

Could use 2 DES encrypts on each block
 C = EK2(EK1(P)) 
Issue of reduction to single stage

and have “meet-in-the-middle” attack

 works whenever use a cipher twice


since X = EK1(P) = DK2(C)

attack by encrypting P with all keys and store

then decrypt C with keys and match X value
can show takes O(256) steps
 Triple-DES with Two-Keys
Hence must use 3 encryptions

would seem to need 3 distinct keys
But can use 2 keys with E-D-E sequence

C = EK1(DK2(EK1(P)))

nb encrypt & decrypt equivalent in security

if K1=K2 then can work with single DES
Standardized in ANSI X9.17 & ISO8732
No current known practical attacks
 Triple-DES with Three-Keys
Although are no practical attacks
 on two-key Triple-
DES have some indications
Can use
 Triple-DES with Three-Keys to avoid even
these
C = EK3(DK2(EK1(P)))
Has been adoptedby some Internet applications,
eg PGP, S/MIME
 Blowfish
A symmetric block cipher
 designed by Bruce
Schneier in 1993/94

Characteristics
fast implementation on 32-bit CPUs, 18
 clock cycles per byte

compact in use of memory, less than 5KB
 simple structure for analysis/implementation
variable security by varying key size
Allows tuning for speed/security tradeoff
 Blowfish Key Schedule

Uses a 32 to 448 bit key

Used to generate


18 32-bit subkeys stored in P-array: P1 to P18
S-boxesstored in Si,j,
 i=1..4

j=0..255
 Blowfish Encryption

Uses two primitives: addition & XOR

Data is divided into two 32-bit halves L0 & R0

for i = 1 to 16 do
Ri = Li-1 XOR Pi;
F[Ri] XOR Ri-1;
Li =
=R XOR P18;
L17 16

= L16 XOR i17;

R17
where
F[a,b,c,d] = ((S1,a + S2,b) XOR
S3,c) + S4,a
Break 32-bit Ri into (a,b,c,d)
 Modes of Operation

Block ciphers encrypt fixed size blocks
eg. DES encrypts 64-bit blocks with 56-bit key
Need some
 way to en/decrypt arbitrary amounts of data in
practise
ANSI X3.106-1983 Modes of Use (now FIPS 81)
defines 4 possible modes

Subsequently 5 defined for AES & DES
have block and stream modes
 Electronic Codebook Book (ECB)
Message is broken
 into independent blocks which
are encrypted
Each block is a value which
 is substituted, like a
codebook, hence name
Each block
 is encoded independently of the other
blocks
Ci = DESK1(Pi) 
Uses: secure transmission of single values
Electronic Codebook Book (ECB)
 Advantages and Limitations of ECB

Message repetitions may show in ciphertext
 if aligned with message block

particularly with data such graphics
or with messages that change very little,

which become a code- book analysis problem
Weakness is due to the encrypted message
blocks being independent

Main use is sending a few blocks of data
 Cipher Block Chaining (CBC)

Message is broken into blocks

Linked together in encryption operation
Each previous cipher blocks ischained with current
plaintext block, hence name
Use Initial Vector (IV) to start process
Ci = DESK1(Pi XOR Ci-1)
C-1= IV

Uses: bulk data encryption, authentication
Cipher Block Chaining (CBC)
 Message Padding

At end of message must handle a possible last short block


which is not as large as blocksize of cipher

pad either with known non-data value (eg nulls)
or pad last block along with count of pad size

eg. [ b1 b2 b3 0 0 0 0 5]
 pad+count 
means have 3 data bytes, then 5 bytes

this may require an extra entire block over


those in message
There are other, more esoteric
 modes, which avoid the
need for an extra block
 Advantages and Limitations of CBC

Aciphertext block depends on all blocks before it
Any change to a block
 affects all following
ciphertext blocks

Need Initialization Vector (IV)
 which must be known to sender & receiver
if sent in clear, attacker can change bits of first
block, and change IV to compensate hence IV

must either be a fixed value (as in EFTPOS)
or must be sent encrypted in ECB
mode before rest of message
 Cipher FeedBack (CFB)

Message is treated as a stream of bits

added to the output of the block cipher

Result is feed back for next stage (hence name)
Standard allowsany number of bit (1,8, 64 or 128 etc)
to be feed back
denoted CFB-1, CFB-8, CFB-64, CFB-128 etc

Most efficient to use all bits in block (64 or 128)
Ci = Pi XOR DESK1(Ci-1)
C-1 = IV 
Uses: stream data encryption, authentication
Cipher FeedBack (CFB)
 Advantages and Limitations of CFB

Appropriate when data arrives in 

bits/bytes most common stream mode
Limitation is needto stall while do block encryption
after every n-bits
Note that the block cipher is used in encryption
mode at both ends

Errors propogate for several blocks after the error
 Output FeedBack (OFB)

Message is treated as a stream of bits

Output of cipher is added to message

Output is then feed back (hence name)

Feedback is independent of message
Can be computed in advance
Ci= Pi XOR Oi
Oi= DESK1(Oi-1) O-1
IV 
Uses: stream encryption on noisy channels
 Advantages and Limitations of OFB

Bit errors do not propagate

More vulnerable to message stream modification

Avariation of a Vernam cipher
hence must never reuse the same
 sequence (key+IV) 
Sender & receiver must remain in sync

Originally specified with m-bit feedback
Subsequent research has shown that only full block

feedback (ie CFB-64 or CFB-128) should ever be used
 Counter (CTR)

A “new” mode, though proposed early on
Similar to OFB but encrypts
 counter value rather than
any feedback value
Must have a different key & counter
 value for every
plaintext block (never reused)

Ci = Pi XOR Oi
 Oi= DESK1(i) 
Uses: high-speed network encryptions
Counter (CTR)
ADVANTAGES and Limitations of CTR

Efficiency


can do parallel encryptions in h/w or s/w

can preprocess in advance of need
good for bursty high speed links
Random access to encrypted data blocks

Provable security (good as other modes)
But must ensure never reuse key/counter
 values,
otherwise could break (cf OFB)
 Stream Ciphers

Process message bit by bit (as a stream)

Have a pseudo random keystream

Combined (XOR) with plaintext bit by bit
Randomness of stream key completely  destroys
statistically properties in message
Ci = Mi XOR StreamKeyi 
But must never reuse stream key
otherwise can recover messages (cf book cipher)
Stream Cipher Structure
 Stream Cipher Properties

Some design considerations are:


long period with no repetitions

statistically random

depends on large enough key
large linear complexity

Properly designed, can be as secure as a block cipher

with same size key but usually simpler & faster
 RC4


A proprietary cipher owned by RSA DSI 


Another Ron Rivest design, simple but effective 


Variable key size, byte-oriented stream cipher 


Widely used (web SSL/TLS, wireless WEP)
Key forms random permutation of all 8-bit

values
Uses that permutation to scramble input
info processed a byte at a time
 RC4 Key Schedule

Starts with an array S of numbers: 0..255

use key to well and truly shuffle
S forms internal state of the cipher
for i = 0 to 255 do
S[i] = i
T[i] = K[i mod keylen])
j = 0
for i = 0 to 255 do
j = (j + S[i] + T[i]) (mod 256)
swap (S[i], S[j])
 RC4 Encryption

Encryption continues shuffling array values
Sum of shuffled pair selects "stream key" value from
permutation
XOR S[t] with next byte of message to en/decrypt
 
i=j=0

 for each message 

byte Mi i = (i + 1)
 (mod 256)

j = (j + S[i]) (mod 256)

swap(S[i], S[j])

t = (S[i] + S[j]) (mod 256) Ci =
Mi XOR S[t]
RC4 Overview
 RC4 Security
Claimed secure against known attacks
have some analyses, none practical

Result is very non-linear


Since RC4 is a stream cipher, must never reuse a key

Have a concern with WEP, but due to key handling rather
than RC4 itself
 Placement of Encryption

Have two major placement alternatives

Link encryption

 encryption occurs independently on every link


implies must decrypt traffic between links
requires many devices,

but paired keys
End-to-end encryption
encryption occurs between original source
 and final destination
need devices at each end with shared keys
Placement of Encryption
 Placement of Encryption
When using end-to-end
 encryption must leave
headers in clear
so network can correctly route information

Hence although contents protected, traffic pattern flows
are not
Ideally want both at once
end-to-end protects data contents over
 entire path and provides authentication
link protects traffic flows from monitoring
 Placement of Encryption
Can place encryption
 function at various layers in OSI
Reference Model


link encryption occurs at layers 1 or 2
end-to-end can occur at layers 3, 4, 6, 7

as move higher less information is encrypted
but it is more secure though more complex with
more entities and keys
 Private-Key Cryptography
Traditional private/secret/single key

 cryptography uses one key
Shared by both sender and receiver
If this key is disclosed
communications are compromised
Also is symmetric, parties are equal
Hence does not protect sender from receiver
forging a message & claiming is sent by sender
 Public-Key Cryptography
Probably most significant
 advance in the 3000 year history
of cryptography

Uses two keys – a public & a private key

Asymmetric since parties are not equal
Uses clever
 application of number theoretic concepts to
function

Complements rather than replaces private key crypto
 Why Public-Key Cryptography?
Developed to address two key issues:
key distribution – how to have secure
communications in general without having to
 trust a KDC with your key
digital signatures – how to verify a message
 comes intact from the claimed sender
Public invention due to Whitfield Diffie &
Martin Hellman at Stanford Uni in 1976
known earlier in classified community
 Public-Key Cryptography
Public-key/two-key/asymmetric
cryptography involves the use of two keys:
a public-key, which may be known by anybody,
and can be used to encrypt messages, and verify
 signatures
a private-key, known only to the recipient,
 used to
 decrypt messages, and sign (create) signatures
Is asymmetric because
those who encrypt messages or verify
 signatures cannot
decrypt messages or create signatures
Public-Key Cryptography
 Public-Key Characteristics
Public-Key algorithms rely on two keys where:

it is computationally infeasible to
 find decryption key
knowing only algorithm & encryption key

it is computationally easy to en/decrypt
messages when the relevant (en/decrypt) key
is known

either of the two related keys can be used for
encryption, with the other used for decryption
(for some algorithms)
Public-Key Cryptosystems
 Public-Key Applications

Can classify uses into 3 categories:


encryption/decryption (provide secrecy)

digital signatures (provide authentication)

key exchange (of session keys)
Some algorithms are suitable for all uses, others
are specific to one
 Security of Public Key Schemes
Like private key schemes brute force
exhaustive search attack is always
theoretically possible
But keys used are too large (>512bits)
Security relies on a large enough difference in
difficulty between easy (en/decrypt) and hard
(cryptanalyse) problems
More generally the hard problem is known,
but is made hard enough to be impractical to
break
Requires the use of very large numbers
hence is slow compared to private key
schemes
 RSA

By Rivest, Shamir & Adleman of MIT in 1977

best known & widely used public-key scheme
Based on exponentiationin a finite (Galois) field over
integers modulo a prime
nb. exponentiation takes O((log n)3)
 operations (easy)

Uses large integers (eg. 1024 bits)

Security due to cost of factoring large numbers
nb. factorization takes O(e log n log log
n) operations (hard)
 RSA Key Setup

Each user generates a public/private key pair by:

selecting two large primes at random – p,q

Computing their system modulus n=p.q


note ø(n)=(p-1)(q-1)
Selecting at random the encryptionkey e
 where 1<e<ø(n), gcd(e,ø(n))=1

Solve following equation to find decryption key d
 e.d=1 mod ø(n) and 0≤d≤n 
Publish their public encryption key: PU={e,n}

Keep secret private decryption key: PR={d,n}
 RSA Use
To encrypt a message M the sender:

obtains public key of recipient PU={e,n}

computes: C = Me mod n, where 0≤M<n
To decrypt the ciphertext C the owner:

uses their private key PR={d,n}
computes: M = Cd mod n

Note that the message M must be smaller than
the modulus n (block if needed)
 Why RSA Works
Because of Euler's Theorem:
 aø(n)mod
n = 1 where gcd(a,n)=1
in RSA have:
 n=p.q
ø(n)=(p-1)(q-1)
 carefully chose e & d to be inverses mod ø(n)
 hence

e.d=1+k.ø(n) for some k
Hence :

Cd = Me.d = M1+k.ø(n)= M1.(Mø(n))k

= M1.(1)k = M1 = M mod n
 RSA Example - Key Setup

Select primes: p=17 & q=11

Compute n = pq =17 x 11=187

Compute ø(n)=(p–1)(q-1)=16x10=160

Select e: gcd(e,160)=1; choose e=7

Determine d: de=1 mod 160 and d <160 Value is

d=23 since 23x7=161=10x160+1

Publish public key PU={7,187} Keep
 secret private key PR={23,187}
 RSA Example - En/Decryption

Sample RSA encryption/decryption is:

Given message M = 88(nb. 88<187)

Encryption:

 C = 887 mod 187 = 11

Decryption:

M = 1123 mod 187 = 88
 Key Management
Public-key
encryption helps address key distribution
problems

Have two aspects of this:
distribution of public keys

use of public-key encryption to distribute
secret keys
 Distribution of Public Keys
Can be considered as using one of:

public announcement

publicly available directory

public-key authority
public-key certificates
 Public Announcement
Users distribute public keys
torecipients or broadcast to
community at large
eg. append PGP keys to email messages
 or post to news groups or email list
Major weakness is forgery
anyone can create a key claiming to
 be someone else and broadcast it
until forgery is discovered can masquerade
as claimed user
 Publicly Available Directory
Can obtain greater security by registering keys
with a public directory
Directory must be trusted with properties:

contains {name,public-key} entries

participants register securely with directory

participants can replace key at any time

directory is periodically published

directory can be accessed electronically
Still vulnerable to tampering or forgery
 Public-Key Authority
Improve security by tightening control over
distribution of keys from directory has properties
of directory and requires users to know public key
for the directory
then users interact with directory to obtain any
desired public key securely
does require real-time access to directory
when keys are needed
Public-Key Authority
 Public-Key Certificates
Certificates allow key exchange without real-
time access to public-key authority
A certificate binds identity to public key
usually with other info such as period
 of validity, rights of use etc
With all contents signed by a trusted Public-Key
or Certificate Authority (CA)
Can be verified by anyone who knows the
public-key authorities public-key
Public-Key Certificates
Public-Key Distribution of Secret Keys

Use previous methods to obtain public-key

Can use for secrecy or authentication

But public-key algorithms are slow
So usually want to use private-key encryption to protect

 message contents hence need a session key

Have several alternatives for negotiating a suitable session
 Simple Secret Key Distribution

Proposed by Merkle in 1979


A generates a new temporary public key pair
A sends B the public key and their identity

B generates a session key K sends it to A

encrypted using the supplied public key
A decrypts the session key and both use

Problem is that an opponent can intercept
 and
impersonate both halves of protocol
Public-Key Distribution of Secret Keys

if have securely exchanged public-keys:
 Hybrid Key Distribution

Retain use of private-key KDC

Shares secret master key with each user

Distributes session key using master key

Public-key used to distribute master keys
especially

useful with widely distributed users
Rationale


performance
backward compatibility
 Diffie-Hellman Key Exchange

First public-key type scheme proposed
By Diffie & Hellman in 1976 alongwith the
exposition of public key concepts
note: now know that Williamson (UK CESG)
secretly proposed the concept in 1970

is a 
practical method for public exchange of a secret
key

used in a number of commercial products
 Diffie-Hellman Key Exchange

A public-key distribution scheme
 cannot be used to exchange an arbitrary message

rather it can establish a common key
known only to the two participants

Value of key depends on the participants
 (and their
private and public key information)
Based on exponentiation in a finite (Galois)
 field
(modulo a prime or a polynomial) - easy
Security relies on the difficulty of computing
 discrete
logarithms (similar to factoring) – hard
 Diffie-Hellman Setup

All users agree on global parameters:


large prime integer or polynomial q
a being a primitive root mod q

Each user (eg. A) generates their key
chooses a secret key (number): xA <q
compute their public key: y = axA modqA

Each user makes public that key yA
 Diffie-Hellman Key Exchange

shared session key for users A & B is KAB:
a
yA
yBxA mod q(which A can compute)
KAB is used as session key in private-key
 encryption
scheme between Alice and Bob
if Alice and Bob subsequently communicate, they will
have the same
 key as before, unless they choose new
public-keys
modqKABxBmodq(whichBcancompute)
attacker needs an x, must solve discrete logxA.xB 
 Diffie-Hellman Example
Users Alice & Bob who wish to swap keys:

Agree on prime q=353 and a=3
Select random secret keys:
A chooses xA=97, B chooses xB=233
compute respective public keys:
 
yA=3 97 mod 353 = 40 (Alice)
 yB=3233 mod 353 = 248 (Bob)
compute shared session key as:
K = y xA mod 353 = 24897 = 160 (Alice)
AB B

KAB= yA xB mod 353 = 40233 = 160 (Bob)
 Key Exchange Protocols
users could create random
 private/public D-H keys each time
they communicate
users could create a known private/public D-H key and
publish in a directory, then
 consulted and used to securely
communicate with them
both of these are vulnerable to a meet-in-the-Middle
Attack

authentication of the keys is needed
 Elliptic Curve Cryptography
majority of public-key crypto (RSA, D-H) use either integer
or polynomial arithmetic with very large

numbers/polynomials
imposes a significant
 load in storing and processing keys
and messages

an alternative is to use elliptic curves

offers same security with smaller bit sizes

newer, but not as well analysed
MESSAGE AUTHENTICATION ALGORITHM
AND HASH FUNCTIONS
 Message Authentication

Message authentication is concerned with:
 protecting the integrity of a message

validating identity of originator
non-repudiation of origin (disputeresolution)
Will consider the security requirements

Then three alternative functions used:

 message encryption

message authentication code (MAC)
hash function
 Security Requirements

Disclosure

Traffic analysis

Masquerade

Content modification

Sequence modification

Timing modification

Source repudiation

Destination repudiation
 Message Encryption
Mmessage encryption by itself
 also provides a
measure of authentication

If symmetric encryption is used then:


receiver know sender must have created it

since only sender and receiver now key used
know content cannot of been altered

if message has suitable structure, redundancy or
a checksum to detect any changes
 Message Encryption

If public-key encryption is used:
 Encryption provides no confidence of sender

Since anyone potentially knows public-key
However if 
 sender signs message using their private-key

 then encrypts with recipients public key

 have both secrecy and authentication

 Again need to recognize corrupted messages

But at cost of two public-key uses on message
Message Authentication Code (MAC)
Generated by an algorithm that creates a small
fixed- sized block

depending on both message and some key

like encryption though need not be reversible
Appended to message as a signature
Receiver performs same computation on
message and checks it matches the MAC
Provides assurance that message is unaltered
and comes from sender
Message Authentication Code
Message Authentication Codes

As shown the MAC provides authentication

Can also use encryption for secrecy


generally use separate keys for each
can compute MAC either before or
 after encryption
is generally regarded

as better done before 
Why use a MAC?
 sometimes only authentication is needed
sometimes need authentication to persist
 longer than the encryption (eg. archival
 use)
Note that a MAC is not a digital signature
 MAC Properties
a MAC is a cryptographic checksum
 MAC = CK(M)

condenses a variable-length message M

using a secret key K
to a fixed-sized authenticator


is a many-to-one function

potentially many messages have same MAC
but finding these needs to be very difficult
 Requirements for MACs

Taking into account the types of attacks

Need the MAC to satisfy the following:
knowing a message and MAC, is infeasible

to find another message with same MAC
MACs should be uniformly distributed

MAC should depend equally on all bits of
the message
 Using Symmetric Ciphers for MACs
Can use any block
 cipher chaining mode and use final
block as a MAC
Data Authentication Algorithm (DAA) is a
widely used MAC based on DES-CBC


using IV=0 and zero-pad of final block

encrypt message using DES in CBC mode
and send just the final block as the MAC
or the leftmost M bits (16≤M≤64)  of final block
But final MAC is now too small for security
Data Authentication Algorithm
 Hash Functions

condenses arbitrary message to fixed size

 h = H(M)
usuallyassume that the hash function is public and not
keyed
cf. MAC which is keyed 
hash used to detect changes to message

can use in various ways with message

most often to create a digital signature
Hash Functions & Digital Signatures
 Requirements for Hash Functions

Can be applied to any sized message
 M Produces fixed-length output h
is easy to compute h=H(M)for anymessage M
Given his infeasible to find xs.t. H(x)=h
 one-way property 
Given xis infeasible to find ys.t. H(y)=H(x)
 weak collision resistance 
Is infeasible to find any x,y s.t. H(y)=H(x)
strong collision resistance
 Simple Hash Functions
There are several proposals for simple
 functions
 based on XOR of message blocks
not secure since can manipulate any message
 and either
not change hash or change hash also
need a stronger
 cryptographic function (next
chapter)
 Hash and MAC Algorithms

Hash Functions
 condense arbitrary size message to fixed size

by processing message in blocks

through some compression function
either custom or block cipher 
based
Message Authentication Code (MAC)
 fixed sized authenticator for some message

to provide authentication for message
by using block cipher mode or hash function
 Secure Hash Algorithm

SHA originally designed by NIST & NSA in 1993

was revised in 1995 as SHA-1

US standard for use with DSA signature scheme


standard is FIPS 180-1 1995, also Internet RFC3174
nb. the algorithm is SHA, the standard is SHS

based on design of MD4 with key differences

produces 160-bit hash values
recent 2005 results on security of SHA-1  have raised
concerns on its use in future applications
 Revised Secure Hash Standard

NIST issued revision FIPS 180-2 in 2002
Adds 3 additional versions of SHA 
SHA-256, SHA-384, SHA-512
Designed for compatibility with increased security
provided by the AES cipher

Structure & detail is similar to SHA-1

Hence analysis should be similar

But security levels are rather higher
SHA-512 Overview
 SHA-512 Compression Function

Heart of the algorithm

Processing message in 1024-bit blocks

Consists of 80 rounds
updating a 512-bit buffer

using a 64-bit value Wt derived from the
current message block

and a round constant based on cube root of
first 80 prime numbers
SHA-512 Round Function
SHA-512 Round Function
 Whirlpool

Now examine the Whirlpool hash function

Endorsed by European NESSIE project
Uses modified
 AES internals as compression
function
Addressingconcerns on use of block ciphers seen
previously
With performance comparableto
dedicated algorithms like SHA
Whirlpool Overview
 Whirlpool Block Cipher W

Designed specifically for hash function use

With security and efficiency of AES

But with 512-bit block size and hence hash

Similar structure & functions as AES but


input is mapped row wise

has 10 rounds

a different primitive polynomial for GF(2^8)
uses different S-box design & values
Whirlpool Block Cipher W
Whirlpool Performance & Security

Whirlpool is a very new proposal

Hence little experience with use

But many AES findings should apply
Does seem to need more h/w than SHA, but with better
resulting performance
 Keyed Hash Functions as MACs

Want a MAC based on a hash function


because hash functions are generally faster
code for crypto hash functions widely

available
Hash includes a key along with message

Original proposal:


KeyedHash = Hash(Key|Message)
 some weaknesses were found with

this
Eventually led to development of HMAC
 HMAC

Specified as Internet standard RFC2104

Uses hash function on the message:

HMACK = Hash[(K+ XOR opad) ||

Hash[(K+ XOR ipad)||M)]]
Where K+ is the key padded out to size

And opad, ipad are specified padding constants

Overhead is just 3 more hash calculations than the
message needs alone

Any hash function can be used
eg. MD5, SHA-1, RIPEMD-160, Whirlpool
HMAC Overview
 HMAC Security
Proved security of HMAC relates to that of the
underlying hash algorithm

Attacking HMAC requires either:
 brute force attack on key used
birthday attack (but since keyed would need

to observe a very large number of messages)
Choose hash function used based on speed verses
security constraints
 CMAC


Previously saw the DAA (CBC-MAC)

Widely used in govt & industry

But has message size limitation

Can overcome using 2 keys & padding 
Thus forming the Cipher-based Message

Authentication Code (CMAC)
Adopted by NIST SP800-38B
CMAC Overview
 Digital Signature Standard

(DSS)
US Govt approved signature scheme

Designed by NIST & NSA in early 90's

Published as FIPS-186 in 1991

Revised in 1993, 1996 & then 2000

Uses the SHA hash algorithm

DSS is the standard, DSA is the algorithm
FIPS 186-2 (2000) includes
 alternative RSA & elliptic curve
signature variants
 Digital Signature Algorithm (DSA)

Creates a 320 bit signature

With 512-1024 bit security

Smaller and faster than RSA

A digital signature scheme only
Security depends ondifficulty of computing
discrete logarithms

Variant of ElGamal & Schnorr schemes
Digital Signature Algorithm (DSA)
 DSA Key Generation

Have shared global public key values (p,q,g):
 choose q, a 160 bit
choose a large prime p = 2L

where L= 512 to 1024 bits and is a multiple
of 64 
 and q is a prime factor of (p-1)
 choose g = h(p-1)/q 
 where h<p-1, h(p-1)/q (mod p) > 1

Users choose private & compute public key:


choose x<q
compute y = gx (mod p)
 DSA Signature Creation

To sign a message Mthe sender:
generates a random signature key k, k<q

nb. k must be random, be destroyed after
 use, and never be reused

Then computes signature pair:

 r = (gk(mod p))(mod q)

 s = (k-1.H(M)+ x.r)(mod q)

Sends signature (r,s) with message M
 DSA Signature Verification

Having received M & signature (r,s)

To verify a signature, recipient computes: w
= s-1(mod q)

u1= (H(M).w)(mod q)
u2= (r.w)(mod q)

v = (gu1.yu2(mod p)) (mod
q)
If v=rthen signature is verified

see book web site for details of proof why
 Kerberos

trusted key server system from MIT
provides centralised private-key third-party

authentication in a distributed network
allows users access to services

distributed through network

without needing to trust all workstations
rather all trust a central

authentication server
two versions in use: 4 & 5
 Kerberos Requirements

Its first report identified requirements as:


secure

reliable

transparent
scalable

Implemented using an authentication
 protocol based
on Needham-Schroeder
 Kerberos v4 Overview

A basic third-party authentication scheme

Have an Authentication Server (AS)
users initially negotiate with AS to identify self

AS provides a non-corruptible authentication
 credential (ticketgranting ticket

TGT)
Have a Ticket Granting server (TGS)
users subsequently request access to other
services from TGS on basis of users TGT
 Kerberos v4 Dialogue

Obtain ticket granting ticket from AS
 once per session 
Obtain service granting ticket from TGT
 for each distinct service required
Client/server exchange to obtain service
on every service request
Kerberos 4 Overview
 Kerberos Realms

A Kerberos environment consists of:


a Kerberos server

a number of clients, all registered with server
application servers,

sharing keys with server 
This is termed a realm
typically a single administrative domain

If have multiplerealms, their Kerberos servers must share
keys and trust
Kerberos Realms
 Kerberos Version 5

Developed in mid 1990’s

Specified as Internet standard RFC 1510

Provides improvements over v4
Addresses environmental shortcomings

 network protocol, byte order,
Encryption alg,
 ticket lifetime,
 authentication forwarding, interrealm auth
And technical deficiencies

double encryption, non-std mode of use,
session keys, password attacks
 X.509 Authentication Service

Part of CCITT X.500 directory service standards
Distributed servers maintaining user info

database
Defines framework for authentication services
directory may store public-key certificates

with public key of user signed by certification
 authorityalso defines authentication protocols

uses public-key crypto & digital signatures
algorithms not standardised, but
 RSA recommended

X.509 certificates are widely used
 X.509 Certificates

Issued by a Certification Authority (CA), containing:
version (1, 2, or 3)serial number (unique

within CA) identifying certificate
signature algorithm identifier issuer X.500
 name (CA)period of validity (from - to dates)

Subject X.500 name (name of owner)
Subject public-key info (algorithm, parameters,
key),Issuer unique identifier (v2+),Subject unique

identifier (v2+)
Extension fields (v3),Signature (of hash of

all fields in certificate)

Notation CA<<A>> denotes certificate for A signed by CA
X.509 Certificates
 Obtaining a Certificate
Any user with access to CA can get any
certificate from it

Only the CA can modify a certificate
Because cannot be forged,  certificates can be
placed in a public directory
 CA Hierarchy
If both users share a common CA then they are
assumed to know its public key

Otherwise CA's must form a hierarchy
Use certificates linking
 members of hierarchy to
validate other CA's
Each CA has certificates for clients (forward)
 and parent (backward) 
Each client trusts parents certificates
Enable verification of any certificate
 from one CA by
users of all other CAs in hierarchy
CA Hierarchy Use
 Certificate Revocation

Certificates have a period of validity

May need to revoke before expiry, eg:


user's private key is compromised

user is no longer certified by this CA
CA's certificate is compromised 
CA’s maintain list of revoked certificates
 the Certificate Revocation List (CRL) 
Users should check certificates with CA’s CRL
 Authentication Procedures
X.509 includes
 three alternative authentication
procedures:

One-Way Authentication

Two-Way Authentication

Three-Way Authentication

all use public-key signatures
 One-Way Authentication

1 message ( A->B) used to establish

the identity of A and that message is from A

message was intended for B
integrity & originality of message
message must include timestamp,
 nonce, B's
identity and is signed by A
may include additional
 info for B
eg session key
 Two-Way Authentication
2 messages (A->B, B->A) which also establishes in
addition:


the identity of B and that reply is from B

that reply is intended for A
integrity & originality of reply

Reply includes original nonce from A, also
timestamp and nonce from B

May include additional info for A
 Three-Way Authentication
3 messages (A->B, B->A, A->B) which enablesabove
authentication without synchronized clocks
has reply fromA back to B containing signed copy of
nonce from B
means that  timestamps need not be checked or
relied upon
 X.509 Version 3
Has been recognised
 that additional information is needed
in a certificate
email/URL, policy details, usage constraints

Rather than explicitly naming new fields defined a general
extension method

Extensions consist of:
 extension identifier

criticality indicator
extension value
 Certificate Extensions
Key and policy information
convey info about subject & issuer keys,
plus indicators of certificate policy

Certificate subject and issuer attributes
support alternative names, in alternative formats
 for certificate

 subject and/or issuer
Certificate path constraints

 allow constraints on use of certificates by other

CA’s
Public Key Infrastructure
UNIT-4
E-MAIL SECURITY
 Email Security

Email is one of the most widely used and


regarded network services

Currently message contents are not secure

may be inspected either in transit
or by suitably privileged users on
destination system
 Email Security Enhancements

Confidentiality
 protection 
from disclosure
Authentication
 of sender of message


Message integrity
 protection from modification


Non-repudiation of origin
protection from denial by sender
 Pretty Good Privacy (PGP)
Widely used de facto secure email
Developed by Phil Zimmermann
Selected best available crypto algs to use
Integrated into a single program
On Unix, PC, Macintosh and other systems
Originally free, now also have commercial
versions available
 PGP Operation – Authentication
sender creates message
use SHA-1 to generate 160-bit hash of message
signed hash with RSA using sender's private
key, and is attached to message
receiver uses RSA with sender's
 public key to decrypt
 and recover hash code
receiver verifies received message using
 hash of it and
compares with decrypted hash code
PGP Operation – Confidentiality
Sender generates message and 128-bit
 random number as session key for it
Encrypt message using CAST-128 / IDEA /
 3DES in CBC mode with session key
Session key encrypted using RSA with
 recipient's public key, & attached to msg
Receiver uses RSA with private key to
 decrypt and recover session key
Session key is used to decrypt message
PGP Operation – Confidentiality & Authentication

can use both services on same message


Create signature & attach to message

Encrypt both message & signature
Attach RSA/ElGamal encrypted session key
PGP Operation – Compression
By default PGP compresses message after

signing but before encrypting 
so can store uncompressed message

& signature for later verification

& because compression is non deterministic
Uses ZIP compression algorithm
 PGP Operation – Email Compatibility
When using PGP will have binary data to send

(encrypted message etc) 


However email was designed only for text 
Hence PGP must encode raw binary data into

printable ASCII characters

Uses radix-64 algorithm

maps 3 bytes to 4 printable chars
also appends a CRC
PGP also segments messages if too big
PGP Operation – Summary
 PGP Session Keys

need a session key for each message
of varying sizes: 56-bit DES, 128-bit CAST or
 IDEA, 168-bit
 Triple-DES 
generated using ANSI X12.17 mode
uses random inputs taken from previous uses and
from keystroke timing of user
 PGP Public & Private Keys

since many public/private keys may be in use, need to

identify which
 is actually used to encrypt session key in a
message


could send full public-key with every message
but this is inefficient 
rather use a key identifier based on key
 is least significant 64-bits of the key
will very likely be unique


also use key ID in signatures
PGP Message Format
 PGP Key Rings

Each PGP user has a pair of keyrings:

public-key ring contains all the public-keys
of other PGP users

known to this user, indexed by key ID
private-key ring contains the public/private
key pair(s) for this user, indexed by key ID &
encrypted keyed from a hashed passphrase
Security of private keys thus depends on the
pass- phrase security
PGP Message Generation
PGP Message Reception
 PGP Key Management

Rather than relying on certificate authorities

In PGP every user is own CA

 can sign keys for users


they know directly
Forms a “web of trust”
trust keys have signed

can trust keys others have signed if have a chain
 of signatures to them

key ring includes trust indicators

Users can also revoke their keys
S/MIME (Secure/MultipurposeMailExtensions) Internet


Security enhancement to MIME email
original Internet RFC822 email was text only

MIME provided support for varying content

types and multi- part messages

with encoding of binary data to textual form
S/MIME added security enhancements

Have S/MIME support in many mail agents
eg MS Outlook, Mozilla, Mac Mail etc
 S/MIME Functions

Enveloped data
 encrypted

content and associated keys
Signed data
 encoded message

+ signed digest
Clear-signed data
cleartext message +
encoded signed digest
Signed & enveloped data
nesting of signed & encrypted entities
 S/MIME Cryptographic Algorithms

Digital signatures: DSS & RSA

Hash functions: SHA-1 & MD5

Session key encryption: ElGamal & RSA

Message encryption: AES, Triple-DES, RC2/40 and others

MAC: HMAC with SHA-1

Have process to decide which algs to use
 S/MIME Messages
S/MIME secures a MIME
 entity with a signature,
encryption, or both

Forming a MIME wrapped PKCS object

Have a range of content-types:


enveloped data

signed data

clear-signed data

registration request
certificate only message
 S/MIME Certificate Processing

S/MIME uses X.509 v3 certificates
Managed using a hybrid of a strict X.509 CA
hierarchy & PGP’s web of trust

Each client has a list of trusted CA’s certs

And own public/private key pairs & certs

Certificates must be signed by trusted CA’s
 Certificate Authorities

Have several well-known CA’s

Verisign one of most widely used

Verisign issues several types of Digital IDs

Increasing levels of checks & hence trust

Class Identity Checks Usage

1 name/email check web browsing/email
2 + enroll/addr check email, subs, s/w validate
3 + ID documents e-banking/service access
 IP Security
Have a range of application specific

security mechanisms
eg. S/MIME, PGP, Kerberos, SSL/HTTPS

However there are security concerns that cut

across protocol layers 
Would like security implemented by the
network for all applications
 IPSec

General IP Security mechanisms

Provides


authentication

confidentiality
key management

Applicable to use over
 LANs, across public & private WANs,
& for the Internet
IPSec Uses
 Benefits of IPSec
In a firewall/router provides strong security to all traffic
crossing the perimeter

In a firewall/router is resistant to bypass
Is below transport
 layer, hence transparent to
applications

Can be transparent to end users

Can provide security for individual users

Secures routing architecture
 IP Security Architecture

Specification is quite complex

Defined in numerous RFC’s


incl. RFC 2401/2402/2406/2408
many others, grouped by category


Mandatory in IPv6, optional in IPv4

Have two security header extensions:


Authentication Header (AH)
Encapsulating Security Payload (ESP)
 IPSec Services
Access control
Connectionless integrity
Data origin authentication
Rejection of replayed packets
A form of partial sequence integrity
Confidentiality (encryption)
Limited traffic flow confidentiality
 Security Associations
A one-way relationship between sender & receiver that
affords security for traffic flow

Defined by 3 parameters:
 Security Parameters Index (SPI)
 IP Destination Address
Security Protocol Identifier
Has a number of other parameters
seq no, AH & EH info, lifetime etc 
Have a database of Security Associations
 Authentication Header (AH)
Provides support
 for data integrity & authentication
of IP packets
end system/router can authenticate user/app

prevents address spoofing attacks by
 tracking sequence numbers
 
Based on use of a MAC
 HMAC-MD5-96 or HMAC-SHA-1-96  
Parties must share a secret key
Authentication Header
Transport & Tunnel Modes
 Encapsulating Security Payload (ESP)
Provides message content
 confidentiality & limited traffic
flow confidentiality
Can optionallyprovide the same authentication
services as AH

Supports range of ciphers, modes, padding
 incl. DES, Triple-DES, RC5, IDEA, CAST etc
CBC & other modes

padding needed to fill blocksize, fields, for
traffic flow
Encapsulating Security Payload
 Transport vs Tunnel Mode ESP
Transport mode is used
 to encrypt & optionally
authenticate IP data


data protected but header left in clear

can do traffic analysis but is efficient
good for ESP host to host traffic
Tunnel mode encrypts entire IP packet


add new header for next hop
good for VPNs, gateway to gateway security
 Combining Security Associations

SA’s can implement either AH or ESP

To implement both need to combine SA’s

 form a security association bundle

 may terminate at different or same endpoints
combined by

transport adjacency

 iterated tunneling

Issue of authentication & encryption order
Combining Security Associations
 Key Management

Handles key generation & distribution

Typically need 2 pairs of keys

 2 per direction for AH

 & ESP
Manual key management
 sysadmin manually configures
 every system
Automated key management
automated system for on demand creation
 of keys for SA’s in large systems
has Oakley & ISAKMP elements
 Oakley

A key exchange protocol

Based on Diffie-Hellman key exchange

Adds features to address weaknesses
cookies, groups (global params), nonces, DH
key exchange with authentication


Can use arithmetic in prime fields or elliptic curve fields
 ISAKMP
Internet Security
 Association and Key Management
Protocol

Provides framework for key management
Defines procedures and packet formats  to
establish, negotiate, modify, & delete SAs
Independent of key exchange
 protocol, encryption alg, &
authentication method
ISAKMP
 ISAKMP Payloads & Exchanges
Have a number of ISAKMP payload types:
Security, Proposal, Transform, Key, Identification,
Certificate, Certificate, Hash, Signature, Nonce,

Notification, Delete
ISAKMP has framework for 5 types of message
exchanges:
base, identity protection, authentication only,
 aggressive,

informational
UNIT-5 UNIT-V
WEB SECURITY
 Web Security
Web now widely
 used by business, government,
individuals

but Internet & Web are vulnerable

have a variety of threats

 integrity
 confidentiality

denial of service
authentication 
need added security mechanisms
 SSL (Secure Socket Layer)

Transport layer security service

Originally developed by Netscape

Version 3 designed with public input
Subsequently became Internet standard known as TLS
(Transport Layer Security)

Uses TCP to provide a reliable end-to-end service

SSL has two layers of protocols
SSL Architecture
 SSL Architecture

SSL connection


A transient, peer-to-peer, communications link
Associated

with 1 SSL session
SSL session


An association between client & server

Created by the Handshake Protocol

Define a set of cryptographic parameters
May be shared by multiple SSL connections
 SSL Record Protocol Services

Message integrity
 using a MAC with shared secret key
similar to HMAC

but with different padding
Confidentiality
using symmetric encryption with a shared
 secret key definedby Handshake Protocol
AES, IDEA, RC2-40, DES-40, DES, 3DES,
 Fortezza, RC4-40, RC4-128
message is compressed before encryption
SSL Record Protocol Operation
 SSL Change Cipher Spec Protocol
One of 3 SSL specific protocols which use the SSL Record
protocol

A single message

Causes pending state to become current

Hence updating the cipher suite in use
 SSL Alert Protocol

Conveys SSL-related alerts to peer entity

Severity warning or fatal

Specific alert
fatal: unexpected message, bad record mac,
 failure, handshake failure, illegal
decompression
parameter

warning: close notify, no certificate, bad
certificate, unsupported certificate, certificate
revoked, certificate expired, certificate

unknown
Compressed & encrypted like all SSL data
 SSL Handshake Protocol


Allows server & client to:

authenticate each other

to negotiate encryption & MAC algorithms

to negotiate cryptographic keys to be used

Comprises a series of messages in phases

Establish Security Capabilities

Server Authentication and Key Exchange

Client Authentication and Key Exchange
Finish
SSL Handshake Protocol
 TLS (Transport Layer Security)

IETF standard RFC 2246 similar to SSLv3

with minor differences

 in record format version number


uses HMAC for MAC
 a pseudo-random function expands secrets

has additional alert codes

some changes in supported ciphers

changes in certificate types & negotiations
changes in crypto computations & padding
 Secure Electronic Transactions (SET)

Open encryption & security specification

To protect Internet credit card transactions

Developed in 1996 by Mastercard, Visa etc

Not a payment system

Rather a set of security protocols & formats


secure communications amongst parties

trust from use of X.509v3 certificates
privacy by restricted info to those who need it
SET Components
 SET Transaction
customer opens account
customer receives a certificate
merchants have their own certificates
customer places an order
merchant is verified
order and payment are sent
merchant requests payment authorization
merchant confirms order
merchant provides goods or service

merchant requests payment
 Dual Signature

Customer creates dual messages

order information (OI) for merchant
payment information (PI) for bank


Neither party needs details of other

But must know they are linked

Use a dual signature for this
signed concatenated hashes of OI &

PI DS=E(PRc, [H(H(PI)||H(OI))])
 SET Purchase Request
SET purchaserequest exchange consists of four
 messages


Initiate Request - get certificates

Initiate Response - signed response

Purchase Request - of OI & PI
Purchase Response - ack order
Purchase Request – Customer
 Purchase Request – Merchant

Verifies cardholder certificates using CA sigs
Verifies dual signature using customer's public
signature key to ensure order has not been
tampered with in transit & that it was signed
 using cardholder's private signature key
Processes order and forwards the payment
information to the payment gateway
 for
authorization (described later) 
Sends a purchase response to cardholder
Purchase Request – Merchant
 Payment Gateway Authorization
Verifies all certificates
Decrypts digital envelope of authorization block
to obtain symmetric key & then decrypts
 authorization block
Verifies merchant's signature on authorization
block decrypts digital envelope of payment
block to obtain symmetric key & then decrypts
 payment block
Verifies dual signature on payment block
Verifies that transaction ID received from
merchant matches that in PI received
 (indirectly) from customer
Requests & receives an authorization from
issuersends authorization response back to
 Payment Capture
Merchant sends payment gateway a payment
capture request

Gateway checks request
Then causes funds to
 be transferred to
merchants account

Notifies merchant using capture response
 Intruders

Clearly a growing publicized problem


from “Wily Hacker” in 1986/87
to clearly escalating CERT stats 
May seem benign, but still cost resources
May usecompromised system to launch other
attacks
Mwareness
 of intruders has led to the development of
CERTs
 Intrusion Techniques

Aim to gain access and/or increase privileges on a system

Basic attack methodology
 target acquisition and information gathering

initial access
 privilege escalation
covering tracks 
Key goal often is to acquire passwords

So then exercise access rights of owner
 Password Guessing

One of the most common attacks

Attacker knows a login (from email/web page etc)

Then attempts to guess password for it
defaults, short passwords, common word searches

user info (variations on names, birthday,

phone, common words/interests)
exhaustively searching all possible passwords

Check by login or against stolen password file

Success depends on password chosen by user

Surveys show many users choose poorly
 Password Capture

Another attack involves password capture


watching over shoulder as password is entered

using a trojan horse program to collect
monitoring an insecure network
 login
 eg. telnet, FTP, web, email
extracting recorded info after successful login
 (web history/cache, last number dialed etc)

Using valid login/password can impersonate user
Users need to be educated to 
use suitable
precautions/countermeasures
 Intrusion Detection

Inevitably will have security failures

So need also to detect intrusions so can


block if detected quickly

act as deterrent
collect info to improve security

Assume intruderwill behave differently to a
legitimate user
but will have imperfect distinction between
 Approaches to Intrusion Detection

Statistical anomaly detection


threshold

profile based 


Rule-based detection

anomaly
penetration identification
 Audit Records

Fundamental tool for intrusion detection

Native audit records


part of all common multi-user O/S

already present for use
may not have info wantedin desired form
Detection-specific audit records


created specifically to collect wanted info
at cost of additional overhead on system
 Statistical Anomaly Detection

Threshold detection

count occurrences of specific event over time

if exceed reasonable value assume intrusion

alone is a crude & ineffective detector

Profile based

characterize past behavior of users

detect significant deviations from this
profile usually multi-parameter
 Audit Record Analysis

Foundation of statistical approaches

Analyze records to get metrics over time
counter, gauge, interval timer, resource use

Use various tests on these
 to determine if current
behavior is acceptable
mean & standard deviation, multivariate,
 markov process, time series, operational


Key advantage is no prior knowledge used
 Rule-Based Intrusion Detection
Observe events on system & apply rules to decide if
activity is suspicious or not
Rule-based anomaly detection
Analyze historical audit records to identify usage
 patterns & auto-generate rules for them
Then observe current behavior & match
 against rules to see if conforms
Like statistical anomaly detection does not
require prior knowledge of security flaws
 Rule-Based Intrusion Detection

Rule-based penetration identification
uses expert systems technology

with rules identifying known
 penetration, weakness

 patterns, or suspicious behavior

compare audit records or states against rules
rules usually machine & O/S specific

rules are generated by experts who interview

& codify knowledge of security admins
quality depends on how well this is done
 Base-Rate Fallacy
Practically an intrusion detection system needs to detect
a substantial percentage of intrusions with few false
alarms


if too few intrusions detected -> false security
if too many false alarms -> ignore / waste time
This is very hard to do

Existing systems seem not to have a good record
 Distributed Intrusion Detection

Traditional focus is on single systems

But typically have networked systems
More effective defense
 has these working together to
detect intrusions

Issues


dealing with varying audit record formats

integrity & confidentiality of networked data
centralized or decentralized architecture
Distributed Intrusion Detection - Architecture
Distributed Intrusion Detection – Agent Implementation
 Honeypots

Decoy systems to lure attackers
 away from accessing critical systems
 to collect information of their activities
to encourage attacker to stay on system so
 administrator can

 respond 
Are filled with fabricated information
Instrumented to collect
 detailed information on
attackers activities 
Single or multiple networked systems

cf IETF Intrusion Detection WG standards
 Password Management

Front-line defense against intruders

Users supply both:


login – determines privileges of that user
password – to identify them
Passwords often stored encrypted


Unix uses multiple DES (variant with salt)
more recent systems use crypto hash function
Should protect password file on system
 Password Studies

Purdue 1992 - many short passwords

Klein 1990 - many guessable passwords

Conclusion is that users choose poor passwords too often

Need some approach to counter this
 Managing Passwords - Education

Can use policies and good user education

Educate on importance of good passwords

Give guidelines for good passwords
minimum length (>6)

require a mix of upper & lower case

letters, numbers,punctuation
not dictionary words 
But likely to be ignored by many users
Managing Passwords - Computer Generated

Let computer create passwords
If random likely not memorisable, so will be written down
(sticky label syndrome)

Even pronounceable not remembered

Have history of poor user acceptance

FIPS PUB 181 one of best generators

 has both description & sample code

generates words from concatenating
random pronounceable syllables
Managing Passwords - Reactive Checking

Reactively run password guessing tools
Note that good dictionaries
 exist for almost any
language/interest group

Cracked passwords are disabled

But is resource intensive

Bad passwords are vulnerable till found
Managing Passwords - Proactive Checking

Most promising approach to improving password

security

Allow users to select own password

But have system verify it is acceptable

 simple rule enforcement (see earlier slide)


compare against dictionary of bad passwords
use algorithmic (markov model or bloom filter)
to detect poor choices
Viruses and Other Malicious Content

Computer viruses have got a lot of publicity

One of a family of malicious software

Effects usually obvious
Have figured in
 news reports, fiction, movies (often
exaggerated)

Getting more attention than deserve

Are a concern though
Malicious Software
 Backdoor or Trapdoor
Secret entry point into a program allows those
 who know
access bypassing usual security procedures

Have been commonly used by developers
A threat when left in production programs allowing
exploited by attackers

Very hard to block in O/S

Requires good s/w development & update
 Logic Bomb

One of oldest types of malicious software

Code embedded in legitimate program

Activated when specified conditions met


eg presence/absence of some file

particular date/time
particular user 
When triggered typically damage system
modify/delete files/disks, halt machine, etc
 Trojan Horse

Program with hidden side-effects

Which is usually superficially attractive

 eg game, s/w upgrade etc

When run performs some additional tasks
allows attacker to indirectly gain access they do

not have directly
Often used to propagate a virus/worm or install a
backdoor

or simply to destroy data
 Zombie
Program which secretly takes over

another networked computer

Then uses it to indirectly launch attacks
Often used to launch distributed denial of service

(DDoS) attacks 
Exploits known flaws in network systems
 Viruses

A piece
 of self-replicating code attached to some other
code
cf biological virus 
Both propagates itself & carries a payload


carries code to make copies of itself
as well as code to perform some covert task
 Virus Operation

Virus phases:


Dormant – waiting on trigger event

Propagation – replicating to programs/disks

Triggering – by event to execute payload
Execution – of payload 
Details usually machine/OS specific
Exploiting features/weaknesses
 Virus Structure
program V :=
{goto
main;
1234567;
subroutine infect-executable := {loop:
file := get-random-executable-file;
if (first-line-of-file = 1234567) then goto loop
else prepend V to file; }
subroutine do-damage := {whatever damage is to be done}
subroutine trigger-pulled := {return true if condition holds}
main: main-program := {infect-executable;
if trigger-pulled then do-
damage; goto next;}
next:
}
 Types of Viruses

Can classify on basis of how they attack

Parasitic virus

Memory-resident virus

Boot sector virus

Stealth

Polymorphic virus

Metamorphic virus
 Macro Virus

Macro code attached to some data file

Interpreted by program using file

 eg Word/Excel macros
esp. using auto command & command

macros 
Code is now platform independent

Is a major source of new viral infections

Blur distinction between data and program files

Classic trade-off: "ease of use" vs "security”

Have improving security in Word etc

Are no longer dominant virus threat
 Email Virus
Spread usingemail with attachment containing a
macro virus
cf Melissa
Triggered when user opens attachment
or worse even when mail viewed by using scripting
features in mail agent
Hence propagate very quickly
Usually targeted at Microsoft Outlook mail agent &
Word/Excel documents

Need better O/S & application security
 Worms

Replicating but not infecting program

Typically spreads over a network

cf Morris Internet Worm in 1988

led to creation of CERTs
Using users distributed privileges or by
exploiting system vulnerabilities
Widely used by hackers to create zombie
PC's, subsequently used for further attacks,
esp DoS
Major issue is lack of security of
permanently connected systems, esp PC's
 Worm Operation

Worm phases like those of viruses:


dormant
propagation

search for other systems to infect 
 establish connection to target remote system

 replicate self onto remote system

 triggering
execution
 Morris Worm

Best known classic worm

Released by Robert Morris in 1988

Targeted Unix systems

Using several propagation techniques


simple password cracking of local pw file

exploit bug in finger daemon
exploit debug trapdoor in sendmaildaemon
If any attack succeeds then replicated self
 Recent Worm Attacks
New spate of attacks from mid-2001
Code Red - used MS IIS bug
probes random IPs for systems running IIS
had trigger time for denial-of-service attack
 2nd wave infected 360000 servers in 14 hours
Code Red 2 - installed backdoor
Nimda - multiple infection mechanisms
SQL Slammer - attacked MS SQL server
Sobig.f - attacked open proxy servers
Mydoom - mass email worm + backdoor
 Worm Techology

Multiplatform

Multiexploit

Ultrafast spreading

Polymorphic

Metamorphic

Transport vehicles

Zero-day exploit
 Virus Countermeasures

Best countermeasure is prevention

But in general not possible

Hence need to do one or more of:


detection - of viruses in infected system

identification - of specific infecting virus
removeal - restoring system to clean state
 Anti-Virus Software
first-generation
 scanner uses virus signature to identify virus
 or change in length
 of programs
second-generation
 uses heuristic rules to spot viral infection
 or uses crypto
 hash of program to spot changes
third-generation
memory-resident programs identify virus
 by actions 
fourth-generation
 packages with a variety of antivirus techniques
 eg scanning & activity
 traps, access-controls
arms race continues
 Advanced Anti-Virus Techniques

Generic decryption

use CPU simulator to check program signature

& behavior before actually running it 

Digital immune system (IBM)

general purpose emulation & virus detection

any virus entering org is captured,
analyzed, detection/shielding created
for it, removed
Digital Immune System
 Behavior-Blocking Software
Integrated with host O/S monitors program

behavior in real-time 
eg file access, disk format, executable mods,

system settings changes, network access

For possibly malicious actions

if detected can block, terminate, or seek ok 


Has advantage over scanners 
But malicious code runs before detection
 Distributed Denial of Service
Attacks (DDoS)
Distributed Denial of Service (DDoS) attacks form a
 significant security threat

making networked systems unavailable

by flooding with useless traffic

using large numbers of “zombies”

growing sophistication of attacks

defense technologies struggling to cope
Distributed Denial of Service
Attacks (DDoS)
Contructing the DDoS Attack Network

Must infect large number of zombies

Needs:

Software to implement the DDoS attack

An unpatched vulnerability on many systems

Scanning strategy to find vulnerable systems
random, hit-list, topological, local subnet
 DDoS Countermeasures

Three broad lines of defense:
 attack prevention & preemption (before)
 attack detection & filtering (during)
attack source traceback & ident (after)

Huge range of attack possibilities
Hence evolving countermeasures
 What is a Firewall?

Achoke point of control and monitoring

Interconnects networks with differing trust

Imposes restrictions on network services

 only authorized traffic is 

allowed
Auditing and controlling access
 can implement alarms for 
abnormal behavior
Provide NAT & usage monitoring

Implement VPNs using IPSec

Must be immune to penetration
 Firewall Limitations

Cannot protect from attacks bypassing it
eg sneaker net, utility modems,
 trusted organisations, trusted

services (eg SSL/SSH) 
Cannot protect against internal threats
eg disgruntled or colluding employees

Cannot protect against
 transfer of all virus infected
programs or files
because of huge range of O/S & file types
 Firewalls – Packet Filters

Simplest, fastest firewall component

Foundation of any firewall system
Examine each IP packet (no context) and permit

or deny according to rules

Hence restrict access to services (ports)

Possible default policies

that not expressly permitted is prohibited
that not expressly prohibited is permitted
Firewalls – Packet Filters
Firewalls – Packet Filters
 Attacks on Packet Filters
IP address spoofing


fake source address to be trusted
add filters on router
 to block
Source routing attacks


attacker sets a route other than default
block source routed
 packets
Tiny fragment attacks


split header info over several tiny packets
either discard or reassemble before check
 Firewalls – Stateful Packet Filters
Traditional packet filters do not examine higher
layer context

ie matching return packets with outgoing flow
Stateful packet filters address this need
they examine each IP packet in context

keep track of client-server sessions

check each packet validly belongs to one
Hence are better able to detect bogus packets
out of context
 Firewalls - ApplicationProxy) Level Gateway

Have application specific gateway / proxy

Has full access to protocol


user requests service from proxy

proxy validates request as legal

then actions request and returns result to user
can log / audit traffic at application

level
Need separate proxies for each service


some services naturally support proxying
others are more problematic
Firewalls - Application Level
Gateway (or Proxy)
 Firewalls - Circuit Level Gateway

Relays two TCP connections
Imposes security by limiting
 which such
connections are allowed
Once created usuallyrelays traffic without
examining contents
Typically used when trust internal users 
by
allowing general outbound connections

SOCKS is commonly used
Firewalls - Circuit Level Gateway
 Bastion Host

Highly secure host system

Runs circuit / application level gateways

or provides externally accessible services

Potentially exposed to "hostile" elements

Hence is secured to withstand this


hardened O/S, essential services, extra auth
proxies small, secure, independent,
 non-privileged 
May support 2 or more net connections
May be trusted to enforce policy of trusted

separation between these net connections
Firewall Configurations
Firewall Configurations
Firewall Configurations
 Access Control

Given system has identified a user

Determine what resources they can access

General model is that of access matrix with


subject - active entity (user, process)

object - passive entity (file or resource)
access right – way

object can be accessed
Can decompose by


columns as access control lists
rows as capability tickets
Access Control Matrix
 Trusted Computer Systems

Information security is increasingly important 
Have varying degrees of sensitivity of

information
cf military info classifications:

confidential, secret etc 

Subjects (people or programs) have varying


rights of access to objects (information)

Known as multilevel security
subjects have maximum & current

security level 

objects have a fixed security

level classification
ThankYou