
Cheat Sheet Copy V

The document discusses various cybersecurity concepts, including the importance of SSL/TLS for secure communications, the role of firewalls in network security, and the significance of access control systems. It also covers different types of attacks such as DoS and SQL injection, as well as mitigation strategies like VPNs and botnet management. Additionally, it highlights the necessity of data integrity, confidentiality, and the ethical practice of coordinated vulnerability disclosure.

Lecture 1

Confidentiality
• Encryption
  • Ensure that data cannot be read when someone gets their hands on it.
• Access control systems
  • Make it hard to get the data when the user is unauthorized.
• Policies and governance
  • Mandate secure data practices

Integrity
• Data validation
  • Validate data at various stages to ensure that it is still intact.
  • Tools include Checksums, Digital signatures, Error detection and correction codes.
• Change management & version control
  • Control and document changes to data to ensure transparency and accountability.

Availability
• Patch adoption is slow
• Redundancy and failover
  • Design systems with backup to mitigate single points of failure.
• Load balancing
  • Distribute traffic across various resources.
• Monitoring and alerting
  • Monitor for early signs of problems to identify system failures before they become a large issue.

Coordinated Vulnerability Disclosure
• CVD is an ethical practice where security researchers or individuals who discover vulnerabilities in a system responsibly report them to the affected organization

Threat model
• A framework that identifies potential attacks and adversaries a system aims to safeguard against

Lecture 2

The physical layer
• Physical security is the first line of defence against unauthorized access, environmental hazards, and theft.
• Without adequate physical security, even the most robust cybersecurity measures can be compromised

Signal security
• Spread signals over multiple frequencies to counter jamming.
• Frequency hopping aims to change frequencies very fast in a pattern that is unknown to an attacker.
• Authenticating and encrypting data sent over wireless signals can ensure integrity and confidentiality &

Physical layer threats
• Physical inspection
• Signal strength analysis
• Cable testing
• Electromagnetic Interference (EMI)

Guided vs unguided media
• Guided medium is a communication channel where the signals are guided along a physical path.
  • Eg Copper cables, fibre cables,
  • Physical access is needed to tamper with the data on the cable.
• An unguided medium refers to a communication channel where the signals propagate freely through the air or space.
  • Eg Radio waves; Infrared waves

Lecture 3

Types of DoS attacks
• Volumetric Attacks
  • Overwhelm victims with a high volume of traffic.
• Protocol Attacks
  • Exploit vulnerabilities in network protocols.
• Application Layer Attacks
  • Target specific applications to exhaust resources.

Volumetric: Amplification attack
• Requirements for this attack are:
  • A server that provides large responses on small queries.
  • The ability to spoof an IP address.
  • Over UDP

Protocol attack
• These attacks do not need as much bandwidth as volumetric attacks but do need some exploitable element in a protocol.
• Targets the Network and Transport layer.
• A common attack: TCP SYN Flood

Application layer attack
• Target the highest layer of the OSI model, the application and services provided to end-users.
• The traffic by this attack is hard to identify as malicious traffic, closely resembles normal user.
• An example of this traffic is a HTTP Flood

DDoS Mitigation
• Redundant network infrastructures
• Traffic filtering aims to identify malicious packets and block them.
• Content Delivery Networks cache content network, can absorb and mitigate the DDoS traffic by serving from distributed servers.
• Web Application Firewalls can protect against application layer attacks.

Botnet
• Definition: a network of compromised computers (bots) that are under the control of a single entity.
• Purpose: used for various malicious activities, including distributed denial of service (DDoS) attacks, spreading malware, and stealing sensitive information

Architecture of a botnet
• Infected devices: IoT, PCs, Phones etc
• Command and control (C2 or C&C) infrastructure
• Receive commands through the C2 infrastructure
• Communication channels: IRC, HTTP, P2P, Blockchain

Mitigating botnets
• Securing many devices to make it harder to compromise a large number of devices. But eg Mirai was successful due to trivial security measures.
• Taking down command and control infrastructure.
  • The servers are often located in multiple countries and require collaboration between law-enforcement agencies.
• Blocklisting devices that are infected by a botnet so that owners clean them.

Lecture 4

Firewall reduces attack surface & segments networks.
• Firewalls divide the untrusted outside of a network from the more trusted interior of a network.
• Run on dedicated devices: no compilers, linkers, loaders, debuggers, programming libraries, or other tools
• Easier to maintain with a few accounts.
• Physically divide the inside from outside of a network
• Compare network traffic to a set of rules. To match the rules to the traffic, it must process several packet layers to obtain the needed data.

Firewall Type
• Packet filtering
• Stateful inspection
• Application-level
• Circuit-level

Implementation
• Software – Slower, but easier to deploy on single machines.
• Hardware – Faster, safer, expensive.
• Firewalls can differ in the amount of Network Layers they process:
  • Packet size (data link layer),
  • MAC (data link layer) & IP (IP layer) filtering,
  • Port filtering (transport layer), Deep packet (application layer)

Packet filtering firewall
• Simplest: compares packet header information to a set of rules.
• Very fast, Network layer
• Many rules are needed
• Allows access to services based on network data, does not allow for the blocking of specific application commands.

Stateful inspection firewall
• Maintains state between packets, allowing for more complex rules.
• Similar to packet filtering but remembers past events, allowing for rules that allow traffic from outside if the connection was started from inside the network.
• Keeps track of TCP sequence numbers
• Inspects a limited amount of application-layer data

Circuit-level gateway
• Called circuit-level proxy
• Relays application layer data.
• Does not parse the application layer contents, but determines which connections are allowed.
• E.g. SOCKS. Works at the session layer

Application-level gateway
• Called application proxy.
• Relays application layer data.
• Can be used to block specific features of an application.
• Requires a lot of processing and does not scale well as it needs to be able to parse the application context.

Virtual Private Network (VPN)
• Required to link multiple facility networks over the Internet
• A VPN is used to encrypt data on lower layers to create a “transparent” tunnel that allows connecting securely to a LAN over the Internet.
• IPSec adds an extra part to the Network layer, connect through a firewall.
• Cheaper than private Internet cables

De-Militarized Zone (DMZ)
• Common in network architectures to allow some services to be reached from the Internet.
• The Internal network is separated from using a second firewall.

Honeypots
• Decoy system designed to lure potential attackers away from critical systems.
• Set up such that no reason to contact them, if contacted, chance that it is malicious.
• Goals
  • Divert attackers away from accessing real systems.
  • Collect information about the goals of an attacker.
  • Alert administrators of strange behaviour.

Types of intrusion detection systems
• Host-based (HIDS) – Monitors events on a host, eg system logs.
• Network-based (NIDS) – Monitors a network data and can use deep-packet inspection to identify malicious activity.
• Heuristic – Matches data to pre-defined rules.
• Signature – Matches data to known indicators (e.g. flagged IP addresses)
• Anomaly – Determines what is “normal data” and identifies data that deviates from the norm.

Host-based IDS
• Monitors activity on a system. E.g. virus scanner.
• Common data sources for HIDS include: System call traces, Log files, Integrity checksums, Registry access patterns

Distributed HIDS
• Collects of various systems in the same place to create a more effective IDS.
• Requires devices in network to collect telemetry send it to a central location.
• Privacy concerns

Network-based IDS
• Monitors activity on a network.
• Two types of sensors: Inline & Passive
• The location of the sensor matters a lot.

Location of sensors in a network
• Behind or the level of the border firewall.
• DMZ.
• Specific part of the network, Eg a network segment with employee devices.
• The traffic collected is different at every point, depending on the threat profile

Lecture 5

Protocols
• Set of rules that governs the communication and exchange of data over the internet.
• Both the sender and receiver follow same protocols to communicate.
• Many not secure by default

Secure Protocols & Standards
• Interoperability – different systems can communicate securely and effectively.
• Baseline security – establish a min level of security.
• Regulatory compliance – protocols and standards that incorporated in legal framework, ensuring that org implement

SSL and TLS
• Secure Sockets Layer (SSL) and Transport Layer Security (TLS)-1995
• It gives the S to HTTPS(ecure).
• It can encrypt, secure, and authenticate communications on the web by adding security to the transport layer.
• Relies on cryptographic certificates.

HTTP
• No verification of identity.
• All data is sent in plain-text.

HTTPS
• Verifies that the IP address indeed belongs to the domain.
• Sets up end-to-end encryption between the client and server.
• Certificates are signed by trusted parties

DNSSEC
DNS poisoning
• DNSSEC doesn’t encrypt DNS but protects integrity of the DNS information.
• DNSSEC creates a chain of trust to a root server

Email
• POP (Post Office Protocol): One-way that downloads emails from the server.
• IMAP (Internet Message Access Protocol): Two-way protocol that synchronizes emails between client and server.
• SMTP (Simple Mail Transfer Protocol): Responsible for the transfer of emails between clients and servers.
• TLS provides end to end encryption between the different servers, not between you and the recipient.

Email spoofing
• SMTP allows users to send mail with any source address.
• Adversaries can send spam from any email address.
• Can forge email addresses to impersonate a trusted sender, making it more likely that a victim will act on the email and open attachments.

SPF: Sender Policy Framework
• Domain owners to specify which servers are authorized to send mail using the domain.
• A TXT record is added at the DNS server of the organization, stating which IP addresses are authorized to send mail.
• SPF validates whether the sender is legitimate, not that the content is authentic.

DomainKeys Identified Mail (DKIM)
• DKIM is designed to sign the email on a domain-level and distribute the key via DNS.

Lecture 6 Access Control
• Login Process
  • Performs initial identification and authentication of users
  • Spawns a shell for the user
• Reference Monitors
  • Checks every access to resource
  • Authorizes or prevents the access
• Auditing:
  • Registers access control decisions

Trusted Computing Base
• Components OS relies upon to provide security guarantees
• Must be correct and untampered
• Threats to correctness:
  • Security bugs/vulnerabilities
• Tampering risks:
  • Modification of OS binaries, Rootkits, Backdoors

Reference Monitors
• Invoked whenever a subject attempts to access resource
• RefMonitor(subject, object, action) ⇒ OK or NOT_OK

Login Process
• Identifies and authenticates users
• Access control subjects are software entities!
• Users are not subjects
• Different ways: Something you
  • Have: smart card, security token
  • Know: password, pin,
  • Are: fingerprint, voice authentication, iris scan
  • Where you are: geographic location, topological location, proximity,

Three Au’s
• Authenticate
• Authorize
• Audit

Discretionary Access Control (DAC)
• Owner of an object decides access control policy
• Access control decisions based on identity of the subjects
• Most common access control policy for file access checks

Access Control Lists (ACLs)
• Separate list of actions each subject can perform
• Stored with/attached directly to the object

Capability Lists
• List of permitted actions stored with the subject
• Typically used to give subjects permissions to perform specific (normally privileged) actions

Mandatory Access Control (MAC)
• OS sets the access control policy
• Ensures that organizational security policies cannot be overridden by users
• Used in Multilevel Security:
  • Assign security labels to all objects and subjects (creation time)
  • Reference Monitor allows or denies actions based solely on security label of object and subject
• (confidentiality) => information cannot flow to a lower security level
  • Prevent secrets from leaking to unprivileged subjects
  • Privileged subjects cannot share information with lesser privileged subjects
  • Cannot enforce integrity
  • Hard to handle changes in security levels (tranquility)
• (integrity) => subjects at lower integrity level cannot modify objects at higher level
  • Protect system processes against malicious user processes
  • High integrity subjects cannot receive information from lower-integrity subjects
  • Cannot enforce confidentiality
  • Cannot handle changes in integrity levels
Lecture 7

Memory errors
• Bugs in handling memory in memory unsafe languages => A program accesses memory

Bypass Authentication
Data Corruption
Privilege Escalation

Blind SQL Injection
• Database schema may be learned through returned error messages
• Countermeasure: prohibit display of error messages
• Application vulnerable to blind SQL injection
  • Trial and error
  • Observe behavior of website

Lecture 8

Cryptography
• Ensures the confidentiality and integrity of a message, NOT availability

Julius Caesar’s Cipher
• Encryption:
  • Forward alphabet shift: +3
• Decryption
  • Reverse alphabet shift: -3

Alphabet Shift Cipher
• Generalized Caesar’s cipher
• Try all possible values of key k, find the one where the decryption makes sense.
• Encryption
  • Replace each character with the character k positions after it in the alphabet.
• Decryption
  • Replace each character with the character k positions before it in the alphabet

Substitution Cipher
• Permutation of the alphabet characters. Eg A=L, B=Z, C=Q etc
• Key = permutation
• Cracked by frequency analysis

One-Time Pad
• Key (bitwise or)
  • Sequence of random bits
  • Same length as plaintext
• Encryption: C = K ⊕ P
• Decryption: P = K ⊕ C
• Each bit of the ciphertext is random
• Fully secure if key used only once
• All messages possible given a ciphertext.
• Key as large as plaintext
• Difficult to generate and share

Modern Symmetric Encryption Standards
• Data Encryption Standard (DES)
  • Key is only 56-bits long
  • Attack: Exhaustive search over the key space
• Advanced Encryption Standard (AES)
  • Key can be 128, 192 or 256 bits
  • Exhaustive search not possible (yet)

Hash Functions
• Short output: small and fixed length (e.g. 256 bits).
• One-way
• Collision resistance
• Public function
• MD5(128)
• SHA-1(160)
• SHA-2(different length)
• SHA-3(Keccak)

Hash Functions - Collisions
• Occurs when two messages have the same hash value.
• Inevitable
• If two hashes are different, the inputs are different.

Hash Qualities
• One-way: Given a hash value x, it is hard to find a plaintext P such that h(P) = x
• Weak collision resistance: Given a plaintext P, it is hard to find a plaintext Q such that h(Q) = h(P)
• Strong collision resistance: It is hard to find a pair of plaintexts P and Q such that h(Q) = h(P)

Information Entropy
• Experiment E, some output e_i
• Higher probability → Less information
• Average value of information we obtain by learning the result of Experiment E, with outcomes e_0, e_1, …, e_(n-1)

Lecture 9

Block Cipher
• Symmetric encryption scheme for messages (blocks) of a given fixed length
• The length of the block is independent from the length of the key
• ECB Mode
  • When plaintext is longer than block size, b
  • Partition plaintext P into sequence of m blocks P[0], …, P[m−1], where n/b ≤ m < n/b + 1
  • Assume n is multiple of b
  • Block P[i] encrypted into ciphertext block C[i] = E_K(P[i])
  • Documents and images are not suitable for ECB

CBC Mode
• Previous ciphertext block combined with current plaintext block
• C[i] = E_K(C[i−1] ⊕ P[i])
• C[−1] = V is a random block (initialization vector) sent encrypted during setup
• Works well with any input plaintext
• Requires the reliable transmission of all blocks
• Not suitable when packet losses are allowed, e.g., audio & video streaming
• Can’t parallelize like ECB mode.

Counter Mode
• Counter t
• Encryption: C[i] = E_K(t+i) ⊕ P[i]
• No need to implement decryption

Padding
• Pad is a sequence of identical bytes, each indicating the length (in bytes) of the padding
• Eg, for b = 128 (16 bytes)
  • Plaintext: “Bernardo” (7 bytes)
  • Padded plaintext: “Bernardo999999999” (16 bytes)

Stream Cipher
• Key stream
  • Pseudo-random bit sequence generated from a secret key K => SK = SK[0], SK[1], SK[2], …
  • Generated on-demand, one bit (or block) at the time
• Stream cipher
  • XOR the plaintext with the key stream: C[i] = SK[i] ⊕ P[i]
• Advantages
  • Fixed-length secret key
  • Plaintext can have arbitrary length (e.g., media stream)
  • Incremental encryption and decryption
  • Works for packets sent over an unreliable channel
• Disadvantages
  • Key stream cannot be reused

Key Stream Generation
• Block cipher in counter mode
• Advantages: Simplicity, Speed
• Disadvantages: Very long key streams can be distinguished from random

Attacks on Stream Ciphers
• Repetition attack
  • Stream reuse yields XOR of plaintexts
  • Cryptanalysis can recover the original plaintexts
• Replacement attack
  • P = A B C, attacker knows B; Enc(P) = K L M
  • By B ⊕ L, part of the key stream is revealed.

Public key Cryptography
• Key pair
  • Public key PK: shared with everyone
  • Secret key SK: kept secret, hard to derive from the public key
• Sender encrypts (C = Enc_PK(M)) using PK
• Recipient decrypts (M = Dec_SK(C)) using SK
• Properties
  • A single public-secret key pair allows receiving confidential messages from multiple parties
  • It should be infeasible to derive the secret key from the public key
  • Conceptually complex
  • Slower performance than symmetric cryptography
• Eg: RSA

(Weaker) Adversary Models
• Ciphertext-only
  • Adversary sees all ciphertexts, but has vague information about the underlying plaintext
• Known plaintext
  • Adversary also knows part of / format of plaintext messages
• Open design principle

(Stronger) Adversary Models
• Chosen plaintext
  • Adversary can encrypt plaintexts of their choosing and see the resulting ciphertexts
• Chosen ciphertext
  • Adversary chooses ciphertexts and some info is revealed about the decryption

IND-CPA
• Indistinguishability under Chosen Plaintext Attack
• Adversary has polynomially-bounded access to an encryption oracle
• Adversary has polynomially-many (m, c) pairs for m’s of their choosing

IND-CCA(2)
• Indistinguishability under Adaptive Chosen Ciphertext Attack
• Adversary has polynomially-bounded access to an encryption oracle and a decryption oracle
• Even after the challenge.

Lecture 10

Digital Signature
• Goals: Authenticity (assurance of the signer), Nonrepudiation (sender can't deny), Unforgeability (none else can forge), Integrity (signature can’t be taken)
• With public key encryption:
  • Reverse the order of encryption and decryption
  • E_PK(D_SK(M)) = M = D_SK(E_PK(M))
• But Signature as long as the message
• Slow public-key encryption/decryption

Signing Hashes
• Sign S = D_SK(h(M))
• Verify h(M) == E_PK(S)
• Security of signing hash
  • Security of digital signature
  • Collision resistance of hash function
• Hash is short and fast to compute

Signing Hashes order
• Encrypt then Sign == BAD
• Sign then Encrypt == GOOD

MACs Message Authentication Codes
• Similar to Digital Signatures, but symmetric
• Does not provide nonrepudiation
• Provides a guarantee that a message came from a certain sender and has not been changed

MAC Properties
• Unforgeability: Even after seeing many MAC-message pairs, an attacker cannot produce a valid MAC for a new message
• Integrity: If the MAC or the message is altered, the recipient can detect it

Implementing MACs
• Block Ciphers: CBC-MAC, Using a block cipher in CBC mode, encrypt a message and use the last cipher block as a MAC
• Cryptographic Hash Functions: HMAC, Use hash function and a shared secret. Theoretical construction: H(M||K)

Signing MAC order
• MAC then Encrypt (E(Message || MAC(Message))) == BAD
• Encrypt then MAC (E(Message), MAC(E(Message))) == GOOD

Diffie Hellman Key Exchange + Mod
• x mod n is the remainder of the division of x by n => 29 mod 13 = 3
• a^(xy) mod n = (a^x)^y mod n = (a^y)^x mod n
• Assume y = a^x mod n & a and n are fixed public parameters
• Modular power is easy: There is an efficient algorithm to compute y given x
• Modular logarithm is hard: No efficient algorithm is known to compute x given y

Lecture 11

Merkle trees
• A tree over data x_i, i in [1,8].
• Each node is the hash of two children: Eg H_12 = h(x_1, x_2), H_14 = h(H_12, H_34)
• Application:
  • Secure Cloud Storage
  • Certificate Transparency Logs
