DOCSLIB.ORG

Advanced Computer and Network Security

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Advanced Computer and Network Security Course Proposal: CMSC ### : Advanced Computer and Network Security April 2017 Background and Motivation This proposal is for a permanent, graduate-level course in computer and network security. Although security is an increasingly popular area of study for our PhD students, there remains no core graduate-level course on the topic. The overall goal of this course is to provide a broad foundational knowledge to prepare students to begin research in security. Dave Levin is currently teaching an iteration of this course as CMSC 818O. For more detailed information (including example attack presentations), please see the course website: https://www.cs.umd.edu/class/spring2017/cmsc818O/ Course Description This course will cover advanced topics in computer and network security, including: anonymity, privacy, memory safety, malware, denial of service attacks, trusted hardware, security design principles, and empirically measuring security "in the wild". This will be a largely paper-driven course, preparing students for research in (or around) the broad area of security. Students will gain first-hand experience launching attacks in controlled environments. The bulk of the grade will be based on a final, semester-long group project. Prerequisites Computer Science, Electrical Engineering, or Computer Engineering student or permission of the instructor. Having taken an undergraduate course in security (or cryptography or networking) is not necessary, but would help, as the class will go considerably deeper than a typical undergraduate security course. Rationale: Unfortunately, there are no consistent cybersecurity courses offered at most undergraduate institutions — it is therefore unlikely that many students would meet a prerequisite of a CMSC 414-equivalent course. Textbooks None (this is a largely paper-driven course). There is a list of sample papers at the end of this document. Rationale: At this time, there are no appropriate graduate-level textbooks on security. ​ Attack Presentations At the beginning of (almost) every class, a group of 1-2 students will present an attack they have implemented and launched that is relevant to that class's topic. For example, a class on web security might begin with a group demonstrating a website they created that launches a clickjacking attack against its visitors. The attacks will be assigned by the instructor early in the semester. Each student will present at least one attack during the semester. Rationale: This provides students with the hands-on, demystifying experience of launching attacks. Within the lecture, it makes the abstract notions of the attacks more concrete for all students in the class. Syllabus This course covers a very broad range of topics within computer security, with the goal of instilling a security mindset, and teaching some of the core principles of security that will allow ​ ​ students to pursue research in the field upon completion. The following list of tentative lecture topics may vary in terms of pace (see below for an example list of papers): ● Security background and definitions ● The ethics of security research ● Systems security (attacks and defenses) ○ Memory safety (buffer overflows, ROP) ○ Malware (viruses, worms) ○ Web-based attacks (CSS, XSRF, clickjacking) ○ Isolation and lack thereof (side channels, rowhammer) ● The human element of security ● Applications and analysis of cryptography ○ Public key infrastructures (certificates, TLS/SSL) ○ Anonymous communication ○ Empirical measurements of cryptographic abuse ● Network security ○ Attacks and defenses for TCP/IP and DNS ○ Network control (firewalls, VPNs) ○ Censorship and censorship resistance ● Economic incentives and underground economies Sample Grade Breakdown Meet your instructor 1% Class participation 9% Weekly reading responses 10% Attack presentation 10% Midterm exam 10% Final exam 20% Final project 40% Note: This is the grade breakdown from the Spring 2017 offering. In retrospect, it may have been useful to increase the percentage for weekly reading responses, or to decrease the number of required reading responses per week. Instructors of future offerings should adjust these as they see appropriate. Comparison to Other CMSC Courses Security inherently lies at the intersection of multiple domains. In particular, as this course is designed, it has the potential to overlap with courses in cryptography, networking, and programming languages. Here, we describe the extent of this overlap, and why iterations of this course can be designed to complement, not reiterate, other graduate-level courses we offer. ● Cryptography: The graduate-level course on Introduction to Cryptography (CMSC ​ 858K) comprises the construction and analysis of cryptographic mechanisms. The proposed security course focuses predominantly on the application of these ​ mechanisms: how to build systems using them, and measuring their (mis)application in practice. ● Networking: Our graduate-level networking course (CMSC 711) focuses on networking ​ writ large, including the systems-level aspects of global and local communication. This proposed course does cover some aspects of networking, but only insofar as to discuss security-centric topics such as anonymous communication, virtual private networks (VPNs), botnets, and so on. ● Programming languages: The most relevant PL course is Program Analysis and ​ Understanding (CMSC 631), which covers the broad range of automated program analysis. This proposed course touches on these topics, particularly in the context of statically and dynamically analyzing a potentially malicious executable. Again, this proposed course focuses predominantly on the application of these techniques in a security context, and their use within a broader security context. The proposed class does not preclude covering security in these (or other) classes; because the security class covers such a broad range of topics, even if there does end up being some redundancy between classes, it will constitute a small percentage of the overall material. Sample Readings Example required readings are in bold. Introduction ● The Security Mindset, Bruce Schneier ​ ● Why Information Security is Hard – An Economic Perspective, Ross Anderson ​ Ethics in Security Research ● All Your Contacts Are Belong to Us: Automated Identity Theft Attacks on Social Networks, Leyla Bilge, Thorsten Strufe, Davide Balzarotti, Engin Kirda ​ ● Encore: Lightweight Measurement of Web Censorship with Cross-Origin Requests, Sam Burnett, Nick Feamster ​ ● Conducting Cybersecurity Research Legally and Ethically, Aaron J. Burstein ​ ● Federal guidelines for research involving human subjects ● UMD's IRB process ● Menlo Report ● The Moral Character of Cryptographic Work, Phillip Rogaway ​ ● Keys Under Doormats: Mandating Security by Requiring Government Access to All Data and Communications, Harold Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, ​ Matt Blaze, Whitfield Diffie, John Gilmore, Matthew Green, Susan Landau, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier, Michael Specter, Daniel J. Weitzner Classic Memory Attacks & Defenses ● Smashing the Stack for Fun and Profit, Aleph One ​ ● StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks, Crispan Cowan, Calton Pu, Dave Maier, Jonathan Walpole, Peat Bakke, Steve ​ Beattie, Aaron Grier, Perry Wagle, Qian Zhang, Heather Hinton ● SoK: Eternal War in Memory, Laszlo Szekeres, Mathias Payer, Tao Wei, Dawn Song ● Basic Integer Overflows, blexim ​ ● Exploiting Format String Vulnerabilities, scut ​ Modern Memory Attacks ● The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86), Hovav Shacham ​ ● A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities, ​ David Wagner, Jeffrey S. Foster, Eric A. Brewer, Alexander Aiken ● EXE: Automatically Generating Inputs of Death, Cristian Cadar, Vijay Ganesh, Peter M. ​ Pawlowski, David L. Dill, Dawson R. Engler ● On the Effectiveness of Address-Space Randomization, Hovav Shacham, Matthew Page, ​ Ben Pfaff, Eu-Jin Goh, Nagendra Modadugu, Dan Boneh ● Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns, Jonathan Pincus, ​ Brandon Baker ● AEG: Automatic Exploit Generation, Thanassis Avgerinos, Sang Kil Cha, Brent Lim Tze ​ Hao, David Brumley ● Baggy Bounds Checking: An Efficient and Backwards-Compatible Defense against Out-of-Bounds Errors, Periklis Akritidis, Manuel Costa, Miguel Castro, Steven Hand ​ ● English Shellcode, Joshua Mason, Sam Small, Fabian Monrose, Greg MacManus ​ ● Low-Level Software Security by Example, Ulfar Erlingsson, Yves Younan, Frank Piessens ​ Modern Memory Defenses ● Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software, James Newsome, Dawn Song ​ ● Control-Flow Integrity: Principles, Implementations, and Applications, Martin ​ Abadi, Mihai Budiu, Ulfar Erlingsson, Jay Ligatti ● SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel Code Integrity for Commodity OSes, Arvind Seshadri, Mark Luk, Ning Qu, Adrian Perrig ​ ● Nozzle: A Defense Against Heap-spraying Code Injection Attacks, Paruj Ratanaworabhan, ​ Benjamin Livshits, Benjamin Zorn ● Symbolic Execution for Software Testing: Three Decades Later, Cristian Cadar, Koushik ​ Sen ● Control Flow Integrity for COTS Binaries, Mingwei Zhang, R. Sekar ​ ● How to Make ASLR Win the Clone Wars: Runtime Re-Randomization, Kangjie Lu, Stefan ​ Nürnberger, Michael Backes, Wenke Lee Classic Web Security ● Robust
Load more

Recommended publications
  • Crypto Wars of the 1990S
    Danielle Kehl, Andi Wilson, and Kevin Bankston DOOMED TO REPEAT HISTORY? LESSONS FROM THE CRYPTO WARS OF THE 1990S CYBERSECURITY June 2015 | INITIATIVE © 2015 NEW AMERICA This report carries a Creative Commons license, which permits non-commercial re-use of New America content when proper attribution is provided. This means you are free to copy, display and distribute New America’s work, or in- clude our content in derivative works, under the following conditions: ATTRIBUTION. NONCOMMERCIAL. SHARE ALIKE. You must clearly attribute the work You may not use this work for If you alter, transform, or build to New America, and provide a link commercial purposes without upon this work, you may distribute back to www.newamerica.org. explicit prior permission from the resulting work only under a New America. license identical to this one. For the full legal code of this Creative Commons license, please visit creativecommons.org. If you have any questions about citing or reusing New America content, please contact us. AUTHORS Danielle Kehl, Senior Policy Analyst, Open Technology Institute Andi Wilson, Program Associate, Open Technology Institute Kevin Bankston, Director, Open Technology Institute ABOUT THE OPEN TECHNOLOGY INSTITUTE ACKNOWLEDGEMENTS The Open Technology Institute at New America is committed to freedom The authors would like to thank and social justice in the digital age. To achieve these goals, it intervenes Hal Abelson, Steven Bellovin, Jerry in traditional policy debates, builds technology, and deploys tools with Berman, Matt Blaze, Alan David- communities. OTI brings together a unique mix of technologists, policy son, Joseph Hall, Lance Hoffman, experts, lawyers, community organizers, and urban planners to examine the Seth Schoen, and Danny Weitzner impacts of technology and policy on people, commerce, and communities.
    [Show full text]
  • The Legacy of Export-Grade Cryptography in the 21St Century
    The legacy of export-grade cryptography in the 21st century Nadia Heninger University of Pennsylvania October 6, 2016 International Traffic in Arms Regulations April 1, 1992 version Category XIII--Auxiliary Military Equipment ... (b) Information Security Systems and equipment, cryptographic devices, software, and components specifically designed or modified therefore, including: (1) Cryptographic (including key management) systems, equipment, assemblies, modules, integrated circuits, components or software with the capability of maintaining secrecy or confidentiality of information or information systems, except cryptographic equipment and software as follows: (i) Restricted to decryption functions specifically designed to allow the execution of copy protected software, provided the decryption functions are not user-accessible. (ii) Specially designed, developed or modified for use in machines for banking or money transactions, and restricted to use only in such transactions. Machines for banking or money transactions include automatic teller machines, self-service statement printers, point of sale terminals or equipment for the encryption of interbanking transactions. ... Timeline of US cryptography export control I Pre-1994: Encryption software requires individual export license as a munition. I 1994: US State Department amends ITAR regulations to allow export of approved software to approved countries without individual licenses. 40-bit symmetric cryptography was understood to be approved under this scheme. I 1995: Netscape develops initial SSL protocol. I 1996: Bernstein v. United States; California judge rules ITAR regulations are unconstitutional because \code is speech" I 1996: Cryptography regulation moved to Department of Commerce. I 1999: TLS 1.0 standardized. I 2000: Department of Commerce loosens regulations on mass-market and open source software. Commerce Control List: Category 5 - Info.
    [Show full text]
  • Lest We Remember: Cold Boot Attacks on Encryption Keys
    Lest We Remember: Cold Boot Attacks on Encryption Keys J. Alex Halderman*, Seth D. Schoen†, Nadia Heninger*, William Clarkson, William Paul‡, Joseph A. Calandrino*, Ariel J. Feldman*, Jacob Appelbaum and Edward W. Felten* *Princeton University †Electronic Frontier Foundation ‡Wind River Systems USENIX Security Symposium, 2008 Presented by: Andra-Maria Ilieș Seminar in Computer Architecture 1 Executive summary ■ Problem: DRAMs lose their data gradually after the power is cut ■ Goal: Present a new type of attack which exploits remanence effect ■ Method: ■ Acquire usable full-system memory image ■ Extract cryptographic key ■ Gain access to secret data ■ Evaluation: succeeded on most popular disk encryption systems 2 Background, Problem & Goal 3 DRAM ■ A DRAM cell consists of a capacitor and an access transistor. ■ It stores data in terms of change in the capacitor. wordline access transistor bitline bitline storage bitline capacitor 4 DRAM refresh ■ DRAM capacitor charge leaks over time ■ Each DRAM row is refreshed periodically to restore charge ■ Period usually is 64 ms ■ Retention time: maximum time a cell can go without being refreshed while maintaining its stored data ■ Decay: bit flips caused by charge leak ■ Cell leak = cell decays to ground state ■ When powered off DRAM loses its data completely 5 Retention time and temperature ■ Contents survive at some extent even at room temperature ■ LINK, W., AND MAY, H. Eigenschaften von MOS - Ein Transistorspeicherzellen bei tiefen Temperaturen. Archiv fur Elekotronik und Ubertragungstechnik 33 (June 1979), 229–235 ■ DRAM showed no data loss for a full week without refresh when cooled with liquid nitrogen ■ Retention time can be increased by cooling 6 Retention time and booting ■ Chow, Jim & Pfaff, Ben & Garfinkel, Tal & Rosenblum, Mendel.
    [Show full text]
  • Case 2:16-Cv-06287-PD Document 8 Filed 12/06/16 Page 1 of 74
    Case 2:16-cv-06287-PD Document 8 Filed 12/06/16 Page 1 of 74 Case 2:16-cv-06287-PD Document 8 Filed 12/06/16 Page 2 of 74 Case 2:16-cv-06287-PD Document 8 Filed 12/06/16 Page 3 of 74 Case 2:16-cv-06287-PD Document 8 Filed 12/06/16 Page 4 of 74 Case 2:16-cv-06287-PD Document 8 Filed 12/06/16 Page 5 of 74 Case 2:16-cv-06287-PD Document 8 Filed 12/06/16 Page 6 of 74 Case 2:16-cv-06287-PD Document 8 Filed 12/06/16 Page 7 of 74 Case 2:16-cv-06287-PD Document 8 Filed 12/06/16 Page 8 of 74 Case 2:16-cv-06287-PD Document 8 Filed 12/06/16 Page 9 of 74 Case 2:16-cv-06287-PD Document 8 Filed 12/06/16 Page 10 of 74 Case 2:16-cv-06287-PD Document 8 Filed 12/06/16 Page 11 of 74 Case 2:16-cv-06287-PD Document 8 Filed 12/06/16 Page 12 of 74 Case 2:16-cv-06287-PD Document 8 Filed 12/06/16 Page 13 of 74 Case 2:16-cv-06287-PD Document 8 Filed 12/06/16 Page 14 of 74 Case 2:16-cv-06287-PD Document 8 Filed 12/06/16 Page 15 of 74 Case 2:16-cv-06287-PD Document 8 Filed 12/06/16 Page 16 of 74 Exhibit A Case 2:16-cv-06287-PD Document 8 Filed 12/06/16 Page 17 of 74 J.
    [Show full text]
  • ACLU V. Clapper
    Case 1:13-cv-03994-WHP Document 27 Filed 08/26/13 Page 1 of 35 UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF NEW YORK AMERICAN CIVIL LIBERTIES UNION; AMERICAN CIVIL LIBERTIES UNION FOUNDATION; NEW YORK CIVIL LIBERTIES UNION; and NEW YORK CIVIL LIBERTIES UNION FOUNDATION, Plaintiffs, DECLARATION OF PROFESSOR v. EDWARD W. FELTEN JAMES R. CLAPPER, in his official capacity as Director of National Intelligence; KEITH B. Case No. 13-cv-03994 (WHP) ALEXANDER, in his official capacity as Director of the National Security Agency and Chief of the ECF CASE Central Security Service; CHARLES T. HAGEL, in his official capacity as Secretary of Defense; ERIC H. HOLDER, in his official capacity as Attorney General of the United States; and ROBERT S. MUELLER III, in his official capacity as Director of the Federal Bureau of Investigation, Defendants. DECLARATION OF PROFESSOR EDWARD W. FELTEN I, Edward W. Felten, declare under penalty of perjury, pursuant to 28 U.S.C. § 1746, that the following is true and correct: 1. The plaintiffs in this lawsuit have challenged what they term the “mass call-tracking” program of the National Security Agency, and they have asked me to explain the sensitive nature of metadata, particularly when obtained in the aggregate. Below, I discuss how advances in technology and the proliferation of metadata-producing devices, such as phones, have produced rich metadata trails. Many details of our lives can be gleaned by examining those trails, which often yield information more easily than do the actual content of our communications. Case 1:13-cv-03994-WHP Document 27 Filed 08/26/13 Page 2 of 35 Superimposing our metadata trails onto the trails of everyone within our social group and those of everyone within our contacts’ social groups, paints a picture that can be startlingly detailed.
    [Show full text]
  • Proceedings of the 28Th USENIX Security Symposium
    USENIX Association Proceedings of the 28th USENIX Security Symposium August 14–16, 2019 Santa Clara, CA, USA Conference Organizers Program Co-Chairs Daniel Gruss, Graz University of Technology Nadia Heninger, University of Pennsylvania Joseph Lorenzo Hall, Center for Democracy & Technology Patrick Traynor, University of Florida Xiali (Sharon) Hei, University of Louisiana at Lafayette Thorsten Holz, Ruhr-University Bochum Program Committee The Pennsylvania State University Yasemin Acar, Leibniz University Hannover Trent Jaeger, U.S. Naval Research Laboratory Sadia Afroz, University of California, Berkeley/ Rob Jansen, International Computer Science Institute Mobin Javed, Lahore University of Management Sciences Devdatta Akhawe, Dropbox Chris Kanich, University of Illinois at Chicago Johanna Amann, International Computer Science Institute Vasileios Kemerlis, Brown University Adam Aviv, United States Naval Academy Yongdae Kim, Korea Advanced Institute of Science and Technology (KAIST) Michael Bailey, University of Illinois at Urbana–Champaign Google Adam Bates, University of Illinois at Urbana–Champaign Lea Kissner, University of Washington Vincent Bindschaedler, University of Florida Yoshi Kohno, University of California, San Diego Joseph Bonneau, New York University Farinaz Koushanfar, CISPA Helmholtz Center i.G. Nikita Borisov, University of Illinois at Urbana–Champaign Katharina Krombholz, Google Sven Bugiel, CISPA Helmholtz Center i.G. Ben Laurie, Google Kevin Butler, University of Florida Tancrède Lepoint, Technische Universität Wien
    [Show full text]
  • Cold Boot Attacks on Encryption Keys
    Lest We Remember: Cold Boot Attacks on Encryption Keys † ‡ J. Alex Halderman∗, Seth D. Schoen , Nadia Heninger∗, William Clarkson∗, William Paul , Joseph A. Calandrino∗, Ariel J. Feldman∗, Jacob Appelbaum, and Edward W. Felten∗ † ‡ ∗ Princeton University Electronic Frontier Foundation Wind River Systems jhalderm, nadiah, wclarkso, jcalandr, ajfeldma, felten @cs.princeton.edu { } [email protected], [email protected], [email protected] Abstract memory. They pose a particular threat to laptop users who rely on disk encryption products, since an adversary who Contrary to popular assumption, DRAMs used in most steals a laptop while an encrypted disk is mounted could modern computers retain their contents for several sec- employ our attacks to access the contents, even if the com- onds after power is lost, even at room temperature and puter is screen-locked or suspended. We demonstrate this even if removed from a motherboard. Although DRAMs risk by defeating several popular disk encryption systems, become less reliable when they are not refreshed, they including BitLocker, TrueCrypt, and FileVault, and we are not immediately erased, and their contents persist expect many similar products are also vulnerable. sufficiently for malicious (or forensic) acquisition of us- able full-system memory images. We show that this phe- While our principal focus is disk encryption, any sen- nomenon limits the ability of an operating system to pro- sitive data present in memory when an attacker gains tect cryptographic key material from an attacker with physical access to the system could be subject to attack. physical access. We use cold reboots to mount successful Many other security systems are probably vulnerable.
    [Show full text]
  • 12/07/16 Page 1 of 8
    Case: 3:16-cv-00795-jdp Document #: 27 Filed: 12/07/16 Page 1 of 8 Case: 3:16-cv-00795-jdp Document #: 27 Filed: 12/07/16 Page 2 of 8 Case: 3:16-cv-00795-jdp Document #: 27 Filed: 12/07/16 Page 3 of 8 Case: 3:16-cv-00795-jdp Document #: 27 Filed: 12/07/16 Page 4 of 8 Case: 3:16-cv-00795-jdp Document #: 27 Filed: 12/07/16 Page 5 of 8 Case: 3:16-cv-00795-jdp Document #: 27 Filed: 12/07/16 Page 6 of 8 Case: 3:16-cv-00795-jdp Document #: 27 Filed: 12/07/16 Page 7 of 8 Case: 3:16-cv-00795-jdp Document #: 27 Filed: 12/07/16 Page 8 of 8 Case: 3:16-cv-00795-jdp Document #: 27-1 Filed: 12/07/16 Page 1 of 22 Exhibit A Case: 3:16-cv-00795-jdp Document #: 27-1 Filed: 12/07/16 Page 2 of 22 J. Alex Halderman 2260 Hayward Street Ann Arbor, mi 48109 usa Professor, Computer Science and Engineering (mobile) +1 609 558 2312 University of Michigan [email protected] November 4, 2016 J.AlexHalderman.com Research Overview My research focuses on computer security and privacy, with an emphasis on problems that broadly impact society and public policy. Topics that interest me include software security, network security, data privacy, anonymity, surveillance, electronic voting, censorship resistance, digital rights management, computer forensics, ethics, and cybercrime. I’m also interested in the interaction of technology with law, regulatory policy, and international affairs.
    [Show full text]
  • Practical State Recovery Attacks Against Legacy RNG Implementations
    Practical state recovery attacks against legacy RNG implementations Shaanan N. Cohney Matthew D. Green Nadia Heninger University of Pennsylvania Johns Hopkins University University of Pennsylvania [email protected] [email protected] [email protected] ABSTRACT 1 INTRODUCTION The ANSI X9.17/X9.31 pseudorandom number generator design was Random number generation is a vital component of any crypto- first standardized in 1985, with variants incorporated into numerous graphic system. While systems may survive subtle flaws in crypto- cryptographic standards over the next three decades. The design graphic algorithm implementation, the ability to predict the output uses timestamps together with a statically keyed block cipher to of a (pseudo)random number generator typically leads to the cata- produce pseudo-random output. It has been known since 1998 that strophic failure of any protocol built on top of it. In recent years the key must remain secret in order for the output to be secure. a number of cryptographic systems have been found to include However, neither the FIPS 140-2 standardization process nor NIST’s flawed random and pseudorandom number generation subsystems. later descriptions of the algorithm specified any process for key These flaws range from subtle weaknesses, e.g. biases that admit generation. sophisticated attacks against the protocol [49]; to catastrophic vul- We performed a systematic study of publicly available FIPS 140- nerabilities that allow for adversarial recovery of all random coins 2 certifications for hundreds of products that implemented the used in a protocol execution [16, 59]. In a particularly ominous ANSI X9.31 random number generator, and found twelve whose development, some of these flaws appear to have been deliberately certification documents use of static, hard-coded keys in source engineered.
    [Show full text]
  • Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice by David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J
    research highlights DOI:10.1145/3292035 Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice By David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thomé, Luke Valenta, Benjamin VanderSloot, Eric Wustrow, Santiago Zanella-Béguelin, and Paul Zimmermann Abstract support for obsolete 1990s-era “export-grade” cryptography. We investigate the security of Diffie-Hellman key exchange More critically, the common practice of using standardized, as used in popular Internet protocols and find it to be less hard-coded, or widely shared Diffie-Hellman parameters secure than widely believed. First, we present Logjam, a has the effect of dramatically reducing the cost of large-scale novel flaw in TLS that lets a man-in-the-middle downgrade attacks, bringing some within range of feasibility. connections to “export-grade” Diffie-Hellman. To carry out The current best technique for attacking Diffie-Hellman this attack, we implement the number field sieve discrete relies on compromising one of the private exponents (a, b) by logarithm algorithm. After a week-long precomputation for computing the discrete logarithm of the corresponding public a specified 512-bit group, we can compute arbitrary discrete value (ga mod p, gb mod p). With state-of-the-art number field logarithms in that group in about a minute. We find that sieve algorithms, computing a single discrete logarithm is 82% of vulnerable servers use a single 512-bit group, and more difficult than factoring a Rivest–Shamir–Adleman (RSA) that 8.4% of Alexa Top Million HTTPS sites are vulnerable modulus of the same size.
    [Show full text]
  • Matt Blaze 1
    MATT BLAZE 1 TESTIMONY BEFORE THE US HOUSE OF REPRESENTATIVES COMMITTEE ON HOUSE ADMINISTRATION HEARING ON “2020 ELECTION SECURITY – PERSPECTIVES FROM VOTING SYSTEM VENDORS AND EXPERTS” JANUARY 9, 2020 1 McDevitt Professor of Computer Science and Law, Georgetown University, 600 New Jersey Ave NW, Washington, DC 20001. [email protected]. Affiliation for identification only. 9 January 2020 Testimony of Prof. Matt Blaze INTRODUCTION Thank you for the opportunity to offer testimony on the important questions raised by the security of the technology used for elections in the United States. For more than 25 years, my research and scholarship has focused on security and privacy in computing and communications systems, especially as we rely on insecure platforms such as the Internet for increasingly critical applications. My work has focused particularly on the intersection of this technology with public policy issues. For example, in 2007, I led several of the teams that evaluated the security of computerized election systems from several vendors on behalf of the states of California and Ohio. I am currently the McDevitt Professor of Computer Science and Law at Georgetown University. From 2004 to 2018, I was a professor of Computer and Information Science at the University of Pennsylvania. From 1992 to 2004, I was a research scientist at AT&T Bell Laboratories. I hold a PhD in computer science from Princeton University, an MS in computer science from Columbia University, and a BS from the City University of New York. This testimony is not offered on behalf of any organization or agency. In this testimony, I will give an overview of the technical security risks facing elections in the United States today, with emphasis on vulnerabilities inherent in electronic voting machines, as well as the exposure of our election infrastructure to disruption by domestic as well as national security adversaries2.
    [Show full text]
  • AMERICAN CIVIL LIBERTIES UNION FOUNDATION; NEW YORK CIVIL LIBERTIES UNION; and NEW YORK CIVIL LIBERTIES UNION FOUNDATION
    Case 1:13-cv-03994-WHP Document 27 Filed 08/26/13 Page 1 of 35 UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF NEW YORK AMERICAN CIVIL LIBERTIES UNION; AMERICAN CIVIL LIBERTIES UNION FOUNDATION; NEW YORK CIVIL LIBERTIES UNION; and NEW YORK CIVIL LIBERTIES UNION FOUNDATION, Plaintiffs, DECLARATION OF PROFESSOR v. EDWARD W. FELTEN JAMES R. CLAPPER, in his official capacity as Director of National Intelligence; KEITH B. Case No. 13-cv-03994 (WHP) ALEXANDER, in his official capacity as Director of the National Security Agency and Chief of the ECF CASE Central Security Service; CHARLES T. HAGEL, in his official capacity as Secretary of Defense; ERIC H. HOLDER, in his official capacity as Attorney General of the United States; and ROBERT S. MUELLER III, in his official capacity as Director of the Federal Bureau of Investigation, Defendants. DECLARATION OF PROFESSOR EDWARD W. FELTEN I, Edward W. Felten, declare under penalty of perjury, pursuant to 28 U.S.C. § 1746, that the following is true and correct: 1. The plaintiffs in this lawsuit have challenged what they term the “mass call-tracking” program of the National Security Agency, and they have asked me to explain the sensitive nature of metadata, particularly when obtained in the aggregate. Below, I discuss how advances in technology and the proliferation of metadata-producing devices, such as phones, have produced rich metadata trails. Many details of our lives can be gleaned by examining those trails, which often yield information more easily than do the actual content of our communications. Case 1:13-cv-03994-WHP Document 27 Filed 08/26/13 Page 2 of 35 Superimposing our metadata trails onto the trails of everyone within our social group and those of everyone within our contacts’ social groups, paints a picture that can be startlingly detailed.
    [Show full text]