Department of Informatics

Lecture MINF4221: IT Security

FS 2021 / Course No. 3089, Prof. Dr. Rolf Oppliger, Version: 8.3.2021

Lecturer

– University of Zurich (adjunct professor)
– eSECURITY Technologies Rolf Oppliger (founder and owner)
– Swiss National Cyber Security Centre NCSC (scientific employee)
– Artech House (author and series editor for information security and privacy)

→ rolf-oppliger.ch or rolf-oppliger.com

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 2 Department of Informatics

Terms of Use

This work is published with a Creative Commons Attribution No Derivatives (CC BY-ND) 4.0 license

→ http://creativecommons.org/licenses/by-nd/4.0/


Schedule

– February 22, 2021 (~ slides 1 – 61)
– March 8, 2021 (~ slides 62 – 107)
– March 22, 2021 (~ slides 108 – 156)
– March 29, 2021 (~ slides 157 – 208)
– April 26, 2021 (~ slides 209 – 246)
– May 10, 2021 (~ slides 247 – 299)
– May 17, 2021 (~ slides 300 – 341)
– May 31, 2021 (reserve)
– June 21, 2021 (exam)

The lectures are recorded in MS Teams and the recordings are made available for later use. If you want to ask questions without being recorded, then you can either use the chat function or ask the question off-the-record (e.g., using phone or e-mail).

Recommended Reading

– Matt Bishop, Computer Security: Art and Science, 2nd Edition, ISBN 9780321712332, Addison-Wesley Professional, 2019
– Matt Bishop, Introduction to Computer Security, ISBN 9780321247445, Addison-Wesley Professional, 2004
– Charles P. Pfleeger and Shari L. Pfleeger, Security in Computing, 5th Edition, ISBN 9780134085043, Prentice Hall, 2015
– Charles P. Pfleeger and Shari L. Pfleeger, Analyzing Computer Security: A Threat / Vulnerability / Countermeasure Approach, ISBN 9780132789462, Prentice Hall, 2012
– William Stallings and Lawrie Brown, Computer Security: Principles and Practice, 4th Edition, ISBN 9780134794105, Pearson, 2017

Specific topics → Artech House’s book series on information security and privacy


Table of Contents

Challenge me!

1. Introduction [~ 10%]
2. Computer Security [~ 25%]
3. Communication Security [~ 25%]
4. Operational Environments and Applications [~ 25%]
5. Privacy and Data Protection [~ 10%]
6. Conclusions and Outlook [~ 5%]

– The lecture mandates a self-study of the cryptographic fundamentals based on two chapters of a draft version of an upcoming book entitled «Cryptography 101: From Theory to Practice»
– Questions can be asked during the lecture
– Presentation of particular cryptosystems (e.g., AES, RSA, DH, … ) is optional and available on request
– Collective and individual exercises are marked with a blue background

Cryptography is everywhere


Operation schedule of cryptography

– Make precise statements about a practical (security) problem, e.g., protect the confidentiality of a message → definitions and assumptions
– Propose solutions (i.e., algorithms or protocols) that solve the problem under the given assumptions
– Prove the security of these solutions → proofs

Cryptosystem

Keyless:
– Random generators
– Random functions
– One-way functions
– Cryptographic hash functions

Secret key (symmetric):
– Pseudorandom generators (e.g., key derivation)
– Pseudorandom functions
– Symmetric encryption
– Message authentication
– Authenticated encryption

Public key (asymmetric):
– Key exchange
– Asymmetric encryption
– Digital signatures
– Cryptographic protocols

Limitations of cryptography

– An implementation of a theoretically secure cryptosystem need not be secure in practice
– Mind experiment / puzzle (due to Artur Ekert) → page 14, mind experiment 2
  – Two rooms
  – One with 3 light switches and the other with 3 light bulbs
  – The wiring of the light switches and bulbs is unknown
  – The adversary has to find out the wiring, but he or she can enter each room only once
– Theorist (e.g., mathematician): (Provably) impossible to solve (even for n>2 room entries and n+1 switches/bulbs)
– Practitioner (e.g., physicist): Permanently light on one bulb, light on another bulb for some time → the second one can be identified due to its heat
– Beware of side channels and new ways of solving problems and breaking systems

(Figure: room A with switches 1, 2, 3 and room B with bulbs 1, 2, 3)

Quotes … (still related to cryptography)

«Necessity is the mother of invention, and computer networks are the mother of modern cryptography»

– Ronald L. Rivest (1997*)

* In: CRYPTOGRAPHY AS DUCT TAPE → http://people.csail.mit.edu/rivest/Ducttape.txt

«Any sufficiently advanced technology is indistinguishable from magic»

– Arthur C. Clarke (1917 – 2008)

James L. Massey, 2001: Cryptography – Science or Magic?
Dieter Gollmann, 2011: Cryptography – Magic, Science, or Science Fiction?

1. Introduction

1.1 Terminology
1.2 Problem Statement
1.3 Security Metrics
1.4 Security Process
1.5 Security Principles
1.6 Standards and Best Practices

Collective Exercise

– Who has experienced a cyber attack?
– Who remembers a cyber attack (from the media)?

Introduction 1.1 Terminology

– The term security is hard to define → there is no unanimously agreed definition
– It is a state in which one experiences no (relevant) threat or security
– It is neither possible to enumerate all possible (relevant) threats nor to verify their nonexistence → security cannot be attested objectively or measured in a meaningful way
– Instead, the notion of security is highly subjective
– What is «secure» or «insecure» depends on the person and his or her willingness to take risks
– This may be perceived differently by different people
– Also, the notion of security is situational and always depends on many factors and circumstances

(Figure: characteristic function for the (subjective) perception of security, in approximated form; perceived security is plotted over time, with a 1st and a 2nd event marked on the time axis)

Introduction Terminology

– In the English language, there are two related (complementary) terms
  – Safety refers to protection against unintended incidents → availability, reliability, and stability
  – Security refers to protection against intended incidents and attacks → lack of security breaches
– In the German language, the terms «Verlässlichkeit» or «Resilienz» («Widerstandsfähigkeit») are sometimes used to refer to safety and security
– Information is a fourth production factor (in addition to ground, capital, and work)
– As we are moving from an industrialized to an information society, information technology (IT) is getting more and more important
– This also applies to IT security and the need to protect IT resources against incidents and attacks

(Figure: the four production factors Information, Work, Ground, and Capital)

Introduction Terminology

– IT security mainly focuses on the secure storage, processing, and transmission of data that encodes information in one way or another
– Security goals
  – Availability, Confidentiality / secrecy, Integrity (→ CIA)
  – Authenticity
  – Nonrepudiation / transparency
  – Accountability / traceability
  – Pseudonymity
  – ...

Introduction – Terminology

– The following terms are important to meaningfully argue about (IT) security
  – Threat
  – Vulnerability / weakness
  – Countermeasure
  – Security breach
– The Swiss cheese model (attributed to James Reason) can be used to explain the terms and put them into perspective

(Figure: Swiss cheese model with threats on one side, layers of defense (~ countermeasures) with holes (vulnerabilities or weaknesses), and a security breach where the holes of all layers line up)

Individual Exercise

– Take a real-world situation of your choice (e.g., a house, a stay in a foreign city, … ) and use the Swiss cheese model to discuss the relevant
  – Threats
  – Vulnerabilities
  – Countermeasures
  – Possible security breaches

Introduction 1.2 Problem Statement

– Key question in IT security: How can one protect a computer system and its resources (mainly data) against attacks from the inside or outside?
– Due to the asymmetric workload, it is possible and very likely that many attacks are mounted and that some of them are successful
– There are many possibilities to attack a computer system (e.g., DDoS)
– Direct attacks can sometimes be mitigated using technical means and countermeasures
– Indirect attacks are simple to mount but difficult to mitigate → tend to be very powerful (e.g., social engineering attacks)

Introduction Problem Statement

«It is easy to run a secure computer system. You merely have to disconnect all dial-up connections and permit only direct-wired terminals, put the machine and its terminals in a shielded room, and post a guard at the door.»

Fred T. Grampp and Robert H. Morris, UNIX Operating System Security, AT&T Bell Laboratories Technical Journal, Vol. 63, No. 8, October 1984, pp. 1649–1672

– Due to the existence of indirect attacks, one may even add: «…, remove or disable all user accounts, and make sure that no user can get physically close to the system.»
– It goes without saying that such a computer system is not particularly useful
– In almost all cases, there is a nontrivial tradeoff to make between functionality and security (this is a general theme in IT security)

Introduction Problem Statement

– Many people think of attackers as uniformly dressed and stereotype
– But there is a continuum of different attacks and attackers
– Attack attribution remains a major challenge
– Is a nation state adversary (NSA) mounting an attack or a «script kiddie»?

(Figure: attackers plotted by targeted precision (not targeted → precisely targeted) against sophistication / skill (trivial → highly skilled): «script kiddies», opportunistic hackers, spear phishing, advanced persistent threats (APT), and intelligence agencies)

Introduction Problem Statement

– «Natural» enemies of IT security
  – (Human) users
  – Complexity
    – The Windows OS has > 50 million lines of code (> 15 million, > 62 million, … )
    – Assuming a security-minded programmer who makes one security-related mistake in 1'000 lines of code → 50'000 security-related bugs
    – Only a small percentage of these bugs are usually found and patched
  – Speed
    – Production and «time to market» cycles get shorter
    – Beta testing has replaced «normal» software testing

Introduction Problem Statement

– Against this background, one cannot reasonably expect a short-term solution or significant improvement in IT security
– There is no «holy grail» or «silver bullet» (there is not even evidence for its existence)
– Nevertheless, there are many companies that try to market products or services as holy grails or silver bullets
– The respective (marketing) claims are often wrong and must be taken with a grain of salt
– A product or service can be useful or snake oil (e.g., Virus Shield for Android), and it is usually difficult to tell the difference (→ security is neither visible nor measurable)
– Even in the first case it is difficult to assess the true usefulness
– This is (part of) the job of an IT security professional (security officer)
– The security market resembles a «lemon market» with almost no regulation

Introduction 1.3 Security Metrics


Collective Exercise

– Do you think that the security of an IT system can be measured?
– If yes, how and with what type of metrics?

Introduction Security Metrics

– There are no generally agreed metrics for IT security
– Since the 1980s, people have tried to define evaluation and certification criteria
  – Trusted Computer System Evaluation Criteria (TCSEC, Orange Book), USA, 1983
  – Kriterien für die Bewertung der Sicherheit von Systemen der Informationstechnik, Germany, 1989
  – Information Technology Security Evaluation Criteria (ITSEC), Europe (D, F, UK, and NL), 1990
  – Common Criteria (CC), since 1996 (→ http://www.commoncriteriaportal.org, adopted in ISO/IEC 15408)
– All such initiatives (including the CC) have not been successful
  – The complexity to define and apply such criteria (or CC protection profiles) is prohibitively high
  – It takes too long to evaluate a system (and is too expensive)
  – The certificate is valid for only one version (reevaluation is only moderately less difficult)
  – The commercial incentive to evaluate and certify systems is too weak
  – …

Introduction Security Metrics

– Instead of evaluating and certifying the security of systems, products, or services, people use all kinds of «cops and robbers» games to approximate IT security (i.e., attacks → countermeasures → counterattacks → countermeasures … )
– Such games have a long tradition (and many examples) in the real world
  – Secure money transports in the Wild West
  – Burglar-proof safes
  – Escape-proof prisons
  – ...
– This also applies to IT security → penetration testing and ethical hacking are «en vogue»
– The results and the respective «security guarantees» must be taken with a grain of salt

Introduction

1.4 Security Process

– Security management is a process to manage the security of an organization or company
– IT security management refers to the security management of a given IT infrastructure
– There are many possibilities to describe or specify the security management process
– It must always start with a security policy that specifies the long-term (security) goals
– The security policy needs to be refined in a security strategy and implementation guidelines for the security measures («controls») that are put in place

(Figure: security policy (political level) → security strategy (strategic level) → implementation guidelines (tactical level) → security measures (technical, organizational, legal); the measures run through a PDCA cycle: Plan, Do, Check, Act)

Introduction – Security Process

– The specification of an appropriate security policy is challenging
– It requires a tradeoff between security and functionality (as well as usability, performance, … )
– Example: Access to external mailboxes (→ import)

(Figures: tradeoff between security, functionality, usability, performance, …; a mail client accessing an external mail server via a tunneling server («proxy»))

Introduction Security Process

– The selection process for «appropriate» security measures is discussed controversially
– In a classic approach, a complete risk analysis (based on analyses of vulnerabilities and threats) is performed to select the security measures
– In a simpler approach, security measures are selected directly from a vulnerability analysis
– The underlying problem is that the notion of a risk is not particularly useful (and hardly works) in IT
– Consequently, all risk-based approaches for IT security don't properly work in practice

R. Oppliger, Quantitative Risk Analysis in Information Security Management: A Modern Fairy Tale, IEEE Security & Privacy, Vol. 13, No. 6, November/December 2015, pp. 18–21


Introduction Security Process

– In theory, there is a simple formula to quantify a risk

  Risk = (Probability of an event) × (Expected loss)

– In practice, this formula hardly works for several reasons
  – The set of relevant events is neither well-defined nor closed
  – All categorizations of such events are ad hoc and somewhat arbitrary
  – For a particular event, the probability (or likelihood) and the expected loss are difficult (if not impossible) to quantify (→ there are no meaningful statistics)
  – It is not even clear why the two values should be multiplied
  – Probability theory is often seductive and counterintuitive (e.g., birthday problem, Monty Hall problem, … )

(Figure, 2014: two events shown side by side. Question: What is the fundamental difference between these two events? Answer: The availability of statistics)

Collective Exercise

– Explain and solve the Monty Hall problem
– Events
  – Pi = Prize is behind gate i
  – Mj = Moderator has opened gate j
– Situation
  – The candidate has selected gate 1 and the moderator has opened gate 3
  – Should the candidate change his or her selection (1 → 2)?
  – Alternatively speaking: Is Pr(P2 | M3) > 1/3?
– We know
  – Pr(P1) = Pr(P2) = Pr(P3) = 1/3
  – Pr(M3 | P1) = 1/2
  – Pr(M3 | P2) = 1
  – Pr(M3 | P3) = 0
– According to Bayes' Theorem

$$\Pr(P_2 \mid M_3) = \frac{\Pr(M_3 \mid P_2)\,\Pr(P_2)}{\Pr(M_3 \mid P_1)\,\Pr(P_1) + \Pr(M_3 \mid P_2)\,\Pr(P_2) + \Pr(M_3 \mid P_3)\,\Pr(P_3)} = \frac{1 \cdot \frac{1}{3}}{\frac{1}{2} \cdot \frac{1}{3} + 1 \cdot \frac{1}{3} + 0 \cdot \frac{1}{3}} = \frac{2}{3}$$

→ Changing the selection is always advantageous (2/3 > 1/3)
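The Bayes computation above, carried out in code as an added example (not part of the lecture slides). It generalizes the slide's three-gate case to n gates under the same model (uniform prior, moderator never opens the chosen or the prize gate) and cross-checks the posterior with a seeded simulation:

```python
import random
from fractions import Fraction


def monty_hall_posterior(n_gates: int, chosen: int, opened: int) -> dict:
    """Posterior Pr(P_i | M_j) for every gate i via Bayes' theorem.

    Model from the slide, generalized to n >= 3 gates: the prize is behind each
    gate with prior 1/n; the moderator knows the prize gate, never opens the
    chosen gate or the prize gate, and picks uniformly among the rest.
    """
    valid = {chosen, opened} <= set(range(1, n_gates + 1))
    if n_gates < 3 or chosen == opened or not valid:
        raise ValueError("need n >= 3 and two distinct gates in 1..n")
    gates = range(1, n_gates + 1)
    prior = {i: Fraction(1, n_gates) for i in gates}

    def likelihood(i: int) -> Fraction:  # Pr(M_j | P_i)
        if i == opened:
            return Fraction(0)               # the prize gate is never opened
        if i == chosen:
            return Fraction(1, n_gates - 1)  # any of the other n-1 gates
        return Fraction(1, n_gates - 2)      # must avoid chosen and prize gate

    evidence = sum(likelihood(i) * prior[i] for i in gates)  # Pr(M_j)
    return {i: likelihood(i) * prior[i] / evidence for i in gates}


def should_switch(n_gates: int, chosen: int, opened: int) -> bool:
    """True if some unopened, unchosen gate beats the chosen gate's posterior."""
    post = monty_hall_posterior(n_gates, chosen, opened)
    best_other = max(p for i, p in post.items() if i not in (chosen, opened))
    return best_other > post[chosen]


def simulate(n_trials: int, switch: bool, n_gates: int = 3, seed: int = 0) -> float:
    """Empirical win rate of the stay/switch strategy (seeded, so reproducible)."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(n_trials):
        prize = rng.randint(1, n_gates)
        chosen = rng.randint(1, n_gates)
        opened = rng.choice([g for g in range(1, n_gates + 1) if g not in (chosen, prize)])
        if switch:
            chosen = rng.choice([g for g in range(1, n_gates + 1) if g not in (chosen, opened)])
        wins += chosen == prize
    return wins / n_trials


if __name__ == "__main__":
    print(monty_hall_posterior(3, 1, 3))   # {1: 1/3, 2: 2/3, 3: 0}
    print(should_switch(3, 1, 3))          # True
    print(simulate(20000, switch=True), simulate(20000, switch=False))
```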

Introduction Security Process

– This is similar to many situations in daily life
  – Designing security and safety measures in a house (e.g., locks, alarm systems, fire extinguishers, … )
  – Visiting dangerous places (e.g., in a foreign city)
  – …
– Instead of complete risk analyses, people often use qualitative risk analyses or baseline requirements (to select appropriate security measures)
– This is sometimes impossible due to regulation (e.g., financial industry)
– Risk analyses are often done in the reverse direction
– This defeats their original purpose

Individual Exercise

– Perform a risk analysis for your Internet banking Web site
– Determine the relevant events and the respective risks
– Analyze the results

Introduction Security Process

– People sometimes argue that a security architecture is needed
– This argument is questionable, because a security architecture needs to address (and be restricted to) a particular problem or application, e.g., messaging, SAP, or Internet gateways
– In the real world, there is no single architecture that is applicable to all situations
– This also applies to the digital world, and hence the job of an IT security officer is comparable to the job of an architect in civil engineering
– The bottom line is that security architectures are important (but only for particular problem areas)
– In contrast, security and penetration tests are less important (except for awareness and fund raising)
– In the real world, there are no «ethical burglars» or respective service offerings, but there are offerings related to control and supervision services (e.g., Securitas or Protectas in Switzerland)

R. Oppliger, IT Security: In Search of the Holy Grail, Communications of the ACM, Vol. 50, No. 2, February 2007, pp. 96–98

Introduction 1.5 Security Principles

– In 1975, Jerry Saltzer and Michael Schroeder published a paper in which they specified principles for the design of secure systems
  – Economy of mechanism: Keep the design as simple and small as possible
  – Fail-safe defaults: Base access decisions on permission rather than exclusion (→ whitelisting)
  – Complete mediation: Every access to every object must be checked for authority
  – Open design: The design should not be secret
  – Separation of privilege: Where feasible, a protection mechanism that requires two keys to unlock it is more robust and flexible than one that allows access to the presenter of only a single key (→ defense in depth)
  – Least privilege: Every program and every user of the system should operate using the least set of privileges necessary to complete the job
  – Least common mechanism: Minimize the amount of mechanism common to more than one user and depended on by all users (→ this somehow contradicts common wisdom in economy)

Introduction Security Principles

  – Psychological acceptability: It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly
  – Work factor: Compare the cost of circumventing the mechanism with the resources of a potential attacker
  – Compromise recording: It is sometimes suggested that mechanisms that reliably record that a compromise of information has occurred can be used in place of more elaborate mechanisms that completely prevent loss (→ detection instead of prevention)
– Most design principles still apply
– The list is not comprehensive
– There are other lists of principles and lists of misconceptions

R. Oppliger and B. Wildhaber, Common Misconceptions in Computer and Information Security, IEEE Computer, Vol. 45, No. 6, June 2012, pp. 102–104

Introduction Security Principles

– Complementary principles
  – There is no absolute security
  – Every system is subject to attack (e.g., run a bot)
  – Security requirements must be considered and taken into account as early as possible
  – Security measures must be economical, usable, and equally strong (→ there are many tradeoffs to make) → Work factor
  – Security measures are mostly circumvented, not broken
  – «Defense in depth» is important
  – Access controls must implement the «need to know» principle → Least privilege
  – «Security through obscurity» seldom works → Open design
  – Simplicity and minimal systems are advantageous («keep it simple») → Economy of mechanism

Introduction 1.6 Standards and Best Practices

– The more complex a topic is, the more people want to refer to standards and best practices
– This also applies to IT security
– Consequently, there are many standards in this area
– In particular, there are many standards that specify best practices or address information security management systems (ISMS) according to ISO/IEC 27001
– Sometimes, standards are adopted or adapted by specific industries or communities, such as the Payment Card Industry Data Security Standard (PCI DSS)
– The more specific an IT security standard is, the better is its starting position
  – It is reasonable to assume that PCI DSS will be successfully deployed
  – In contrast, it is open whether ISO/IEC 27001 will be successfully deployed (in the long term)
  – Its success also depends on political and economic factors, as well as effects related to group dynamics (similar to ISO 9000)

Introduction Standards and Best Practices

– In Switzerland, there have recently been a few initiatives to improve the cyber security and resilience of small and medium sized enterprises (SME)

(Figure: © Federal Office for National Economic Supply; alternative from Liechtenstein: cybercheck.li)

Introduction Standards and Best Practices

– In the real world, we are aware of the fact that absolute security (or safety) does not exist
– In the case of road safety, for example, we combine different measures to achieve a reasonable level of security (or safety)
  – Driver examinations
  – Vehicle examinations
  – Educational programs
  – Awareness raising
  – Traffic laws
  – Police controls
  – ...
– A similar line of argumentation is applicable to IT security, and one may employ different security measures that complement each other (→ defense in depth)

2. Computer Security (COMPUSEC)

2.1 Authentication
2.2 Authorization and Access Control
2.3 Software Security
2.4 Intrusion Detection and Prevention
2.5 Trusted Computing

Computer Security 2.1 Authentication

– Authentication is about verifying a claimed identity
– Approaches
  – «Have something»
  – «Know something»
  – «Be something»
  – «Be somewhere»
– All approaches have advantages and disadvantages
– They can be combined in multiple ways (→ multi-factor authentication, MFA)

Computer Security Authentication

– The «have something» approach requires a (physical) token to be verified during authentication
– The token can be anonymous and need not be personalized (i.e., assigned to a particular person)
– The verification can be done by a human or a machine (device)
– Such tokens are omnipresent in daily life
  – Key (e.g., house, office, … )
  – Ticket (e.g., bus/tram, cinema, theater, concert, … )
  – Cash
  – RFID card
  – ...
– The main problem is that the token is not assigned to a particular person, and hence that it may be given away (to anybody) by its owner

Computer Security – Authentication

– The «know something» approach requires some secret (authentication) information to be verified during authentication
– The information can be anonymous and need not be assigned to a particular person
– The verification can be done by a human or a machine (device)
– This approach is most frequently used in IT
  – Personal identification number (PIN)
  – Password, passphrase, …
  – Cryptographic secret (key)
– Again, the main problem is that the information is not assigned to a particular person, and hence that it can be given away (to anybody) by its owner
– This can be done on purpose or as the result of a social engineering attack (→ video 0:42 – 2:32)

Computer Security Authentication

– The «be something» approach is based on some (personal) biometric characteristics to be verified during authentication
– The characteristics are unique to a particular person and cannot be given away
– The verification can be done by a human or a device
– Exemplary characteristics
  – Face recognition
  – Fingerprint
  – Iris recognition
  – Hand geometry
  – DNA
  – …

Computer Security Authentication

– Difficulties in practice
  – A user can only be authenticated if his or her templates are stored in the database
  – Errors (→ FAR and FRR must be adjusted to meet the requirements of the application; FAR = False Acceptance Rate, FRR = False Rejection Rate)
  – Privacy concerns
– Biometrics is an authentication technology (rather than an identification technology)
– It is a «high-end» technology, but it can also be used for «low-end» applications (e.g., Apple Touch ID or Face ID)
– Here, it has to compete with relatively weak authentication technologies, e.g., passwords or PINs

Computer Security Authentication

– The «be somewhere» approach is based on information about the current location of a person → location-based authentication (LBA)
– This information may serve as additional evidence that complements other authentication approaches
– The verification (of the location information) is typically done by a device
– But the information need not be authentic and can often be forged
– Examples
  – Telephone number recognition and call back systems
  – Berkeley r-tools (rlogin, rsh, rexec, … )
  – Verification systems for IP addresses
  – GPS-based location systems
  – WLAN-based location systems
  – …

Computer Security Authentication

– In practice, the «know something» approach and – more specifically – passwords dominate the field
– Passwords need not be stored in plaintext on the server side
– Instead, passwords can be stored as images that are mapped with a one-way function f
– The password verification can be done by checking whether the respective images match

(Figure: the user provides pw', the server computes f(pw') and compares it with the stored image f(pw): f(pw') =? f(pw))

pw = password of user, pw' = password provided by the user

Computer Security – Authentication

– Example: UNIX (Robert Morris and Ken Thompson, 1979)
  – The one-way function f is crypt()
  – crypt() implements a (modified) version of DES encryption iterated 25 times
  – The null string is encrypted and the user password serves as the encryption key
  – Today, other one-way functions are used (e.g., SHA-256)
– To make off-line dictionary attacks more difficult to mount, salt is used
  – The idea is to additionally parametrize the function f with a 12-bit salt value (→ there are 2^12 = 4'096 possible functions f), but the size of the salt value is a parameter
  – The salt value is stored in plaintext, so it does not serve as a key
– The password file used to be publicly readable (in earlier versions), but is shadowed nowadays and can only be read by privileged processes (e.g., login process)
– It is sometimes recommended to use pepper (another secret value that is the same for all users) in the password hashing process
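An added example (not the lecture's or any system's own code) of the salted and peppered one-way function f described above, with PBKDF2-HMAC-SHA256 standing in for crypt(). The pepper value and the wordlist are constructed for the example; offline_guess is a defender's cost model that counts how many evaluations of f an off-line dictionary attack on a stolen password file needs, which shows why per-user salts multiply the work and why an unknown pepper stops it entirely:

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed pepper for this example (an assumption): a server-wide secret that,
# unlike the salt, is NOT stored in the password file (e.g., kept in a config
# store or HSM), so a stolen file alone is not enough for a dictionary attack.
PEPPER = b"example-pepper-not-for-production"
ITERATIONS = 50_000  # today's counterpart of crypt()'s 25 DES iterations


def f(password: str, salt: bytes, pepper: bytes = PEPPER) -> bytes:
    """One-way function f, parametrized with a salt (and a pepper).

    PBKDF2-HMAC-SHA256 stands in for the slide's crypt(): the salt selects one
    of 2^(8*len(salt)) distinct functions, the iteration count slows guessing.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode() + pepper, salt, ITERATIONS)


def create_entry(password: str, salt: Optional[bytes] = None) -> dict:
    """Build a password-file entry: the salt in plaintext plus the image f(pw)."""
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt (the slide's 12 bits are historic)
    return {"salt": salt.hex(), "image": f(password, salt).hex()}


def verify(entry: dict, candidate: str) -> bool:
    """Check f(pw') against the stored image f(pw) with a constant-time compare."""
    salt = bytes.fromhex(entry["salt"])
    return hmac.compare_digest(bytes.fromhex(entry["image"]), f(candidate, salt))


def offline_guess(entries: dict, wordlist: list, pepper: bytes) -> tuple:
    """Defender's cost model of an off-line dictionary attack on a stolen file.

    Returns (cracked users, number of f evaluations). f is evaluated once per
    (word, salt) pair, so distinct per-user salts multiply the work, and with
    the wrong pepper no computed image ever matches a stored one.
    """
    cracked, cache, evaluations = {}, {}, 0
    for user, entry in entries.items():
        salt = bytes.fromhex(entry["salt"])
        image = bytes.fromhex(entry["image"])
        for word in wordlist:
            if (word, salt) not in cache:
                cache[(word, salt)] = f(word, salt, pepper)
                evaluations += 1
            if hmac.compare_digest(cache[(word, salt)], image):
                cracked[user] = word
                break
    return cracked, evaluations


if __name__ == "__main__":
    users = {"alice": create_entry("letmein"), "bob": create_entry("letmein")}
    print(verify(users["alice"], "letmein"), verify(users["alice"], "letmeout"))
    # Same password, different salts: the guess list must be hashed per user.
    print(offline_guess(users, ["password", "letmein"], PEPPER))
```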

Computer Security Authentication

– Problems related to passwords
  – Users tend to select simple and easy-to-guess passwords (→ «password aging», proactive password checker, password generators, password managers, ... )
  – Knowledge of a password file or a password file entry allows an off-line password guessing or dictionary attack (→ «salt» mechanism)
  – If a password is transmitted in a network, then it can either be eavesdropped or be subject to a dictionary attack (→ strong authentication mechanisms)
– The usefulness of password aging is controversially discussed in the community, and many organizations move away from recommending or enforcing it

Refer to https://www.passwortcheck.ch for a proactive password checker operated by the data protection officer of the canton of Zürich

Collective Exercise

– Determine (e.g., by a poll) how many students would enforce password aging in their area of responsibility at first sight, i.e., prior to a discussion
– Discuss the advantages and disadvantages of password aging
– Determine again how many students would enforce password aging, i.e., after a discussion

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 51 Department of Informatics

Computer Security Authentication

– The possibility to hand over a password leads to many forms of social engineering attacks (e.g., phishing)

© Goscinny/Uderzo, Grosser Asterix-Band X, „Asterix als Legionär“, EHAPA-Verlag GmbH, Stuttgart, 1973, p. 41

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 52 Department of Informatics

Computer Security Authentication

– Also, most passwords are susceptible to brute-force attacks

Annotations to the cartoon: «Well-known attempt to obfuscate a trivial password» and «Due to the English keyboard layout (y and z swapped)»

© Goscinny/Uderzo, Grosser Asterix-Band X, „Asterix als Legionär“, EHAPA-Verlag GmbH, Stuttgart, 1973, p. 40

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 53 Department of Informatics

Computer Security Authentication

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 54 Department of Informatics

Individual Exercise

– Install a network monitoring tool like
– Use various TCP/IP applications and log the respective network traffic
– Find the login sequences in the respective logs and retrieve the respective user credentials (e.g., passwords) sent in the clear

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 55 Department of Informatics

Computer Security Authentication

– There is no unanimously agreed metric for the strength of an authentication mechanism
  – Some people call it strong if it supports multiple factors (→ MFA) or if it is based on biometric authentication
  – Other people use other criteria and metrics
– Exemplary metric for «know something» approaches (not standardized)
  – An authentication mechanism is weak if the authentication information in use is static and susceptible to an eavesdropping and replay attack (e.g., username/password, HTTP basic authentication, ...)
  – It is medium if the authentication information in use is dynamically changing and not susceptible to an eavesdropping and replay attack (e.g., scratch lists, one-time passwords, challenge-response mechanisms, software certificates, HTTP digest authentication, ...)
  – It is strong if it is medium and the authentication information is additionally held in a tamper-resistant device (e.g., one-time password tokens, challenge-response tokens, hardware certificates, ...)

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 56 Department of Informatics

Computer Security Authentication

– A conceptually simple one-time password scheme that only employs a one-way function (e.g., a cryptographic hash function) was originally proposed by Leslie Lamport in 1981 (paper)
– The Lamport scheme was specified in informational RFC 1760 (S/KEY from Bellcore) and – in more general terms – in Standards Track RFC 2289
– It was also implemented in another system called One-time Passwords In Everything (OPIE)

Hash chain (t = 1000):
  h^1000(pw) = a_0 (= h^t(pw), initially stored in the password file)
  h^999(pw) = a_1
  h^998(pw) = a_2
  ...
  h^2(pw) = a_998
  h(pw) = a_999
– Authentication with h^(t-i)(pw) for i = 1, ..., t-1
– Replacement of h^(t-i+1)(pw) with h^(t-i)(pw) in the password file
– Verification: h(a_i) = a_(i-1) ?
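The hash chain above as a working Lamport / S/KEY-style scheme, added here as an example (not code from the lecture, RFC 1760, RFC 2289 or OPIE): h is SHA-256, the passphrase is constructed, and the class and function names are hypothetical.

```python
"""Lamport one-time passwords: the server stores only a_0 = h^t(pw) and
moves one step down the chain per login. Added example, not the lecture's code."""
import hashlib


def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def h_iter(x: bytes, k: int) -> bytes:
    """h^k(x): apply the one-way function k times (h^0(x) = x)."""
    for _ in range(k):
        x = h(x)
    return x


class Server:
    """Holds a_0 = h^t(pw), never pw itself: a stolen password file gives an
    attacker nothing usable, since inverting h is infeasible."""

    def __init__(self, t: int, a0: bytes):
        self.t = t
        self.stored = a0      # currently h^(t-i+1)(pw) for the next login i
        self.i = 1            # index of the next expected one-time password

    def authenticate(self, candidate: bytes) -> bool:
        # The i-th login must present h^(t-i)(pw): one hash step before stored
        if self.i > self.t - 1 or h(candidate) != self.stored:
            return False
        self.stored = candidate    # replace h^(t-i+1)(pw) with h^(t-i)(pw)
        self.i += 1
        return True


class Client:
    """Recomputes h^(t-i)(pw) from the passphrase for each login (a hardcopy
    S/KEY list simply prints these values in advance)."""

    def __init__(self, pw: bytes, t: int):
        self.pw, self.t, self.i = pw, t, 1

    def next_otp(self) -> bytes:
        otp = h_iter(self.pw, self.t - self.i)
        self.i += 1
        return otp


def enrol(pw: bytes, t: int = 1000):
    """Initial exchange: the client computes a_0 = h^t(pw), the server stores it."""
    return Client(pw, t), Server(t, h_iter(pw, t))


def demo(n_logins: int = 3):
    """n successful logins, then a replay of the last value seen on the wire and
    a forgery attempt by hashing forward. Returns (all_ok, replay_ok, forged_ok)."""
    pw = b"constructed-passphrase"           # constructed sample secret
    client, server = enrol(pw)
    ok = [server.authenticate(client.next_otp()) for _ in range(n_logins)]
    last = h_iter(pw, 1000 - n_logins)        # exactly what an eavesdropper captured
    replay = server.authenticate(last)        # reuse: h(last) != stored any more
    forged = server.authenticate(h(last))     # the next value needs a preimage, not an image
    return all(ok), replay, forged
```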

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 57 Department of Informatics

Computer Security Authentication

– Today, there are many one-time password (OTP) systems (besides S/KEY and OPIE)
– The RSA SecurID suite has a particularly high market share (implemented in hardware or software)
– In 2011, RSA experienced a major system compromise (most likely, the token seed record database was compromised and exfiltrated)
– The company had to replace most hardware tokens in use
– SecOVID from Kobil Systems uses a similar design and yields a viable alternative

© https://www.shc.eu/loesungen/datensicherheit/emc securid/

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 58 Department of Informatics

Computer Security Authentication

– Today, people prefer standardized and open (non-proprietary) solutions
– The Initiative for Open AuTHentication (OATH) develops open standards for authentication (not to be confused with OAuth, which deals with the delegation of authorized access for Web applications)
– Standards developed so far
  – HMAC-based One-time Password (OATH-HOTP) → RFC 4226
  – Time-based One-time Password (OATH-TOTP) → RFC 6238
  – OATH Challenge-Response Algorithm (OCRA) → RFC 6287

OTP(K,n) = truncate(HMAC(K,n))
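The formula OTP(K,n) = truncate(HMAC(K,n)) carried out as specified in RFC 4226, with TOTP (RFC 6238) as the special case n = time step, added here as an example (not code from the lecture or from OATH). The shared key is the test key of RFC 4226, Appendix D; the function names are hypothetical, and the look-ahead window goes slightly beyond the slide (RFC 4226, section 7.4).

```python
"""HOTP / TOTP per RFC 4226 and RFC 6238. Added example, not the lecture's code."""
import hashlib
import hmac


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA-1 over the 8-byte big-endian counter, then dynamic truncation:
    the low nibble of the last byte selects 4 bytes, their top bit is masked off,
    and the result is reduced modulo 10**digits."""
    hs = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()  # 20 bytes
    offset = hs[19] & 0x0F
    code = int.from_bytes(hs[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter replaced by the number of elapsed time steps."""
    return hotp(key, unix_time // step, digits)


def verify_hotp(key: bytes, server_counter: int, otp: str, window: int = 3):
    """Server-side check: accept an OTP for counters server_counter ..
    server_counter + window - 1 (the client may have advanced without the
    server seeing those values). On success return the resynchronized counter
    (one past the match); a value at or below the stored counter is never
    accepted, so a captured OTP cannot be replayed. Return None on rejection."""
    for c in range(server_counter, server_counter + window):
        if hmac.compare_digest(hotp(key, c), otp):
            return c + 1
    return None


TEST_KEY = b"12345678901234567890"      # test secret from RFC 4226, Appendix D
```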

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 59 Department of Informatics

Computer Security Authentication

– Since 2014, the Fast IDentity Online (FIDO) Alliance has two standards (UAF → biometry, U2F → MFA)
– More recently, the FIDO Alliance has started to combine UAF and U2F in FIDO2

Diagram (FIDO2 roles and protocols):
– User → Web Client (Browser): Login Request
– Web Client (Browser) ↔ Web Server (Relying Party): WebAuthn (W3C); the server sends App ID and Challenge, the client returns Counter and Response
– Web Client (Browser) ↔ Authenticator («built in» or «roaming»): Client-To-Authenticator Protocol 2 (CTAP2)
– The authenticator holds a public key pair for a particular app (App ID) to digitally sign challenges
– Optional: «User (Presence) Verification» and «Device Attestation»

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 60 Department of Informatics

Computer Security Authentication

– From a more theoretical perspective, a «proof of knowledge»-based authentication system can be seen as an interactive proof system (IPS)
– Ideally, the participant uses an (interactive) protocol to prove knowledge of a secret key (without revealing it or leaking any information about it)
– As such, it basically implements a factual proof
– There are many factual proofs one can think of in daily life
  – «Pepsi test» (i.e., capability to distinguish Coca Cola and Pepsi)
  – Capability to read one's mind
  – Knowledge of a mathematical formula
  – ...
– In contrast to a «normal» (noninteractive) proof, an interactive proof (representing a factual proof) is non-transferable, meaning that it cannot be used to convince somebody else

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 61 Department of Informatics

Computer Security Authentication

– In 1985, Silvio Micali, Shafi Goldwasser, and Charles Rackoff introduced the notion of an IPS that leaks (provably) no information about the fact that is proven except that the proof is true (cf. original paper) → Gödel Prize, 1993 (together with László Babai and Shlomo Moran)
– Such a system is said to have the zero-knowledge property (in addition to the completeness and soundness properties)
– The property can be proven by showing that the IPS can be simulated
– It is obvious that the zero-knowledge property has many practical advantages for a «proof of knowledge»-based authentication system, such as password-based authentication
– For such a system, it can be proven that somebody knows a secret key without leaking any information about this key
– This suggests that the respective (authentication) protocol can be executed arbitrarily many times without leaking any information about the secret key (that is used for the authentication)

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 62 Department of Informatics

Computer Security Authentication

– Examples
  – (1) The Strange Cave of Ali Baba or How to Explain Zero-Knowledge Protocols to Your Children

© Scott Twombly (YouTube channel)

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 63 Department of Informatics

Computer Security Authentication

– (2) Knowledge of a solution for 3COLOR(G) for graph G
  – Prover P generates a graph G' that is isomorphic to G (using a secret isomorphism)
  – P sends G' to the verifier V
  – V challenges P to either reveal a solution for 3COLOR(G') or the isomorphism between G and G'
  – P sends the respective response to V
  – This is repeated until V is convinced that P knows a solution for 3COLOR(G)
  Side notes: 3COLOR is NP-complete. Since 2017 it is known that the graph isomorphism (GI) problem can be solved in quasipolynomial time
– In 1987, Amos Fiat and Adi Shamir proposed the first practical authentication protocol that has the zero-knowledge property → Fiat-Shamir protocol
– The protocol is based on the modular square (one-way) function
– Many other protocols have been proposed meanwhile (with partly different properties)

[Figure: an example graph G with labelled vertices (a) to (j)]

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 64 Department of Informatics

Computer Security Authentication

– Fiat-Shamir protocol
  – Prover P: chooses r ∈_R Z_n^*, computes s = r^2 (mod n), and sends s to the verifier V
  – Verifier V: chooses e ∈_R {0,1} and sends e to P
  – Prover P: computes t = r·x_P^e (mod n) and sends t to V (e = 0: t = r; e = 1: t = r·x_P)
  – Verifier V: checks whether t^2 = s·y_P^e (mod n)
– Assumptions
  – Publicly known RSA modulus n = pq (p and q are secret and not reused)
  – Prover P has a private key x_P that is a randomly selected element from Z_n^*
  – Verifier V has the respective public key (n, y_P) with y_P ≡ x_P^2 (mod n)
– One can show that it is equally difficult to compute square roots in Z_n^* and to factorize n
– Hence, the security of the Fiat-Shamir protocol is based on the difficulty of the integer factorization problem that is conjectured to be hard (the RSA public key cryptosystem is based on the same conjecture)
– The protocol is executed in multiple (k) rounds (e.g., k = 20)
– The success probability for an adversary can be made arbitrarily small (by increasing k)

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 65 Department of Informatics

Computer Security Authentication

– If somebody can correctly respond to both possible values of e (e = 0 and e = 1), then he or she can trivially compute x_P (i.e., x_P = r·x_P/r) → this cannot be the case
– An adversary can only prepare himself or herself for one value of e in each round
  – Guess e = 0 → «normal» protocol execution (but if e = 1, then x_P is missing)
  – Guess e = 1 → t is randomly selected; s = t^2/y_P; the protocol is started with s (but if e = 0, then r is missing and cannot be computed because this requires computing a modular square root)
– This also means that arbitrarily many protocol transcripts can be generated (→ simulation)
– Example: p = 3, q = 5, n = pq = 15, x_P = 7, y_P ≡ 7^2 mod 15 ≡ 49 mod 15 ≡ 4, y_P^(-1) ≡ 4 (4·4 = 16 ≡ 1 mod 15)
  – Round 1: e = 0 → r = 2, s = 4, t = 2; check: 2^2 = 4 ≡ 4 mod 15 → transcript (4,0,2)
  – Round 2: e = 1 → t = 3, s = 3^2·4 ≡ 36 mod 15 = 6; check: 3^2 = 9 ≡ 6·4 mod 15 → transcript (6,1,3)
  – Round 3: e = 1 → t = 7, s = 7^2·4 ≡ 196 mod 15 = 1; check: 7^2 = 49 ≡ 4 ≡ 1·4 mod 15 → transcript (1,1,7)
  – Round 4: e = 0 → r = 8, s = 4, t = 8; check: 8^2 = 64 ≡ 4 mod 15 → transcript (4,0,8)
  – ...

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 66 Department of Informatics

Computer Security Authentication

– The bottom line is that arbitrarily many protocol transcripts can be generated without interaction with P (and hence without knowledge of x_P) → security results from interaction (and the selection of e)
– This is similar to the «Pepsi test»
– It also means that a protocol execution and the respective transcript do not leak any information about x_P
– This is not true for a «normal» authentication protocol (where protocol transcripts cannot be generated without knowledge of x_P)
– In the case of the Fiat-Shamir protocol, the adversary can cheat with a success probability of 1/2 in each round
– After k rounds, the success probability for an adversary is (1/2)^k = 1/2^k
– This probability can be made arbitrarily small (with a sufficiently large value of k)
– But the larger k is, the more must be sent back and forth
– There are variants of the Fiat-Shamir protocol that require fewer messages to be sent back and forth
– The high level of interaction remains a major problem → the protocols are not used in the field
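The Fiat-Shamir protocol, the transcript simulator and the cheating prover of the previous two slides, run with the slides' toy parameters (p = 3, q = 5, n = 15, x_P = 7, y_P = 4), as an added example that is not code from the lecture or from Fiat and Shamir's paper. The function names are hypothetical, and n = 15 is far too small for any real use.

```python
"""Fiat-Shamir identification: honest prover, verifier check, simulator that
produces accepted transcripts without x, and the 1/2-per-round cheater.
Added example with the lecture's toy numbers, not the lecture's code."""
import random
from math import gcd


def keygen(p: int, q: int, x: int):
    """Private key x in Z_n^*, public key (n, y) with y = x^2 mod n."""
    n = p * q
    assert gcd(x, n) == 1
    return n, x, pow(x, 2, n)


def random_unit(n: int, rng: random.Random) -> int:
    """Uniform element of Z_n^* (invertible modulo n)."""
    while True:
        r = rng.randrange(1, n)
        if gcd(r, n) == 1:
            return r


def verifier_check(n: int, y: int, s: int, e: int, t: int) -> bool:
    """V accepts iff t^2 = s * y^e (mod n)."""
    return pow(t, 2, n) == (s * pow(y, e, n)) % n


def honest_round(n: int, x: int, y: int, rng: random.Random):
    """One round with the real prover: commit s = r^2, challenge e, respond t = r * x^e."""
    r = random_unit(n, rng)
    s = pow(r, 2, n)
    e = rng.randrange(2)
    t = (r * pow(x, e, n)) % n
    return (s, e, t), verifier_check(n, y, s, e, t)


def honest_run(n: int, x: int, y: int, k: int, seed: int = 1) -> bool:
    rng = random.Random(seed)
    return all(honest_round(n, x, y, rng)[1] for _ in range(k))


def simulate_transcript(n: int, y: int, e: int, rng=None):
    """Accepted transcript (s, e, t) produced WITHOUT x: for e = 0 a normal
    commitment (t = r); for e = 1 choose t first and set s = t^2 * y^-1 (mod n)."""
    rng = rng or random.Random()
    if e == 0:
        r = random_unit(n, rng)
        return r * r % n, 0, r
    t = random_unit(n, rng)
    return (t * t * pow(y, -1, n)) % n, 1, t


def cheating_round(n: int, y: int, rng: random.Random) -> bool:
    """Adversary without x prepares for a guessed challenge; the verifier
    accepts iff its actual challenge equals the guess (probability 1/2)."""
    guess = rng.randrange(2)
    s, _, t = simulate_transcript(n, y, guess, rng)
    e = rng.randrange(2)            # the verifier's real challenge
    return verifier_check(n, y, s, e, t)


def cheating_success_rate(n: int, y: int, k: int, trials: int, seed: int = 1) -> float:
    """Fraction of k-round runs in which the cheater passes every round; expectation (1/2)^k."""
    rng = random.Random(seed)
    wins = sum(all(cheating_round(n, y, rng) for _ in range(k)) for _ in range(trials))
    return wins / trials


def extract_secret(n: int, t0: int, t1: int) -> int:
    """Responses to BOTH challenges for the same commitment s reveal x = t1 / t0 (mod n),
    which is why answering twice for one s must never happen."""
    return (t1 * pow(t0, -1, n)) % n
```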

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 67 Department of Informatics

Computer Security Authentication

– To enable single sign-on (SSO), the system needs to store some credentials that allow it to authenticate to other systems (or services) on the user's behalf
– Without such credentials, the user would have to enter his or her password over and over again
– Examples of such credentials are passwords, password hashes, tickets, or anything else
– In Windows, the SSO feature is enforced by the Local Security Authority Subsystem (LSASS) and the respective system process
– If an adversary can read out the credentials from system memory, then he or she can take over the user's identity and spoof him or her at will → Pass-the-Hash (PtH) attack
– For Windows, there are several tools that can be used to mount PtH attacks (e.g., Windows Credentials Editor, Mimikatz, ...)
– Microsoft has taken steps to make the attack more difficult to mount (but it remains feasible)

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 68 Department of Informatics

Computer Security Authentication

– Note that the use of smartcards or biometrics does not help
– Even if such technologies are put in place and used, the respective credentials are still routinely installed and stored locally on the client systems (where they can be read out and misused)
– If an adversary has compromised a user account, it is usually simple to compromise other accounts and systems (up to an administrator's account)
– The PtH vulnerability is the price to pay for SSO
  – It is probably the most important problem in network security today
  – It cannot be patched or fixed
  – It is very difficult to implement countermeasures that work
  – Restricting access rights and using one-time credentials seem to be the only protection mechanisms that partially work against PtH attacks

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 69 Department of Informatics

Computer Security Authentication

– Any authentication system must be usable
– Otherwise, users will be very ingenious in finding ways to circumvent it

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 70 Department of Informatics

Computer Security 2.2 Authorization and Access Control

– Authorization is to specify access rights (privileges) to resources; it is related to information security and computer security in general and to access control in particular
– Resources can be data, devices, software, applications, or any functionality in IT
– Access control is to enforce these access rights (privileges)
– In contrast to authentication, authorization and access control are less rigorously defined (and cryptography does not really help)
– Authorization mainly refers to an administrative task, whereas access control refers to a technical task (enforcement)
– A policy must govern both tasks
– Historically, there have been access control models to address authorization and a reference monitor to address access control

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 71 Department of Informatics

Computer Security Authorization and Access Control

– Principals
  – Users (humans)
  – Subjects (i.e., processes executing on behalf of particular users) → active
  – Objects (resources) → passive
– Access control is to determine, grant or prevent, possibly revoke, and audit the access of subjects to objects
– Access control models
  – Discretionary access control (DAC)
  – Mandatory access control (MAC)
    (relatively old and historically relevant → TCSEC)
  – Role-based access control (RBAC)
    (most widely deployed in the field)
  – Attribute-based access control (ABAC)
    (takes into account arbitrary attributes related to subjects, objects, and the environment, in addition to subject roles, and allows more fine-grained access control decisions)
  – ...

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 72 Department of Informatics

Computer Security Authorization and Access Control

– In a DAC, the owner of an object can specify the access rights (privileges) of all subjects
– Authorization is at the discretion of the object owner → ownership paradigm
– Example (UNIX)
  – The set of access rights is {read, write, execute}, or {r,w,x} in short
  – The owner of a file can specify the access rights for himself or herself (user), his or her colleagues (group), and everybody else (others)
  – Consequently, a directory listing for a file test.txt may comprise rwxr-xr-x (user: rwx, group: r-x, others: r-x)
– Instead of executing a program file with the access rights of the actual user, it is sometimes required to expand these rights to those of the program owner
– The setuid («set user ID upon execution») and setgid («set group ID upon execution») flags can be used for this purpose

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 73 Department of Informatics

Computer Security Authorization and Access Control

– Components of a DAC
  – S = set of all subjects s_i (i = 1, ..., n)
  – O = set of all objects o_j (j = 1, ..., m)
  – R = set of access rights / privileges r_k (k = 1, ..., l)
– A DAC is to specify the access rights R_ij for s_i and o_j
– Abstractly speaking, a DAC has to answer the question «does s_i have right r_k for object o_j?» for all possible subjects, access rights, and objects
– The information needed to answer this question yields a mathematical relation D on S, O, and R: (s_i, o_j, r_k) is in D ⇔ s_i has right r_k for o_j
– Conceptually, the information can be represented as an access control matrix (ACM)

[Figure: matrix with rows s_1, ..., s_i, ..., s_n, columns o_1, o_2, ..., o_j, ..., o_m, and entry R_ij]

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 74 Department of Informatics

Computer Security Authorization and Access Control

– Real systems typically store the information from the ACM either by columns or by rows
  – Columns → access control list (ACL) (example: Windows or UNIX)
  – Rows → privilege or capability list
– With ACLs, it's generally difficult to decide what objects a subject can access, but simple to decide which subjects can access an object
– With privilege lists, it's simple to decide what objects a subject can access, but it's generally difficult to decide which subjects can access an object
– The approaches can be combined

[Figure: the ACM with rows s_1, ..., s_i, ..., s_n and columns o_1, o_2, ..., o_j, ..., o_m]

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 75 Department of Informatics

Computer Security Authorization and Access Control

– A privileged user can always circumvent and bypass a DAC (simply by granting access rights)
– There are situations in which this behaviour is dangerous, and where information flows need to be controlled in some way or another
– This is where the notion of a MAC comes into play
– In a MAC, there are rules that authorize information flows (instead of object owners)
– This means that object owners cannot influence the outcome of access control decisions, and hence that these decisions cannot easily be circumvented and bypassed
– A MAC requires the clearance of subjects (i.e., subjects need to be cleared) and the classification of objects (i.e., objects need to be classified)
– Furthermore, there are access rules that specify the conditions under which a cleared subject can access a classified object
– Historically, a MAC has been strongly associated with multilevel security (MLS) as a means of protecting US classified information (→ TCSEC)

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 76 Department of Informatics

Computer Security Authorization and Access Control

– Example 1: Military access control model (aka lattice-based access control)
  – All possible security classes refer to the elements of a product lattice (i.e., the product of a totally ordered lattice and a subset lattice)
  – If an object with classification (SECRET,{A}) is given, then a subject cleared as (TOP SECRET,{A}) or (SECRET,{A,B}) can access the object, whereas a subject cleared as (CONFIDENTIAL,{A}) or (SECRET,{B,C}) cannot access it
  – This access control model is mathematically and practically well understood

[Figure: the totally ordered lattice TOP SECRET > SECRET > CONFIDENTIAL > INTERNAL and the subset lattice of {A,B,C}: {A,B,C} at the top; {A,B}, {A,C}, {B,C}; {A}, {B}, {C}; and the empty set at the bottom]

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 77 Department of Informatics

Computer Security Authorization and Access Control

– Example 2: Bell-LaPadula (BLP) model
  David Elliott Bell and Leonard J. LaPadula (MITRE, 1973) → confidentiality protection
  – Simple security property («no read up»)
    – s_i is allowed to read o_j iff C(s_i) ≥ C(o_j)
  – *-property («no write down»)
    – s_i is allowed to write o_j iff C(s_i) ≤ C(o_j)
  (C denotes the clearance or classification; ≥ is dominance in the lattice)

The *-property is to avoid the situation in which s_i writes data to objects that are less highly classified (than the clearance of s_i), where it could be read by a subject with low clearance

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 78 Department of Informatics

Computer Security Authorization and Access Control

– Example 3: Biba model
  Kenneth J. Biba (MITRE, 1977) → integrity protection (dual to the Bell-LaPadula model)
  – Simple integrity property («no read down»)
    – s_i is authorized to read o_j iff I(s_i) ≤ I(o_j)
  – *-integrity property («no write up»)
    – s_i is authorized to write o_j iff I(s_i) ≥ I(o_j)
– MACs, information flow controls and MLS have relatively bad track records when it comes to actual deployment and use in the field
– They have silently sunk into oblivion

[Figure: subject s_i in the Bell-LaPadula model (read down, write up) and in the Biba model (read up, write down)]
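The lattice of Example 1 together with the Bell-LaPadula and Biba rules of Examples 2 and 3, as an added example (not code from the lecture): security classes are (level, set of compartments) pairs, the level names and toy labels are the slides', and the function names are hypothetical. The flow check at the end goes beyond the slides by making the rationale of the *-property explicit.

```python
"""Lattice-based MAC decisions: product lattice, Bell-LaPadula, Biba.
Added example, not the lecture's code."""
from itertools import product

LEVELS = {"INTERNAL": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


def dominates(a, b) -> bool:
    """a >= b in the product lattice: a's level is at least b's level AND
    a's compartment set is a superset of b's. Classes with incomparable
    compartments (e.g., {A} vs {B,C}) dominate in neither direction."""
    (la, ca), (lb, cb) = a, b
    return LEVELS[la] >= LEVELS[lb] and set(ca) >= set(cb)


# Bell-LaPadula (C = clearance / classification): confidentiality
def blp_read(subject, obj) -> bool:       # simple security property: no read up
    return dominates(subject, obj)


def blp_write(subject, obj) -> bool:      # *-property: no write down
    return dominates(obj, subject)


# Biba (I = integrity level): the dual of Bell-LaPadula
def biba_read(subject, obj) -> bool:      # simple integrity property: no read down
    return dominates(obj, subject)


def biba_write(subject, obj) -> bool:     # *-integrity property: no write up
    return dominates(subject, obj)


def blp_flow_possible(src, dst, subjects) -> bool:
    """Can information move from object src to object dst under BLP through
    some subject that reads src and then writes dst? With the *-property this
    works only when dst dominates src, i.e., information never flows down."""
    return any(blp_read(s, src) and blp_write(s, dst) for s in subjects)


def all_classes(compartments=("A", "B", "C")):
    """Enumerate the 4 * 2^3 = 32 classes of the slides' product lattice."""
    subsets = [frozenset(c for c, keep in zip(compartments, bits) if keep)
               for bits in product((0, 1), repeat=len(compartments))]
    return [(lvl, sub) for lvl in LEVELS for sub in subsets]
```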

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 79 Department of Informatics

Computer Security Authorization and Access Control

– Today, group-based DACs and RBACs are most widely deployed
– In an RBAC, access rights (privileges) are assigned to roles (instead of subjects), and roles are assigned to users (or groups)
– This allows an indirect authorization of users
– The bottom line is that
  – Subjects act in certain roles
  – Objects can be accessed by subjects acting in certain roles
– Role engineering and management remain challenging tasks
– ABACs introduce other attributes than roles

© 2018 Hitachi ID Systems, Inc.

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 80 Department of Informatics

Computer Security Authorization and Access Control

– Sometimes people want to implement access control services with encryption mechanisms (sometimes required by law)
– This is particularly true for business process management systems («Geschäftsverwaltungssysteme»)
– This approach is problematic and leads to solutions that are overly complex to manage
  – If all data are encrypted the same way (i.e., using the same key), then the protection is not particularly useful
  – If users can selectively encrypt data for specific users or groups of users, then the respective key management is highly involved (depending on the complexity of the access control)
– The bottom line is that encryption may be the wrong tool to implement access control in this setting (→ research question and topic)

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 81 Department of Informatics

Computer Security 2.3 Software Security

– (Hoaxes)
– Bugs
– Trojan horses
– Computer worms
– Computer viruses
– Rootkits
– Bots and botnets
– Advanced persistent threats (APTs)
– Software liability

© Schlagseite c't 1/2003

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 82 Department of Informatics

Computer Security Software Security

– Hoaxes do not represent malware
– They still represent a major problem in the field
– Hoaxes exist in all possible forms (not necessarily related to IT)
– They represent a social problem (rather than a technical one)

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 83 Department of Informatics

Computer Security Software Security

– There are different terms to denote a software anomaly or mistake (according to IEEE 1044-2009)
  – An error is identified by the developer
  – A bug is identified by the tester and accepted by the developer
  – A fault is identified by the customer
– A program that has a bug does not behave correctly, i.e., its behavior does not conform to the specification
– Exemplary bugs
  – Buffer overflows
  – «Goto fail» bug (Apple)
  – Heartbleed
  – ...

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 84 Department of Informatics

Computer Security Software Security

– Due to the fact that every nontrivial piece of software comprises many bugs, there is a lot of room for exploitation and attack
– If a bug is revealed, then it must be corrected as soon as possible
  – If the software is available in source code, then the bug can be corrected and the code can be recompiled
  – Otherwise, the respective machine code needs to be patched by the software vendor
– The window of exposure is as large as the time it takes to correct the bug and to distribute the corrected software
– Zero-day exploits become known in the window of exposure → they are particularly dangerous
– Software engineering in general, and software patching (and hence patch management) in particular, are very important topics

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 85 Department of Informatics

Computer Security Software Security

– A Trojan horse is a program or piece of software that comprises one or several hidden (often malicious) functions that are neither specified nor documented
– The aim of the Trojan horse is to compromise a system and/or to install a trapdoor
– Trojan horses used to be distributed with games, utilities, and otherwise popular application programs
– Today, most Trojan horses are distributed with e-mail attachments and active Web content (→ «drive-by» infections)

https://blog.botfrei.de/2012/02/drive-by-downloads/

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 86 Department of Informatics

Computer Security Software Security

– A computer worm or worm is a computer program or piece of software that can replicate and distribute itself in a computer network or distributed system (e.g., the Internet)
– Normally, the distribution employs some running processes (mostly without user interaction)
– The worm can (but need not) implement some arbitrary damage function
– In any case, the worm binds some resources for its replication and distribution (so there is at least some economic damage)
– The idea of a computer worm first occurred in 1975 in John Brunner's novel «The Shockwave Rider»
– In the 1980s, researchers at Xerox PARC did some early experiments with computer worms for distributed computations and autoconfiguration of computer systems
– In the 1990s, people started to reconsider the worm technology in the realm of software agents
– Even today, the worm technology is a popular research topic (e.g., automatic patch management)
– The worm technology is dual-use

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 87 Department of Informatics

Computer Security Software Security

– On November 2, 1988, Robert Tappan Morris Jr. showed that computer worms can cause dramatic damage on the Internet
– The Internet or Morris worm came out of an experiment and implemented four ways to replicate itself over the Internet
  – Exploit remote shell (rsh)
  – Exploit bugs in sendmail and the finger daemon (fingerd)
  – Try out > 400 internally stored passwords
– The worm was very successful and infected approximately 50,000 systems (multiple times)
– It gave birth to the first Computer Emergency Response Team (CERT) at Carnegie Mellon University (today known as CERT Coordination Center)
– The Forum of Incident Response and Security Teams (FIRST) has more than 500 member organizations

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 88 Department of Informatics

Computer Security Software Security

– Examples
  – Melissa (1999)
  – ILOVEYOU (2000)
  – Code Red (2001)
  – SQL Slammer (2003)
  – W32.Blaster (2003)
  – Sobig (2003)
  – Mydoom (2004)
  – Sasser (2004)
– Alternatively (and more in line with biology), one could also call a computer worm a bacterium

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 89 Department of Informatics

Computer Security Software Security

– A (computer) virus is very similar to a computer worm
– There are two major differences
  – The program code of a computer virus cannot be executed by itself, but requires a victim program (e.g., operating system or application software)
  – A computer virus generally requires some human interaction for replication
– In general parlance, the term computer virus is frequently used to also refer to Trojan horses and computer worms
– The first computer virus that appeared in the field carried the identification of its creators in the source code
– This has changed, and today's virus creators try to stay anonymous

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 90 Department of Informatics

Computer Security Software Security

– Parts of a computer virus
  – Replication part (including a detection mechanism for already infected victim programs)
  – Damage function part (including a trigger)
  – Camouflage part
– There are many macro viruses and polymorphic viruses
– Similar to a computer worm, a computer virus can also implement some arbitrary damage functions
– In the case of computer viruses, effective damage functions occur even more frequently
– Ransomware represents a huge problem (e.g., CryptoLocker)

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 91 Department of Informatics

Computer Security Software Security

– A rootkit is a set of software tools that is installed after successfully compromising a computer system to hide future accesses and/or processes and files
– The term was coined in the UNIX world, but it is not restricted to UNIX systems
– The distinction between a rootkit and a Trojan horse is fuzzy
– The aim of a rootkit is to hide the existence of malware from a user or antivirus software

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 92 Department of Informatics

Computer Security Software Security

– A (software) bot is a computer program or piece of software that allows a computer system to be remotely controlled
– A botnet is a network of synchronized bots (may consist of 100,000s or millions of bots)
– A botnet is typically operated by a botmaster (e.g., using a command and control server)
– More recently, we have seen botnets that are organized as a peer-to-peer (P2P) network and that have no command and control server (e.g., Storm worm)
– Also, communications between the bots can be encrypted
– Countermeasures against botnets are challenging and sometimes impossible
– Botnets can be rented to mount DDoS attacks, send spam, or do anything else

[Figure: heart-lung machine running on Windows XP found in a hospital (also representing a bot)]

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 93 Department of Informatics

Computer Security Software Security

– The term advanced persistent threat (APT) represents the latest buzzword
– It does not refer to a new class of software anomalies and manipulations, but rather to a new way of using them
  – So far: 1 attack vector → entire population («low hanging fruits»)
  – APT: n attack vectors → 1 target
– The attack vectors need not be ingenious or new (but they are often combined in ingenious and new ways)
– Historically, the most important example was Stuxnet (2010), which targeted programmable logic controllers (PLCs) manufactured by Siemens and used, for example, in nuclear facilities located in Natanz (Iran)
– Stuxnet had a lot of press coverage

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 94 Department of Informatics

Computer Security Software Security

– Providing protection against malware is a difficult problem
– The core of the problem is how to distinguish «good» and «bad» software
  – There are no criteria to make this distinction
  – The situation is comparable to distinguishing «good» and «bad» IP packets (cf. RFC 3514 contributed by Steven M. Bellovin)
– In his 1983 ACM Turing Award lecture, Ken Thompson showed that every piece of software may contain malware, and that source code inspection does not help in general (because the malware can be introduced in every step of the software development process) → CACM paper
  – For example, a compiler can be modified to introduce malware on the fly (so there is no evidence for the malware in the respective source code)
– This argument is still valid and bounds the effectiveness of source code inspection


Computer Security Software Security

– In theoretical computer science, the halting problem refers to the problem of determining, from a description of an arbitrary computer program and an input, whether the program will finish running or run forever
– In 1936, Alan Turing proved that a general algorithm to solve the halting problem for all possible program-input pairs cannot exist (i.e., the halting problem is undecidable over Turing machines)
– In 1951, Henry G. Rice generalized Turing's result (in his Ph.D. thesis) and proved by reduction that all non-trivial semantic («functional») properties of programs are undecidable (→ Rice's theorem)
– This includes, for example, the virus detection problem (input = program; output = whether the input behaves like a virus, i.e., copies its code into another program)
– This means that it is impossible to write a program that can decide for any other program whether it contains a virus (impossibility result; Fred Cohen showed this explicitly for computer viruses in 1987)


Computer Security Software Security

– Hence, the best one can do is to apply pattern matching algorithms to look for known malware in any given piece of software
– The quality of an antivirus software depends on the quality and completeness of the database (of virus patterns) that is used
– Machine learning algorithms may help improve pattern matching
– Integrity check programs yield a viable alternative
– Before a program is executed, its integrity needs to be checked (using cryptographic hash functions and respective checksums, compared against a baseline that must itself be protected against modification)
– From a commercial perspective, integrity check programs are less attractive than pattern matching-based antivirus software
– Integrity checking is an integral part of trusted computing
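As an added example (not part of the lecture slides), the following Python program shows what such an integrity check program does: it takes a baseline of SHA-256 checksums for a set of trusted programs and, before a program is executed, compares the current checksum with the baseline. The program images, names and the later «tampered» state are constructed in memory so that the example runs without touching a real file system.

```python
# Added example (not part of the lecture slides): a minimal integrity check
# program of the kind described above. A baseline of SHA-256 digests is taken
# once for a set of trusted programs; before a program is run, its current
# digest is compared with the baseline. The "files" below are constructed
# in-memory byte strings, so the example runs without touching a real disk.
import hashlib
import hmac


def digest(data):
    """SHA-256 hex digest of a program image."""
    return hashlib.sha256(data).hexdigest()


def baseline(files):
    """Take the reference checksums: {name: bytes} -> {name: hex digest}.
    In a real deployment this table must itself be protected (read-only
    medium, signed, or sealed by a TPM), otherwise malware simply updates it."""
    return {name: digest(data) for name, data in files.items()}


def verify(files, known):
    """Compare the current program set against the baseline.

    Returns {name: status} with status in "ok", "modified", "missing", "new".
    hmac.compare_digest is used so that the comparison takes the same time
    regardless of where two digests first differ."""
    report = {}
    for name, ref in known.items():
        if name not in files:
            report[name] = "missing"
        elif hmac.compare_digest(digest(files[name]), ref):
            report[name] = "ok"
        else:
            report[name] = "modified"
    for name in files:
        if name not in known:
            report[name] = "new"
    return report


def allowed_to_run(name, files, known):
    """Execution gate: only a program whose digest matches the baseline may run."""
    return verify(files, known).get(name) == "ok"


# Constructed sample "file system" at baseline time
TRUSTED = {
    "/usr/bin/ssh": b"\x7fELF trusted ssh image",
    "/usr/bin/ls": b"\x7fELF trusted ls image",
}
BASELINE = baseline(TRUSTED)

# Constructed state at a later check: ssh has been trojaned, ls is gone,
# and an unknown program has appeared
CURRENT = {
    "/usr/bin/ssh": b"\x7fELF trusted ssh image" + b"\x90\x90 backdoor",
    "/tmp/x": b"#!/bin/sh\nrm -rf /\n",
}

if __name__ == "__main__":
    for name, status in sorted(verify(CURRENT, BASELINE).items()):
        print(f"{status:9s} {name}")
    print("run ssh?", allowed_to_run("/usr/bin/ssh", CURRENT, BASELINE))
```

The weak point of this approach is the baseline itself: if the checksum table is writable by the same code that the malware can run, the malware updates the table along with the program, which is exactly why trusted computing anchors the baseline in hardware.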


Computer Security Software Security

– The following points are important for software engineering and development
– Use libraries (e.g., NaCl, OpenSSL or LibreSSL, Bouncy Castle, …) to implement cryptographic functions
– Apply the principles of «secure coding»
  – OWASP Secure Coding Principles
  – CERT (Top 10) Secure Coding Practices
  – …
– This is particularly true for Web applications that must be made resistant against attacks like Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and many more (→ Web security)
– There are tools that can be used for static or dynamic program analysis and security testing
– Hypothetical «security benchmark»: extend «Hello World» with authentication and authorization (before any other extension or modification)


Computer Security Software Security

– According to the current software licensing terms, vendors are not liable for their products
– People usually disagree whether this is good or bad
– Software liability is an open issue, and there is an ongoing controversy about it
– The proponents of software liability argue that the software market does not have proper incentives to produce more secure software, and hence that the vendors should be made liable for the software they produce (to correct the incentives)
– The opponents of software liability argue that it is up to the buyers to favor more secure software, and hence to correct the incentives (this, in turn, should lead to more secure software)
– Anyway, software liability would lead to a market for liability insurance and to many disclaimers (about how not to use a particular software product)


Computer Security 2.4 Intrusion Detection and Prevention

– In the past, the focus of security considerations has been on prevention and preventive security mechanisms (e.g., antivirus software, firewalls, encryption, …)
– This is about to change, and the current trend is to focus more on detection and response

(Figure: the triangle prevention, detection, response)

– If something happens, then it is ultimately important to be able to detect it and respond in an appropriate way


Computer Security Intrusion Detection and Prevention

– An intrusion detection system (IDS) is a hardware and/or software system that can be used to detect attacks
– Types
  – Host-based IDS (HIDS) → operates on the operating system level
  – Network-based IDS (NIDS) → operates on the network level
  – Hybrid IDS → combines HIDS and NIDS and operates on either level
– Technologies (HIDS/NIDS)
  – Detection of known attack signatures (→ «pattern matching»)
  – Statistical analysis (→ detection of abnormal user or system behavior)

(Figure © 2007 http://de.wikipedia.org/wiki/Intrusion_Detection_System)


Computer Security Intrusion Detection and Prevention

– Error types related to an IDS
  – False positives (i.e., the IDS classifies a harmless event as an attack → alarm)
  – False negatives (i.e., the IDS classifies an attack as a harmless event → no alarm)
– The two error types work in opposite directions, i.e., tuning the detector to reduce one of them increases the other, so it is not possible to minimize both simultaneously (this is similar to biometric authentication)
– An intrusion prevention system (IPS) is an IDS that can also act preventively and actively take protection measures (e.g., drop IP packets that fulfill specific requirements)
– Many IDS/IPS are based on Snort
– Snort was originally developed as open source software, but later commercialized by Sourcefire (acquired by Cisco in 2013)
– The developers of IDS/IPS often employ honeypots (to gather intelligence)
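As an added example (not part of the lecture slides), the following Python program combines the two IDS technologies from the previous slide, signature matching and a statistical rule on failed logins, and measures the error types above against a small hand-labelled log. The log lines, addresses and attack signatures are constructed for the demonstration; the point is that the same detector, run with two different thresholds, trades false positives for false negatives.

```python
# Added example (not part of the lecture slides): a toy IDS that combines
# signature matching and a statistical rule, and measures its false
# positives/negatives against a constructed, hand-labelled log. All log
# lines, addresses and signatures are made up for the demonstration.
import re
from collections import Counter

# Known attack signatures (pattern matching)
SIGNATURES = [
    r"\.\./",            # directory traversal
    r"/etc/passwd",      # classic probe
    r"'\s*OR\s+1=1",     # SQL injection probe
]

# (log line, is_attack) with the ground truth supplied by hand
SAMPLE_LOG = [
    ("src=10.0.0.5 GET /index.html 200", False),
    ("src=10.0.0.5 POST /login failed user=alice", False),     # alice mistypes twice
    ("src=10.0.0.5 POST /login failed user=alice", False),
    ("src=10.0.0.5 POST /login ok user=alice", False),
    ("src=198.51.100.7 GET /cgi-bin/../../etc/passwd 404", True),
    ("src=198.51.100.7 POST /login failed user=admin", True),  # slow password guessing
    ("src=198.51.100.7 POST /login failed user=root", True),
    ("src=198.51.100.7 POST /login failed user=test", True),
    ("src=198.51.100.7 POST /login failed user=guest", True),
    ("src=10.0.0.9 GET /docs/a.b/../c.html 200", False),       # harmless ".." in a path
    ("src=203.0.113.4 GET /search?q=' OR 1=1-- 200", True),
]


def source_of(line):
    return re.search(r"src=(\S+)", line).group(1)


def signature_hits(line):
    """Signature-based detection: the patterns found in the line."""
    return [p for p in SIGNATURES if re.search(p, line)]


def failed_logins_per_source(log):
    counts = Counter()
    for line, _ in log:
        if "login failed" in line:
            counts[source_of(line)] += 1
    return counts


def classify(log, threshold):
    """Alarm per line: a signature hit, or a failed login from a source that
    reached `threshold` failed logins in the log (statistical rule)."""
    fails = failed_logins_per_source(log)
    alarms = []
    for line, _ in log:
        anomalous = "login failed" in line and fails[source_of(line)] >= threshold
        alarms.append(bool(signature_hits(line)) or anomalous)
    return alarms


def evaluate(log, threshold):
    """Confusion matrix {tp, fp, fn, tn} of the detector at a given threshold."""
    result = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for (_, is_attack), alarm in zip(log, classify(log, threshold)):
        key = ("t" if alarm == is_attack else "f") + ("p" if alarm else "n")
        result[key] += 1
    return result


if __name__ == "__main__":
    for t in (2, 5):
        print(f"threshold={t}: {evaluate(SAMPLE_LOG, t)}")
```

With threshold 2 the detector catches every attack but raises alarms on alice's two typos and on the harmless «..» in a document path (false positives); with threshold 5 those login alarms disappear, but the slow password guessing from 198.51.100.7 is missed entirely (false negatives). The signature false positive stays in both runs, which is why signature databases need the same tuning as thresholds.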


Computer Security 2.5 Trusted Computing

– Modern computer systems follow the von Neumann architecture, in which one (shared) memory is used for data and instructions
– An alternative would be the Harvard architecture, in which the memory is separated for data and instructions
– This means that today's computer systems are software-open, i.e., arbitrary software can be installed and executed
– This includes malicious software (aka malware)
– In the past, there have been many proposals to make computer systems software-closed or software-controlled (in an attempt to mitigate software-based attacks)
– This is also important to enforce intellectual property rights and implement digital rights management (DRM)
– DRM is an emotional and controversial topic («treacherous computing»)

(Figure: von Neumann architecture with arithmetic logic unit, control unit, and shared memory)


Computer Security Trusted Computing

– Trusted Computing (TC) originates from the Trusted Computing Group (TCG), formerly known as Trusted Computing Platform Alliance (TCPA)
– The aim was to control the authenticity and integrity of every software module that is loaded into memory and executed on a computer system (using digital signatures)
– A similar mechanism is used to securely download and install software from app stores
– The TCG started TC with a hardware module called Trusted Platform Module (TPM) → similar to a smartcard, but bound to a hardware device (instead of a user)
– The TPM specification has been adopted in the multipart standard ISO/IEC 11889
– Most motherboards in use today can be equipped with a TPM
– But the software (e.g., operating system) must be enabled to make use of the TPM (e.g., BitLocker)

(Figure © https://en.wikipedia.org/wiki/Trusted_Platform_Module)


Computer Security Trusted Computing

– TPM-based TC is important for Industrial Process Control (IPC) and Supervisory Control and Data Acquisition (SCADA) systems
– In the mass market for personal computing, however, it is less likely to prevail (e.g., Oppliger, R., and R. Rytz, Does Trusted Computing Remedy Computer Security Problems? IEEE Security & Privacy, Vol. 3, No. 2, March/April 2005, pp. 16–19)
– Today, people are looking into TC based on enclaves (instead of TPMs)
– While a TPM has been used to secure an entire computer system, an enclave is used to secure a container running on a remote computer and operated in a virtual environment
– The aim is to solve the «secure remote computation» problem
– An enclave can be seen as the opposite of a sandbox, i.e., a software module must be secured from the execution environment that may be hostile

(Figure: Victor Costan and Srinivas Devadas, Intel SGX Explained)


Computer Security Trusted Computing

– TC requires trusted hardware and must provide some form of remote software attestation
– The aim is to make it impossible for the owner of the remote computer to learn the contents of a secure container
– This is meant to address the security problems related to cloud computing (data is processed on hardware the data owner does not control)
– But the owner of the data must trust the software provider and the hardware manufacturer
– TC based on enclaves is supported by Intel's Software Guard Extensions (SGX)
– Note, however, that this provides a huge market power for Intel

(Figure: Victor Costan and Srinivas Devadas, Intel SGX Explained)


3. Communication Security (COMSEC)

3.1 Introduction 3.2 Firewall Technologies 3.3 Cryptographic Security Protocols


Communication Security 3.1 Introduction

– Major incidents
  – Internet worm (1988)
  – Sniffing attacks (1994)
  – Sequence number guessing attacks (1995)
  – Denial-of-service (DoS) attacks (1996)
  – Distributed DoS attacks (since 2000)
  – …

(Figure: number of security-related events reported to the CERT Coordination Center (CERT/CC) over time)

Communication Security Introduction

– The OSI security architecture represents part 2 of ISO/IEC 7498 (1989) and ITU-T X.800 (1991)
– Security services
  – Authentication services
  – Access control services
  – Data confidentiality services
  – Data integrity services
  – Nonrepudiation services
– Specific security mechanisms
  – Encipherment
  – Digital signature mechanisms
  – Access control mechanisms
  – Data integrity mechanisms
  – Authentication exchange mechanisms
  – Traffic padding mechanisms
  – Routing control mechanisms
  – Notarization mechanisms
– Pervasive security mechanisms
  – Trusted functionality
  – Security labels
  – Event detection
  – Security audit trail
  – Security recovery


Communication Security Introduction

– During the Cold War, one of the major research challenges was to design and come up with networking technologies that are as reliable and resilient as possible
– Packet switching was considered to be a viable solution
– In packet switching, messages are packetized and each packet is routed individually through the network (analogy: postal mail delivery)
– In the late 1960s, packet switching was prototyped in the US ARPANET (that later became the Internet); the TCP/IP protocol suite was developed for it in the 1970s
– In the world of the telecom operators, a similar packet switching technology was developed and became known as X.25 (disappeared in the late 1990s)
– The core protocols of the TCP/IP protocol suite have remained almost unchanged (only IPv4 is being upgraded to IPv6 after 25 years)

(Photo © Leonard Kleinrock)


Communication Security Introduction

(Figure: Internet backbone with routers, LANs and links, and an IP packet being forwarded hop by hop)


Communication Security Introduction

– Passive attacks
  – Passive eavesdropping («sniffing»)
  – Traffic analysis
– Active attacks
  – Data manipulation, extension, and/or deletion
  – Spoofing attacks
    – ARP cache poisoning
    – IP spoofing and sequence number guessing
    – DNS spoofing
    – …
  – Denial of Service (DoS) attacks and distributed DoS (DDoS) attacks

Communication Security Introduction

– Example: IP spoofing and sequence number guessing (cf. paper written by Robert T. Morris Jr. in 1985)
– Setting: A (the server) accepts commands from B without user authentication (i.e., without password), because A «trusts» B; C is the adversary
– TCP three-way handshake between B and A
  – B → A: SYN(X)
  – A → B: ACK(X+1), SYN(Y)
  – B → A: ACK(Y+1)
– Upon receiving the SYN, the server A establishes status information for the TCP connection; the initial sequence number Y that A chooses is what the adversary must know (or guess) to complete a spoofed handshake


Communication Security Introduction

– Phase 1(a): C establishes TCP sessions to A (using its true IP address). The aim is to collect enough information to successfully predict an initial sequence number Y chosen by A in the future.
– Phase 1(b): C floods B with TCP SYN messages (TCP session establishment requests), so that B is unable to react to the packets A will send it in phase 2


Communication Security Introduction

– Phase 2: C establishes a TCP connection to A using the IP address of B as source address (Source IP = IP_B)
  – C → A: SYN(X) (source address IP_B)
  – A → B: ACK(X+1), SYN(Y) (this message goes to B, where it is lost: B is busy with the SYN flood and sends no reset)
  – C → A: ACK(Y+1) (source address IP_B, using the predicted Y; C never sees A's message)
– Afterwards, C provides a command to compromise the security of the system (e.g., «delete filesystem»)

Communication Security Introduction

– Protection mechanisms
  – The initial sequence numbers are randomly or pseudorandomly generated (so that the Y values are unpredictable from the adversary's perspective)
  – All incoming IP packets with an internal source address are dropped at the perimeter
  – The use of SYN cookies (→ originally proposed by Dan Bernstein in 1996, specified in Appendix A of RFC 4987, implemented for some operating systems): instead of keeping server-side state (TCB = Transmission Control Block) for every half-open connection, the server encodes the state in its initial sequence number Y and reconstructs it from the client's final ACK
– Today, TCP/IP implementations employ initial sequence numbers that are pseudorandomly generated (→ RFC 6528)
– Also, it makes a lot of sense to drop all incoming IP packets with an internal source address (→ best practice)

(Figure © https://www.globalknowledge.com/blog/2010/12/20/implementing-tcp-syn-cookies-on-cisco-hardware/)
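As an added example (not part of the lecture slides), the following Python program puts two of the protection mechanisms above into code. Part 1 contrasts a predictable initial sequence number generator with a random one from the adversary's point of view (phase 1(a) above). Part 2 implements SYN cookies as described by Bernstein and in Appendix A of RFC 4987: the server's initial sequence number Y carries a time counter, an MSS index and a keyed hash of the connection 4-tuple, so the server keeps no TCB for half-open connections. The fixed ISN increment, the MSS table, the secret and all addresses are assumptions made for the demonstration.

```python
# Added example (not part of the lecture slides): predictable vs. random ISNs
# from the adversary's view, and a SYN cookie implementation following
# Bernstein / RFC 4987 Appendix A. The fixed increment, the MSS table and all
# addresses are assumptions made for the demonstration.
import hashlib
import hmac
import ipaddress
import os
import struct


class PredictableISN:
    """Old-style generator: the ISN grows by a fixed step per connection
    (assumption for illustration), so a few samples reveal the next value."""
    def __init__(self, start=1000, step=64000):
        self.next_isn, self.step = start, step

    def isn(self):
        value = self.next_isn
        self.next_isn = (self.next_isn + self.step) % 2**32
        return value


class RandomISN:
    """Unpredictable generator (what modern stacks approximate)."""
    def isn(self):
        return int.from_bytes(os.urandom(4), "big")


def predict_next(samples):
    """Phase 1(a): extrapolate A's next ISN from the ones observed so far."""
    return (samples[-1] + (samples[-1] - samples[-2])) % 2**32


def blind_spoof_succeeds(gen):
    samples = [gen.isn() for _ in range(3)]   # C connects to A three times
    guess = predict_next(samples)             # C predicts Y for the spoofed SYN
    actual = gen.isn()                        # the Y that A really picks
    return guess == actual                    # would C's ACK(Y+1) be accepted?


# ---- SYN cookies: the state lives in the ISN, not in a TCB -----------------
MSS_TABLE = (536, 1460, 2048, 4096)  # assumption: 3-bit MSS encoding table
SECRET = os.urandom(32)              # server-side secret, changed at boot


def _mac24(saddr, sport, daddr, dport, t):
    """24-bit keyed hash of the connection 4-tuple and the time counter t
    (t increases every 64 seconds)."""
    msg = struct.pack("!4sH4sHI", saddr, sport, daddr, dport, t)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, sport, daddr, dport, mss, t):
    """Server's ISN Y: top 5 bits t mod 32, next 3 bits MSS index, low 24 bits MAC."""
    mss_idx = max([i for i, m in enumerate(MSS_TABLE) if m <= mss] or [0])
    return ((t % 32) << 27) | (mss_idx << 24) | _mac24(saddr, sport, daddr, dport, t)


def check_cookie(cookie, saddr, sport, daddr, dport, now):
    """On the final ACK (ack number = cookie + 1): rebuild t from its low 5
    bits, reject stale or forged cookies, otherwise return the negotiated MSS."""
    t = now - ((now - (cookie >> 27)) % 32)   # newest t with matching low bits
    if now - t > 2:                            # older than two ticks: stale
        return None
    if (cookie & 0xFFFFFF) != _mac24(saddr, sport, daddr, dport, t):
        return None                            # forged, or replayed by another client
    return MSS_TABLE[(cookie >> 24) & 7]


def ip(addr):
    return ipaddress.IPv4Address(addr).packed


if __name__ == "__main__":
    print("predictable ISN, blind spoof works:", blind_spoof_succeeds(PredictableISN()))
    print("random ISN, blind spoof works:", blind_spoof_succeeds(RandomISN()))
    c = make_cookie(ip("198.51.100.7"), 40000, ip("192.0.2.1"), 23, 1460, t=100)
    print("fresh ACK:", check_cookie(c, ip("198.51.100.7"), 40000, ip("192.0.2.1"), 23, now=101))
    print("stale ACK:", check_cookie(c, ip("198.51.100.7"), 40000, ip("192.0.2.1"), 23, now=140))
```

The cookie check is what makes the flood harmless: a SYN that never completes costs the server nothing, and an ACK with a forged or replayed Y fails the hash. The price is that everything not encoded in the 32 bits (TCP options such as window scaling) is lost for connections set up this way, which is why real stacks only switch to cookies when the SYN queue overflows.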


Communication Security 3.2 Firewall Technologies

– Internet connectivity is symmetric by default
– A system with Internet connectivity can, in principle, be addressed (and hence attacked) from the Internet
– This situation may be critical for systems with poor security
– In the real world, firewalls are used to stop a fire from propagating from one building to another
– In the digital world, the notion of a firewall has been adapted
– The aim of an (Internet) firewall is to make Internet connectivity asymmetric
– A firewall represents a blockade between (at least) two networks
  – A private and protected network that is assumed to be secure and trustworthy (→ intranet)
  – A public and unprotected network that is assumed to be insecure and not trustworthy (→ Internet)
– The firewall is to disable any unwanted and unauthorized data flow from or to the intranet


Communication Security Firewall Technologies

– A firewall is a collection of components placed between two networks that collectively have the following properties
  – All traffic from inside to outside, and vice versa, must pass through the firewall
  – Only authorized traffic, as defined by the security policy, will be allowed to pass
  – The firewall itself is immune to penetration
– A firewall always requires a security policy (this is sometimes ignored)
– Only if a security policy is given, can one reasonably discuss the security of a firewall
– Analogies
  – Hotel lobby
  – Reception in a business building
  – …


Communication Security Firewall Technologies

– Firewall technologies
  – Static packet filters
  – Dynamic packet filters
  – Circuit-level gateways
  – Application-level gateways
– Sometimes, people use the term «firewall» only to refer to a packet filtering device
– Today, the trend goes towards decentralized firewall functionalities (→ decentralized and personal firewalls)
– There is an increasingly large number of «firewall-friendly» applications (i.e., applications that tunnel their traffic over port 80) that put the usefulness of firewalls (packet filters) into question


Communication Security Firewall Technologies

– A router is a device that transmits IP packets from one network (or network interface) to another
– Most routers can filter IP packets based on the network interfaces and the information found in packet headers («screening routers»)
– Header fields a screening router can filter on
  – IP header: protocol, source IP address, destination IP address, other options
  – Transport-layer protocol header: source port number, destination port number, TCP connection flags
  – The application protocol header and the application data are not examined by a packet filter

(Figure © https://www.cisco.com/c/en/us/about/press/internet-protocol-journal/back-issues/table-contents-29/anatomy.html)


Communication Security Firewall Technologies

– By default, a packet filter is stateless
– It must decide for every IP packet individually (and independently from all other IP packets) whether to forward or drop the packet
– This decision is usually based on some packet filter rules – sometimes called access control lists (ACLs) – that must be written in a vendor-specific syntax (e.g., Cisco)
– The complexity of a ruleset is inversely proportional to the efficiency of the packet filter, i.e., the more complex the rules, the less efficient the packet filter, and vice versa
– The need to run an audit trail impacts efficiency in another negative way
– Nevertheless, packet filtering in high-speed networks is feasible

(Figure © https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3s/sec-data-acl-xe-3s-book/sec-create-ip-apply.pdf)


Communication Security Firewall Technologies

– An increasingly large number of applications employ multiple connections and dynamically allocated ports
– This complicates the specification of the packet filter rules
– Example: FTP (active mode)
  – Control connection (outbound): client port r1 (e.g., 1565) → server port 21 (ftp-control)
  – Data connection (inbound): server port 20 (ftp-data) → client port r2 (e.g., 1567), where r2 is chosen by the client and announced to the server over the control connection


Communication Security Firewall Technologies

– For FTP, passive mode yields a solution
– The problem is more general and applies to an increasingly large number of applications (e.g., UDP-based realtime applications)
– One possibility to solve the problem is to use packet filters that maintain state information to more intelligently filter IP packets → dynamic packet filtering or stateful packet inspection (SPI)
– Implementations
  – Check Point Firewall-1
  – (OpenBSD)
  – ipfw (FreeBSD)
  – iptables (Linux)
  – …
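As an added example (not part of the lecture slides), the following Python program simulates the two filter types on the FTP case of the previous slide. The stateless filter needs a permanent rule «inbound from source port 20 to any high port», which anybody on the Internet can satisfy by choosing source port 20; the stateful filter remembers the outbound control connection, reads the PORT command, and opens a one-shot pinhole for exactly the announced data connection. The intranet prefix, the addresses, ports and the packet trace are constructed for the demonstration; it also includes the anti-spoofing rule (drop inbound packets with an internal source address).

```python
# Added example (not part of the lecture slides): a stateless packet filter
# with the classic "allow inbound from source port 20 to high ports" rule
# next to a stateful filter that tracks the FTP control connection and opens
# a pinhole only for the data connection announced in the PORT command. The
# addresses, ports and packet trace are constructed for the demonstration.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str        # "out" = intranet -> Internet, "in" = Internet -> intranet
    syn: bool = False
    ack: bool = False
    payload: bytes = b""


INTRANET = "192.0.2."     # assumption: the protected network is 192.0.2.0/24


def static_filter(p):
    """Stateless ruleset: every packet is judged on its own header fields."""
    if p.direction == "in" and p.src.startswith(INTRANET):
        return False                            # anti-spoofing at the perimeter
    if p.direction == "out":
        return True                             # anything outbound is allowed
    if p.sport == 20 and p.dport >= 1024:
        return True                             # active-mode FTP data (the hole)
    if p.ack and p.dport >= 1024:
        return True                             # "established" approximation (another hole)
    return False


def parse_port_command(payload, client_ip):
    """Return the data port announced by 'PORT h1,h2,h3,h4,p1,p2', or None.
    The announced host must be the client itself (otherwise: FTP bounce)."""
    m = re.match(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n", payload)
    if not m:
        return None
    host = ".".join(m.group(i).decode() for i in range(1, 5))
    if host != client_ip:
        return None
    return int(m.group(5)) * 256 + int(m.group(6))


class StatefulFilter:
    """Dynamic packet filter: remembers outbound connections and the data
    connections the FTP control channel has announced."""
    def __init__(self):
        self.conns = set()       # (inside, inside_port, outside, outside_port)
        self.expected = set()    # (outside, outside_port, inside, inside_port) pinholes

    def accept(self, p):
        if p.direction == "in" and p.src.startswith(INTRANET):
            return False
        if p.direction == "out":
            key = (p.src, p.sport, p.dst, p.dport)
            if p.syn and not p.ack:
                self.conns.add(key)                  # new outbound connection
            if key in self.conns and p.dport == 21:
                port = parse_port_command(p.payload, p.src)
                if port is not None:
                    self.expected.add((p.dst, 20, p.src, port))
            return key in self.conns
        key = (p.dst, p.dport, p.src, p.sport)       # inbound: reverse the tuple
        if key in self.conns:
            return True
        if p.syn and (p.src, p.sport, p.dst, p.dport) in self.expected:
            self.expected.discard((p.src, p.sport, p.dst, p.dport))
            self.conns.add(key)                      # one-shot pinhole becomes a connection
            return True
        return False


def run_stateful(trace):
    f = StatefulFilter()
    return [f.accept(p) for p in trace]


CLIENT, SERVER, ATTACKER = "192.0.2.10", "198.51.100.20", "203.0.113.66"
TRACE = [
    Packet(CLIENT, 1565, SERVER, 21, "out", syn=True),                 # control connection
    Packet(SERVER, 21, CLIENT, 1565, "in", syn=True, ack=True),
    Packet(CLIENT, 1565, SERVER, 21, "out", ack=True,
           payload=b"PORT 192,0,2,10,6,31\r\n"),                       # announces port 6*256+31 = 1567
    Packet(SERVER, 20, CLIENT, 1567, "in", syn=True),                  # legitimate data connection
    Packet(ATTACKER, 20, CLIENT, 6000, "in", syn=True),                # abuses the sport-20 rule
    Packet(ATTACKER, 80, CLIENT, 40000, "in", ack=True),               # ACK probe, no connection
    Packet("192.0.2.99", 5555, CLIENT, 22, "in", syn=True),            # spoofed internal source
]

if __name__ == "__main__":
    for p, s, d in zip(TRACE, map(static_filter, TRACE), run_stateful(TRACE)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  static={s}  stateful={d}")
```

Run on the trace, the static filter lets the attacker's «port 20» SYN to port 6000 and the bare ACK probe through, while the stateful filter accepts only the data connection the client actually announced. Checking that the host in the PORT command equals the client's own address is the detail that stops the FTP bounce variant, where a client asks the server to connect somewhere else.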


Communication Security Firewall Technologies

– Circuit-level gateway (e.g., SOCKS server) placed between the client (user) and the target server
  1. The client establishes a TCP connection to the circuit-level gateway and requests a second TCP connection to the target server
  2. The circuit-level gateway verifies the client's IP address, and authenticates and authorizes the user according to a security policy
  3. The circuit-level gateway connects to the target server and copies data back and forth between the two TCP connections


Communication Security Firewall Technologies

– Application-level gateway (proxy server, possibly with a cache) placed between the client (user) and the target server
  1. The client establishes a TCP connection to the proxy server and requests a service from the target server
  2. The proxy server verifies the client's IP address, and authenticates and authorizes the user according to a security policy
  3. The proxy server connects to the target server and copies data back and forth between the two TCP connections (according to the application protocol that is proxied)


Communication Security Firewall Technologies

– «Dual-homed» configuration

– «Screened subnet» configuration


Communication Security Firewall Technologies

– Many firewalls support Network Address Translation (NAT)
– An organization can internally use private IPv4 addresses according to RFC 1918
  – 10.0.0.0 – 10.255.255.255 (Class A → 1 network with 2^24 = 16,777,216 addresses; byte 1 = 10, bytes 2–4 = subnet and host part)
  – 172.16.0.0 – 172.31.255.255 (Class B → 2^4 = 16 networks with 2^16 = 65,536 addresses each, 2^20 = 1,048,576 addresses in total; byte 1 = 172, bytes 2–4 = subnet and host part)
  – 192.168.0.0 – 192.168.255.255 (Class C → 2^8 = 256 networks with 2^8 = 256 addresses each, 2^16 = 65,536 addresses in total; bytes 1–2 = 192.168, byte 3 = subnet part, byte 4 = host part)


Communication Security Firewall Technologies

(Figure: NAT example; capital letters = IP addresses, small letters = port numbers)


Communication Security Firewall Technologies

– Most firewalls in use today are transparent to the user
– Otherwise, i.e., if a firewall is not transparent to the user, then the application programs must be configured to invoke the respective proxy server(s)
– This is particularly true for data traffic with external peers
– Browser proxy configuration: you can either manually specify a Proxy Auto-Config (PAC) file or have the browser find it semi-automatically via the Web Proxy Auto-Discovery (WPAD) protocol (using DHCP, DNS, or something similar)

(Figures: perimeter security that didn't work (Maginot line in WW II), © https://de.wikipedia.org/wiki/Maginot-Linie#/media/File:CarteLigneMaginot.png; perimeter security that may work)

Communication Security Firewall Technologies

– Firewalls are useful to provide perimeter security and access control services
– Deperimeterization is a buzzword
– Limitations and vulnerabilities
  – Unauthorized network interfaces (e.g., WLAN access points)
  – Insider attacks (e.g., HTTP tunneling)
  – No protection against data-driven attacks (e.g., computer viruses and malicious mobile code)
– Challenges
  – Proprietary protocols (e.g., Oracle, SAP, …)
  – UDP-based applications and application protocols (in particular for realtime communication and IP multicast)


Communication Security Firewall Technologies

(Figure: Internet security in the Stone Age, the Middle Ages, and the Modern Age; from Rolf Oppliger, Internet Kiosk: Internet security enters the Middle Ages, IEEE Computer, Vol. 28, No. 10, 1995, pp. 100–101)


Communication Security 3.3 Cryptographic Security Protocols

– Cryptographic security protocols by layer of the TCP/IP model
  – Application layer: E2EE messaging (e.g., S/MIME, OpenPGP, OTR, MLS, …), XML Security, S-HTTP, Kerberos, DNSSEC
  – Transport layer: SSH, SSL / TLS / DTLS
  – Internet layer: IPsec / IKE
  – Network access layer: PPTP / L2TP, WEP / WPA / WPA2, MACsec


Individual Exercise

– Try to find out how the IP security (IPsec) protocol works and how the Internet Key Exchange (IKE) protocol can be used for key exchange and management – Find out what implementations of IPsec and IKE are available and deployed in the field

Communication Security Cryptographic Security Protocols (SSL/TLS)

(Book cover © Artech House (2016), ISBN 978-1-60807-998-8)

– There are many possibilities to use cryptographic techniques to implement security mechanisms and services at the transport layer

(Figure: timeline 1990–2022 of S-HTTP, SSL 1.0/2.0, SSL 3.0, PCT/STLP, TLS 1.0, DTLS 1.0, TLS 1.1, TLS 1.2, DTLS 1.2, and TLS 1.3; S-HTTP = Secure HTTP, PCT = Private Communication Technology, STLP = Secure Transport Layer Protocol)


Communication Security Cryptographic Security Protocols (SSL/TLS)

– The SSL protocol was developed by Netscape Communications in the 1990s (→ historic RFC 6101)
– It provides the following security services
  – Peer entity authentication service
  – Data authentication service
  – Connection confidentiality service
  – Connection integrity service (without recovery)
– It uses the following security mechanisms
  – Encipherment
  – Digital signature mechanisms
  – Data integrity mechanisms
  – Authentication exchange mechanisms


Communication Security Cryptographic Security Protocols (SSL/TLS)

– The SSL protocol is application-layer protocol independent
– For a particular application, there are two strategies to distinguish between services that employ SSL and services that don't
  – Separate port strategy (→ RFC 2818, e.g., HTTPS on port 443)
  – Upward negotiation strategy (→ RFC 2817)
– Historically, most protocols have employed the separate port strategy
– This also applies to SSL/TLS
– Nowadays, the IETF is strategically heading towards upward negotiation (e.g., STARTTLS for SMTP)


Communication Security Cryptographic Security Protocols (SSL/TLS)

– The SSL Record Protocol employs the Authenticate-then-Encrypt (AtE) approach (a MAC is computed over the fragment first, then fragment and MAC are encrypted together)
– Each SSL record consists of
  – Type (1 byte): 20 = Change Cipher Spec, 21 = Alert, 22 = Handshake, 23 = Application Data
  – Version (2 bytes): 0x0300 = version 3.0
  – Length (2 bytes): at most 2^14 = 16,384 bytes of plaintext (up to 2^14 + 2048 bytes after compression and encryption)
  – Fragment (variable length)


Communication Security Cryptographic Security Protocols (SSL/TLS)

– Cipher suites are named according to the scheme SSL_<key exchange algorithm>_WITH_<encryption algorithm>_<hash algorithm>, e.g., SSL_RSA_WITH_3DES_EDE_CBC_SHA (TLS uses the prefix TLS_ instead)


Communication Security Cryptographic Security Protocols (SSL/TLS)

– The key derivation function (KDF) of SSL is hand-crafted: premaster secret (48 bytes for RSA key exchange) → master secret (48 bytes) → key block (arbitrary length, cut into the MAC secrets, encryption keys, and IVs for both directions)
– The KDF of TLS (≤ 1.2) is based on a PRF that uses the HMAC construction in an ad-hoc and nonstandard way


Communication Security Cryptographic Security Protocols (SSL/TLS)

– SSL message encryption uses a stream cipher (e.g., RC4) or a block cipher (e.g., RC2, IDEA, DES, 3DES, and FORTEZZA)
– If a block cipher is used, then it must operate in the cipher-block chaining (CBC) mode
  – Encryption: C_0 = IV and C_i = E_K(P_i ⊕ C_{i-1}) for i > 0
  – Decryption: C_0 = IV and P_i = D_K(C_i) ⊕ C_{i-1} for i > 0

(Figure: one CBC encryption and decryption step with key K)

Communication Security Cryptographic Security Protocols (SSL/TLS)

– Any block cipher operated in CBC mode requires a padding scheme and a way to determine an IV
– SSL employs a simple padding scheme (only the last byte, the padding length, is checked) that can be exploited in an efficient padding oracle attack (→ POODLE attack)
– SSL employs the last block of the previously encrypted record as the IV for the encryption of the next record, so an adversary knows the IV of the next record before it is used (→ BEAST attack)
– Both attacks pose a huge problem, because the SSL protocol does not support any other mode of operation for block ciphers
– The only alternative is to use the stream cipher RC4
– But RC4 has security problems of its own (i.e., statistical defects and the RC4 NOMORE attack)

NOMORE = Numerous Occurrence MOnitoring & Recovery Exploit
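As an added example (not part of the lecture slides), the following Python program shows the CBC equations of the previous slide and the core of the BEAST attack in code. It uses a small 4-round Feistel cipher with 64-bit blocks as a stand-in for 3DES (an assumption for the demonstration, not a secure cipher), a record sender that chains IVs across records as SSL 3.0 / TLS 1.0 do, and the adversary's test: because the IV of the next record is the last ciphertext block already on the wire, one chosen plaintext block is enough to verify a guess for any earlier plaintext block. The same test fails against a sender that uses a fresh random IV per record (TLS 1.1 and later). Key, request and cookie value are made up.

```python
# Added example (not part of the lecture slides): CBC over a toy 64-bit block
# cipher, an SSL 3.0 / TLS 1.0-style sender that chains IVs across records,
# and the BEAST guess test against it. The Feistel cipher is a stand-in for
# 3DES and is not secure; key and request are constructed for the demo.
import hashlib
import os

BLOCK = 8


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, half, i):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]


def block_encrypt(key, block):
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, xor(l, _round(key, r, i))
    return l + r


def block_decrypt(key, block):
    l, r = block[:4], block[4:]
    for i in reversed(range(4)):
        l, r = xor(r, _round(key, l, i)), l
    return l + r


def cbc_encrypt(key, iv, plaintext):
    """C_0 = IV, C_i = E_K(P_i xor C_(i-1)); the plaintext must be block-aligned."""
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    """P_i = D_K(C_i) xor C_(i-1)."""
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out.append(xor(block_decrypt(key, block), prev))
        prev = block
    return b"".join(out)


class RecordSender:
    """Victim's sending side. chained_iv=True: the IV of a record is the last
    ciphertext block of the previous record (SSL 3.0 / TLS 1.0).
    chained_iv=False: a fresh random IV is sent in front of each record
    (TLS 1.1+). Everything sent is visible to the adversary on `wire`."""
    def __init__(self, key, chained_iv):
        self.key, self.chained = key, chained_iv
        self.prev = os.urandom(BLOCK)     # first IV (taken from the key block in SSL)
        self.wire = []

    def send(self, plaintext):
        if self.chained:
            rec = cbc_encrypt(self.key, self.prev, plaintext)
            self.prev = rec[-BLOCK:]
        else:
            iv = os.urandom(BLOCK)
            rec = iv + cbc_encrypt(self.key, iv, plaintext)
        self.wire.append(rec)
        return rec


def split_blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def beast_guess_is_right(sender, record_no, j, guess):
    """Adversary: test whether block j (j >= 1) of record `record_no` decrypts
    to `guess`. He injects P' = guess xor C_(j-1) xor IV_next, where IV_next is
    the last ciphertext block currently on the wire; the victim encrypts it as
    E_K(P' xor IV_next) = E_K(guess xor C_(j-1)), which equals C_j iff guess = P_j."""
    blocks = split_blocks(sender.wire[record_no])
    c_prev, c_j = blocks[j - 1], blocks[j]
    iv_next = sender.wire[-1][-BLOCK:]
    sender.send(xor(xor(guess, c_prev), iv_next))   # chosen plaintext (e.g., via a script in the browser)
    return sender.wire[-1][-BLOCK:] == c_j


KEY = b"constructed key!"
# Constructed request; block 2 holds the secret the adversary wants to confirm
REQUEST = b"GET /a  " + b"Cookie: " + b"SECRET!!" + b"\r\n\r\n    "

if __name__ == "__main__":
    victim = RecordSender(KEY, chained_iv=True)
    victim.send(REQUEST)
    print("chained IV, right guess:", beast_guess_is_right(victim, 0, 2, b"SECRET!!"))
    print("chained IV, wrong guess:", beast_guess_is_right(victim, 0, 2, b"WRONG!!!"))
    victim = RecordSender(KEY, chained_iv=False)
    victim.send(REQUEST)
    print("fresh IV, right guess:  ", beast_guess_is_right(victim, 0, 2, b"Cookie: "))
```

One guess test per injected block is only useful because BEAST combines it with a chosen boundary: the adversary shifts the request so that a single unknown byte of the cookie sits at the end of a block whose other bytes he knows, reducing the search to at most 256 guesses per byte. The chained IV is the whole problem; with a fresh IV per record the injected block is XORed with a value the adversary does not know in advance, and the comparison fails even for the correct guess.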

Communication Security Cryptographic Security Protocols (SSL/TLS)

– SSL Handshake Protocol (full handshake; messages marked * are optional)
  – Flight #1 (client → server): ClientHello
  – Flight #2 (server → client): ServerHello, Certificate*, ServerKeyExchange*, CertificateRequest*, ServerHelloDone
  – Flight #3 (client → server): Certificate*, ClientKeyExchange, CertificateVerify*, ChangeCipherSpec, Finished
  – Flight #4 (server → client): ChangeCipherSpec, Finished
  – Afterwards: Application Data in both directions
– Abbreviated handshake (session resumption)
  – Flight #1 (client → server): ClientHello (with the ID of the session to resume)
  – Flight #2 (server → client): ServerHello, ChangeCipherSpec, Finished
  – Flight #3 (client → server): ChangeCipherSpec, Finished
  – Afterwards: Application Data in both directions


Communication Security Cryptographic Security Protocols (SSL/TLS)

– Multiple handshake messages (type 22) can be sent in a single SSL record (messages from other subprotocols cannot be packed into the same record); conversely, a single handshake message may also be fragmented over several records
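As an added example (not part of the lecture slides), the following Python program parses the record format from the earlier slide (type, version, length, fragment) and the handshake messages carried in a record (1-byte type, 3-byte length, body), including the case above where two handshake messages share one record. The byte stream it runs on is constructed: a ServerHello for SSL 3.0 with the cipher suite SSL_RSA_WITH_3DES_EDE_CBC_SHA and a ServerHelloDone coalesced into one handshake record, followed by a ChangeCipherSpec in its own record. The small cipher suite table is an excerpt chosen for the example.

```python
# Added example (not part of the lecture slides): a parser for the SSL/TLS
# record layer and the handshake messages carried in it, exercised on a
# constructed byte stream (ServerHello + ServerHelloDone coalesced into one
# handshake record, followed by a ChangeCipherSpec in its own record).
import struct

RECORD_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {0: "hello_request", 1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 13: "certificate_request", 14: "server_hello_done",
                   15: "certificate_verify", 16: "client_key_exchange", 20: "finished"}
CIPHER_SUITES = {0x0004: "SSL_RSA_WITH_RC4_128_MD5", 0x000A: "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
                 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA"}     # excerpt for the example
MAX_PLAINTEXT = 2 ** 14          # plaintext fragment limit; ciphertext may be 2048 bytes longer


def parse_records(data):
    """Split a byte stream into (type name, (major, minor), fragment) records."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack("!BBBH", data[off:off + 5])
        if ctype not in RECORD_TYPES:
            raise ValueError(f"unknown content type {ctype}")
        if length > MAX_PLAINTEXT + 2048:
            raise ValueError(f"record length {length} exceeds the limit")
        fragment = data[off + 5:off + 5 + length]
        if len(fragment) != length:
            raise ValueError("truncated record fragment")
        records.append((RECORD_TYPES[ctype], (major, minor), fragment))
        off += 5 + length
    return records


def parse_handshake(fragment):
    """Split a handshake fragment into (message type name, body) messages.
    Each message has a 1-byte type and a 3-byte length. A message may also be
    fragmented over several records; this simple parser rejects that case
    instead of reassembling."""
    messages, off = [], 0
    while off < len(fragment):
        if len(fragment) - off < 4:
            raise ValueError("truncated handshake header")
        htype = fragment[off]
        hlen = int.from_bytes(fragment[off + 1:off + 4], "big")
        body = fragment[off + 4:off + 4 + hlen]
        if len(body) != hlen:
            raise ValueError("handshake message crosses the record boundary")
        messages.append((HANDSHAKE_TYPES.get(htype, f"type_{htype}"), body))
        off += 4 + hlen
    return messages


def parse_server_hello(body):
    """ServerHello: version(2) random(32) session_id<0..32> cipher_suite(2) compression(1)."""
    sid_len = body[34]
    suite = int.from_bytes(body[35 + sid_len:37 + sid_len], "big")
    return {"version": (body[0], body[1]), "session_id": body[35:35 + sid_len],
            "cipher_suite": CIPHER_SUITES.get(suite, f"0x{suite:04x}")}


def record(ctype, fragment, version=(3, 0)):
    return struct.pack("!BBBH", ctype, version[0], version[1], len(fragment)) + fragment


def handshake_message(htype, body):
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


# Constructed server flight: ServerHello (SSL 3.0, 3DES suite, empty session ID)
# and ServerHelloDone in one handshake record, then ChangeCipherSpec alone
SERVER_HELLO = b"\x03\x00" + bytes(range(32)) + b"\x00" + b"\x00\x0a" + b"\x00"
SAMPLE_STREAM = (record(22, handshake_message(2, SERVER_HELLO) + handshake_message(14, b""))
                 + record(20, b"\x01"))


def summarize(data):
    """The stream as the two parsers see it: record type and handshake message names."""
    out = []
    for rtype, _, fragment in parse_records(data):
        if rtype == "handshake":
            out.append((rtype, [name for name, _ in parse_handshake(fragment)]))
        else:
            out.append((rtype, fragment))
    return out


def is_well_formed(data):
    try:
        parse_records(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(summarize(SAMPLE_STREAM))
    first_handshake = parse_records(SAMPLE_STREAM)[0][2]
    print(parse_server_hello(parse_handshake(first_handshake)[0][1]))
```

The length check matters in practice: an implementation that trusts the 2-byte length field without bounding it is the kind of code that produces record-layer memory bugs, and a parser that silently accepts a ChangeCipherSpec byte inside a handshake record would blur exactly the subprotocol separation the slide describes.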


Communication Security Cryptographic Security Protocols (SSL/TLS)

(Figure: CertificateRequest message; CT = certificate type)


Communication Security Cryptographic Security Protocols (SSL/TLS)

– CertificateVerify message: the client signs a hash H computed over all handshake messages exchanged so far, keyed with k = master secret
  – RSA → Sign(MD5(H) ‖ SHA-1(H))
  – DSA → Sign(SHA-1(H))


Communication Security Cryptographic Security Protocols (SSL/TLS)

– Finished message: the hash computation includes a sender constant (Client → 0x434C4E54 = «CLNT», Server → 0x53525652 = «SRVR»)


Communication Security Cryptographic Security Protocols (SSL/TLS)

– The Change Cipher Spec Protocol consists of a single message (that is packed in a distinct record)

– The message triggers the state machine
– The protocol is removed in TLS 1.3


Communication Security Cryptographic Security Protocols (SSL/TLS)

– Alert Protocol
  – Alert level: 1 → warning, 2 → fatal
  – There is no decryption_failed alert message in the SSL protocol (it was added in TLS 1.0)


Communication Security Cryptographic Security Protocols (SSL/TLS)

– Application Protocol


Communication Security Cryptographic Security Protocols (SSL/TLS)

– The SSL/TLS protocols ≤ TLS 1.2 are structurally very similar
– There are only a few subtle differences
  – Parameters and state elements for SSL/TLS sessions and connections
  – Key derivation
  – Cipher suites (e.g., AEAD ciphers, ECC, …)
  – TLS 1.2 extension mechanism
  – …
– TLS version 1.3 is fundamentally different


– Attacks, Countermeasures, and Counterattacks
– Bleichenbacher (1998) + DROWN (2016), ROBOT (2017), CAT (2018)
– Vaudenay (2002)
– Renegotiation Attack (2009) + Triple Handshake Attack (2014)
– BEAST (2011)
– CRIME (2012) + TIME and BREACH (2013), HEIST (2016)
– Lucky 13 (2013) + Lucky Microseconds (2016)
– POODLE (2014)
– FREAK and Logjam (2015)
– RACCOON (2020)
– …
– Attacks against particular cryptographic algorithms (e.g., RC4 NOMORE, Sweet32, SLOTH, …) are not considered
– The same is true for attacks caused by implementation bugs (e.g., Heartbleed) and certificate management issues (e.g., Superfish)


– Bleichenbacher (1998)
– In 1998, Daniel Bleichenbacher proposed a padding oracle attack against PKCS #1 v1.5 (block type 2) as used for the encryption of SSL/TLS ClientKeyExchange messages
– It is an adaptive chosen ciphertext attack (CCA2)
– The adversary can send arbitrary ciphertexts c to the oracle
– For every such c, the oracle returns one bit of information, namely whether the respective plaintext message m (after decryption) is correctly padded or not


– If a plaintext message m is correctly padded, then its leading 2 bytes must be 0x00 and 0x02
– This can be translated into a specific size (when interpreted as an integer)
– In particular, if the oracle confirms proper padding for c, then m must be in the interval [2B, 3B−1] = [2B, 3B) for B = 2^(8(k−2)), k = |n| (in bytes), and 2^(8(k−1)) ≤ n < 2^(8k)
– This is the starting point, and the adversary can try to find nested intervals for m
– More specifically, he or she can send arbitrary ciphertexts c_i ≡ c·r_i^e (mod n) to the oracle
– For every c_i, the oracle returns one bit of information, namely whether m_i ≡ c_i^d ≡ (c·r_i^e)^d ≡ c^d·r_i^(ed) ≡ m·r_i (mod n) is correctly padded


– If this is the case (for a particular r_i), then some information about m = m_i/r_i leaks through
– This information may help the adversary to narrow down the possible interval(s) for m
– This is continued, until there is one interval left with a single value
– Using the Bleichenbacher attack, an adversary must invoke the oracle ~ 2^20 ≈ 10^6 times to decrypt an RSA-encrypted message (e.g., a ClientKeyExchange message) and extract the respective premaster secret (hence the name «million message attack»)
– In some situations, it is possible to improve the efficiency of the attack or to use another side-channel
– In 2003, for example, Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa demonstrated how to use a bad-version oracle (BVO) to mount a Bleichenbacher attack (the server checks the protocol version inside the decrypted premaster secret and reveals the outcome of that check)


– Patch
– Since TLS 1.0, it is informally required that an implementation avoids leaking information about the correctness of the padding (including, for example, error messages and timing information)
– Since TLS 1.2, it is formally required that an implementation generates a random string R anyway, and that this string is used instead of the decrypted premaster secret M in case of a padding error (the handshake then fails later, at the Finished message, exactly as it would for any wrong premaster secret); the same rule applies to a wrong protocol version inside the premaster secret, which closes the bad-version oracle

  if (padding not correct) then use R else use M


– In March 2016, a group of researchers showed that the patch is incomplete
– They came up with a Decrypting RSA with Obsolete and Weakened eNcryption (DROWN) attack
– It is a cross-protocol attack that exploits the fact that many servers still support SSL 2.0 (using the same RSA key and certificate)
– The DROWN attack starts from the observation that the patch can be circumvented, if the adversary can send a ciphertext to the server multiple times and he or she can recognize whether the master secret used by the server is always the same (only in this case is the ciphertext properly padded)
– In SSL 2.0, this can be done for two reasons
– The master secret is derived deterministically from the decrypted ciphertext (since SSL 3.0, the decrypted ciphertext refers to a premaster secret that takes into account additional randomness to derive the master secret)
– 40-bit export ciphers are supported by default (and the respective keys can be found in an exhaustive search)
– Countermeasure: disable SSL 2.0 on every server that uses the RSA key (including other services, e.g., mail servers, that share the key or certificate)

(Figure: RSA-OAEP encoding. DB = h(L) ║ PS ║ 01 ║ m; a random seed is expanded with the mask generation function MGF and XORed onto DB, giving maskedDB; maskedDB is in turn expanded with MGF and XORed onto the seed, giving maskedSeed; the encoded message is EM = 00 ║ maskedSeed ║ maskedDB)

– Countermeasures
– Make PKCS #1 secure against CCA2
– This was done in PKCS #1 version 2 by adopting a padding scheme known as Optimal Asymmetric Encryption Padding (OAEP) for RSA encryption (→ RSA-OAEP)
– TLS 1.2 references PKCS #1 version 2.1 (RFC 3447), but its RSA key exchange still uses the old RSAES-PKCS1-v1_5 encoding for the ClientKeyExchange message; RSA-OAEP was never adopted for TLS key transport, and TLS 1.3 drops RSA key transport altogether
– Unfortunately, even a CCA2-secure encryption scheme cannot defeat all possibilities to mount a Bleichenbacher attack (due to the existence of side-channels)
– A respective attack (against RSA-OAEP implementations) was shown by James Manger in 2001
– In 2017 (ROBOT) and 2018 (CAT), it was shown that Bleichenbacher attacks still remain an issue


– Vaudenay (2002)
– The Bleichenbacher attack (and its variants) only affects asymmetric encryption (i.e., RSA)
– In 2002, Serge Vaudenay proposed a similar (padding oracle) attack that affects symmetric encryption using a block cipher in CBC mode
– The original attack was purely theoretical, and it was not clear whether it could be mounted in practice
– In 2003, however, it was shown that it can be used to decrypt an IMAP4 password sent every 5 minutes over an SSL/TLS connection
– Since then, many researchers have found possibilities to mount similar attacks in many other application settings
– The bottom line is that padding oracle attacks remain an issue (whenever padding is used)


– In CBC mode, the plaintext length must be a multiple of the block size k (e.g., k = 16 bytes for AES)
– In theory, there are many padding schemes
– In practice, PKCS #7 (RFC 5652) is the most widely used padding scheme: n padding bytes that all carry the value n (i.e., 0x01, 0x0202, 0x030303, …); PKCS #5 is the same scheme restricted to a block length of 8 bytes
– SSL/TLS uses its own scheme: the last byte is the padding length PL, and it is preceded by PL further padding bytes (arbitrary in SSL 3.0, equal to PL in TLS), so a one-byte padding is 0x00, a two-byte padding 0x0101, a three-byte padding 0x020202, etc.; this is the scheme assumed in the following

(Figure legend: PL = padding length − 1, RB = random byte)


– In a Vaudenay attack, the adversary tries to decrypt a ciphertext block Ci that may comprise a secret value, e.g., password, bearer token, …
– The k bytes of Ci = Ci[1]Ci[2]Ci[3]…Ci[k] can be attacked individually
– The adversary knows Ci-1‖Ci and mounts a CCA2
– In each step, the adversary replaces Ci-1 with a specifically crafted ciphertext block C’ and submits the two-block ciphertext C’‖Ci as payload of an SSL/TLS record to the (padding) oracle
– For each submission, the oracle reveals one bit of information, namely whether the decryption of C’‖Ci, i.e., the block P’ = DK(Ci) ⊕ C’, is properly padded or not
– This information can be revealed either by a particular error message (decryption_failed vs. bad_record_mac) or a timing (side-) channel
– Note that the MAC is computed iff the record is properly padded, and that the MAC is going to fail anyway (with a very high probability)


– To attack Ci[16], the adversary tries out all possible byte values for C’[16], until the padding oracle responds in the affirmative way
– In this case, the adversary knows that the decrypted block has a valid padding (most likely 0x00, i.e., a zero-length padding; with probability roughly 1/256 the accepted padding is a longer one such as 0x0101, which the adversary rules out by changing C’[15] and querying the oracle once more)
– This means that DK(Ci)[16] ⊕ C’[16] = 0x00 and – because Ci = EK(Pi ⊕ Ci-1) – DK(EK(Pi ⊕ Ci-1))[16] ⊕ C’[16] = 0x00
– This, in turn, means that (Pi ⊕ Ci-1)[16] ⊕ C’[16] = 0x00, Pi[16] ⊕ Ci-1[16] ⊕ C’[16] = 0x00, and hence Pi[16] = Ci-1[16] ⊕ C’[16]
– The adversary can determine Pi[16], because he or she knows Ci-1[16] and C’[16]


– The same attack can be continued for Ci[15], …, Ci[1]
– Care must be taken so that all padding bytes are properly set
– To attack Ci[15], for example, the proper padding must be 0x0101
– This means that C’[16] needs to be adjusted in a particular way
– From Pi[16] ⊕ Ci-1[16] ⊕ C’[16] = 0x01 and knowledge of Pi[16], it follows that C’[16] must be set to 0x01 ⊕ Pi[16] ⊕ Ci-1[16]
– With this setting, the adversary can try out all possible values for C’[15], until decryption yields the padding 0x0101
– With this value, he or she can decrypt Ci[15]
– From Pi[15] ⊕ Ci-1[15] ⊕ C’[15] = 0x01 it follows that Pi[15] = 0x01 ⊕ Ci-1[15] ⊕ C’[15]


– The attack works similarly for Ci[14]
– The adversary must first update C’[16] and C’[15], and then try out all possible byte values for C’[14] until the decryption of Ci[14] yields the padding 0x020202
– Ci[14] can be decrypted according to Pi[14] = 0x02 ⊕ Ci-1[14] ⊕ C’[14]
– This can be repeated for Ci[13], Ci[12], …, Ci[1]
– For k = 16, the attack requires at most 16∙2^8 = 2^4∙2^8 = 2^12 = 4’096 oracle queries (on average about half as many)
– This is highly efficient


– It is important to note that the attack does not directly target the key (and runs independently from it)
– This means that the attack can be mounted even if Ci is encrypted with different keys, e.g., in multiple sessions
– The only requirement is that the secret always occurs at the same place within Ci
– This makes the attack perfectly feasible in practice (e.g., password transmission in IMAP4 over SSL/TLS)
– The feasibility and efficiency of the attack also depend on the padding scheme in use (the simpler the scheme, the more feasible and efficient the attack)
– SSL employs a simpler padding scheme than TLS → POODLE (2014)
– But the attack story against TLS continues → Lucky 13 (2013), Lucky Microseconds (2016), …


– Renegotiation Attack (2009)
– There are several reasons why a TLS session may need to be renegotiated (e.g., a server that requests client authentication only when a protected resource is accessed, or a refresh of the keys)
– In 2009, Marsh Ray and Steve Dispensa found a way to exploit TLS session renegotiation to mount a renegotiation attack
– The MITM opens a TLS connection to the server, sends a (partial) request of his or her own, and then forwards the victim client’s handshake as a renegotiation inside this connection; the server treats the client’s data as a continuation of the MITM’s request (e.g., an HTTP request prefix chosen by the MITM gets the client’s cookie appended)


– Patch
– Disable client-initiated renegotiation (not always possible)
– Countermeasure
– Handshake recognition → ensure that both parties have the same view of the previous handshake
– This can be achieved by the TLS renegotiation_info extension (RFC 5746)
– The data field of this extension must comprise the verify_data field(s) from the Finished handshake message(s) of the session that is being renegotiated
– ClientHello → client’s verify_data field
– ServerHello → client and server’s verify_data fields
– In the initial handshake, the extension is sent empty (or signaled with the cipher suite value TLS_EMPTY_RENEGOTIATION_INFO_SCSV)


– The protection the TLS renegotiation_info extension provides is not foolproof
– In 2014, it was shown by Karthikeyan Bhargavan, Antoine Delignat-Lavaud et al. that a Triple Handshake Attack remains feasible
– In this attack, the MITM
– Mounts an unknown key-share attack to establish two TLS sessions (client–MITM and MITM–server) that share the same master secret and session ID
– Proxies a client-side session resumption (after which the verify_data values of both connections are identical)
– Mounts a «normal» renegotiation attack (with the proper TLS renegotiation_info extension in place)


– The bottom line was that renegotiation attacks remain feasible (in spite of the TLS renegotiation_info extension)
– The IETF TLS WG was looking for a renegotiation mechanism that is inherently more secure
– An obvious possibility is to make sure that an unknown key-share cannot take place → all TLS connections use a unique master secret (bound to the handshake transcript)
– This can be achieved with the TLS extension extended_master_secret (RFC 7627)
– TLS 1.3 no longer supports renegotiation


– BEAST (2011)
– In 2004, Gregory Bard published an attack against CBC encryption and the way an initialization vector (IV) is used
– In theory, CBC encryption requires a fresh and unpredictable IV for every message (record) that is encrypted
– In practice, however, SSL 3.0 and TLS 1.0 employed an IV derived from the key block only for the first record (in a connection), and all subsequent IVs are implicit and taken from the final block of the preceding record
– An adversary can therefore predict the IV that is used to encrypt the next record
– This can be turned into a blockwise chosen plaintext attack (CPA) that allows an adversary to determine a low-entropy string, such as a password or a bearer token


– Assume an adversary is observing a ciphertext C = C0, C1, … (where C0 represents the IV) and wants to verify whether a particular plaintext block Pi is equal to P⋆

(Figure: ciphertext record with the blocks Ci-1, Ci, …, Cj-1, Cj; question: Pi = P⋆?)

– The adversary can mount a blockwise CPA (not trivial)
– He or she generates a first block for a new record Pj = Cj−1 ⊕ Ci-1 ⊕ P⋆
– This block gets encrypted to Cj = Ek(Pj ⊕ Cj−1) = Ek(Cj−1 ⊕ Ci-1 ⊕ P⋆ ⊕ Cj−1) = Ek(Ci-1 ⊕ P⋆) = Ek(P⋆ ⊕ Ci-1)
– The «normal» CBC encryption formula is Ci = Ek(Pi ⊕ Ci-1)
– This means that Ci = Cj iff Pi = P⋆ (can be tested)


– If Ci = Cj, then P⋆ is the proper value of Pi
– Otherwise, the procedure can be repeated for another value P⋆, until the correct value is found
– In general, this procedure works at the block level (for a block length of 128 bits, there are 2^128 possible values to test)
– This is beyond the capabilities of a «normal» adversary
– Either Pi must be a low-entropy value or the attack must be modified so that each byte of Pi can be attacked individually
– This is where the chosen-boundary blockwise CPA comes into play
– The plaintext message is modified in a way that Pi comprises known data except for the last byte (that may represent, for example, the first character of an HTTP cookie)
– Inside P⋆, an exhaustive search must then only find the last byte
– This is feasible and efficient (it requires only 256 tries)
– This procedure can be repeated for every byte of Pi (shifting the boundary by one byte each time, so that the next unknown byte becomes the last byte of a block whose other 15 bytes are known)
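As an added example (not from the slides), the chosen-boundary blockwise CPA in Python: the «browser» sends records over a CBC channel with chained IVs, the adversary chooses the path length so that one unknown cookie byte ends up as the last byte of a block, and then injects Pj = Cj−1 ⊕ Ci-1 ⊕ P⋆ for each of the 256 guesses. Because the attack never decrypts anything, a keyed SHA-256 stands in for Ek; the cookie, the key and all names are constructed for this example.

```python
# Added example: chosen-boundary blockwise CPA (BEAST) against CBC with chained IVs (SSL 3.0 / TLS 1.0).
# The victim only ever encrypts, so a keyed one-way function stands in for the block cipher E_k
# (a demo stand-in, not a real cipher); nothing in this example needs to decrypt.
import hashlib

BS = 16
SECRET_COOKIE = b"tok=9f3aQ"                 # constructed secret the adversary wants to recover

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class ChainedCbcSender:
    """CBC sender whose IV for each record is the last ciphertext block of the previous record."""
    def __init__(self, key: bytes, iv: bytes):
        self.key, self.last = key, iv

    def e_k(self, block: bytes) -> bytes:
        return hashlib.sha256(self.key + block).digest()[:BS]      # stand-in for E_k

    def send(self, plaintext: bytes):
        """Encrypt one record (zero-padded to BS); returns (IV used, list of ciphertext blocks)."""
        plaintext += b"\x00" * (-len(plaintext) % BS)
        iv, out, prev = self.last, [], self.last
        for i in range(0, len(plaintext), BS):
            prev = self.e_k(xor(plaintext[i:i + BS], prev))
            out.append(prev)
        self.last = prev                          # this block becomes the next record's IV (observable!)
        return iv, out

def victim_request(sender: ChainedCbcSender, path: bytes):
    """The browser sends a request whose path the adversary's script chooses, followed by the cookie."""
    return sender.send(path + SECRET_COOKIE)

def beast(sender: ChainedCbcSender, secret_len: int) -> bytes:
    known = b""
    for t in range(secret_len):
        # chosen boundary: pick the path length so that secret byte t is the LAST byte of block idx
        path_len = BS + (BS - 1 - t) % BS
        path = b"/" + b"A" * (path_len - 1)
        idx = (path_len + t) // BS
        known15 = (path + known)[BS * idx: BS * idx + BS - 1]      # the other 15 bytes of P_i are known
        iv, blocks = victim_request(sender, path)                  # observe C_{i-1} and C_i
        c_i, c_prev = blocks[idx], blocks[idx - 1] if idx > 0 else iv
        for g in range(256):
            p_star = known15 + bytes([g])
            p_j = xor(xor(sender.last, c_prev), p_star)            # P_j = C_{j-1} XOR C_{i-1} XOR P*
            _, (c_j,) = sender.send(p_j)                           # inject one chosen record
            if c_j == c_i:                                         # E_k(P* XOR C_{i-1}) == E_k(P_i XOR C_{i-1})
                known += bytes([g])
                break
        else:
            raise RuntimeError("no byte matched: boundary not aligned")
    return known

def demo_beast() -> bytes:
    sender = ChainedCbcSender(key=b"\x01" * 16, iv=b"\x02" * 16)   # constructed session
    return beast(sender, len(SECRET_COOKIE))
```

Each recovered byte costs at most 257 records (one victim request plus up to 256 injected records); the 1/n−1 record splitting patch breaks the attack because the IV of the «main» record is then no longer known when Pj has to be chosen.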


– In 2011, Thai Duong and Juliano Rizzo presented a tool named Browser Exploit Against SSL/TLS (BEAST) at a security conference
– The tool consisted of JavaScript code that was able to mount a chosen-boundary blockwise CPA inside a browser (to decrypt a PayPal token)
– Due to its effectiveness and efficiency, the BEAST tool attracted a lot of media attention
– Even today, the acronym makes people nervous when they argue about the security of SSL/TLS
– Patch
– «1/n−1 record splitting» → a one-byte dummy record randomizes the IV that is used to encrypt the main record
– Countermeasure
– Replace the implicit IV with an explicit one (since TLS 1.1)


– CRIME (2012)
– In 2002, John Kelsey published a research paper in which he claimed that combining compression and encryption may be dangerous (in contrast to «normal» intuition)
– Again, this went unnoticed until Rizzo and Duong presented a Compression Ratio Info-leak Made Easy (CRIME) attack in 2012
– CRIME effectively turned the vulnerability found by Kelsey into a side-channel attack against the TLS protocol (with compression invoked at the TLS level)
– The side-channel is due to the message size (i.e., differently compressed messages have different sizes)
– The DEFLATE compression algorithm (cf. RFC 1951) is widely deployed on the Internet (also for HTTP)
– It combines LZ77 (Jacob Ziv and Abraham Lempel, 1977) and Huffman (David A. Huffman, 1952) encoding
– The CRIME attack targets LZ77
– For each character in the target string, the attack looks for the possibility that compresses most


(Figure: two rounds of the CRIME attack against a request that carries the secret «Cookie=XYZ…». Round 1: the adversary injects «Cookie=A», «Cookie=B», …, «Cookie=X», «Cookie=Y», … into the same compressed stream; the variant with «Cookie=X» compresses best, because LZ77 finds the longest match, so X is the first character. Round 2: «Cookie=XA», «Cookie=XB», …, «Cookie=XX», «Cookie=XY», …; now «Cookie=XY» compresses best, and so on.)


– The CRIME attack is possible, because …
– … the encryption does not hide the message length
– … each character can be attacked individually
– The attack exploits the properties of LZ77
– Any other compression algorithm may make the attack more difficult or even impossible to mount
– This also applies to Huffman encoding (that is part of DEFLATE)
– The attack can be mitigated by disabling TLS-level compression (i.e., compression method null)
– But this does not solve the problem entirely
– If compression is done at the application level (e.g., HTTP), then the effect may be similar → TIME and BREACH (both in 2013) and HEIST (2016)
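The two rounds sketched in the figure above, as an added example (not part of the slides) in Python. DEFLATE's LZ77 stage is modelled by a minimal greedy LZ77 tokenizer that only counts tokens (a literal or a back-reference each count as one); real zlib output is Huffman-coded on top, which makes the length differences noisier and forces a real attacker to break ties with repeated tries. The request template, the cookie value and the function names are this example's own.

```python
# Added example: the CRIME compression oracle, recovering a cookie byte by byte. The adversary controls
# part of the request (the URL) and observes only the size of the compressed, encrypted record.
import string

SECRET = b"k9x2vq"                                  # constructed session cookie value
ALPHABET = (string.ascii_lowercase + string.digits).encode()

def lz77_tokens(data: bytes, min_match: int = 3, max_match: int = 258) -> int:
    """Greedy LZ77 stand-in for DEFLATE's first stage: number of tokens emitted (fewer = compresses better)."""
    i, tokens = 0, 0
    while i < len(data):
        best = 0
        for j in range(i):                            # search the whole history (window is larger than our data)
            l = 0
            while i + l < len(data) and l < max_match and data[j + l] == data[i + l]:
                l += 1
            best = max(best, l)
        i += best if best >= min_match else 1         # back-reference or a single literal
        tokens += 1
    return tokens

def request_with_guess(guess_segment: bytes, cookie: bytes) -> bytes:
    """One HTTP request: adversary-chosen URL and the secret Cookie header in the same compressed stream."""
    return (b"GET /?q=" + guess_segment + b" HTTP/1.1\r\nHost: shop.example\r\n"
            b"Cookie: session=" + cookie + b"\r\n\r\n")

def compressed_size(guess_segment: bytes, cookie: bytes = SECRET) -> int:
    """What the MITM observes: the length of the compressed record (encryption does not hide it)."""
    return lz77_tokens(request_with_guess(guess_segment, cookie))

def crime(size_oracle, max_len: int = 32) -> bytes:
    """Round after round, keep the guess that makes the record smallest (longest LZ77 match)."""
    known = b""
    for _ in range(max_len):
        sizes = {g: size_oracle(b"session=" + known + bytes([g])) for g in ALPHABET}
        best = min(sizes.values())
        winners = [g for g, s in sizes.items() if s == best]
        if len(winners) != 1:                         # no unique shortest candidate: end of the secret (or noise)
            break
        known += bytes(winners)
    return known
```

The correct guess extends the back-reference that the Cookie header makes to the URL by exactly one byte, so its record is one token shorter than every wrong guess; with Huffman coding on top, that difference can vanish into byte alignment, which is why the real CRIME/BREACH tools compare several padded variants per guess.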


– Lucky 13 (2013)
– There are commonly agreed countermeasures against padding oracle (i.e., Vaudenay) attacks
– Make it impossible for an adversary to distinguish between a padding error and a MAC error
– Since TLS 1.1, there is a single alert message (i.e., bad_record_mac) to signal both errors
– Also, to avoid a timing (side-) channel, the TLS 1.1 specification requires that «implementations must ensure that record processing time is essentially the same whether or not the padding is correct. In general, the best way to do this is to compute the MAC even if the padding is incorrect, and only then reject the packet. For instance, if the pad appears to be incorrect, the implementation might assume a zero-length pad and then compute the MAC. This leaves a small timing channel, since MAC performance depends to some extent on the size of the data fragment, but it is not believed to be large enough to be exploitable, due to the large block size of existing MACs and the small size of the timing signal.»


– With this patch in place, it was commonly believed that an implementation is secure against Vaudenay-type attacks
– This changed in 2013, when Nadhem J. AlFardan and Kenny Paterson demonstrated an attack known as Lucky 13 (the name refers to the 13-byte header, i.e., sequence number, type, version, and length, over which the TLS MAC is computed)
– The attack exploits the fact that the running time of the hash functions that are currently deployed (in particular, SHA-1) depends on the length of the input messages
– There is a notable difference in the running time if a 55-byte message is hashed compared to a message of 56 or more bytes (SHA-1 processes 64-byte blocks and needs 9 bytes for padding and length, so 56 bytes already require a second compression function call)
– This can be turned into a Vaudenay-type attack


– Because the Lucky 13 attack requires a pair of bytes to be found that lead to a padding of 0x0101 (two bytes are guessed together, i.e., up to 2^16 queries, each repeated to average out timing noise), the workload of the attack is worse than that of a «normal» Vaudenay attack
– There are similar attacks, such as Lucky Microseconds (2016)


– Countermeasures (to mitigate Lucky 13 and other Vaudenay-type padding oracle attacks)
– Avoid any timing side-channel (even for the MAC generation) → constant-time programming, which is hard (beware of compilers!)
– Avoid any block cipher in CBC mode (in SSL 3.0, TLS 1.0, and TLS 1.1, this means that RC4 must be used – but RC4 has security problems of its own!)
– Use Encrypt-then-Authenticate (EtA) instead of AtE (→ encrypt_then_mac extension, RFC 7366)
– Since TLS 1.2, the use of an AEAD cipher is highly recommended, such as counter mode with CBC-MAC (CCM), Galois/counter mode (GCM), or ChaCha20-Poly1305 (RFC 7539)
– TLS 1.3 mandates the use of an AEAD cipher
– Fortunately, the attacks can easily be detected on the server side (they need a large number of connections that all end in a decryption or MAC failure)


– POODLE (2014)
– In 2002, Bodo Moeller posted a way to turn SSL padding into a plaintext recovery attack for the last byte of any given block
– In 2014, Moeller teamed up with Thai Duong and Krzysztof Kotowicz to turn this vulnerability into a full-fledged and devastating attack against SSL 3.0 (CVE-2014-3566)
– The attack was acronymed Padding Oracle On Downgraded Legacy Encryption (POODLE)


– The POODLE attack has a different adversarial setting than «normal» padding oracle attacks (e.g., Bleichenbacher, Vaudenay, …)
– It requires an adversary who can act as a man-in-the-middle (MITM)
– Similar to the BEAST attack, he or she can execute JavaScript code in the browser (to compile and send out HTTP request messages that comprise bearer tokens at some specific locations)
– Also, he or she can manipulate SSL records on the fly

(Figure: web client (browser) → adversary (MITM) → web server; the browser sends the record «POST /path Cookie: name=value \r\n\r\n body ‖ MAC ‖ padding», which the MITM modifies in transit)


– The adversary has the browser compile an HTTP request message that is specifically crafted when CBC-encrypted as ciphertext C = C1, C2, …, Cn (e.g., block length 16): POST /path Cookie: name=value \r\n\r\n body ‖ MAC ‖ padding
– The last block Cn is a full block of padding and the first character of the cookie value appears encrypted as the last byte in some block Ci (the adversary controls the lengths of the path and the body to arrange both)
– This means that Pn[16] = 15 and all other bytes of the padding block, i.e., Pn[1], …, Pn[15], comprise a random value, and that the attack tries to decrypt the last byte of Ci, i.e., Ci[16]
– The adversary manipulates C on the fly by replacing Cn with a copy of Ci, actually constructing C1, C2, …, Ci-1, Ci, Ci+1, …, Cn-1, Ci
– This (manipulated) ciphertext is sent to the server that tries to decrypt it
– The last block decrypts to Pn = DK(Ci) ⊕ Cn-1


– The decryption of the last byte of this block, i.e., Pn[16], behaves pseudorandomly
– With a probability of 1/256 it yields 15 (= 0x0F)
– With the complementary probability of 1 − 1/256 = 255/256 it yields another value
– Only in the first case is the padding correct
– This means that the MAC is taken from the correct position and can thus be verified → the protocol can be executed (without a MAC failure)
– Otherwise (i.e., second case), the padding is incorrect, and hence the MAC is taken from a wrong position and cannot be verified → the protocol execution aborts with a MAC failure
– In this case, the adversary has to reestablish an SSL connection (with fresh keys, which is why the same request can be re-sent and attacked again) and repeat the attack


– Every once in a while, the adversary is lucky and decrypts Pn[16] to yield 15
– In this case, he or she knows that Pn[16] = 15 and can use this knowledge to decrypt Pi[16]
– From Pn = DK(Ci) ⊕ Cn-1 and Ci = EK(Pi ⊕ Ci-1) it follows that Pn = DK(EK(Pi ⊕ Ci-1)) ⊕ Cn-1, and hence Pn = Pi ⊕ Ci-1 ⊕ Cn-1
– This equation holds at the block level, but it also holds at the byte level, i.e., Pn[16] = Pi[16] ⊕ Ci-1[16] ⊕ Cn-1[16]
– Pn[16] = 15 implies that Pi[16] ⊕ Ci-1[16] ⊕ Cn-1[16] = 15, and hence Pi[16] = 15 ⊕ Ci-1[16] ⊕ Cn-1[16]
– The POODLE attack is efficient (it requires ~ 256 tries on average to recover a byte; the next byte is recovered by shifting the request so that it becomes the last byte of a block)
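Both padding oracle attacks described in the preceding slides, the Vaudenay attack against a TLS-style padding check and the POODLE variant against the SSL 3.0 check, as one added Python example that is not part of the lecture slides. The block cipher is a toy Feistel construction keyed through SHA-256 (a stand-in so the program runs without any library; it is not AES), the record layout follows the slides (data ‖ MAC ‖ padding), and the two servers, the cookie value, the request and all function names are this example's own constructions. The Vaudenay part also handles the false positive at the last byte (an accidental 0x0101 padding) that the slides gloss over with «most likely 0x00».

```python
# Added example: CBC padding oracle attacks on the SSL/TLS record layout data || MAC || padding.
# Block cipher: toy 8-round Feistel network keyed through SHA-256 (NOT AES; only here so the program
# runs stand-alone). Two servers model the two oracles from the slides:
#   tls_server  checks every padding byte and reports it separately (TLS 1.0)  -> Vaudenay attack
#   ssl3_server checks only the padding length byte (SSL 3.0)                  -> POODLE attack
import hashlib, hmac, os

BS, MACLEN = 16, 20                                  # block size, HMAC-SHA1 length
SECRET_COOKIE = b"sid=7F3A9C"                        # constructed secret carried in every request
PREFIX = b"POST /a/b/cd HTTP/1.0\r\nCookie: "        # 31 bytes: cookie byte 1 is the last byte of block 2

def _f(key, half, rnd):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]
def block_encrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in range(8):
        l, r = r, bytes(x ^ y for x, y in zip(l, _f(key, r, rnd)))
    return l + r
def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(8)):
        l, r = bytes(x ^ y for x, y in zip(r, _f(key, l, rnd))), l
    return l + r
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BS):
        prev = block_encrypt(key, xor(pt[i:i + BS], prev))
        out.append(prev)
    return b"".join(out)
def cbc_decrypt(key, iv, ct):
    blocks = [iv] + [ct[i:i + BS] for i in range(0, len(ct), BS)]
    return b"".join(xor(block_decrypt(key, blocks[i]), blocks[i - 1]) for i in range(1, len(blocks)))

def build_record(key, iv, data):
    """Client: data || HMAC || padding, the padding being PL+1 bytes that all carry the value PL."""
    mac = hmac.new(key, data, hashlib.sha1).digest()
    pl = (BS - 1) - (len(data) + MACLEN) % BS
    return cbc_encrypt(key, iv, data + mac + bytes([pl] * (pl + 1)))

def _check_mac(key, pt, pl):
    end = len(pt) - pl - 1
    body, mac = pt[:end - MACLEN], pt[end - MACLEN:end]
    return "ok" if hmac.compare_digest(hmac.new(key, body, hashlib.sha1).digest(), mac) else "bad_record_mac"
def tls_server(key, iv, record):
    pt = cbc_decrypt(key, iv, record)
    pl = pt[-1]
    if pl + 1 + MACLEN > len(pt) or pt[-(pl + 1):] != bytes([pl] * (pl + 1)):
        return "decryption_failed"                   # a distinct error: this is the padding oracle
    return _check_mac(key, pt, pl)
def ssl3_server(key, iv, record):
    pt = cbc_decrypt(key, iv, record)
    pl = pt[-1]
    return "bad_record_mac" if pl + 1 > BS else _check_mac(key, pt, pl)   # padding bytes never inspected

def vaudenay_attack(oracle, c_prev, c_i):
    """Recover P_i from C_{i-1} || C_i using only the padding oracle (positions 16 down to 1 as on the slides)."""
    p = bytearray(BS)
    for j in range(BS - 1, -1, -1):
        v = (BS - 1) - j                             # padding value positions j..16 must show
        c_fake = bytearray(os.urandom(BS))
        for t in range(j + 1, BS):                   # force P'[t] = v with the bytes recovered so far
            c_fake[t] = v ^ p[t] ^ c_prev[t]
        for guess in range(256):
            c_fake[j] = guess
            if oracle(bytes(c_fake), c_i) == "decryption_failed":
                continue
            if j == BS - 1:                          # rule out an accidental longer padding (0x0101, ...)
                c_fake[j - 1] ^= 0xFF
                still_ok = oracle(bytes(c_fake), c_i) != "decryption_failed"
                c_fake[j - 1] ^= 0xFF
                if not still_ok:
                    continue
            p[j] = v ^ c_prev[j] ^ guess             # P_i[j] = v XOR C_{i-1}[j] XOR C'[j]
            break
    return bytes(p)

def craft_plaintext(prefix, cookie):
    """Body length chosen so that the padding is a full block: len(data) + MACLEN = 0 mod BS."""
    head = prefix + cookie + b"\r\n\r\n"
    return head + b"x" * ((-(len(head) + MACLEN)) % BS)
def poodle_attack(target_block, encrypt_request, max_tries=20000):
    """Recover the last byte of plaintext block target_block (1-based) from a request the browser re-sends."""
    for _ in range(max_tries):
        key, iv = os.urandom(16), os.urandom(16)    # fresh connection: new keys, same plaintext
        record = encrypt_request(key, iv)
        c = [iv] + [record[i:i + BS] for i in range(0, len(record), BS)]
        if ssl3_server(key, iv, record[:-BS] + c[target_block]) == "ok":   # C_n replaced by C_i
            return 15 ^ c[target_block - 1][-1] ^ c[-2][-1]   # P_i[16] = 15 XOR C_{i-1}[16] XOR C_{n-1}[16]
    raise RuntimeError("no lucky decryption within max_tries")

def demo_vaudenay():
    key, iv = os.urandom(16), os.urandom(16)
    record = build_record(key, iv, craft_plaintext(PREFIX, SECRET_COOKIE))
    c = [iv] + [record[i:i + BS] for i in range(0, len(record), BS)]
    oracle = lambda c_fake, c_i: tls_server(key, iv, os.urandom(BS) + c_fake + c_i)   # filler block, C', C_i
    return vaudenay_attack(oracle, c[1], c[2])       # decrypt C_2 knowing only C_1 || C_2
def demo_poodle():
    pt = craft_plaintext(PREFIX, SECRET_COOKIE)
    return poodle_attack(len(PREFIX) // BS + 1, lambda key, iv: build_record(key, iv, pt))
```

demo_vaudenay recovers the whole second block (the end of the request line and the first cookie byte) from a single connection; demo_poodle recovers one byte (the «s» of «sid=») from about 256 connections, which is the cost the slides quote, and needs the browser to re-send the request because every failed try kills the connection.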


– The POODLE attack only works with SSL 3.0 → the adversary must enforce the use of this protocol
– He or she can perform a «downgrade dance»: the MITM breaks the TLS handshakes, so that the browser retries with lower and lower versions until it ends up with SSL 3.0 (a protocol version downgrade attack)
– Countermeasure (RFC 7507): if the client retries with a lower version than the highest one it supports, then it adds the signaling cipher suite TLS_FALLBACK_SCSV (0x5600) to its list of supported cipher suites (ClientHello message)
– If the server receives this value but supports a higher version than the one the client proposes, then it knows that something fishy is going on
– In this case, the server is to abort the connection and send a fatal alert message (inappropriate_fallback) to the client
– Due to the POODLE attack, the IETF deprecated SSL 3.0 in June 2015 (RFC 7568)


– FREAK and Logjam (2015)
– There are some key exchange downgrade attacks against export-grade cryptography
– The FREAK attack against RSA_EXPORT: a MITM rewrites the ClientHello to offer only RSA_EXPORT cipher suites, and a bug in several TLS clients made them accept a 512-bit export RSA key (ServerKeyExchange) although they had not negotiated an export suite; factoring a 512-bit RSA key costs only a few hours of cloud computing
– The Logjam attack against DHE_EXPORT: a MITM downgrades the DHE key exchange to a 512-bit export group; because most servers use the same few groups, a one-time precomputation per group makes the individual discrete logarithms cheap
– The mere support of any export-grade cryptography is dangerous (even if no client ever asks for it)


– RACCOON (2020)
– In September 2020, a group of researchers published a paper, in which they describe a subtle timing vulnerability in the DH(E) key exchange mechanism used by TLS servers (≤ version 1.2): leading zero bytes of the DH shared secret are stripped before it enters the key derivation, so the time needed for the derivation leaks whether the secret is «short»
– The resulting Raccoon attack is very difficult to exploit in practice (it requires a server that reuses its DH exponent across connections and very precise timing measurements); TLS 1.3 is not affected, because it keeps the leading zeros


– Since the official release of TLS 1.2 in 2008, the IETF TLS WG had been working hard on the next version of the TLS protocol
– The work was strongly influenced by the OPTLS protocol proposed by Hugo Krawczyk and Hoeteck Wee in 2015
– In August 2018, TLS 1.3 was specified in RFC 8446 (with version number 0x0304) and published on the IETF standards track (Proposed Standard)
– The protocol improves efficiency and security


– With regard to efficiency, the ultimate goal was to reduce the number of roundtrip times (RTTs) required to establish a secure session (mainly because network latency is an increasingly important problem)
– To achieve 1-RTT, the designers of TLS 1.3 adapted ideas from False Start and Snap Start originally developed by Google in 2010
– In short, the client tries to opportunistically guess the key exchange method preferred by the server and provides its respective key share in the first flight (i.e., as part of the ClientHello message)
– If the client and server share a PSK, then the ClientHello message may already comprise some encrypted data («early data»), and hence provide 0-RTT
– In this case, no certificate handling is required (because it is assumed that the entities have already authenticated themselves before)


– 0-RTT has security disadvantages (and its use should therefore be considered with care)
– It is susceptible to replay attacks → anti-replay mechanisms are needed on the server, and the operations carried in «early data» must be idempotent (i.e., a message that is delivered multiple times must not change the server state)
– It is susceptible to DoS attacks → the amount of «early data» must be limited to a reasonable size
– The «early data» is not forward secure (it is protected by a key derived from the PSK alone) → the application must be aware of this fact and take it into account
– This requires a lot of care and responsibility on the side of the application software developers
– The usefulness of 0-RTT is controversially discussed in the community


– With regard to security, TLS 1.3 is simplified (to make it less susceptible to implementation and configuration flaws)
– Also, it only uses cryptographic primitives and options that are known (or believed) to be secure
– No compression (other than NULL)
– No renegotiation, and no session resumption with session IDs or session tickets (resumption is done with a PSK-based key exchange instead)
– Key exchange is always based on PSK, (EC)DHE, or a combination of the two (→ no static RSA or DH, hence forward secrecy for every handshake that includes an (EC)DHE share)
– Authentication is based on PSK, RSA (→ RSASSA-PSS), ECDSA, or EdDSA (e.g., Ed25519, Ed448-Goldilocks, …)
– The TLS PRF is replaced with an HMAC-based Key Derivation Function (HKDF) that is in line with RFC 5869 (using SHA-256 or SHA-384)


– TLS 1.3 cipher suites comprise only an AEAD cipher (+ key length) and a hash function for the HKDF (no key exchange and no authentication mechanism)
– TLS_AES_128_GCM_SHA256 (0x13,0x01) → MUST implement
– TLS_AES_256_GCM_SHA384 (0x13,0x02) → SHOULD implement
– TLS_CHACHA20_POLY1305_SHA256 (0x13,0x03) → SHOULD implement
– TLS_AES_128_CCM_SHA256 (0x13,0x04)
– TLS_AES_256_CCM_8_SHA256 (0x13,0x05)

(Figure: anatomy of a cipher suite name, e.g., TLS_AES_128_GCM_SHA256 = Protocol_AEAD cipher_HKDF hash algorithm)

– The TLS 1.3 cipher suites are itemized in the same TLS parameters repository maintained by the IANA (first byte is 0x13)


– In TLS 1.3, all handshake messages after the ServerHello are encrypted
– This improves the confidentiality of the handshake
– It means, for example, that certificates are no longer sent in the clear
– This makes it more important to also send the SNI in encrypted form (→ ESNI, meanwhile succeeded by the Encrypted Client Hello (ECH) draft)
– Since July 2020, the Great Firewall (GFW) of China has been blocking TLS 1.3 connections that use ESNI
– More generally, all extensions that carry sensitive information should no longer be sent in the hello messages (that are sent in the clear)
– Instead, they should be sent in the new EncryptedExtensions message (that is encrypted by default)
– Note that EncryptedExtensions is sent by the server, so client-supplied data such as the SNI still needs ESNI/ECH to be protected


Communication Security Cryptographic Security Protocols (SSL/TLS)

– In addition to the usual extensions, the ClientHello message may also include
– pre_shared_key → PSKs known to the client
– psk_key_exchange_modes → PSK alone or with (EC)DHE
– supported_groups → supported (EC)DHE groups
– key_share → (EC)DHE key shares for some or all of the supported groups
– signature_algorithms → RSA, ECDSA, and/or EdDSA
– If a PSK is used, then some «early data» can be encrypted and included in the ClientHello message (0-RTT)

[Figure: TLS 1.3 message flow (simplified overview)]
Flight #1 (client → server): ClientHello (+ early data if 0-RTT is used)
Flight #2 (server → client): ServerHello, EncryptedExtensions, CertificateRequest (optional), Certificate, CertificateVerify, Finished, Application Data
Flight #3 (client → server): Certificate and CertificateVerify (only if requested), Finished, Application Data
Variant with HelloRetryRequest: ClientHello → HelloRetryRequest → ClientHello (now with a key share the server accepts) → ServerHello and the rest of flight #2 as above


Communication Security Cryptographic Security Protocols (SSL/TLS)

[Table: (EC)DHE groups available in TLS 1.3 and negotiated with the «supported_groups» extension: the elliptic curves secp256r1, secp384r1, secp521r1, x25519, and x448, and the finite field groups ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, and ffdhe8192 (RFC 7919)]


Communication Security Cryptographic Security Protocols (SSL/TLS)

– New extensions in TLS 1.3 (→ IANA)
– supported_groups (10) → RFC 4492, RFC 7919 → groups for (EC)DHE
– padding (21) → RFC 7685 → to overcome bugs related to the message length
– token_binding (24) → as already specified for TLS 1.2 (since October 2018)
– pre_shared_key (41), early_data (42), supported_versions (43)
– cookie (44) → adapts the anti-clogging mechanism from IPsec and DTLS
– psk_key_exchange_modes (45) → PSK with/without (EC)DHE
– certificate_authorities (47) → replaces the trusted_ca_keys extension
– oid_filters (48) → certificate extension OIDs (e.g., 2.5.29.15 for Key Usage)
– post_handshake_auth (49) → client signals support for post-handshake authentication
– signature_algorithms_cert (50) → complements the signature_algorithms extension for the signatures in certificates
– key_share (51) → (EC)DHE parameters


Communication Security Cryptographic Security Protocols (SSL/TLS)

– TLS 1.3 version negotiation is slightly different than in previous versions
– The ClientHello and ServerHello messages have a legacy_version field that is constantly set to 0x0303 (standing for TLS 1.2)
– In addition, there is a supported_versions extension that comprises the value 0x0304 (standing for TLS 1.3); a server that does not understand the extension simply negotiates on legacy_version
– In previous versions of the SSL/TLS protocols, the TLS_FALLBACK_SCSV (RFC 7507) was used to protect against some protocol downgrade attacks (mainly to mitigate the POODLE attack)
– TLS 1.3 provides another (simple) anti-downgrade mechanism: a TLS 1.3 server that negotiates TLS 1.2 or below sets the last 8 bytes of its ServerHello.random to a fixed sentinel value
– 44 4F 57 4E 47 52 44 01 (ASCII «DOWNGRD» followed by 01) if TLS 1.2 is negotiated
– 44 4F 57 4E 47 52 44 00 (ASCII «DOWNGRD» followed by 00) if TLS 1.1 or below is negotiated
– A client that offered TLS 1.3 must check that neither of the two values occurs at the end of the server random (otherwise something fishy is going on, and the handshake is aborted with an illegal_parameter alert)
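Added example (not part of the lecture slides): a TLS 1.3 ClientHello serialised and parsed with the standard library, covering the legacy_version field, the supported_versions, supported_groups, key_share, signature_algorithms, and server_name extensions, and the client-side downgrade check of RFC 8446, section 4.1.3. The function names are mine; the public key bytes, server name, and server random values used below are constructed, not captured from a real connection, and the record layer is left out.

```python
import os
import struct

TLS12, TLS13 = 0x0303, 0x0304
# extension type code points (IANA), as in the list above
SERVER_NAME, SUPPORTED_GROUPS, SIGNATURE_ALGORITHMS, SUPPORTED_VERSIONS, KEY_SHARE = 0, 10, 13, 43, 51
SECP256R1, X25519 = 0x0017, 0x001D
# RFC 8446, 4.1.3: sentinel in the last 8 bytes of ServerHello.random ("DOWNGRD" + 0x01 / 0x00)
DOWNGRADE_TLS12 = bytes.fromhex("444F574E47524401")
DOWNGRADE_TLS11 = bytes.fromhex("444F574E47524400")


def _vec(data, size):
    """Length-prefixed vector (<...> in the TLS presentation language)."""
    return len(data).to_bytes(size, "big") + data


def _u16s(values):
    return b"".join(struct.pack("!H", v) for v in values)


def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(server_name, cipher_suites, groups, key_shares, versions, sigalgs):
    """Serialise a TLS 1.3 ClientHello handshake message (without the record layer)."""
    exts = _ext(SERVER_NAME, _vec(b"\x00" + _vec(server_name.encode(), 2), 2))   # name type 0 = host_name
    exts += _ext(SUPPORTED_GROUPS, _vec(_u16s(groups), 2))
    exts += _ext(SIGNATURE_ALGORITHMS, _vec(_u16s(sigalgs), 2))
    exts += _ext(SUPPORTED_VERSIONS, _vec(_u16s(versions), 1))       # 1-byte length in the ClientHello form
    shares = b"".join(struct.pack("!H", g) + _vec(pub, 2) for g, pub in key_shares.items())
    exts += _ext(KEY_SHARE, _vec(shares, 2))
    body = (struct.pack("!H", TLS12)            # legacy_version is always 0x0303
            + os.urandom(32)                    # random
            + _vec(os.urandom(32), 1)           # non-empty legacy_session_id (middlebox compatibility mode)
            + _vec(_u16s(cipher_suites), 2)
            + _vec(b"\x00", 1)                  # legacy_compression_methods = {null}
            + _vec(exts, 2))
    return b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1) + 24-bit length


def parse_client_hello(msg):
    """Parse the fields a TLS 1.3 server looks at; raises ValueError on malformed input."""
    if len(msg) < 4 or msg[0] != 1:
        raise ValueError("not a ClientHello")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    hello = {"legacy_version": struct.unpack_from("!H", body, 0)[0]}
    pos = 2 + 32                                          # skip random
    pos += 1 + body[pos]                                  # skip legacy_session_id
    n = struct.unpack_from("!H", body, pos)[0]; pos += 2
    hello["cipher_suites"] = list(struct.unpack("!%dH" % (n // 2), body[pos:pos + n])); pos += n
    pos += 1 + body[pos]                                  # skip legacy_compression_methods
    n = struct.unpack_from("!H", body, pos)[0]; pos += 2
    end = pos + n
    while pos < end:
        etype, elen = struct.unpack_from("!HH", body, pos); pos += 4
        data = body[pos:pos + elen]; pos += elen
        if etype == SERVER_NAME:
            hello["server_name"] = data[5:].decode()      # list length(2) + name type(1) + name length(2)
        elif etype == SUPPORTED_GROUPS:
            hello["supported_groups"] = list(struct.unpack("!%dH" % ((len(data) - 2) // 2), data[2:]))
        elif etype == SUPPORTED_VERSIONS:
            hello["supported_versions"] = list(struct.unpack("!%dH" % (data[0] // 2), data[1:1 + data[0]]))
        elif etype == KEY_SHARE:
            shares, p = {}, 2
            while p < len(data):
                group, klen = struct.unpack_from("!HH", data, p); p += 4
                shares[group] = data[p:p + klen]; p += klen
            hello["key_shares"] = shares
    if pos != end:
        raise ValueError("extension block length mismatch")
    if set(hello.get("key_shares", {})) - set(hello.get("supported_groups", [])):
        raise ValueError("key_share offered for a group that is not in supported_groups")
    return hello


def offers_tls13(hello):
    return TLS13 in hello.get("supported_versions", [])


def check_server_random(server_random, negotiated_version, offered_tls13=True):
    """Client-side downgrade check of RFC 8446, 4.1.3: returns True, or raises if the sentinel is present."""
    if offered_tls13 and negotiated_version < TLS13 and server_random[-8:] in (DOWNGRADE_TLS12, DOWNGRADE_TLS11):
        raise ValueError("downgrade sentinel in ServerHello.random: abort with illegal_parameter")
    return True
```

A TLS 1.2-only server ignores the supported_versions extension and answers with legacy_version 0x0303; the client then only accepts that if the server random carries no sentinel. A TLS 1.3 server, by contrast, must set the sentinel whenever it negotiates down, so the check catches a middlebox that strips the extension.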


Communication Security Cryptographic Security Protocols (SSL/TLS)

– Prior to RFC 8446, there was some controversy regarding the discontinuation of static (RSA and DH) key exchange and a few other changes, with regard to their impact on inspection proxies (middleboxes) in data centers
– It was claimed that these changes would require a major redesign and reconfiguration of entire data center infrastructures
– An Internet-Draft entitled «Data Center use of Static Diffie-Hellman in TLS 1.3» explained how fully ephemeral (EC)DH keys could be replaced with static ones on the server side → «static (EC)DHE» vs. «ephemeral (EC)DHE» (reusing an «ephemeral» key gives up forward secrecy for every session it is used in)
– This was in line with TLS 1.3, but did not end the controversy
– Finally, a «middlebox compatibility mode» was specified in appendix D.4 of RFC 8446 to minimize the impact of TLS 1.3 on middleboxes
– In this mode, a TLS 1.3 handshake is made to look as similar as possible to a TLS 1.2 handshake
– The client always provides a non-empty session ID in the ClientHello message
– The client and the server send back and forth dummy ChangeCipherSpec messages


Communication Security Cryptographic Security Protocols (SSL/TLS)

– More recently (October 2018), the European Telecommunications Standards Institute (ETSI) specified a Middlebox Security Protocol (MSP) for «enterprise TLS» (originally acronymed eTLS) in ETSI TS 103 523-3 V1.1.1 (2018-10)
– The protocol is to support «passive decryption of TLS sessions by authorized entities» (i.e., the server uses a static Diffie-Hellman key that is shared with the decrypting middlebox)
– After a dispute with the IETF regarding the name, eTLS was changed to Enterprise Transport Security (ETS)
– ETS remains a controversially discussed topic
– It is even listed in the NIST National Vulnerability Database (CVE-2019-9191: ETS does not provide per-session forward secrecy)


Communication Security Cryptographic Security Protocols (SSL/TLS)

– Statistics about the use and deployment of SSL/TLS are available from several sources (e.g., Qualys' SSL Labs, ICSI Certificate Notary, … )
– There are many vulnerabilities and respective attacks reported in the media → one always has to look behind the scenes
– There are a few complementary documents that elaborate on how to properly configure SSL/TLS-enabled software (e.g., Apache web servers)
– TLS 1.3 is a true milestone in the evolution of a cryptographic security protocol for the transport layer
– The «cops and robbers» game is likely to continue (so far, the only reported problems refer to «early data» in 0-RTT TLS 1.3)


Communication Security Cryptographic Security Protocols (SSL/TLS)

– Recommendations and best practices
– TLS Recommendations of the IETF (RFC 7525, BCP 195)
– Security/Server Side TLS recommended configurations of the Mozilla Project
– SSL/TLS Best Practice of the German BSI
– SSL/TLS Deployment Best Practices of Qualys' SSL Labs
– Rules of the Open Web Application Security Project (OWASP)
– Revised guide about the use of TLS of the U.S. NIST
– Security controls guidelines for SSL/TLS management of the SANS Institute
– …


Communication Security Cryptographic Security Protocols (SSL/TLS)

– Key recommendations from RFC 7525 (BCP 195; since obsoleted by RFC 9325, which keeps these points and additionally recommends TLS 1.3)
– Don't support SSL (v2 or v3) anymore
– Support TLS 1.0 or 1.1 only if needed
– Support TLS 1.2 (or TLS 1.3 if possible)
– Disable SSL/TLS compression (→ CRIME), unless the application takes care of the respective vulnerabilities
– Don't truncate HMAC values
– Always provide forward secrecy (→ no static RSA or Diffie-Hellman key exchange)
– Enforce the use of the following cipher suites

– TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
– TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
– TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
– TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
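Added example (not part of the lecture slides): the RFC 7525 key recommendations above turned into a server-side configuration with Python's ssl module, next to a deliberately lax configuration and a small audit function that reports deviations. The cipher suite names are the OpenSSL spellings of the four suites listed above; the function names are mine. The audit only inspects the context object, so it runs without a network connection.

```python
import ssl

# the RFC 7525 (BCP 195) cipher suites in OpenSSL notation
RFC7525_SUITES = (
    "ECDHE-RSA-AES128-GCM-SHA256",   # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    "ECDHE-RSA-AES256-GCM-SHA384",   # TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    "DHE-RSA-AES128-GCM-SHA256",     # TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    "DHE-RSA-AES256-GCM-SHA384",     # TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
)


def hardened_server_context():
    """Server-side SSLContext that follows the RFC 7525 recommendations listed above."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # no SSL 2/3, no TLS 1.0/1.1
    ctx.options |= ssl.OP_NO_COMPRESSION              # CRIME
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE    # the server's ordering wins
    ctx.set_ciphers(":".join(RFC7525_SUITES))         # TLS 1.2 suites only; TLS 1.3 suites are configured separately and stay on
    return ctx


def legacy_server_context():
    """The kind of context an old deployment ends up with (for comparison only)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("DEFAULT")    # OpenSSL's default list still contains static RSA key exchange and CBC suites
    return ctx


def audit(ctx):
    """Return the list of findings; an empty list means the context meets the key recommendations."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are enabled")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is enabled")
    for suite in ctx.get_ciphers():
        if suite["protocol"] == "TLSv1.3":            # TLS 1.3 suites are all AEAD with (EC)DHE key exchange
            continue
        if suite["name"] not in RFC7525_SUITES:
            findings.append("non-recommended cipher suite enabled: " + suite["name"])
    return findings
```

For a server that also terminates TLS 1.3, nothing further is needed: the TLS 1.3 suites are selected through a separate OpenSSL setting and all provide forward secrecy and AEAD encryption.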


Communication Security

Cryptographic Security Protocols (Kerberos)

[Figure: book cover, © Artech House (1996), ISBN 978-0-89006-510-5]

– Kerberos is an authentication and key distribution system that was developed at the Massachusetts Institute of Technology (MIT) as part of the Athena project
– It has been in use since 1986 (> 30 years)
– It is a …
– single sign-on (SSO) system
– ticketing system
– The designers and developers of the Kerberos system intentionally avoided the use of public key cryptography (mainly because of patent claims)
– Kerberos is based on the Needham-Schroeder protocol and requires a completely trusted authentication server (AS)


Communication Security Cryptographic Security Protocols (Kerberos)

– Needham-Schroeder protocol (nonce-based version)

1) A → AS : A,B,Na
2) AS → A : {Na,B,Kab,{Kab,A}Kb}Ka
3) A → B : {Kab,A}Kb
4) B → A : {Nb}Kab
5) A → B : {Nb-1}Kab

– The protocol has a well-known weakness (Denning and Sacco, 1981): message 3 carries no freshness information for B, so an attacker who has obtained an old session key Kab can replay it → Kerberos therefore adds timestamps and ticket lifetimes
– Version 5 of Kerberos was specified in July 2005 (RFC 4120) by the IETF Kerberos WG (KRB-WG)
– The MIT reference implementation is available as open source software (OSS)
– There are many proprietary implementations of Kerberos version 5


Communication Security Cryptographic Security Protocols (Kerberos)

– Kerberos is used in security domains that are called «realms»
– Each realm has a key distribution center (KDC)
– The KDC hosts a database with a secret key KP for every principal P
– If P is a human user, then KP is a hash value of the user password (derived with the string-to-key function of the encryption type in use)
– Security services provided by Kerberos
– Authentication services
– Data confidentiality services
– Data integrity services
– A Kerberos ticket has the following structure

TC,S = {S,C,IPC,T,L,KCS,…}KS

– S and C are the server's and the client's principal names
– IPC is the IP address of C
– T is a timestamp (→ requires synchronized time)
– L is the required lifetime of the ticket
– KCS is the session key to be used by C and S
– KS is the secret key of S


Communication Security Cryptographic Security Protocols (Kerberos)

– Tickets are always sent together with an authenticator
– The aim of the authenticator is to make sure (or to prove, respectively) that the originator of a ticket is its authorized owner
– This means that passively eavesdropped tickets cannot be replayed (at least not beyond the clock skew the server tolerates, which is why servers additionally keep a replay cache of recently seen authenticators)
– An authenticator has the following structure

AC,S = {C,IPC,T}KCS

– A Kerberos KDC needs to be physically protected and consists of
– An Authentication Server (AS)
– A Ticket Granting Server (TGS)


Communication Security Cryptographic Security Protocols (Kerberos)

– The Kerberos protocol comprises 3 pairs of messages («exchanges»)
– Authentication Service (AS) Exchange [1,2] → AS authenticates the user and grants a ticket granting ticket (TGT)
– Ticket Granting Service (TGS) Exchange [3,4] → TGS verifies TGT and authenticator, and – in the positive case – generates a session key and a (service) ticket
– Client/Server (CS) Exchange [5,6] → Client authenticates itself to the target server with the service ticket and an authenticator


Communication Security Cryptographic Security Protocols (Kerberos)

1) KRB_AS_REQ: C → AS : U,TGS,L1
2) KRB_AS_REP: AS → C : U,TC,TGS,{TGS,K,Tstart,Texpire}KU
3) KRB_TGS_REQ: C → TGS : S,L2,TC,TGS,AC,TGS
4) KRB_TGS_REP: TGS → C : U,TC,S,{S,K',T'start,T'expire}K
5) KRB_AP_REQ: C → S : TC,S,AC,S
6) KRB_AP_REP: S → C : {T'}K'

with

TC,TGS = {TGS,C,IPC,T,L,K}KTGS and AC,TGS = {C,IPC,T}K
TC,S = {S,C,IPC,T',L',K'}KS and AC,S = {C,IPC,T'}K'


Communication Security Cryptographic Security Protocols (Kerberos)

– If multiple realms are to be interconnected, then so-called «interrealm keys» need to be established between the KDCs
– If a user authenticates himself or herself in realm1, then a special TGT (a so-called «referral ticket») is granted
– The referral ticket is encrypted with the respective interrealm key
– It can be decrypted by the KDC of realm2


Communication Security Cryptographic Security Protocols (Kerberos)

– Microsoft Windows extension (the «privilege attribute certificate»)
– Client requests a TGT from the KDC
– The user security identifier (SID) and group SIDs are signed by the KDC and included in the TGT authorization data field, representing a privilege attribute certificate (PAC)
– Client requests a service ticket from the TGS
– The TGS copies the authorization data field from the TGT into the authorization data field of the service ticket
– The question whether the Microsoft Windows implementation conforms to the Kerberos specification (RFC 4120 and several updates) was controversially discussed within the open source community
– The Microsoft Windows implementation supports client preauthentication of the KRB_AS_REQ messages based on public key cryptography (→ PKINIT according to RFCs 4556 and 4557)


Communication Security Cryptographic Security Protocols (Kerberos)

– Major problem areas and challenges
– Client and server need to be «Kerberized» (→ the use of a standardized API is important → GSS-API)
– The Kerberos protocol(s) is (are) involved, i.e., complex
– The operator of the KDC has full access (→ users need to unconditionally trust him or her)
– Unless PKINIT is used, «verifiable password guessing» attacks are feasible for anybody who has access to the KRB_AS_REP messages: the part encrypted under KU has a known structure, so candidate passwords can be tried offline until one decrypts correctly
– Even with the use of PKINIT, «pass-the-hash» attacks remain feasible: whoever holds a principal's long-term key (e.g., the password hash) can use it directly, without knowing the password
– A similar attack named «Kerberoasting» targets service tickets: any authenticated user can request a ticket for a service and then guess the service account's password offline, because the ticket is encrypted under KS
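Added example (not part of the lecture slides): the three Kerberos exchanges of the previous slides (KRB_AS, KRB_TGS, and KRB_AP) simulated in standard-library Python, including the checks on ticket lifetime and authenticator freshness, followed by the offline «verifiable password guessing» and Kerberoasting attacks described above, run against the simulated messages. The ticket and authenticator fields follow the notation on the slides; the encryption is a stand-in (SHA-256 keystream plus HMAC tag, not a Kerberos encryption type), the password-to-key function is an unsalted hash for brevity, and the principal names, passwords, IP address, and wordlists are constructed.

```python
import hashlib
import hmac
import json
import os
import time

CLOCK_SKEW = 300            # seconds of clock drift a server tolerates (a common KDC default)
CLIENT_ADDR = "10.0.0.5"    # constructed IP_C


# --- stand-in for Kerberos' symmetric encryption: SHA-256 keystream, encrypt-then-MAC ---
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key, fields):
    """{fields}key: encrypt a JSON-encoded dict and append a 128-bit tag."""
    pt = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]


def unseal(key, blob):
    """Inverse of seal(); raises ValueError if the key is wrong or the data was tampered with."""
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]):
        raise ValueError("decryption failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def user_key(password):
    """K_U as a hash of the password (real Kerberos salts it with the principal name via string2key)."""
    return hashlib.sha256(password.encode()).digest()


def check_ticket_and_authenticator(ticket, auth, now):
    if ticket["cli"] != auth["cli"] or ticket["addr"] != auth["addr"]:
        raise ValueError("authenticator does not match ticket")
    if now > ticket["t"] + ticket["l"]:
        raise ValueError("ticket expired")
    if abs(now - auth["t"]) > CLOCK_SKEW:
        raise ValueError("authenticator timestamp outside the clock skew window (replay?)")


def authenticator(session_key, user, when=None):
    """A_{C,S} = {C, IP_C, T} encrypted under the session key shared with S."""
    return seal(session_key, {"cli": user, "addr": CLIENT_ADDR, "t": when or time.time()})


class KDC:
    def __init__(self, principal_keys):
        self.keys = principal_keys        # principal name -> long-term key K_P (the KDC database)

    def as_exchange(self, user, lifetime):                 # messages 1 and 2: KRB_AS_REQ / KRB_AS_REP
        k, now = os.urandom(32), time.time()
        tgt = seal(self.keys["krbtgt"], {"srv": "krbtgt", "cli": user, "addr": CLIENT_ADDR,
                                         "t": now, "l": lifetime, "key": k.hex()})
        enc = seal(self.keys[user], {"srv": "krbtgt", "key": k.hex(), "start": now, "expire": now + lifetime})
        return tgt, enc                                    # T_{C,TGS} and {TGS, K, T_start, T_expire}_{K_U}

    def tgs_exchange(self, service, lifetime, tgt, auth):  # messages 3 and 4: KRB_TGS_REQ / KRB_TGS_REP
        t = unseal(self.keys["krbtgt"], tgt)
        k, now = bytes.fromhex(t["key"]), time.time()
        check_ticket_and_authenticator(t, unseal(k, auth), now)
        k2 = os.urandom(32)
        ticket = seal(self.keys[service], {"srv": service, "cli": t["cli"], "addr": t["addr"],
                                           "t": now, "l": lifetime, "key": k2.hex()})
        return ticket, seal(k, {"srv": service, "key": k2.hex(), "start": now, "expire": now + lifetime})


def ap_exchange(service_key, ticket, auth):                # messages 5 and 6 at server S: KRB_AP_REQ / KRB_AP_REP
    t = unseal(service_key, ticket)
    k2 = bytes.fromhex(t["key"])
    a = unseal(k2, auth)
    check_ticket_and_authenticator(t, a, time.time())
    return seal(k2, {"t": a["t"]})                          # {T'}_{K'}: proves S knows K_S (mutual authentication)


def client_login(kdc, user, password, service):
    """Client side of exchanges 1-4; returns the service ticket and the session key K' for S."""
    tgt, enc = kdc.as_exchange(user, 8 * 3600)
    k = bytes.fromhex(unseal(user_key(password), enc)["key"])   # only the right password unlocks K
    ticket, enc2 = kdc.tgs_exchange(service, 3600, tgt, authenticator(k, user))
    return ticket, bytes.fromhex(unseal(k, enc2)["key"])


def guess_password(ciphertext, wordlist):
    """Offline, verifiable guessing: works on the KRB_AS_REP's {...}_{K_U} (password guessing)
    and just as well on a service ticket {...}_{K_S} of a service account (Kerberoasting)."""
    for candidate in wordlist:
        try:
            unseal(user_key(candidate), ciphertext)
            return candidate
        except ValueError:
            continue
    return None
```

The two attack functions need nothing the protocol does not hand out: the AS reply is sent to whoever asks for it (absent preauthentication), and a service ticket is issued to any authenticated user. The only defences are strong (or randomly generated) passwords for the affected principals, preauthentication, and monitoring of unusual service ticket requests.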


Communication Security Cryptographic Security Protocols (E2EE Messaging)

Old problem / «use case»

[Figure: the Enigma machine and the cryptanalysts Marian Rejewski and Alan Turing; © https://de.wikipedia.org/wiki/Enigma_(Maschine)]


Communication Security Cryptographic Security Protocols (E2EE Messaging)

[Figure: from non-programmable («hardware defined») crypto with external key storage (e.g., code book, brain, … ) to programmable («software defined») crypto with mostly internal key storage (or some sort of HSM), up to the IoT]


Communication Security Cryptographic Security Protocols (E2EE Messaging)

– Text-based messaging (e-mail) has been one of the first (asynchronous) applications on the Internet (the message format is specified in RFC 5322)
– The Internet mail architecture is specified in the informational RFC 5598
– SMTP (RFC 5321), POP3 (RFC 1939), and IMAP4 (RFC 2060, since obsoleted by RFC 3501) are the core protocols


Communication Security Cryptographic Security Protocols (E2EE Messaging)

– The Extensible Messaging and Presence Protocol (XMPP) – formerly known as Jabber – is an open XML-based protocol for real-time communication
– It enables many applications, including instant messaging, presence and collaboration
– Instant messaging services operate synchronously and blur the distinction between synchronous and asynchronous communication
– XMPP can be layered on top of TLS to provide …
– RFC 3923 specifies how to invoke S/MIME for message signing and encryption in an XMPP setting
– There are only a few implementations (e.g., SixChat)


Communication Security Cryptographic Security Protocols (E2EE Messaging)

– In spite of the existence of XMPP, most messenger apps use proprietary protocols and are based on a simple (and centralized) architecture
– WhatsApp
– Yahoo Messenger
– Google Messenger (Android Messages)
– …
– This is fundamentally different from e-mail
– The architecture is susceptible to man-in-the-middle (MITM) attacks (the provider's server relays every message and, without end-to-end encryption, can read or modify it)


Communication Security Cryptographic Security Protocols (E2EE Messaging)

– During the past decade, instant messaging (in various forms) and proprietary messaging apps have become very successful
– The empire (of telcos) strikes back and tries to revitalize the success story of SMS (and MMS) with the Rich Communication Services (RCS) standardized by the GSM Association in 2012
– On the technical side, RCS builds on HTTP(S), SIP(S), (S)RTP, as well as the Message Session Relay Protocol (MSRP) and MSRPS
– Google is also heading towards RCS with its Jibe platform and RCS client Messages (that replaces … )
– The outcome of this power game is open
– RCS is not further addressed


Communication Security Cryptographic Security Protocols (E2EE Messaging)

– All approaches and solutions for secure Internet messaging are based on cryptography
– The «conventional» approaches and solutions employ hybrid message encryption and digital signatures
– The «modern» approaches and solutions employ
– Ephemeral (Diffie-Hellman) key exchanges
– Ratchet-based key derivation
– Message authentication codes (MACs) instead of digital signatures
– Other techniques to provide deniable authentication …

[Figure: hybrid message encryption (aka «digital envelopes»): the message is symmetrically encrypted with a randomly generated message key k, and k is encrypted with the public key of the recipient]


Communication Security Cryptographic Security Protocols (E2EE Messaging)

– The «conventional» approaches and solutions are based on hybrid message encryption and digital signatures
– This is true for Privacy Enhanced Mail (PEM) and MIME Object Security Services (MOSS)
– It is also true for PGP/OpenPGP and Secure MIME (S/MIME)
– For more than 15 years (early 1990s to the mid-2000s) it was thought that secure Internet messaging was a solved problem
– But something went wrong and people did not really use the respective solutions


Communication Security Cryptographic Security Protocols (E2EE Messaging)

– There are many usability concerns (related to PGP/OpenPGP)
– Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0 (1999)
– Johnny 2: A User Test of Key Continuity Management with S/MIME and Outlook Express (2005)
– Why Johnny Still, Still Can't Encrypt: Evaluating the Usability of a Modern PGP Client (2015)
– …
– S/MIME is better integrated into MUAs (e.g., … ), and hence the usability concerns are less obvious
– But S/MIME still requires users to make informed decisions and public key certificates to be available in the field
– There are recent discussions about the security of S/MIME and PGP/OpenPGP (e.g., EFAIL (2018), signature spoofing attacks, … )


Communication Security Cryptographic Security Protocols (E2EE Messaging)

– Pretty Good Privacy (PGP) was originally developed by Phil Zimmermann in 1991 (~ 30 years ago!)
– It natively used IDEA, MD5, and RSA
– Due to a patent litigation, PGP was modified to incorporate the RSAREF library of RSA Security
– PGP was the focal point of the first crypto war in the early 1990s
– In 1997, the IETF chartered an Open Specification for Pretty Good Privacy (openpgp) WG that remained active until 2017
– The result is OpenPGP that is currently specified in RFC 4880 (OpenPGP Message Format) and RFC 3156 (MIME Security with OpenPGP)


Communication Security Cryptographic Security Protocols (E2EE Messaging)

– Today, there are many implementations of OpenPGP – for many MUAs on multiple platforms
– Either the MUAs natively support OpenPGP, or plug-ins provide the respective functionality
– Most importantly, there is a free software implementation known as GNU Privacy Guard (GnuPG or GPG)
– GPG was originally developed by Werner Koch on behalf of a German ministry
– It was later taken over by the GnuPG Project and raised € 36,732 in crowdfunding in February 2014
– Today, GnuPG is further developed and is currently the most widely deployed implementation of OpenPGP (at least in Europe)


Communication Security

Cryptographic Security Protocols (E2EE Messaging)

– The original PGP message format is specified in the informational RFC 1991 (1996) and the Standards Track RFC 2440 (1998)
– The new OpenPGP format is specified in the Standards Track RFC 4880 (2007)
– Each OpenPGP object (e.g., message, keyring, certificate, … ) consists of packets that may recursively contain other packets
– Each OpenPGP packet has a header (comprising a packet tag field of 4 bits in the old and 6 bits in the new packet format, and a variable-length length field) and a body
– OpenPGP objects (consisting of packets) are compiled into OpenPGP messages or files
– The radix-64 encoding scheme («ASCII armor») is base-64 encoding with a 24-bit CRC (prefixed with =) appended


Communication Security Cryptographic Security Protocols (E2EE Messaging)

– The message part is mandatory, whereas the signature and session key parts are optional
– There is a session key part for every recipient of the message
– This may also include an additional decryption key (ADK) for recovery (ADKs are controversially discussed)
– In the simplest and most straightforward way, an OpenPGP message can be sent in the message body part of an RFC 5322-compliant message
– Encrypted (digitally enveloped) message
– Digitally signed message


Communication Security Cryptographic Security Protocols (E2EE Messaging)

– It is advantageous to combine PGP and OpenPGP with the Multipurpose Internet Mail Extensions (MIME) system
– RFC 1847 specifies 2 security multiparts
– multipart/encrypted
– multipart/signed
– RFC 3156 specifies 3 content types (or «protocol» parameters)
– application/pgp-encrypted
– application/pgp-signature
– application/pgp-keys


Communication Security

Cryptographic Security Protocols (E2EE Messaging)

– Exemplary message: «This is a test message.» is digitally signed and enveloped

[Figure: the resulting PGP/MIME message with its 2 security multiparts; the recipient first decrypts the multipart/encrypted part, which yields the multipart/signed part whose signature is then verified]


Communication Security Cryptographic Security Protocols (E2EE Messaging)

– Messages are always processed in the same order: sign, compress, encrypt, and finally radix-64 encode (the recipient reverses the steps)
– Many implementations use the timing of keystrokes as entropy source and the ANSI X9.17 PRG (using CAST5 instead of 3DES) to generate keying material


Communication Security Cryptographic Security Protocols (E2EE Messaging)

– The first versions of PGP employed the MD5, IDEA, and RSA algorithms
– OpenPGP is open to many different algorithms

[Table: OpenPGP algorithms, grouped into «must implement» and «should implement»]


Communication Security Cryptographic Security Protocols (E2EE Messaging)

– All symmetric encryption algorithms are block ciphers used in a special variant of the cipher feedback mode (CFB)
– This mode is sometimes called OpenPGP CFB mode
– It provides a feature known as «quick check»
– If the block length is b bytes, then the IV is set to 0^b (b zero bytes) and a (b+2)-byte string r is prefixed to the message (it comprises b random bytes r1,…,rb and the 2 repeated bytes rb-1 and rb)
– During the decryption process, the 2 repeated bytes are verified (before the message is decrypted)
– The «quick check» is to assure that the message encryption key is correct
– There is a theoretical CCA against the «quick check» (Mister and Zuccherato, 2005): an implementation that reveals whether the check passed acts as an oracle that leaks plaintext bytes, so the outcome must not be observable by a remote party
– A countermeasure is to use an AEAD mode of encryption (together with other improvements)
– This requires an update and a major rewrite of RFC 4880 (→ Internet-Draft, meanwhile published as RFC 9580 in 2024)


Communication Security Cryptographic Security Protocols (E2EE Messaging)

– PGP/OpenPGP employs public key cryptography (and keyrings)
– Public keys are identified with a key ID
– The key ID refers to the 64 least significant bits of the SHA-1 fingerprint of the key (written in hexadecimal notation)
– For all practical purposes, 64 bits are sufficiently unique
– In the example, this refers to 8E50 BDB3 0AC2 9A5B
– This refers to the long key ID
– Sometimes, even only the lower 32 bits are used → 0AC2 9A5B
– This refers to the short key ID
– Short key IDs are trivially collidable (keys with a chosen 32-bit ID can be generated in seconds, cf. the «Evil 32» collisions published in 2014) and should no longer be used; when in doubt, compare the full fingerprint
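Added example (not part of the lecture slides) serving the packet format slide above and this one: parsing OpenPGP packet headers in the old and new format (RFC 4880, section 4.2), building a version 4 public key packet, computing its SHA-1 fingerprint and the long and short key IDs (section 12.2), and the CRC-24 and radix-64 armor of section 6. The RSA modulus used in the test is a constructed number, not a real key, and the function names are mine.

```python
import base64
import hashlib
import struct


def crc24(data):
    """CRC-24 of radix-64 armor (RFC 4880, 6.1): init 0xB704CE, polynomial 0x1864CFB."""
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(data, block_type="PGP PUBLIC KEY BLOCK"):
    """Radix-64 armor: base-64 body in 64-character lines, then '=' + base-64 of the 24-bit CRC."""
    body = base64.b64encode(data).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    check = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN %s-----" % block_type, ""] + lines + [check, "-----END %s-----" % block_type])


def new_format_packet(tag, body):
    """New-format header: 0b11tttttt (6-bit tag), then a 1-, 2- or 5-octet body length (RFC 4880, 4.2.2)."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + struct.pack("!I", n)
    return bytes([0xC0 | tag]) + length + body


def parse_packets(data):
    """Return [(tag, body), ...] for a packet sequence; handles old (4-bit tag) and new (6-bit tag) headers."""
    pos, out = 0, []
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError("invalid packet header")
        if hdr & 0x40:                                      # new format
            tag, pos = hdr & 0x3F, pos + 1
            first = data[pos]
            if first < 192:
                n, pos = first, pos + 1
            elif first < 224:
                n, pos = ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif first == 255:
                n, pos = struct.unpack_from("!I", data, pos + 1)[0], pos + 5
            else:
                raise ValueError("partial body lengths not supported here")
        else:                                               # old format: tag in bits 2-5, length type in bits 0-1
            tag, ltype, pos = (hdr >> 2) & 0x0F, hdr & 0x03, pos + 1
            if ltype == 3:
                raise ValueError("indeterminate length not supported here")
            size = (1, 2, 4)[ltype]
            n, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        out.append((tag, data[pos:pos + n]))
        pos += n
    return out


def mpi(value):
    """Multiprecision integer: 2-octet bit length, then the big-endian magnitude."""
    return struct.pack("!H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


def v4_public_key_body(created, n, e):
    """Body of a tag 6 packet: version 4, creation time, algorithm 1 (RSA), MPIs n and e."""
    return b"\x04" + struct.pack("!I", created) + b"\x01" + mpi(n) + mpi(e)


def fingerprint(pubkey_body):
    """V4 fingerprint = SHA-1(0x99 || 2-octet body length || body) (RFC 4880, 12.2);
    0x99 is just the old-format header of a tag 6 packet with a 2-octet length."""
    return hashlib.sha1(b"\x99" + struct.pack("!H", len(pubkey_body)) + pubkey_body).hexdigest().upper()


def key_ids(fp):
    """Long (64-bit) and short (32-bit) key ID: the low-order hex digits of the fingerprint."""
    return fp[-16:], fp[-8:]
```

Because the fingerprint covers the creation time as well as the key material, the same RSA key with a different creation timestamp gets a different fingerprint and key ID, which is one of the degrees of freedom an attacker uses when searching for a colliding short key ID.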


Communication Security Cryptographic Security Protocols (E2EE Messaging)

– In contrast to a «normal» X.509 certificate, multiple pieces of naming information can be bound to an OpenPGP certificate
– In addition to a public key and the naming information, an OpenPGP certificate may comprise complementary information
– Version number (currently 4)
– Creation and expiration dates
– Self-signature
– Preferred encryption algorithm
– …


Communication Security Cryptographic Security Protocols (E2EE Messaging)

– In contrast to the hierarchical trust model of X.509, PGP/OpenPGP originally employed a cumulative (and distributed) trust model (aka «web of trust»)
– In a web of trust, each user (who is trusted) may serve as an introducer
– PGP originally distinguished between marginally and fully trusted users
– This distinction has been adopted by almost all implementations of OpenPGP
– Conceptually, introducers act as certification authorities (CAs)
– The signatures are accumulated in the OpenPGP certificates


Communication Security Cryptographic Security Protocols (E2EE Messaging)

– In the second half of the 1990s, Secure MIME (S/MIME) evolved from PEM and MOSS
– Version 1 (1995)
– Version 2 (1998, RFCs 2311, 2312)
– Version 3 (1999, RFCs 2630, 2631, 2632, 2633, 2634)
– Version 3 was updated twice
– Version 3.1 (2004, RFCs 3850, 3851)
– Version 3.2 (2010, RFCs 5750, 5751, 5752)
– S/MIME version 4.0 (RFCs 8550, 8551) was officially released in 2019


Communication Security Cryptographic Security Protocols (E2EE Messaging)

– The Cryptographic Message Syntax (CMS) has been adapted from PKCS #7 and evolved from RFC 2630 (the current version is RFC 5652)
– With regard to the functionality and the security services it provides, S/MIME is very similar to PGP/OpenPGP
– There are (at least) two fundamental differences
– Message format
– Public key (and certificate) management → Trust model
– Due to these differences, PGP/OpenPGP and S/MIME implementations do not easily and natively interoperate
– There are some implementations that provide support for both standards, but this need not be the case
– From a standardization viewpoint, one has two solutions for the same problem (this can be considered as a failure in standardization)


Communication Security Cryptographic Security Protocols (E2EE Messaging)

– The CMS provides an encapsulation syntax for data protection that can be applied recursively
– In contrast to OpenPGP, the order of the cryptographic operations does not matter
– Hence, it is possible to digitally envelope a digitally signed MIME entity, or to digitally sign a digitally enveloped entity
– Furthermore, the CMS allows attributes (e.g., signing time, signer capabilities and preferences, … ) to be signed along with a MIME entity
– In general, the CMS uses ASN.1 and BER
– Several content types are natively defined (RFC 5652: data, signed-data, enveloped-data, digested-data, encrypted-data, and authenticated-data), some of which are mandatory to implement
– S/MIME also uses the type CompressedData (RFC 3274)


Communication Security Cryptographic Security Protocols (E2EE Messaging)

– S/MIME defines how to cryptographically protect a MIME entity and turn it into an S/MIME entity or CMS object
– It uses the MIME content type multipart/signed and several subtypes of application
– There are multiple ways of declaring a digital signature
– While the order of the cryptographic operations doesn't matter in general, compression must always be done first
– Since S/MIME 3.1, it is possible to only compress CMS objects


Communication Security Cryptographic Security Protocols (E2EE Messaging)

– Compressed-only MIME entity

– Enveloped-only MIME entity


Communication Security Cryptographic Security Protocols (E2EE Messaging)

– Signed-only MIME entity (the micalg parameter of multipart/signed names the message integrity check algorithm, e.g., micalg=sha-256)
– The detached signature format («clear-signing format») can be viewed by any MUA (with or without S/MIME support), because the signed text stays in the clear in the first body part

Communication Security Cryptographic Security Protocols (E2EE Messaging)

– The CMS is just a syntax and does not mandate the use of specific cryptographic algorithms
– S/MIME version 4 requires
– SHA-256 and SHA-512 for hashing (SHA-224 and SHA-384 are optional)
– ECDSA / P-256 and EdDSA / Curve25519 for signing (RSA is optional)
– ECDH / P-256 and X25519 for key exchange (RSA is optional)
– AES-128 and AES-256 in GCM mode for encryption (AES-128 CBC and ChaCha20-Poly1305 are optional)
– DEFLATE and ZLIB for compression
– As such, S/MIME version 4 uses state-of-the-art cryptographic algorithms


Communication Security Cryptographic Security Protocols (E2EE Messaging)

– All implementations of the «conventional» approaches and solutions are somehow difficult to use and lack user deployment
– There are some implementations that try to improve the user experience (e.g., OpenKeychain, R2Mail2, Horde/IMP, … )
– Furthermore, there are a few evolutionary improvements
– Web Key Directory (WKD) and Web Key Service (WKS)
– DNS-based distribution of public keys (i.e., OPENPGPKEY and SMIMEA resource records)
– … (e.g., …, LEAP Encryption Access Project, … )
– Web-based solutions (e.g., Hushmail, ProtonMail, Tutanota, … )
– …


Communication Security Cryptographic Security Protocols (E2EE Messaging)

– In the past decade, secure messaging has experienced a major shift from asynchronous (e-mail) to synchronous (instant) messaging
– Design goals for a «modern» approach and solution
– Session-oriented (but still supporting an asynchronous setting)
– Forward secrecy and PCS
– Deniability (in contrast to the nonrepudiation provided by digital signatures)
– Multi-device support
– Efficient group communication
– …


Communication Security Cryptographic Security Protocols (E2EE Messaging)

– In contrast to «conventional» wisdom in secure messaging, Nikita Borisov, Ian Goldberg, and Eric Brewer suggested the notion of off-the-record (OTR) messaging in 2004
– The goal was to «simulate» a personal (face-to-face) conversation held in private (e.g., in a private room)
– Such a conversation provides (a slightly different notion of) privacy and plausible deniability
– Design goals
– PFS → Diffie-Hellman ratchet to establish short-lived keys
– Deniable authentication → MACs instead of digital signatures, revelation of MAC keys after use, malleable encryption, …

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 247 Department of Informatics

Communication Security Cryptographic Security Protocols (E2EE Messaging)

– More specifically, OTR comprises
  – an authenticated key exchange (AKE) protocol to initialize a session and a session key k
  – DSA signatures and public key fingerprints for authentication (alternatively, the Socialist Millionaires' Protocol (SMP) can be invoked for password-based authentication)
  – a Diffie-Hellman ratchet to constantly generate new keys (→ forward secrecy and PCS)
  – a symmetric encryption system for message encryption (with k_enc = SHA-1(k)|128, i.e., SHA-1(k) truncated to 128 bits, so |k_enc| = 128)
  – MACs to authenticate messages (with k_auth = SHA-1(k_enc) and |k_auth| = 160)

Whoever knows k_enc also knows k_auth → Anybody who can encrypt and decrypt a message can also generate and verify a MAC for that message (this improves deniability)

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 248 Department of Informatics

Communication Security Cryptographic Security Protocols (E2EE Messaging)

– When A wants to send a message m to B, it
  – determines the latest Diffie-Hellman parameters keyid_A (referring to y_{a,i}) and keyid_B (referring to y_{b,j})
  – computes the respective Diffie-Hellman key k
  – derives k_enc and k_auth
  – uses k_enc to encrypt m and k_auth to generate a MAC
    – AES-128 in CTR mode is used for encryption, i.e., c = AES-128-CTR_{k_enc}(m) with counter ctr
    – This construction is malleable
  – After generating c, A compiles a record T = (c, keyid_A, keyid_B, ctr, y_{a,i+1}), where y_{a,i+1} is A's next Diffie-Hellman ratchet parameter
  – A then uses k_auth to compute a MAC tag t = HMAC-SHA256-160_{k_auth}(T)
  – Finally, T and t are both transmitted to B, together with the old authentication keys that are no longer needed (→ improves deniability)

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 249 Department of Informatics

Communication Security Cryptographic Security Protocols (E2EE Messaging)

– After having received T and t, B
  – uses keyid_A and keyid_B to compute the Diffie-Hellman key k
  – derives k_enc and k_auth from k
  – uses k_auth to verify the MAC t (for T)
  – extracts c from T
  – decrypts c with k_enc and ctr
  – updates the Diffie-Hellman ratchet with y_{a,i+1}
– All of these steps need to be repeated for each message exchanged between A and B
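The OTR key relationship and MAC construction of the preceding slides, as an added example that is not part of the lecture material or of the OTR project: it derives k_enc and k_auth from a session key, tags a record T as the sender does, verifies it as the receiver does, and shows why the receiver (or anyone holding k_enc) can produce an equally valid tag, which is the deniability argument made above. The record encoding, the placeholder ciphertext and the keyid values are constructed; AES-128-CTR itself is not reproduced.

```python
"""OTR-style key derivation and deniable message authentication.

Added example, not code from the lecture slides or the OTR project.
It models k_enc = SHA-1(k)|128, k_auth = SHA-1(k_enc) and
t = HMAC-SHA256-160_{k_auth}(T). The AES-128-CTR encryption of m is not
reproduced: the ciphertext c is a constructed placeholder, and the record
encoding is a simple length-prefixed one, not the OTR wire format.
"""
import hashlib
import hmac
import struct


def derive_keys(k):
    """k_enc: first 128 bits of SHA-1(k); k_auth: SHA-1(k_enc), 160 bits."""
    k_enc = hashlib.sha1(k).digest()[:16]
    k_auth = hashlib.sha1(k_enc).digest()
    return k_enc, k_auth


def encode_record(c, keyid_a, keyid_b, ctr, y_next):
    """T = (c, keyid_A, keyid_B, ctr, y_{a,i+1}) as length-prefixed fields."""
    y_bytes = y_next.to_bytes((y_next.bit_length() + 7) // 8 or 1, "big")
    return (struct.pack(">I", len(c)) + c
            + struct.pack(">IIQ", keyid_a, keyid_b, ctr)
            + struct.pack(">I", len(y_bytes)) + y_bytes)


def mac_tag(k_auth, record):
    """HMAC-SHA256 truncated to 160 bits (HMAC-SHA256-160), as in OTR."""
    return hmac.new(k_auth, record, hashlib.sha256).digest()[:20]


def verify_tag(k_auth, record, tag):
    """Receiver-side check of t for T; constant-time comparison."""
    return hmac.compare_digest(mac_tag(k_auth, record), tag)


def deniability_demo(k):
    """A tags a record; B verifies it, then tags a different record with the
    same keys. Both tags verify, so a tag cannot prove to a third party that
    A rather than B produced the record (anyone who can decrypt can MAC)."""
    k_enc, k_auth = derive_keys(k)
    c = b"\x8a\x13\x7f\x02placeholder-ciphertext"    # constructed; stands for AES-128-CTR output
    record_a = encode_record(c, 3, 5, 0, 0x1234)     # keyid_A=3, keyid_B=5, ctr=0, y_{a,i+1} constructed
    tag_a = mac_tag(k_auth, record_a)

    # B holds k_enc (it must, to decrypt) and therefore obtains k_auth too.
    k_auth_b = hashlib.sha1(k_enc).digest()
    forged_record = encode_record(b"\x00" * len(c), 3, 5, 0, 0x5678)
    forged_tag = mac_tag(k_auth_b, forged_record)

    # A genuinely modified tag from an outsider (no k_auth) is still rejected.
    tampered_tag = tag_a[:-1] + bytes([tag_a[-1] ^ 1])
    return {
        "genuine_verifies": verify_tag(k_auth, record_a, tag_a),
        "forged_verifies": verify_tag(k_auth, forged_record, forged_tag),
        "tampered_rejected": not verify_tag(k_auth, record_a, tampered_tag),
        "k_enc_bits": len(k_enc) * 8,
        "k_auth_bits": len(k_auth) * 8,
    }
```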

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 250 Department of Informatics

Communication Security Cryptographic Security Protocols (E2EE Messaging)

– In 2009, OTR was complemented with a multi-party OTR (mpOTR) protocol
  – The basic idea of mpOTR is to replace MACs with deniable digital signatures (generated with ephemeral signing keys)
  – This deviates from the original design goals of OTR
– Furthermore, OTR (and mpOTR) has been designed to be used only in a synchronous setting
  – This limitation is overcome by the
– The most current version of OTR (i.e., OTR v4) adapts techniques from the Signal protocol and can also be used in an asynchronous setting (among other changes)
– OTR remains important mainly for historical reasons

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 251 Department of Informatics

Communication Security Cryptographic Security Protocols (E2EE Messaging)

– Based on the work on OTR, Trevor Perrin and Moxie Marlinspike (Open Whisper Systems) developed an E2EE messaging protocol that also works in an asynchronous setting
  – The protocol was released in 2013 as Axolotl
  – It was used in TextSecure and RedPhone (renamed to Signal in November 2015)
– The Signal protocol (as it is called today) is not patented and the specification is publicly and freely available
– It stands for the state of the art in E2EE messaging today

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 252 Department of Informatics

Communication Security Cryptographic Security Protocols (E2EE Messaging)

– Core technologies
  – eXtended Triple Diffie-Hellman (X3DH) Key Agreement Protocol using elliptic curves specified in RFC 7748, i.e., Curve25519 and Curve448
  – XEdDSA and VXEdDSA signature schemes
  – SHA-2 (SHA-256 or SHA-512) and HMAC-based Extract-and-Expand Key Derivation Function (HKDF) specified in RFC 5869
  – AES in CBC mode and PKCS #7 padding
  – Double ratcheting mechanism
    – Diffie-Hellman (DH) ratchet from OTR
    – Symmetric key / hash ratchet from the Silent Circle Instant Messaging Protocol (SCIMP)

[Figure: lineage of the Signal protocol (OTR AKE, deniability, OTR → X3DH); source: https://signal.org/blog/simplifying]

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 253 Department of Informatics

Communication Security Cryptographic Security Protocols (E2EE Messaging)

– When A installs the software, the following EC public key pairs are generated
  – A long-term identity (ID) key pair (pk_A^ID, sk_A^ID)
  – A medium-term signed prekey (PK) pair (pk_a^PK, sk_a^PK) of which the public key pk_a^PK is digitally signed with sk_A^ID
  – A pool of n ephemeral one-time (OT) prekey pairs (pk_{a,1}^OT, sk_{a,1}^OT), (pk_{a,2}^OT, sk_{a,2}^OT), … , (pk_{a,n}^OT, sk_{a,n}^OT)
– The n+2 public keys (and the signature of pk_a^PK) are uploaded to the server, where they are stored together with the identifier of A (representing a «prekey bundle» for A)
  – The signed prekey pair must be renewed on a regular basis
  – The pool of one-time prekey pairs must be refilled whenever needed

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 254 Department of Informatics

Communication Security Cryptographic Security Protocols (E2EE Messaging)

– The first time A establishes a session with B, the following steps are executed
  – A requests B's «prekey bundle» that comprises pk_B^ID, pk_b^PK (with signature), and optionally one pk_{b,j}^OT from B's pool (1 ≤ j ≤ n)
  – A verifies the signature for pk_b^PK and continues if it is correct
  – A generates an ephemeral public key pair (pk_a, sk_a) and uses B's prekey bundle to compute a master secret s

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 255 Department of Informatics

Communication Security Cryptographic Security Protocols (E2EE Messaging)

  – A deletes its ephemeral private key sk_a and all ECDH outputs (→ perfect forward secrecy)
  – A generates associated data AD that comprises encodings of A and B's public identity keys, i.e., AD = Encode(pk_A^ID) || Encode(pk_B^ID)
  – A sends an initial message to B that contains
    – pk_A^ID
    – pk_a
    – Index j specifying which pk_{b,j}^OT was used by A
    – Ciphertext encrypted with an AEAD scheme (where AD refers to the associated data that is not encrypted)

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 256 Department of Informatics

Communication Security Cryptographic Security Protocols (E2EE Messaging)

– After B receives the initial message, it performs the following steps
  – It extracts pk_A^ID and pk_a
  – It loads its private identity key sk_B^ID, and the private key(s) corresponding to the signed prekey sk_b^PK and one-time prekey sk_{b,j}^OT (if any) used by A
  – It repeats the ECDH computations to generate the master secret s (and deletes all intermediate values)

    s = ECDH(pk_A^ID, sk_b^PK) || ECDH(pk_a, sk_B^ID) || ECDH(pk_a, sk_b^PK) [ || ECDH(pk_a, sk_{b,j}^OT) ]

  – It uses pk_A^ID and pk_B^ID to construct AD
  – It decrypts the ciphertext with s and AD
  – If decryption succeeds,
    – then it deletes any one-time private key that was used and continues to use s or keys derived from it in post-X3DH communication
    – otherwise, the protocol aborts (and may return an error message)
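The X3DH steps of the preceding slides (prekey bundle upload, A's computation of s and AD, B's recomputation, and the consumption of the one-time prekey), as an added example that is not taken from the lecture or from Signal. Assumptions: a toy finite-field Diffie-Hellman replaces Curve25519, the signature check on the signed prekey and the AEAD payload are left out, and the Server and Party classes are hypothetical; s is the raw concatenation of the DH outputs exactly as written on the slide.

```python
"""X3DH master secret computation, modelled on the steps in the slides.

Added example, not code from the lecture slides or the Signal project.
A toy modular-exponentiation DH stands in for ECDH; key names follow the
slides (pk_A^ID, pk_b^PK, pk_{b,j}^OT, ephemeral pk_a). The XEdDSA
signature on the signed prekey and the AEAD ciphertext are omitted.
"""
import random

P = 2**255 - 19   # a prime, used here only as a toy DH modulus (no elliptic curve)
G = 2


def gen_keypair(rng):
    sk = rng.randrange(2, P - 1)
    return sk, pow(G, sk, P)


def dh(sk, pk):
    """Toy stand-in for ECDH: the shared group element as 32 big-endian bytes."""
    return pow(pk, sk, P).to_bytes(32, "big")


def encode(pk):
    """Encode(pk) for the associated data AD."""
    return pk.to_bytes(32, "big")


class Server:
    """Hypothetical prekey server: stores bundles, hands out each one-time prekey once."""

    def __init__(self):
        self.bundles = {}

    def upload(self, user, pk_id, pk_pk, pk_ot):
        self.bundles[user] = {"id": pk_id, "pk": pk_pk, "ot": dict(pk_ot)}

    def fetch_bundle(self, user):
        b = self.bundles[user]
        if b["ot"]:
            j = min(b["ot"])
            return b["id"], b["pk"], j, b["ot"].pop(j)
        return b["id"], b["pk"], None, None        # pool exhausted: no one-time prekey


class Party:
    """Hypothetical client holding the key pairs listed on the slides."""

    def __init__(self, name, rng, n_one_time=2):
        self.name = name
        self.sk_id, self.pk_id = gen_keypair(rng)  # long-term identity key pair
        self.sk_pk, self.pk_pk = gen_keypair(rng)  # medium-term signed prekey pair
        self.sk_ot, self.pk_ot = {}, {}
        for j in range(1, n_one_time + 1):         # one-time prekey pool
            self.sk_ot[j], self.pk_ot[j] = gen_keypair(rng)

    def register(self, server):
        server.upload(self.name, self.pk_id, self.pk_pk, self.pk_ot)

    def initiate(self, server, peer, rng):
        """A's side: fetch B's bundle, compute s and AD, build the initial message."""
        pk_id_b, pk_pk_b, j, pk_ot_b = server.fetch_bundle(peer)
        sk_a, pk_a = gen_keypair(rng)              # ephemeral key pair
        s = dh(self.sk_id, pk_pk_b) + dh(sk_a, pk_id_b) + dh(sk_a, pk_pk_b)
        if j is not None:
            s += dh(sk_a, pk_ot_b)
        del sk_a                                   # ephemeral private key is deleted
        ad = encode(self.pk_id) + encode(pk_id_b)
        return s, ad, {"pk_id_a": self.pk_id, "pk_a": pk_a, "j": j}

    def respond(self, msg):
        """B's side: recompute s and AD; reject if the one-time prekey is already gone."""
        j = msg["j"]
        if j is not None and j not in self.sk_ot:
            return None, None                      # replayed or stale initial message
        pk_id_a, pk_a = msg["pk_id_a"], msg["pk_a"]
        s = dh(self.sk_pk, pk_id_a) + dh(self.sk_id, pk_a) + dh(self.sk_pk, pk_a)
        if j is not None:
            # On the slide the one-time key is deleted after decryption succeeds;
            # the AEAD step is omitted here, so it is deleted right away.
            s += dh(self.sk_ot.pop(j), pk_a)
        ad = encode(pk_id_a) + encode(self.pk_id)
        return s, ad


def demo(seed=1):
    """B registers one one-time prekey; A initiates twice; B responds to both."""
    rng = random.Random(seed)
    srv = Server()
    a, b = Party("A", rng), Party("B", rng, n_one_time=1)
    b.register(srv)
    s_a, ad_a, msg = a.initiate(srv, "B", rng)
    s_b, ad_b = b.respond(msg)
    replay = b.respond(msg)                        # the same initial message again
    s_a2, _, msg2 = a.initiate(srv, "B", rng)      # pool now empty: no one-time prekey
    s_b2, _ = b.respond(msg2)
    return {"agree": s_a == s_b and ad_a == ad_b, "len_with_ot": len(s_a),
            "replay_rejected": replay == (None, None),
            "agree_without_ot": s_a2 == s_b2, "len_without_ot": len(s_a2)}
```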

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 257 Department of Informatics

Communication Security Cryptographic Security Protocols (E2EE Messaging)

– The validation model for identity keys is trust on first use (TOFU)
– At any time, A and B can compare pk_A^ID and pk_B^ID through an authentic channel (→ authentication ceremony)
– Both keys are encoded in a 60-digit security number or a Quick Response (QR) code

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 258 Department of Informatics

Communication Security Cryptographic Security Protocols (E2EE Messaging)

– After having executed the X3DH protocol and optionally verified the security number, A and B can use the to exchange encrypted messages and derive new keys
– Each entity maintains three «key chains» (aka «KDF chains»)
  – Root chain (Type I)
  – Sending chain (Type II)
  – Receiving chain (Type II)
– The root chain ratchets forward a root key, whereas the sending and receiving chains ratchet forward a respective chain key

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 259 Department of Informatics

Communication Security Cryptographic Security Protocols (E2EE Messaging)

– A selects an ephemeral public key pair (sk_a, pk_a) and uses pk_b^PK to compute a new DH output as ECDH(sk_a, pk_b^PK)
  – It triggers the KDF with this value and derives a new root key and a new chain key for the sending chain
  – The new chain key is used to trigger the sending chain's KDF and to derive a new chain key and a new message key
  – Finally, the message is encrypted with the new message key and sent to B together with pk_a
– B recomputes the same DH output as ECDH(pk_a, sk_b^PK)
  – It triggers the KDF with this value and derives a new root key and a new chain key for its receiving chain
  – The new chain key is used to trigger the receiving chain's KDF and to derive a new chain key and a new message key
  – Finally, the message is decrypted with the new message key
– A's sending chain and B's receiving chain are now in sync (A's receiving chain and B's sending chain can be synchronized similarly)

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 260 Department of Informatics

Communication Security Cryptographic Security Protocols (E2EE Messaging)

– Group messaging in Signal employs a client-side fan-out mechanism
– This improves privacy, because the server need not be aware of group memberships (→ groups cannot be administered by a server)

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 261 Department of Informatics

Communication Security Cryptographic Security Protocols (E2EE Messaging)

– The security of the Signal protocol has become a major research topic
  – The generic protocol name is ratcheted key exchange (RKE)
  – Sometimes, people refer to an asynchronous RKE (to emphasize the fact that it is used in an asynchronous setting) or a bidirectional asynchronous RKE (to emphasize the fact that messages are exchanged in either direction)
– The use of formal methods has not revealed serious vulnerabilities or security problems
  – The 2-party case is considered to be secure
  – In the case of group messaging (with more than 2 parties), a few subtle vulnerabilities and shortcomings have been found (→ nothing spectacular)

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 262 Department of Informatics

Communication Security Cryptographic Security Protocols (E2EE Messaging)

– Privacy improvements
  – Encrypted profile
    Some complementary user profile data (e.g., display name, picture, … ) is stored in encrypted form and can be decrypted only with a profile key that is sent with each E2EE message (→ profile data remains invisible for all other users)
  – Private contact discovery
    Uses trusted hardware (i.e., Intel SGX enclaves) to protect the contact discovery process (→ the server doesn't get any information about the users' contacts)
  – Sealed sender
    Hides information about the sender of a message (using short-lived sender certificates and delivery tokens that are part of the recipient's encrypted profile)

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 263 Department of Informatics

Communication Security Cryptographic Security Protocols (E2EE Messaging)

– The Signal protocol represents the state of the art in secure and E2EE messaging on the Internet
– It is omnipresent and used in many other messengers and messenger apps (either natively or in minor variations)
  – WhatsApp
  – Facebook Messenger's «secret conversations»
  –
  – Google Allo's «incognito mode» (before Google abandoned Allo in 2019)
  – Viber
  – Silent Circle's Silent Phone
  – …

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 264 Department of Informatics

Communication Security Cryptographic Security Protocols (E2EE Messaging)

– There are a few independent open source implementations, such as Proteus and Olm (C++)
  – Proteus is based on the cryptographic library libsodium (fork of NaCl) and is the basis of (launched by GmbH in 2014)
  – Olm is used, for example, in the Matrix project and its messenger Riot
– Furthermore, the Signal protocol is the basis for an XMPP extension called Multi-End Message and Object Encryption (OMEMO)
  – OMEMO is implemented by several E2EE messengers, like Conversations, (discontinued in 2019), and ChatSecure

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 265 Department of Informatics

Communication Security Cryptographic Security Protocols (E2EE Messaging)

[Photos: Jan Koum, Brian Acton]

– WhatsApp is an instant messaging service provided by WhatsApp Inc. (founded in 2009 by two former Yahoo employees)
– In 2014, Facebook acquired WhatsApp (19 billion USD)
– After the revelations of , there was a lot of market pressure to incorporate some form of encryption (preferably end-to-end) into WhatsApp
– In 2016, the Signal protocol was implemented in WhatsApp and activated by default
– Today, WhatsApp is probably the most widely deployed E2EE app on the Internet (> 2 billion users worldwide)
– WeChat does not provide E2EE messaging

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 266 Department of Informatics

Communication Security Cryptographic Security Protocols (E2EE Messaging)

– The technical white paper is not comprehensive and does not stand by itself
– The mobile number serves as a user identifier (but is not verified again after the initialization)
– Cryptographic implementation choices
  – The elliptic curve is Curve25519
  – Message encryption uses AES-256 in CBC mode
  – Message authentication uses HMAC-SHA256
  – Every root or chain key is 32 bytes long
  – Every message key is 80 bytes long
    – 32 bytes for AES-256
    – 32 bytes for HMAC-SHA256
    – 16 bytes for IV

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 267 Department of Informatics

Communication Security Cryptographic Security Protocols (E2EE Messaging)

– The «normal» Signal HKDF is used in the root chain (Type I)
– HMAC-SHA256 is used in the sending and receiving chains (Type II)
  – message key = HMAC-SHA256(chain key, 0x01)
  – chain key = HMAC-SHA256(chain key, 0x02)
– Message attachments of any type are also E2E-encrypted
  – The sender randomly generates an ephemeral 32-byte AES-256 key K_e and an ephemeral 32-byte HMAC-SHA256 key K_a
  – The sender encrypts the attachment with K_e using AES-256 in CBC mode and a random IV, and appends a MAC of the ciphertext using HMAC-SHA256 and K_a
  – The sender uploads the now encrypted and authenticated attachment (denoted as attachment*) to a blob store

Note that Encrypt-then-MAC defeats all known padding oracle attacks against CBC mode; Facebook Messenger alternatively uses AES-GCM
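The three KDF chains of the double ratchet (slides 258 to 260) combined with the WhatsApp chain step and the 80-byte message key split listed above, as an added example that is not code from the lecture, Signal or WhatsApp. Assumed: a toy finite-field DH stands in for Curve25519, the root chain uses HKDF-SHA256 (RFC 5869) with constructed info labels, and out-of-order (skipped) messages are not handled; the Party class is hypothetical.

```python
"""Double ratchet with WhatsApp's chain-key derivation.

Added example; not code from the lecture slides, Signal, or WhatsApp.
Assumptions: a toy finite-field Diffie-Hellman stands in for Curve25519;
the root chain (Type I) uses HKDF-SHA256 with the root key as salt and the
DH output as input keying material; the HKDF info labels are constructed;
skipped messages are not handled. The Type II chain step
(message key = HMAC-SHA256(ck, 0x01), ck = HMAC-SHA256(ck, 0x02)) and the
80-byte message key split (32 AES, 32 MAC, 16 IV) are as on the slides.
"""
import hashlib
import hmac
import random

P = 2**255 - 19   # a prime, used here only as a toy DH modulus (no elliptic curve)
G = 2


def gen_keypair(rng):
    sk = rng.randrange(2, P - 1)
    return sk, pow(G, sk, P)


def dh(sk, pk):
    """Toy stand-in for ECDH: the shared group element as 32 big-endian bytes."""
    return pow(pk, sk, P).to_bytes(32, "big")


def hkdf(ikm, salt, info, length):
    """HKDF-SHA256 extract-and-expand as specified in RFC 5869."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block = b"", b""
    for i in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out += block
    return out[:length]


def kdf_root(root_key, dh_out):
    """Root chain (Type I): returns (new root key, new chain key), 32 bytes each."""
    out = hkdf(dh_out, root_key, b"ratchet-root", 64)       # info label constructed
    return out[:32], out[32:]


def kdf_chain(chain_key):
    """Sending/receiving chain (Type II): returns (next chain key, message key)."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key


def expand_message_key(message_key):
    """80-byte message key as (AES-256 key, HMAC-SHA256 key, CBC IV)."""
    out = hkdf(message_key, b"\x00" * 32, b"message-keys", 80)  # info label constructed
    return out[:32], out[32:64], out[64:80]


class Party:
    """Hypothetical ratchet state of one endpoint: root, sending and receiving chains."""

    def __init__(self, name, root_key, rng, own_pair=None, remote_pk=None):
        self.name, self.rng, self.rk = name, rng, root_key    # root key from X3DH
        self.sk, self.pk = own_pair if own_pair else gen_keypair(rng)
        self.remote_pk = remote_pk                    # peer's current ratchet public key
        self.ck_send = self.ck_recv = None
        if remote_pk is not None:                     # initiator: first DH ratchet step
            self.rk, self.ck_send = kdf_root(self.rk, dh(self.sk, remote_pk))

    def send(self):
        """Step the sending chain; returns (header = own ratchet pk, message keys)."""
        self.ck_send, mk = kdf_chain(self.ck_send)
        return self.pk, expand_message_key(mk)

    def receive(self, header_pk):
        """Step the receiving chain, after a DH ratchet step if the peer's key is new."""
        if header_pk != self.remote_pk:
            self.remote_pk = header_pk
            self.rk, self.ck_recv = kdf_root(self.rk, dh(self.sk, header_pk))
            self.sk, self.pk = gen_keypair(self.rng)                   # fresh ratchet key
            self.rk, self.ck_send = kdf_root(self.rk, dh(self.sk, header_pk))
        self.ck_recv, mk = kdf_chain(self.ck_recv)
        return expand_message_key(mk)


def demo():
    """A and B start from a shared X3DH secret; B's signed prekey is the first ratchet key."""
    rng = random.Random(7)
    shared = hashlib.sha256(b"constructed X3DH master secret").digest()
    sk_b, pk_b = gen_keypair(rng)
    alice = Party("A", shared, rng, remote_pk=pk_b)
    bob = Party("B", shared, rng, own_pair=(sk_b, pk_b))
    h1, keys1 = alice.send()
    h2, keys2 = alice.send()
    a_to_b = bob.receive(h1) == keys1 and bob.receive(h2) == keys2 and keys1 != keys2
    h3, keys3 = bob.send()                        # B replies with a new DH ratchet key
    return {"a_to_b_in_sync": a_to_b, "b_to_a_in_sync": alice.receive(h3) == keys3,
            "b_ratcheted": h3 != pk_b,
            "key_lengths": tuple(len(part) for part in keys3)}
```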

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 268 Department of Informatics

Communication Security Cryptographic Security Protocols (E2EE Messaging)

– The sender sends a normally encrypted message to the recipient that comprises
  – K_e and K_a
  – A SHA-256 hash of attachment*
  – A pointer to attachment* in the blob store
– The recipient decrypts this message and uses the pointer to retrieve attachment* from the blob store
– The recipient then verifies the SHA-256 hash value of attachment*, verifies the MAC with K_a and decrypts the attachment with K_e
– Voice or video call
  – The initiator sets up an encrypted session to the recipient
  – The initiator generates a random 32-byte SRTP master secret
  – The initiator uses the session to send an encrypted message to the recipient (to signal the call and to transmit the master secret)

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 269 Department of Informatics

Communication Security Cryptographic Security Protocols (E2EE Messaging)

[Figure legend: SK = sender key]

– Group messaging
  – WhatsApp uses the «Sender Keys» variant of the Signal protocol
  – Each user sends a sender key and a public signature key to all the others (using E2EE channels)
  – Afterwards each group message is E2EE with the sender key and digitally signed
  – The server fans out the message
  – Each recipient can verify the signature and decrypt the message
  – When a member leaves the group, all group members have to clear the state and the protocol must start from scratch
  – Because groups are administered, the server must be trusted here

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 270 Department of Informatics

Communication Security Cryptographic Security Protocols (E2EE Messaging)

– Secure e-mail was one of the first applications for cryptography
– OpenPGP and S/MIME dominated secure messaging in the 1990s and 2000s
– The usefulness of these «simple» technologies was challenged by OTR
  – OTR provides a solution for E2EE messaging in a synchronous setting («instant messaging»)
  – Signal provides a solution that is suitable for both a synchronous and an asynchronous setting
– Similar to the way OpenPGP and S/MIME have dominated secure messaging in the past, Signal dominates E2EE messaging today (few exceptions, e.g., iMessage, , Threema, Telegram, … )
– Most cryptographic primitives in use are up to date, i.e., double ratchet, ECC and AE(AD)
– The IETF has chartered a Message Layer Security (MLS) WG
– Other trends are to use blockchain technologies (DLTs) to improve the privacy with regard to metadata (e.g., ) and to complement messaging with payments (similar to WeChat Pay)
  – The most prominent example is Elixxir from David Chaum

[Photo: David Chaum]

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 271 Department of Informatics

4. Operational Environments and Applications

4.1 Web Applications
4.2 Virtualization and Cloud Computing
4.3 Digital Signatures and E-Commerce
4.4 Public Key Infrastructures and Identity Management
4.5 Digital Money
4.6 Internet Banking
4.7 E-Voting and Digital Democracy

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 272 Department of Informatics

Operational Environments and Applications 4.1 Web Applications

– Today, the Hypertext Transfer Protocol (HTTP) is the dominating application-layer protocol
  – It is mainly used for Web applications
  – It is a very simple client-server protocol layered on top of TCP
  – It is stateless, i.e., session state must be built and managed on top of HTTP (e.g., cookies)
– HTTP was first introduced by Tim Berners-Lee (CERN) in 1991
– HTTP/1.0 was specified in 1996 (RFC 1945), HTTP/1.1 in 1999 (RFC 2616), and HTTP/2 in 2015 (RFC 7540)
– There are many complementary RFCs that specify additional features of HTTP
– With regard to security, there are two features that are widely used on the Internet
  – HTTP authentication (and authorization) methods
  – HTTP layered on top of SSL/TLS (HTTPS)

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 273 Department of Informatics

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 274 Department of Informatics

Operational Environments and Applications Web Applications

– HTTP has two authentication (and authorization) methods
  – In HTTP Basic authentication, the server challenges the client with a WWW-Authenticate: Basic realm="RealmName" header, whereas the client is to respond with an Authorization: Basic <Base64 encoding of username:password> header
  – In HTTP Digest authentication, the server authenticates the client with a simple challenge/response mechanism (the challenge is a nonce, and the response is an MD5 hash value of the username, password, and nonce)
– In a Windows environment, HTTP authentication is sometimes based on NTLM or Kerberos
– In practice, Basic authentication over SSL/TLS is the most widely used authentication method

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 275 Department of Informatics

Operational Environments and Applications Web Applications

– In addition to HTTP and SSL/TLS, Web security also depends on the security of the Web applications
  – They are susceptible to many attacks (e.g., SQL injection attacks)
  – In a cross-site scripting (XSS) attack, for example, the adversary injects malicious content (e.g., a script) into a Web page that is viewed by other people
  – The content is then executed with the privileges of the respective user and can bypass access control that is put in place (e.g., same origin policy)
– There are many types of XSS attacks
  – Due to their diversity, it is very difficult to protect against all of them
– The widespread use of active content (e.g., JavaScript) is a major source of problems

[Figure: XSS attack steps: 1) Adversary inserts JavaScript code instead of parameters in a Web form; 2) Server compiles user input into a dynamically created Web page; 4) Web page is executed by other user (with his or her privileges)]

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 276 Department of Informatics

Operational Environments and Applications Web Applications

– In a cross-site request forgery (CSRF) attack, the adversary exploits the fact that HTTP is stateless, meaning that the authentication information is sent in every HTTP request (e.g., session token or cookie)
– The adversary can therefore try to trick the user's browser to submit an HTTP request destined for another site (basically circumventing the same origin policy)
– The respective HTTP request is then complemented by the browser with the appropriate authentication information
– The user does not even recognize the attack while it is going on

[Figure: browser with sites Mozilla, Google, UBS, PostFinance]

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 277 Department of Informatics

Operational Environments and Applications 4.2 Virtualization and Cloud Computing

– With the general trend towards outsourcing, cloud computing has become an important topic
– Types of cloud computing
  – Infrastructure as a Service (IaaS)
  – Platform as a Service (PaaS)
  – Software as a Service (SaaS)
  – Analogy: «Pizza as a Service»
– All types of cloud computing have distinct security challenges

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 278 Department of Informatics

Operational Environments and Applications Virtualization and Cloud Computing

– The most important security challenge of cloud computing is related to the fact that the cloud service provider must have access to the data to process it (→ it must be trusted not to misuse the data)
  – If the data is encrypted, then the provider must decrypt it to process it
  – This means that it must have access to the keys (→ the use of cryptography is pointless here)
  – There are some certification schemes that try to justify this level of trust (their value is questionable)
– In the short term, we may employ trusted computing technologies, like enclaves based on Intel SGX
– In the long term, we may employ sophisticated cryptographic technologies like fully homomorphic encryption (FHE)
  – Analogy (due to Craig Gentry)

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 279 Department of Informatics

Operational Environments and Applications Virtualization and Cloud Computing

[Figure: fully homomorphic encryption. (pk,sk) ← KeyGen(λ); c_i = Encrypt(pk, m_i) for the plaintexts m_1, …, m_4; c = Evaluate(pk, f, c_1, c_2, c_3, c_4); Decrypt(sk, c) yields f(m_1, m_2, m_3, m_4)]

f(m1,m2,m3,m4) = Decrypt(sk,Evaluate(pk,f,Encrypt(pk,m1),Encrypt(pk,m2),Encrypt(pk,m3),Encrypt(pk,m4)))

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 280 Department of Informatics

Operational Environments and Applications Virtualization and Cloud Computing

– Unless FHE is available, it is important to be aware that the cloud service provider has access to the data it processes (encryption can only help if trusted hardware and enclaves are put in place)
  – Encryption yields a solution to protect data that is stored and transmitted
– There are technical, administrative, and legal controls that can be put in place to make sure that data access is controlled as thoroughly as possible → controls are not foolproof
  – This must be kept in mind in discussions related to outsourcing and cloud computing
– Another major topic in cloud security is availability (of data)
  – How can one make sure that data is available at any time, even if the cloud service misbehaves and acts dishonestly?
  – Backup copies defeat the original purpose of cloud computing

«If you think cryptography is the solution to your problem, then you don't understand cryptography and you don't understand your problem» (Butler Lampson / Roger Needham)

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 281 Department of Informatics

Operational Environments and Applications 4.3 Digital Signatures and E-Commerce

– Digital signatures are well understood in theory and practice
– A digital signature system (or digital signature scheme) consists of 3 efficient algorithms
  – Key generation algorithm
  – Signature generation algorithm
  – Signature verification algorithm
– With the advent of e-commerce, digital signatures and the legislation thereof have become important
– Most countries have a digital signature law in place
  – This also applies to Switzerland (ZertES revised in 2016) → «Siegel» and server-based signatures

[Figure: digital signature diagram, © https://upload.wikimedia.org/wikipedia/commons/thumb/2/2b/Digital_Signature_diagram.svg/2000px-Digital_Signature_diagram.svg.p]

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 282 Department of Informatics

Operational Environments and Applications Digital Signatures and E-Commerce

– Accreditation Body (AB)
  – SAS
– Certification Bodies (CB)
  – KPMG
– Certification Service Providers (CSP)
  – Swisscom Solutions AG
  – QuoVadis Trustlink Schweiz AG
  – SwissSign AG (Post)
  – Federal Office of Information Technology, Systems and Telecommunication (FOITT)

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 283 Department of Informatics

Operational Environments and Applications Digital Signatures and E-Commerce

– Specifying an appropriate digital signature law is a challenging task
– If the requirements are restrictive, then it is difficult (and expensive) to build and come up with respective products and services → the law hardly has an impact in practice (e.g., German digital signature law)
– If the requirements are loose, then conformance to the law and the law itself are of minor interest (e.g., E-SIGN in the U.S.)
– It is difficult to find a balance
– The long-term perspective of all digital signature laws is questionable

[Figure: from R. Oppliger and R. Rytz, «Digital Evidence: Dream and Reality», IEEE Security & Privacy, Vol. 1, No. 5, September/October 2003, pp. 44–48. A real object is mapped to a digital object (a bit string such as 010011100101101101001 0100111110010101000...); the digital data to be signed, the arguments, and the signature are contrasted for the «dream» (one representation, one or only a few plausible interpretations) and for «reality» (many representations, many interpretations)]

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 284 Department of Informatics

Operational Environments and Applications 4.4 Public Key Infrastructures and Identity Management

– When public key cryptography is used, the authenticity and integrity of the public keys need to be protected
  – Public key certificates are used for this purpose
– Most public key certificates in use today conform to ITU-T X.509 version 3 (PGP certificates yield an alternative)
– The X.509 specification is open for arbitrary extensions
  – This makes it necessary to profile the specification for a specific application environment
  – This also applies to the Internet, where profiling is done by the IETF PKIX WG

[Figure: X.509 certificate versions v1, v2, v3]

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 285 Department of Informatics

Operational Environments and Applications Public Key Infrastructures and Identity Management

– The terms «security» and «trust» are often mixed up in security discussions
  – This also applies to PKI discussions
– Trust models
  – Direct trust → Every participant only trusts himself or herself
  – Web of trust (PGP) → Every participant only trusts himself or herself or specific persons of trust
  – Hierarchical trust (ITU-T X.509 PKI) → Every participant trusts one (or multiple) centralized party (parties)

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 286 Department of Informatics

Operational Environments and Applications Public Key Infrastructures and Identity Management

[Figure: the Certification Authority (CA) incl. Registration Authority (RA) issues a certificate to the User and publishes it in a Directory service (e.g., LDAP server)]

– Certificate revocation is difficult and the reason for many security problems
– Approaches
  – Certificate revocation lists (CRLs)
  – Delta CRLs
  – Online certificate status protocol (OCSP)
  – OCSP stapling
  – …

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 287 Department of Informatics

Operational Environments and Applications Public Key Infrastructures and Identity Management

– Many CAs and CSPs provide server certificates
– It is important to have a certificate issued by a CA or CSP that is included in the certificate store of the major software vendors (e.g., Microsoft, Apple, Adobe, Mozilla, … )
– Types of certificates
  – Domain validation (DV)
  – Organization validation (OV)
  – Extended validation (EV)
  – Wildcard certificates
  – International Step-up (Netscape) and Server Gated Cryptography (SGC) certificates (Microsoft)

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 288 Department of Informatics

Operational Environments and Applications Public Key Infrastructures and Identity Management

– In theory, there is no difference between a server and a client certificate
– In practice, however, the markets are distinct
  – Client certificates are not widely deployed
  – The few client certificates that are deployed are either free certificates or certificates issued by local (or private) CAs
  – Free certificates are provided by the same companies that sell commercial ones (mainly for marketing reasons)
– In many application settings, self-signed certificates are fine
  – But the problem is that users may get used to accepting self-signed certificates even in application settings in which such certificates are not fine

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 289 Department of Informatics

Operational Environments and Applications Public Key Infrastructures and Identity Management

– There are many problems and pitfalls related to X.509 and X.509-based PKIs
  – In 2009, it was shown that the encoding of an X.509 certificate is ambiguous, and that this ambiguity can be exploited in an attack
  – Also in 2009, it was shown that a special OCSP response code 3 («try later») causes many implementations to fail softly (instead of fail safely)
– For a couple of years, many commercially operating CAs and CSPs have been under attack
  – There are quite a few certificates that have been fraudulently issued (→ they need to be revoked as soon as possible)

[Figure: BEFORE: «Counterfeit» money; AFTER: «Print» money]

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 290 Department of Informatics

Operational Environments and Applications Public Key Infrastructures and Identity Management

– Probability-theoretic Observation
  – List of n commonly trusted root CAs (CA_1, ..., CA_n)
  – Pr[CA_i is compromised] = p_i (for 0 ≤ p_i ≤ 1)
  – Pr[CA_i is not compromised] = 1 – p_i
  – Pr[no CA is compromised] = (1 – p_1)(1 – p_2)…(1 – p_n) = ∏_{i=1}^{n} (1 – p_i)
  – Pr[at least one CA is compromised] = Pr[we face a problem] = 1 – ∏_{i=1}^{n} (1 – p_i)
  – If all p_i's are the same value p, then 1 – ∏_{i=1}^{n} (1 – p) = 1 – (1 – p)^n
  – As n grows steadily, we are almost certainly going to face severe problems (sooner or later)

FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 291 Department of Informatics

Operational Environments and Applications Public Key Infrastructures and Identity Management

– Problem areas
  – Revocation
    – All currently deployed certificate revocation mechanisms (e.g., CRLs, OCSP, …) implement a blacklist approach → they can address the problem of fraudulently issued certificates iff the fraud is discovered
  – Authorization
    – All CAs are equal and authorized to issue certificates for any entity → it may be necessary to define who is authorized to issue certificates for a particular entity
– The two problem areas are not independent but rather depend on each other (i.e., any approach to handling certificate authorization must also address certificate revocation, and vice versa)
– Certificate revocation and authorization are both active areas of research in the PKI realm

Slide 292

Operational Environments and Applications Public Key Infrastructures and Identity Management

– Certificate revocation is known to be tricky and there are many subtle attacks to consider (e.g., OCSP response code «try later»)
– The PKI community (including the IETF PKIX WG) has traditionally believed that a blacklist approach is more appropriate to address certificate revocation than a whitelist approach
  – This design decision is now being revisited
  – For example, Google's project (→ RFC 6962) follows a whitelist approach
  – The blockchain technology yields an alternative approach
– Whitelists and blacklists are not mutually exclusive and can be combined at will

Slide 293

Operational Environments and Applications Public Key Infrastructures and Identity Management

– The research community has come up with several new approaches to address certificate authorization
  – Trusted CA lists
  – Public key pinning (will become obsolete)
    – Static (Google Chrome)
    – Dynamic → HTTP public key pinning (HPKP) → RFC 7469
  – Trust assertions for certificate keys (TACK)

Slide 294

Operational Environments and Applications Public Key Infrastructures and Identity Management

– Using DNS to distribute certificate authorization information
  – DNS Certification Authority Authorization (CAA) → RFC 6844
  – DNS-based Authentication of Named Entities (DANE/TLSA) → RFC 6698
  – EFF Sovereign Keys project
  – …
– Distributed trust models and notary servers
  – Perspectives project
  – Convergence
  – …
– All approaches have advantages and disadvantages
– Again, the approaches are not mutually exclusive and can be combined at will
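How a CA applies CAA records (RFC 6844) before issuing, as an added example that is not part of the lecture slides: the record set for a name is found by climbing towards the DNS root, an unknown property tag with the critical flag forbids issuance, and a wildcard request is governed by issuewild records when they exist. The zone data, domain names and function names below are constructed for the example; the simplified lookup omits the CNAME/DNAME handling of the RFC.

```python
"""CAA issuance check (RFC 6844) – an added example, not from the lecture slides."""
import re
from dataclasses import dataclass
from typing import Dict, List

ISSUER_CRITICAL = 128          # flag bit 7 (RFC 6844 §5.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(presentation: str) -> CAARecord:
    """Parse the zone-file presentation format: <flags> <tag> "<value>"."""
    m = re.fullmatch(r'\s*(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*', presentation)
    if not m:
        raise ValueError(f"malformed CAA record: {presentation!r}")
    return CAARecord(int(m.group(1)), m.group(2).lower(), m.group(3))


def issuer_domain(value: str) -> str:
    """The issuer domain precedes the first ';'; anything after it is parameters.
    An empty issuer domain (value ';') means that no CA may issue."""
    return value.split(";", 1)[0].strip().lower()


def find_record_set(caa_by_name: Dict[str, List[CAARecord]], name: str) -> List[CAARecord]:
    """Climb towards the DNS root and return the first non-empty CAA record set
    (simplified: the CNAME/DNAME handling of RFC 6844 §4 is omitted)."""
    labels = name.lower().rstrip(".").split(".")
    while labels:
        records = caa_by_name.get(".".join(labels), [])
        if records:
            return records
        labels.pop(0)
    return []


def caa_permits(records: List[CAARecord], ca_domain: str, wildcard: bool = False) -> bool:
    """Apply the relevant record set to an issuance request by `ca_domain`."""
    # Unknown property tag with the critical flag set: the CA must not issue.
    if any(r.flags & ISSUER_CRITICAL and r.tag not in KNOWN_TAGS for r in records):
        return False
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    # Wildcard requests are governed by issuewild when present, else by issue.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True       # no issue restriction published (e.g., only iodef)
    return any(issuer_domain(r.value) == ca_domain.lower() for r in relevant)


def check_issuance(caa_by_name: Dict[str, List[CAARecord]], name: str, ca_domain: str) -> bool:
    """Full check for a certificate request for `name` (wildcard if it starts with '*.')."""
    wildcard = name.startswith("*.")
    lookup_name = name[2:] if wildcard else name
    return caa_permits(find_record_set(caa_by_name, lookup_name), ca_domain, wildcard)


# Constructed zone data (not real domains or CAs)
SAMPLE_ZONE = {
    "example.test": [
        parse_caa('0 issue "ca-one.test"'),
        parse_caa('0 issuewild ";"'),                        # no wildcard certificates at all
        parse_caa('0 iodef "mailto:security@example.test"'),
    ],
    "open.test": [parse_caa('0 iodef "mailto:hostmaster@open.test"')],   # no restriction
    "strict.test": [parse_caa('128 futuretag "something"')],             # unknown critical tag
}
```

With this data, ca-one.test may issue for www.example.test but not for *.example.test, nobody may issue for strict.test because of the unknown critical tag, and a name without any CAA records anywhere up the tree is unrestricted. This is exactly why CAA only helps against mis-issuance by CAs that honour it: it authorizes issuers, it does not revoke what a non-compliant or compromised CA already issued.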

Slide 295

Operational Environments and Applications Public Key Infrastructures and Identity Management

– Most countries have a digital signature law in place
– In addition, many countries address the (political) question whether they should issue electronic ID (eID) cards to their citizens
  – Finland, Austria, Estonia, and several other countries have answered this question in the affirmative (with different success)
– The question periodically pops up in Switzerland
  – In 2010, the SuisseID initiative was launched
  – In May 2017, the SwissID was launched (originally as a joint venture between Post and SBB)
  – Meanwhile, many other companies have joined the initiative
  – In addition, the Swiss federal administration (fedpol) has drafted a law on electronic identities (E-ID)
  – This draft is being discussed in politics (there will be a referendum)

Slide 296

Operational Environments and Applications Public Key Infrastructures and Identity Management

– At first sight, one might think that e-commerce and e-business are about authentication
– But it is more about authorization
– Approaches
  – Encoding of authorization information in certificates
  – Use of attribute certificates
  – Authorization information in database management systems
  – Use of digital cash
  – ...

«On the Internet, nobody cares you're a dog - unless you can't pay your debts.»

Slide 297

Operational Environments and Applications Public Key Infrastructures and Identity Management

– Identity management (IM)
– IM technologies
  – Kerberos-based approaches
  – PKI-based approaches
  – Web services – mostly based on the Security Assertion Markup Language (SAML)
  – .NET Passport
  – Liberty Alliance
  – Shibboleth (e.g., SWITCH AAI)
  – OpenID
  – Windows CardSpace (formerly known as InfoCard)
  – …

[Figure: entity-relationship diagram – an Entity has (1:n) Identities; each Identity has an Identificator, is represented by an identity card, and has (1:n) Attributes (Attribute 1, Attribute 2, …, Attribute n) and (1:n) Privileges]

Slide 298

Operational Environments and Applications 4.5 Digital Money

– What is money?
  – Anything which is widely accepted in payments for goods or in discharge of other kinds of business obligations
  – Anything that is generally acceptable as a means of exchange and that at the same time acts as a measure and a store of value
– Money has a long and eventful history
– There exist many forms of money
  – In some sense, Rai (stone) money from the island of Yap is a predecessor of Bitcoin
– Money is subject to digitalization
  – Digital money is omnipresent today (e.g., SWIFT), and its importance is even increasing
  – In some countries, it is politically controversial whether physical money (cash) should be abandoned (e.g., Canada, Sweden, …)

[Image: Rai stone from Yap, © https://en.wikipedia.org/wiki/Rai_stones#/media/File:Rai_stone_from_Yap_currency.jpg]

Slide 299

Operational Environments and Applications Digital Money

– Since the 1990s, digital money and electronic payment systems have been a research topic
– Many systems have been developed, proposed, and sometimes deployed in the field (usually with little success)
– Distinguishing features
  – Prepaid (e.g., Paysafecard, Ukash, …), debit or credit
  – Existing currency or new currency
  – Anonymous, pseudonymous, nonanonymous
  – Centralized (online / offline), decentralized or distributed
  – Hardware requirements (e.g., smartcards, NFC, Bluetooth, …)
  – Micropayments, «normal» payments and/or macropayments
  – …

Slide 300

Operational Environments and Applications Digital Money

– The field of digital money was (and still is) diverse and highly fragmented
– The double-spending problem was (and still is) the predominant problem
– In 2008, Satoshi Nakamoto published a paper entitled «Bitcoin: A Peer-to-Peer Electronic Cash System» that changed the field
– Bitcoin is based on prior work
  – Timestamping (Haber-Stornetta, 1991)
  – Hashcash (Adam Back, 1997)
  – Bit gold (Nick Szabo, 1998)
  – B-money (Wei Dai, 1998)
– Nakamoto withdrew from the public in 2011

Slide 301

Operational Environments and Applications Digital Money

– In contrast to most other technologies used on the Internet, there is neither a supervising body (e.g., IETF) nor an official Bitcoin protocol specification
  – Instead, Bitcoin Core is the reference implementation that stands for the specification (→ https://bitcoincore.org/en/team)
– 1 bitcoin (BTC) = 100,000,000 = 10^8 satoshis
– Bitcoins (satoshis) can be retrieved from specialized currency exchanges
  – They can be stored locally or on centralized servers (e.g., Coinbase)
– There are different types of Bitcoin clients (with different analogies related to e-mail)
  – Full client (full or mining node) ↔ SMTP server → a few ten thousand nodes
  – Light client ↔ POP3/IMAP4 client → millions of nodes
  – Web client ↔ Webmail application

Slide 302

Operational Environments and Applications Digital Money

– Analogies
  – Money handover in public
  – «Bitcoin-like» game (a moderator and several players)

[Figure: the game in progress – Block 1 = {25, 25, 18, 32}; the digit sum 2+5+2+5+1+8+3+2 = 28 becomes the first entry of the next block, Block 2 = {28, 39, 5, 28}; its digit sum 2+8+3+9+5+2+8 = 37 in turn opens the following block {37, …}]

Slide 303

Operational Environments and Applications Digital Money

– Bitcoin has no physical representation
– At the core of Bitcoin is a public ledger that contains all transactions ever made
– All participants must have consensus about the ledger
– If this is the case, then everybody can decide
  – whether a particular transaction is valid, i.e., the participant that issues the transaction has enough money
  – whether a particular transaction is double spent
– This solves the double spending problem
– The question is how to reach consensus
  – Traditional mechanisms and protocols do not work (due to «sybil» attacks)

Slide 304

Operational Environments and Applications Digital Money

– Account-based ledger (with a lot of additional state)
– Transaction-based ledger (with some additional state)
  – UTXO = Unspent Transaction Output

[Figure: the same transaction sequence in both ledgers; T4 is invalid in each case – in the one ledger because the resulting value would be negative (value < 0), in the other because the input is not sufficient (7 < 8)]

Slide 305

Operational Environments and Applications Digital Money

– A transaction-based ledger has the advantage that the validity of a transaction can more easily be verified within the ledger (especially with a UTXO cache)
– In contrast, an account-based ledger requires a lot of additional state
– Implementing either ledger in a centralized way is simple and straightforward (all banks do it in one way or another)
– Implementing either ledger in a distributed way is involved and challenging
  – This is where Bitcoin and the blockchain technology come into play
– The blockchain technology provides a possibility to implement a transaction-based ledger in a fully distributed way, i.e., using a peer-to-peer (P2P) network
  – The result is known as Bitcoin
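A minimal transaction-based ledger with a UTXO cache, as an added example that is not part of the lecture slides: every input must reference an output that is still unspent, and the inputs must cover the outputs (the difference is the fee). The transactions, owners and amounts are constructed, chosen so that the failing case reproduces the slide's «input not sufficient (7 < 8)», and a second request to spend an already used output is rejected as a double spend. Values are integers to avoid floating-point rounding.

```python
"""Transaction-based (UTXO) ledger – an added example, not from the lecture slides."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

OutPoint = Tuple[str, int]             # (txid of the funding transaction, output index)


@dataclass
class Tx:
    txid: str
    inputs: List[OutPoint]             # empty for a coinbase (money-creating) transaction
    outputs: List[Tuple[str, int]]     # (owner, value)


class Ledger:
    def __init__(self) -> None:
        self.utxo: Dict[OutPoint, Tuple[str, int]] = {}   # the UTXO cache: all unspent outputs
        self.history: List[str] = []                      # txids in acceptance order

    def validate(self, tx: Tx, coinbase: bool = False) -> Tuple[bool, str]:
        """Check a transaction against the current UTXO set without applying it."""
        if any(v < 0 for _, v in tx.outputs):
            return False, "negative output value"
        if coinbase:
            return (True, "coinbase") if not tx.inputs else (False, "coinbase must not have inputs")
        if not tx.inputs:
            return False, "no inputs"
        if len(set(tx.inputs)) != len(tx.inputs):
            return False, "same output referenced twice"
        total_in = 0
        for op in tx.inputs:
            if op not in self.utxo:        # spent earlier (double spend) or never existed
                return False, f"input {op} is not an unspent output (double spend or unknown)"
            total_in += self.utxo[op][1]
        total_out = sum(v for _, v in tx.outputs)
        if total_in < total_out:
            return False, f"input not sufficient ({total_in} < {total_out})"
        return True, f"ok, fee {total_in - total_out}"

    def apply(self, tx: Tx, coinbase: bool = False) -> bool:
        """Validate and, if valid, consume the inputs and create the new outputs."""
        ok, _ = self.validate(tx, coinbase)
        if not ok:
            return False
        for op in tx.inputs:
            del self.utxo[op]
        for idx, out in enumerate(tx.outputs):
            self.utxo[(tx.txid, idx)] = out
        self.history.append(tx.txid)
        return True

    def balance(self, owner: str) -> int:
        """An account balance is derived state: the sum of the owner's unspent outputs."""
        return sum(v for o, v in self.utxo.values() if o == owner)


def demo() -> dict:
    """Constructed scenario: T4 fails with 7 < 8, T5 tries to spend an output twice."""
    ledger = Ledger()
    ledger.apply(Tx("T1", [], [("Alice", 10)]), coinbase=True)
    ledger.apply(Tx("T2", [("T1", 0)], [("Bob", 7), ("Alice", 3)]))
    ledger.apply(Tx("T3", [("T2", 1)], [("Carol", 3)]))
    t4 = ledger.validate(Tx("T4", [("T2", 0)], [("Dave", 8)]))     # 7 < 8
    t5 = ledger.validate(Tx("T5", [("T1", 0)], [("Eve", 10)]))     # T1:0 already spent by T2
    return {
        "T4": t4,
        "T5": t5,
        "balances": {name: ledger.balance(name) for name in ("Alice", "Bob", "Carol")},
        "history": list(ledger.history),
    }
```

Note that `balance()` is computed from the UTXO set rather than stored: this is the «some additional state» of the slide, as opposed to the account-based ledger that must keep a balance per account and update it on every transaction.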

Slide 306

Operational Environments and Applications Digital Money

– A blockchain is an append-only data structure that comprises an ordered back-linked list (chain) of blocks of valid transactions
  – All transactions in a block are processed simultaneously
– Each transaction Ti has m ≥ 1 inputs Ti.I[0], Ti.I[1], …, Ti.I[m-1], n ≥ 1 outputs Ti.O[0], Ti.O[1], …, Ti.O[n-1], and a 4-byte locktime parameter L

[Figure: chain of blocks starting at the Genesis Block, with a Fork]

Slide 307

Operational Environments and Applications Digital Money

– The blockchain can be read by anybody, but it is strictly controlled who can append a new block (and extend the blockchain accordingly)
  – Whoever provides a solution to a mathematically hard problem is authorized to append a new block (and gets some reward for it)
  – This (write access control) mechanism is known as proof of work (PoW)
  – The process of providing a PoW is called (Bitcoin) mining
– The miners are incentivized and rewarded with bitcoins that are generated in the mining process (up to a certain amount of bitcoins)
– Bitcoin mining is a big business today (similar to a gold rush)

Slide 308

Operational Environments and Applications Digital Money

– To compile a block, a miner must find a nonce such that the hash value of the block header is less than or equal to a certain value (= target)
– The target is a 256-bit (32-byte) number adjusted every 2,016 blocks (≈ two weeks) so that a block is mined every 10 minutes on average
– Exemplary target (genesis block)
– Hardware development
  – Central Processing Unit (CPU) 2009 – 2011
  – Graphics Processing Unit (GPU) 2011 – 2012
  – Field Programmable Gate Array (FPGA) 2012 – 2013
  – Application-Specific Integrated Circuit (ASIC) since 2013
  – All hardware solutions can be parallelized at will (→ Bitcoin mining centers)
– The Bitcoin wiki list of ASICs comprises 27 products

Slide 309

Operational Environments and Applications Digital Money

– Whenever a miner finds a block, he or she is rewarded with some BTC
  – It started with 50 BTC and is halved every 210,000 blocks (≈ 4 years)
  – It was halved twice (November 2012 and July 2016) and is currently 12.5 BTC (→ 144 ∙ 12.5 = 1,800 BTC are generated each day)
– The total amount of bitcoins (that will ever be generated) is
  $\lim_{n\to\infty} \sum_{i=0}^{n} 210{,}000 \cdot \frac{50}{2^i} = 210{,}000 \cdot 50 \cdot \lim_{n\to\infty} \sum_{i=0}^{n} \frac{1}{2^i} = 210{,}000 \cdot 50 \cdot 2 = 21{,}000{,}000$
– The fact that an amount of money is upper bounded (to 21 million) is entirely new
  – It restricts the power of central banks → Bitcoin is regulated or forbidden in some countries
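The two previous slides in working code, as an added example that is not part of the lecture slides: a toy block header is double-SHA-256 hashed (as Bitcoin does), mining searches a nonce whose hash, read as a 256-bit integer, is at most the target, verification is a single hash, and the target is rescaled by the ratio of actual to expected time for 2,016 blocks (clamped to a factor of 4, as Bitcoin Core does). `block_subsidy()` follows the slide's halving schedule in integer satoshis; because the integer halving eventually rounds down to zero, the sum of all subsidies is slightly less than the 21,000,000 BTC of the slide's limit. The previous hash, merkle root, timestamp and the small target are constructed values so the search finishes within a fraction of a second; the header layout is simplified (no version or nBits field).

```python
"""Proof of work, retargeting and block subsidy – an added example, not from the lecture slides."""
import hashlib
import struct

COIN = 100_000_000                  # satoshis per bitcoin
HALVING_INTERVAL = 210_000          # blocks between halvings (slide: ≈ 4 years)
EXPECTED_TIMESPAN = 2016 * 600      # 2,016 blocks at 10 minutes, in seconds


def sha256d(data: bytes) -> bytes:
    """Bitcoin's double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def header_bytes(prev_hash: bytes, merkle_root: bytes, timestamp: int, nonce: int) -> bytes:
    """Simplified header: previous block hash, merkle root, time, nonce."""
    return prev_hash + merkle_root + struct.pack("<II", timestamp, nonce)


def block_hash(prev_hash: bytes, merkle_root: bytes, timestamp: int, nonce: int) -> int:
    return int.from_bytes(sha256d(header_bytes(prev_hash, merkle_root, timestamp, nonce)), "big")


def mine(prev_hash: bytes, merkle_root: bytes, timestamp: int, target: int, max_nonce: int = 2**32) -> int:
    """Return the first nonce whose header hash is <= target (the proof of work)."""
    for nonce in range(max_nonce):
        if block_hash(prev_hash, merkle_root, timestamp, nonce) <= target:
            return nonce
    raise RuntimeError("no nonce found in range")


def verify(prev_hash: bytes, merkle_root: bytes, timestamp: int, nonce: int, target: int) -> bool:
    """Verification costs one hash, however many the miner needed: the asymmetry PoW relies on."""
    return block_hash(prev_hash, merkle_root, timestamp, nonce) <= target


def retarget(old_target: int, actual_timespan: int) -> int:
    """New target after 2,016 blocks: scale by actual/expected time, clamped to [1/4, 4].
    Blocks came too fast -> smaller target (harder); too slow -> larger target (easier)."""
    actual = min(max(actual_timespan, EXPECTED_TIMESPAN // 4), EXPECTED_TIMESPAN * 4)
    return old_target * actual // EXPECTED_TIMESPAN


def block_subsidy(height: int) -> int:
    """Subsidy in satoshis at a given height: 50 BTC, halved every 210,000 blocks."""
    halvings = height // HALVING_INTERVAL
    if halvings >= 64:              # shifting further would be undefined; subsidy is 0 long before
        return 0
    return (50 * COIN) >> halvings


def total_supply() -> int:
    """Sum of all subsidies that will ever be paid, in satoshis (integer rounding included)."""
    total, height = 0, 0
    while block_subsidy(height) > 0:
        total += block_subsidy(height) * HALVING_INTERVAL
        height += HALVING_INTERVAL
    return total


def demo() -> tuple:
    """Mine and verify one toy block on constructed inputs."""
    prev = b"\x00" * 32                                        # constructed previous block hash
    root = hashlib.sha256(b"constructed merkle root").digest()
    ts = 1_600_000_000                                         # constructed timestamp
    target = 2 ** 244                                          # about 4,096 expected attempts
    nonce = mine(prev, root, ts, target)
    valid = verify(prev, root, ts, nonce, target)
    earlier_fail = nonce == 0 or not verify(prev, root, ts, nonce - 1, target)
    return nonce, valid, earlier_fail
```

`total_supply()` returns 2,099,999,997,690,000 satoshis, i.e. 20,999,999.9769 BTC: the geometric series on the slide gives the limit, the integer arithmetic actually used by the protocol stays just below it.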

Slide 310

Operational Environments and Applications Digital Money

– The sense and nonsense of a PoW is controversially discussed
– In the research community, a few other mechanisms are being discussed under the term «virtual mining»
  – Proof of stake (PoS)
  – Proof of activity (PoA)
  – Proof of Deposit (PoD)
  – Proof of Burn (PoB)
  – …
– The creator of the next block is chosen via a combination of random selection, wealth, age, and/or some other parameter

Slide 311

Operational Environments and Applications Digital Money

[Figure: three transactions from a blockchain explorer, chained by their outputs (an output of Ti funds Tj, the change output of Tj funds Tk)]

– Ti: 2379324a8ed0799d33a9d2a827b430bf27b06ffe7cbdbbf72c9cf4a978791934 (mined into block #463298), 2017-04-24 09:51:16, 258 bytes; input 20.78037319 BTC → outputs 0.01504966 BTC and 20.76497127 BTC; transaction fee 0.00035226 BTC
– Tj: 55334cf41359990530c66fb4b8696e28aa65211006a97f391758e88d0392b7e5 (mined into block #468663), 2017-05-24 00:27:28, 225 bytes; input 0.01504966 BTC → outputs 0.00059887 BTC (test transaction) and 0.01425079 BTC (change), i.e., 0.01484966 BTC in total; transaction fee 0.0002 BTC
– Tk: bcf6d274fdbc0de9a74b07fbc3b3668a79d3dc4fd6bfcde3b65f9c15bfec8fa1 (mined into block #501582), 2017-12-29 14:29:39, 226 bytes; input 0.01425079 BTC → outputs 0.00179772 BTC (transaction) and 0.01194909 BTC (change), i.e., 0.01374681 BTC in total; transaction fee 0.00050398 BTC
– Addresses appearing in the figure: 167NpkLAw8F5zpCVd7HLYqnn4cxTNRgdNB, 1Ph7sLyVxWy7UXyxEp3t7vfQfwsiTh8ymV, 1Gptgf59yPf9e8txEcNyuJiVxi7Y99vire, 12n1PZPog9UmV9yQWUZT7SEe9U4BUYQW7u, 15yztwyKb7UKLKHntLmCmspnbf3LXykESZ, 18dtQFRtzoJSMFaiGLjL5LWjnizzptTWZP

Slide 312

Operational Environments and Applications Digital Money

[Figure: Ti (input 20.78037319 BTC, outputs 0.01504966 BTC and 20.76497127 BTC) and Tj (input 0.01504966 BTC, outputs 0.00059887 BTC and 0.01425079 BTC)]

scriptSig (in Tj):
PUSHDATA(71)[3044022030ce63606cd698c0b214a5f4b7249c1daf9b358ee73e097632f822ef9c708c28022060c5fe11e7aa9f14a3fcce9f9a6b55605d7b5ffb40a1fd5800508a33d3f576b101] ← signature
PUSHDATA(33)[03a9a232d39a75597faab5532a60698f059078a732998dc40ae6c0b2791464aaec] ← public key (HEX)

scriptPubKey (in Ti):
DUP HASH160 PUSHDATA(20)[53c2c32ad268e58a98a9ba7514a078e5025249ad] EQUALVERIFY CHECKSIG ← public key (hash)

18dtQFRtzoJSMFaiGLjL5LWjnizzptTWZP ← public key (Wallet Import Format)

Scripts are executed on a stack (→ Reverse Polish Notation)

Slide 313

Operational Environments and Applications Digital Money

[Figure: Tj (input 0.01504966 BTC, outputs 0.00059887 BTC and 0.01425079 BTC) and Tk (input 0.01425079 BTC, outputs 0.00179772 BTC and 0.01194909 BTC)]

scriptSig (in Tk):
PUSHDATA(72)[3045022100c7a008984986f63b8fa6accb89c6fd9244bb09d22dbee16390a786c83559da00022048ecdc8ffe014503a72748b9b04cb054b175ed9320a4cc1711975400ce71ca7501] ← signature
PUSHDATA(33)[03bd58c6b9d9f038cc80cf851470a67041b2dafc6bec603d926ef7fb0bafa8a76e] ← public key (HEX)

scriptPubKey (of the spent output):
DUP HASH160 PUSHDATA(20)[f8e9238ae09cdd57d4da0e97f14a3e36cbac670a] EQUALVERIFY CHECKSIG ← public key (hash)

1Ph7sLyVxWy7UXyxEp3t7vfQfwsiTh8ymV

Slide 314

Individual Exercise

– Retrieve some Bitcoins from an SBB ticket machine
– Spend some Bitcoins
– Use one of the many Bitcoin blockchain explorers to study the respective transaction(s)
  – Blockchain
  – Smartbit
  – Blockexplorer
  – Insight
  – …

Slide 315

Operational Environments and Applications Digital Money

– The multi-signature feature of Bitcoin provides opportunities for new and innovative applications
– Bitcoin can provide digital notarization services, such as a proof of existence (e.g., poex.io) or a digital timestamping service (e.g., OriginStamp)
– It is also possible to use Bitcoin and its blockchain (ledger) to overlay additional functionality related to currencies or something else → metacoins
  – This is analogous to the use of bills to provide some other functionality
  – The information related to the additional functionality must be encoded in Bitcoin transactions and the software must be enabled to handle it (e.g., Open Assets to implement «colored coins»)
– Exemplary Bitcoin-based metacoin platforms
  – Counterparty
  – Omni Layer (formerly known as Mastercoin)
  – …

[Figure: a bill with serial number 15S2275822 is looked up in a database of valid tickets]

Slide 316

Operational Environments and Applications Digital Money

– Instead of using Bitcoin, one can also employ the blockchain technology to come up with something similar to Bitcoin (currency) → altcoins (e.g., Litecoin, Bytecoin, Firstcoin, …) or something entirely new (non-currency)
– Exemplary non-currency platforms (aka «altchains»)
  – Ripple
  – Ethereum
    • Targets «smart» contracts and other «smart» applications
    • It uses a Turing-complete scripting language (→ «Internet of money», «Web 3.0», …)
  – …
– There are > 1,000 altcoins with respective market capitalizations
  – Bitcoin holds more than 50%
  – Beware of «bubble coins»
– The ultimate goal of the blockchain technology is to make a trusted party or intermediary obsolete

[Figure: market capitalization chart, © https://coinmarketcap.com/charts/]

Slide 317

Operational Environments and Applications Digital Money

– Research challenges
  – Scalability (a few transactions per second vs. thousands of transactions per second in financial networks or even millions of transactions per second in the Internet of Things) → e.g., Lightning Network
  – Economy of energy (due to the PoW)
  – Alternative designs (e.g., Algorand by Silvio Micali, IOTA Tangle, …)
  – Optimal data structures (e.g., a blockchain that also comprises the UTXO cache)
  – Resilience against network-based attacks
  – Convergence of users and miners
  – Cryptographic agility (especially in the light of quantum computing)
  – Regulation (e.g., New York BitLicense)
  – Blockchain-as-a-Service (BaaS)
  – …

Slide 318

Operational Environments and Applications

4.6 Internet Banking

– In Internet banking, the Internet is used for the client to communicate with the banking server
– The client may be a «normal» Web browser or a specialized application software (or app, respectively)
  – Most banking organizations support both possibilities
– From a security perspective, using a «normal» browser is disadvantageous, because the browser may be susceptible to malware attacks

[Figure: malware infection of the client – 1) exploit (e.g., «drive-by» infection); 2) request for malware (incl. configuration and settings) from a server controlled by the attacker; 3) delivery and configuration of malware; 4) «normal» connection of the manipulated client to the Internet banking server; 5) control connection (optional)]

Slide 319

Operational Environments and Applications Internet Banking

[Figure: «Classic» threat model (*) – User, Client, Communication channel, Server; the communication channel is the vulnerable part. New threat model – User, Client, Communication channel, Server; the user interface is particularly vulnerable, and the crypto implementations are vulnerable]

(*) D. Dolev and A.C. Yao, On the security of public key protocols, Proceedings of the IEEE 22nd Annual Symposium on Foundations of Computer Science, pp. 350–357, 1981

Slide 320

Internet banking

– Attacks are getting increasingly better, more professional, and targeted
  – Social relationships and media are being exploited (→ spear phishing)
– Trends (for higher-volume transactions)
  – User authentication is complemented by transaction authentication (and monitoring)
  – «General purpose» and universally usable client software is partly replaced with (application-)specific software
– There are many technologies that can be used for transaction authentication
  – All require hardware modules that need to be assumed to be secure (a difficult assumption in the case of mobile phones and smartphones)

Slide 321

Collective Exercise

– Compile a list of Swiss banks and discuss the technologies they use for user and transaction authentication

Slide 322

Operational Environments and Applications 4.7 E-Voting and Digital Democracy

– In theory, there are different forms of e-voting
  – Poll-site Internet Voting
  – Kiosk Voting
  – Remote Internet Voting
– In practice, remote Internet voting is the only form of e-voting that makes sense in Switzerland (as an alternative to postal voting)
– But there are many security problems related to remote Internet voting
  – The client represents the Achilles heel (similar to Internet banking)
  – Most complementary security mechanisms that can be used in Internet banking to mitigate the risks (e.g., user profiling and monitoring) do not work or cannot be applied in remote Internet voting
  – It is not even clear how one can detect that something malicious has happened

Slide 323

Operational Environments and Applications E-Voting and Digital Democracy

– E-voting in Switzerland is called «Vote électronique»
– Originally, there were three e-voting systems in Switzerland
– Today, the system from Neuenburg, Scytl, and the Swiss Postal Services is the only system that is still in operation

[Figure: the e-voting infrastructure of the Swiss Post, 2015 and 2020, © https://www.societybyte.swiss/2017/06/23/die-sichere-e-voting-infrastruktur-der-post/]

Slide 324

Operational Environments and Applications E-Voting and Digital Democracy

– End-to-end (E2E) verifiability is assumed to provide a solution for the client-side security problems
– The overall goal is to make sure that the votes are tallied as intended by the respective voters

[Figure: «cast as intended» + «tallied as cast» (= «recorded as cast» + «tallied as recorded») ⇒ «tallied as intended»; individual verifiability (IV) → zero-knowledge proofs; universal verifiability (UV) → homomorphic encryption]

– The two types are used incrementally in Switzerland (IV → 50%, UV → 100%)
  – Only with UV will e-voting be open for everybody to participate
– Due to the results of a recent public intrusion test, the future of e-voting is currently at stake
– If it continues, then better security and dematerialization are going to be the next challenges

Slide 325

Individual Exercise

– Visit the E-Voting site of the Swiss Post and go through the demo system
– Find out how individual verifiability is implemented and try to explain it to a fellow student of yours
– Discuss possibilities to attack the system and to mitigate these attacks
– Find out what cantons are using the e-voting system of the Swiss Post

[Screenshot: © https://www.evoting.ch/en]

Slide 326

5. Privacy and Data Protection

5.1 Introduction 5.2 Privacy-Enhancing Technologies

Slide 327

Privacy and Data Protection 5.1. Introduction

– Rain protection does not protect the rain, but the human who is exposed to the rain
– Similarly, data protection does not protect the data, but the human to whom the stored, processed, and transmitted data refers (→ personality protection)
– On the legal side, there are data protection and privacy laws and respective directives
– On the technical side, there are privacy-enhancing technologies (PETs)
– If there are no personal data involved, then there is no need to argue about data protection and privacy
– There are national and international certification programs for data protection and privacy (e.g., GoodPriv@cy® in Switzerland)
– Most PETs employ cryptographic techniques in some unusual ways
  – Anonymous Web browsing
  – Anonymous Web publishing

Slide 328

Privacy and Data Protection 5.2. Privacy-Enhancing Technologies

– Web browsing is inherently nonanonymous (e.g., ip-check.info)
– There are different PETs to hide the browser's IP address and some related information
– These technologies support anonymous Web browsing
  – Anonymising HTTP proxy server (+/- VPN encryption)
    – .com
    – Hidemyass.com
    – Proxify.com
    – …
  – Crowds (Aviel D. Rubin and Michael K. Reiter, 1998)

Attention: The browser's IP address may also be revealed using JavaScript or other active content supported by the browser

Slide 329

Privacy and Data Protection Privacy-Enhancing Technologies

– Mix networks (David Chaum, 1981)
  – Every node X holds a public key pair $(k_X, k_X^{-1})$
  – The sender A prepares a message m for the recipient B by encrypting it multiple times (once for every node en route):
    $m' = X_1, \{X_2, \{X_3, \{m\}_{k_{X_3}}\}_{k_{X_2}}\}_{k_{X_1}}$
  – German research project AN.ON → (JAP) / JonDo
  – → The Onion Router ()
  – …

[Figure: A → X1 (Guard) → X2 (Relay) → X3 (Exit node) → B. Attention: The message m appears in plaintext between the exit node and B]
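The layered encryption of the slide carried out in code, as an added example that is neither from the lecture nor from any real mix or Tor implementation. The public-key encryption {.}k_X is stood in for by a toy symmetric cipher (a SHA-256 keystream plus a SHA-256 tag), so each node here holds a secret key instead of the pair (k_X, k_X^-1); the structure m' = X1, {X2, {X3, {m}k_X3}k_X2}k_X1 is kept, with the recipient B placed inside the innermost layer so the exit node knows where to deliver. Each node can open only its own layer and learns only the next hop, and what leaves the exit node is the plaintext m, exactly the point of the slide's warning. Keys, node names and the message are constructed.

```python
"""Layered («onion») encryption in a mix network – an added example, not from the lecture slides."""
import hashlib
import json
import os

NONCE_LEN, TAG_LEN = 8, 16


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream: SHA-256 of key || nonce || counter, as many blocks as needed."""
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for public-key encryption {plaintext}k: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hashlib.sha256(key + nonce + ct).digest()[:TAG_LEN]   # makes a wrong key detectable
    return nonce + ct + tag


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if hashlib.sha256(key + nonce + ct).digest()[:TAG_LEN] != tag:
        raise ValueError("wrong key or corrupted layer")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def wrap(route: list, recipient: str, keys: dict, m: bytes) -> tuple:
    """Build m' for route [X1, X2, X3]: the innermost layer (for the exit node X3)
    carries B and m; every outer layer names the next hop and wraps the rest."""
    layer = toy_encrypt(keys[route[-1]], json.dumps({"to": recipient, "data": m.hex()}).encode())
    for node, next_hop in zip(reversed(route[:-1]), reversed(route[1:])):
        layer = toy_encrypt(keys[node], json.dumps({"to": next_hop, "data": layer.hex()}).encode())
    return route[0], layer                       # m' = X1, {...}k_X1


def peel(node: str, keys: dict, blob: bytes) -> tuple:
    """What a node learns by decrypting its layer: the next hop and an opaque inner blob."""
    inner = json.loads(toy_decrypt(keys[node], blob))
    return inner["to"], bytes.fromhex(inner["data"])


def relay(route: list, recipient: str, keys: dict, m: bytes) -> tuple:
    """Forward m' hop by hop; return the (node, next hop) trace and what reaches B."""
    hop, blob = wrap(route, recipient, keys, m)
    trace = []
    while hop in keys:                           # B is not a mix node and holds no key
        next_hop, blob = peel(hop, keys, blob)
        trace.append((hop, next_hop))
        hop = next_hop
    return trace, hop, blob                      # blob is now the plaintext m


# Constructed node keys (in a real mix: one public key pair per node)
KEYS = {f"X{i}": hashlib.sha256(f"constructed key of X{i}".encode()).digest() for i in (1, 2, 3)}


def demo() -> tuple:
    route, message = ["X1", "X2", "X3"], b"hello B"
    trace, final, received = relay(route, "B", KEYS, message)
    _, outer = wrap(route, "B", KEYS, message)   # the layer addressed to the guard X1
    try:                                         # the relay X2 must not be able to open it
        peel("X2", KEYS, outer)
        x2_opens_x1_layer = True
    except ValueError:
        x2_opens_x1_layer = False
    return trace, final, received, x2_opens_x1_layer
```

The per-hop view returned by `relay()` is what an observer at each node sees: X1 knows A and X2, X2 knows X1 and X3, X3 knows X2 and B plus the plaintext. Linking A to B therefore requires either the cooperation of all nodes on the route or traffic analysis, which is what real mixes counter with batching and padding and which this toy leaves out.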

Slide 330

Privacy and Data Protection Privacy-Enhancing Technologies

– Web publishing is inherently nonanonymous
  – Every HTTP request must include some server name information
– Nevertheless, there are a few PETs that can be used for anonymous Web publishing
  – Rewebber (→ HTTP proxy server with a public key pair)
  – Rewebber networks and URL translation servers (e.g., TAZ servers)
  – TOR hidden (onion) services (only within the TOR network)
  – …
– The market for anonymous Web publishing services has not taken off
  – There is hardly any use case (outside the Darknet)

[Figure: the rewebber holds a key pair (k, k⁻¹) and receives the encrypted URL {URL}k, then fetches the resource from the origin server]

Slide 331

Privacy and Data Protection Privacy-Enhancing Technologies

– The use of the .onion TLD is specified in RFC 7686
– XYZ = Base32 encoded first half of the SHA-1 hash value of the onion service's RSA public key
  – Example: 3g2upl4pq6kufc4m.onion
  – Public key (1024 bits) → hash (160 bits) → first half (80 bits) → 16 Base-32 characters (16 × 5 bits = 80 bits)

[Figure: onion service setup, © https://www.torproject.org/docs/onion-services.html.en]
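The address derivation of the slide in code, as an added example that is not part of the lecture or of Tor itself: SHA-1 over the service's public key, the first 80 bits, 16 Base32 characters. Tor hashes the DER encoding of the 1024-bit RSA public key; here a constructed byte string stands in for that encoding, since the point is the pipeline and the check a client can perform. That check, `matches_key()`, is what makes an onion name self-authenticating: whoever presents the service's public key can be tested against the address without any CA. The later 56-character v3 addresses (ed25519 based) are out of scope.

```python
"""Version-2 .onion address derivation and validation – an added example, not from the lecture slides."""
import base64
import hashlib
import re

V2_ONION_RE = re.compile(r"([a-z2-7]{16})\.onion")     # Base32 alphabet: a-z and 2-7


def v2_onion_address(public_key_der: bytes) -> str:
    """public key → SHA-1 (160 bits) → first half (80 bits) → 16 Base32 characters."""
    digest = hashlib.sha1(public_key_der).digest()
    first_half = digest[:10]                            # 80 bits = 16 × 5 bits, so no padding
    return base64.b32encode(first_half).decode().lower() + ".onion"


def parse_v2_onion(address: str) -> bytes:
    """Validate the syntax and return the 10-byte key-hash prefix the name encodes."""
    m = V2_ONION_RE.fullmatch(address.lower())
    if not m:
        raise ValueError(f"not a v2 .onion address: {address!r}")
    return base64.b32decode(m.group(1).upper())


def is_v2_onion(address: str) -> bool:
    try:
        parse_v2_onion(address)
        return True
    except ValueError:
        return False


def matches_key(address: str, public_key_der: bytes) -> bool:
    """Does this public key belong to this address? The name commits to the key,
    so a client needs no third party to check it (only 80 bits of it, though)."""
    return parse_v2_onion(address) == hashlib.sha1(public_key_der).digest()[:10]


# Constructed stand-in for a DER-encoded 1024-bit RSA public key (not a real key)
SAMPLE_KEY_DER = b"constructed stand-in for the DER encoding of an RSA public key"
```

The truncation to 80 bits is the weak spot of the scheme: it is enough to make stumbling on a second key with the same address impractical in 2021, but it is why v3 addresses encode the full public key instead of a hash prefix.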

Slide 332

Privacy and Data Protection Privacy-Enhancing Technologies

Slide 333

Privacy and Data Protection Privacy-Enhancing Technologies

Slide 334

Individual Exercise

– Set up a TOR onion service of your choice
– Use the TOR browser to connect to it
– Optionally, use Wireshark to capture the respective network traffic

Hint: Follow the instructions on https://www.torproject.org/docs/tor-onion-service.html.en or the YouTube video (in German only) to set up a TOR onion service using an nginx Web server

Slide 335

Privacy and Data Protection Privacy-Enhancing Technologies

– Crowds has also fueled a lot of research and development in the realm of using peer-to-peer (P2P) technologies to provide anonymity services
  – An additional goal of some of these projects was to use caching to provide better resistance against censorship
– Examples (alternatives to TOR onion services)
  – (since 2000)
  – GNUnet (since 2001)
  – Invisible Internet Project () (since 2003)
  – …
– Due to their P2P nature, these anonymizing networks have more active nodes than TOR, but far fewer users

Slide 336

6. Conclusions and Outlook

6.1 State of the Art 6.2 Future Trends

Slide 337

Conclusions and Outlook 6.1 State of the Art

– The state of the art in IT security is bad and is going to get worse :-(
– On the one hand, this is due to the «natural» enemies of IT security, i.e., (human) users, complexity, and speed (as mentioned before)
– On the other hand, this is intensified by the fact that everything is a computer today, and most of these computers are connected to the Internet → Internet of Things (IoT), Internet+, …
  – This leads to a situation in which formerly physically separated computer systems are now running on the same systems or on systems that are only logically separated (using, for example, only «software-defined» networks)
  – This increases the attack surface considerably
  – If an adversary manages to compromise a system (e.g., a hypervisor), then he or she is able to control many (or possibly all) computer systems and networks (in a target environment)

Slide 338

Conclusions and Outlook 6.2 Future Trends

– On the one hand, some future trends are derived from emerging technologies
  – The use of blockchain
  – The use of technologies from artificial intelligence (AI) and/or machine learning (ML)
  – The use of «whatever is hyped tomorrow»
– On the other hand, some future trends are derived from the real needs in IT security
  – Hardware security (e.g., protection against hardware-level attacks, like Spectre and Meltdown)
  – IT security management
  – Multilateral security (e.g., methods to handle conflicting or even seemingly mutually exclusive goals)
  – Scalability issues and agility
  – …

Slide 339

Slide 340

Good luck with the exam and your ongoing studies!

Slide 341