CS 6623, Data Security
Instructor: Robert F. Rossa
Textbook: Kaufman, Perlman and Speciner, Network Security: Private Communication in a Public World, Prentice-Hall, 1995.
There are course topics that are not covered in the textbook.
Final - Wednesday, December 10 - 12:30
Course topics
- Introductory: networks, viruses, worms, trojan horses, access controls.
- Cryptography in general; traditional ciphers.
- Secret key cryptography: DES, IDEA, CBC, OFB, CFB, MICs.
- Hashes and message digests.
- Number Theory.
- Public key cryptography.
- Authentication.
- Security in operating systems.
Resources
Brief lecture outlines
- August 18
- Threats to computer systems and networks
- Passive wiretapping, eavesdropping, browsing
- Threats to secrecy
- Includes eavesdropping on RF transmissions by equipment
- Includes exploitation of operating system holes
- Traffic analysis
- Active wiretapping, tampering
- Threats to authenticity
- Injection
- Replay
- Modification of messages
- Deletion of messages
- Leakage
- Inference
- Accidental destruction
- Masquerading
- Trojan horses, viruses, worms
- Denial of service
- August 20
- Firewalls
- Key escrow, Clipper
- Viruses
- Example: Alameda virus
- Antivirus software types
- scanner
- integrity checker
- behavior blocker
- Polymorphic virus
- Stealth virus
- False alarms by virus checkers
- Access controls
- Bell-La Padula model
- Discretionary and nondiscretionary
- Security levels
- Compartments
- Covert channels
- Orange Book ratings
- August 22
- Caesar cipher
- Monoalphabetic substitution ciphers
- Methods for analysis of substitution ciphers
- Transposition ciphers
- Running key ciphers
- One-time pad
- If a one-time pad is used more than once, it is
vulnerable to the methods used against running
key ciphers.
- Brief overview of RSA; secrecy and authentication
- August 25
- Polyalphabetic substitution ciphers
- Periodic substitution ciphers
- Methods for analysis
- Kasiski method
- Index of coincidence
- Size of the keyspace and brute force methods
- August 27
- Kinds of attack
- Ciphertext only
- Known plaintext
- Chosen plaintext
- Information theory concepts
- Entropy
- Rate of a language
- Absolute rate
- Redundancy
- Unicity distance
- Uses of secret key cryptography
- August 29
- Uses of public key cryptography
- DES
- Encryption overview
- Proof that using the 16 per-round keys
in reverse order does decryption
- September 3
- DES
- Key schedule computation
- Function f
- S-boxes
- No cryptographic value to IP
- Weak keys
- Differential cryptanalysis and number of rounds
- September 5
- Number Theory
- Divisibility
- a | b (definition)
- If m | a and m | b, then m | ax + by
- GCD
- Definition of (a,b)
- Characterization: smallest positive
value of ax + by
- Euclidean algorithm
- Extended Euclidean algorithm
- If m | ab and (m,a) = 1, then m | b.
- September 8
- Number Theory
- Mathematica support for big integer arithmetic
- Primes
- Unique factorization theorem
- There are infinitely many primes
- Difficulty of factorization
- Linear congruences
- Definition of a ≡ b (mod m)
- Simple properties
- September 10
- Number Theory
- Solving linear congruences
- d'Alembert's Theorem
- Euler's phi-function
- Euler's theorem
- September 12
- Number Theory
- Multiplicative inverses
- Applications of number theory to RSA
- Chinese remainder theorem
- IDEA
- Basic structure
- Key schedule
- Basic operations
- September 15
- IDEA
- Odd round computations
- Even round computations
- Key schedule for decryption
- SSL support for IDEA
- Problems with ECB
- Ciphertext searching
- Replay
- Insertion
- Deletion
- CBC
- September 17
- CBC
- Changing the initialization vector
- Threats to CBC
- Changing one field requires reenciphering all
following fields.
- OFB
- SSLeay support
- Effect of transmission errors - synchronization
- CFB
- Effect of transmission errors
- Decryption starting in midrecord
- September 19
- Hellman's time-memory tradeoff
- September 22
- MICs for integrity
- MICs with security and integrity
- Ideas that won't work
- Weak cryptographic checksum
- Cryptographic hash
- Encryption and checksum with two keys
- Multiple encryption
- Encrypting twice with same key not much more secure
- Encrypting twice with two keys (meet in the middle attack)
- Triple encryption - why not three keys
- Multiplying the size of the keyspace doesn't
necessarily multiply the difficulty of attack
- September 24
- The birthday problem
- Desirable properties of a hash
- MD2
- Applications of hashes
- Authentication
- Computing a MIC with a hash
- Encryption - OFB technique
- Encryption - CFB technique
- September 26
- Unix password hash
- Cracker programs
- Use of the salt
- Hashing large messages
- MD4
- Design goals
- Details of the algorithm
- Attacks on MD4
- MD5, SHS
- September 29
- Inverses mod n
- Fast exponentiation mod n
- RSA basics
- Selection of p, q, e; then find n, d
- Security
- Authenticity
- Both security and authenticity: problem with
different moduli
- October 3
- Primality testing
- Pseudoprimes
- Carmichael numbers
- October 6
- Miller-Rabin test
- Probable prime generation
- October 8
- Pollard's p-1 factorization method
- Problems with public exponent 3 (and solutions)
- October 10
- PKCS
- Optimizing private key operations
- Mental poker
- October 13
- Diffie-Hellman
- Protocol for key exchange
- Bucket brigade attack
- Published public keys
- Encryption with Diffie-Hellman
- El Gamal
- October 15
- PGP, brief overview
- DSS, key selection and signatures
- October 17
- Coin flip protocol and related number theory
- If 4 | (p+1), then x = a^((p+1)/4) (mod p) satisfies x^2 = a (mod p).
- Let p and q be distinct primes, n = pq. If x^2 = y^2 (mod n) and x != ±y (mod n), then (x+y, n) = p or q.
- Square rooting (mod n) is as hard as factoring n.
- The coin flip protocol
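The two October 17 lemmas above, together with the extended Euclidean algorithm, multiplicative inverses and the Chinese remainder theorem from the September 5 and September 12 lectures, worked in Python. This is an example added here, not course material or textbook code; the toy primes 7 and 11, the function names, and the "oracle" that stands in for a hypothetical square-root-mod-n algorithm are all my own assumptions. It also goes one step beyond the outline by running the reduction end to end: any algorithm that returns square roots mod n is turned into a factoring algorithm for n.

```python
from math import gcd

# Extended Euclidean algorithm: returns (g, x, y) with a*x + b*y == g == gcd(a, b),
# i.e. the "smallest positive value of ax + by" characterization of the GCD.
def ext_gcd(a, b):
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

# Multiplicative inverse of a mod m, read off the Bezout coefficient of ext_gcd.
def inv_mod(a, m):
    g, x, _ = ext_gcd(a % m, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {m}")
    return x % m

# Square root mod a prime p with 4 | (p+1): x = a^((p+1)/4) mod p.
# Why it works: x^2 = a^((p+1)/2) = a * a^((p-1)/2) = a (mod p) whenever a is a
# quadratic residue (Euler's criterion); for a non-residue the final check fails.
def sqrt_mod_p(a, p):
    if p % 4 != 3:
        raise ValueError("formula needs 4 | (p+1)")
    x = pow(a, (p + 1) // 4, p)
    if (x * x - a) % p:
        raise ValueError(f"{a} is not a quadratic residue mod {p}")
    return x

# Chinese remainder theorem for two coprime moduli p and q.
def crt(r_p, p, r_q, q):
    return (r_p * q * inv_mod(q, p) + r_q * p * inv_mod(p, q)) % (p * q)

# All four square roots of a mod n = pq: combine the +/- roots mod p and mod q
# with the CRT. Knowing p and q is exactly what makes this easy; below it plays
# the part of the hypothetical square-root oracle in the reduction.
def sqrt_mod_n(a, p, q):
    rp, rq = sqrt_mod_p(a, p), sqrt_mod_p(a, q)
    return sorted({crt(s * rp, p, t * rq, q) for s in (1, -1) for t in (1, -1)})

# Lemma: x^2 = y^2 (mod n) with x != +/-y (mod n) gives (x+y, n) = p or q,
# because n divides (x-y)(x+y) but divides neither factor on its own.
def factor_from_roots(x, y, n):
    if (x * x - y * y) % n or y % n in (x % n, (-x) % n):
        raise ValueError("need x^2 = y^2 (mod n) with x != +/-y")
    return gcd(x + y, n)

# "Square rooting (mod n) is as hard as factoring n": given any oracle that
# returns some square root mod n, choose x, ask for a root y of x^2; with
# probability 1/2 the oracle's y is not +/-x and the lemma yields a factor.
# `pick` supplies the candidate x (a random choice in practice).
def factor_with_sqrt_oracle(n, oracle, pick):
    while True:
        x = pick(n)
        if gcd(x, n) != 1:
            return gcd(x, n)          # x itself already shares a factor with n
        y = oracle(x * x % n)
        if y % n not in (x % n, (-x) % n):
            return factor_from_roots(x, y, n)

if __name__ == "__main__":
    import random
    p, q = 7, 11                      # constructed toy primes, both = 3 (mod 4)
    n = p * q
    oracle = lambda a: random.choice(sqrt_mod_n(a, p, q))
    f = factor_with_sqrt_oracle(n, oracle, lambda m: random.randrange(2, m))
    print(f"recovered factor {f} of {n}; cofactor {n // f}")
```

Run as a script it factors 77 from the toy oracle; with real-sized p and q the same loop would work, which is the whole point of the lemma: an RSA modulus is only as safe as square rooting mod n is hard.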
- October 20
- Zero knowledge proofs
- Using graph isomorphism
- Using squares (mod pq)
- Zero knowledge signatures
- mail introduction - general operation of sendmail
- October 22
- Distribution lists, remote exploders, local exploders
- Forwarders, MTAs, UAs
- Possible security services for electronic mail
- Privacy
- Authentication
- Integrity
- Non-repudiation
- Proof of submission
- Proof of delivery
- Message flow confidentiality
- Anonymity
- Containment
- Audit
- Accounting
- Self-destruct
- Sequence integrity
- October 24
- Establishing keys
- End-to-end privacy
- Privacy with distribution list exploders
- Source authentication
- With public keys
- With secret keys
- With distribution lists
- Non-repudiation
- Plausible deniability
- Proof of submission
- Proof of delivery
- Message flow confidentiality
- October 27
- Text format issues
- Canonicalization
- uuencode and uudecode
- Consequences of encoding for PEM and PGP
- Addresses
- Old messages and notaries
- PEM message structure
- October 29
- PEM
- Certificate hierarchy
- Certificate contents
- Reformatting
- Message structure
- Encryption
- Reason for initialization vector
- October 31
- PEM
- Authentication
- Multiple recipients
- Bracketing messages
- Nesting
- Exploders using public keys
- Forwarding and enclosures
- Unprotected mail components
- Message formats
- November 3
- PGP
- Methods
- For message encryption
- For signatures
- Compression
- Email compatibility
- Segmentation
- Authentication flowchart
- Encryption flowchart
- Flow for authentication and encryption
- Why sign before compression?
- Why encrypt after compression?
- Compare encoding with PEM
- Certificates and signing
- November 5
- PGP
- Key rings
- Encryption of private keys
- Anomalies
- Generation of session keys
- Unauthorized access without passwords
- Eavesdropping
- Feasibility - promiscuous mode on ethernet interface
- Masquerading
- November 7
- UNIX passwords
- Authentication sites and methods
- Per system
- Server stores password information, local authentication
- Authentication by server
- On-line and off-line attacks
- Address-based authentication
- Example: UNIX rsh
- Trusted hosts (/etc/hosts.equiv)
- .rhosts files
- proxy database
- Security issues
- Network address impersonation
- November 10
- KDC's
- Example: IBM key management scheme
- Key hierarchy
- Tamper-resistant modules
- Operations
- smk(km0)
- rfmk(E_km1(kt), E_km0(ks)) = E_kt(ks)
- emk(K) = E_km0(K)
- ecph(E_km0(K), M) = E_K(M)
- dcph(E_km0(K), C) = D_K(C)
- rtmk(E_km2(knf), E_knf(K)) = E_km0(K)
- Why is kmt stored under a separate key km1?
- Generation of session keys
- Setting up a session between two terminals on a single host
- Setting up a session between two terminals on different hosts
- November 12
- Multiple KDCs
- CRLs
- Access-matrix model of access control
- Any system object may be protected:
- Files
- Records
- Fields in a database
- Peripheral devices
- IPC objects
- Stacks
- Subjects
- Objects
- Rights
- Access matrix
- States
- Primitive operations
- Enter right into A[s,o]
- Delete right from A[s,o]
- Create subject s
- Create object o
- Destroy subject s
- Destroy object o
- Commands
- Examples of commands
- createFile
- conferRead
- transfer a right to an unowned object
- transfer a right, but only if the subject
gives it up
- controlling rights of subordinate processes
- Protection policies
- Safe systems
- It is undecidable whether a given state of a given
protection system is safe.
- November 14
- Computers can have high-quality passwords
- Bad habits of humans
- On-line guessing
- Account locking
- Password difficulty checks
- Password aging
- Deliberate slowing of password check
- Off-line attacks
- hacker, cracker, etc.
- Purpose of the salt
- Eavesdropping
- Trojan horses
- Smart cards, etc.
- Biometrics
- November 17
- What protocols should do
- Simple challenge (Protocol 9-1)
- Authentication is not mutual
- hijacking
- off-line attack
- vulnerability of server database
- may use hash function
- Encrypted challenge
- off-line attack
- mutual authentication
- Encrypted timestamp, one-way
- synchronized clocks
- clock skew
- no volatile state
- replay
- multiple servers
- protection of system clock
- Challenge and response, public key version
- trick user into signing arbitrary message
- November 21
- Lamport's hash
- Method
- Small n attack
- No mutual authentication
- Problems with multiple servers
- Benefits of adding a salt
- Protocol 9-8
- Protocol 9-9
- Reflection attack
- Off-line password guessing attack
- Public key version (protocol 9-13)
- Timestamps
- General principles
- Don't have initiator and server do the same thing.
- Initiator should prove identity first.
- November 24
- Establishing a session key
- Using a shared secret
- Can't use Kab(Challenge)
- Can't use Kab(Challenge+1)
- Using two-way public keys
- Flaw in A->B: {R}B
- A->B: [{R}B]A
- Overrunning
- Two protocols that take care of overrunning
- Using a KDC
- KDC operation in principle and in practice
- Burrows-Abadi-Needham formalism
- November 26
- Needham-Schroeder
- Expanded Needham-Schroeder
- Otway-Rees
- December 1
- Kerberos
- Bellovin-Merritt I
- Why this is safe from a password-guessing attack
- Why the Diffie-Hellman exchange is encrypted
- Bellovin-Merritt II
- Network login and password guessing
- The problem: retrieval of a high-quality password from a database
- First technique:
A -> B: A
B -> A: PasswordA{KeyA}
- Second technique:
A -> B: hash(passwordA)
B -> A: PasswordA{KeyA}
- Third technique:
- A and B exchange a session key K
- B -> A: K{KeyA}