ECEG-6530 Computer (And Network) Security: Access Control, Security Policies

The document discusses computer and network security concepts including security policies, access control, and policy languages. A security policy partitions a system's states into authorized and unauthorized states. A secure system starts in an authorized state and cannot enter an unauthorized state. Access control determines which subjects can perform what operations on which objects based on identity or rules. Policy languages represent security policies precisely using high-level constraints or by specifying low-level system options.

Uploaded by Abrham Giday

ECEG-6530
Computer (and Network) Security

Access control, Security policies
Security Policy
• A policy partitions system states into:
  – Authorized (secure)
    • These are the states the system may enter
  – Unauthorized (nonsecure)
    • If the system enters any of these states, it is a security violation
• Secure system
  – Starts in an authorized state
  – Never enters an unauthorized state
Security Policies
• Consider a computer system to be a finite-state automaton with a set of transition functions that change state:
• Definition 4–1. A security policy is a statement that partitions the states of the system into a set of authorized, or secure, states and a set of unauthorized, or nonsecure, states.
  – A security policy sets the context in which we can define a secure system. What is secure under one policy may not be secure under a different policy.
• Definition 4–2. A secure system is a system that starts in an authorized state and cannot enter an unauthorized state.
  – Consider the finite-state machine in Figure 4-1. It consists of four states and five transitions. The security policy partitions the states into a set of authorized states A = { s1, s2 } and a set of unauthorized states UA = { s3, s4 }. This system is not secure, because regardless of which authorized state it starts in, it can enter an unauthorized state. However, if the edge from s1 to s3 were not present, the system would be secure, because it could not enter an unauthorized state from an authorized state.
[Figure 4.1: A simple finite-state machine with states s1, s2, s3 and s4; the authorized states are s1 and s2.]
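A worked check of Definitions 4–1 and 4–2 on the Figure 4-1 machine, added here as an example and not part of the lecture notes. The transition set is constructed to match the description above (four states, five transitions, s1 to s3 the only edge leaving the authorized set); the exact edges drawn in the figure are an assumption.

```python
from collections import deque

AUTHORIZED = {"s1", "s2"}      # A in the text
UNAUTHORIZED = {"s3", "s4"}    # UA in the text

# Constructed transitions (an assumption consistent with the text): five
# edges, and s1 -> s3 is the only edge from an authorized to an unauthorized
# state, so s2 can only reach UA by first going through s1.
FIGURE_4_1 = {
    ("s1", "s2"),
    ("s2", "s1"),
    ("s1", "s3"),
    ("s3", "s4"),
    ("s4", "s3"),
}


def reachable(transitions, start):
    """All states reachable from `start` by zero or more transitions (BFS)."""
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst in transitions:
            if src == cur and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def is_secure(transitions, authorized, unauthorized):
    """Definition 4-2: the system is secure iff, starting from any authorized
    state, no unauthorized state is reachable."""
    return all(not (reachable(transitions, s) & unauthorized) for s in authorized)


def violating_edges(transitions, authorized, unauthorized):
    """Edges that step directly from an authorized to an unauthorized state.
    Removing all of them always yields a secure system, because every path
    that starts in A must then stay in A."""
    return {(a, b) for a, b in transitions if a in authorized and b in unauthorized}


if __name__ == "__main__":
    print("Figure 4-1 secure?", is_secure(FIGURE_4_1, AUTHORIZED, UNAUTHORIZED))
    fixed = FIGURE_4_1 - violating_edges(FIGURE_4_1, AUTHORIZED, UNAUTHORIZED)
    print("Without s1 -> s3 secure?", is_secure(fixed, AUTHORIZED, UNAUTHORIZED))
```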
• Definition 4–3. A breach of security occurs when a system enters an unauthorized state.
• Definition 4–4. Let X be a set of entities and let I be some information. Then I has the property of confidentiality with respect to X if no member of X can obtain information about I.
  – Confidentiality implies that information must not be disclosed to some set of entities. It may be disclosed to others. The membership of set X is often implicit; for example, when we speak of a document that is confidential, some entity has access to the document, and all entities not authorized to have such access make up the set X.
• Definition 4–5. Let X be a set of entities and let I be some information or a resource. Then I has the property of integrity with respect to X if all members of X trust I.
  – This definition is deceptively simple. In addition to trusting the information itself, the members of X also trust that the conveyance and storage of I do not change the information or its trustworthiness (this aspect is sometimes called data integrity). If I is information about the origin of something, or about an identity, the members of X trust that the information is correct and unchanged (this aspect is sometimes called origin integrity or, more commonly, authentication). Also, I may be a resource rather than information. In that case, integrity means that the resource functions correctly (meeting its specifications).
• Definition 4–7. A security mechanism is an entity or procedure that enforces some part of the security policy.
• Definition 4–8. A security model is a model that represents a particular policy or set of policies.
Types of Security Policies
• Each site has its own requirements for the levels of confidentiality, integrity, and availability, and the site policy states these needs for that particular site.
1. A military security policy (also called a governmental security policy) is a security policy developed primarily to provide confidentiality.
2. A commercial security policy is a security policy developed primarily to provide integrity.
3. A confidentiality policy is a security policy dealing only with confidentiality.
4. An integrity policy is a security policy dealing only with integrity.
Both confidentiality policies and military policies deal with confidentiality; however, a confidentiality policy does not deal with integrity at all, whereas a military policy may. A similar distinction holds for integrity policies and commercial policies.
Access Control
• "The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner"
• A central element of computer security
• Assume the system has users and groups that:
  – authenticate to the system
  – are assigned access rights to certain resources on the system
Access Control
• Policy: decides which subject can perform what operations on which object
• Mechanism: the set of techniques used to enforce the policy
Access Control Principles
Access Control Requirements
• Reliable input
• Fine and coarse specifications
• Least privilege
• Separation of duty
• Open and closed policies
• Policy combinations, conflict resolution
• Administrative policies
Access Control Elements
• Subject: an entity that can access objects
  – a process representing a user/application
  – often three classes: owner, group, world
• Object: an access-controlled resource
  – e.g. files, directories, records, programs, etc.
  – number/type depend on the environment
• Access right: the way in which a subject accesses an object
  – e.g. read, write, execute, delete, create, search
Types of Access Control
• A security policy may use two types of access controls, alone or in combination. In one, access control is left to the discretion of the owner. In the other, the operating system controls access, and the owner cannot override the controls.
The first type is based on user identity and is the most widely known:
• Definition (first type): If an individual user can set an access control mechanism to allow or deny access to an object, that mechanism is a discretionary access control (DAC), also called an identity-based access control (IBAC).
  – Discretionary access controls base access rights on the identity of the subject and the identity of the object involved. Identity is the key; the owner of the object constrains who can access it by allowing only particular subjects to have access. The owner states the constraint in terms of the identity of the subject, or the owner of the subject.
• EXAMPLE: Suppose a child keeps a diary. The child controls access to the diary, because she can allow someone to read it (grant read access) or not allow someone to read it (deny read access). The child allows her mother to read it, but no one else. This is a discretionary access control because access to the diary is based on the identity of the subject (mom) requesting read access to the object (the diary).
The second type of access control is based on fiat, and identity is irrelevant:
• Definition (second type): When a system mechanism controls access to an object and an individual user cannot alter that access, the control is a mandatory access control (MAC), occasionally called a rule-based access control.
  – The operating system enforces mandatory access controls. Neither the subject nor the owner of the object can determine whether access is granted. Typically, the system mechanism will check information associated with both the subject and the object to determine whether the subject should access the object. Rules describe the conditions under which access is allowed.
• EXAMPLE: The law allows a court to access driving records without the owners' permission. This is a mandatory control, because the owner of the record has no control over the court's accessing the information.
Policy Languages
• A policy language is a language for representing a security policy.
1. High-level policy languages express policy constraints on entities using abstractions.
2. Low-level policy languages express constraints in terms of input or invocation options to programs existing on the systems.

High-Level Policy Languages
• A policy is independent of the mechanisms. It describes constraints placed on entities and actions in a system. A high-level policy language is an unambiguous expression of policy. Such precision requires a mathematical or programmatic formulation of policy; common English is not precise enough.
• Assume that a system is connected to the Internet. A user runs a World Wide Web browser. Web browsers download programs from remote sites and execute them locally. The local system's policy may constrain what these downloaded programs can do.
• Example: Java program
High-Level Policy Languages
• Constraints expressed independent of the enforcement mechanism
• Constraints restrict entities, actions
• Constraints expressed unambiguously
  – Requires a precise language, usually a mathematical, logical, or programming-like language
• Examples
  – Java constraint language (described in CS:A&S)
  – DTEL type enforcement language
  – SAML http://xml.coverpages.org/saml.html
  – IETF policy models ftp://ftp.rfc-editor.org/in-notes/rfc3585.txt
DTEL – Domain Type Enforcement Language
• Basis: access can be constrained by types
• Combines elements of low-level and high-level policy languages
  – Implementation-level constructs express constraints in terms of language types
  – Constructs do not express arguments or inputs to specific system commands
• Used in Sidewinder firewalls
• Details of DTEL in http://citeseer.ist.psu.edu/cache/papers/cs/16179/http:zSzzSzwww.cs.ubc.cazSzspiderzSzabrodskyzSzdosezSzbadger.95.pdf/badger96domain.pdf
• Type enforcement policies resurfacing in SELinux
Example
• Goal: users cannot write to system binaries
• Subjects in the administrative domain can
  – A user must authenticate to enter that domain
• Subjects belong to domains:
  – d_user: ordinary users
  – d_admin: administrative users
  – d_login: for login
  – d_daemon: system daemons
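The domain/type idea behind this example, written out as an added Python checker (not DTEL syntax and not the lecture's own code). The domain names come from the slide; the object types t_sysbin, t_userfile and t_log, the access rules and the domain-transition table are assumptions chosen to meet the slide's goal.

```python
from dataclasses import dataclass

# Object types (assumed labels; a real DTEL policy names its own types).
T_SYSBIN, T_USERFILE, T_LOG = "t_sysbin", "t_userfile", "t_log"

# Domain -> object type -> allowed access modes. Anything not listed is
# denied (fail-safe default). Only d_admin may write system binaries.
ACCESS_RULES = {
    "d_user":   {T_SYSBIN: {"read", "exec"},
                 T_USERFILE: {"read", "write", "exec"}},
    "d_admin":  {T_SYSBIN: {"read", "write", "exec"},
                 T_USERFILE: {"read", "write", "exec"},
                 T_LOG: {"read", "write"}},
    "d_login":  {T_SYSBIN: {"read", "exec"}, T_LOG: {"write"}},
    "d_daemon": {T_SYSBIN: {"read", "exec"}, T_LOG: {"write"}},
}

# Allowed domain transitions: (from, to) -> whether the subject must have
# authenticated first. Per the slide, entering d_admin requires authentication;
# there is deliberately no transition out of d_daemon.
TRANSITION_RULES = {
    ("d_login", "d_user"):  True,
    ("d_login", "d_admin"): True,
    ("d_user", "d_admin"):  True,
}


@dataclass
class Subject:
    name: str
    domain: str
    authenticated: bool = False


@dataclass
class Obj:
    path: str
    otype: str


def allowed(subject, obj, mode):
    """Mandatory check: the subject's domain and the object's type decide,
    not the user's identity and not the owner of the object."""
    return mode in ACCESS_RULES.get(subject.domain, {}).get(obj.otype, set())


def enter_domain(subject, target):
    """Move a subject into a new domain only along a declared transition,
    and only if that transition's authentication requirement is met."""
    needs_auth = TRANSITION_RULES.get((subject.domain, target))
    if needs_auth is None:
        raise PermissionError(f"no transition {subject.domain} -> {target}")
    if needs_auth and not subject.authenticated:
        raise PermissionError(f"{subject.name} must authenticate to enter {target}")
    subject.domain = target
    return subject


if __name__ == "__main__":
    sh = Obj("/bin/sh", T_SYSBIN)                      # constructed object
    alice = Subject("alice", "d_user")
    print("d_user write /bin/sh:", allowed(alice, sh, "write"))   # False
    admin = enter_domain(Subject("alice", "d_user", authenticated=True), "d_admin")
    print("d_admin write /bin/sh:", allowed(admin, sh, "write"))  # True
```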
Low-Level Policy Languages
• A low-level policy language is simply a set of inputs or arguments to commands that set, or check, constraints on a system.
• EXAMPLE: The UNIX-based windowing system X11 provides a language for controlling access to the console (on which X11 displays its images). The language consists of a command, xhost, and a syntax for instructing the command to allow access based on host name (IP address). For example,
  xhost +groucho -chico
  – sets the system so that connections from the host groucho are allowed but connections from chico are not.
ECEG-6530
Computer (and Network) Security

Design Principles,
Computer Viruses & Worms
Design Principles - Overview
• Eight principles underlying the design and implementation of security mechanisms
• Described in an article by Saltzer and Schroeder (1975)
  – Still generally applicable today!

Key point I
• Simplicity
  – Make designs/mechanisms easy to understand
  – Less chance of error
  – Example: (potentially) faulty implementation of sendmail
  – Example: (potential) inconsistencies in security policy

Key point II
• Restriction
  – Minimize the "power" of an entity
    • E.g., only allow access to the information it needs
    • E.g., only allow necessary communication; restrict the type of communication allowed
  – Less chance of harm!
Design Principles
1. Principle of Least Privilege
2. Principle of Fail-Safe Defaults
3. Principle of Economy of Mechanism
4. Principle of Complete Mediation
5. Principle of Open Design
6. Principle of Separation of Privilege
7. Principle of Least Common Mechanism
8. Principle of Psychological Acceptability
Principle 1
• "Principle of least privilege"
  – A subject should be given only the privileges it needs to accomplish its task
  – The function of a subject (not its identity) should determine this
    • I.e., if a subject needs certain privileges only to complete a specific task, it should relinquish those rights upon completion of the task

In practice…
• Systems are often not designed with the necessary granularity
  – E.g., "append" may not be distinct from "write"
  – E.g., in UNIX, no access controls for root
    • Anyone who can make backup files can also delete files
Principle 2
• "Principle of Fail-Safe Defaults"
  – Unless a subject is given explicit access to an object, it should be denied access
  – I.e., the default is no access
  – E.g., a process reporting an error message should not try to expand its rights in an attempt to correct the error
Principle 3
• "Economy of Mechanism"
  – Security mechanisms should be as simple as possible…
  – …but no simpler!

Consequences
• If the design/implementation is simple, there is less chance for error
• Software testing is also simpler
• Software interfaces are especially suspect
  – They typically make assumptions about the input/output format of the other module
  – E.g., the finger protocol
Principle 4
• "Principle of Complete Mediation"
  – All accesses to objects should be checked to ensure they are allowed
  – The OS should mediate any request to read an object, even on the second such request by the same subject!

Insecure examples…
  – In UNIX, when a process tries to read a file, the system checks access rights
  – If allowed, it gives the process a file descriptor
  – This file descriptor can be presented to the kernel for access
  – Note that if permissions are subsequently disallowed, the process still has the valid file descriptor!
    • Insufficient mediation
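The insufficient-mediation case above, reproduced on a real file as an added example (not from the lecture). The temporary file and its contents are constructed; it assumes a POSIX system and a non-root user, since root bypasses the permission bits on the fresh open().

```python
import os
import tempfile


def running_as_root():
    """Root is not subject to the permission bits, so the fresh open() below
    succeeds for root; callers use this to interpret the result."""
    return os.geteuid() == 0


def fd_survives_permission_revocation():
    """Return (old_fd_still_reads, fresh_open_succeeds).

    The kernel checks access rights once, when open() is called, and then
    hands back a file descriptor. Later reads through that descriptor are
    not re-mediated, even after chmod() removes every permission bit, while
    a new open() of the same path is checked again and refused."""
    fd_tmp, path = tempfile.mkstemp()          # constructed temporary file
    try:
        os.write(fd_tmp, b"secret")
        os.close(fd_tmp)

        rfd = os.open(path, os.O_RDONLY)       # mediated: rights checked here
        os.chmod(path, 0)                      # owner revokes all permissions

        try:
            fresh = os.open(path, os.O_RDONLY)  # mediated again: EACCES for non-root
            os.close(fresh)
            fresh_ok = True
        except PermissionError:
            fresh_ok = False

        still_reads = os.read(rfd, 16) == b"secret"   # old fd is not re-checked
        os.close(rfd)
        return still_reads, fresh_ok
    finally:
        os.chmod(path, 0o600)                  # restore bits before cleanup
        os.unlink(path)


if __name__ == "__main__":
    old_ok, fresh_ok = fd_survives_permission_revocation()
    print("old descriptor still reads after chmod 0:", old_ok)
    print("fresh open succeeds after chmod 0:", fresh_ok)
```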
Principle 5
• "Open Design"
  – No "security through obscurity"
  – The security of a system should not depend on the secrecy of its implementation
    • Of course, secret keys do not violate this principle!

Principle 6
• "Separation of Privilege"
  – A system should not grant permission based on a single condition
  – E.g., require more than one sysadmin to implement a critical command
Principle 7
• "Principle of Least Common Mechanism"
  – Minimize the mechanisms depended upon by all users
  – Shared mechanisms are a potential information path, and should not compromise security
  – Any mechanism serving all users must satisfy all users, a difficult task to achieve…

Principle 8
• "Psychological Acceptability"
  – Security mechanisms should not make access to the resource more difficult
  – If mechanisms are too cumbersome, they will not be used!
  – Even if they are used, they may be used incorrectly
  – Password example…

Principles in Practice
Computer Viruses and Worms

Overview
• Types of infection
• Definitions
• Difference between virus and worm
• Origins
• Types of viruses
• Worms

Overview (cont.)
• Melissa virus
• I Love You virus
• Code Red (worm)
• Symptoms of an infection
• Protection measures
• Conclusion

Types of Infection
• Viruses
• E-mail viruses
• Worms
• Trojan horses
Viruses
A virus is a small piece of software that piggybacks on real programs.

Two main characteristics of viruses:
• It must execute itself.
• It must replicate itself.

Virus
A virus might attach itself to a program such as a spreadsheet. Each time the spreadsheet program runs, the virus runs too and replicates itself.
E-mail Viruses
• Move around in e-mail messages
• Usually replicate by automatically mailing themselves to dozens of people in the victim's e-mail address book
• Example: "MELISSA VIRUS"
• Example: "I LOVE YOU VIRUS"

Worms
• A small piece of software that uses computer networks and security holes to replicate itself.
• A copy of the worm scans the network for another machine that has a specific security hole.
• It copies itself to the new machine using the security hole and starts replicating.
• Example: "CODE RED"
Trojan Horses
• A simple computer program
• It claims to be a game
• It erases your hard disk
• No way to replicate itself

Difference between Virus and Worm
The difference between a worm and a virus is that a virus does not have a propagation vector, i.e., it will only affect one host and does not propagate to other hosts. Worms propagate and infect other computers. The majority of threats are actually worms that propagate to other hosts.
Why do people do it?
• For some people, creating viruses seems to be a thrill.
• The thrill of watching things blow up.

Viruses
• Viruses show us how vulnerable we are
• A properly engineered virus can have an amazing effect on the Internet
• They show how sophisticated and interconnected human beings have become.
Types of Viruses
  – File infector virus
    • Infects program files
  – Boot sector virus
    • Infects the system area of a disk
  – Master boot record virus
    • Infects disks in the same manner as boot sector viruses. The difference between these two virus types is where the viral code is located.
  – Multi-partite virus
    • Infects both boot records and program files
  – Macro virus
    • Infects data files. Examples: Microsoft Office Word, Excel, PowerPoint and Access files
Melissa Virus (March 1999)
The Melissa virus spread in Microsoft Word documents sent via e-mail.
How it works:
• The virus was created as a Word document
• It was uploaded to an Internet newsgroup
• Anyone who downloaded the document and opened it would trigger the virus
• It sent friendly e-mail messages to the first 50 people in the person's address book

Melissa Virus
The Melissa virus was the fastest-spreading virus ever seen.
It forced a number of large companies to shut down their e-mail systems.
I Love You Virus (May 2000)
• Contained a piece of code as an attachment.
• Double-clicking on the attachment triggered the code.
• Sent copies of itself to everyone in the victim's address book.
• Started corrupting files on the victim's machine.

Code Red (Worm)
• Code Red made huge headlines in 2001
• It slowed down Internet traffic when it began to replicate itself.
• Each copy of the worm scanned the Internet for Windows NT or Windows 2000 servers that did not have the security patch installed.
• Each time it found an unsecured server, the worm copied itself to that server.

Code Red Worm
Designed to do three things:
• Replicate itself for the first 20 days of each month.
• Replace web pages on infected servers with a page that declares "Hacked by Chinese"
• Launch a concerted attack on the White House web server
Symptoms of Infection
• Programs take longer to load than normal.
• The computer's hard drive constantly runs out of free space.
• The floppy disk drive or hard drive runs when you are not using it.
• New files keep appearing on the system and you don't know where they come from.

Symptoms of Infection (cont.)
• Strange sounds or beeping noises come from the computer.
• Strange graphics are displayed on your computer monitor.
• Unable to access the hard drive when booting from the floppy drive.
• Program sizes keep changing.
Protection
• To protect yourself you need to be "proactive" about security issues. Being reactive won't solve anything, especially at crunch time and deadlines!! In fact it can make the problem much more complex to solve, and the situation much worse, resulting in a complete nightmare!!
• The best measures are the preventative ones.

Protection Measures
• You basically need to do four things to keep your computer and your data secure:
1. Get the latest anti-virus software.
2. Make sure you have the latest security patches and hot fixes using Windows Update.
3. Use a host-based firewall.
4. BACK UP your important files.

Conclusion
Be aware of the new infections out there.
Take precautionary measures.
Always back up your data.
Keep up to date on new anti-virus software.
Simply avoid programs from unknown sources.
ECEG-6530
Computer (and Network) Security

Authentication, Passwords
Definition
• Authentication is the process of validating the identity of someone or something.
• Generally authentication requires the presentation of credentials or items of value to really prove the claim of who you are.
• The items of value or credentials are based on several unique factors that show something you know, something you have, or something you are.
  – Something you know: This may be something you mentally possess. This could be a password, a secret word known by the user and the authenticator.
  – Something you have: This may be any form of issued or acquired self-identification such as:
    • SecurID
    • CryptoCard
    • ActivCard
    • SafeWord
    • and many other forms of cards and tags.
  – Something you are: This is a naturally acquired physical characteristic such as voice, fingerprint, iris pattern and other biometrics.
  – In addition to the top three factors, another factor, though indirect, also plays a part in authentication.
    • Somewhere you are: This is usually based on either the physical or logical location of the user. The user, for example, may be on a terminal that can be used to access certain resources.
Review: Three Categories
• What you know
  – Password
  – PIN
• What you have
  – eToken
  – RFID (Radio Frequency Identification)
• Who you are
  – Biometrics

eToken
• May store credentials such as passwords, digital signatures and certificates, and private keys
• Can offer on-board authentication and digital signing

RFID (Radio Frequency Identification)
• 13.56 MHz read/write support
• May communicate with a variety of transponders (ISO 15693, ISO 14443 Type A & B, TagIt, Icode, etc.)
• Reader is controlled via a PCMCIA interface using an ASCII protocol
• In general authentication takes one of the following three forms:
  – Basic authentication involving a server. The server maintains a user file of either passwords and user names or some other useful piece of authenticating information. This information is always examined before authorization is granted.
  – Challenge-response, in which the server or any other authenticating system generates a challenge to the host requesting authentication and expects a response.
  – Centralized authentication, in which a central server authenticates users on the network and in addition also authorizes and audits them.
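The challenge-response form, shown with both sides' messages as an added example that is not from the lecture. The HMAC-SHA256 response, the 16-byte nonce and the single-use nonce table are this example's own assumptions; the per-user secrets are constructed.

```python
import hashlib
import hmac
import secrets


def response_for(user, secret, nonce):
    """Both sides compute the same function of the shared secret and the
    challenge; the secret itself never crosses the network."""
    msg = b"auth:" + user.encode() + b":" + nonce
    return hmac.new(secret, msg, hashlib.sha256).digest()


class Server:
    """Holds the user file (user -> shared secret) and the open challenges."""

    def __init__(self, user_secrets):
        self.user_secrets = dict(user_secrets)
        self.outstanding = {}            # user -> nonce awaiting a response

    def challenge(self, user):
        """Step 1: send a fresh random nonce to the requesting host."""
        nonce = secrets.token_bytes(16)
        self.outstanding[user] = nonce
        return nonce

    def verify(self, user, response):
        """Step 3: recompute the expected response and compare in constant
        time. The nonce is consumed whether or not the check passes, so a
        captured response cannot be replayed against the same challenge."""
        nonce = self.outstanding.pop(user, None)
        secret = self.user_secrets.get(user)
        if nonce is None or secret is None:
            return False
        return hmac.compare_digest(response_for(user, secret, nonce), response)


class Host:
    """The side requesting authentication; knows only its own secret."""

    def __init__(self, user, secret):
        self.user, self.secret = user, secret

    def respond(self, nonce):
        """Step 2: prove knowledge of the secret for this specific challenge."""
        return response_for(self.user, self.secret, nonce)


def run_exchange(server, host):
    """One full round trip: challenge -> response -> verdict."""
    nonce = server.challenge(host.user)
    return server.verify(host.user, host.respond(nonce))


if __name__ == "__main__":
    secret = b"constructed-shared-secret"     # constructed sample
    srv = Server({"alice": secret})
    print("correct secret:", run_exchange(srv, Host("alice", secret)))   # True
    print("wrong secret:  ", run_exchange(srv, Host("alice", b"wrong")))  # False
```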
Multiple Factors and Effectiveness of Authentication
• To increase authentication effectiveness, a scheme with multiple methods is used. Systems using a scheme with two or more methods can result in greater system security.
• The popular technique, referred to as multi-factor authentication, overcomes the limitations of a specific authentication method.
Authentication Elements
• An authentication process is based on the following five elements:
1. Person or Group Seeking Authentication: usually users who seek access to a system either individually or as a group. If individually, they must be prepared to present to the authenticator evidence to support the claim that they are actually authorized to use the requested system resource.
2. Distinguishing Characteristics for Authentication: user characteristics are grouped into four factors that include something you know, something you have, something you are, and a weaker one, somewhere you are. In each of these factors, there are items that a user can present to the authenticator for authorization to use the system.
3. The Authenticator: to positively and sometimes automatically identify the user and indicate whether that user is authorized to access the requested system resource.
4. The Authentication Mechanism: consists of three parts that work together to verify the presence of the authenticating characteristics provided by the user:
  1. the input,
  2. the transportation system,
  3. and the verifier.
5. Access Control Mechanism: user identifying and authenticating information is passed to access control from the transport component. That information is validated against the information in its database, residing on a dedicated authentication server if the system operates in a network, or stored in a file on a local medium.
Types of Authentication
• There are two basic types of authentication: non-repudiable and repudiable. Other types of authentication include user, client, and session authentication.
  – Non-repudiable Authentication: involves characteristics whose proof of origin cannot be denied. Such characteristics include biometrics like iris patterns, retinal images, and hand geometry, and they positively verify the identity of the individual.
  – Repudiable Authentication: involves factors, "what you know" and "what you have," that can present problems to the authenticator because the information presented can be unreliable; such factors suffer from several well-known problems, including the fact that possessions can be lost, forged, or easily duplicated.
Authentication Methods
• There are several authentication methods, including password, public-key, anonymous, remote and certificate-based authentication.
  – Password authentication: the oldest and the easiest to implement. It includes reusable passwords, one-time passwords, challenge-response passwords, and combined-approach passwords.
  – Public Key Authentication: this requires each user of the scheme to first generate a pair of keys and store each in a file. Each key is usually between 1024 and 2048 bits in length. Public-private key pairs are typically created using a key generation utility. The server knows the user's public key because it is published widely. However, only the user has the private key.
  – Anonymous Authentication: clients who do not intend to modify entries or access protected attributes or entries on a system typically use anonymous authentication. Mostly these users are not indigenous users, in the sense that they do not have membership in the system they want to access. They access the system via a special "anonymous" account.
  – Digital Signature-Based Authentication: an authentication technique that does not require passwords and user names. It consists of an electronic signature that uses public key infrastructure (PKI) to verify the identity of the sender of a message or of the signer of a document. The scheme may include a number of algorithms and functions, including the Digital Signature Algorithm (DSA), the Elliptic Curve Digital Signature Algorithm (ECDSA), account authority digital signature, an authentication function, and a signing function.
  – Wireless Authentication: this is IEEE's 802.1X, Extensible Authentication Protocol (WEP) scheme that authenticates mobile devices as they connect to fixed networks as well as mobile networks. This authentication requires Wi-Fi mobile units to authenticate with network operating systems such as Windows XP.
Developing an Authentication Policy
• In many organizations the type of authentication used is not part of the security policy; therefore, few have a say in what authentication policy is used. It is becoming increasingly popular to involve as wide a spectrum of users as possible in the development of the authentication policy. Sometimes it even requires input from the business and IT representative communities that do business with the organization.
• This is sometimes key to ensuring acceptance and compliance by those communities.
• Several steps are necessary for a good authentication policy:
  – List and categorize the resources that need to be accessed, whether these resources are data or systems. Categorize them by their business sensitivity and criticality.
  – Define the requirements for access to each of the above categories, taking into account both the value of the resource in the category as well as the method of access.
  – Set requirements for passwords and IDs.
  – Create and implement processes for the management of authentication systems.
  – Communicate policies and procedures to all concerned in the organization and outside it. The creation of policies
PASSWORDS
Password-based protocols
• Password-based authentication
  – Any system based on a low-entropy shared secret (note: different from the book's definitions!)
  – Dictionary attacks are a problem
• Any password-based protocol is vulnerable to an "on-line" dictionary attack
  – On-line attacks can be detected and limited

Password-based protocols
• Any password-based protocol is vulnerable to an off-line dictionary attack if the server is compromised (why?)
• Goal: a password-based protocol should be secure against off-line attacks when the server is not compromised
  – Unfortunately, this has not been the case in practice (e.g., telnet, cell phones, etc.)
Password Guessing
• One of the most common attacks
• The attacker knows a login (from e-mail, a web page, etc.)
• Then attempts to guess the password for it
  – try default passwords shipped with systems
  – try all short passwords
  – then try searching dictionaries of common words
  – intelligent searches try passwords associated with the user (variations on names, birthday, phone, common words/interests)
  – before exhaustively searching all possible passwords
• Checked by login attempt or against a stolen password file
• Success depends on the password chosen by the user
• Surveys show many users choose poorly

Password Capture
• Another attack involves password capture
  – watching over the shoulder as the password is entered
  – using a Trojan horse program to collect it
  – monitoring an insecure network login (e.g. telnet, FTP, web, e-mail)
  – extracting recorded info after a successful login (web history/cache, last number dialed, etc.)
• Using a valid login/password, an attacker can impersonate the user
• Users need to be educated to use suitable precautions/countermeasures
Password selection
• User selection of passwords is typically very weak
  – A lower-entropy password makes dictionary attacks easier
• Typical passwords:
  – Derived from account names or usernames
  – Dictionary words, reversed dictionary words, or small modifications of dictionary words
  – Etc.

Better password selection
• Non-alphanumeric characters
• Longer phrases
• Can try to enforce good password selection…
• …but these types of passwords are difficult for people to memorize and type!

Password storage
• In the clear…
• Hash of the password
• "Salted" hash of the password
  – Makes bulk dictionary attacks harder, but no harder to attack a particular password
• Centralized server stores the password
• Threshold storage of the password
Centralized password storage
• Authentication storage node
  – Central server stores the password; servers request the password to authenticate the user
• Authentication facilitator node
  – Central server stores the password; servers send information from the user to be authenticated by the central server
• Note that the central server must be authenticated!
Password Management
• Front-line defense against intruders
• Users supply both:
  – login: determines the privileges of that user
  – password: to identify them
• Passwords are often stored encrypted
  – Unix uses multiple DES (a variant with salt)
  – more recent systems use a cryptographic hash function

Managing Passwords
• Need policies and good user education
• Ensure every account has a default password
• Ensure users change the default passwords to something they can remember
• Protect the password file from general access
• Set technical policies to enforce good passwords
  – minimum length (>6)
  – require a mix of upper and lower case letters, numbers, punctuation
  – block known dictionary words
Managing Passwords
 may reactively run password guessing tools against the stored hashes
– note that good dictionaries exist for almost any language/interest group
 may enforce periodic changing of passwords
 have the system monitor failed login attempts, and lock out the account if it sees too many in a short period
 do need to educate users and get their support
 balance requirements with user acceptance
 be aware of social engineering attacks
Proactive Password Checking
 most promising approach to improving password security
 allow users to select their own password
 but have the system verify it is acceptable before accepting it
– simple rule enforcement (see previous slide)
– compare against a dictionary of bad passwords
– use an algorithmic check (Markov model or Bloom filter) to detect poor choices without storing the whole dictionary
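As an added example (not part of the slides), here is a proactive password checker of the kind the slide describes: rule enforcement, an account-name check, and a Bloom filter holding a dictionary of bad passwords so the dictionary itself does not have to be kept on the host. The bad-word list, the rule thresholds and the variant normalisations (lowercase, reversed, letters only) are assumptions for the demonstration; the filter uses SHA-256 with double hashing, which is one standard way to derive the k bit positions.

```python
import hashlib
import math
import re


class BloomFilter:
    """Set membership in m bits with k hash positions: never a false negative,
    false positives at a tunable rate. Sized from the expected item count."""

    def __init__(self, expected_items: int, false_positive_rate: float):
        ln2 = math.log(2)
        self.m = max(8, math.ceil(-expected_items * math.log(false_positive_rate) / (ln2 ** 2)))
        self.k = max(1, round(self.m / expected_items * ln2))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str):
        # Kirsch-Mitzenmacher double hashing: position_i = h1 + i * h2 (mod m)
        d = hashlib.sha256(item.encode()).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: str) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


# Constructed bad-password dictionary (a real one has millions of entries).
BAD_WORDS = ["password", "123456", "letmein", "qwerty", "welcome", "dragon", "monkey"]


def build_filter(words) -> BloomFilter:
    bf = BloomFilter(expected_items=len(words), false_positive_rate=1e-5)
    for w in words:
        bf.add(w.lower())
    return bf


def _variants(pw: str):
    """Normalisations the checker tries, mirroring what cracking tools try."""
    low = pw.lower()
    yield low
    yield low[::-1]                      # reversed dictionary words
    letters = re.sub(r"[^a-z]", "", low)  # 'Password1!' -> 'password'
    if letters:
        yield letters


def check_password(pw: str, username: str, bad_filter: BloomFilter, min_length: int = 8) -> list:
    """Return the list of reasons the password is rejected; an empty list means acceptable."""
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    classes = [re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
               re.search(r"\d", pw), re.search(r"[^A-Za-z0-9]", pw)]
    if sum(1 for c in classes if c) < 3:
        reasons.append("needs at least three of: lower, upper, digit, punctuation")
    if username and username.lower() in pw.lower():
        reasons.append("contains the account name")
    if any(v in bad_filter for v in _variants(pw)):
        reasons.append("matches (a variant of) a dictionary word")
    return reasons


if __name__ == "__main__":
    bf = build_filter(BAD_WORDS)
    for candidate in ["Password1!", "alice123", "Tr0ub4dor&3!"]:
        print(candidate, "->", check_password(candidate, "alice", bf) or "accepted")
```

Because a Bloom filter has no false negatives, every word that was loaded is always rejected; the price is an occasional false rejection of a good password, which a checker can tolerate.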
ECEG-6530
Computer (and Network) Security

Message integrity, Message authentication codes, signature schemes
Message Integrity
 Signing the whole message (or its digest) preserves integrity: if the message is changed, the same signature cannot be obtained for it, so the receiver detects the change.
 A digital signature therefore provides message integrity.
Digital Signatures
 Encryption, message authentication and digital signatures are all tools of modern cryptography.
 A signature is a technique for non-repudiation based on public-key cryptography.
 The creator of a message can attach a code, the signature, which guarantees the source and integrity of the message.
Properties of Signatures
 Similar to handwritten signatures, digital signatures must fulfill the following:
 Must not be forgeable
 Recipients must be able to verify them
 Signers must not be able to repudiate them later
 In addition, digital signatures cannot be constant and must be a function of the entire document they sign
Types of Signatures
 Direct digital signature – involves only the communicating parties
 Assumed that the receiver knows the public key of the sender.
 Signature may be formed by (1) encrypting the entire message with the sender’s private key or (2) encrypting a hash code of the message with the sender’s private key.
 Further encryption of the entire message + signature with the receiver’s public key or a shared secret key ensures confidentiality.
Types of Signatures
 Problems with direct signatures:
– Validity of the scheme depends on the security of the sender’s private key: the sender may later claim the key was compromised and deny sending a certain message.
– The private key may actually have been stolen from X at time T, so a timestamp on the message does not help.
Types of Signatures
 Arbitrated digital signature – involves a trusted third party or arbiter
 Every signed message from sender X to receiver Y goes to an arbiter A first.
 A subjects the message + signature to a number of tests to check origin and content
 A dates the message and sends it to Y with an indication that it has been verified to A’s satisfaction
Basic Mechanism of Signature Schemes
 A key generation algorithm that randomly selects a public/private key pair.
 A signature algorithm that takes message + private key as input and generates a signature for the message as output.
 A signature verification algorithm that takes message + signature + public key as input and outputs one bit: accept if the signature is consistent with the message and key, reject otherwise.
Digital Signature Standards
 NIST FIPS 186 Digital Signature Standard (DSS)
 El Gamal
 RSA Digital Signature
– ISO 9796
– ANSI X9.31
– CCITT X.509
DSS
 Public-key technique.
 The user applies the Secure Hash Algorithm (SHA) to the message to produce a message digest.
 The user’s private key is applied to the message digest using DSA to generate the signature; a verifier checks it with the user’s public key.
The Digital Signature Algorithm (DSA)

Global Public-Key Components
p  A prime number of L bits, where L is a multiple of 64 and 512 <= L <= 1024 (the original FIPS 186 sizes; current revisions use larger p and q)
q  A 160-bit prime factor of p-1
g  = h^((p-1)/q) mod p, where h is any integer with 1 < h < p-1 such that h^((p-1)/q) mod p > 1

User’s Private Key
x  A random or pseudorandom integer with 0 < x < q

User’s Public Key
y  = g^x mod p

User’s Per-Message Secret Number
k  A random or pseudorandom integer with 0 < k < q (must be fresh and secret for every signature)

Signing
r = (g^k mod p) mod q
s = [k^(-1) (H(M) + x r)] mod q
Signature = (r, s)

Verifying
w  = (s')^(-1) mod q
u1 = [H(M') w] mod q
u2 = (r') w mod q
v  = [(g^u1 y^u2) mod p] mod q
Test: v = r'
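The DSA equations above, carried through in code as an added example (not part of the slides). The parameter sizes are toy ones so the arithmetic is visible: q = 1019 and p = 2039 instead of 160 and 1024 bits, and H(M) is SHA-256 reduced mod q instead of the leftmost bits of SHA-1; everything else follows the tables. The last function shows why the per-message secret k must never repeat: two signatures sharing a k give away the private key x.

```python
import hashlib
import secrets


def is_prime(n: int) -> bool:
    """Trial division; adequate only for the toy sizes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def generate_parameters(q: int = 1019):
    """Find p with q | p-1 and g = h^((p-1)/q) mod p > 1 (toy sizes; q = 1019 is prime)."""
    assert is_prime(q)
    k = 2
    while not is_prime(k * q + 1):
        k += 1
    p = k * q + 1
    h = 2
    g = pow(h, (p - 1) // q, p)
    while g == 1:
        h += 1
        g = pow(h, (p - 1) // q, p)
    return p, q, g


def hash_mod_q(message: bytes, q: int) -> int:
    """Stand-in for H(M): real DSA takes the leftmost bits of SHA; here SHA-256 mod q."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % q


def keygen(params):
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1        # 0 < x < q
    return x, pow(g, x, p)                  # private x, public y = g^x mod p


def sign(params, x: int, message: bytes, k: int = None):
    """r = (g^k mod p) mod q, s = k^-1 (H(M) + x r) mod q. A caller-supplied k is
    only for the nonce-reuse demonstration below; production code must draw a fresh one."""
    p, q, g = params
    h = hash_mod_q(message, q)
    while True:
        kk = k if k is not None else secrets.randbelow(q - 1) + 1
        r = pow(g, kk, p) % q
        s = (pow(kk, -1, q) * (h + x * r)) % q
        if r != 0 and s != 0:
            return r, s
        if k is not None:
            raise ValueError("this k gives r == 0 or s == 0; choose another")


def verify(params, y: int, message: bytes, signature) -> bool:
    p, q, g = params
    r, s = signature
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1 = (hash_mod_q(message, q) * w) % q
    u2 = (r * w) % q
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
    return v == r


def recover_private_key(params, sig1, h1: int, sig2, h2: int) -> int:
    """Nonce reuse: same k gives the same r; then s1 - s2 = k^-1 (h1 - h2), so k and x fall out."""
    _, q, _ = params
    r, s1 = sig1
    r2, s2 = sig2
    assert r == r2, "different r means different k: nothing to exploit"
    k = ((h1 - h2) * pow(s1 - s2, -1, q)) % q
    return ((s1 * k - h1) * pow(r, -1, q)) % q


if __name__ == "__main__":
    P = generate_parameters()
    x, y = keygen(P)
    msg = b"transfer 100 to bob"
    sig = sign(P, x, msg)
    print("params", P, "valid:", verify(P, y, msg, sig),
          "tampered:", verify(P, y, b"transfer 900 to bob", sig))
```

With the toy sizes any signature can also be forged by brute force; the point of the block is the algebra, including the nonce-reuse recovery, not the security of 11-bit parameters.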
El Gamal Signature Scheme
 The scheme from which DSA is derived (DSA is a variant of El Gamal that works in a subgroup of prime order q).
 Based on the assumption that computing discrete logarithms over a finite field with a large prime is difficult.
 Assumes that it is computationally infeasible for anyone other than the signer to find a message M and an integer pair (r, s) such that a^M = y^r r^s (mod p).
El Gamal Signature Scheme
Parameters of El Gamal

p        A large prime number such that p-1 has a large prime factor
x        The private key of a user, with 1 <= x <= p-2
a        A primitive element of the finite field for the prime p
y        = a^x mod p
(p,a,y)  The public key information
El Gamal Signature Scheme
Step 1  Randomly choose an integer k such that gcd(k, p-1) = 1, 1 < k < p-1, and k has not been used to sign a previous message (a reused or leaked k exposes the private key x)
Step 2  Calculate r = a^k (mod p)
Step 3  Find s such that M = xr + ks (mod (p-1)), i.e. s = (M - xr) k^(-1) mod (p-1)
Step 4  Collect the pair (r, s) as the digital signature on the message M

Since M = xr + ks (mod (p-1)):
 a^M = a^(xr+ks) = a^(xr) a^(ks) = y^r r^s (mod p)
 Given M and (r, s), the receiver or a third party can verify the signature by checking whether a^M = y^r r^s (mod p) holds or not.
RSA Digital Signature Scheme
 Based on the difficulty of factoring large numbers.
 Given M, an RSA digital signature can be produced by “encrypting” either M itself or a digest of M using the private signature key s.
 Signature: S = w^s mod n, where w is the message to be signed or its message digest and n = pq (p and q are large primes).
 Verification: w = S^v mod n, where (v, n) is the public verification key.
 In practice w is always a hash of M combined with a padding scheme (PKCS#1 v1.5 or PSS); signing raw M, or an unpadded digest, is malleable and allows existential forgeries.
Conclusions
 Digital signatures are an effective mechanism for authenticity and non-repudiation of messages.
 Several signature schemes exist; DSS is among the most widely standardised, with RSA signatures at least as common in deployed systems.
 Digital signatures may be extended to digital pseudonyms, which prevent authorities from figuring out a sender’s identity, for example by cross-matching.
Message Authentication
 Message authentication is a procedure to verify that received messages come from the alleged source and have not been altered.
 Message authentication may also verify sequencing and timeliness.
 A digital signature is an authentication technique that also includes measures to counter repudiation (denial of having sent the message) by the source.
Authentication Functions
 Functions are at two levels in message authentication.
 At the lower level, there must be some sort of function that produces an authenticator: a value to be used to authenticate a message.
 The lower-level function is then used as a primitive in the higher-level authentication protocol that enables a receiver to verify the authenticity of a message.

 The following types of functions may be used to produce an authenticator. They may be grouped into three classes:
1. Message encryption
2. Message authentication code (MAC)
3. Hash function

– Message encryption: the ciphertext of the entire message serves as its authenticator.
– Message authentication code (MAC): a public function of the message and a secret key that produces a fixed-length value that serves as its authenticator.
– Hash function: a public function that maps a message of any length into a fixed-length hash value, which serves as the authenticator once it is protected (encrypted or signed), since anyone can recompute an unkeyed hash over a modified message.
Message encryption
 Message encryption by itself can provide a measure of authentication.
 The analysis differs for symmetric and public-key encryption schemes.

Symmetric Encryption
 Consider the straightforward use of symmetric encryption (figure 11.1a).
 A message M transmitted from source A to destination B is encrypted using a secret key K shared by A and B.
 If no other party knows the key, then confidentiality is provided: no other party can recover the plaintext of the message.
 In addition, we may say that B is assured that the message was generated by A.
 Why? The message must have come from A because A is the only other party that possesses K and therefore the only other party with the information necessary to construct ciphertext that can be decrypted with K.
 Furthermore, if M is recovered, B knows that none of the bits of M have been altered, because an opponent that does not know K would not know how to alter bits in the ciphertext to produce desired changes in the plaintext.
 Caveat: that last step holds only for non-malleable encryption. With a stream cipher or CTR mode, flipping a ciphertext bit flips exactly the same plaintext bit; with CBC, flipping bits in one ciphertext block makes the same flips in the next plaintext block at the cost of garbling the block that was modified. Encryption alone then gives no integrity guarantee, which is why modern practice adds an explicit MAC or uses authenticated encryption.

 So we may say that symmetric encryption provides authentication as well as confidentiality.
 However, this flat statement needs to be qualified.
 Consider exactly what is happening at B.
 Given a decryption function D and a secret key K, the destination will accept any input X and produce output Y = D_K(X).
 If X is the ciphertext of a legitimate message M produced by the corresponding encryption function, then Y is the plaintext message M.
 Otherwise, Y will likely be a meaningless sequence of bits.
 There may need to be some automated means of determining at B whether Y is legitimate plaintext and therefore must have come from A.
Public Key Encryption
 The straightforward use of public-key encryption (figure 11.1b) provides confidentiality but not authentication.
 The source (A) uses the public key KUb of the destination (B) to encrypt M. Because only B has the corresponding private key KRb, only B can decrypt the message.
 This scheme provides no authentication because any opponent could also use B’s public key to encrypt a message, claiming to be A.
 To provide authentication, A uses its private key to encrypt the message, and B uses A’s public key to decrypt (figure 11.1c).
 This provides authentication using the same type of reasoning as in the symmetric encryption case: the message must have come from A because A is the only party that possesses KRa and therefore the only party with the information necessary to construct ciphertext that can be decrypted with KUa.
 Again the same reasoning as before applies: there must be some internal structure to the plaintext so that the receiver can distinguish between well-formed plaintext and random bits.
 Assuming there is such structure, then the scheme of figure 11.1c does provide authentication.
 It also provides what is known as a digital signature.
 Only A could have constructed the ciphertext because only A possesses KRa. Not even B, the recipient, could have constructed the ciphertext. Therefore, if B is in possession of the ciphertext, B has the means to prove that the message must have come from A.
 In effect, A has “signed” the message by using its private key to encrypt.

 To provide both confidentiality and authentication, A can encrypt M first using its private key, which provides the digital signature, and then using B’s public key, which provides confidentiality (figure 11.1d).
 The disadvantage of this approach is that the public-key algorithm, which is expensive, must be exercised four times rather than two in each communication.
Message Authentication Code
 An alternative authentication technique involves the use of a secret key to generate a small fixed-size block of data, known as a cryptographic checksum or MAC, that is appended to the message.
 This technique assumes that two communicating parties, say A and B, share a common secret key K. When A has a message to send to B, it calculates the MAC as a function of the message and the key:
MAC = C_K(M), where
M   = input message
C   = MAC function
K   = shared secret key
MAC = message authentication code
 The receiver recomputes C_K(M) over the received message and compares it with the received MAC; a mismatch means the message was altered or did not come from a holder of K.
 The process depicted in figure 11.4a provides authentication but not confidentiality, because the message as a whole is transmitted in the clear.
 Confidentiality can be provided by performing message encryption either after (figure 11.4b) or before (figure 11.4c) the MAC algorithm. Computing the MAC over the ciphertext (encrypt-then-MAC) is the generally preferred order, because the receiver can reject a forgery before decrypting anything.
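The two points made above, that encryption alone does not stop an opponent from making controlled changes to the plaintext and that a MAC does, as an added example that is not part of the slides. The “cipher” is a constructed SHA-256 counter-mode keystream standing in for a real stream cipher (assumption, so the block runs with only the standard library); the MAC is HMAC-SHA256 over nonce and ciphertext in the encrypt-then-MAC arrangement of figure 11.4c. The keys, nonce and the message “PAY 0100 TO BOB” are constructed for the demonstration.

```python
import hashlib
import hmac

NONCE_LEN = 12
TAG_LEN = 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream (assumption: a stand-in for a real stream cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def stream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


stream_decrypt = stream_encrypt  # XOR with the keystream is its own inverse


def flip(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker edit without the key: XORing old^new into the ciphertext turns the
    plaintext bytes `old` at `offset` into `new`, because C xor K = P for each byte."""
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext (figure 11.4c)."""
    ct = stream_encrypt(enc_key, nonce, plaintext)
    return nonce + ct + mac(mac_key, nonce + ct)


def unseal(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, mac(mac_key, nonce + ct)):
        raise ValueError("authentication failed")   # reject before decrypting
    return stream_decrypt(enc_key, nonce, ct)


if __name__ == "__main__":
    enc_key, mac_key, nonce = b"e" * 32, b"m" * 32, bytes(NONCE_LEN)
    plaintext = b"PAY 0100 TO BOB"
    ct = stream_encrypt(enc_key, nonce, plaintext)
    print("receiver decrypts forgery as:", stream_decrypt(enc_key, nonce, flip(ct, 4, b"0100", b"9900")))
    blob = seal(enc_key, mac_key, nonce, plaintext)
    forged = blob[:NONCE_LEN] + flip(blob[NONCE_LEN:-TAG_LEN], 4, b"0100", b"9900") + blob[-TAG_LEN:]
    try:
        unseal(enc_key, mac_key, forged)
    except ValueError as e:
        print("with MAC:", e)
```

Two details are worth keeping when adapting this: separate keys for encryption and MAC, and hmac.compare_digest rather than == so that tag comparison does not leak timing.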
ECEG-6530
Computer (and Network) Security

Hash functions, PKI
Hash function
 A hash function is a public function which accepts a variable-size message M as input and produces a fixed-size output, referred to as a hash code H(M).
 The hash code is also referred to as a message digest or hash value.
 The hash code is a function of all the bits of the message and provides an error-detection capability: a change to any bit or bits in the message results in a change to the hash code.
 Unlike a MAC, a hash code does not use a key but is a function only of the input message.
 Figure 11.5 illustrates a variety of ways in which a hash code can be used to provide message authentication, as follows:
Figure 11.5 (labels only; the diagrams are not reproduced here):
(a) E_K[M || H(M)]            – confidentiality and authentication
(b) M || E_K[H(M)]            – authentication
(c) M || E_KRa[H(M)]          – authentication, digital signature
(d) E_K[M || E_KRa[H(M)]]     – authentication, digital signature, confidentiality
(e) M || H(M || S)            – authentication (no encryption needed!)
(f) E_K[M || H(M || S)]       – authentication, confidentiality
(a) The message plus concatenated hash code is encrypted using symmetric encryption.
 Here only A and B share the secret key, so the message must have come from A and has not been altered.
 The hash code provides the structure or redundancy required to achieve authentication; because encryption is applied to the entire message plus hash code, confidentiality is also provided.

(b) Only the hash code is encrypted, using symmetric encryption.
 This reduces the processing burden for those applications that do not require confidentiality.
 Note that the combination of hashing and encryption results in an overall function that is, in fact, a MAC (figure 11.4a).
 That is, E_K[H(M)] is a function of a variable-length message M and a secret key K, and it produces a fixed-size output that is secure against an opponent who does not know the secret key.
(c) Only the hash code is encrypted, using public-key encryption with the sender’s private key.
 As with (b), this provides authentication.
 It also provides a digital signature, because only the sender could have produced the encrypted hash code.
 In fact, this is the essence of the digital signature technique.

(d) If confidentiality as well as a digital signature is desired, then the message plus the public-key-encrypted hash code can be encrypted using a symmetric secret key. This is a common technique.

(e) The hash is computed over the message concatenated with a secret value S shared by A and B, and the message is sent with this hash code but without any encryption; an opponent who does not know S cannot produce a valid hash for a modified message.

(f) Confidentiality can be added to the approach of (e) by encrypting the entire message plus the hash code.

 When confidentiality is not required, methods (b) and (c) have an advantage over those that encrypt the entire message in that less computation is required.
Requirements for Hash function
 A hash function H takes a message M of variable length and transforms it into a fixed-length hash value h
– h = H(M)
 A hash function H must have the following properties:
– One-way property (preimage resistance): for any given value h, it is computationally infeasible to find x such that H(x) = h.
– Weak collision resistance (second-preimage resistance): for any given message x, it is computationally infeasible to find y ≠ x with H(y) = H(x).
– Strong collision resistance: it is computationally infeasible to find any pair (x, y) with x ≠ y such that H(x) = H(y). Because of the birthday attack, this property needs a hash about twice as long as the first two alone would require.
Other Hash Function Uses
 to create a one-way password file
– store a (salted) hash of the password, not the actual password
 for intrusion detection and virus detection
– keep & check hashes of files on the system
 as a pseudorandom function (PRF) or pseudorandom number generator (PRNG)
Two Simple Insecure Hash Functions
 Consider two simple insecure hash functions:
 bit-by-bit exclusive-OR (XOR) of every block
– C_i = b_i1 XOR b_i2 XOR ... XOR b_im  (bit i of the hash is the XOR of bit i of every block)
– a longitudinal redundancy check
– reasonably effective as a data-integrity check against random errors
 one-bit circular shift on the hash value
– for each successive n-bit block: rotate the current hash value to the left by 1 bit and XOR in the block
– good for data integrity but useless for security: both functions are linear, so anyone can append one block that forces the hash to any chosen value
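Both functions implemented, together with the attack that makes them useless for security, as an added example not taken from the slides: because each hash is linear in the blocks, a forger who changes a message can append one block that steers the hash back to the original value, so neither weak nor strong collision resistance holds. The 32-bit block size and the two messages are constructed for the demonstration.

```python
BLOCK = 4  # bytes per block, so the hash is 32 bits (assumption for the demo)
WIDTH = 8 * BLOCK


def _padded(data: bytes) -> bytes:
    return data + b"\x00" * ((-len(data)) % BLOCK)


def blocks(data: bytes):
    """Split into BLOCK-byte integers, zero-padding the last block."""
    data = _padded(data)
    return [int.from_bytes(data[i:i + BLOCK], "big") for i in range(0, len(data), BLOCK)]


def xor_hash(data: bytes) -> int:
    """Longitudinal redundancy check: C_i = b_i1 xor b_i2 xor ... xor b_im."""
    h = 0
    for b in blocks(data):
        h ^= b
    return h


def rotl(v: int, bits: int = 1, width: int = WIDTH) -> int:
    mask = (1 << width) - 1
    return ((v << bits) | (v >> (width - bits))) & mask


def rotxor_hash(data: bytes) -> int:
    """Rotate the running hash left by one bit, then XOR in the next block."""
    h = 0
    for b in blocks(data):
        h = rotl(h) ^ b
    return h


def forge_xor(target_hash: int, modified: bytes) -> bytes:
    """Append one block so that xor_hash(result) == target_hash.
    H(modified || fix) = H(modified) xor fix, so fix = H(modified) xor target."""
    modified = _padded(modified)
    fix = xor_hash(modified) ^ target_hash
    return modified + fix.to_bytes(BLOCK, "big")


def forge_rotxor(target_hash: int, modified: bytes) -> bytes:
    """Same idea for the rotating hash: H(modified || fix) = rotl(H(modified)) xor fix."""
    modified = _padded(modified)
    fix = rotl(rotxor_hash(modified)) ^ target_hash
    return modified + fix.to_bytes(BLOCK, "big")


if __name__ == "__main__":
    original = b"pay bob $100"      # constructed: 3 blocks
    tampered = b"pay eve $900"
    for name, h, forge in (("xor", xor_hash, forge_xor), ("rotxor", rotxor_hash, forge_rotxor)):
        forged = forge(h(original), tampered)
        print(name, hex(h(original)), hex(h(tampered)), "forged:", forged, hex(h(forged)))
```

The XOR variant is additionally order-insensitive, so swapping two blocks already collides; the rotating variant fixes only that weakness and not the linearity, which is why the slide rates both as integrity checks and nothing more.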
Hash Function Requirements (summary table not reproduced)
Introduction to PKI, Certificates & Public Key Cryptography

Role of Computer Security
CIA
• Confidentiality: protection against data disclosure
• Integrity: protection against data modification
• Availability: protection against denial of access to data and services

Identification & Authentication (I&A)
Provide a way of identifying entities, and of verifying a claimed identity

Non-repudiability
Bind an entity to its actions
How to implement CIA, I&A, N-R? With cryptography!

Main cryptographic tools:
• Hash Functions
• Secret Key Cryptography
• Public Key Cryptography

And their combinations:
• Certificates
• PKI
Main cryptographic tools

Hash Functions:
Compress a message into a fixed-size digest that identifies it; signing the digest yields a signature over the whole message
Hash + public-key operation on the digest => trusted signature

Symmetric Key Cryptography
2 users share a secret key S and an algorithm.
D_S(E_S(M)) = M

Problem: how to exchange secret keys?
=> Secret Key Server (e.g. Kerberos)
Main cryptographic tools
Public Key Cryptography:
Each user has a public key P and a private key S, and an algorithm A.
P(S(M)) = S(P(M)) = M (this commuting property is what RSA provides)
=> No shared secret!

Authentication with Public Key Crypto (figure not reproduced): the sender applies its private key S; anyone holding P can check
Encryption with Public Key Crypto (figure not reproduced): the sender applies the receiver’s public key P; only the holder of S can recover M
Main cryptographic tools, PKI

How to distribute public keys?
=> Public Key Server (PKS), key exchange protocols

Public Key Infrastructure (PKI):
PKI = N x (entities with private keys) + public key exchange system

Note: public key algorithms are slow
=> Need to use both public & secret key cryptography
=> Public key protocols work in 3 phases:
1. Authentication via public key cryptography (challenge-response)
2. Exchange of a session secret key, encrypted with public key crypto (or agreed with Diffie-Hellman)
3. Session encrypted with symmetric cryptography
Certificate
A certificate binds an entity with its public key.
It’s just a digitally signed piece of data => a digital ID card.

Certificate =
  an entity’s description (name, etc.)
+ the entity’s public key
+ expiration date, serial number, etc.
+ the CA’s name
+ a signature issued by the CA

The certificate is issued and signed by a trusted Certificate Authority (CA).
Digital signature: CA signature = hash of the certificate contents, signed (“encrypted”) with the CA’s private key.
Certificate

The certificate’s CA is the only entity able to create/modify the certificate
=> the CA has to be trusted

Certificates enable:
• Clients to authenticate servers
• Servers to authenticate clients
• Public key exchange without a Public Key Server
=> No disclosure of private/secret keys.

Certificates themselves are public data; it is the private key belonging to a certificate that is stored encrypted (e.g. in a password-protected PKCS#12 file).

Special features:
• chains of CAs, to distribute the task of issuing certificates
• Certificate Revocation List (CRL), to disable certificates before they expire
Usual cryptographic algorithms & infrastructures

Hash: MD4, MD5, SHA-1 (all three are now considered broken for collision resistance; use SHA-2 or SHA-3)
Symmetric Key: DES, 3DES, AES (Rijndael), IDEA, RC4 (DES and RC4 are deprecated)
Public/Private Key: RSA, Diffie-Hellman
Certificate: X.509
Protocols built on PKI: IPSec, SSL/TLS, (Kerberos, which relies on a trusted key server and can use PKI only for initial authentication)
Example: IPSec

IPSec works at the IP level.
Provides authentication and encryption. Used to build VPNs.

Configuration:
• 2 transfer modes: tunnel or transport
• 2 protocols:
  • AH (Authentication Header) => authenticated traffic, no encryption
  • ESP (Encapsulating Security Payload) => encrypted (and optionally authenticated) traffic

Key exchange protocols:
Internet Key Exchange (IKE), Internet Security Association and Key Management Protocol (ISAKMP), etc.
Weaknesses of PKI and Certificates

PKI:
• unsecured server: hackable public key/certificate servers
• unsecured client: private keys/passwords can be stolen/spied
• weak algorithm: short keys, implementation or design flaw

Certificate:
• unsecured computer: certificates and private keys can be stolen, password spied
• key-store password: private keys are stored encrypted, but often under a weak password
• untrustworthy CA: too easy to be issued a certificate from a CA
• users: they seldom check whether a CA can be trusted before accepting certificates (Netscape GUI)

Attack examples:
• hack the client’s computer, steal the certificate, private key & password
• man in the middle, presenting a certificate the user accepts without checking
Public Key Infrastructure (PKI)

INTRODUCTION

Enterprise PKI (figure not reproduced)
What is PKI?
 Public/private key pair: the public key is just a string of bits
 A public key certificate answers the following questions (and many more):
• Whose certificate is it?
• What can it be used for?
• Is it still valid?
 Example uses:
– Is this really the key for Jack Nathan?
– Can this key be used to send an encrypted message to John Smith?
– Was the key used for digitally signing this document valid at the time of signing?
– Fetch me the key of Mike Jones
Security Services That Can Be Supported By PKI
 Authentication – ability to verify the identity of an entity
 Confidentiality – protection of information from unauthorized disclosure
 Data Integrity – protection of information from undetected modification
 Non-repudiation – prevention of an entity from denying previous actions
 Key establishment
A Fully Functional PKI
 Certification authority
 Certificate repository
 Certificate revocation
 Key backup and recovery
 Automatic key update
 Key history management
 Cross-certification
 Support for non-repudiation
 Time stamping
 Client software
Secret Key Cryptography
 Classical form of cryptography
 Single key used to encrypt and decrypt data
 Strengths
– Very fast relative to public key cryptography
– Relatively short keys
 Weakness: key must be shared among interested parties

Public Key Cryptography
 Each entity has a PAIR of mathematically related keys
– Private Key – known by ONE
– Public Key – known by many
 Not feasible to determine the Private Key from the Public Key
 Strength – no shared private keys
 Weakness
– Relatively slow
– Requires longer keys for the same level of security

Public Key Cryptography (cont.)
 Public key is best suited to
– Digital signatures (e.g., RSA and DSA)
– Key Management
• Key transfer (e.g., RSA)
• Key agreement (e.g., Diffie-Hellman)
Cryptography (figure not reproduced): message -> encryption algorithm (with encryption key) -> transmission channel -> decryption algorithm (with decryption key) -> message
Public Key Cryptosystem (RSA)
 A public encryption method that relies on a public encryption algorithm, a public decryption algorithm, and a public encryption key.
 Using the public key and encryption algorithm, everyone can encrypt a message.
 The decryption key is known only to authorized parties.
 Asymmetric method.
– Encryption and decryption keys are different; one is not easily computed from the other.
Public Key Cryptosystem (RSA)
 p and q are two (large, distinct) prime numbers.
 n = pq
 m = (p-1)(q-1)
 a is such that 1 < a < m and gcd(m, a) = 1.
 b is such that (ab) mod m = 1.
 a is chosen by generating random positive integers and testing gcd(m, a) = 1 using the extended Euclidean gcd algorithm.
 The extended Euclidean algorithm also computes b when gcd(m, a) = 1.

RSA Encryption And Decryption
 Message M < n.
 Encryption key = (a, n).
 Decryption key = (b, n).
 Encrypt => E = M^a mod n.
 Decrypt => M = E^b mod n.
Breaking RSA
 Factor n and determine p and q, n = pq.
 Now determine m = (p-1)(q-1).
 Now use the extended Euclidean algorithm to compute gcd(m, a); b is obtained as a byproduct.
 The decryption key (b, n) has been determined!

Security Of RSA
 Relies on the fact that prime factorization is computationally very hard.
 Let k be the number of bits in the binary representation of n.
 No algorithm polynomial in k is known to find the prime factors of n.
 Try to find the factors of a 100-bit number by hand; in practice n must be at least 2048 bits, since moduli of several hundred bits have been factored with general-purpose hardware.
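The RSA key-generation steps, encryption/decryption, the digest-based signature scheme from the earlier “RSA Digital Signature Scheme” slide, and the “Breaking RSA” procedure, all in one added example (not from the slides) so that the same extended-Euclid routine serves every step. The primes p = 61, q = 53 and a = 17 are the usual textbook toy values (assumption); with an n this small, trial division is all the “factoring” an attacker needs, which is the point of the last function.

```python
import hashlib


def egcd(a: int, b: int):
    """Extended Euclid: returns (g, u, v) with u*a + v*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, u, v = egcd(b, a % b)
    return g, v, u - (a // b) * v


def modinv(a: int, m: int) -> int:
    g, u, _ = egcd(a, m)
    if g != 1:
        raise ValueError("gcd(m, a) != 1: a has no inverse mod m")
    return u % m


def keygen(p: int, q: int, a: int):
    """Slide steps: n = pq, m = (p-1)(q-1), gcd(m, a) = 1, b = a^-1 mod m.
    Returns (public (a, n), private (b, n))."""
    n = p * q
    m = (p - 1) * (q - 1)
    b = modinv(a, m)                 # raises if gcd(m, a) != 1, i.e. a is unusable
    return (a, n), (b, n)


def encrypt(M: int, pub) -> int:
    a, n = pub
    if not 0 <= M < n:
        raise ValueError("message must satisfy M < n")
    return pow(M, a, n)              # E = M^a mod n


def decrypt(E: int, priv) -> int:
    b, n = priv
    return pow(E, b, n)              # M = E^b mod n


def digest_mod_n(message: bytes, n: int) -> int:
    """w = digest of the message, reduced so that w < n (toy stand-in for real padding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, priv) -> int:
    b, n = priv
    return pow(digest_mod_n(message, n), b, n)            # S = w^s mod n


def verify(message: bytes, S: int, pub) -> bool:
    a, n = pub
    return pow(S, a, n) == digest_mod_n(message, n)       # w = S^v mod n


def trial_factor(n: int):
    """Only feasible because n is tiny; real moduli are 2048+ bits."""
    for d in range(2, int(n ** 0.5) + 1):
        if n % d == 0:
            return d, n // d
    raise ValueError("no factor found")


def break_rsa(pub):
    """'Breaking RSA' slide: factor n, rebuild m, recover b via extended Euclid."""
    a, n = pub
    p, q = trial_factor(n)
    m = (p - 1) * (q - 1)
    return modinv(a, m), n


if __name__ == "__main__":
    pub, priv = keygen(61, 53, 17)
    print("public", pub, "private", priv)
    E = encrypt(65, pub)
    print("E =", E, "decrypts to", decrypt(E, priv))
    S = sign(b"pay 10", priv)
    print("signature valid:", verify(b"pay 10", S, pub), "recovered private key:", break_rsa(pub))
```

Note that digest_mod_n is where a real implementation applies PKCS#1 padding; reducing a hash mod a 12-bit n, as here, leaves only a few thousand distinct signable values.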
Why Do We Need Certificates?
 Associate the public key with a name or entity
 What is this key good for?
– Signatures or encryption?
– Authorization
– Secure mail, secure web, or digital signatures
– How can I trust it?

Example Public Key Certificate (figure not reproduced)

A Certificate with Policy Information (figure not reproduced)
Problems with Identity Certificates
 Which “Don Smith” does this certificate correspond to?
 Suppose there are two “Don Smith”s in the same organization; how do we know to whom a given certificate belongs?
 In which directory do we look up “Don Smith”?
 Examples:
– PGP: used for email encryption
• Identity is name + email address
– SPKI: used for authorization/access control
• Identity is a name meaningful within the domain of application
– Account name on a server
– Credit card number
– Merchant ID
– PGP and SPKI also use the public key itself as a unique ID
Basic Certificate Contents (X.509)
 Version
 SerialNumber
 Signature (algorithm identifier, e.g. DSA with SHA-1)
 Issuer
 Validity
 Subject (Name)
 SubjectPublicKeyInfo
 IssuerUniqueID (optional)
 SubjectUniqueID (optional)
PKI ARCHITECTURES

Conventional PKI Architecture (figure not reproduced): RAs register users with their CA; each CA publishes certificates and CRLs to a repository; relying parties consult the repository to validate users’ certificates.

CA: Certification Authority
RA: Registration Authority
PKI Architectures
 Single CA
 Hierarchical PKI
 Mesh PKI
 Trust lists (Browser model)
 Bridge CAs

Single CA
 A CA that issues certificates to users and systems, but not to other CAs
– Easy to build
– Easy to maintain
– All users trust this CA
– Paths have one certificate and one CRL
– Doesn’t scale particularly well
Hierarchical PKI
 CAs have a hierarchical relationship (as in a tree)
 All CAs trust the root CA
 The root CA certifies its child CAs, and they in turn certify their child CAs, and so on.
 Easy to establish/verify a trust relationship between any two CAs: walk each certificate path up to the common root

Strict Hierarchy of CAs (figure not reproduced)
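An added example (not from the slides) of what a relying party does with the certificate structure described in the “Certificate” slides and the strict hierarchy above: validate a chain leaf -> intermediate CA -> root CA by checking each certificate’s validity period, its presence on the issuer’s CRL, that the issuer really is a CA, and the issuer’s signature over the to-be-signed fields, ending at a configured trust anchor. Signatures are toy RSA over a SHA-256 digest of the JSON-serialised fields (assumption, so the block runs with the standard library); the three key pairs, the names, the integer “years” used as validity dates and the serial numbers are all constructed.

```python
import hashlib
import json


def toy_key(p: int, q: int, e: int) -> dict:
    """Toy RSA key (assumption: tiny primes for readability; real PKI uses >= 2048-bit keys)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e, "d": pow(e, -1, phi)}


ROOT_KEY = toy_key(61, 53, 17)
INTER_KEY = toy_key(101, 113, 3)
LEAF_KEY = toy_key(47, 59, 17)

# Trust anchors are configured out of band: name -> (e, n) of the root's public key.
TRUST_ANCHORS = {"Root CA": (ROOT_KEY["e"], ROOT_KEY["n"])}


def tbs_digest(tbs: dict, n: int) -> int:
    """Hash of the certificate contents, reduced below the signer's modulus."""
    data = json.dumps(tbs, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def issue(tbs: dict, issuer_key: dict) -> dict:
    """CA signature = digest of the to-be-signed fields under the CA's private exponent."""
    sig = pow(tbs_digest(tbs, issuer_key["n"]), issuer_key["d"], issuer_key["n"])
    return {"tbs": tbs, "signature": sig}


def signature_ok(cert: dict, issuer_pub) -> bool:
    e, n = issuer_pub
    return pow(cert["signature"], e, n) == tbs_digest(cert["tbs"], n)


def validate_chain(chain: list, trust_anchors: dict, crl: set, now: int):
    """chain = [leaf, intermediate, ..., root]; crl holds (issuer, serial) pairs.
    Returns (ok, reason); every check names the certificate that failed."""
    for i, cert in enumerate(chain):
        tbs = cert["tbs"]
        if not (tbs["not_before"] <= now <= tbs["not_after"]):
            return False, f"{tbs['subject']}: outside validity period"
        if (tbs["issuer"], tbs["serial"]) in crl:
            return False, f"{tbs['subject']}: revoked"
        if i + 1 < len(chain):                      # issuer is the next cert up
            issuer = chain[i + 1]["tbs"]
            if issuer["subject"] != tbs["issuer"] or not issuer["is_ca"]:
                return False, f"{tbs['subject']}: issuer mismatch or issuer is not a CA"
            issuer_pub = tuple(issuer["public_key"])
        else:                                       # top of the chain: must be an anchor
            if tbs["issuer"] not in trust_anchors:
                return False, f"{tbs['subject']}: chain does not end at a trust anchor"
            issuer_pub = trust_anchors[tbs["issuer"]]
        if not signature_ok(cert, issuer_pub):
            return False, f"{tbs['subject']}: bad signature"
    return True, "valid"


def make_chain() -> list:
    """Constructed three-level hierarchy; validity periods are plain integer years (assumption)."""
    def tbs(subject, issuer, serial, is_ca, key, nb, na):
        return {"subject": subject, "issuer": issuer, "serial": serial, "is_ca": is_ca,
                "public_key": [key["e"], key["n"]], "not_before": nb, "not_after": na}
    root = tbs("Root CA", "Root CA", 1, True, ROOT_KEY, 2024, 2034)
    inter = tbs("Inter CA", "Root CA", 2, True, INTER_KEY, 2024, 2029)
    leaf = tbs("www.example.test", "Inter CA", 3, False, LEAF_KEY, 2025, 2026)
    return [issue(leaf, INTER_KEY), issue(inter, ROOT_KEY), issue(root, ROOT_KEY)]


if __name__ == "__main__":
    chain = make_chain()
    print(validate_chain(chain, TRUST_ANCHORS, set(), 2025))
    print(validate_chain(chain, TRUST_ANCHORS, {("Inter CA", 3)}, 2025))
    print(validate_chain(chain, {}, set(), 2025))
```

The order of the checks is deliberate: period and revocation are cheap and fail fast, the CA flag stops a leaf certificate from being used to issue others, and the signature is verified against the key the chain itself supplies, except at the top, where only the locally configured anchor may vouch for the root.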
Mesh PKI
 CAs have peer-to-peer relationships
 Users trust the CA that issued their certificates

Trust lists (Browser)
 User trusts more than one CA
 Each CA could be a single CA or part of a PKI
– For hierarchies, should be the root
– For mesh PKIs, could be any CA

Bridge CA
 Designed to address the shortcomings of trust lists and of the cross-certified enterprise architecture
 Unifies many PKIs into a single PKI; acts as a sort of trust arbitrator
 If the trust domain is implemented as a hierarchical PKI, the bridge CA establishes a relationship with the root CA
 If the domain is implemented as a mesh, the bridge establishes a relationship with one of its CAs

Cross-certification
 The CA of one organization being certified (for trust purposes) by the CA of a different organization
 Peer-to-peer relationships among CAs
 Appropriate when a small number of enterprise PKIs intend to establish trust relationships