Module 5 - Internet Application Security and Privacy
Cryptography - Turning plaintext into ciphertext so a message can be sent over an insecure medium; this separates the security of the message from the security of the medium
Cryptanalysis - Breaking secret messages
Cryptology studies both of these
Three components to cryptography:
- Confidentiality - Prevent attacker from reading message
- Integrity - Prevent attacker from modifying message
- Authenticity - Prevent attacker from impersonating sender
Kerckhoffs' Principle - Overall security should not rely on a secret that is hard to change (the algorithm is assumed public; only the key is secret)
- A system is at most as secure as its number of possible keys
- The best cryptosystem is one where all an attacker can do is guess keys
Attacker may know:
- The algorithm
- Part of the plaintext
- Corresponding plaintexts and ciphertexts
- Ways to access an encryption or decryption oracle
Symmetric cryptography / secret-key encryption - The key the sender uses to encrypt messages is the same one the recipient uses to decrypt them
One-Time Pad - Unbreakable: XOR the key with the plaintext, using the key only one time
- Cannot use the key more than once
- Key needs to be truly random (and as long as the message)
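As an added example (not from the original notes), the following Python shows why a pad must never be reused: with truly random key bytes a single use is unbreakable, but XORing two ciphertexts made with the same pad cancels the key and leaves m1 XOR m2, from which a known or guessed fragment of one message reveals the other. The messages and the key are constructed here.

```python
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """One-time pad: XOR with a truly random key as long as the message.
    Decryption is the same operation, so otp_encrypt(key, ct) gives pt back."""
    return xor_bytes(key, plaintext)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """What an eavesdropper learns if the same pad encrypted two messages:
    (k ^ m1) ^ (k ^ m2) == m1 ^ m2, the key has cancelled out."""
    return xor_bytes(c1, c2)


def recover_other_message(leak: bytes, known: bytes, offset: int) -> bytes:
    """Given m1 ^ m2 and a known (or guessed) fragment of m1 at `offset`,
    the matching bytes of m2 fall out: (m1 ^ m2) ^ m1 == m2."""
    return xor_bytes(leak[offset:offset + len(known)], known)


def demo() -> dict:
    # Constructed sample messages of equal length, and a fresh random pad.
    m1 = b"MEET AT DAWN"
    m2 = b"RUN AT NIGHT"
    key = os.urandom(len(m1))
    c1 = otp_encrypt(key, m1)         # correct: one pad, one message
    c2 = otp_encrypt(key, m2)         # mistake: the same pad used again
    leak = two_time_pad_leak(c1, c2)
    return {
        "key_cancels": leak == xor_bytes(m1, m2),
        # An eavesdropper who knows or guesses m1 reads m2 without the key.
        "recovered_m2": recover_other_message(leak, m1, 0),
        # A partial guess of m1 still yields the corresponding part of m2.
        "partial_m2": recover_other_message(leak, b"DAWN", 8),
    }
```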
A 56-bit key was cracked by BOIC in 5 minutes, so 128-bit keys should be the standard
The Principle of Easiest Penetration should also be considered (an attacker will go around the cryptography if there is an easier way in)
Secret-key cryptosystems come in two classes:
- Stream ciphers - Fast; like an OTP but with a pseudorandom keystream; RC4 is a (deprecated) example
- Block ciphers - Operate on fixed-size blocks; how a longer message is split into blocks and how the blocks are chained is the mode of operation; AES is an example
Asymmetric cryptography - A public/secret key pair: anyone can encrypt with the public key, only the holder of the secret key can decrypt
Hybrid Cryptography - Faster, as it combines the speed of symmetric encryption with the convenience of public-key encryption:
- Pick a random 128-bit key K
- Encrypt the message with K
- Encrypt the key K with the recipient's public key
- Send the encrypted message and the encrypted key
However, even if the keys cannot be decrypted, the message can be changed while in transit, so a measure of integrity is needed
Cannot use a regular checksum, since an attacker who changes the message can recompute the checksum to match (or change the message in a way that leaves the checksum unaltered)
Hash functions compute a fixed-length message digest (MD5 is an example); they are required to be:
- Preimage-resistant - given y, hard to find an x such that h(x) = y
- Second preimage-resistant - given x, hard to find an x' ≠ x such that h(x) = h(x')
- Collision-resistant - hard to find any two distinct values x, x' such that h(x) = h(x')
Hash functions provide integrity only when the message digest itself is protected (otherwise an attacker replaces both the message and its digest)
Message Authentication Code - A keyed hash function: the tag is computed from the message using a secret key, so only key holders can create or check it
Multiple ways to combine a cipher with a MAC: Encrypt-then-MAC, MAC-then-Encrypt (MAC before encrypting), Encrypt-and-MAC
Need an authenticated encryption mode to securely combine cipher and MAC
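Encrypt-then-MAC as an added example, not from the original notes: a toy stream cipher (an HMAC-SHA256 keystream, standing in for AES in counter mode) is combined with an HMAC tag over nonce and ciphertext, and the receiver verifies the tag before decrypting. It also shows the "encryption provides integrity" mistake from the common-mistakes list: without the tag check, a flipped ciphertext bit silently changes the plaintext. Keys and messages are constructed.

```python
import hashlib
import hmac
import os

# Toy stream cipher for illustration only: keystream blocks are
# HMAC-SHA256(key, nonce || counter), XORed with the data (the "OTP with a
# pseudorandom key" above). It stands in for a real cipher such as AES-CTR.

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) under key and nonce."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))

def encrypt_then_mac(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt first, then MAC the nonce and ciphertext with a separate key.
    Output layout: nonce (16 bytes) || ciphertext || tag (32 bytes)."""
    nonce = os.urandom(16)
    ciphertext = stream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def verify_then_decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Check the tag first and decrypt only if it verifies; reject otherwise."""
    if len(blob) < 16 + 32:
        raise ValueError("message too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("MAC check failed: message modified or forged")
    return stream_xor(enc_key, nonce, ciphertext)

def decrypt_ignoring_mac(enc_key: bytes, blob: bytes) -> bytes:
    """What a receiver that assumes encryption provides integrity would do."""
    return stream_xor(enc_key, blob[:16], blob[16:-32])

def flip_first_ciphertext_bit(blob: bytes) -> bytes:
    """In-transit modification: flipping one ciphertext bit of a stream cipher
    flips the same plaintext bit, so the change is silent without a MAC."""
    tampered = bytearray(blob)
    tampered[16] ^= 0x01
    return bytes(tampered)
```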
Repudiation - A MAC does not let Bob prove to anyone else that Alice sent the message: since Bob holds the same key, he could have made up the tag and the message himself
We need a digital signature which proves:
- Alice sent the message (like a MAC)
- The message has not been altered since it was sent (like a MAC)
- These points can be proven to a third party (unlike a MAC)
To make a digital signature:
- Alice signs the message with her private signature key
- Bob verifies the message with Alice's public signature key
Hybridize signatures:
- Alice sends the unsigned message together with a signature on the hash of the message
Combine public-key encryption and digital signatures:
- Alice has two key pairs: (encryption, decryption) and (signature, verification)
- Alice encrypts her message with Bob's public encryption key and signs the ciphertext with her private signature key
- Bob decrypts the ciphertext with his private decryption key and checks the signature with Alice's public signature key
- Alice can sign her own encryption key with her signature key
Key Management - Ways to find keys:
- Manual keyring
- Web of trust through a friend
- Trusted third parties such as CAs
Certificate Authorities - Trusted third parties who receive Alice's public key and other info and sign it with their private signature key to create a certificate
Everyone is assumed to have the CA's public key
Common mistakes:
- Two-time pad (reusing a one-time pad key)
- Assuming encryption provides integrity
- Replay/reaction attacks
Execute apps only if they are signed (code signing)
Network cryptography used at every level:
- Link - WEP
- Network - VPN
- Transport - TLS/SSL, Tor
- Application - SSH, PGP, OTR
Link Layer
Link layer is intended to protect LAN, WEP is an example
Wired Equivalent Privacy intended to enforce:
- Confidentiality - Prevent adversary from learning traffic
- Access Control - Prevent an unauthorised adversary from using the network infrastructure
- Data integrity
WEP problems:
- Short IV (24 bits long), so keystreams get reused
- The checksum interacts pessimally with the stream cipher: CRC is linear, so modifications to the ciphertext can go undetected
- The authentication protocol reveals enough information for an attacker to authenticate herself
Network Layer
Network Layer Security - Security across individual links is not enough; we need security across entire networks, end-to-end
VPN - Connects two remote networks so that they appear to be a single network:
- Each side is connected to a VPN gateway
- The data is encrypted and tunneled to the other side
Tunneling - Sending a message in one protocol as the payload of another protocol
IPSec - A method to set up a VPN, with two modes:
- Transport mode - Only the payload of the original packet is encrypted (the IP header stays in the clear); useful within a LAN
- Tunnel mode - Both contents and header are encrypted inside a new packet; useful for connecting networks
Microsoft PPTP - An old VPN method with known flaws
VPNs based on SSH - IP over PPP over SSH over TCP over IP
Transport Layer - Security = TLS, Privacy = Tor
The main transport-layer security protocol is SSL/TLS; it provides server authentication, integrity and confidentiality:
- Client tells the server which ciphersuites it knows
- Server sends back its certificate: host name, verification key, admin info and a signature from a CA
- Client checks that the CA's signature verifies under a CA public key embedded in the browser, and that the host name matches the one it wanted
- Symmetric encryption with a MAC then proceeds between them
TLS has become the most successful Privacy Enhancing Technology - it just works
The main transport-layer privacy mechanism is Tor:
- 2 million daily users
- Lets you make TCP connections without revealing your IP address
- Scattered around the Internet are 7000 Tor nodes called onion routers
- Alice uses something similar to TLS to tunnel through each node in turn until the end of the path
- Message M becomes Ek1(Ek2(Ek3(M))), one layer of encryption per node, and each node peels off one layer
- Each node knows Alice is using Tor but does not know which site she is visiting
- The website itself only knows it got a connection from the last node; this final hop is not inherently encrypted
- Tor gives anonymity: unlinkability in the long term, but linkability in the short term
- Two connections in quick succession are likely from the same person
Nymity Slider:
- Verinymity - SIN (social insurance number)
- Persistent pseudonymity - Pen name
- Linkable anonymity - Prepaid phone cards
- Unlinkable anonymity - Tor
Application Layer
Secure Remote Login:
- Either send a password over an encrypted channel, which the server compares against a stored hash of your password
- Or answer a random challenge using your private signature key
Type 0 remailers - Send email to a server which re-mails it anonymously; this was shut down due to Scientology leaks
Type 1 remailers - Mail is now sent through encrypted chains of remailers, but reply support has been dropped, so no pseudonymity
Nym servers restored the association of a sender with their messages, thereby restoring pseudonymity
Type 2 remailers - Introduced constant-length messages, but require a special email client to fragment the data
Type 3 remailers - Improved, with native support for pseudonymity
PGP - Originally created by Phil Zimmermann in 1991, who got into trouble for it
PGP is used for hybrid encryption and digital signatures of emails
PGP gives each user 4 keys: encryption, decryption, signature and verification
Fingerprints were created to deal with large public keys - a cryptographic hash of the key; there is no known way to make two different keys have the same fingerprint, provided the hash is collision-resistant
Alice can also sign Bob's key to certify that the key she uses is in fact his
Web of Trust - A network of people acting as links for passing around (and vouching for) public keys
Perfect Forward Secrecy - Future key compromises should not reveal past communication; use temporary keys for this, called session keys, created using the Diffie-Hellman protocol and discarded after use
We do not want digital signatures, since they are undesirable for private conversations (they leave lasting proof of who said what)
However, we do want authentication
Alice has deniability with a MAC, since we cannot prove she generated it (Bob holds the same key)
Off-the-Record messaging provides private messaging with confidentiality and authentication as well as perfect forward secrecy and plausible deniability - Signal is an example, which uses Triple Diffie-Hellman, or deniable authenticated key exchange (DAKE)
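As an added example not taken from the notes, the ephemeral Diffie-Hellman session-key setup behind Perfect Forward Secrecy, in Python: each side makes a fresh secret for the conversation, both derive the same key, and the secrets are discarded so a later key compromise cannot recover this session. The group parameters (p = 2^61 - 1, g = 3) are toy values chosen for illustration, and the key-derivation step is my own construction.

```python
import hashlib
import secrets

# Toy group for illustration only: p = 2^61 - 1 (a Mersenne prime) with g = 3.
# Real deployments use standardised 2048-bit-or-larger groups or elliptic curves.
P = (1 << 61) - 1
G = 3

def dh_keypair() -> tuple:
    """Fresh ephemeral secret and public value; a new pair is made per session."""
    secret = secrets.randbelow(P - 2) + 1  # 1 <= secret <= p - 2
    return secret, pow(G, secret, P)

def dh_shared_secret(my_secret: int, their_public: int) -> int:
    """g^(ab) mod p; rejects the degenerate public values 0, 1 and p - 1."""
    if not 1 < their_public < P - 1:
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(their_public, my_secret, P)

def session_key(shared: int, transcript: bytes) -> bytes:
    """Derive the symmetric session key by hashing the shared secret together
    with both public values, binding the key to this run of the protocol."""
    return hashlib.sha256(shared.to_bytes(8, "big") + transcript).digest()

def run_session() -> tuple:
    """One conversation: both sides derive the same key from ephemeral values.
    Forward secrecy comes from discarding the secrets once the key exists, so a
    later compromise of any long-term key cannot recompute this session key."""
    a, pub_a = dh_keypair()  # Alice's ephemeral values
    b, pub_b = dh_keypair()  # Bob's ephemeral values
    transcript = pub_a.to_bytes(8, "big") + pub_b.to_bytes(8, "big")
    k_alice = session_key(dh_shared_secret(a, pub_b), transcript)
    k_bob = session_key(dh_shared_secret(b, pub_a), transcript)
    del a, b  # the ephemeral secrets are thrown away
    return k_alice, k_bob
```

Authentication of the exchanged public values (the "authenticated" part of a DAKE) is left out here; without it the exchange is only secure against a passive eavesdropper.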