CS162 Lecture: Monday, April 25, 2005
Yu, Wai Jing

-----
Announcements:
+ The last midterm is 7pm, May 9, 10 Evans.
+ Professor Smith still has midterms that weren't picked up.
+ All grading by the Readers is due in the last week.

-----
Overview:
+ Professor Smith
  - Encryption, continued from last lecture.
+ Karl's Lecture
  - Security
  - Network Security
  - Karl's Research Projects
+ Professor Smith
  - New topic: Real Time Systems
  - New topic: Virtual Machines

--------------
Lecture begins

Continued Topic: Encryption -

+ Federal Data Encryption Standard (DES):
  - The DES (Data Encryption Standard) algorithm was at one time the most widely used encryption algorithm in the world. Encrypting data converts it to an unintelligible form called cipher, and decrypting cipher converts the data back to its original form, called plaintext. The algorithm uses a binary number called a key for both enciphering and deciphering.
+ Block cipher:
  - Encrypts 64 bits at a time and uses a 64-bit key (56 bits are actually used as the key; the other 8 bits are used for error detection).
  - It is designed to be hard, but not impossible, to break.
  - There are chips that encrypt/decrypt megabits per second.
  - How it works: a block cipher is a type of symmetric-key encryption (explained later in Karl's lecture). It transforms a fixed-length block of plaintext into a block of ciphertext of the same length, given the secret key. Usually the block length is 64 bits. Since different plaintext blocks are mapped to different ciphertext blocks (to allow unique decryption), the block cipher provides a permutation of the set of all possible messages. This can be implemented efficiently in hardware and appears to be relatively safe. Building it with four chips can improve its security.
  - For practical purposes, DES is more than adequate. DES is no longer considered safe enough by the NSA. The latest standard is the Clipper chip.
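An added example (not from the lecture notes) of the "56 of 64 bits" point above: the low bit of each DES key byte is an odd-parity bit, which is the error detection the notes mention. The helpers check and repair that parity and extract the 56 effective key bits; the two sample keys are constructed for illustration.

```python
# DES keys: 8 bytes, each byte = 7 key bits + 1 odd-parity bit (low bit).

def des_parity_ok(key: bytes) -> bool:
    """True if every byte of the 8-byte DES key has odd parity."""
    if len(key) != 8:
        raise ValueError("DES key must be exactly 8 bytes (64 bits)")
    return all(bin(b).count("1") % 2 == 1 for b in key)

def des_fix_parity(key: bytes) -> bytes:
    """Return the key with each byte's low bit set so that the byte has odd parity."""
    if len(key) != 8:
        raise ValueError("DES key must be exactly 8 bytes (64 bits)")
    fixed = bytearray()
    for b in key:
        key_bits = b & 0xFE                     # the 7 key bits of this byte
        parity = 0 if bin(key_bits).count("1") % 2 == 1 else 1
        fixed.append(key_bits | parity)
    return bytes(fixed)

def des_effective_key(key: bytes) -> int:
    """The 56 key bits as one integer, parity bits stripped."""
    value = 0
    for b in key:
        value = (value << 7) | (b >> 1)
    return value

# Constructed samples: a key whose parity bits are all wrong, and its repaired form.
BAD_PARITY_KEY = bytes.fromhex("0022446688aaccee")
GOOD_PARITY_KEY = bytes.fromhex("0123456789abcdef")

if __name__ == "__main__":
    print(des_parity_ok(BAD_PARITY_KEY), des_parity_ok(GOOD_PARITY_KEY))   # False True
    print(des_fix_parity(BAD_PARITY_KEY).hex())                            # 0123456789abcdef
    # Both keys select the same 56-bit key, so DES would encrypt identically.
    print(des_effective_key(BAD_PARITY_KEY) == des_effective_key(GOOD_PARITY_KEY))  # True
```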
+ Clipper Chip:
  - Encrypts information, but also allows government agents to recover the information if they want to. (More details of the Clipper Chip are discussed at the end of this topic.)
  - More security can be obtained by applying two levels of encryption in pairs.
+ Public Key Encryption:
  - A cryptographic system that uses two keys, a public and a private key. The public key is known to everyone and the private key is known only to the recipient of the message. Example: Alice wants to send a secure message to Bob, so she uses Bob's public key to encrypt the message, and then Bob uses his private key to recover the message.
  - Basic outline:
    + A public and a private key that are inverses of each other, meaning whatever is encoded with one can be decoded with the other.
    + Each user has two keys, a public and a private key. Public keys are made available to everyone (for example, in a phone book), whereas the private key is kept secret by that user.
    + The two keys are not derivable from each other.
  - Specific scheme for Public Key Encryption (pp. 471-472, Chapter 14, of Silberschatz and Galvin):
    Professor Smith> Do not need to remember it.
    + Encode: E(m) = (m**e) mod n = C
    + Decode: D(C) = (C**d) mod n
      - e and n are public; d is private.
      - where m is the message; e, d are between 0 and n-1; e, d, n are positive integers.
    + Must derive e, d, and n such that the above decode is the inverse of encode:
      - Let n = p*q (p, q large primes).
      - d is a large integer relatively prime to (p-1)*(q-1) (i.e. GCD[d, (p-1)*(q-1)] == 1).
      - e is chosen such that (e*d) mod ((p-1)*(q-1)) == 1.
      - ICBS (it can be shown) that this makes E and D inverses.
    + This is safe because although n is known, p and q are not known, and so the private d cannot be derived (factoring is known to be hard).
+ Safe Mail:
  - Use the public key of the destination user to encrypt the mail. Anybody can encrypt mail for a specific user and be certain that only that user will be able to decrypt it.
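The scheme above, worked through as an added example (not from the lecture notes or the textbook) with the notes' symbols p, q, n, e, d, E and D on small constructed primes; it also shows the digital-signature use of the same keys (private exponent to sign, public exponent to check) that the next section describes. Real keys use primes of hundreds of digits; the values here are for illustration only.

```python
from math import gcd

def make_keys(p: int, q: int, d: int):
    """Derive the public pair (e, n) and private d from primes p, q and a chosen d."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(d, phi) != 1:                      # GCD[d, (p-1)*(q-1)] == 1
        raise ValueError("d must be relatively prime to (p-1)*(q-1)")
    e = pow(d, -1, phi)                       # so that (e*d) mod phi == 1
    return (e, n), d

def E(m: int, e: int, n: int) -> int:
    """Encode: E(m) = (m**e) mod n = C; e and n are public."""
    return pow(m, e, n)

def D(c: int, d: int, n: int) -> int:
    """Decode: D(C) = (C**d) mod n; d is private."""
    return pow(c, d, n)

def roundtrips_all(e: int, d: int, n: int) -> bool:
    """Exhaustively check D(E(m)) == m for every m in 0..n-1 (small n only)."""
    return all(D(E(m, e, n), d, n) == m for m in range(n))

def sign(m: int, d: int, n: int) -> int:
    """Digital signature: apply the private exponent to m."""
    return pow(m, d, n)

def verify(m: int, sig: int, e: int, n: int) -> bool:
    """Anyone holding the public key checks that sig**e mod n recovers m."""
    return pow(sig, e, n) == m

if __name__ == "__main__":
    # Constructed toy parameters: p = 61, q = 53, d = 2753 (so n = 3233, e = 17).
    (e, n), d = make_keys(61, 53, 2753)
    c = E(65, e, n)                            # Alice encrypts m = 65 with Bob's public key
    print(e, n, c, D(c, d, n))                 # 17 3233 2790 65
    print(roundtrips_all(e, d, n))             # True: E and D are inverses
    sig = sign(65, d, n)                       # Bob signs with his private key
    print(verify(65, sig, e, n), verify(66, sig, e, n))   # True False
```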
  - This is a nice scheme because every user needs to remember only one key, and all senders can use the same public key to encrypt mail to that user. Using digital signatures will allow the receiver to know who he or she is getting the mail from.
+ Digital Signatures:
  - Allows users to sign their information so that the receiver will know who it came from. This scheme uses the public keys to certify the identity of the data being sent. Example: Bob writes a message to Alice using Bob's own private key. Alice can check whether the message is from Bob by using Bob's public key to see if it decrypts. Anything that decrypts into readable text with Bob's public key must have come from Bob. This can be made legally binding as a form of electronic signature.
  - Encryption with your own private key can be read by anyone.
  - Encryption with your own private key and with someone else's public key can only be read by the intended recipient.
+ One Way Encryption:
  - Stores an encrypted password in a file.
  - Pros:
    - Don't have to be able to decrypt it; just compare the encrypted submitted password with the stored password in the encrypted password file.
    - Can't deduce what needs to be submitted. (The encryption algorithm should not be invertible.)
  - Cons:
    - Possible to "decrypt" the password in the password file by generating all the possible encrypted passwords and comparing.
+ General Problem - How do we know that an encryption mechanism is safe?
  - This is extremely hard to prove.
  - Hot topic for researchers.
+ More on the CLIPPER Chip
  - Chip contains:
    + 64-bit block encryption (algorithm classified)
    + Uses 80-bit keys.
    + Uses 32 rounds of scrambling (compared to 16 for DES).
    + Uses the following numbers:
      + F - 80-bit key used by all Clipper chips
      + N - 30-bit serial number (per chip)
      + U - 80-bit secret decryption key for this chip only
  - Secure conversation occurs this way:
    + Session key K is negotiated (somehow).
    + E(M;K) is the encrypted message stream.
    + E(E(K;U), N; F) is a "law enforcement block". With F, we can get E(K;U) and N. From N (the serial number), we can get U (held by federal agencies), and then can get K. From K, we can decrypt messages.
    + Key U is the xor of U1 and U2. U1 and U2 are held by different federal agencies. (Can get both U1 and U2 only with a court-ordered wiretap.)
- End of topic Encryption -

--------
Karl's Lecture begins

Security -
+ Adversaries
  - There is a possibility that information gets modified or listened to before it gets to the expected destination.

        Alice -------------------------> Bob
                        ^
                        | Mallet (evil)

  - Trust = dependence = bad. By minimizing what's trusted, we minimize dependencies.
  - Examples: Do not trust that packets over the network will not be changed. Do not trust that the network will not allow eavesdroppers.
+ Authentication - Identifying who you are talking to.
+ Authorization - What they are allowed to do once they have been identified.
+ Hash Functions
  - md5 cannot be reversed.
  - Example: md5("hi") = "somestuff"; there is no md5Reverse("somestuff") to get "hi" back.
  - Allows a password to be verified but not retrieved.
  - Can be attacked by hashing all the dictionary words and then comparing. However, this can be addressed by adding a salt (random characters added on, but stored somewhere).
  - Example: md5(salt + "hi")
  - Weaknesses have been found in MD5 and, recently, in Secure Hash Algorithm (SHA)-1; easily brute-forcible.
+ Authenticity - When you want to verify that a message from Alice is
  1. originated by Alice
  2. not altered by an attacker
  3. not replayed by an attacker
  4. not re-ordered by an attacker
  - Solutions:
    1. Use a digital signature.
    2. Generate an authentication code based on a shared key and the message.
    3. & 4. Use sequence numbers and an "I'm Finished" message (FIN).
+ Confidentiality - Use Encryption.
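An added example (not from Karl's lecture) of solutions 2, 3 and 4 above combined into one authenticated channel: a MAC over the shared key, the sequence number and the message, plus a FIN message that closes the channel. Bob's side rejects frames that are altered, replayed, re-ordered or sent after FIN. It uses HMAC-SHA256 rather than md5; the key and messages are constructed samples.

```python
import hmac, hashlib

SHARED_KEY = b"constructed-demo-key-not-for-real-use"   # constructed sample key

def mac(key: bytes, seq: int, body: bytes) -> bytes:
    # The sequence number is covered by the MAC, so it cannot be altered either.
    return hmac.new(key, seq.to_bytes(4, "big") + body, hashlib.sha256).digest()

def send(key: bytes, seq: int, body: bytes) -> tuple:
    """Alice's side: a frame is (seq, body, MAC)."""
    return (seq, body, mac(key, seq, body))

class Receiver:
    """Bob's side: accepts frames only in strict sequence order, until FIN."""
    def __init__(self, key: bytes):
        self.key, self.expected, self.closed, self.accepted = key, 0, False, []

    def receive(self, frame: tuple) -> str:
        seq, body, tag = frame
        if self.closed:
            return "rejected: channel closed after FIN"
        if not hmac.compare_digest(tag, mac(self.key, seq, body)):
            return "rejected: bad MAC (altered or forged)"
        if seq < self.expected:
            return "rejected: replay"
        if seq > self.expected:
            return "rejected: out of order (gap)"
        self.expected += 1
        if body == b"FIN":
            self.closed = True
            return "accepted: FIN"
        self.accepted.append(body)
        return "accepted"

def demo() -> list:
    """Run a constructed exchange and return Bob's verdict for each frame."""
    bob = Receiver(SHARED_KEY)
    f0 = send(SHARED_KEY, 0, b"transfer 10 to Bob")
    f1 = send(SHARED_KEY, 1, b"transfer 20 to Bob")
    f2 = send(SHARED_KEY, 2, b"FIN")
    altered = (f1[0], b"transfer 99 to Bob", f1[2])   # Mallet edits the body, keeps the MAC
    # Delivery order: good, altered, FIN too early, f1, f0 replayed, FIN, f1 after FIN
    return [bob.receive(f) for f in (f0, altered, f2, f1, f0, f2, f1)]
```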
+ Secure channel
  - Authenticated channel + encrypted channel => secure channel
  - Must not allow the attacker to guess the secret key:
    - even if the attacker can eavesdrop on many messages and their MACs
    - even if he can trick the sender into sending messages of his choosing and eavesdrop on the MAC (Message Authentication Code).
+ Symmetric vs. Asymmetric Encryption
  - Symmetric encryption = private key encryption
    - Encryption and decryption share the same secret key.
    - Examples of ciphers: Caesar cipher, Transposition cipher, DES, 3DES, AES, Blowfish, CAST, ARCFOUR.
  - Asymmetric encryption = public key encryption
    - Encryption and decryption use different keys.
    - The encryption key can be a public key.
    - Examples of algorithms: RSA, DSA
    - Implementations: PGP, GPG (email & general-purpose), SSL, and SSH.
  - How asymmetric encryption can work: key pair K_private, K_public
    - Can derive K_public from K_private, but not vice versa.
    - [plain text]K_private = cipher text
    - [cipher text]K_public = plain text
    - [plain text]K_public = cipher text
    - [cipher text]K_private = plain text
+ Digital Signatures - Alice wants everyone to know that message m was written by her.
  - [m]Alice_private (encrypt m with Alice's private key) = signature
  - Everyone else can check [signature]Alice_public (decrypt with Alice's public key) = m
  - If the decrypted m is plain text, then the message was written by Alice.
+ Public Key Encryption - Alice wants to send Bob a message m
  - [m]B_public_key = encrypted-m
  - [encrypted-m]B_private_key = m
  - In practice, public key encryption also uses signatures.
  - Alice signs her m with her private key: [[m]B_public]A_private (first encrypt the message with Bob's public key, then encrypt the encrypted message with Alice's private key).
+ Certificates - Useful because your browser does not have to hold millions of public keys even though there exist millions of websites.
  With certificates, the browser only needs to hold one public key, from the certificate authority (e.g., Verisign).
  - How it works: Alice wants to send a signed document to Bob. To verify the signature on the document, Bob uses Verisign's (the certificate authority's) public key to check the signature on Alice's certificate, to prove that Verisign created it. After the certificate has been successfully decrypted, Bob can check that Alice is in good standing with Verisign and that all the information concerning Alice's identity has not been altered.
  - Main defense: certificates have an expiration date.

Network Security -
+ Attacks on TCP: source spoofing
  - Analogue to "call back": SYN ACK
  - The SYN ACK has to go back to the source address.
  - The SYN ACK contains the initial sequence number (ISN).
  - To spoof packets:
    - Predict the ISN. Example: create a dummy connection to get the ISN, and hope the next connection's ISN is ISN+1 or ISN+2.
  - Solution: use a random ISN.
+ Attacks on TCP: SYN flood ("SYN trickle" attack)
  - In TCP, there is a limit to the state size (max 6 pending connections).
  - Un-acknowledged SYN ACKs expire after a minute; by sending 6 SYNs a minute, an attacker can prevent anyone else from connecting (Denial of Service).
  - Solution: SYN cookies - don't create state until the next packet after the SYN ACK.
+ Worms
  - Form an ecosystem.
  - Spread rapidly, in a matter of seconds, throughout the network.
  - Logistic curve: infects until there is no one else to infect.
  - Does not need human interaction (as a virus does); it just spreads on the vulnerability.
  - Can be polymorphic.
  - Traditional defense uses signature-based scanners.
    - This requires a human to analyze the worm and create the signature.
  - New approaches to defense against worms:
    - Automatic signature generation
    - Machine learning
+ Malware - programs that try to hurt your system, corrupt your hardware.

Karl's Research Projects -
1. Finding & verifying the lack of format string vulnerabilities in Debian Linux
2.
Semi-supervised learning on novel worms
- End of Karl's lecture -

--------
Next Topic: Real Time Systems

+ Real Time Systems - systems that deal with the real world. They do not support time sharing and must complete certain events by a real-time DEADLINE.
  - The most typical real time system is a mechanical system. Examples: assembly line, anti-ballistic missile defense, medical systems.
+ What a Real Time System must be able to do:
  1. Meet all deadlines with 99+% - 100% probability.
  2. Handle the aggregate load.
+ What a Real Time System needs:
  1. Deadline scheduler - schedule events such that every event is completed by its specified deadline.
  2. Avoidance of page faults - generally must lock deadline-oriented code into memory.
  3. Avoidance of I/O when a deadline is pending - must gather the necessary information from I/O devices in advance.
+ Real Time System does not imply that no cache memory is allowed.
  - Generally, with a cache memory, the system will finish an event before the deadline.
  - Cache always makes things faster. However, Smith explains that real time systems do not use cache because the people who make real time systems can't afford to be imprecise; they are paranoid about determinism!
- End of topic Real Time Systems -

------
Next Topic: Virtual Machines (Very brief)
Reading: Robert Goldberg, "Survey of Virtual Machine Research", IEEE Computer, June 1974, pp. 34-45. (pp. 435-446 inside Reader #1)

+ Virtual Machines - a software version of the basic hardware machine.
  - This is accomplished by allowing most of its instructions to execute on the real hardware.
+ Virtual Machine Monitor (VMM) - the heart of the VM. This is the piece of software that provides the pseudo-bare machine interfaces.
  - This transforms a single machine interface into the illusion of many.
  - Each of these virtual machines is an efficient replica of the original computer system (processor instructions, memory, I/O devices, etc.).
+ Diagram of the virtual machine idea (pg.
436 and 437 inside Reader #1 for a better picture)
  - The operating system = the privileged software nucleus in the diagram.
  - Figure 1 illustrates multiple extended machine interfaces with only one bare machine interface provided.
  - Figure 2 illustrates multiple virtual machines that extend from a bare machine using a virtual machine monitor.

Figure 1.

              [Bare Machine]
            -^-^-^-^-^-^-^          <- Basic Machine Interface
                  [OS]
                 /    \
                /      \
               /        \
             [ ]  <->  [ ]          <- Extended Machines
          -^-^-^-^   --^--^--       <- Extended Machine Interface
      [User Program] [User Program]

Figure 2.

                    [Bare Machine]
                  -^-^-^-^-^-^-^                <- Basic Machine Interface
                   /           \
               [ VM ]          [ VM ]
          --^--^--^---      --^-----^---        <- Basic Machine Interface
            [ OS #1 ]         [ OS #2 ]
            /     \           /     \
         [ ] <#1> [ ]      [ ] <#2> [ ]         <- Extended Machines
      -^-^-^-^  --^--^--  -^-^-^-  --^--^--
  [User Program] [User Program] [User Program] [User Program]

- End of today's lecture -