Computer & Info Security (ECS 235A)

Class notes uploaded by Ashleigh Dare
Instructor: Hao Chen

These 51-page class notes were uploaded by Ashleigh Dare on Tuesday, September 8, 2015. They belong to ECS 235A at the University of California, Davis, taught by Hao Chen in Fall. Since their upload they have received 44 views.

Date Created: 09/08/15

ECS 235A lecture, 10/12/07

Projects: proposals are due two Mondays from now (10/22); indicate whether it is an ongoing or a new project. The midterm report is due in the middle of the quarter. The poster session (2 hours) is at the end of the quarter, on the last day in class.

Paper on intrusion detection

What are the typical problems with intrusion detection systems (IDS)?

Problems with typical IDS:
- Difficult to detect new attacks
- Most are based on knowledge of known vulnerabilities
- High false positive rate
- Problem of correlating the alerts so that you have 1 alert and not several
- Difficult to build models
- Performance overhead

Clever ideas to overcome these problems:
1. Build models from the program automatically
   a. Extract the model from the source code
   b. This solves the problem of building models
2. Observation: an exploit needs to go through system calls
3. Aim for zero false positives
   a. Motivation: real-world systems that have lots of false positives will not meet the psychological acceptability principle; most places would just turn them off. If you have a system with zero false positives but some false negatives, it is better than having no system in place at all.

Big question: how to build the model of the program?
- Run another copy of the program. Problem: the copy of the program may have the same vulnerability.
- Build 2 copies of the program (2 teams). Problem: cost, and vulnerabilities still exist in shared library code.

Models:
1. Set model
   a. Like the flow-insensitive model: a "bag of calls" model with no flow. At runtime, look at the system calls and for each call check whether that system call is in the bag.
   b. Problem: does not take order into account.
2. N-gram model
   a. Look at system call sequences, e.g. 3 calls: put every set of 3 consecutive calls in the model. In the paper they use N = 2 (digraph model).
3. FSA
   a. Formally describe/model the program: try to model all the system calls using an FSA (nodes and edges).
   b. Control flow graph:
      i. Nodes: statements
      ii. Edges: transitions
      iii. Input symbols: syscalls ∪ {ε} (an epsilon transition is a statement with no system call)
      iv. Need a special WRONG state: any system call from a non-system-call state, or any call other than the system call on an edge from a system-call node, should be sent to the WRONG state. WRONG is an accepting (final) state. If an input string is accepted, then an intrusion has happened.
   c. At runtime, try to determine whether the FSA accepts the string that is the system call trace of the running program.

Problems / shortcomings:
1. Context-insensitive: doesn't correlate function calls with function returns. This can lead to many infeasible paths and lots of false negatives.
2. Nondeterministic, because it has epsilon transitions: you have to explore at runtime, exponential in the worst case.
   - Could convert to a DFA, but then you may need exponential space.
   - There is no way to get over context insensitivity this way.
3. To improve the precision by including context sensitivity:
   - Push-down automata
     - Solves the context insensitivity problem
     - But still nondeterministic, because it has epsilon transitions
   - So try to convert it to a deterministic one, but you can't convert an NDPDA to a DPDA. This is a problem because the slowdown is tremendous.

Assumptions:
1. Assume that we know the paths of the program from its source code. But certain programming idioms can circumvent this:
   - Signal handlers
     - Could solve by adding a transition from every node to the signal handler
     - Instead they punted it to the runtime. A similar signal handler was added: their runtime system can inject a prologue and an epilogue into the signal handler.
   - Problem: the IDS doesn't know when your program has entered a given function. If your program enters a function without making a system call, the IDS doesn't know. When the syscall happens, your IDS doesn't know which function you are in. If we can tell the IDS which call we are in, we can remove much of the nondeterminism: any time your program makes a function call, you emit a signal on entering and on exiting. This is an extension to handle signal handlers. You have to instrument your program to emit those signals.

Shortcomings (continued):
1. Performance
2. Mimicry attacks
   a. Example: the model allows open(/usr/bar), read. But an attacker could do open(/etc/passwd), read: this fits the allowed sequence of calls but is an attack.
   b. Example: setuid(uid), execv (drop the privilege).
      i. This is safe: it executes a program as the user.
      ii. To attack this: (1) setuid(100) with an invalid value, (2) execv.
      iii. To defeat it, the model would have to check the return value of the function.

Lecture notes for 10/23/08, by Thomas Tran

- Last week: untrusted code
- Janus
  - Untrusted code runs in a sandbox
  - System calls are trapped and evaluated
  - Moderate overhead
    - For certain applications this is tolerable, e.g. a PostScript viewer
    - For certain applications this is NOT tolerable, e.g. a packet filter in a firewall
      - If we run it in user space, there is too much switching between the kernel and user space, and there are too many system calls
      - If we run it in kernel space, untrusted or buggy firewall software could corrupt the kernel or cause the kernel to panic (similar to poor drivers and the BSOD)
  - How do we run untrusted code in the same domain as kernel space?
    - One solution is SFI (Software Fault Isolation)
    - SFI may have little overhead
    - In order to implement SFI we will need to rewrite our application
      - Separate code and data locations
      - Our goal is to not allow code to jump to other parts of memory
      - Example:
            mov eax, ebx
        We cannot statically analyze ebx, therefore we must inject code to do the checking at run time:
            if ((ebx & 0x50FF) != ebx) error;
            mov eax, ebx
        What about an illegal read, should we prevent that? It depends on the policy. If we are only worried about illegal writing then no check is necessary.
      - Example 2:
            jmp const
        Here we can check statically, at compile time, whether const is outside the range of our code.
            jmp ebx
        Again we need to check ebx at run time. With all these if statements we are now introducing more branching, which hurts CPU performance due to less prefetching.

Notes for the September 30th ECS 235A lecture, transcribed by Michael Clifford

It is very difficult to do security formally; security is more of an art. A set of principles can be used to avoid mistakes and guide design. These include:
1. Separation of privilege
2. Least privilege
3. Open design
4. Fail-safe default
5. Economy of mechanism
6. Complete mediation
7. Psychological acceptability
8. Least common mechanism

1. Separation of privilege
- Example: access to both a gun and ammunition is required to fire a gun.
- Example: an adversary has access to only some systems, not to all, so you can transmit data through systems that the adversary does not control.
- Example: anonymous emailer. Mail goes through a series of anonymous remailers:
      S -> R1 -> R2 -> ... -> Rn -> R
  S is the sender, Rx is the x-th recipient. The message needs to include the actual message, the destination and the number of remailers to use. The attacker could compromise one or more remailers. Encrypt the message using a chain of public keys, one for each remailer in sequence:
      {{M, R}_pk2, remailer2}_pk1
  Any compromised node does not know more than the previous or next node. For n remailers:
      {{...{{M, R}_pkn, rn}_pk(n-1) ...}, r2}_pk1
  An anonymous remailer divides privilege among many nodes.

2. Least privilege
Give a program exactly enough privilege to complete its task.
- Example: the root account on Unix is needed for binding to lower-numbered ports. The reason is historical: most root users were considered trustworthy, and all programs that listen on lower-numbered ports were considered trustworthy under the original threat model. This is no longer true.
- Some root account functions: account management, access to the filesystem, access to the entire memory space. Root privilege violates least privilege because if one privilege is required, obtaining root power gives the privilege holder all of the root privileges. To mitigate this, drop the root privilege as soon as possible.
- Sandbox: confine untrusted programs. Use a monitor to determine whether or not the program should be able to make specific system calls.

3. Open design
- Example: algorithms are very hard to change if compromised, but keys are very easy to change. Algorithms should stay open but keys should not.
- The security of the system should not be based on the secrecy of the algorithm. Many people looking at a design are more likely to find problems.

4. Fail-safe default
- Default deny (or the safe choice) unless explicitly allowed. You don't have to enumerate all possible faults.
- Denial of legitimate access results in user complaints if the problem is legitimate.

5. Economy of mechanism
- Keeping things simple prevents mistakes. Small is not necessarily better: small can be complicated. Large is more likely to have bugs.
- Keep unneeded services off.

6. Complete mediation
- A program should check every access to every object.
- File access on Unix:
      fd = open(...)   <- access control is only checked here
      read(fd)         <- read is still permitted even if permissions change or the file is deleted

7. Psychological acceptability
- If secure mechanisms are not acceptable to the user, users will circumvent them.

Lecture notes for Capabilities, ECS 235A Fall 2008, transcribed by Fangqi Sun, Nov 4, 2008

Papers: The Confused Deputy (Hardy); Access Control.

Access control matrix
- In computer systems we have subjects and objects.
  - Subjects are typically users or their representative processes.
  - Objects are resources such as files and devices.
  - Access control is to determine what subjects can access what objects.
- Access control policies are most generally defined through an access control matrix, with subjects on one axis and objects on the other.
  [Figure 1: Access Control Matrix]
- Problems with the access control matrix:
  - Not easily extendable
  - The matrix might be sparse and space may be wasted
- Access control list (ACL)
  - A row in the access control matrix
  - Stored with objects
- Capability
  - A column in the access control matrix
  - Stored with subjects

A good capability system has to make sure that capabilities are unforgeable. This includes protection against creating new capabilities and copying existing ones. Copying is a hard issue to deal with because of the possible existence of covert channels.

Covert channel
- A covert channel is a channel for conveying information that was not created for that purpose.
- Covert channels are difficult to defend against. One example of a covert channel is the existence of specific file names.
- Possible solutions to covert channels:
  - Padding (as SSH pads its packets)
  - Random timing

How to implement capabilities
- Cryptography
- Memory protection, e.g. file descriptors
- Objects: view each object as a capability

The Confused Deputy: possible solutions
- Check if the user can write to the log file:
      if (access_ok(username, logfilename))
          open(logfilename)
- Use setuid to switch between different "hats":
      rwx rwx rwx    setuid bit, setgid bit
       u   g   a
      seteuid(root); open(highest_score_file);
      seteuid(user); open(logfile);
  ruid (real): hchen; euid (effective): root -> hchen; suid (saved): root. Sometimes the suid needs to be set besides the euid, to prevent users from switching back to root.
- open(logfile): however, it is not clear which capability should be applied.

Problems
- Designation without authority is bad: if you name something, you should be able to access it.
- Ambient authority is also bad.
- Explicit capability is better.

ECS 235A Scribe Notes, 10/19/2007, Paul Congdon

Confinement
1. How to confine a program so it will not violate security properties of the system or of other programs?
2. The Janus paper addresses the confinement problem.
3. Early multitasking OSes had a similar problem.
4. The goal of confinement is to uphold (a) confidentiality, (b) integrity, and (c) to a lesser degree, availability.
5. Confidentiality: prevent the leak of confidential information.
6. Integrity: prevent an untrusted program from harming the system.
7. Availability: assure an untrusted program doesn't use too many resources.

Reference monitors
1. An abstract mechanism for confinement approaches.
2. Mediates access to objects and resources.
3. Must possess the following properties: (a) always invoked, (b) easily verifiable.

Mechanisms for confinement
1. OS sandbox
   a. Always invoked: yes; Janus can be always invoked.
   b. Easily verifiable: yes, if the implementation is simple and small, such as Janus.
2. Virtual machines
   a. Always invoked: yes.
   b. Easily verifiable: more complex than sandboxes but less complex than the OS itself.
3. Inline reference monitors (can be applied selectively)
   a. Always invoked: yes, but only on those applications or resources being monitored.
   b. Easily verifiable: may be circumvented because executing programs are not type safe.

Janus paper discussion
1. What is the threat model of Janus? What is trusted and untrusted?
   a. Trusted elements: (i) [first item missing from the notes], (ii) the system call tracing facility.
   b. Untrusted elements: (i) helper applications, (ii) input data to helper applications.
2. System call interposition approach
   a. The assumption is that an application can't do harm without making system calls.
   b. This assertion of course depends upon the definition of harm.
   c. If harm means threats to confidentiality, integrity and availability, then yes, Janus provides protection.
3. Janus in action
   a. Reads the configuration file.
   b. Loads the appropriate monitoring modules.
   c. Sets up the monitoring mechanism (syscall trace utility).
   d. Starts the application to be monitored.
4. Strengths of the approach: very simple.
5. Weaknesses of the approach
   a. Cannot easily support applications that require privileges.
   b. Does not consider the relationship among system calls.
   c. Does not do a taint flow analysis on the data; it cannot track data flow.
   d. Has issues with portability in the implementation.
   e. Difficult to write configurations for Janus.

Comparing Janus and firewalls
1. A firewall is a kind of reference monitor.
2. It should be easier to write rules for a firewall than for Janus, because firewalls are typically looking at a more constrained environment.
3. Janus deals with application semantics better than firewalls. There are more advanced firewalls (application proxies, gateways) that are more aware of application semantics.
4. A firewall reference monitor has the advantage of being separate from the OS and is therefore easier to deploy.
5. Application gateways can recognize more complex payloads but have issues operating in the presence of end-to-end encryption such as SSL.

ECS 235A Scribe Notes, 10/31/2007, Taeho Kwon

Basic components of a botnet: bot master, bots, communication server.

Creation steps of a botnet
1. Add a bot: exploit a vulnerability to take control of the victim; the victim downloads the botware (the bot's software).
2. Join the server.
3. Listen to the server.
4. Execute commands.

Why is the IRC protocol popular for botnets?
- Good for both one-to-one and one-to-many communications
- Stateful protocol
- Simplicity

How to detect botnets
- Use a honeynet
  - Easily detected by the botmaster
  - Can compromise other hosts if the honeynet is not well organized
- Detect unusual connections to predefined suspicious hosts
- Detect correlation among the traffic of the botmaster and the bots
  [Figure: correlation of traffic among botmaster, communication server and bots]

Usage of botnets
- DDoS
- Hosting (requires high availability)
  - Common goods
  - Malware for drive-by download attacks
  - Phishing
- Scam
- Eavesdropping
- Spam

How to guarantee the high availability of a botnet
- Problem
  - The bot itself has low availability: the total number of bots is large but the number of active bots is small.
  - Hard to use botnets for jobs requiring high availability and a complex implementation, like scams.
- Solution
  - Although bots cannot guarantee high availability, the botnet can be highly available by using several techniques:
    - Proxy layer: use a bot as a proxy to a server with high availability.
    - Short DNS TTL: guarantees the connection of bots to the communication servers even though an IP address is banned by the ISP.
    - Organize a fast-flux network to increase reliability.
  [Figure 1: Original Botnet Structure; a scam host with high availability behind a layer of HTTP-proxy bots, reached by victims]

Automated Worm Fingerprinting, date of lecture 11/02/07

Potential obstacles to automatic worm fingerprinting:
- Performance
- The fingerprint may not exist
- False positives (accuracy of the fingerprint)

Observations of worm behavior:
- Content invariance
- Content prevalence
- Address dispersion (same set of source and destination addresses)
- The port can also be used to detect worm-like activity: in client/server applications or P2P networks the port is random, whereas in the case of a worm the port is fixed.

Substring match: the algorithm used to detect worm strings inside packets.
Input: X = x1 ... xn, Y = y1 ... ym. Output: is Y a substring of X?
    for (i = 0; i < n - m + 1; i++)
        if (X[i .. i+m-1] == Y) return yes;
    return no;
Running time of this algorithm: O(nm), quadratic, expensive in real-time packet analysis for worm-like behavior. We can use a hash algorithm to convert it to O(n) time.

Hash algorithm (fingerprint). Choose a large number T. Pick a random prime P in [2, T]. F(X) = X mod P.
    for (i = 0; i < n - m + 1; i++)
        if (F(X[i .. i+m-1]) == F(Y)) return yes;
    return no;
But here the cost of F(X) is O(m), so there is no advantage. But we can implement F(X) in O(1) time if we have knowledge about the previous substring. Treating each window of m bits as a binary number, we can write
    X[i+1 .. i+m] = 2 * X[i .. i+m-1] - 2^m * x_i + x_{i+m}
so
    F(X[i+1 .. i+m]) = (2 * F(X[i .. i+m-1]) - 2^m * x_i + x_{i+m}) mod P
The size of P is log T bits. This gives F(X) in O(1). But this might not always produce the right answer, because the hash function may hash different strings to the same value. The probability is
    Pr[F(X) = F(Y) | X != Y]:   F(X) = F(Y)  <=>  P | (X - Y)
Let a = X - Y = a1 a2 ... ax >= 2^x, where the ai are the prime factors of a; thus x < log a. Let π(T) be the number of primes between 1 and T. Therefore
    Pr[F(X) = F(Y) | X != Y] <= x / π(T) <= n / π(T) < n / (1.26 T / ln T)

Additional issues in the paper: this paper assumes that a fingerprint of the worm will exist in the network packets. But worms can be polymorphic: the code inside the worm can be encrypted. One possible solution for this kind of problem is to look for the encryptor or decryptor code inside the worm.

Scribe, ECS 235, 10/17/2007

Discussing a paper on web security: "Protection and Communication Abstractions for Web Browsers in MashupOS" by Wang, Fan, Howell and Jackson.

In the early days of the Web, interaction started with forms. These forms had the following problems:
- Not all transactions require the server, but in forms errors can't be caught locally
- No incremental update / partial refresh is possible
- Delays due to asynchronous behavior
- Stateless network

Web 2.0 increases interaction by using the following two features:
- AJAX (Asynchronous JAVA and XML)
  - Continuously interacts with the server in the background
  - JavaScript gets data from the server in the background
- Mashups
  - Integrate data from different websites
  - Also let the data from different websites communicate
  [Figure: a URL; Provider 1 and Provider 2 feeding an Integrator]

This does cause a security issue: there may be an information leak from one provider to the other. We use the Same Origin Policy (SOP), which says JavaScript programs can talk to the Web of only their own domain. Mashups can use frames. Hence in this case the following scenarios can take place:
- Provider 1 comes from a.com and Provider 2 comes from b.com: communication possible
- Provider 1 comes from a.com and Provider 2 comes from a.com: communication not possible

Let us assume an example where the two providers are map.com and house.com. The above takes place when they are both being integrated using some mashup. To avoid the problems mentioned we devise a few ways:
- In the first case we use <script> tags to include the code from map.com in the integrator, and since the presence of the <script> tag determines the origin, by the SOP communication can take place. The problem with this approach is that now map.com can access house.com.
      Integrator:  <script> code from map.com </script>
- Proxy-based approach: the SOP is no problem in this approach, but the Integrator can be rendered as the choke point.
  [Figure: house.com and map.com proxied through the Integrator to the Browser]

So the current approach is an all-or-nothing mechanism, which is to be resolved.

Communication possibilities:

    Integrator -> Provider | Provider -> Integrator | Usage
    Not possible           | Not possible           | Frames
    Possible               | Possible               | <script>
    Possible               | Not possible           |
    Not possible           | Possible               | Unusual situation

This paper provides a mechanism for the last two situations, which allows one-way (restricted) communication. This is done by using the following two tags: <Sandbox> and <OpenSandbox>. They guarantee one-way access and let the Integrator communicate with the provider. If the Integrator and the Provider are from the same domain then we use <Sandbox>, and if they are from different domains then we use <OpenSandbox>.
  [Figure: house.com inside <OpenSandbox> ... </OpenSandbox>]
The disadvantage is that <Sandbox> and <OpenSandbox> give all privileges. Another approach is to use the <Friv> tags, which allow two-way communication pipes.
  [Figure: house.com and map.com joined by a 2-way <Friv> channel for communication]

Weaknesses:
- The implementation requires browser and website changes
- Assumes that integrators are trusted and not malicious

ECS 235A class, 10/03/2007

Anonymous remailers
- Idea: based on a chain of remailers.
      source -> 1 -> 2 -> ... -> k -> destination
- Every component has a key pair.
- How does the source send a message m to the destination?
  a. The source finds a path to the destination.
  1. The source sends the data to 1. 1 decrypts and discovers the next node.
  2. 1 sends the data to 2. 2 decrypts and discovers the next node.
  3. ...
- Data:
      E_1( E_2( ... E_k( E_dest(message), A_dest ) ..., A_3 ), A_2 )
  where E_i is encryption under node i's key and A_i is node i's address.
- Conclusion: no one will know who the source is and who the destination is.
- What design principle does it follow? Separation of privilege.

Passwords
- Let us imagine that we are registered on 20 websites.
  - If we use 20 different passwords, we can't remember them.
  - If we use the same password for all sites and the password is compromised, they will have access to everywhere.
- Different solutions:
  - OpenID: a third party verifies our identity.
    - We only have to remember the third-party password.
    - If the third party (the central point) is compromised, e.g. by phishing, they will have access to everywhere.
  - Physical devices: the user has a physical device containing the passwords.
  - Password hash: uses one-way functions.
    - One-way function H: a function which is easy to perform in one direction but is difficult to perform in the other direction.
    - A piece of software computes the hash for a given URL:
          H(master password, URL) = password for the website
    - If the attacker is on the platform which computes the hash, our master password could be compromised.
    - If the attacker is on the network, the master password is secured by the hash function.
- How do websites usually store passwords?
      USER  ---(secure channel)--->  WEBSITE
      enters pwd                     computes h(pwd); stores h(pwd)

Other important principles
There are some other principles that the paper forgot to mention:
- Orthogonal security principle
  - Definition: if a mechanism has been compromised, it doesn't affect other mechanisms.
  - Examples: SSL at the transport layer; a firewall (if the system is compromised, the firewall will still be working); IDS (intrusion detection system).
- Formalism
  - Demanding formal proofs of the security mechanisms and systems.
  - Normally it is hard to do.

Buffer overflow
Actually buffer overflow is the enemy no. 1 in security, but hopefully it is going to go extinct.
- Attack goals:
  - Inject & execute malcode
  - Jump to existing code, e.g. execute functions like exec(path), which normally are at a fixed memory location
  - Crash the application
- Program error classification:
  - Trapped errors: behavior specified; the program terminates immediately; enforced by hardware; e.g. division by zero.

Cryptographic protocols: design and analysis
David Wagner, University of California, Berkeley

Notation
- A, B, C, S: names of legitimate parties (short for Alice, Bob, client, server).
- M: name of a malicious attacker (short for Mallet).
- "1. A -> B: x" means (1) the protocol designer intended the message x to be sent by A to party B, and (2) this message was intended to be sent first in a series of ...

Caveats about "1. A -> B: x". Do note:
1. B only receives the message x, not who it came from. Thus messages should include the sender's name if the receiver needs to know it.
2. There is no guarantee that A, the network or the adversary behave as intended. Thus messages might be intercepted, modified, reordered ...

More notation
- k is a key, k^-1 is its inverse. For symmetric cryptosystems k = k^-1; for public-key cryptosystems k is the public key and k^-1 the corresponding private key.
- {x}_k means x encrypted under k. Warning: this is implicitly assumed to provide both secrecy a... the standard notation. For instance, {x, y}_k securely binds x ... Exercise: how do you implement {x}_k?
- [x]_{k^-1} means x signed under k^-1. Most authors conventionally use {x}_{k^-1} for signatures, but I don't like the standard notation. Exercise: why not?

Still more notation
- T_A is a timestamp chosen by A.
- N_A is an unpredictable random nonce (a challenge) chosen ...

Who's awake? What does the following notation mean?
    1. A -> B: {[k_AB, A, B]_{K_A^-1}}_{K_B}
    2. B -> A: {message}_{k_AB}

Warm-up: establishing a secure channel with a challenge-response protocol. Can you spot the flaw?
    1. A -> B: A
    2. B -> A: N_B
    3. A -> B: [N_B]_{K_A^-1}
    4. A -> B: {message}_{K_B}
    5. A -> B: {message}_{K_B}

Denning-Sacco
Key exchange between A and B with the aid of an online certification server:
    1. A -> S: A, B
    2. S -> A: cert_A, cert_B
    3. A -> B: cert_A, cert_B, {[k_AB, T_A]_{K_A^-1}}_{K_B}
Can you spot the flaw?

Breaking Denning-Sacco. Look closely at message 3: the key k_AB isn't bound to the names of the endpoints A, B. Therefore B can extract the quantity [k_AB, T_A]_{K_A^-1} and use it in a new connection to C, like this:
    3. B -> C: cert_A, cert_C, {[k_AB, T_A]_{K_A^-1}}_{K_C}
As a result, C mistakenly concludes he is speaking with A.
Lesson / moral: be explicit. Bind all names and all other relevant c... every message. Exercise: why do so many protocols fail this way? Credits: Abadi.

Early SSL: key exchange with mutual authentication
    1. A -> B: {k_AB}_{K_B}
    2. B -> A: {N_B}_{k_AB}
    3. A -> B: {cert_A, [N_B]_{K_A^-1}}_{k_AB}
Can you spot the flaw?

Breaking early SSL. Look closely: Alice will sign anything with her private key. The attack on early SSL: B can open a connection to C and pretend to be A as follows.
    1. B -> C: {k_BC}_{K_C}
    2. C -> A: {N_C}_{k_BC}
When C challenges B with the nonce N_C, Bob sends N_B = N_C and uses her as an oracle:
    1. A -> B: {k_AB}_{K_B}
    2. B -> A: {N_C}_{k_AB}
    3. A -> B: {cert_A, [N_C]_{K_A^-1}}_{k_AB}
A will sign anything, so B extracts [N_C]_{K_A^-1} and he's in:
    3. B -> C: {cert_A, [N_C]_{K_A^-1}}_{k_BC}

Fixing early SSL. Fix: replace [N_B]_{K_A^-1} with [A, B, N_A, N_B]_{K_A^-1}:
    1. A -> B: {k_AB}_{K_B}
    2. B -> A: {N_B}_{k_AB}
    3. A -> B: {cert_A, [A, B, N_A, N_B]_{K_A^-1}}_{k_AB}
Moral: don't let yourself be used as a signing oracle. Add randomness and bind names before signing. Credits: Abadi.

GSM challenge-response. A is a cellphone handset, B is a base station.
    1. B -> A: N_B
    2. A -> B: A, [N_B]_{K_A^-1}, {data}_{k_AB}
where k_AB = f(K_AB, N_B) is the voice privacy key. Can you spot the weakness?

X.509 standard
Sending a signed, encrypted message to B:
    1. A -> B: A, [T_A, B, {message}_{K_B}]_{K_A^-1}
Can you spot the flaw?

Breaking X.509. Look again at message 1: there's no reason to believe the sender was ever aware of the contents of the message.

An attack on X.509. Example: proving yourself by sending a password. Attacker M intercepts Alice's encrypted password:
    1. A -> B: A, [T_A, B, {password}_{K_B}]_{K_A^-1}
Then M extracts {password}_{K_B} and sends
    1. M -> B: M, [T_M, B, {password}_{K_B}]_{K_M^-1}
Now M is in without needing to know the password.

Another attack on X.509. Example: secure auctions. The same attack provides an easy way for M to send in a copy ... under his own name, without needing to know what A's bid was.

Lessons. An important difference between:
- Authentication as endorsement, i.e. taking responsibility
- Authentication as a way of claiming credit
Encrypting before signing provides a secure way of assigning ... but an insecure way of establishing credit. Moral: sign before encrypting. Credits: Abadi.

TMN. Pop quiz: watch carefully. A and B establish a shared key k_B using the help of a fast server:
    1. A -> S: {k_A}_{K_S}
    2. B -> S: {k_B}_{K_S}
    3. S -> A: k_A ⊕ k_B
A recovers k_B as k_A ⊕ (k_A ⊕ k_B) = k_B. Can you spot the flaw?

Breaking TMN. Let's play "spot the oracle". The attack: given {k_B}_{K_S}, M and M' can conspire to recover k_B:
    1. M  -> S: {k_B}_{K_S}
    2. M' -> S: {k_M'}_{K_S}
    3. S  -> M: k_B ⊕ k_M'
Now M and M' can recover k_B from {k_B}_{K_S}. Credits: ...

Goss railway protocol. A and B establish an authenticated shared key k_AB = r_A ⊕ r_B:
    1. A -> B: A, {r_A}_{K_B}
    2. B -> A: B, {r_B}_{K_A}
Do you see the subtle weakness?

Triangle attacks on Goss. If session keys sometimes leak, the system breaks. M can recover r_A from {r_A}_{K_B} by opening a session to B and replaying A's encrypted contribution to the key:
    1. M -> B: M, {r_A}_{K_B}
    2. B -> M: B, {r_B}_{K_M}
Now if M can learn k_BM somehow, he can compute r_A = k_BM ⊕ r_B. Basically, if B lets session keys leak, M can use him as an oracle to obtain r_A from {r_A}_{K_B}. Play the same game with A to recover r_B from {r_B}_{K_A}; you then learn k_AB. Credits: ...

Implementing protocols. Explicitness is powerful and cheap. The mathematical notation
    1. B -> A: N_B
    2. A -> B: [N_B, k_AB, A, B]_{K_A}
might be implemented in practice as
    1. B -> A: "Msg 1 from B to A of GSM protocol v1.0 is a ..."
    2. A -> B: "Msg 2 from A to B of GSM protocol v1.0 is the challenge N_B, and A asserts that the ses... fresh and good for communication between ... session where N_B was seen", signed under K_A
Can you see why each of the elements above is there?

Implementing protocols. Any value received as cleartext should be treated as untrustw... may use it as a hint for performance, but don't depend on it fo... Minimize state: each message should be self-explanatory.
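The FSA model from the 10/12/07 intrusion-detection notes above, as an added worked example that is not part of the original notes: a small nondeterministic FSA over system-call names with epsilon edges and a WRONG sink state, simulated as a set of live states over a trace. The program model and the three traces are constructed for illustration; the mimicry trace shows why a model that only sees call names cannot notice a changed argument.

```python
"""Added example: FSA model of a program's system-call behaviour, simulated
as a set of live states (epsilon closure + one step per syscall), with the
notes' WRONG sink state marking an intrusion."""
from collections import defaultdict

EPS = None        # epsilon edge: a statement that makes no system call
WRONG = "WRONG"   # accepting (final) state: reaching it means intrusion


class SyscallFSA:
    """Nondeterministic FSA whose input symbols are system-call names."""

    def __init__(self, edges, start):
        self.start = start
        self.eps = defaultdict(set)    # state -> states reachable by epsilon
        self.call = defaultdict(set)   # (state, syscall) -> next states
        for src, label, dst in edges:
            if label is EPS:
                self.eps[src].add(dst)
            else:
                self.call[(src, label)].add(dst)

    def closure(self, states):
        """Every state reachable from `states` through epsilon edges only."""
        seen, stack = set(states),  list(states)
        while stack:
            for nxt in self.eps[stack.pop()]:
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        return seen

    def step(self, states, syscall):
        """Consume one syscall.  No live state with a matching edge is the
        notes' rule 'send it to the WRONG state'."""
        nxt = set()
        for s in self.closure(states):
            nxt |= self.call.get((s, syscall), set())
        return nxt if nxt else {WRONG}

    def check_trace(self, trace):
        """Return (intrusion, index): index of the first offending call,
        or None when the whole trace is accepted by the program model."""
        states = {self.start}
        for i, name in enumerate(trace):
            states = self.step(states, name)
            if states == {WRONG}:
                return True, i
        return False, None


# Constructed control-flow graph of a toy program: open a file, read it in a
# loop, optionally write, then close and exit.  Edges are (src, label, dst).
PROGRAM_EDGES = [
    ("s0", EPS, "s1"),      # prologue, no syscall
    ("s1", "open", "s2"),
    ("s2", "read", "s3"),
    ("s3", EPS, "s2"),      # loop: read again
    ("s3", EPS, "s4"),      # branch: go and write
    ("s3", EPS, "s5"),      # branch: skip writing
    ("s4", "write", "s5"),
    ("s5", "close", "s6"),
    ("s6", "exit", "s7"),
]

# Constructed traces as (syscall, argument).  The model only sees names.
BENIGN = [("open", "/usr/bar"), ("read", 3), ("read", 3),
          ("write", 1), ("close", 3), ("exit", 0)]
ATTACK = [("open", "/usr/bar"), ("read", 3), ("execve", "/bin/sh"), ("exit", 0)]
MIMICRY = [("open", "/etc/passwd"), ("read", 3), ("close", 3), ("exit", 0)]


def build_model():
    return SyscallFSA(PROGRAM_EDGES, "s0")


def names(trace):
    """What the syscall-tracing facility hands to the model: names only."""
    return [name for name, _ in trace]


if __name__ == "__main__":
    fsa = build_model()
    for label, trace in (("benign", BENIGN), ("attack", ATTACK),
                         ("mimicry", MIMICRY)):
        print(label, fsa.check_trace(names(trace)))
```

The set of live states is what the notes call the nondeterminism; tracking the set (rather than one path at a time) bounds the cost per syscall by the number of model states.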

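The confused-deputy material above (designation without authority, ambient authority, explicit capability), as an added example that is not part of the notes: a constructed toy filesystem in which a "compiler" deputy running with root-like ambient authority can be pointed at the billing file the user merely named, and the same deputy made safe by taking a write capability the user had to obtain with its own rights. The paths, owners and the Denied exception are all constructed.

```python
"""Added example: the confused deputy with ambient authority, and the same
deputy made safe by an explicit capability.  Everything here is constructed."""


class Denied(Exception):
    """Raised when a subject has no right to open the requested object."""


class WriteHandle:
    """A capability: possessing it IS the authority to write one file.
    It is unforgeable here only because callers reach a file's contents
    solely through open_for_write (compare a Unix file descriptor)."""

    def __init__(self, fs, path):
        self._fs, self.path = fs, path

    def write(self, text):
        self._fs._files[self.path][1] += text


class FileSystem:
    """Toy filesystem: path -> [owner, contents]."""

    def __init__(self):
        self._files = {}

    def create(self, owner, path):
        self._files[path] = [owner, ""]

    def read(self, path):
        return self._files[path][1]

    def open_for_write(self, subject, path):
        """The only access check: the owner or 'root' may open for writing."""
        owner = self._files[path][0]
        if subject not in (owner, "root"):
            raise Denied(f"{subject} may not write {path}")
        return WriteHandle(self, path)


BILLING = "/var/billing"            # constructed: the deputy's own record
ALICE_DEBUG = "/home/alice/debug"   # constructed: a file alice owns


def make_fs():
    fs = FileSystem()
    fs.create("root", BILLING)
    fs.create("alice", ALICE_DEBUG)
    return fs


def can_open(fs, subject, path):
    """True when `subject` could obtain a write capability for `path`."""
    try:
        fs.open_for_write(subject, path)
        return True
    except Denied:
        return False


def compile_ambient(fs, user, source, debug_path):
    """Deputy running as root.  Its authority is ambient: every open it does
    uses root's rights, including the one for the path the USER designated
    (designation without authority, in the notes' words)."""
    fs.open_for_write("root", BILLING).write(f"{user} compiled {source}\n")
    fs.open_for_write("root", debug_path).write(f"debug output for {source}\n")


def compile_capability(fs, user, source, debug_handle):
    """Deputy keeps root's authority for ITS object (billing) but writes the
    debug output through a capability the caller obtained with its own
    rights, so it cannot be aimed at an object the caller may not write."""
    fs.open_for_write("root", BILLING).write(f"{user} compiled {source}\n")
    debug_handle.write(f"debug output for {source}\n")


def confused_deputy_demo():
    """alice names the billing file as her debug file; the deputy obliges."""
    fs = make_fs()
    compile_ambient(fs, "alice", "prog.c", BILLING)
    return fs.read(BILLING)


def capability_demo():
    """alice must open the debug file herself: naming BILLING is refused by
    the access check before the deputy ever runs."""
    fs = make_fs()
    assert not can_open(fs, "alice", BILLING)
    handle = fs.open_for_write("alice", ALICE_DEBUG)
    compile_capability(fs, "alice", "prog.c", handle)
    return fs.read(BILLING), fs.read(ALICE_DEBUG)


if __name__ == "__main__":
    print("ambient:   ", repr(confused_deputy_demo()))
    print("capability:", capability_demo())
```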

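The fingerprint search from the worm-fingerprinting notes above, as an added example that is not taken from the notes, carried over bytes (base 256) rather than bits, so the rolling recurrence uses 256 where the notes use 2. The random prime P is drawn with a Miller-Rabin test, every fingerprint hit is confirmed by a direct compare so a collision can never produce a false match, and the packet and signature bytes are constructed.

```python
"""Added example: Rabin-fingerprint substring search over packet bytes.
Base B = 256 (bytes) replaces the notes' base 2 (bits); the recurrence is
otherwise the notes' one:
    F(X[i+1..i+m]) = (B*F(X[i..i+m-1]) - B^m*x_i + x_{i+m}) mod P."""
import random

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for p in _BASES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(T, rng=random):
    """Pick a random prime P with 2 <= P <= T, as the notes prescribe."""
    while True:
        p = rng.randrange(2, T + 1)
        if is_probable_prime(p):
            return p


def naive_search(X, Y):
    """The O(nm) reference: compare Y against every window of X."""
    m = len(Y)
    return [i for i in range(len(X) - m + 1) if X[i:i + m] == Y]


def rabin_search(X, Y, P, B=256):
    """Return (matches, candidates).  Candidates are offsets whose fingerprint
    equals F(Y); matches are the candidates confirmed by a direct compare, so
    a collision (different bytes, same value mod P) never yields a match."""
    n, m = len(X), len(Y)
    if m == 0 or m > n:
        return [], []
    fy = fx = 0
    for b in Y:
        fy = (fy * B + b) % P          # F(Y), computed once
    for b in X[:m]:
        fx = (fx * B + b) % P          # F(X[0..m-1]): the only O(m) step
    top = pow(B, m, P)                 # weight of the byte leaving the window
    matches, candidates = [], []
    for i in range(n - m + 1):
        if fx == fy:
            candidates.append(i)
            if X[i:i + m] == Y:        # verify: equal hashes are not identity
                matches.append(i)
        if i + m < n:                  # O(1) roll to the next window
            fx = (fx * B - X[i] * top + X[i + m]) % P
    return matches, candidates


# Constructed packet and signature; no real malware content.
SIGNATURE = b"WORM-SIG"
PACKET = b"packet header WORM-SIG payload WORM-SIG trailer"


def demo(T=1 << 31, seed=235):
    """Search PACKET with a random prime below T, then with the tiny prime 7
    to show collisions surfacing as extra candidates that verification drops."""
    P = random_prime(T, random.Random(seed))
    good, _ = rabin_search(PACKET, SIGNATURE, P)
    weak, weak_candidates = rabin_search(PACKET, SIGNATURE, 7)
    return good, weak, len(weak_candidates)


if __name__ == "__main__":
    print(naive_search(PACKET, SIGNATURE), demo())
```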