Principles of Info Security
Principles of Info Security CS 5323
Popular in Course
verified elite notetaker
Popular in ComputerScienence
This 6 page Class Notes was uploaded by Mireya Heidenreich on Thursday October 29, 2015. The Class Notes belongs to CS 5323 at University of Texas at San Antonio taught by William Winsborough in Fall. Since its upload, it has received 16 views. For similar materials see /class/231368/cs-5323-university-of-texas-at-san-antonio in ComputerScienence at University of Texas at San Antonio.
Reviews for Principles of Info Security
Report this Material
What is Karma?
Karma is the currency of StudySoup.
You can buy or earn more Karma at anytime and redeem it for class notes, study guides, flashcards, and more!
Date Created: 10/29/15
Principles of Information Security CS 5323 Lecture 14 Prof William Winsborough October 23 2007 Security Models A security model is a formal specification of a system for expressing and enforcing a security policy 23 Combat 2on7 Wlnsbur uuh cs 5323 Lecture it Business For Tuesday 1023 read Gollman Chapter 8 Tuesday 1030 and Thursday 111 you will have guest lectures by Prof Hugh Maynard about intrusion attacks and their detection 23 Combat 2on7 Wlnsburuuuh cs 5323 Lecture it State Machines Transition systems A set of states A set of inputs 2 Optionally a set of outputs A transition function S x Z a S 23 Combat 2on7 Wlnsburuuuh cs 5323 Lecture it State Machines Transition systems A set of states S A set ofinputs Z Optionally a set of outputs l39 Atransition function 6 S x Z a S x l39 Security properties can be modeled as sets of states that are deemed secure If the transition function can be shown to preserve the security property then when the system is started in a secure state all reachable states will also be secure 23 Combat 2on7 Wlnsbur uuh cs 5323 Lecture it BellLaPadula Model BLP Enforces the multilevel security MLS policy State machine model 7 Confidentiality Uses an access control matrlx and Securlty levels ute read append write access operations Securlty levels Access matrix l l s x o x A set of all access matrlx tables 7 o e B an ll ldlvldual access matrlx table 23 Combat 2on7 Wlnsburuuuh cs 5323 Lecture it Principles of Information Security CS 5323 Lecture 14 Prof William Winsborough November 6 2008 Business We will have one more midterm near the end of the semester The nal will be cumulative and optional lfyou have done well on the rst two midterms lwill base your grade on those exams plus homework an project lfyou need a chance to improve your performance study the material you didn t masterfor the midterms and ta e e nal Questions from previous lectures Remainder of slides are 2004 Matt Bishop 6 Nwember 2m Wnspumueh cs 5323 Lecture 16 2 NeedhamSchroeder Alice ll Bob ll 71 Alice Cathy Alice ll Bob ll n H 76 ll Alice ll 76 gt 765 gt 764 Alice Cathy wheelie gt765 Alice Bob 72 2 Alice Bob 72 1 gt76 Alice Bob 6 November 2m Wnspumueh cs 5323 Lecture 16 3 Argument Alice talking to Bob Second message Enciphered using key only she Cathy knows So Cathy erlclphered lt Response to rst message As r ll l it matches r ll l rlrstmessage Third message Alice knows only Bob can read it As only Bob can derlve sesslon lltey rrom message Any messages enciphered with that key are from Bob 6 Nwember 2m Wnspumueh cs 5323 Lecture 16 6 Argument Bob talking to Alice Third message Enciphered using key only he Cathy know 80 Cathy erlclphered lt Names Alice session key Cathy provlded sesslon lltey says AllCe ls otherparty Fourth message Uses session key to determine if it is replay 39om Eve lfrlot AllCe Wlll respond correctly ll l rlrth message lrso Eye can t declpherr2 and so can t respond orresponds lrlcorrectly 6 November 2m Wlnspuruueh cs 5323 Lecture 16 5 DenningSacco Modification Assumption all keys are secret Question suppose Eve can obtain session key How does that affect protocol In what follows Eve knows kS Alice ll Jr kB Eve Bob H gt 76 Eve Bob H n 1 gt 76 Eve Bob Member 2m WlnsburuuuhCSSSZSLectureM Solution In protocol above Eve impersonates Alice Problem replay in third step First in previous slide Solution use time stamp Tto detect replay Weakness if clocks not synchronized may either reject valid messages or accept replays Parties with either slow or fast clocks vulnerable to ay Resetting clock does not eliminate vulnerability a Nuvember 2m Winsbumuuh cs 5323 Lemme u 7 NeedhamSchroeder with DenningSacco Modification Alice ii Bob ii 71 Alice Cathy Alice llBobll n ilk ll Alicell Tilr HEWi Alice Cathy Alice M m k k5 Alice Bob HM Alice lt Bob rr 1 gt76 Alice Bob 6 Nwember 2m Winsburuuuh cs 5323 Lemme u a OtwayRees Protocol Corrects problem That is Eve repaying the third message in the protocol Does not use timestamps Not vulnerable to the problems that Denning Sacco modification has Uses integer n to associate all messages with particular exchange a Nuvember 2m Winsbumuuh cs 5323 Lemme u a The Protocol Alice 7 ii Alice ii Bob ii 71 H n H Alice ii Bob 15A Bob nllAliceHBoblHr HnllAliceHBobHr H can 72 in HAliceHBobHrB B b Cathy nrkkrkk Bob nllfnllk h Alice 4 Bob 6 Nwember 2m Winsburuuuh cs 5323 Lemme to 1D Argument Alice talking to Bob Fourth message If 11 matches first message Alice knows it is part of this protocol exchange Cathy generated ks because only she Alice know kA Enciphered part belongs to exchange as r matches r in encrypted part of first message a Nuvember 2m Winsbumuuh cs 5323 Lemme u n Argument Bob talking to Alice Third message If 11 matches second message Bob knows it is part of this protocol exchange Cathy generated ks because only she Bob know k5 Enciphered part belongs to exchange as r2 matches r2 in encrypted part of second message a Nwember 2m Winsburuuuh cs 5323 Lemme u 12 Replay Attack Eve acquires old ks message in third step nri IlkskA r2 kskB Eve forwards appropriate part to Alice Alice has no ongoing key exchange with Bob n matches nothing so is rejected Alice has ongoing key exchange with Bob n does not match so is again rejected lfreplay is rortne current key exchange and Eve sen tn i t e relevant part before Bob dld Eve could sirnplv listen to trarrie no replavinvolved s Nuvemher 2m vvinsnuruuen cs 5323 Lecture lo l d ea User u authenticates to Kerberos server Obtains ticket TumS forticket granting service TGS User u wants to use service 3 User sends authenticator Au ticket TumS to TGS asking for ticket for service TGS sends ticket Tu sto user User sends Au Tu to server as request to use 5 Details follow a Nuvemher 2m vvinsnuruuen cs 5323 Lecture lo Kerberos Authentication system Based on NeedhamSchroeder with DenningSacco modi cation Central server plays role oftrusted third party itcathyi Ticket Issuer vou ch es for identity of requester of service Authenticator Identi es sender s Nwemher 2m vvinsnuruuen cs 5323 Lecture lo Ticket Credential saying issuer has identified ticket requester Example ticket issued to user u for service 5 Tu 5 u H u s address valid time ku 5ks where kw is session key for user and service Valid time is interval for which ticket valid u s address may be IP address or something else Note rnore fields but not relevant nere s Nwemher 2m vvinsnuruuen cs 5323 Lecture lo Authenticator Credential containing identity of sender of ticket Used to con rm sender is entity to which ticket was is e Example authenticator user u generates for serv39 AMS u H generation time H k ku S where kt is alternate session key Generation time is when authenticator generated Note rnore fieldS not relevant nere s Nuvemher 2m vvinsnuruuen cs 5323 Lecture lo Protocol ullTGs user Cathy k k T lt 53gt ull my ii ii rum user TGS userl Jr Mr HT 52 l u uIGS 1A TGS Attila H1 Wu 6 Nwemher 2m vvinsnuruuen cs 5323 Lecture lo la Analysis First two steps get userticket to use TGS User u can obtain session key only if u knows key shared with Cath Next four steps show how u gets and uses ticket for service 5 Service s validates request by checking sender using AM is same as entity ticket issued to Step 6 optional used when u requests confirmation 6 November 2m Winsnumugn cs 5323 Leciuie it Public Key Key Exchange Here interchange keys known eA e5 Alice and Bob s public keys known to all dA d5 Alice and Bob s private keys known only to wner Simple protocol k5 is desired session key k Alice lt gt 25 6 November 2m Winsnuiuugn cs 5323 Leciuie it Problems Relies on synchronized clocks If not synchronized and old tickets authenticators not cached replay is possible Tickets have some fixed fields Dictionary attacks possible Kerberos 4 session keys weak had much less than 56 bits of randomness researchers at Purdue found them from tickets in minutes 6 Nwember 2m Winsnuiuugn cs 5323 Leciuie it Problem and Solution Vulnerable to forgery or replay Be ause e5 known to anyone Bob has no assurance that Alice sent message Simple fix uses Alice s private key k5 is desired session key k at Alice AME Bob 6 Nwember 2m Winsnuiuugn cs 5323 Leciuie it Notes Can include message enciphered with ks Assumes Bob has Alice s public key and vice versa If not each must get it 39om public serv r lf keys not bound to identity of owner attacker Eve can launch a maninthemiddle attack next slide Cathy is public server providing public keys Solution to tnis bll idll ig identity to keys discussed lateras public key infrastructure Pki 6 November 2m Winsnumugn cs 5323 Leciuie it ManintheMiddle Attack Alice sendBob 5 public key Eve mtemegts request Cathy Eve send Bob s public key Cathy 25 Eve Cathy 2 Alice Eve Ur 2 E g Alice 3 E Evemteme smzssa 2 Bob 76325 Eve Bob 6 Nwember 2m Winsnuiuugn cs 5323 Leciuie it Cryptographic Key Infrastructure Goal bind identity to key Classical not possible as all keys are shared Use protocols to agree on a shared key see earlier Public key bind identity to public key Crucial as people will use key to communicate with principal whose identity is bound to key Erroneous binding means no secrecy between principals Assume principal identi ed by an acceptable name a Nuvember 2m Winsbur uuh cs 5323 Lecture w 25 Certificates Create token message containing Identity of principal here Alice Corresponding public key Timestamp when issued Other information perhaps identity of signer signed by trusted authority here Cathy CA 6A Alice II T dC a Nwember 2m Winsburuuuh cs 5323 Lecture w 25 Use Bob gets Alice s certificate If he knows Cathy s public key he can decipher the certi cate When was Certificate issuem lathe principaiAiice7 Now Bob has Alice s public key Problem Bob needs Cathy s public key to validate certificate Problem pushed up a level Two approaches Merkle s tree signature chains 6 Nuvember 2m Winsbur uuh cs 5323 Lecture w 27 Certificate Signature Chains Create certificate Generate hash of certificate Encipher hash with issuer s private key Validate Obtain issuer s public key Decipher enciphered hash Recompute hash from certificate and compare Problem getting issuer s public key a Nwember 2m Winsburuuuh cs 5323 Lecture w 28 X509 Chains Some certificate components in X509v3 Version Serial number Signature algorithm identi er hash algorithm Issuer s name uniquely identi es issuer Interval of validi Subject s name uniquely identi es subject Subject s public ey Signature enciphered hash a Nuvember 2m Winsbur uuh cs 5323 Lecture w 25 X509 Certificate Validation Obtain issuer s public key The one for the particular signature algorithm Decipher signature Gives hash ofcerti cate Recompute hash from certificate and compare lfthey differ there s a problem Check interval of validity This con rms that certi cate is current a Nwember 2m Winsburuuuh cs 5323 Lecture w 3
Are you sure you want to buy this material for
You're already Subscribed!
Looks like you've already subscribed to StudySoup, you won't need to purchase another subscription to get this material. To access this material simply click 'View Full Document'