Special Topics CS 8803
These class notes were uploaded by Alayna Veum on Monday, November 2, 2015. They belong to CS 8803 at Georgia Institute of Technology - Main Campus, taught by Patrick Traynor in Fall. Since upload they have received 34 views. For similar materials see /class/234079/cs-8803-georgia-institute-of-technology-main-campus in Computer Science at Georgia Institute of Technology - Main Campus.
Date Created: 11/02/15
Reverse-Engineering a Cryptographic RFID Tag

Contributions
- The first published work to describe the details of reverse engineering a cryptographic function from its silicon implementation.
- Cheaper and automated.

What are we dealing with?
- Antenna, RF interface, digital control unit (control and ALU, anti-collision, EEPROM interface, authentication, crypto), EEPROM.
- Image analysis of the die.
- Challenge -> Mifare Crypto-1 cipher -> Response; key stream; RNG; 48-bit LFSR.

Protocol analysis
- What data does each memory cell contain?
- Examine communication between Mifare tags and a Mifare reader chip.
- OpenPCD / OpenPICC: open-design 13.56 MHz RFID reader / emulator; free schematics at www.openpcd.org.
- Mutual 3-pass authentication (sector key A or B): reader reads key; tag sends random challenge; reader answers with its own random challenge and its answer; tag verifies the answer and answers; reader verifies the answer. Each sector has two keys.
- Linear filter function.

Cipher vulnerabilities
- Brute force attack.
- Random number generation.
- Pre-computing keys (rainbow table attack). Always add some salt to your hash: when a remote hacker obtains a large list of hashed passwords from a server or database, we're in trouble. hash = md5("deliciously salty " + password).

Possible fixes
- Not resetting the flip-flops.
- Increasing the size of the cipher state (48 bits for Crypto-1, 16 bits for the RNG).
- Combine non-linear feedback.
- Safe now?

Differential Power Analysis
Paul Kocher, Joshua Jaffe and Benjamin Jun, Cryptography Research Inc. Presented by Italo Dacosta.

Tamper resistant devices
- Tamper resistant microprocessors store and process private or sensitive information; the private information cannot be extracted.
- Smart cards: self-contained microcontroller with a microprocessor, memory and a serial interface integrated onto a single chip that is packaged in a plastic card. Used in banking applications, mobile phones, pay TV, etc.

Designing a secure smart card
- Several people are involved, with different assumptions: algorithm designers, protocol designers, software developers, hardware engineers.
- Algorithm designer assumption (Figure: Traditional Cryptographic Assumptions; input message -> cryptographic processing (encrypt / decrypt / sign / etc.) with secret keys -> output message; from "Introduction to Differential Power Analysis and Related Attacks" by P. Kocher et al., Cryptography Research). Typically the algorithm is evaluated in isolation: differential cryptanalysis, linear cryptanalysis.
- Reality (Figure: Actual Information Available; the cryptographic processing also leaks information: power consumption, electromagnetic radiation, timing, errors, etc.; same source).

Side channel attacks
- A correct implementation of a strong protocol is not necessarily secure.
- Failures can be caused by defective computation (D. Boneh, R. A. DeMillo and R. J. Lipton, "On the importance of checking cryptographic protocols for faults", EUROCRYPT 1997) or by information leaked during secret key operations: timing information, invasive measuring techniques, electromagnetic emanations (i.e. TEMPEST), power analysis attacks.

Power analysis attacks
- ICs are built out of individual transistors, which consume power.
- Monitoring and analysis of the power consumption of a device to extract the private information stored in it.
- Relatively cheap, non-invasive attack.

Simple Power Analysis (SPA)
- Focus on the use of visual inspection techniques to identify relevant power fluctuations during cryptographic operations.
- Interpretation of power traces: power consumption measurements taken across a cryptographic operation, typically current used by a device over time.
- SPA DES traces (figures): an SPA trace showing an entire DES operation (current in mA vs time in ms); an SPA trace showing DES rounds 2 and 3; an SPA trace showing differences in power consumption of different microprocessor instructions (jump vs no jump, time in 3.5714 MHz clock cycles).

SPA attack
- SPA can reveal the sequence of instructions executed.
- It can be used to break cryptographic implementations in which the execution path depends on the data being processed: DES key schedule, DES permutations, comparisons, multipliers, exponentiators.

Preventing SPA
- In general, techniques to prevent SPA are fairly simple.
- Avoid procedures that use secret intermediates or keys for conditional branching operations.
- Hard-wired implementations of symmetric cryptography algorithms.

Differential Power Analysis (DPA)
- Use of statistical analysis and error correction techniques to extract information correlated to secret keys.
- Based on the effects correlated to data values being manipulated.
- More powerful than SPA and much more difficult to prevent.

DPA basic idea
- Data collection: capture power traces $T_{1..m}[1..k]$ containing $k$ samples each; record the ciphertexts $C_{1..m}$. Knowledge of the plaintext is not required.
- Data analysis: DPA selection function $D(C, b, K_s) \to \{0, 1\}$. Compute the $k$-sample differential trace $\Delta_D[1..k]$ where

$$\Delta_D[j] = \frac{\sum_{i=1}^{m} D(C_i, b, K_s)\, T_i[j]}{\sum_{i=1}^{m} D(C_i, b, K_s)} - \frac{\sum_{i=1}^{m} \bigl(1 - D(C_i, b, K_s)\bigr)\, T_i[j]}{\sum_{i=1}^{m} \bigl(1 - D(C_i, b, K_s)\bigr)}$$

DPA against DES
- The DPA selection function $D(C, b, K_s)$ is defined as returning the value of bit $b$ of the DES intermediate $L$ at the beginning of the 16th round, $0 \le b < 32$; $C$ is the corresponding ciphertext; $K_s$ is the 6 key bits entering the S-box corresponding to bit $b$, $0 \le K_s < 2^6$.
- Repeat the procedure to find all 8 $K_s$ values to get the entire 48-bit subkey.
- (Figure: the 16th DES round; 32-bit half block, 48-bit subkey, 64-bit input, S-boxes, P permutation, bit $b$.)
- DPA traces for DES (figure): power reference; correct $K_s$; incorrect $K_s$; 1000 samples.
- Quantitative DPA measurements (figure): reference power consumption trace, standard deviation, differential trace; time in 3.5714 MHz clock cycles.

More about DPA
- Noise can be a problem: electronic radiation and thermal noise, quantization errors, uncorrected temporal misalignment.
- DPA variations: automated template DPA, high-order DPA.
- DPA against other algorithms: in general DPA can be used to break any symmetric or asymmetric algorithm. Public key algorithms (i.e. RSA): asymmetric operations tend to produce stronger leaking signals than symmetric ones.
- Reverse engineering using DPA.

Preventing DPA
- Reduce signal size.
- Introduce noise into power consumption measurements.
- Design cryptosystems with realistic assumptions about the underlying hardware: balanced HW and SW (i.e. leak-tolerant design), incorporating randomness, algorithm- and protocol-level countermeasures.

Take away
- Power analysis techniques are of great concern: multiple vulnerable devices, easy to implement, low cost and difficult to detect.
- Systems must be designed with realistic assumptions, taking into account all the components (algorithms, protocols, hardware and software) and their interactions.

How to 0wn the Internet in Your Spare Time
By Stuart Staniford, Vern Paxson and Nicholas Weaver.

History
- 1988: Morris Worm
- July 13, 2001: Code Red I v1
- July 19, 2001: Code Red I v2
- Aug 4, 2001: Code Red II
- Sept 18, 2001: Nimda
- Jan 25, 2003: Sapphire Worm
- March 19, 2004: Witty Worm

Worms vs viruses
- A virus is a malicious program that spreads using a propagation technique that generally requires user intervention and always possesses a malicious intent.
- A worm, on the other hand, has the ability to self-propagate and may or may not have malicious intent.

Intended uses / applications
- Launch a DDoS.
- Access to sensitive information.
- Spread false and confidential information; sow confusion and disruption.
- Unknown reasons.

Mechanism of operation
- Target selection, initial infection, exploit, propagation mechanism, deployment tactics, defensive measures.
- (Figure: infected host -> target acquisition -> target acquired -> delivery of hostile code -> hostile code on target system -> execution of hostile code -> system compromised -> optional transfer of additional code -> propagation complete.)

Morris Worm (1988)
- Multivectored, like Nimda: fingerd via buffer overflow (which caused core dumps on Suns), Unix sendmail.
- The Morris worm infected 6000 of 60000 hosts, a very large percentage compared to today's worms.

Code Red v1 (July 13, 2001)
- Used an IIS vulnerability to perform website defacement.
- Linear spread: the random number generator seed was fixed.
- After successful infection the worm would check the date of the system: between the 1st and the 20th, generate a random list of IP addresses and try to infect them; between the 20th and the 28th, launch a denial of service attack against www.whitehouse.gov.

Code Red v2 (CRv2, July 19th)
- Same codebase as CRv1; fixed the bug with random number generation.
- Found to affect additional devices with web interfaces such as routers, switches and printers.
- CRv1 and CRv2 are both memory resident and can be removed by simply rebooting the infected system.
- (Figure: Code Red worm infections on July 19, 2001; large number of infections at Home, RoadRunner and AT&T ISPs.)

Code Red II
- Used the same IIS vulnerability as Code Red I but installed a root backdoor instead.
- Fixed the random IP generator.
- Subnet scan (localized): same class B address space with probability 3/8, same class A address space with probability 1/2, whole Internet address space with probability 1/8.
- Quicker infection: similar IPs are close together; inside the external firewall, attack internally.
- (Figure: Code Red denial of service attack.)

Nimda
- Multivectored worm (relates back to the Morris worm): IIS vulnerability, email, firewall evasion, network shares, infecting web pages, scanning for Code Red and sadmind backdoors.
- From almost no probing to 100 probes/sec in 1/2 hour.

How to spread faster
- Hit-list scanning: faster startup.
- Permutation scanning: limit redundant scans.
- Topologically aware scanning.

Hit lists
- Public surveys, spiders, DNS search, distributed scanning using zombies.
- Stealth scan: takes longer but is pretty much undetectable.

Permutation scanning
- Eliminate redundant scanning by partitioning searches.
- Start scanning from your point in the permutation. If the machine in sequence is already infected, randomly choose a new point to scan and increment a counter; else infect the computer and then scan.
- Stop scanning when the counter reaches SCAN_LIMIT.
- All worms share a common pseudo-random permutation; use a block cipher key to generate addresses; worms start scanning after their point in the permutation.

Topological scanning
- Use email addresses (MyDoom used Google, Yahoo, Altavista and Lycos).
- Internet cache for URLs.
- P2P peers.
- Attractive for worm authors.

Proposed conceptual worms
- Flash, Warhol, BGP, ...

Flash worms
- Capable of infecting most vulnerable servers in < 30 seconds.
- Need a high bandwidth link: 12.6 million servers were 48 MB compressed.
- Limitations: initial infection is slow (transmit the host list); latency (infect each new layer in the tree).
- (Figure: flash worm spread using a hit list; for 3 million hosts just 7 layers deep, n = 10.)

Warhol worm
- Uses a combination of hit-list and permutation scanning. The combination improves initial speed, quickly achieving a set base, and permutation scanning keeps the worm's infection rate high for a longer period.
- Provides a very practical design of a worm and achieves 99% infection in around 15 mins.
- (Figure: infected hosts vs time in hours for a conventional worm at 10 scans/sec, fast scanning at 100 scans/sec, and a Warhol worm at 100 scans/sec with a 10000-entry hit-list and permutation scanning that gives up when the count is exceeded.)

BGP routing worm
- Based on BGP routing tables, freely available on the Internet.
- Geographical information (AS, company, country, etc.).
- Reduces the scanning space to 28.6% of all IP space.
- Reference: "Routing Worm: A Fast, Selective Attack Worm based on IP Address Information", Cliff C. Zou, Don Towsley, Weibo Gong, Songlin Cai; Department of Electrical & Computer Engineering and Department of Computer Science, Univ. Massachusetts, Amherst.

Contagion
- Slowly spreading worm to avoid detection; no special communication pattern.
- Potential: at a university, 9 million distinct IPs in one month of Kazaa traffic.
- Very difficult to detect since the traffic pattern change is so small.
- Integrity checker: use those md5 sums.
- KaZaA P2P: overlooked large files, many peers, desktop, grey content. The worm checks for the presence of a Kazaa client on the computer and copies itself to the file-sharing directory under several file names.

Sapphire Worm
- Fastest spreading worm in history: doubled in size every 8.5 seconds (Code Red's population doubled every 37 minutes).
- Over 90% of vulnerable machines compromised in 10 minutes.
- Targeted Microsoft's SQL Server through a buffer overflow; a patch had been released.
- Sent UDP packets (376 bytes) to port 1434, so easy to filter.
- Reached over 55 million scans/sec in under 3 minutes. http://www.cs.berkeley.edu/~nweaver/sapphire
- Sapphire Worm, January 25, 2003: from 0 infected hosts to 74,855 in 30 minutes. http://www.caida.org/analysis/security/sapphire

Witty Worm (March 19, 2004)
- Used a hit list or timed release of the worm.
- Compromised ISS products through buffer overflows: ISS RealSecure Network, RealSecure Server Sensor, RealSecure Desktop and BlackICE.
- Infected 12,000 computers and wrote to random points on disk.
- Spread one day after the vulnerability was announced. http://www.caida.org/analysis/security/witty

Witty vs Sapphire
- Witty: at peak flooded the Internet with over 90 Gbit/sec; each infected host sent 20,000 packets of between 796 and 1307 bytes.
- Sapphire: with a 100 Mb/s link, 30,000 scans/sec from one copy of the worm using 404-byte UDP packets (30,000 * 404 = 12,120,000 bytes). http://www.caida.org/analysis/security/witty

Perfect worm
- A perfect worm would have all vulnerable hosts known, no dual scanning, immediate infection.
- Using Code Red parameters (N = 360000, initially infected 10, scan rate of 358/min): time taken 7758 seconds.
- Reference: "On the Performance of Internet Worm Scanning Strategies", Cliff Changchun Zou, Don Towsley, Weibo Gong; Department of Electrical & Computer Engineering and Department of Computer Science, Univ. Massachusetts, Amherst.
- (Fig. 2: The propagation of a perfect worm with and without time delay; N = 360000, scan rate 358/min, 10 initially infected, delay of 2 seconds.)

Updating worms
- Distributed control: each worm could have a subset of infected hosts; each command can be signed and then sent to other copies of the worm; received commands can be verified and then forwarded.
- Programmable updates: dynamic code loading; flexible language combined with a small interpreter.

Government role
- "Cyber Center for Disease Control" (CDC), Homeland Security.
- Cyber CDC responsible for identifying outbreaks, rapidly analyzing pathogens (how open should results be?), fighting infections, anticipating new vectors, proactively devising detectors for new vectors, resisting future threats.

Observations
- Infection from a new exploit (0-day), or even an old exploit, can happen fast.
- A well-written virus/worm without any large errors could do really bad damage.
- Some potential solutions: distributed firewalls, honeypots. Can diversity help? IIS exploits in Code Red; IRC channels used for remote control.
- Lots of things to work on: buffer overflows still prevalent; passwords still poorly chosen; people with a lot less skill than Robert Morris have done much more damage; misconfigured policies; complexity is an evil to security (Morris used a sendmail vulnerability); people don't keep up with patches, even on servers.
- Security Holes... Who Cares? USENIX Security 2003, http://www.usenix.org/events/sec03/tech/rescorla.html
- (Figure: news clippings about worm authors being sentenced.) Has it worked?

Tracking Anonymous Peer-to-Peer VoIP Calls on the Internet

Introduction
- VoIP is popular. People need privacy and want to be anonymous. Law enforcement agencies need to conduct lawful electronic surveillance. How to balance?

Target: Skype
- Based on KaZaA; widely used.
- Encrypted from end to end by 256-bit AES.
- Traverses most firewalls and NAT gateways.
- Intelligently routes the encrypted calls through different peers to achieve low latency.
- Proprietary peer-to-peer signaling protocol.

Key challenge
- How to identify the correlation between the VoIP flows of the caller and callee.
- Passive approach: timing characteristics, not distinct enough.
- Active approach: embed a unique watermark; redundancy technique.

Overall model
- (Figure: Skype peer A -> Skype VoIP flow -> black box (Internet cloud and low latency anonymizing network) -> Skype VoIP flow -> Skype peer B.)
- 1. We can monitor the Skype flow from the black box to the Skype peer.
- 2. We can perturb the timing of the Skype flow from the Skype peer to the black box.

Timing-based correlation methods
- Foundation: the invariant property of inter-packet timing characteristics of VoIP flows.
- Passive timing-based correlation approaches are effective when timing characteristics are unique; not suitable for VoIP flows.
- The first active approach embeds a unique watermark into the inter-packet timing domain; it has the potential to differentiate flows with similar timing characteristics, but cannot be directly used for VoIP flows: stringent real-time constraints, very short inter-packet arrival time, and it is based on quantization of averaged IPDs, which requires buffering.

Our approach
- Key challenge: how to precisely adjust the packet timing without buffering and guarantee the even time adjustment of the selected packets.
- Make the inter-packet timing characteristics more unique.
- Embed a unique watermark in real time.
- (Figures: probabilistic distribution of IPDs of originating and terminating Skype flows; distribution of IPD differences $Y_{r,d}$.)

Embedding and decoding a binary bit probabilistically
- The probability of $Y_{r,d}$ being positive or negative is equal.
- (Figure 4: embedding a binary bit by shifting the distribution of $Y_{r,d}$ by $a$ to the left or right.) Shifting the distribution by $a$ to the left or right makes $Y_{r,d}$ more likely to be negative or positive; after this, decoding the embedded digit is easy.
- However, there is always a non-zero probability that such an embedded bit is decoded incorrectly.
- Solution: the watermark bit embedding success rate is normally distributed. No matter what variance it has, no matter how small the adjustment $a$ is, no matter how large the network jitter may be, we can make the rate close to 100% by increasing redundancy.

Transparent watermarking in real time
- Need the capability to delay a specified packet for a specified duration.
- The Linux kernel lacks hard real-time scheduling and does not support time-critical tasks.
- Real Time Application Interface (RTAI): coexists with the original kernel services, guarantees execution time regardless of current load, high precision software timer.

Experiments
- (Figure: Skype peer A -> watermark engine -> watermarked Skype VoIP flow -> low-latency anonymizing network -> Skype peer B.)
- Watermarking parameter selection: to make the watermark more robust against network delay jitter and achieve a high watermark bit detection rate, use a larger watermark embedding delay $a$ and bigger redundancy $r$.
- (Figure 7: Distribution of the network delay jitters of Skype VoIP calls; network delay jitter in milliseconds.)
- (Figure: Average number of error bits vs the redundancy number $r$.)
- (Figure 9: True positive rate of correlating watermarked VoIP calls.)
- (Figure 10: The numbers of error bits and correlation false positive rate of pairs of uncorrelated Skype VoIP flows.)

Signaling Vulnerabilities in Wiretapping Systems
Authored by Micah Sherr, Eric Cronin, Sandy Clark and Matt Blaze, University of Pennsylvania. Presented by Frank S. Park, College of Computing, Georgia Institute of Technology. Georgia Tech Information Security Center, Atlanta, Georgia, USA.

Eavesdropping
- Any party listening on others without their knowledge of being listened to.
- Have you eavesdropped before? Phone conversation, email, instant messaging, face-to-face conversations.
- All eavesdroppers are adversaries. True?

Eavesdropper's dilemma
- The architecture of many eavesdropping systems allows defending against evasion or confusion only at the expense of increased exposure to the other.
- Evasion: preventing legitimate traffic from reaching the interception system.
- Confusion: injecting spurious traffic reachable by the interception system.

Lawful interception
- Used by law enforcement agencies in the US: all the 3-letter agencies.
- Two wiretapping categories: Dialed Number Recorder (DNR) or pen register; full audio interception.
- Two wiretapping technologies: loop extender taps; CALEA taps.

Loop extender tap
- Physical split on the target line that feeds to the friendly line via the network provider.
- Exposed to telco insiders.
- Only works for landlines.

CALEA tap
- Two different channels to a friendly line: Call Data Channels (CDC) and Call Content Channels (CCC).
- No physical exposure to tapped lines.
- Works for both landline and wireless lines.

Denial of service attack on the eavesdropper (monitored line)
- Forces usage of all available CCCs that an eavesdropper can monitor.
- Once all resources are being used, a monitored line can make a call without the eavesdropper being able to monitor the content of the call.

Understanding DTMF
- Consists of two audio frequencies: low tones in rows, high tones in columns. Standard phones use 12 keys; however, a fourth column is specified in the standards for additional tone signals.
- DTMF transmission and decoding are analog processes. No two DTMF decoders will use precisely the same threshold to determine whether a given signal is accepted or rejected.
- A telephone switch is an oracle for determining whether DTMF signals sent to it have parameters within its tolerance.
- Two different decoders process the target line independently. The acceptance parameter of the digits can be set liberally or conservatively. Liberal: accepts digits that the switch may not. Conservative: rejects digits that the switch may not. More than likely the eavesdropper's decoder will be more liberal. Why?

Dialed digit spoofing
- (Figure: digit interpretation at the switch vs the wiretap for the dialed string 1734966876649916955564239261200.) Evasion or confusion?

Caller ID spoofing
- The wiretap can also receive and decode all Calling Number ID (CNID) when the target line is receiving a call.
- Forged CNID is repeatedly sent on the line while the phone is on-hook. Evasion or confusion?

In-band signaling
- Signaling methods: DTMF (dialed digits, caller ID); audible tones (dial tone, busy tone, ringing); direct current (DC) voltage and current (on/off hook).
- DTMF is decodable by the wiretap system. DC cannot be forwarded on the friendly line in the same way as on the target line, so DC signaling is converted to DTMF signals to be processed by the wiretap system.
- Some wiretap systems are known to use the C-tone when signaling the on-hook state.

Line status spoofing
- By injecting the C-tone on the line, the wiretap system will believe that the line is on-hook.
- The CO switch will not process the C-tone the same way, since it relies on DC signals.
- (Figure: wiretap system recording; on/off hooking and C-tone suspend wiretap recording; new call spoofing.)

New and improved?! Wait...
- CALEA addresses many of these attacks by using out-of-band signaling.
- In addition to the new technology, one new feature was added, called backward compatibility: the FBI and DOJ explicitly requested that a continuity tone on idle CCC channels be required (CALEA feature).

Unsafe at Any Key Size: An Analysis of the WEP Encapsulation
Jesse R. Walker. Presented by Daniel Luo, 2008-10-02.

802.11 WLAN
- Two modes: infrastructure mode (access point); ad-hoc mode.
- Three states: unauthenticated and unassociated; authenticated and unassociated; authenticated and associated.

Wired Equivalent Privacy (WEP)
- Root cause: bad design, bad implementation.

Outline
- WEP; decrypting data without keys; problems with RC4; recommendations.

WEP
- (Figure: initialization vector IV and key K feed RC4; the key stream is XORed with the message M and its CRC to give ciphertext C; the IV is sent in the clear.)
- The key is shared between all members.
- The IV has only 24 bits.

Decrypting data without keys I
- IV collisions: a key stream from a stream cipher should never be reused. Without frequently changing the shared key, WEP would exhaust the 2^24 IVs quickly.
- Birthday attack: 1% chance of collision after 582 encrypted frames; 10% after 1881 encrypted frames; 50% after 4823 encrypted frames; 99% after 12430 encrypted frames.
- 802.11b at 11 Mbps could send 635 1500-byte frames per second.

Decrypting data without keys II
- If plaintext P is known: K = C xor P.
- If only ciphertexts are observed: C xor C' = (P xor K) xor (P' xor K) = P xor P'.
- An attacker can infer when each bit is the same or different in the two streams; guess plaintext by further exploiting WEP's checksum.
- After reconstructing the entire key schedule an attacker can compute the base key: WEP just concatenates the IV directly to the base key.

RC4
- KSA (Key Scheduling Algorithm), N = 256, L = key length:

    for i = 0 to N-1
        S[i] = i
    end
    j = 0
    for i = 0 to N-1
        j = (j + S[i] + key[i mod L]) mod N
        swap(S[i], S[j])
    end

- PRGA (Pseudo Random Generation Algorithm):

    i = 0; j = 0
    while generating output
        i = (i + 1) mod N
        j = (j + S[i]) mod N
        swap(S[i], S[j])
        output S[(S[i] + S[j]) mod N]
    end

RC4's weak keys
- Plaintext encrypted under these keys can be easily recovered.
- Example: IV = (3, 255, V); K = (3, 255, V, k3, k4).
  i = 0: j = 3, S[0] = 3
  i = 1: j = 3 + 1 + 255 = 3 (mod 256), S[1] = 0
  i = 2: j = 3 + 2 + V = 5 + V, S[2] = S[5 + V]
  i = 3: j = 5 + V + S[3] + k3 = 6 + V + k3, S[3] = S[6 + V + k3]
- Assumption: 6 + V + k3 > 5 + V, and S[0], S[1], S[3] are untouched by the remaining KSA steps. The first output key stream byte is then S[S[1] + S[S[1]]] = S[S[0]] = S[3] = 6 + V + k3, which reveals k3.
- An attacker knows the first byte of the plaintext; one weak IV can reveal a key byte 5% of the time.
- Mark Stamp and Richard M. Low, Applied Cryptanalysis: Breaking Ciphers in the Real World, Wiley-IEEE Press, 2007.

Breaking 104-bit WEP in less than 60 seconds
- Erik Tews, Ralf-Philipp Weinmann, Andrei Pyshkin, "Breaking 104 bit WEP in less than 60 seconds", WISA 2007, LNCS 4867, pp. 188-202, Springer-Verlag.
- "We demonstrate an active attack on the WEP protocol that is able to recover a 104-bit WEP key using less than 40,000 frames with a success probability of 50%. In order to succeed in 95% of all cases, 85,000 packets are needed."

Are SSL and IPsec vulnerable to such attacks?
- SSL: uses hashing functions (SHA-1 and MD5) on the key before the KSA; does not rekey RC4 for each packet but rather uses the previous state for the next packet; CBC.
- IPsec: a unique key for each direction of each session over each link; 3DES: a single key for at most 2^32 packets; 64-bit IV, or 128-bit IV when AES is used; CBC mode.

Recommendations
- AES in Offset Codebook Mode (OCB): good cipher, efficient implementations.
- Session key derivation: remove the base key from direct attacks; tie the session key to the session: session key = OCB-AES-tag(basekey, 0 || BSSID || sender MAC address || receiver MAC address).
- Encapsulation: a 128-bit IV; a 32-bit sequence number; the LLC data payload, encrypted; the 128-bit OCB data authentication tag.

Remote Timing Attacks are Practical
David Brumley and Dan Boneh, Stanford University (dbrumley@cs.stanford.edu, dabo@cs.stanford.edu). Presented by Samrit Sangal.

RSA
- Public key <e, n>, private key <d, n>.
- c = m^e mod n; m = c^d mod n; n = pq, where p and q are large primes.

OpenSSL decryption
- m = c^d mod n is computed as m1 = c^{d1} mod p and m2 = c^{d2} mod q; using the Chinese Remainder Theorem we can calculate m from m1 and m2.

g^d mod q
- The simplest way to calculate it is square and multiply:

    Let s_0 = 1
    For k = 0 up to n-1
        If bit k of d is 1 then
            Let R_k = s_k * g mod n
        Else
            Let R_k = s_k
        Let s_{k+1} = R_k^2 mod n
    EndFor
    Return R_{n-1}

- Each multiplication requires a reduction mod q. Calculating this by multi-precision division is expensive.
- Done using Montgomery reductions: this transforms mod q multiplications to mod R, where R > q and gcd(R, q) = 1, R = 2^k where k is a multiple of 32 or 64.
- aR * bR = cR^2; cR^2 * R^{-1} = cR mod q.
- An extra reduction may be required at the end of a reduction if cR > q; the reduction is cR - q.
- This causes timing differences from the extra reductions in Montgomery's algorithm.
- (Figure: number of extra reductions for values of g between 0 and 5q; discontinuities when g mod q crosses a multiple of q.)

What do we know?
- OpenSSL uses CRT to break the exponentiation into two parts; uses a sliding window strategy instead of square and multiply; uses Montgomery reductions for modular reductions.
- Two algorithmic data dependencies cause time variance.

The attack
- Build approximations to q that get more accurate as the attack proceeds.
- Initial guess between 2^511 and 2^512. Time the decryption of all possible combinations of the top few bits; this gives a bound for q.
- Let g be the same as q in the bits recovered so far. Let g_hi be the same as g with the i-th bit set to 1. Then two cases arise: if bit i of q is 1 then g < g_hi < q, else g < q < g_hi.
- Compute u_g = g R^{-1} mod N and u_ghi = g_hi R^{-1} mod N.
- Measure the time to decrypt: t1 = DecryptTime(u_g) and t2 = DecryptTime(u_ghi).
- If the difference |t1 - t2| is large, then bit i is 0, else bit i is 1. A large difference may be positive or negative depending on which factor dominated the time difference.

Neighborhood of values
- Ideally one would like |t_g1 - t_g2| >> |t_g3 - t_g4| when g1 < q < g2 and g3 < g4 < q.
- But with sliding windows this does not happen, resulting in a weak indication.
- To overcome this, we query with a neighbourhood of values g, g+1, g+2, ..., g+n: T_g = sum_{i=0}^{n} DecryptTime(g+i).

The oracle
- Decryptions are carried out by initiating fraudulent SSL handshakes with various values of g.
- The time of the response from the server is T_g.
- Time is measured by counting CPU cycles: a 2.4 GHz processor gives a resolution of 2.4 billion ticks per second.

Number of queries
- For each bit i: n neighborhood values and s samples. Number of queries: s * n.
- (Figures: (a) the time variance for decrypting a particular ciphertext decreases as we increase the number of samples taken; (b) by increasing the neighborhood size we increase the zero-one gap between a bit of q that is 0 and a bit of q that is 1.)

Different keys
- (Figures: (a) the zero-one gap |T_g - T_ghi| indicates that we can distinguish between bits that are 0 and 1 of the RSA factor q for 3 different randomly-generated keys; (b) when the neighborhood is 400 the zero-one gap is small for some bits in key 3, making it difficult to distinguish between the 0 and 1 bits of q; by increasing the neighborhood size a successful attack can be launched in this case.)

Architecture effects
- (Figure: time variance in CPU cycles vs bits guessed of factor q for optimized, optimized without -mcpu, and unoptimized OpenSSL builds.)

IPC vs network
- (Figure: time variance in CPU cycles vs bits guessed of factor q for OpenSSL patched and unpatched, measured inter-process and over the network.)

Network size
- (Figures: (a) the zero-one gaps when attacking Apache+mod_SSL and stunnel separated by one switch; (b) the zero-one gap when attacking Apache+mod_SSL separated by several routers and a campus network backbone; simple RSA server for comparison.)

Using the Fluhrer, Mantin and Shamir Attack to Break WEP
Presented by Daniel Komaromy.

Overview of WEP
- (Figure: sender computes RC4(IV || K) and XORs it with Message || ICV; IV is sent with the ciphertext; receiver recomputes RC4(IV || K) to recover the message.)
- Shared key authentication: challenge P; response = WEP_K(IV, P || ICV), where the ICV (Integrity Check Value) is CRC32.

History of the failure of WEP
- WEP published in 1999 (IEEE 802.11).
- Early problems with key size: 40-bit; passphrase usage -> 104-bit key.
- Keystream recovery, 2000: Walker, "Unsafe at any key size".
- Failure of SKA and integrity protection, keystream recovery techniques, 2001: Borisov, Goldberg, Wagner, "Intercepting Mobile Communications: The Insecurity of 802.11"; Arbaugh, Shankar, Wan, "Your 802.11 Wireless Network has No Clothes".
- Attacks believed not practical; other techniques for authentication: MAC filter, SSID cloak.
- And then came FMS.

RC4 overview
- KSA: for i = 0 to N-1: S[i] = i; j = 0; for i = 0 to N-1: j = (j + S[i] + K[i mod L]) mod N; swap(S[i], S[j]).
- PRGA: initialization i = 0, j = 0; generation loop, repeat N times: i = i + 1; j = j + S[i]; swap(S[i], S[j]); output S[S[i] + S[j]].

Correlation between the key sequence and the secret key
- Key bytes X, X+Y, X+Y+Z.
- Resolved condition: if at any i-th stage of the KSA S[1] = X and S[X] = X+Y... the probability that these positions remain unchanged during the rest of the KSA is about 0.05.
- First
output SSi Si SS1 SS1 ijOii1jjS1 I FMS attack overview I Published in Fluhrer Mantin Shamir Weaknesses in the key scheduling Algorithm of RC4 2001 I We can simulate the start of KSA because IV is sent in cleartext and WEP I Find IV such that KSA is resolved and output leaks information about the key With every weak IV found guess 1 byte of K avg 60 guessesbyte needed for recovering K I When trying to recover KA SI1 lt I and SI1 SISI1 I A after I steps results in resolved condition after I A steps with high probability Weak IV A3 n1 X FMS attack start A3 N1 x K3 KA3 0 1 2 A3 ioio FMS attack compute j O 1 2 A3 i0 jjSiKi0A3 FMS attack swap 1 A3 1 2 0 4 K swap smsm 39jjsmKmoA3 FMS attack step 2 increment i compute j A3 1 2 0 i1 ijsl Klili1N1i FMS attack step 2 swap Lj A3 0 2 1 i1 K swap SiSi 39jjsli1Ki1j1N1j gt Output1SS1SS1SA3 IF SO S1 is unchanged 25 434044 4 4 4 Z 4 75 F 2 m 981 can 3 424 a 4 Z gtal man gtw Ta c4 44 fol26 an Kiel 45 4 m gtw4 Zgtw4 95259 bmm 4 mEE man 524 9555 823 FMS attack put into practice May 2004 I How do we get known first byte El IP ARP packet first byte known turns out additional encapsulation header results in OXAA as first byte I How is the IV incremented in this case simple counter I What setup to use card sniffer El Today almost every known card out there Prism2 PrismGT Atheros Broadcom RTL81808187 RAlink ACX1XX Zydas supported driver patches for almost all l FMS attack improvements I New weak IVs D IVs can be recomputed and checked El there were about 9000 weak IVs 2813 basic type for 104 bit wep key I Guessing early bytes 0 use cheksum to see if our guess is correct 0 ASCII passphrase directly used check if sASCkeyByte I Special resolved cases D S1 SS1 SS1SS1 only 2 distinct values D more probable 13 instead of 5 to remain unchanged I Instead of waiting for 60 bytes for each key byte continuously testing against resolved cases to find most likely byte prioritizing in case of tie lowercase uppercase number symbol other Results discussion 
- Number of packets needed dropped to 1-2 million from 5 million.
- IV selection: counter, random, flipping.
- Key selection: passphrase mapping, individual keys (LEAP).
- Careful usage of the RC4 stream: re-process the IV, drop the first 256 bytes.
- Treat the link layer as insecure; use higher-layer security.

History of the failure of WEP (cont'd)
- Vendor reaction: "not practical"; key rotation/re-keying; drop weak IVs.
- Work on 802.11i starts: WPA (a patch of WEP) superseded WEP in 2003; WPA2 ratified 24th June 2004.
- KoreK's attacks: 06/06/2004 on Netstumbler; chopchop tool posted 09/14/2004. Improved statistical attacks need only 500,000 packets to recover the key; the chopchop attack deciphers encrypted packets without recovering the key.
- Christophe Devine writes aircrack (2004).
- Packet re-injection technique, fragmentation attack (May 2005): Bittau, Handley, Lackey, "The Final Nail in WEP's Coffin": send arbitrary data on a WEP network after having eavesdropped only a single data packet; real-time decipher techniques.
- Klein, "Attacks on the RC4 stream cipher", 2007. Based on Klein's work: Tews, Weinmann, Pyshkin, "Breaking 104 bit WEP in less than 60 seconds" (PTW attack).
- Today: easy-to-use tools implement the attacks (BackTrack, aircrack); cracking a WEP key takes less than 3 minutes with automated tools, even if there is no client associated to the AP.
- Problems with the new methods: WPA: some EAP implementations turned out to be flawed (MITM attacks on tunneled protocols), dictionary attacks on PSK; captive portals; tools: cowpatty, AirSnarf (rogue AP), freeradius-wpe, asleap (LEAP) and many, many more.
- And mainly: WEP is still used. [Figures: security in use, 2002-2007 (source: Webtorial State-of-the-Market report 2005-2007); WEP usage over time (source: wigle.net).]

Takeaway
- A chosen mechanism can be good in general but useless for the specific task.
- Cryptographically strong elements do not necessarily create a cryptographically strong system.
- Replacing a flawed system can be very hard even though a good patch is known.
- Little security is worse than no security.

Playing Hide and Seek with Stored Keys
Adi Shamir, Nicko van Someren. Presented by Daniel Komaromy, College of Computing, Georgia Institute of Technology.

Digital Rights Management technologies
- Film: CSS, AACS, BD+
- Audio CDs: Sony BMG rootkit
- Internet music
- E-books
- Approaches: content protection (copy prevention), legal avenue, watermarking.

What is this talk not about? [Two cartoons about DRM ("Digital Restrictions Management"); their text is not recoverable from the scan.]

So what is it about then? The inherent flaw of the concept of DRM enforced through content encryption and authorized players. A quick side: the analog hole. [Figure: AACS key hierarchy: device keys, media key block, volume ID, title key file, encrypted and decrypted content.]

Locating hidden cryptographic keys
- Published in Financial Cryptography '99.
- Goal: find a key on the hard disk of an off-line PC with a quick scan.
- Where can we find a key? In a separate file; hard-coded in the crypto code; in unintentional storage (left in swap, a backup, a damaged sector); in memory during usage.
- Original motivations: lunchtime attacks; Authenticode, both breaking and preventing; can be both good and bad, interestingly in line with DRM.

Finding secret RSA keys
- The public parameters e, n are known.
- The attacker has access to u bits known to contain the v-bit-long secret key d as a continuous string.
- Method 1: exhaustive search. Trial decryptions with a known plaintext/ciphertext pair over substrings of u with a sliding window of shift size 1. Several pairs can prevent false positives. With expected plaintext statistics, ciphertext-only is also feasible.
  Problem: RSA computations are expensive; the time complexity grows cubically in v: u trials of v modulo operations of v^2 complexity → O(u v^3) > 10^19. Goal: make the trials faster.
- Method 2: incremental computation based on overlap. A right shift in u means multiplication by 2: the MSB c2 * 2^{v-1} is subtracted and a new bit c1 is added as LSB:
    d' = 2d + c1 - c2 * 2^v
    m^{d'} = m^{2d + c1 - c2 * 2^v} = (m^d)^2 * m^{c1} * (m^{-c2})^{2^v} mod n
  u trials of v^2 time complexity → O(u v^2).
- Method 3: incremental computation in O(v). Given that e*d = 1 + k*Φ(n) with k < e, the value (e*d - 1) mod n = k*Φ(n) mod n = -k(p + q - 1) is a small negative number. Computing e*d' - 1 mod n from e*d - 1 mod n only takes a constant number of additions and subtractions:
    e(2d + c1 - c2 * 2^v) - 1 = 2(ed - 1) + 1 + e(c1 - c2 * 2^v)  (mod n)
  For each substring, if the result is a small negative number we have found a hit. u trials → O(u v) time complexity.
- Method 4: precompute candidate bits of d. A small e (3 or 2^16 + 1) is common. Φ(n) = (p-1)(q-1) = n - (p+q) + 1, so ed = 1 + kΦ(n) ≈ 1 + kn - k(p+q). If e = 3, k is 1 or 2, so kn/3 gives the two possible candidates for the top half of the bits of d. This is sufficiently long to avoid false positives → search through u and match the candidate strings to find d in O(u). But the number of candidates grows exponentially in the size of e.
- Method 5: searching for p, q. p and q could be discarded, but in most cases they are actually used for the CRT optimization of the modular exponentiation (get X^e mod n from X^e mod p and X^e mod q). Given that they occur next to each other, multiply consecutive substrings of size v/2 → if the result is n we have found p and q. This takes O(u v^2), but if we only use the lowest word it is O(u), with the probability of false positives still low.

Finding public RSA keys
- Motivation: replace the signature in Authenticode.
- Characteristic of cryptographic keys: high entropy. Visual representation: 1 bit per pixel, 300 kbytes.
- Computing entropy efficiently → count of unique bytes in a substring of length v with a sliding window over u → O(u) complexity (v = 64).
- Figure 1: the key information in the middle of the figure looks more noisy than the rest of the data.
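The sliding-window "count of unique bytes" scan from the public-key slide, written out as an added Python example (not code from the Shamir/van Someren paper). The 64-byte window follows the slide; the cut-off of 40 distinct values and the sample image (assembly-like filler around a pseudo-random blob standing in for key material) are constructed assumptions.

```python
import hashlib
from typing import List, Tuple

WINDOW = 64      # v in the slide's notation: bytes per window
THRESHOLD = 40   # assumed cut-off: flag a window with at least this many distinct byte values

# Constructed low-entropy filler (repeated 32-byte pattern, 19 distinct byte values).
FILLER = b"MOV EAX, [EBP+8]\nADD EAX, 4\nRET\n" * 8


def distinct_byte_counts(data: bytes, window: int = WINDOW) -> List[int]:
    """Number of distinct byte values in every window of `data`, in O(len(data)).

    A 256-entry histogram and a running count of its non-zero entries are
    updated as the window slides by one byte, so each step costs O(1)
    rather than re-scanning the whole window.
    """
    if len(data) < window:
        return []
    hist = [0] * 256
    distinct = 0
    for b in data[:window]:
        if hist[b] == 0:
            distinct += 1
        hist[b] += 1
    counts = [distinct]
    for i in range(window, len(data)):
        out_b = data[i - window]          # byte leaving the window
        hist[out_b] -= 1
        if hist[out_b] == 0:
            distinct -= 1
        in_b = data[i]                    # byte entering the window
        if hist[in_b] == 0:
            distinct += 1
        hist[in_b] += 1
        counts.append(distinct)
    return counts


def find_high_entropy_regions(data: bytes, window: int = WINDOW,
                              threshold: int = THRESHOLD) -> List[Tuple[int, int]]:
    """Return (start, end) byte ranges, end exclusive, covered by windows that
    reach `threshold` distinct values. Overlapping flagged windows are merged,
    so a count that flickers around the cut-off does not split a region."""
    regions: List[List[int]] = []
    for off, c in enumerate(distinct_byte_counts(data, window)):
        if c < threshold:
            continue
        if regions and off <= regions[-1][1]:   # overlaps the previous region
            regions[-1][1] = off + window
        else:
            regions.append([off, off + window])
    return [(s, e) for s, e in regions]


def constructed_image() -> bytes:
    """Constructed sample: 256 bytes of filler, a 128-byte pseudo-random blob
    (SHA-256 chain, so the data is deterministic), then 256 bytes of filler.
    The blob occupies byte offsets 256..383."""
    blob = b""
    seed = b"constructed-sample-key"
    while len(blob) < 128:
        seed = hashlib.sha256(seed).digest()
        blob += seed
    return FILLER + blob + FILLER


if __name__ == "__main__":
    for start, end in find_high_entropy_regions(constructed_image()):
        print(f"high-entropy region at bytes {start}..{end}")
```

On the constructed image the only reported region brackets the blob at 256..383; the boundaries are smeared by up to one window because the count rises gradually as the window slides into the blob.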
Better methods of hiding keys
- Off-line storage.
- Replace d with d + kΦ(n): protects against the small-exponent attack.
- Matching levels of entropy: spreading the key, encrypting the rest of the code → performance cost.
- Anything else? Code optimization for a pre-defined key.

Aftermath, further results
- "Researchers Uncover Vulnerability in Web Server Security: Weakness Presents Risk to E-commerce" (news report, January 2000).
- nCipher released a key management tool for extracting keys from the system into secure hardware storage.
- We saw that hiding the key in memory is hard, but how about hiding it in a binary? Barak et al., "On the (Im)possibility of Obfuscating Programs", 2001; Jacob et al., "Attacking an obfuscated cipher", 2002.
- How about physical protection? Tamper-resistant hardware.

Why did these guys NOT read this paper? (I)
- CSS (Content Scrambling System) by the DVD Forum, 1996: DVDs encrypted with a proprietary algorithm, could only be played with custom players; vendors signed agreements.
- DeCSS: Jon Lech Johansen, 1999: play on an unlicensed player. Disassembled the object code of a player to retrieve the key. Arrested and tried in Norway, finally acquitted of all charges in 2003.
- libdvdcss: brute force of the 40-bit key.

Why did these guys NOT read this paper? (II)
- Advanced Access Content System (AACS): HD DVD, Blu-ray. AACS crypto is publicly documented, no disassembly needed.
- Muslix64, "AACS is Unbreakable" (YouTube, December 2006): released BackupHDDVD; retrieved WinDVD's decryption key from memory during playback. Method for key recovery leaked (forum.doom9.org).
- AACS approach: revocable keys. Is this sufficient?
- AACS Licensing Administrator key publishing controversy: in April 2007 a DMCA notice to Digg results in removed posts and accounts → cyber revolt, from 36,000 pages to 368,000 in a day.
- An interesting new twist. [Figure: the leaked key as it circulated; the hex values are not recoverable from the scan.]

Why did these guys NOT read this paper? (III): AACS follow-ups, BD+
- BD+ released November 2007, claiming it "will not be cracked within 10 years". Runs a VM on authorized players that can examine and change (e.g. patch) the host environment.
- SlySoft's AnyDVD circumvented it in March 2008, then the next release ("Jumper") by August. Circumvention based on reverse engineering the obfuscated binary code of players.
- October 2008: open source BD+ crack released on the doom9 forum.

INFORMATION SECURITY CENTER
Defending Against an Internet-based Attack on the Physical World
Authored by Simon Byers, Aviel D. Rubin, David Kormann. Presented by Frank S. Park, College of Computing, Georgia Institute of Technology.
(Slide footer: Georgia Institute of Technology, Security Concerns for the IP Multimedia Subsystem.)

Imagine this: [link to the Die Hard 4 trailer]. Can this be real? Or is this just another Hollywood effect?

Should we be worried?
- "Man accused of hacking into 911": 19-year-old Randall Ellis from Washington state dispatched SWAT to a resident in Orange County, California.
- "Two charged with hacking LA traffic lights": two men have been charged with illegal computer access after they allegedly hacked into the Los Angeles city traffic center to turn off traffic lights at four intersections.
- "US military shaken by hack attack": using software easily obtained from hacker World Wide Web sites on the Internet, computer experts at the National Security Agency (NSA) could have shut down the US electric power grid and rendered impotent the command-and-control elements of the military's Pacific Command.
- Sources: The Register, Computerworld.

95% of websites are vulnerable
- Cross-site scripting: 80 percent
- SQL injection: 62 percent
- Parameter tampering: 60 percent
- Cookie poisoning: 37 percent
- Database server: 33 percent
- Web server: 23 percent
- Buffer overflow: 19 percent
- Source: JavaOne Conference.
Search Engine API
- Allows a customizable front UI for developers.
- Creates access to a centralized database of indexed content on the Internet.
- This is a great feature. Right? [Figure not recoverable from the scan.]

Physical Attack v1.0
- Virtual request >>> physical delivery: mail, catalogs, information packet, free sample.
- Information gathering: the targeted victim's physical address; access to online request/order forms.
- Execution: how to automate the requests?
- Motives, incentives.

Why is this an attack?
- Increased volume of junk mail
- Increased cost to the targeted company
- Ability to interfere with the postal infrastructure
- Diversion from a bigger attack
- Emotional distress

Execution
- A simple Perl script parses the web form; based on the input label, a machine can easily determine the expected field value.
- Another script sends the POST request.

Detection
- Non-trivial to detect: ubiquitous request origins; requests dispersed in nature; low rate of requests; use of anonymizing tools.

Prevention
- Restricted access to indexing: limited/controlled access to the search engine database.
- HTML obfuscation: randomized input labels.
- Human in the loop: CAPTCHA (reverse Turing test).
- Client puzzle: use of the requestor's physical resources.
- Honeypots: early detection.
- Browsing session management: heuristic intelligence.

Legal concerns
- This attack doesn't fall under computer crime: computer crime requires an act of unauthorized access.
- Traditional mail fraud: forbids the use of the name and address of another in a mailing; generating a large volume can be considered obstruction of mail.

From Google: "As of December 5, 2006, we are no longer issuing new API keys for the SOAP Search API."

Where are we going with this? Current attacks may not be as dramatic as Die Hard 4, but our reliance on technology is making such physical attacks feasible.

Security Analysis of a Cryptographically-Enabled RFID Device
Steve Bono, Matthew Green, Adam Stubblefield, Ari Juels, Avi Rubin, Michael Szydlo. Presented by Ankur Aggarwal.
- Security through obscurity: generally ineffective.
- Design guidance to the data security community.
- Staging the attack; resources needed; seriousness of the threat; countermeasures.

Radio-Frequency Identification
- In naive terms: intelligent barcodes. Active: has its own battery. Passive: powered by the signal from the reader.
- Main components: the tag (transponder) and the reader. Small wireless devices that emit unique identifiers upon interrogation by RFID readers.
- Sophisticated RFID devices can offer cryptographic functionality; the Digital Signature Transponder (DST) is such a device: a small microchip and antenna coil with no on-board power source. It contains a secret 40-bit cryptographic key that is field-programmable via RF command.
- Interaction with a reader: the DST emits a 24-bit factory-set ID and then the authentication process starts. The reader sends a 40-bit challenge; the DST encrypts the challenge, truncates the resulting ciphertext and sends a 24-bit response.

Applications
- Vehicle immobilizers: 150 million immobilizer keys use RFID; a condition to enable the fuel-injection system of the vehicle.
- Electronic payment: the ExxonMobil SpeedPass system: seven million cryptographically-enabled keychain tags accepted at 10k locations worldwide.

Goals
- Reverse engineer the DST: to demonstrate the weakness of the cipher.
- Crack the key: to demonstrate the inadequacy of the bit length.
- Simulate the DST device: to demonstrate how a reader can be spoofed.

Threat model
- DSTs are designed for short-range scanning only (a few centimeters); DSTs can respond to as many as 8 queries per second.
- Active scanning: the attacker brings her own reader within scanning range of the victim; permits a chosen-challenge attack.
- Passive eavesdropping: eavesdrop on the communication between the victim and a legitimate reader.
- Auto theft via eavesdropping: own a van with eavesdropping equipment; park near the victim's car and wait to capture key-to-reader transmissions; make a key based on the data collected.
- Auto theft via active attack: suborn/bribe a valet at a parking facility to scan immobilizer keys while parking cars.
- SpeedPass theft via active attack: carry a reader and a short-range antenna and scan nearby passengers in a subway.

Black box, or oracle [Figure: challenge → DST → response]
- Experimental observation of the responses output by the device.
- The aim was to get a schematic of the block cipher used in the challenge-response protocol. TI has not published their algorithm or block diagram, citing security by obscurity.
- Figure out the cipher used by the DST by reverse engineering, under the constraint of minimum resource requirements. Software packages were not used due to copyright issues.
- [Figure: Digital Signature Transponder (DST-40) block diagram: challenge/response register, routing network, encryption key register, about 400 clocks; "DST-40 Algorithm implementation", Dr. Ulrich Kaiser, Texas Instruments Deutschland GmbH.]
- The schematic does not describe the logical operations executed by the f-boxes, the g-boxes and the h-box. The mapping of key and challenge bits to the f-boxes is governed by a routing array whose organization the TI schematic does not describe: there is no indication of which bits in the challenge and key registers are input to which f-boxes. The h-box outputs a pair of bits instead of a single bit.
- The logical output was compared to the predicted output to determine the behavior of the hardware circuit, with the help of the published DST block diagram and trial and error. The information recovered is used in later stages to simulate the digital transponder.
- The authors were able to recover: the key schedule; the routing mechanism; the logical functions computed by the f, g and h boxes; the Feistel structure of the DST cipher. The Feistel structure of a cipher can be considered as the steps of the algorithm: the order in which the various operations are performed.
- A software implementation verified that the discovered algorithm works when given the same challenge and key.

Key cracking
- Keys in SpeedPass tokens and automobile ignition keys are immutable; key recovery is needed.
- Two challenge-response pairs are needed to determine a key uniquely (DST-40 outputs 24 bits per 40-bit challenge).
- The cracker tries each possible key on the first challenge; when a response match is found it verifies that the key also works on the second challenge.
- Each FPGA can test 16M keys per second. The entire 40-bit key space can be exhausted in under 21 hours using a single FPGA. To speed up the search (under 1 hour for realistic scenarios) the authors assembled 16 such circuits in parallel (under $3,500).
- The authors were able to find the keys of 5 TI-provided tags in under 2 hours, verifying the correctness of the algorithm.

Simulation
- [Figure: the reader powers up the DST and sends a 40-bit challenge; the DST broadcasts its 24-bit serial number, encrypts the challenge using the secret key and sends the response (a 24-bit signature and a 16-bit CRC); the reader looks up the secret key based on the serial number.]
- A PC equipped with a DAC board (digital-to-analog converter); the input and output of the DAC board are connected to an antenna tuned to 134 kHz.
- Steps: analyze the A/D conversions received by the DAC board; decode the AM signal containing the challenge sent from the reader; perform an encryption of this challenge using the recovered secret DST key; code the FM/FSK signal representing the correct response; output this FM/FSK signal to the DAC board.

Language Identification of Encrypted VoIP Traffic
Charles V. Wright, Lucas Ballard, Fabian Monrose, Gerald M. Masson. Presented by Vijay A. Balasubramaniyan, 10/28/2008.

VoIP
- Realizes routing of voice calls over the Internet; an umbrella term for a set of protocols: control plane (SIP or H.323), media (RTP, SRTP, ZRTP).
- Why VoIP? Reduces cost; geography agnostic; feature rich. Popular instances: AT&T CallVantage, Yahoo Messenger, Google Talk.

(Recurring slide title: "Alejandro y Roberto, or Alice and Bob")

VoIP security
- Control plane: digest authentication, SSL/TLS, lightweight authentication.
- Media: SRTP with AES in counter mode (no padding), AES in f8 mode (output feedback mode), or no encryption. ZRTP: the hash of previous operations is used as salt for the next.
- Really safe? NO: a crafty observer can look at traffic characteristics and determine the language.

State of the art
- Simple speech recognition (1990): identifying the language using audio.
- Information leakage: determining VoIP end points even in the presence of anonymizers; determining endpoints through structured data; video leakage; SSH leakage.
- The paper's goal: language recognition through information leakage.

Codec choice
- Narrowband vs wideband (8 kHz vs 15 kHz): advantage: higher sound quality; disadvantage: requires more bandwidth. Skype: wideband.
- CBR vs VBR: CBR: constant bit rate; VBR: humans consider certain sounds important → allocate a larger number of bits to them. Advantage: bandwidth savings for improved sound quality; disadvantage: twice the time to code and decode.
- Speex: 9 different bit rates → 9 different packet sizes (remember SRTP).

Encrypted VoIP
- High correlation between VBR output and encrypted packet length. Packet length → information about the conversation. The marriage of the two techniques → information leakage.
- [Figure: frequencies of bit rates for Indonesian, Russian and Mandarin.]

Corpus: Oregon Graduate Institute Center for Speech Learning
- 22 languages, 70-100 speakers from all around the world; answering-machine recordings; speakers talk on topics like "What did you recently eat?", random 1-minute thoughts.
- Language differentiators: 18.2 kbps: Mandarin vs Russian; 21.5 kbps: Indonesian vs Czech.
- Probability distribution of 2-grams, 3-grams, n-grams.

Adversarial mode of operation
- Build the n-gram probability distribution for the languages of interest (build it from a corpus).
- Choose n-grams which provide differentiating characteristics between languages.
- Sniff packets from the wire.
- Compare the packets to the n-gram probability distributions using the chi-square test statistic; pick the language with the closest distribution.

Evaluation
- [Figure: confusion matrix showing how often the speaker's language is among the classifier's top guesses.]
- Classifier on the 21 languages; leave-one-out cross validation.
- Results: TA: guessed correctly 40% of the time. CA: not very good.
- Alternative perspective: how many guesses to correctly identify (the diagonal)? Indonesian: 40% on the first try; most languages: 3-4 guesses.

Improving results
- [Figure: confusion matrix for the 2-way test using 3-grams.]
- 9 bit rates → 9 packet sizes; 3-grams: 451 choices; too little speech to train.
- Reduce dimensionality: encode silence; group 2 frequencies as 1 → 47 choices.
- Result: 66% correct identification; horribly misclassifies certain languages.
- TA: can we do 2 iterations? The CDF also shows improvement.

Binary classification and mitigation
- [Table: binary classifier recognition rates for selected language pairs.] 86% accuracy.
- Usage scenario: the endpoints are in different countries.
- Mitigations: padding: a 128-bit block is ineffective; larger sizes cause significant overhead; a possible tradeoff. CBR: no bandwidth savings, especially in the case of silence.

Discussion
- Why did the paper get in?
- Can we perform this attack in other, more efficient ways?
- Effect of intentional voice modulation, other forms of noise (white, brown)?
- Typically VoIP clients use fixed-rate G.711, G.729; along with silence compression, would you require VBRs? How much better are VBRs over CBRs with silence suppression?
- Multilingual conversations?
- Other encryption mechanisms: VoIP over IPsec?
- Is padding a feasible alternative? Random ordering of packets?