Protection (Chapter 14) limits the access of users to resources (e.g.,
files). It provides a mechanism that controls the access of programs, processes,
or users. Protection is an internal issue. Protection is important even on
a machine used by only one person in a locked and isolated room.
Security (Chapter 15) prevents unauthorized access to the system. Security is an external issue.
GnuPG is a complete and free replacement for PGP. Because it does not
use the patented IDEA algorithm, it can be used without any restrictions. GnuPG
is an RFC 2440 (OpenPGP) compliant application.
Step n+1 MANY variants
Trust a public key?
One student observed: All of your examples assume we have a public key that is really from the sender.
VERY GOOD!!!
Actually, from the person it claims to be. Yes, you could create a private key - public key pair, claiming to be from the President. If someone encrypted a message for the President using that public key and you intercepted the message, you could read the Top Secret message.
How can you be sure?
Know the author and get his/her public key directly. Since I showed you the web page with my public key, you can be reasonably certain that it IS my public key. Of course, it is possible that someone hacked my web site and substituted a fake. I admit I did not personally check each character today.
My public key might be officially registered with Verisign or some other official registry. If you trust that authority, you might trust my public key you get from them.
You might have a friend you trust, and that friend might tell you (either directly or through PGP formalities) that he/she believes that to be my public key, so you can trust it to a slightly less degree than you trust your friend.
There is an entire concept "Web of Trust" which allows me to sign someone else's public key and say (in effect), "I believe this is valid." If you don't trust me, my signature carries no weight with you. If you do trust me, you can trust the public key I have signed. How do you know it is I who signed it? Digital signature plus whatever trust you have in "my" public key. Hence, a public key signed by many people in whom you have trust is probably a trustworthy key.
How you come by the public key also should be a factor. Consider: If I call Lands End, place an order, and give them my phone number over the phone, I am reasonably certain it is really Lands End to whom I am speaking. Someone COULD be eavesdropping, but at least I have high confidence I am not talking to an impostor. On the other hand, if someone calls ME and says, "This is Lands End. Please give me your credit card number," I am MUCH more skeptical.
If I type the URL of a web site I am accustomed to using and I retrieve a public key, I am reasonably certain it is a valid public key, although the entire web site COULD be an impostor. On the other hand, if I receive unsolicited email containing a public key, I am more skeptical. I might call the claimed author and ask, "Did you send your public key to me at about 2:37 PM this afternoon?"
15.4.3 SSL
Communicate securely between browser and web server, e.g.,
credit card numbers
Virtual Private Networks (VPN)
Precondition: Server s obtained a certificate cert from a certification authority
CA, including
Attributes including DNS name
Public encryption algorithm E()
Public key ke
Validity interval for the certificate
Digital signature of the certification authority
Precondition: Client has obtained the public verification algorithm for the
certification authority
Basic idea:
Establish each identity
Use public keys to exchange a one-time symmetric key
Communicate using symmetric key
What are the threats?
The dance (See pp. 586-7 for more detail)
Client initiates
Client sends 28-byte random value
Server responds with 28-byte random value + its certificate
Client checks validity of certificate
Client generates secret 46-byte pms, encrypts using server's public key,
and transmits
Server decrypts to recover pms
Both client and server use two 28-byte values & pms to compute a master
secret key ms. Use ms to generate four keys:
Symmetric encryption key for client --> server
Symmetric encryption key for server --> client
Key to authenticate client --> server
Key to authenticate server --> client
Client can send encrypted, signed messages to server
Server can send encrypted, signed messages to client
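The key-derivation end of the dance, as an added example that is not from the textbook or these notes: both sides compute the same four keys, and a resent or reflected message fails authentication. HMAC-SHA256 stands in for SSL's real derivation function, the public-key transport of pms is omitted, and the function names, label strings and sequence number are assumptions.

```python
import hashlib
import hmac
import os

NONCE_LEN, PMS_LEN = 28, 46  # sizes given in the notes
# One label per key in the notes' list; the label strings are assumptions.
LABELS = (b"enc c->s", b"enc s->c", b"mac c->s", b"mac s->c")

def _prf(key, data):
    # HMAC-SHA256 is a stand-in here, not SSL's actual derivation function.
    return hmac.new(key, data, hashlib.sha256).digest()

def derive_keys(pms, client_random, server_random):
    """Compute ms from pms and both random values, then expand it into four keys."""
    if len(pms) != PMS_LEN:
        raise ValueError("pms must be 46 bytes")
    if len(client_random) != NONCE_LEN or len(server_random) != NONCE_LEN:
        raise ValueError("random values must be 28 bytes")
    ms = _prf(pms, b"master" + client_random + server_random)
    return {label: _prf(ms, label) for label in LABELS}

def tag(keys, direction, seq, payload):
    """Authentication tag for one message; direction is b"c->s" or b"s->c"."""
    # The sequence number is an assumption added so each message has a distinct tag.
    return _prf(keys[b"mac " + direction], seq.to_bytes(8, "big") + payload)

def verify(keys, direction, seq, payload, mac):
    return hmac.compare_digest(tag(keys, direction, seq, payload), mac)

def demo():
    """Returns (both_sides_agree, replay_accepted, reflection_accepted)."""
    pms = os.urandom(PMS_LEN)                    # constructed sample values
    c_rand, s_rand = os.urandom(NONCE_LEN), os.urandom(NONCE_LEN)
    client = derive_keys(pms, c_rand, s_rand)    # client side
    server = derive_keys(pms, c_rand, s_rand)    # server side, after decrypting pms
    msg = b"card=4111-constructed"
    mac = tag(client, b"c->s", 0, msg)
    agree = client == server and verify(server, b"c->s", 0, msg, mac)
    # Replay: the recorded client random value, pms and message are resent later;
    # the server's fresh random value changes every key.
    later = derive_keys(pms, c_rand, os.urandom(NONCE_LEN))
    replay_accepted = verify(later, b"c->s", 0, msg, mac)
    # Reflection: the client's own message comes back as if sent by the server.
    reflection_accepted = verify(client, b"s->c", 0, msg, mac)
    return agree, replay_accepted, reflection_accepted

if __name__ == "__main__":
    print(demo())
```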
15.1 Security Problem
What do we fear?
"Total security cannot be achieved." - p. 560
Threat is the potential for a security violation
Attack is an attempt to break security
Breach of confidentiality - Unauthorized reading of data
Breach of integrity - Unauthorized modification of data
Breach of availability - Unauthorized destruction of data
Theft of service - Unauthorized use of resources
Denial of service - Prevent legitimate use
Take security measures at four levels:
Physical
Human
Operating system
Network
15.2 Program Threats
Write a program that creates a breach of security
15.2.1 Trojan horse programs
Code segment that misuses its environment
Search PATH - All directories must be secure
"." in the search path
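A check for the two search-path points above, as an added example that is not part of the original notes: it flags entries that resolve to the current directory and directories that other users can write to. The function name and reason strings are assumptions.

```python
import os
import stat

def audit_search_path(path_value):
    """Return (entry, reason) pairs for PATH entries where another user
    could plant a program that shadows a trusted command."""
    findings = []
    for entry in path_value.split(os.pathsep):
        if entry in ("", "."):
            # An empty entry is treated as the current directory, same as ".".
            findings.append((entry, "current directory in search path"))
            continue
        if not os.path.isabs(entry):
            findings.append((entry, "relative entry depends on current directory"))
            continue
        try:
            mode = os.stat(entry).st_mode
        except OSError:
            findings.append((entry, "directory does not exist or is unreadable"))
            continue
        if not stat.S_ISDIR(mode):
            findings.append((entry, "not a directory"))
        elif mode & stat.S_IWOTH:
            findings.append((entry, "world-writable directory"))
        elif mode & stat.S_IWGRP:
            findings.append((entry, "group-writable directory"))
    return findings

if __name__ == "__main__":
    # Audit the search path of the current process.
    for entry, reason in audit_search_path(os.environ.get("PATH", "")):
        print(f"{entry!r}: {reason}")
```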
15.2.2 Trap door
Might check for a specific user and circumvent normal security
Undocumented command-line options
Built into the compiler?
15.2.4 Stack and buffer overflow
Review activation record
Web form: Enter name:
Copy contents into a string:
char userName[40];
strcpy(userName, ...);
Possible buffer overflow could alter the return address
Instead of returning, could jump to arbitrary code, e.g., command shell
P. 566: "Unfortunately, good bounds checking is the exception rather than
the norm."
15.2.5 Viruses
15.3 System and Network Threats
Examples include
Masquerading
Replay
Worms
Port scanning
Denial-of-service
15.5 User Authentication
How do we determine whether a user's identity is authentic?
Something you have, e.g., key, card, dongle
Something you know, e.g., password
Something you are, e.g., fingerprint
15.5.1 Passwords
15.5.2 Password vulnerabilities
15.5.3 Encrypted passwords
15.5.4 One-time passwords
15.5.5 Biometrics
15.6 Implementing Security Defenses
Improved user education through writing fault-free software