Computer Security CS 426 Lecture 21 - PowerPoint PPT Presentation

1 / 14
About This Presentation
Title:

Computer Security CS 426 Lecture 21

Description:

Allow recount, provide confidence in results. Who might attack system? Voter wants ... Diebold Election Systems. Unfortunately, linear congruential generators ... – PowerPoint PPT presentation

Number of Views:65
Avg rating:3.0/5.0
Slides: 15
Provided by: NINGH7
Category:

less

Transcript and Presenter's Notes

Title: Computer Security CS 426 Lecture 21


1
Computer Security CS 426Lecture 21
  • Examples of Using Cryptography Incorrectly

2
Related Readings
  • Analysis of an electronic voting system
  • Kohno, Stubblefield, Rubin, Wallach, 2004
  • Intercepting Mobile Communications The
    Insecurity of 802.11
  • Borisov, Goldberg, Wagner, 2001
  • The Final Nail in WEPs Coffin
  • Bittau, Handley, Lackey, 2006

3
Example voting machine
  • Standard hardware
  • Commercial OS
  • Many run WinCE
  • Programmable
  • Specify election
  • Smartcard authentication
  • Invalidate card when done
  • Data output
  • Network, or
  • Place disk in another computer

4
Basic security analysis
  • What is voting system supposed to do?
  • Correctly count votes
  • One person, one vote
  • Voter privacy
  • Prohibit vote selling
  • Allow recount, provide confidence in results
  • Who might attack system?
  • Voter wants to vote twice
  • Election worker
  • Programmer working for voting machine company

5
Diebold Case Study
T. Kohno, A. Stubblefield, A. Rubin, D. Wallach
  • Proprietary system
  • Certification mandated by election laws
  • Without public review Security through obscurity
  • Diebold system leaked
  • AccuVote-TS DRE system, Oct 2000 - April 2002
  • Available on open ftp server
  • Identified by activist Bev Harris
  • Some zip files, cvs repository
  • DMCA concern over zip encryption
  • Available on New Zealand site

6
Some problems
  • Encrypted votes and audit logs
  • define DESKEY ((des_key)"F2654hD4")
  • No authentication of smartcard to voting terminal
  • Insufficient code review

7
Sample comment in code
  • // LCG - Linear Conguential Generator
  • // used to generate ballot serial numbers
  • // A psuedo-random-sequence generator
  • // (per Applied Cryptography,
  • // by Bruce Schneier, Wiley, 1996)

Unfortunately, linear congruential generators
cannot be used for cryptography Page
369 Applied Cryptography, by Bruce Schneier
- BallotResults.cpp Diebold Election Systems
8
Other problems
  • Smartcards use no cryptography
  • Votes kept in sequential order
  • Several glaring errors in cryptography
  • Inadequate security engineering practices
  • Default Security PINs of 1111 on administrator
    cards
  • Windows Operating System
  • tens of millions of lines of code
  • new critical security bugs announced frequently

9
802.11 Security
  • Used between a Wireless Access Point and Wireless
    Ethernet Cards
  • Existing security consists of two subsystems
  • A data encapsulation technique called Wired
    Equivalent Privacy (WEP)
  • An authentication algorithm called Shared Key
    Authentication
  • Goals
  • Create the privacy achieved by a wired network
  • Simulate physical access control by denying
    access to unauthenticated stations

10
WEP Encapsulation
  • WEP Encapsulation Summary
  • A master key shared between the end points
  • Encryption Algorithm RC4
  • Per-packet encryption key 24-bit IV
    concatenated to a master key
  • WEP allows IV to be reused with any frame
  • Data integrity provided by CRC-32 of the
    plaintext data (the ICV)
  • Data and ICV are encrypted under the per-packet
    encryption key

11
What Went Wrong in WEP?
  • The space of IV is too small IV is sent in
    clear.
  • With two messages encrypted using the same IV,
    one can recover the key stream.
  • The attack is made much easier by chosen
    plaintext attacks, which can be carried out in
    the environment where WEP is used.

12
Ways to Accelerate the Attack
  • Send spam into the network no pattern
    recognition required!
  • Get the victim to send e-mail to you
  • The AP creates the plaintext for you!
  • Decrypt packets from one Station to another via
    an Access Point
  • If you know the plaintext on one leg of the
    journey, you can recover the key stream
    immediately on the other
  • Etc., etc., etc.

13
Fragmentation Attacks
  • Knowing several bytes of plaintexts in the
    beginning of a message enables one to extract the
    beginning of key streams
  • Using fragmentation, one can send messages using
    a short key stream
  • By crafting messages sent to a particular IP
    address, one can have the WAP decrypt to get the
    plaintext and long key stream
  • Attack can be carried out after receiving one
    packet

14
Coming Attractions
  • November 9
  • Introduction to network security
Write a Comment
User Comments (0)
About PowerShow.com