CSCE 522

1

• CSCE 522
• Lecture 16
• Electronic Mail Security

2
Reading list

• Required
• E-mail security Chapter 7.6
• Malicious code
• Chapters 3.1, 3.3, 3.4, 3.5, 3.6, 3.7, 3.8
• Recommended
• Chapters 3.1
• USC Computer Services Virus Information Center
  http//www.sc.edu/ars/virus
• CERT Advisory, http//www.cert.org/advisories

3
Electronic Mail

• Most heavily used network-based application
• Used across different architectures and platforms
• Send e-mail to others connected directly or
  indirectly to the Internet regardless of host
  operating systems and protocols
• NEED
• Authentication
• Confidentiality

4
Why Email Security?

• Message confidentiality
• Message integrity
• Sender authentication
• Nonrepudiation

5
Secure E-mail Approaches

• PEM Privacy-Enhanced Mail
• S/MIME
• PGP Pretty good Privacy

6
Privacy Enhanced Mail (PEM)

• Components
• Message Encryption
• Certificate based key management
• Algorithms, modes, identifiers
• Key certification and related services

7
PEM Algorithms

• Symmetric key management DES-ECB, DES-EDE
• Session key is encrypted using DES, using key
  shared by the sender and receiver, and attached
  to the message
• Asymmetric key management RSA, MD2
• Public key certificates are created and signed,
  using MD to hash and RSA to sign. The session
  key is encoded using RSA and the recipients
  public key, and attached to the message

8
S/MIME

• Specification rather than product
• Relays on public key certificates issued by
  hierarchically organized CA
• Part of the most user agent software packages on
  the market

9
Pretty Good Privacy

• Phil Zimmermann (early 90)
• Confidentiality and authentication for
• Electronic mail and
• Storage applications

10
PGP Evolution

• Best available cryptographic algorithms (90)
• Integrate these algorithms such that
• Independent of operating system and processor
• Based on a small set of commands
• Make the application and the documentation
  available through the Internet
• Agreement with a company to provide compatible,
  low-cost commercial version of PGP

11
PGP - Usage

• PGP became widely used within a few years
• Available worldwide for different platforms
• Based on proven secure algorithms such as RSA,
  IDEA, MD5
• Wide range of applicability
• Was not developed or controlled by government
  standards

12
PGP Services

• Digital Signature RSA, MD5
• Hash code of message is created using MD5,
  encrypted using RSA, with senders private key,
  and attached to the message
• Confidentiality RSA, IDEA
• Message is encrypted using IDEA, with one-time
  session key generated by the sender, session key
  is encrypted, using RSA and the recipients
  public key, and attached to the message

13
PGP Services

• Compression ZIP
• Message may be compressed for storage or
  transmission
• E-mail compatibility
• Encrypted message is converted to ACSII string
• Segmentation
• To accommodate maximum message size, PGP performs
  segmentation and reassembly

14
Authentication
KAprivate
H(M)
KAprivateH(M)
E
H
H
M
M
c
Compare
M
D
concatenate
KAprivateH(M)
KApublic
Receiver B
Sender A
15
Confidentiality
Ksession
Ksession(M)
Ksession(M)
M
E
E
concatenate
M
c
Ksession
E
D
KBpublic (Ksession)
Ksession
KBpublic (Ksession)
KBpublic
KBprivate
Receiver B
Sender A
16
Confidentiality and Authentication
Sender A
KAprivate
KsMH(M)
KBpublic
E
Ks
M
H
E
M
E
c
c
KAprivateH(M)
KBpublic (Ks)
H
Compare
D
D
Ks
D
KBprivate
KApublic
Receiver B
17
Program Security
18
Program Flaws

• Taxonomy of flaws
• how (genesis)
• when (time)
• where (location)
• the flaw was introduced into the system

19
Security Flaws by Genesis

• Genesis
• Intentional
• Malicious Trojan Horse, Trapdoor, Logic Bomb,
  covert channes
• Non-malicious
• Inadvertent
• Validation error
• Domain error
• Serialization error
• Identification/authentication error
• Other error

20
Kinds of Malicious Codes

• Virus a program that attaches copies of itself
  into other programs. Propagates and performs
  some unwanted function.
• Rabbit (Bacteria) program that consumes system
  resources by replicating itself.

21
Kinds of Malicious Code

• Worm a program that propagates copies of itself
  through the network. Usually performs some
  unwanted function.
• Does not attach to other programs
• Trojan Horse secret, undocumented routine
  embedded within a useful program. Execution of
  the program results in execution of secret code.

22
Kinds of Malicious Code

• Logic bomb, time bomb logic embedded in a
  program that checks for a certain set of
  conditions to be present in the system. When
  these conditions are present, some malicious code
  is executed.
• Trapdoor secret, undocumented entry point into a
  program, used to grant access without normal
  methods of access authentication.

23
Virus

• Virus lifecycle
• Dormant phase the virus is idle. (not all
  viruses have this stage)
• Propagation phase the virus places an identical
  copy of itself into other programs of into
  certain system areas.
• Triggering phase the virus is activated to
  perform the function for which it was created.
• Execution phase the function is performed. The
  function may be harmless or damaging.

24
Virus Types

• Transient (parasitic) virus most common form.
  Attaches itself to a file and replicates when the
  infected program is executed.
• Memory resident virus lodged in main memory as
  part of a resident system program. Virus may
  infect every program that executes.

25
Virus Types

• Boot Sector Viruses
• Infects the boot record and spreads when system
  is booted.
• Gains control of machine before the virus
  detection tools.
• Very hard to notice
• Carrier files AUTOEXEC.BAT, CONFIG.SYS,IO.SYS

26
Virus Types

• Stealth virus a form of virus explicitly
  designed to hide from detection by antivirus
  software.
• Polymorphic virus a virus that mutates with
  every infection making detection by the
  signature of the virus difficult.

27
How Viruses Append


virus
virus
Original program
Original program
Virus appended to program
28
How Viruses Append


Virus-1
virus
Original program
Original program
Virus-2
Virus surrounding a program
29
How Viruses Append


virus
Original program
Original program
Virus integrated into program
30
How Viruses Gain Control

• Virus V has to be invoked instead of target T.
• V overwrite T
• V changes pointers from T to V
• High risk virus properties
• Hard to detect
• Hard to destroy
• Spread infection widely
• Can re-infect
• Easy to create
• Machine independent

31
Virus Signatures

• Storage pattern
• Code always located on a specific address
• Increased file size
• Execution pattern
• Transmission pattern
• Polymorphic Viruses

32
Antivirus Approaches

• Detection determine infection and locate the
  virus.
• Identification identify the specific virus.
• Removal remove the virus from all infected
  systems, so the disease cannot spread further.
• Recovery restore the system to its original
  state.

33
Preventing Virus Infection

• Prevention
• Good source of software installed
• Isolated testing phase
• Use virus detectors
• Limit damage
• Make bootable diskette
• Make and retain backup copies important resources

34
Worm

• Self-replicating (like virus)
• Objective system penetration (intruder)
• Phases dormant, propagation, triggering, and
  execution
• Propagation
• Searches for other systems to infect (e.g., host
  tables)
• Establishes connection with remote system
• Copies itself to remote system
• Execute