Security Matters

1
Security Matters

• V.T. Raja, Ph.D.,
• Oregon State University

2
Security Matters

• Outline
• Summary
• Example to illustrate RSA Algorithm
• A framework to help managers understand their
  role in security

3
Summary from first lecture on Security

• Characteristics of Secure Communication
• Perfect security a myth or a reality?
• Ciphers and Cryptography
• Authentication (ap 1.0 - ap 5.0)

4
Characteristics of Secure Communication
5
Cryptography

• Ciphers
• Caesar, Monoalphabetic, Polyalphabetic
• Symmetric Key Cryptography (SKC)
• Basic idea of SKC
• Notation for symmetric key
• Some popular SKC algorithms
• Sharing of symmetric key

6
Public Key Cryptography (PKC)

• Basic idea of PKC
• Notation for private/public key pair and plain
  text message
• RSA Algorithm
• Sharing public key
• Sender/Receive Authentication
• Man (Woman) in the middle attack

7
RSA Algorithm

• How does RSA work?
• Class Participation Exercise on RSA application
• Why does RSA work?
• (See additional handouts for answers)

8
Example to illustrate RSA Algorithm Participation
Exercise

• Background
• Bob has selected the prime numbers p and q as 5
  and 7 respectively.
• Bob has selected e to be the number 5.
• Alice and Bob interpret each letter in the
  English alphabet as a number between 1 and 26.
  That is, a 1, b 2, , n 14,, z 26.
• Alice wishes to send the plaintext love to Bob,
  after encrypting using RSA.
• Questions
• Compute Bobs public key using RSA.
• Determine Alices cipher text using RSA
  algorithm.

9
RSA Algorithm

• Even for small p and q, as seen in the
  participation exercise, we had to deal with
  extremely large numbers.
• If we follow the suggestion of RSA labs and
  select p and q to be several hundred bits long,
  then the following practical issues come to mind
• How to choose large prime numbers p and q?
• How to choose e and d?
• How to perform exponentiation with large numbers?
• (For those who are interested in this area, refer
  to Kaufman 1995 for answers to the above
  mentioned questions).

10
RSA and DES/AES

• DES is at least 100 times faster than RSA.
• In practice, RSA is often used in combination
  with DES or AES. How?
• (Alice encrypts DES key with Bobs public key.
  Bob decrypts and obtains DES key with his private
  key. The data is encrypted using DES key, which
  now both Alice and Bob have access to in order to
  encrypt/decrypt data).

11
Security of RSA

• The security of RSA relies on the fact that there
  are no known algorithms for quickly factoring a
  number (n), into the primes p and q. If one knew
  p and q, then given e, one could then easily
  compute the secret key d. It is not known
  whether or not there exist fast algorithms for
  factoring a number, and in this sense the
  security of RSA is not guaranteed.

12
Authentication

• ap 1.0
• ap 2.0
• ap 3.0
• ap 3.1
• ap 4.0
• ap 5.0

13
Authentication

• ap 1.0
• Alice announces to Bob, I am Alice.
• Trudy could have sent this message.
• ap 2.0
• Alice announces to Bob, I am Alice, and asks
  Bob to authenticate her by matching source IP (in
  IP header) with Alices IP.
• Trudy could have sent this message if she had
  done IP spoofing.

14
Authentication

• ap 3.0
• Alice announces to Bob, I am Alice, and asks
  Bob to authenticate her by verifying her
  plaintext password.
• Trudy may have already eavesdropped earlier, and
  have stolen Alices plaintext password during an
  earlier conversation between Alice and Bob. Now,
  Trudy could send the message, I am Alice by
  using Alices plaintext password.
• ap 3.1
• Alice announces to Bob, I am Alice, and asks
  Bob to authenticate her by verifying her
  encrypted password, which is kept the same for
  different communication sessions between Bob and
  Alice.
• Same disadvantage mentioned in ap 3.0 still
  exists. Note that Trudy need not decrypt the
  password. She could still eavesdrop, steal
  encrypted password, and then perform a playback
  attack on Bob.

15
Authentication

• ap 4.0
• Alice announces to Bob, I am Alice.
• Bob sends a plaintext nonce ( r) to Alice.
• Note that nonce is a one time value that is
  specific to that communication session. It is
  not repeated again in another session. So
  playback attack is not possible.
• Alice resends same nonce back to Bob but this
  time nonce is encrypted with symmetric key used
  by Alice and Bob.
• Bob decrypts nonce using symmetric key. If
  decrypted nonce equals the nonce he sent Alice
  earlier (i.e. decrypted nonce r) , then Alice
  is authenticated.
• However, this implies that Alice and Bob must
  have decided upon and exchanged their symmetric
  key.

16
Authentication

• ap 5.0
• Alice announces to Bob, I am Alice.
• Bob sends a plaintext nonce ( r) to Alice.
• Since nonce is a one-time value, playback
  attack is not possible.
• Alice resends same nonce back to Bob but this
  time nonce is encrypted with Alices private key.
  
• Bob decrypts nonce using Alices public key. If
  decrypted nonce equals the nonce he sent Alice
  earlier (i.e. decrypted nonce r) , then Alice
  is authenticated.

17
Exchanging Public Keys

• Why should public key be publicly available?
• Wouldnt it be better for Alice and Bob to
  exchange their respective public keys via e-mail,
  after authenticating each other?
• Due to possibility of man (woman) in the middle
  attack.

18
Man (Woman) in the Middle Attack

• Alice transmits, I am Alice.
• Trudy (alias Eve) eavesdrops.
• Bob sends a nonce r.
• Trudy intercepts nonce, and sends Bob encrypted
  nonce (encrypted using her private key).
• Bob sends a message to Alice asking her for a
  public key.
• Trudy intercepts message, and sends Bob Trudys
  public key.
• Bob decrypts nonce with Trudys public key
  (thinking that he is using Alices public key),
  and inadvertently authenticates Trudy.

• While Bob is encrypting new data using Trudys
  public key, Trudy is busy posing as Bob to Alice.
  In particular,
• Trudy transmits Bobs nonce to Alice
• Alice transmits encrypted nonce (encrypted using
  Alices private key).
• Trudy intercepts encrypted nonce, and asks Alice
  for her public key.
• Alice sends her public key

19
Man (Woman) in the Middle Attack

• Bob sends encrypted data (encrypted using Trudys
  public key)
• Trudy decrypts using her private key, and finds
  out Bobs plain text.
• Trudy encrypts Bobs plain text using Alices
  public key.
• Trudy transmits encrypted text to Alice.
• Alice decrypts using her private key, and finds
  out Bobs plain text.
• Alice and Bob are happy that they have had a
  secure communication. They are ignorant of the
  fact that Trudy has intercepted and decrypted
  Bobs message to Alice.

20
Public Key Certification

• PK cryptography possible for two entities to
  exchange secret messages without having to
  exchange secret keys.
• Communicating entities have to exchange public
  keys (without being subject to man in the middle
  attack).
• Binding a public key to a particular entity is
  typically done by a Certification Authority (CA).
  

21
Certification Authority

• A CA verifies that an entity is who it claims to
  be.
• After verification, CA creates a certificate that
  binds the public key to appropriate entity.
• Certificate
• includes a public key
• includes globally unique identifying information
  about owner of the public key
• Is digitally signed by CA

22
Digital Signatures and Message Digests

• Assume Bob wants to digitally sign a document,
  m.
• Bobs digital signature could be KB- (m)
• Due to complexity of RSA, digital signatures are
  applied to fingerprints instead of being
  applied to message m.
• Fingerprint H(m) where H denotes a hash
  algorithm
• Bobs digital signature is KB- (H(m))

23
Message Digests

• Message Digest (Hash) algorithms
• MD5 SHA-1 SHA-224-256-384-512
• Secure Hash Algorithm is a U.S. federal standard
• Required for use whenever a secure message digest
  algorithm is required for federal applications
• Produces a 160-bit message digest.
• Longer the output length, the more secure SHA-1
• SHA-224, SHA-256, SHA-384, and SHA-512, (which
  despite the similarity of names), are actually
  fairly different algorithms to SHA-1 and have
  much wider safety margins.

24
Managements Role in Security

• A framework to help managers understand that
  security rests on three cornerstones

25
Three Cornerstones

• Technology
• Organization
• Critical Infrastructure
• Management should provide strong leadership in
  all three areas.

26
Cornerstone Technology

• Have an understanding/appreciation of technology
• Firewalls
• IDS/IPS systems
• Antivirus/Security Patches
• Physical security
• Client/Server/Perimeter Security Secure VPNs
• Evaluation of potential technology acquisitions
  based on their impact on security
• Symmetric and Public Key Cryptography

27
Example DDoS attack on iPremier Company

• IPremier
• Sells luxury and rare high priced items on
  Internet
• Survived dot com implosion
• Customers have good credit history with high
  spending limits
• Experienced a DDoS on Web Server
• Ha Ha Ha! e-mails received by Help Desk
• Problems at Colocation facility Qdata
• iPremier employees could not get access to
  Qdatas Network Operations Center (NOC)

28
Questions

• About Qdata
• Although an early entrant in the industry, Qdata
  lost any prospect of market leadership
• Had not been quick to invest in advance
  technology
• Had experienced difficulty in retaining qualified
  staff
• Questions
• If you were the CIO, how would you react to this
  situation?
• What implications does this situation have for
  the iPremier company?

29
iPremier Example (Continued)

• Unable to determine extent of damage (firewall
  penetrated? How deep is the penetration?)
• Unable to determine if customer data was stolen
  (CIOs main immediate concern)
• Unable to track (in a reasonable time frame)
  where Ha, ha, ha e-mails received by support
  folks are originating
• Even if e-mail is tracked eventually leads to
  another Zombie

30
iPremiers Response to Attack Very Poor

• Try to shut down traffic from Zombies didnt
  work for every zombie that was shut down two
  new zombies joined the party automatically
• Shut down Web Server?
• Cost of downtime?

31
Imperative Need for Secure CommunicationCost of
downtime
32
iPremiers Response to Attack Very Poor

• Unable to determine if they should disconnect
  the communication lines
• initially CIO and CTO had discussion - may lose
  logging data that could help them figure out what
  happened (preserving evidence to find root cause
  of problem and what to disclose publicly)
• later concluded that detailed logs have not been
  enabled
• Unable to determine if they should call Seattle
  Police or FBI?

33
iPremiers Response to Attack Very Poor

• How to handle PR (before info about security
  breach leaks out)?
• Unable to decide if all systems need to be
  rebuilt
• Worst is over? Damage has been done?
• Attack stopped after about 75 minutes without
  any intervention from iPremier or from Qdata!
• FBI Calls iPremier?
• Would system rebuild imply wiping out any
  remaining proof of iPremiers innocence?

34
Some Business Implications for IPremier

• Web server unavailable to legitimate customers
• Cost of downtime?
• Bad reputation for the business
• Lost customers
• Loss of customer goodwill
• Legal issues if customer data was compromised

35
Some Business Implications for IPremier

• Impact on stock price
• Unknown damages to the network/business?
• What if there was another attack?

36
Cornerstone Organization

• Organizational characteristics typically under
  the control of organization
• Structure
• Business environment
• Culture
• Policies and Responses
• Standard Operating Procedures
• Education, Training, and Awareness

37
Managements Role in Security

• Realize that total/perfect security is a myth
• Act appropriately, recognizing that security
  rests on three cornerstones
• Critical Asset Identification
• Initial Risk Assessment
• Risk Assessment as a continuous process

38
Managements Role in Security

• Creating a security team
• Initiate and actively participate in
  planning/design/documentation/ testing of
  security policy
• Actively involved in establishing standard
  operating procedures

39
Managements Role in Security

• Developing and maintaining an appropriate
  organizational culture
• Ensure employees are educated and trained
  regarding importance of following security policy
• Have an understanding of what each security tool
  proposed by IT team can do or cannot do

40
Managements Role in Security

• Have a good control environment
• Physical controls
• Data/Content control
• Implementation control (outsourcing)
• Operations/Administrative Control
• Application Controls specific to individual
  system components/applications
• (e.g., Limiting e-mail attachments)

41
Cornerstone Critical Infrastructure

• Infrastructure that are so vital that their
  damage or destruction would have a debilitating
  impact on the physical or economic security of
  the country
• Telecommunications
• Banking
• Energy

42
Why should government/academic institutions/indust
ry collaborate?

• In each others interest
• CI in large part is owned by the private sector,
  used by both private and public sectors, and
  protected in large part by public sector.
• Need to discuss problems and exchange ideas and
  solutions to cyber attacks/misuse
• Resource/cost/information sharing
• Opportunity to play a role in the evolution of
  best practices
• Help shape legal and government policies in areas
  of mutual concerns Appropriate guidance for
  rapid additional protection measures

43
CERT Source http//www.us-cert.gov/
44
What does CERT do?
45
Imperative Need for Secure CommunicationReported
Security Incidents up to 1995Source CERT.ORG
46
Reported Security Incidents 1995 2003 Source
http//www.cert.org/present/cert-overview-trends/m
odule-1.pdf
47
Why have cyber attacks been on the rise?Some
reasons
48
Managements Role in Security

• Recognize that security requires an end-to-end
  view of business processes
• Achieve a balanced approach to security one
  that does not solely focus on technological
  solutions
• Recognize that security is a socio-technical
  issue, and requires strong leadership from
  management

49
Managements Role in Security

• Management ties everything together
• Responsibility
• Ownership

• Security is a Mindset, not a service. It must be
  a part of all decisions and implementations.

50

• Apply the Dutta/McCrohan framework and help
  iPremiers management react appropriately to the
  security incident.