Computer Security and Cryptography

1
Computer Security and Cryptography
Partha Dasgupta, Arizona State University
2
The Problem
If I didn't wake up, I'd still be sleeping.
3
Not just hype paranoia

• Internet hosts are under constant attack
• Financial losses are mounting
• Miscreants are getting smarter
• (and so are consumers)
• National Security risks were stated and then
  underplayed
• Data loss threatens normal users, corporations,
  financial institutions, government and more
• Questions
• HOW? WHY? and What can we do?

4
Overview

• Part 1 Security Basics
• Part 2 Attacks
• Part 3 Countermeasures
• Part 4 Cryptography
• Part 5 Network Security
• Part 6 System Security
• Part 7 State of the Art and Future

5
Part 1 Security Basics

• Computer and Network Security basics
• Hacking
• Attacks and Risks
• Countermeasures
• Secrets and Authentication
• Paranoia

6
Computer and Network Security

• Keep computers safe from program execution that
  is not authorized
• Keep data storage free from corruption
• Keep data storage free from leaks
• Keep data transmissions on the network private
  and un-tampered with
• Ensure the authenticity of the transactions (or
  executions)
• Ensure that the identification of the human,
  computer, resources are established
• With a high degree of confidence
• Do not get stolen, misused or misrepresented

7
Hacking or Cracking

• Plain old crime
• Phone Phreaking
• Credit cards, the old fashioned way
• Technology Hacks
• Design deficiencies and other vulnerabilite
• ATM, Coke Machines, Credit Cards, Social
  Engineering
• Software hacks
• Second channel attacks
• RFID issues
• Cell phone vulnerabilities
• Grocery cards?

8
Attacks and Risks

• Attacks
• An attack is a method that compromises one or
  more of- privacy (or confidentiality)- data
  integrity- execution integrity
• Attacks can originate in many ways
• System based attacks
• Network based attacks
• Unintended Consequences
• Risk a successful attack leads to compromise
• Data can be stolen, changed or spoofed
• Computer can be used for unauthorized purposes
• Identity can be stolen
• RISK can be financial

9
Attack Types

• System based attacks
• Virus, Trojan, rootkit
• Adware, spyware, sniffers
• A program has potentially infinite power
• Can execute, spawn, update, communicate
• Can mimic a human being
• Can invade the operating system
• Network based attacks
• Eavesdropping
• Packet modifications, packet replay
• Denial of Service
• Network attacks can lead to data loss and system
  attacks

10
Countermeasures

• System Integrity Checks
• Virus detectors
• Intrusion detection systems
• Software signatures
• Network Integrity checks
• Encryption
• Signatures and digital certificates
• Firewalls
• Packet integrity, hashes and other cryptographic
  protocols
• Bottom Line
• We have an arsenal for much of the network
  attacks
• System security is still not well solved

11
What is at Risk?

• Financial Infrastructure
• Communication Infrastructure
• Corporate Infrastructure
• Confidentiality and Privacy at many levels
• Economy
• Personal Safety

12
The Shared Secret Fiasco

• Our authentication systems (personal, financial,
  computing, communications) are all based on
  shared secrets
• ID numbers, Account numbers, passwords, SS, DOB
• When secrets are shared, they are not secrets
• They will leak!
• Given the ability of computers to disseminate
  information, all shared secret schemes are at
  extreme risk
• Media reports of stolen data is rampant

• The Fake ATM attack
• The check attack
• The extortion attack

13
How do secrets leak?

• Malicious reasons
• Simple mistakes
• Oversight
• Bad human trust management
• Bad computer trust management
• Nothing can go wrong
• Please believe in Murphy!

14
Keeping Secrets?

• Simple answer, not possible.
• Encryption is good, but data has to be
  unencrypted somewhere
• Disappearing Ink?
• Use paper based documents, not scanned.
• Public Key Encryption has much promise (PKI
  systems)
• Shared secrets need to be eliminated as much as
  possible
• Separate out of band communications
• Phone, postal mail, person-to-person

15
Authentication

• Shared secrets are used for authentication
• Username/passwords
• Multi-factor authentication
• What you know
• What you have
• What you are, what you can do.
• Most of the authentication methods are quite
  broken
• Designed when networking was not around
• PKI systems are better, but not deployed
• Too many false solutions (dangerous, gives a
  feeling of security)

16
Passwords

• The password is known to the host and the client
• Under some password schemes the host does not
  know the password (e.g. Unix)
• Passwords can leak from host or from client
• Same password is used for multiple sites
• Password managers are not too effective
• Good passwords are not as good as you think
• Invented for a completely different purpose,
  using passwords on the web, even with SSL
  encryption, is a bad idea

17
False Solutions

• Biometrics
• A digital bit string, or password that cannot be
  changed
• Plenty of attacks possible, including framing
• RFID identification
• Plenty of attacks possible
• Multi-Factor authentication
• Better, but still not good
• Smart cards (the not-so-smart ones)
• Again, based on shared secrets, have attacks and
  limitations

18
Paranoia?

• A large number of computers (consumer, business)
  are compromised or used for fraud
• Viral infections, zombies
• Many web servers are for fraudulent reasons
• Spam is an indicator
• Unprecedented lying, cheating
• Adware, popups, spyware
• All attempting to mislead, steer, and victimize
• Identity theft, financial theft, cheating
• Probably at an all time high
• Security Awareness is often coupled with paranoia
• It is necessary to be paranoid!

19
What is the point of an attack?

• Get your shared secrets for financial gain
• Espionage
• Disruption

PersonalCorporateFinancialSystem Identification
20
Computer Security

• Software needs to be verifiably untampered and
  trusted
• Networks need to be free from tampering/sniffing
• Data has to be secure from stealing and tampering
• End user protection
• A coalescing of software, hardware and
  cryptography along with human intervention and
  multi-band communication.