Security 101 Hsu-Chun Hsiao CSIE, NTU


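Ethics of hacking

Any hands-on practice exercise must have explicit permission.
Taking this course is no excuse for arbitrarily accessing other people's systems or data.
Most importantly, protect yourself and do not break the law.
Any attempt to cheat or attack others (including the teaching team) may lead to a failing grade & severe legal consequences.

Criminal Code, Chapter 36: Offenses of Interfering with Computer Use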

Agenda

What is (cyber)security?
Introduction to cryptography
Introduction to network & systems security
• … via very short examples

Appendix: Security principles

What is Security?

Security requirements
Threat model
Cost of security

What's NOT security

Security != cryptography
• Cryptography != encryption
• Cryptography != bitcoin

Security != CTF

What is security?

Protect assets (e.g., data and communication) from unauthorized actions
Attackers = entities that attempt to perform unauthorized actions

Attacker may
• Eavesdrop
• Manipulate
• Cause denial of service
• …

Ensure the program or system works correctly even in the face of attack

Example
• Is it the right website?
• Is it really the owner of the account?
• Is the transaction content correct?
• Can anyone see my account information?
• Is the service available?

Security requirements

Properties that the protection should achieve

The CIA triad: confidentiality, integrity, availability

Confidentiality (保密性)

Confidentiality is protection from unauthorized disclosure
Eavesdropping on messages violates confidentiality

[Figure: Alice sends "A->B: here are the midterm exam questions." to Bob over an unencrypted channel (the Internet or other comm. networks); Eve/Mallory sits on the channel.]

Integrity (完整性)

Integrity is protection from unauthorized changes
Modification of messages violates integrity

[Figure: the message "A->B: see you at 6pm" is changed in transit to "A->B: I don't want to see you again".]

Availability (可用性)

Availability ensures intended users can access service
Denial of Service violates availability

Exercise: which security requirement is violated?

Memcrashed: DDoS amplification using memcached

Mar. 2018: memcached amplification DDoS against GitHub at 1.3 Tbps

Sep. 2016: Mirai IoT botnets caused DDoS at 620 Gbps

Mar. 2013: DNS amplification against Spamhaus at 300 Gbps

Exercise: which security requirement is violated?

KRACK: Key Reinstallation Attack against WPA2

A security flaw in the WPA2 protocol
Attacker can trick the victim into reinstalling an already-in-use key
Key reuse breaks the security guarantee
Not as bad as it sounds…
• TLS (transport layer security) can mitigate this attack
• The attacker must be local and proactive

https://www.krackattacks.com
M. Vanhoef and F. Piessens, "Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2," in ACM CCS, 2017.
https://www.eff.org/deeplinks/2017/10/krack-vulnerability-what-you-need-know

Exercise: which security requirement is violated?

Meltdown and Spectre

Cache side-channel attacks that exploit CPU hardware implementations (speculative execution) to leak data
Spectre takes advantage of the CPU's branch prediction
Meltdown leverages out-of-order execution

https://meltdownattack.com/
https://www.kb.cert.org/vuls/id/584653

Exercise: which security requirement is violated?

WannaCry Ransomware

It's believed to be based on the NSA's leaked tool, the EternalBlue exploit.
Leverages Windows SMBv1 vulnerabilities to actively propagate
• Windows XP/Vista/7/8/8.1 are vulnerable
• Infected >200K computers, including hospitals, transportation, etc.
• CVE-2017-0143~0148 / MS17-010

Other security requirements

Authorization (授權)
Access control (存取控制)
Accountability (可歸責性)
Auditability (可稽核性)
Authenticity (鑑別性)
Non-repudiation (不可否認性)
Anonymity (匿名)
Privacy (隱私)
…

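So how do we make a system completely airtight?

Wrong question!

100% security, defending against every attack, is not achievable in practice. Why?
• Limited budget
• Performance requirements
• Unknown attacks (zero-day attacks)
• Factors that are hard to control (such as how users use the system)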

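The system is 100% secure

The system provides [Security Requirement] against [Threat Model] under [Assumption]

Assumptions about the attacker: the attacker's capability, knowledge, resources, etc.

Other assumptions: e.g., assume that no customer posts a photo of a newly issued ATM card online or tells someone else the password

Example
The [system] provides [security requirement] against [Threat Model] under [Assumption]

System = ATM cash withdrawal system
Security requirement = identity authentication
Threat model = someone who picks up an ATM card and tries PINs at random
Assumption = the user has not written the PIN on the card sleeve or used a birthday as the PIN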

A reasonable threat model is important

Threat model

Assumptions about the adversary
• Remember, we can't fight against every possible attack.

Several well-known models exist
• Chosen-plaintext attack (CPA), chosen-ciphertext attack (CCA)
• Honest-but-curious
• Adversary in the Dolev-Yao model
• …

Threat model

Defined by the attacker's capability, knowledge, and resources

Capability – what can the attacker do?
• E.g., passive vs. active

Knowledge – what does the attacker know?
• E.g., insider vs. outsider

Resource – how much resource does the attacker have?
• E.g., script kiddies vs. government-funded groups

What's a reasonable threat model? It depends.
• Risk = impact of the attack × likelihood of the attack

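There is no free lunch – Cost of Security

Security comes with a price
• Development and maintenance cost
• Reduced system performance
• User complaints

Technical challenge: making security mechanisms cheaper, faster, and more usable
Non-technical challenge: justifying such cost to your boss/customer!

There is no free lunch – Cost of Security

With so many possible attacks, what can we do?
We can't defend against all of them, but we can make a successful attack as hard as possible
Define a reasonable threat model
• E.g., prioritize by risk
• Risk = impact of the attack × likelihood of the attack

Make good use of shared resources to promptly patch known, generic vulnerabilities
• Sharing intel to help timely fixes
• Many exploit kits for known attacks; even script kiddies can cause great damage.

Focus effort on unknown, targeted attacks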

Security depends on the weakest link

[Figure: layers of a system: User, Data, Web/App, Network, Software, Hardware]

Attack: Find one place to penetrate
Defense: Need to secure every place
Security is only as strong as the weakest link

Defense in depth

Examples
• Two-factor authentication
• Anti-virus + firewall + IDS

We can combine multiple strategies
• Prevention
• Detection & Recovery
• Resilience
• Deterrence

Exercise

What would be a reasonable threat model?
What might be the weakest link?

The department building's access control system

Security mindset: Think about how to make it fail instead of how to make it work!

Exercise

Security requirements: e.g., confidentiality, integrity, availability
Threat model
Security is as strong as the weakest link.

Introduction to Cryptography

Landscape of Security Research

Cryptography
Encryption, Digital signature, Hash, MAC, PRNG, Block ciphers, …

Vulnerability detection and forensics
Penetration testing, Reverse engineering, Binary analysis, Dynamic taint analysis, Forensics, Monitoring & auditing, …

Security protocols/mechanisms
Entity authentication, Anonymous routing, Public key infrastructures, Broadcast authentication, Key management, Secure e-voting, Encrypted email, …

Secure implementation
Type-safe language, Control flow integrity, Obfuscation, Sandboxing, Run-time enforcement, Trusted computing, …

Cryptography

Mathematical tool to protect data at rest and data in motion from adversaries
(Modern) cryptography is more than encryption.
Security of cryptosystems relies on mathematical modeling and proofs based on plausible assumptions.

Menezes, van Oorschot, and Vanstone. 1997. Handbook of Applied Cryptography. CRC Press

Basic cryptographic primitives

Unkeyed primitives
Cryptographic hash function
• Provides: One-wayness, weak collision resistance, strong collision resistance

Symmetric (shared-key, same-key, secret-key)
Symmetric-key encryption
• Requires: secret key
• Provides: achieve secrecy with parties that share key

Message authentication code (MAC)
• Requires: secret key
• Provides: achieve authentication with parties that share key

Basic cryptographic primitives

Asymmetric (public-private key)
Diffie-Hellman key agreement
• Requires: authentic key from other party
• Provides: both parties can compute secret information

Public-key encryption
• Requires: authentic key from other party
• Provides: achieve secrecy for messages to other party

Digital signature
• Requires: authentic key from other party
• Provides: signature and authentication properties

Cryptographic hash function

Maps arbitrary-length input to finite-length output
• $y = H(x)$, $y$ is the hash of $x$, and $x$ is a preimage of $y$
• If $H(x') = H(x)$ and $x' \neq x$, then this is a collision
• Ensures one-wayness and collision resistance

Applications
• Integrity check
• Generating digest
• Commitment
• Password hashing
• Proof of Work

https://blog.varonis.com/the-definitive-guide-to-cryptographic-hash-functions-part-1/

SHA-1 collision found

https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html

SHAttered attack: $2^{63.1}$ SHA-1 evaluations
• Nine quintillion (9,223,372,036,854,775,808) SHA-1 computations
• 6,500 years of CPU computation to complete the attack first phase
• 110 years of GPU computation to complete the second phase
• Cost $110,000 using computing power from Amazon's EC2 cloud
• Still 100,000x faster than the brute force attack

Brute-force attack: $2^{80}$ SHA-1 evaluations

What's "computationally infeasible" currently?

~$2^{33}$ devices in the world
~$2^{30}$ symmetric cryptographic operations per device per second
~$2^{25}$ seconds per year
~$2^{128}$ operations to brute force AES-128 encryption

=> ~$2^{40}$ years to brute force AES-128 encryption
Well, ~$2^{33}$ years since the beginning of the universe
=> It is infeasible to crack AES-128 using brute force

What's "computationally infeasible" currently?

Of course, an attacker may do something smarter than brute force:
• Trade memory for speed (e.g., meet-in-the-middle attack)
• Exploit design flaws
• Quantum computing?
• …

Symmetric-key encryption

Protects data in motion (e.g., communication) and data at rest (e.g., storage) against an eavesdropper

Provides confidentiality but not message integrity
Does not say how to securely share a secret key

[Figure: Encryption (加密) turns $m$ into $c = E(k, m)$, which crosses an insecure channel; Decryption (解密) recovers $m = D(k, c)$. The key is shared over a secure channel.]

A simple (yet broken) example: Caesar Cipher

$E(k, m) = m + k \bmod 26$
$D(k, c) = c - k \bmod 26$

$m$, $c$ are characters
A kind of substitution cipher
Example:
k = 2, m = apple ⇒ c = crrng
k = 3, c = rudqjh ⇒ m = ?

How would you break Caesar cipher?

Breaking Caesar Cipher

Brute force: Try all k (only 26 possibilities)
Frequency analysis: calculate the frequency of unigram, bigram, …
Natural Language Processing
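
Added example (not part of the original slides): both approaches from the slide above, brute force over all 26 keys and unigram frequency analysis using a chi-squared score. The letter-frequency table and the SAMPLE sentence are constructed for this illustration.

```python
import string
from collections import Counter

ALPHABET = string.ascii_lowercase
# Approximate letter frequencies in English text, in percent, for a..z (assumed table).
ENGLISH_FREQ = dict(zip(ALPHABET, [
    8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
    6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074,
]))

def shift(text, k):
    """Shift lowercase letters by k positions mod 26; other characters pass through."""
    return ''.join(
        ALPHABET[(ALPHABET.index(ch) + k) % 26] if ch in ALPHABET else ch
        for ch in text
    )

def encrypt(k, m):
    """E(k, m) = m + k mod 26"""
    return shift(m, k)

def decrypt(k, c):
    """D(k, c) = c - k mod 26"""
    return shift(c, -k)

def chi_squared(text):
    """How far the text's unigram counts are from English expectations (lower is closer)."""
    letters = [ch for ch in text if ch in ALPHABET]
    counts, n = Counter(letters), len(letters)
    return sum(
        (counts[ch] - n * pct / 100) ** 2 / (n * pct / 100)
        for ch, pct in ENGLISH_FREQ.items()
    )

def brute_force(c):
    """Brute force: all 26 candidate plaintexts, one per key."""
    return [(k, decrypt(k, c)) for k in range(26)]

def break_caesar(c):
    """Frequency analysis: keep the candidate that looks most like English."""
    return min(brute_force(c), key=lambda cand: chi_squared(cand[1]))

# Constructed sample plaintext, long enough for unigram statistics to work.
SAMPLE = "security is only as strong as the weakest link in the system"

if __name__ == "__main__":
    print(break_caesar(encrypt(11, SAMPLE)))
```

For very short ciphertexts such as the slide's exercise, unigram statistics are unreliable; print `brute_force(c)` and pick the readable candidate by eye.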

A perfectly secure (yet impractical) example: One-time pad

XOR message with a random key of same length
$E(k, m) = k \oplus m$
$D(k, c) = k \oplus c$

http://users.telenet.be/d.rijmenants/en/onetimepad.htm

One-time pad achieves perfect security (under certain assumptions)

OTP: XOR message with a random key of same length
In information theory and cryptography, one-time pad is an encryption scheme that is unconditionally secure
• $\Pr[E(\mathbf{k}, m_0) = c] = \Pr[E(\mathbf{k}, m_1) = c]$
• $\mathbf{k}$ is a random variable uniformly drawn from the key space
• $\Pr[\mathbf{m} = m \mid \mathbf{c} = c] = \Pr[\mathbf{m} = m]$
• for each $m \in \mathcal{M}$ and each $c \in \mathcal{C}$ with non-zero probability

One-time pad achieves perfect security (under certain assumptions)

Threat model
• An eavesdropper attempts to learn something about the plaintext or key from the observed information

Assumptions
• Assume the sender and receiver share a random secret of the length of m
• Assume the key is never reused
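
Added example (not part of the original slides): it checks the perfect-secrecy condition $\Pr[E(\mathbf{k}, m_0) = c] = \Pr[E(\mathbf{k}, m_1) = c]$ by enumerating every key for 2-byte messages, then shows what breaks when the "key is never reused" assumption is violated. The function names and sample messages are constructed for this illustration.

```python
import secrets
from collections import Counter
from itertools import product

def xor(a: bytes, b: bytes) -> bytes:
    """E(k, m) = k XOR m and D(k, c) = k XOR c; key and message lengths must match."""
    if len(a) != len(b):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))

def ciphertext_distribution(m: bytes) -> Counter:
    """Count how often each ciphertext occurs when k ranges over the whole key space."""
    keys = (bytes(k) for k in product(range(256), repeat=len(m)))
    return Counter(xor(k, m) for k in keys)

def leak_from_key_reuse(c0: bytes, c1: bytes) -> bytes:
    """With one key used twice, c0 XOR c1 = m0 XOR m1: the key cancels out."""
    return xor(c0, c1)

def recover_with_known_plaintext(c0: bytes, c1: bytes, known_m0: bytes) -> bytes:
    """An eavesdropper who knows m0 obtains m1 from two ciphertexts under the same key."""
    return xor(leak_from_key_reuse(c0, c1), known_m0)

if __name__ == "__main__":
    # Every ciphertext is equally likely for either message: the eavesdropper learns nothing.
    print(ciphertext_distribution(b"hi") == ciphertext_distribution(b"no"))

    # Constructed messages of equal length, encrypted under the SAME key (the mistake).
    m0, m1 = b"see you at 6pm", b"midterm is 9am"
    k = secrets.token_bytes(len(m0))
    c0, c1 = xor(k, m0), xor(k, m1)
    print(recover_with_known_plaintext(c0, c1, m0))
```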

Security of encryption schemes

Ideally, we would like to ensure that
• Ciphertext leaks no info about key and/or plaintext
• Plaintext and ciphertext pairs leak no info about key

However, such information-theoretic security is hard to achieve in practice.
• It's proven that keys must be at least as long as messages: if an encryption scheme is perfectly secure, then $|\mathcal{K}| \geq |\mathcal{M}|$.

Instead, we would aim for computational security: a computationally bounded adversary cannot recover the key or plaintext in reasonable time.

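Modern ciphers

Stream ciphers
Use a short secret to generate a long, seemingly random keystream
Encrypt one symbol at a time
Example: RC4

Block ciphers
Split the message into short fixed-length blocks and process them one by one
Encrypt one block (a group of symbols) at a time
Example: DES, AES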

Message Authentication Codes (MAC)

Message authentication codes (MAC), or keyed hash
Provides integrity and authenticity
• Integrity: m was not modified
• Authenticity: m was created by the key owner (which implies integrity)

[Figure: the message $m$ and the key $K$ go into the MAC function, which outputs $MAC_K(m)$.]
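
Added example (not part of the original slides): it shows why encryption "provides confidentiality but not message integrity" and how a MAC closes the gap. The encryption is a one-time-pad style XOR, the MAC is instantiated with HMAC-SHA256, and the encrypt-then-MAC arrangement, function names and message are choices made for this illustration.

```python
import hashlib
import hmac
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def tamper(c: bytes, old: bytes, new: bytes, offset: int) -> bytes:
    """Flip ciphertext bits so that `old` at `offset` decrypts as `new`. No key is needed."""
    delta = xor(old, new)
    end = offset + len(delta)
    return c[:offset] + xor(c[offset:end], delta) + c[end:]

def mac(k: bytes, data: bytes) -> bytes:
    """MAC_K(m), here HMAC-SHA256 from the standard library."""
    return hmac.new(k, data, hashlib.sha256).digest()

def send(enc_key: bytes, mac_key: bytes, m: bytes):
    """Encrypt, then compute the MAC over the ciphertext."""
    c = xor(enc_key, m)
    return c, mac(mac_key, c)

def receive(enc_key: bytes, mac_key: bytes, c: bytes, tag: bytes):
    """Check the tag in constant time before decrypting; None means the message is rejected."""
    if not hmac.compare_digest(tag, mac(mac_key, c)):
        return None
    return xor(enc_key, c)

def demo():
    m = b"see you at 6pm"                      # message from the integrity slide
    enc_key = secrets.token_bytes(len(m))
    mac_key = secrets.token_bytes(32)
    c, tag = send(enc_key, mac_key, m)
    modified = tamper(c, b"6pm", b"9am", m.index(b"6pm"))
    return {
        "encryption_only": xor(enc_key, modified),                # decrypts without complaint
        "with_mac": receive(enc_key, mac_key, modified, tag),     # modification detected
        "untouched": receive(enc_key, mac_key, c, tag),
    }

if __name__ == "__main__":
    print(demo())
```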

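Why public-key cryptography?

Problems that symmetric cryptography has difficulty solving:
1. Key distribution problem
• Symmetric cryptography assumes the two parties have already established a shared secret key
• How can the secret key be established securely?

2. Digital signatures
• Digital signatures must provide non-repudiation
• In symmetric cryptography, the signer and the verifier must share a secret key
• If both parties know exactly the same thing, how can non-repudiation be achieved?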

Merkle's Puzzles

Goal: Alice and Bob want to establish a shared secret in the presence of an eavesdropper, Eve.

1. Pick random $k_i, s_i$; compute $n$ puzzles, $P_i = (E(k_i, s_i), E(k_i, i), E(k_i, 0))$
2. $n$ puzzles in random order
3. Pick $P_j = (c_1, c_2, c_3)$; recover a key $k$ s.t. $D(k, c_3) = 0$ using brute-force search; then
   $\ell \leftarrow D(k, c_2)$
   $s_\ell \leftarrow D(k, c_1)$
4. index, $\ell$

Established a shared secret $s_\ell$

Merkle's Puzzles

An early example of public key cryptography
Computational complexity:
• Alice: $O(n)$
• Bob: $O(|\mathcal{K}|)$
• Eve: $O(n|\mathcal{K}|)$

Complexity gap: the attacker has to compute for a long time, while Alice and Bob do not
However, a quadratic complexity gap (when $n = |\mathcal{K}|$) is still not quite enough

Merkle, R. C. (April 1978). "Secure Communications over Insecure Channels". Communications of the ACM. 21 (4): 294–299.

More story: http://merkle.com/1974/
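
Added example (not part of the original slides): the four steps above with the work of each party counted, so the gap between Bob's $O(|\mathcal{K}|)$ and Eve's $O(n|\mathcal{K}|)$ is visible. It assumes Alice builds the puzzles and Bob solves one, matching the costs on the complexity slide. The toy cipher E, the sizes and all function names are assumptions made for this illustration.

```python
import hashlib
import secrets

KEY_SPACE = 2 ** 9   # |K|: deliberately small so the brute-force step finishes quickly
N_PUZZLES = 2 ** 9   # n = |K|, the case the slide calls a quadratic gap

def E(k: int, x: int, slot: int) -> int:
    """Toy cipher (assumption): XOR x with a 64-bit pad derived from key k and field slot."""
    pad = hashlib.sha256(k.to_bytes(4, "big") + bytes([slot])).digest()[:8]
    return x ^ int.from_bytes(pad, "big")

D = E  # XOR with the same pad decrypts

def make_puzzles(n=N_PUZZLES):
    """Steps 1-2: P_i = (E(k_i, s_i), E(k_i, i), E(k_i, 0)), handed over in random order."""
    secrets_by_index = [secrets.randbits(64) for _ in range(n)]
    puzzles = []
    for i, s in enumerate(secrets_by_index):
        k = secrets.randbelow(KEY_SPACE)
        puzzles.append((E(k, s, 1), E(k, i, 2), E(k, 0, 3)))
    secrets.SystemRandom().shuffle(puzzles)
    return puzzles, secrets_by_index

def solve(puzzle):
    """Step 3: find k with D(k, c3) = 0 by brute force; return (l, s_l, keys tried)."""
    c1, c2, c3 = puzzle
    for tries, k in enumerate(range(KEY_SPACE), start=1):
        if D(k, c3, 3) == 0:
            return D(k, c2, 2), D(k, c1, 1), tries
    raise ValueError("no key decrypts the check field to 0")

def eavesdrop(puzzles, index):
    """Eve sees every puzzle and the index l, and must solve puzzles until one matches l."""
    work = 0
    for p in puzzles:
        l, s, tries = solve(p)
        work += tries
        if l == index:
            return s, work
    raise ValueError("index not found")

def run():
    puzzles, alice_secrets = make_puzzles()
    l, bob_secret, bob_work = solve(secrets.choice(puzzles))   # Bob sends l back (step 4)
    eve_secret, eve_work = eavesdrop(puzzles, l)
    return alice_secrets[l] == bob_secret, eve_secret == bob_secret, bob_work, eve_work

if __name__ == "__main__":
    print(run())
```

Eve does recover the secret, only at a much higher cost than Bob, which is the slide's point that a quadratic gap is not quite enough.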

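Diffie-Hellman key agreement

Setup:
Public values: large prime $p$, generator $g$
Alice picks a secret $a$, and Bob picks secret $b$
Key agreement:

[Figure: Alice sends $g^a \bmod p$ and Bob sends $g^b \bmod p$ over an authenticated channel.]

Bob computes $(g^a)^b = g^{ab} \bmod p$

Alice computes $(g^b)^a = g^{ab} \bmod p$

Alice and Bob can then use $g^{ab} \bmod p$ to derive their shared key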

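Man in the middle (MitM) attack against DH

MitM attack intercepts communication between two parties who believe they are directly talking to each other
Example: MitM attack against DH key agreement
• Eve impersonates Alice to Bob and Bob to Alice

Eve can decrypt the comm. between Alice and Bob

[Figure: Alice (secret $a$) sends $g^a \bmod p$ and receives $g^m \bmod p$; Bob (secret $b$) sends $g^b \bmod p$ and receives $g^m \bmod p$, where $m$ is the attacker's secret. The two resulting keys differ: $g^{am} \bmod p \neq g^{bm} \bmod p$.]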
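
Added example (not part of the original slides): the honest Diffie-Hellman exchange next to the intercepted one from the figure, plus the defender's check that an authenticated channel makes possible. The parameters (a 127-bit prime and base 3) are toy values, and the function names and the fingerprint comparison are assumptions made for this illustration.

```python
import hashlib
import secrets

# Toy public values (assumptions): far too small for real use, where standardized
# groups of 2048 bits or more are used.
P = 2 ** 127 - 1
G = 3

def keypair():
    """Pick a secret exponent x and return (x, g^x mod p)."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def shared_key(my_secret: int, their_public: int) -> bytes:
    """(g^y)^x mod p, hashed down to a 256-bit symmetric key."""
    z = pow(their_public, my_secret, P)
    return hashlib.sha256(z.to_bytes(16, "big")).digest()

def fingerprint(public_value: int) -> str:
    """Short digest of a public value, to be compared over an authenticated channel."""
    return hashlib.sha256(public_value.to_bytes(16, "big")).hexdigest()[:16]

def detect_substitution(sent_public: int, received_public: int) -> bool:
    """True if the value that arrived is not the value that was sent."""
    return fingerprint(sent_public) != fingerprint(received_public)

def honest_exchange():
    a, A = keypair()
    b, B = keypair()
    return shared_key(a, B), shared_key(b, A)   # both equal the hash of g^(ab) mod p

def intercepted_exchange():
    """Both public values are replaced in transit by g^m mod p."""
    a, A = keypair()
    b, B = keypair()
    m, M = keypair()
    return {
        "alice": shared_key(a, M),                           # g^(am) mod p
        "bob": shared_key(b, M),                             # g^(bm) mod p
        "attacker": (shared_key(m, A), shared_key(m, B)),    # attacker holds both keys
        "substituted": detect_substitution(A, M),            # Bob compares with Alice's value
    }

if __name__ == "__main__":
    ka, kb = honest_exchange()
    print(ka == kb)
    print(intercepted_exchange()["substituted"])
```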

2015 Turing Award Winners

Whitfield Diffie and Martin Hellman
For their critical contributions to modern cryptography
• "Diffie and Hellman's groundbreaking 1976 paper, New Directions in Cryptography, introduced the ideas of public-key cryptography and digital signatures, which are the foundation for most regularly-used security protocols on the Internet today."

http://amturing.acm.org/

Public-key encryption

Bob has a public/private key pair $(pk_b, sk_b)$.
Assume an authenticated channel to publish $pk_b$
• Authenticated channel: msgs can't be modified but can be overheard

Bob keeps his own private key $sk_b$ secret, so only Bob can decrypt $c$, and only Alice and Bob know $m$.

[Figure: $pk_b$ is published over an authenticated channel. Encryption (加密) turns $m$ into $c = E(pk_b, m)$, which crosses an insecure channel; Decryption (解密) recovers $m = D(sk_b, c)$ using $sk_b$.]

Digital Signatures

Alice has a public/private key pair $(pk_a, sk_a)$.
Only Alice can create this signature (non-repudiation).
Eve can also verify this signature, but any modification will be detected.

[Figure: $pk_a$ is published over an authenticated channel. Signature (簽章) computes $\sigma = S(sk_a, m)$; the pair $(m, \sigma)$ crosses an insecure channel; Verification (認證) uses $pk_a$ and outputs valid or not.]

2002 Turing Award Winners

Ron Rivest, Adi Shamir, Leonard Adleman
For their ingenious contribution for making public-key cryptography useful in practice.
• Rivest, Shamir, and Adleman presented practical implementations in their 1977 paper, "A method for obtaining digital signatures and public-key cryptosystems," which showed how a message could easily be encoded, sent to a recipient, and decoded with little chance of it being decoded by a third party who sees it.

Symmetric vs. asymmetric crypto

Symmetric crypto
• Both parties share same key
• Secret key (or shared key) only known to communicating parties
• For secure comm., key should be secret & authentic

Asymmetric crypto
• Each party has a public & a private key
• Public key known to everyone
• Private key only known to owner
• For secure comm., private key is secret and public key is authentic

Comparison sym vs. asym crypto

Symmetric crypto
• 112-bit key for high security (year 2015)
• ~1,000,000 ops/sec on 1 GHz processor
• 10x speedup in HW

Asymmetric crypto
• 2048-bit key (RSA) for high security (year 2015)
• ~100 signatures/sec, ~1000 verify/s (RSA) on 1 GHz processor
• Limited speedup in HW

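Why should cryptographic algorithms be public?

Secrets are hard to protect (so should be minimized)
Allows system to be openly examined by many people
Kerckhoffs's principle, one of the important security principles
• "A cryptosystem should be secure even if everything about the system, except the key, is public knowledge."

Security through transparency vs. security through obscurity

Take home security as an example: security should rely on the door lock, not on building the layout of the home like a maze.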

So important that it is said three times

Don't design or implement your own cryptographic algorithms!

Cryptography is highly brittle; a single specification or programming error can make it completely insecure.
Always use well-developed standards and libraries
In other words, if someone designs his/her own crypto algorithms, you are likely able to break it.

Review and Exercise

One-time pad and perfect security
Symmetric vs. asymmetric cryptography
Computational infeasibility

"Crypto is bypassed, not penetrated" – Adi Shamir

(Very Short) Introduction to Network & Systems Security

by examples

Example: Threat against Entity Authentication

[Figure: Peggy (Prover) tells Victor (Verifier) "I'm Peggy." and sends some proof that can only be constructed by someone with S. Threats shown: direct attack (e.g., guessing the secret), passive eavesdropping, active attack, database hack.]

Securing Network Protocols

Layer: protocols (security protocols)
• Application: HTTP, Telnet, SMTP, DNS, BGP (DNSSec, SBGP)
• Transport: TCP, UDP (SSL/TLS, SSH)
• Network: IP (IPSec)
• Data Link: Wi-Fi (WEP, WPA)
• Physical

We may also need: Entity authentication, anonymous communication, DDoS defense

HTTPS as an example

Without HTTPS
Attacker can eavesdrop on and modify the traffic, and even impersonate the server

With HTTPS
HTTPS guarantees confidentiality, integrity, and authentication

*HTTPS is HTTP over TLS

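Entity Authentication in HTTPS

X.509 Public Key Infrastructure (PKI)
A hierarchy of Certification Authorities

[Figure: certificate hierarchy with the Root CA at the top]

Root certificates

All your trust relationships online are reduced to trusting this list of root certificates

[Figure: root certificate list in the OS X Keychain]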

Rogue CAs & stolen certificates

Attacker uses a fake certificate that passes the browser check
Who wants to do this?
• Organizations monitoring traffic
• Governments doing censorship
• Cloud providers
• …

How?
• Compromised CAs
• Compelled certificates
• Browser not checking correctly (perhaps on purpose)
• …

Password hashing as an example

Why hashing passwords?
Threat model: leaked password database
If passwords are stored in their hash forms (rather than in plaintext), then it's harder for the attacker to recover the passwords in case of data leak.

More passwords: https://github.com/danielmiessler/SecLists/tree/master/Passwords
A. Juels and R. L. Rivest, "Honeywords: Making Password-Cracking Detectable," in Proceedings of ACM CCS, 2013.

Password hashing

Store $H(P)$ instead of plaintext password $P$
Is this enough to protect leaked passwords?

http://cacr.uwaterloo.ca/hac/about/chap10.pdf

Exhaustive Search vs. Dictionary Attack

Dictionary Attack
Trying apple : failed
Trying blueberry : failed
Trying justinbeiber : failed
...
Trying letmein : failed
Trying s3cr3t : success!

Exhaustive Search
Trying aaaa : failed
Trying aaab : failed
Trying aaac : failed
...
Trying acdb : failed
Trying acdc : success!

https://crackstation.net/hashing-security.htm

Salting and stretching

Store $\{salt, H^t(salt, P)\}$ instead of $H(P)$
• $H^t$ means the hash function is applied $t$ times
• $t$ is on the order of 1000
• Why do these help?

Salting: adding random values such that two accounts with the same password generate different hashes
• Prevents the use of pre-computed tables

Stretching: deliberately slow down password cracking
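
Added example (not part of the original slides): a direct implementation of storing $\{salt, H^t(salt, P)\}$, compared with unsalted $H(P)$ against a pre-computed table. SHA-256 as $H$, the 16-byte salt, the word list and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

T = 1000  # stretching factor; the slide puts t on the order of 1000

def H_t(salt: bytes, password: str, t: int = T) -> bytes:
    """H^t(salt, P): hash salt || P, then re-hash the digest until H has run t times."""
    digest = hashlib.sha256(salt + password.encode()).digest()
    for _ in range(t - 1):
        digest = hashlib.sha256(digest).digest()
    return digest

def enroll(password: str) -> dict:
    """What the server stores: a fresh random salt per account and the stretched hash."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": H_t(salt, password)}

def verify(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(record["hash"], H_t(record["salt"], attempt))

def unsalted(password: str) -> bytes:
    """The weak scheme from the earlier slide: store H(P) only."""
    return hashlib.sha256(password.encode()).digest()

# Constructed word list; the table is computed once and works against every unsalted leak.
WORDLIST = ["apple", "blueberry", "letmein", "s3cr3t"]
PRECOMPUTED = {unsalted(w): w for w in WORDLIST}

def lookup_leaked(hash_value: bytes):
    """Pre-computed table lookup; returns the password or None."""
    return PRECOMPUTED.get(hash_value)

if __name__ == "__main__":
    alice, bob = enroll("letmein"), enroll("letmein")
    print(alice["hash"] != bob["hash"])          # same password, different records
    print(lookup_leaked(unsalted("letmein")))    # unsalted hash falls to the table
    print(lookup_leaked(alice["hash"]))          # salted, stretched hash does not
```

In line with the earlier slide on not implementing your own cryptography, production code would call a vetted key-derivation function such as `hashlib.pbkdf2_hmac` or `hashlib.scrypt` instead of the hand-written loop.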

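Exercise: hypothetical scenarios

NA: How would you help a student in the department who runs into the following error message?

SA: The computer center has found that some NTU account passwords appear to have been leaked! What advice can the NASA team give students in the department to improve the security of their csie accounts?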