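Ethics of hacking
Any hands-on practice exercise must have explicit permission
Taking this course is not an excuse to access other people's systems or data at will
Most importantly, protect yourself and do not break the law
Any attempt to cheat or attack others (including the teaching team) may lead to a failing grade & severe legal consequences
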
Agenda
What is (cyber) security?
Introduction to cryptography
Introduction to network & systems security
• … via very short examples
Appendix: Security principles

What’s NOT security
Security != cryptography
• Cryptography != encryption
• Cryptography != bitcoin
Security != CTF

What is security?
Protect assets (e.g., data and communication) from unauthorized actions
Attackers = entities that attempt to do unauthorized actions
An attacker may
• Eavesdrop
• Manipulate
• Denial of service
• …

Example
Ensure the program or system works correctly even in the face of attack
Is it the right website?
Is it really the owner of the account?
Is the transaction content correct?
Can anyone see my account information?
Is the service available?

Confidentiality
Confidentiality is protection from unauthorized disclosure
Eavesdropping on messages violates confidentiality
[Figure: Alice sends "A->B: here are the midterm exam questions." to Bob over an unencrypted channel (Internet or other comm. networks) while Eve/Mallory listens in.]

Integrity
Integrity is protection from unauthorized changes
Modification of messages violates integrity
[Figure: the message "A->B: see you at 6pm" is changed to "A->B: I don’t want to see you again".]

Availability
Availability ensures intended users can access service
Denial of Service violates availability

Memcrashed: DDoS amplification using memcached
Mar. 2018: memcached amplification DDoS against GitHub at 1.3 Tbps
Sep. 2016: Mirai IoT botnets caused DDoS at 620 Gbps
Mar. 2013: DNS amplification against Spamhaus at 300 Gbps

KRACK: Key Reinstallation Attack against WPA2
A security flaw in the WPA2 protocol
An attacker can trick a victim into reinstalling an already-in-use key
Key reuse breaks the security guarantee
Not as bad as it sounds…
• TLS (transport layer security) can mitigate this attack
• The attacker must be local and proactive
https://www.krackattacks.com
M. Vanhoef and F. Piessens, “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2,” in ACM CCS, 2017.
https://www.eff.org/deeplinks/2017/10/krack-vulnerability-what-you-need-know

Meltdown and Spectre
Cache side-channel attacks that exploit CPU hardware implementations (speculative execution) to leak data
Spectre takes advantage of the CPU's branch prediction
Meltdown leverages out-of-order execution
https://meltdownattack.com/
https://www.kb.cert.org/vuls/id/584653

WannaCry Ransomware
It’s believed to be based on the NSA’s leaked tool, the EternalBlue exploit.
Leverages Windows SMBv1 vulnerabilities to actively propagate
• Windows XP/Vista/7/8/8.1 are vulnerable
• Infected >200K computers, including hospitals, transportation, etc.
• CVE-2017-0143~0148 / MS17-010

Other security requirements
Authorization
Access control
Accountability
Auditability
Authenticity
Non-repudiation
Anonymity
Privacy
…

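So how do we make it watertight?
Wrong question!
100% security, defending against every attack, is not achievable in practice. Why?
• Limited budget
• Performance requirements
• Unknown attacks (zero-day attacks)
• Factors that are hard to control (such as how users use the system)
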
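The system is 100% secure
The system provides [Security Requirement] against [Threat Model] under [Assumption]
Assumptions about the attacker: the attacker's capability, knowledge, resources, etc.
Other assumptions: e.g., assume that no customer posts a photo of a newly issued ATM card online or tells anyone their password

Example
The [system] provides [security requirement] against [Threat Model] under [Assumption]
System = ATM cash withdrawal system
Security requirement = identity authentication
Threat model = someone picks up an ATM card and tries PINs at random
Assumption = the user has not written the PIN on the card sleeve or used their birthday as the PIN
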
Threat model
Assumptions about the adversary
• Remember, we can’t fight against every possible attack.
Several well-known models exist
• Chosen-plaintext attack (CPA), chosen-ciphertext attack (CCA)
• Honest-but-curious
• Adversary in the Dolev-Yao model
• …

Threat model
Defined by the attacker’s capability, knowledge, and resources
Capability – what can the attacker do?
• E.g., passive vs. active
Knowledge – what does the attacker know?
• E.g., insider vs. outsider
Resource – how much resource does the attacker have?
• E.g., script kiddies vs. government-funded groups
What’s a reasonable threat model? It depends.
• Risk = impact of the attack × likelihood of the attack

There is no free lunch – Cost of Security
Security comes with a price
• Development and maintenance cost
• Reduced system performance
• User complaints
Technical challenge: making security mechanisms cheaper, faster, and more usable
Non-technical challenge: justify such cost to your boss/customer!

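There is no free lunch – Cost of Security
With so many possible attacks, what can we do?
We cannot defend against all of them, but we can make a successful attack as hard as possible
Define a reasonable threat model
• E.g., prioritize by risk
• Risk = impact of the attack × likelihood of the attack
Make good use of shared resources to patch known, generic vulnerabilities in time
• Sharing intel to help timely fixes
• Many exploit kits for known attacks; even script kiddies can cause great damage.
Focus effort on unknown, targeted attacks
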
Security depends on the weakest link
[Figure: the layers of a system: User, Data, Web/App, Network, Software, Hardware]
Attack: Find one place to penetrate
Defense: Need to secure every place
Security is only as strong as the weakest link

Defense in depth
Examples
• Two-factor authentication
• Anti-virus + firewall + IDS
We can combine multiple strategies
• Prevention
• Detection & Recovery
• Resilience
• Deterrence

Exercise
What would be a reasonable threat model?
What might be the weakest link?
Department building access control system
Security mindset: Think about how to make it fail instead of how to make it work!

Exercise
Security requirements: e.g., confidentiality, integrity, availability
Threat model
Security is as strong as the weakest link.

Landscape of Security Research
Cryptography: Encryption, Digital signature, Hash, MAC, PRNG, Block ciphers, …
Vulnerability detection and forensics: Penetration testing, Reverse engineering, Binary analysis, Dynamic taint analysis, Forensics, Monitoring & auditing, …
Security protocols/mechanisms: Entity authentication, Anonymous routing, Public key infrastructures, Broadcast authentication, Key management, Secure e-voting, Encrypted email, …
Secure implementation: Type-safe language, Control flow integrity, Obfuscation, Sandboxing, Run-time enforcement, Trusted computing, …

Cryptography
Mathematical tool to protect data at rest and data in motion from adversaries
(Modern) cryptography is more than encryption.
Security of cryptosystems relies on mathematical modeling and proofs based on plausible assumptions.

Basic cryptographic primitives
Unkeyed primitives
Cryptographic hash function
• Provides: One-wayness, weak collision resistance, strong collision resistance
Symmetric (shared-key, same-key, secret-key)
Symmetric-key encryption
• Requires: secret key
• Provides: achieve secrecy with parties that share key
Message authentication code (MAC)
• Requires: secret key
• Provides: achieve authentication with parties that share key

Basic cryptographic primitives
Asymmetric (public-private key)
Diffie-Hellman key agreement
• Requires: authentic key from other party
• Provides: both parties can compute secret information
Public-key encryption
• Requires: authentic key from other party
• Provides: achieve secrecy for messages to other party
Digital signature
• Requires: authentic key from other party
• Provides: signature and authentication properties

Cryptographic hash function
Maps arbitrary-length input to finite-length output
• $y = H(x)$, $y$ is the hash of $x$, and $x$ is a preimage of $y$
• If $H(x') = H(x)$ and $x' \neq x$, then this is a collision
• Ensures one-wayness and collision resistance
Applications
• Integrity check
• Generating digest
• Commitment
• Password hashing
• Proof of Work
https://blog.varonis.com/the-definitive-guide-to-cryptographic-hash-functions-part-1/

SHA-1 collision found
SHAttered attack: $2^{63.1}$ SHA-1 evaluations
• Nine quintillion (9,223,372,036,854,775,808) SHA-1 computations
• 6,500 years of CPU computation to complete the attack first phase
• 110 years of GPU computation to complete the second phase
• Cost \$110,000 using computing power from Amazon’s EC2 cloud
• Still 100,000x faster than the brute force attack
Brute-force attack: $2^{80}$ SHA-1 evaluations

What’s “computationally infeasible” currently?
~$2^{33}$ devices in the world
~$2^{30}$ symmetric cryptographic operations per device per second
~$2^{25}$ seconds per year
~$2^{128}$ operations to brute force AES-128 encryption
=> ~$2^{40}$ years to brute force AES-128 encryption
Well, ~$2^{33}$ years since the beginning of the universe
=> It is infeasible to crack AES-128 using brute force

What’s “computationally infeasible” currently?
Of course, an attacker may do something smarter than brute force:
• Trade memory for speed (e.g., meet-in-the-middle attack)
• Exploit design flaws
• Quantum computing?
• …

Symmetric-key encryption
Protects data in motion (e.g., communication) and data at rest (e.g., storage) against an eavesdropper
Provides confidentiality but not message integrity
Does not say how to securely share a secret key
[Figure: the sender encrypts $m$ into $c = E(k, m)$ and sends $c$ over an insecure channel; the receiver decrypts $m = D(k, c)$; both hold the key $K$, shared over a secure channel.]

A simple (yet broken) example: Caesar Cipher
$E(k, m) = m + k \bmod 26$
$D(k, c) = c - k \bmod 26$
$m$, $c$ are characters
A kind of substitution cipher
Example: $k = 2$, $m$ = apple ⇒ $c$ = crrng
$k = 3$, $c$ = rudqjh ⇒ $m$ = ?
How would you break Caesar cipher?

Breaking Caesar Cipher
Brute force: Try all $k$ (only 26 possibilities)
Frequency analysis: calculate the frequency of unigram, bigram, …
Natural Language Processing

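The two strategies above can be combined: try all 26 keys and rank each candidate plaintext by how closely its letter frequencies match English. This is an added example, not part of the original slides; the frequency table is approximate and the sample message is constructed.

```python
import string
from collections import Counter

ALPHABET = string.ascii_lowercase
# Approximate relative frequencies (%) of a..z in English text (assumed table).
ENGLISH_FREQ = dict(zip(ALPHABET, [
    8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
    6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]))


def encrypt(k, m):
    """E(k, m) = m + k mod 26 per letter; non-letters pass through unchanged."""
    return "".join(
        ALPHABET[(ALPHABET.index(ch) + k) % 26] if ch in ALPHABET else ch
        for ch in m.lower())


def decrypt(k, c):
    """D(k, c) = c - k mod 26."""
    return encrypt(-k % 26, c)


def chi_squared(text):
    """Distance between the letter counts of text and English (lower is closer)."""
    letters = [ch for ch in text if ch in ALPHABET]
    counts = Counter(letters)
    n = len(letters) or 1
    return sum((counts[ch] - n * f / 100) ** 2 / (n * f / 100)
               for ch, f in ENGLISH_FREQ.items())


def break_caesar(c):
    """Try all 26 keys; return the (k, plaintext) that looks most like English."""
    return min(((k, decrypt(k, c)) for k in range(26)),
               key=lambda kp: chi_squared(kp[1]))


if __name__ == "__main__":
    # Constructed sample message, encrypted under a key the breaker is not given.
    secret = encrypt(11, "meet me at the library after the security lecture tonight")
    print(secret)
    print(break_caesar(secret))
```

Frequency ranking needs a few dozen letters to be reliable; for a single short word, reading the 26 brute-force candidates is the practical check.
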
A perfectly secure (yet impractical) example: One-time pad
XOR message with a random key of same length
$E(k, m) = k \oplus m$
$D(k, c) = k \oplus c$
http://users.telenet.be/d.rijmenants/en/onetimepad.htm

One-time pad achieves perfect security (under certain assumptions)
OTP: XOR message with a random key of same length
In information theory and cryptography, one-time pad is an encryption scheme that is unconditionally secure
• $\Pr[E(\mathbf{k}, m_0) = c] = \Pr[E(\mathbf{k}, m_1) = c]$
• $\mathbf{k}$ is a random variable uniformly drawn from the key space
• $\Pr[\mathbf{m} = m \mid \mathbf{c} = c] = \Pr[\mathbf{m} = m]$
• for each $m \in \mathcal{M}$ and each $c \in \mathcal{C}$ with non-zero probability

One-time pad achieves perfect security (under certain assumptions)
Threat model
• An eavesdropper attempts to learn something about the plaintext or key from the observed information
Assumptions
• Assume the sender and receiver share a random secret of length of $m$
• Assume the key is never reused

Security of encryption schemes
Ideally, we would like to ensure that
• Ciphertext leaks no info about key and/or plaintext
• Plaintext and ciphertext pairs leak no info about key
However, such information-theoretical security is hard to achieve in practice.
• It’s proven that keys must be at least as long as messages: if an encryption scheme is perfectly secure, then $|\mathcal{K}| \geq |\mathcal{M}|$.
Instead, we would aim for computational security: a computationally bounded adversary cannot recover the key or plaintext in reasonable time.

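Modern ciphers
Stream ciphers
Use a short secret to generate a long keystream that looks random
Encrypt one symbol at a time
Example: RC4
Block ciphers
Split the message into short fixed-length blocks and process them one at a time
Encrypt one block (a group of symbols) at a time
Example: DES, AES
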
Message Authentication Codes (MAC)
Message authentication codes (MAC), or keyed hash
Provides integrity and authenticity
• Integrity: $m$ was not modified
• Authenticity: $m$ was created by the key owner (which implies integrity)
[Figure: $m$ and the key $K$ enter the MAC function, which outputs $MAC_K(m)$.]

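Why public-key cryptography?
Problems that symmetric cryptography struggles to solve:
1. Key distribution problem
• Symmetric cryptography assumes both parties have already established a shared secret key
• How is the secret key established securely?
2. Digital signatures
• Digital signatures must provide non-repudiation
• In symmetric cryptography, the signer and the verifier must share a secret key
• If both parties know exactly the same thing, how can non-repudiation be achieved?
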
Merkle’s Puzzles
Goal: Alice and Bob want to establish a shared secret in the presence of an eavesdropper, Eve.
1. Alice: pick random $k_i, s_i$; compute $n$ puzzles, $P_i = (E(k_i, s_i), E(k_i, i), E(k_i, 0))$
2. Alice → Bob: $n$ puzzles in random order
3. Bob: pick $P_j = (c_1, c_2, c_3)$; recover a key $k$ s.t. $D(k, c_3) = 0$ using brute-force search; then $\ell \leftarrow D(k, c_2)$, $s_\ell \leftarrow D(k, c_1)$
4. Bob → Alice: index, $\ell$
Established a shared secret $s_\ell$

Merkle’s Puzzles
An early example of public key cryptography
Computational complexity:
• Alice: $O(n)$
• Bob: $O(|\mathcal{K}|)$
• Eve: $O(n|\mathcal{K}|)$
Complexity gap: the attacker has to compute for a long time, while Alice and Bob do not
However, a quadratic complexity gap (when $n = |\mathcal{K}|$) is still not quite enough
Merkle, R. C. (April 1978). "Secure Communications over Insecure Channels". Communications of the ACM. 21 (4): 294–299.
More story: http://merkle.com/1974/

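An added example (not from the original slides) that runs the four protocol steps and counts trial decryptions, to make the gap between Bob's work and Eve's visible. The 4-round Feistel toy cipher standing in for $E$/$D$, the $2^{12}$ key space and all function names are assumptions chosen so the brute-force step finishes quickly.

```python
import hashlib, random, secrets

KEY_SPACE = 2 ** 12   # |K|: small on purpose so one puzzle can be brute-forced

def _f(k, r, half):
    digest = hashlib.sha256(f"{k}|{r}|{half}".encode()).digest()
    return int.from_bytes(digest[:8], "big")

def E(k, x):
    """Toy 4-round Feistel cipher on 128-bit integers (assumed stand-in for E)."""
    left, right = divmod(x, 2 ** 64)
    for r in range(4):
        left, right = right, left ^ _f(k, r, right)
    return left << 64 | right

def D(k, c):
    left, right = divmod(c, 2 ** 64)
    for r in reversed(range(4)):
        left, right = right ^ _f(k, r, left), left
    return left << 64 | right

def alice_make_puzzles(n):
    """Steps 1-2: P_i = (E(k_i, s_i), E(k_i, i), E(k_i, 0)), sent in random order."""
    table, puzzles = {}, []
    for i in range(n):
        k_i, table[i] = secrets.randbelow(KEY_SPACE), secrets.randbits(128)
        puzzles.append((E(k_i, table[i]), E(k_i, i), E(k_i, 0)))
    random.SystemRandom().shuffle(puzzles)
    return table, puzzles

def solve(puzzle):
    """Step 3: brute-force k with D(k, c3) = 0; return (trials, l, s_l)."""
    c1, c2, c3 = puzzle
    for k in range(KEY_SPACE):
        if D(k, c3) == 0:
            return k + 1, D(k, c2), D(k, c1)

def eve_recover(puzzles, index):
    """Eve sees only the puzzles and l, so she solves puzzles until one yields l."""
    total = 0
    for puzzle in puzzles:
        trials, l, s = solve(puzzle)
        total += trials
        if l == index:
            return total, s

if __name__ == "__main__":
    table, puzzles = alice_make_puzzles(64)
    bob_trials, l, s_l = solve(secrets.choice(puzzles))  # step 4: Bob sends l
    print(bob_trials, eve_recover(puzzles, l)[0], table[l] == s_l)
```

Bob's count stays below $|\mathcal{K}|$ while Eve's grows with $n$, which is the $O(|\mathcal{K}|)$ versus $O(n|\mathcal{K}|)$ gap from the slide.
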
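Diffie-Hellman key agreement
Setup:
Public values: large prime $p$, generator $g$
Alice picks a secret $a$, and Bob picks secret $b$
Key agreement:
[Figure: over an authenticated channel, Alice sends $g^a \bmod p$ to Bob and Bob sends $g^b \bmod p$ to Alice.]
Bob computes $(g^a)^b = g^{ab} \bmod p$
Alice computes $(g^b)^a = g^{ab} \bmod p$
Alice and Bob can then use $g^{ab} \bmod p$ to derive their shared key
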
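Man in the middle (MitM) attack against DH
MitM attack intercepts communication between two parties who believe they are directly talking to each other
Example: MitM attack against DH key agreement
• Eve impersonates Alice to Bob and Bob to Alice
Eve can decrypt the comm. between Alice and Bob
[Figure: Alice holds secret $a$, Eve holds $m$, Bob holds $b$. Alice sends $g^a \bmod p$ and receives $g^m \bmod p$; Bob receives $g^m \bmod p$ and sends $g^b \bmod p$. The two resulting keys differ: $g^{am} \bmod p \neq g^{bm} \bmod p$.]
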
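An added example (not part of the original slides) of the exchange above with and without the substitution of $g^m$, showing how comparing public-value fingerprints over an authenticated channel exposes it. The toy 127-bit prime, $g = 3$ and the helper names are assumptions for illustration; real deployments use standardized groups of 2048 bits or more.

```python
import hashlib, secrets

# Toy public parameters (assumption): a Mersenne prime keeps the numbers readable.
P = 2 ** 127 - 1
G = 3


def keypair():
    secret = secrets.randbelow(P - 3) + 2          # secret exponent in [2, P-2]
    return secret, pow(G, secret, P)


def shared_key(own_secret, peer_public):
    """Derive a symmetric key from peer_public^own_secret mod p."""
    z = pow(peer_public, own_secret, P)
    return hashlib.sha256(z.to_bytes(16, "big")).digest()


def fingerprint(public):
    """Short digest of a public value, compared over an authenticated channel."""
    return hashlib.sha256(public.to_bytes(16, "big")).hexdigest()[:16]


def exchange(intercept):
    """One key agreement; if intercept is True, g^m replaces both public values."""
    a, A = keypair()
    b, B = keypair()
    m, M = keypair()
    seen_by_bob, seen_by_alice = (M, M) if intercept else (A, B)
    k_alice, k_bob = shared_key(a, seen_by_alice), shared_key(b, seen_by_bob)
    return {
        "keys_match": k_alice == k_bob,
        "eve_knows_alice_key": shared_key(m, A) == k_alice,
        "eve_knows_bob_key": shared_key(m, B) == k_bob,
        # Authentication check: each side compares what it received with the
        # fingerprint its peer announces over the authenticated channel.
        "substitution_detected": (fingerprint(seen_by_bob) != fingerprint(A)
                                  or fingerprint(seen_by_alice) != fingerprint(B)),
    }


if __name__ == "__main__":
    print("honest     :", exchange(intercept=False))
    print("intercepted:", exchange(intercept=True))
```
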
2015 Turing Award Winners
Whitfield Diffie and Martin Hellman
For their critical contributions to modern cryptography
• “Diffie and Hellman’s groundbreaking 1976 paper, New Directions in Cryptography, introduced the ideas of public-key cryptography and digital signatures, which are the foundation for most regularly-used security protocols on the Internet today.”
http://amturing.acm.org/

Public-key encryption
Bob has a public/private key pair $(pk_b, sk_b)$.
Assume an authenticated channel to publish $pk_b$
• Authenticated channel: msgs can’t be modified but can be overheard
Bob keeps his own private key $sk_b$ in secret, so only Bob can decrypt $c$, and only Alice and Bob know $m$.
[Figure: Alice obtains $pk_b$ over an authenticated channel, encrypts $c = E(pk_b, m)$ and sends $c$ over an insecure channel; Bob decrypts $m = D(sk_b, c)$.]

Digital Signatures
Alice has a public/private key pair $(pk_a, sk_a)$.
Only Alice can create this signature (non-repudiation).
Eve can also verify this signature, but any modification will be detected.
[Figure: Alice signs $\sigma = S(sk_a, m)$ and sends $(m, \sigma)$ over an insecure channel; the verifier obtains $pk_a$ over an authenticated channel, checks $(m, \sigma)$ and outputs valid or not.]

2002 Turing Award Winners
Ron Rivest, Adi Shamir, Leonard Adleman
For their ingenious contribution for making public-key cryptography useful in practice.
• Rivest, Shamir, and Adleman presented practical implementations in their 1977 paper, “A method for obtaining digital signatures and public-key cryptosystems,” which showed how a message could easily be encoded, sent to a recipient, and decoded with little chance of it being decoded by a third party who sees it.

Symmetric vs. asymmetric crypto
Symmetric crypto
• Both parties share same key
• Secret key (or shared key) only known to communicating parties
• For secure comm., key should be secret & authentic
Asymmetric crypto
• Each party has a public & a private key
• Public key known to everyone
• Private key only known to owner
• For secure comm., private key is secret and public key is authentic

Comparison sym vs. asym crypto
Symmetric crypto
• 112 bit key for high security (year 2015)
• ~1,000,000 ops/sec on 1 GHz processor
• 10x speedup in HW
Asymmetric crypto
• 2048 bit key (RSA) for high security (year 2015)
• ~100 signatures/sec, ~1000 verify/s (RSA) on 1 GHz processor
• Limited speedup in HW

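Why should cryptographic algorithms be public?
Secrets are hard to protect (so should be minimized)
Allows system to be openly examined by many people
Kerckhoffs’s principle, one of the important security principles
• “A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.”
Security through transparency vs. security through obscurity
Take home security as an example: security should rely on the door lock, not on building the layout of the house like a maze.
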
It's important, so say it three times
Don’t design or implement your own cryptographic algorithms!
Cryptography is highly brittle; a single specification or programming error can make it completely insecure.
Always use well-developed standards and libraries
In other words, if someone designs his/her own crypto algorithms, you are likely able to break them.

Review and Exercise
One-time pad and perfect security
Symmetric vs. asymmetric cryptography
Computational infeasibility

Example: Threat against Entity Authentication
[Figure: Peggy (Prover) tells Victor (Verifier) "I’m Peggy." and then sends some proof that can only be constructed by someone with S. Threats shown: direct attack (e.g., guessing the secret), passive eavesdropping, active attack, database hack.]

Securing Network Protocols
We may also need: Entity authentication, anonymous communication, DDoS defense
Layer: protocols | security protocols
Application: HTTP, Telnet, SMTP, DNS, BGP | DNSSec, SBGP
Transport: TCP, UDP | SSL/TLS, SSH
Network: IP | IPSec
Data Link: Wi-Fi | WEP, WPA
Physical

HTTPS as an example
Without HTTPS
Attacker can eavesdrop on and modify the traffic, and even impersonate the server
With HTTPS
HTTPS guarantees confidentiality, integrity, and authentication
* HTTPS is HTTP over TLS

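Entity Authentication in HTTPS
X.509 Public Key Infrastructure (PKI)
A hierarchy of Certification Authorities
[Figure: certificate hierarchy with the Root CA at the top]

Root certificates
All your trust relationships online are reduced to trusting this list of root certificates
[Figure: list of root certificates in OS X Keychain]
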
Rogue CAs & stolen certificates
Attacker uses a fake certificate that passes browser check
Who wants to do this?
• Organizations monitoring traffic
• Governments doing censorship
• Cloud providers
• …
How?
• Compromised CAs
• Compelled certificates
• Browser not checking correctly (perhaps on purpose)
• …

Password hashing as an example
Why hashing passwords?
Threat model: leaked password database
If passwords are stored in their hash forms (rather than in plaintext), then it’s harder for the attacker to recover the passwords in case of a data leak.
More passwords: https://github.com/danielmiessler/SecLists/tree/master/Passwords
A. Juels and R. L. Rivest, “Honeywords: Making Password-Cracking Detectable,” in Proceedings of ACM CCS, 2013.

Password hashing
Store $H(P)$ instead of plaintext password $P$
Is this enough to protect leaked passwords?
http://cacr.uwaterloo.ca/hac/about/chap10.pdf

Exhaustive Search vs. Dictionary Attack
Dictionary Attack
Trying apple: failed
Trying blueberry: failed
Trying justinbeiber: failed
...
Trying letmein: failed
Trying s3cr3t: success!
Exhaustive Search
Trying aaaa: failed
Trying aaab: failed
Trying aaac: failed
...
Trying acdb: failed
Trying acdc: success!
https://crackstation.net/hashing-security.htm

Salting and stretching
Store {salt, $H^t(\mathit{salt}, P)$} instead of $H(P)$
• $H^t$ means the hash function is applied $t$ times
• $t$ is on the order of 1000
• Why do these help?
Salting: adding random values such that two accounts with the same password generate different hashes
• Prevents the use of pre-computed tables
Stretching: deliberately slow down password cracking

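An added example (not from the original slides) contrasting stored $H(P)$ with a salted and stretched record. PBKDF2-HMAC-SHA256 from Python's standard library stands in for the slide's $H^t(\mathit{salt}, P)$, and the accounts and word list are constructed.

```python
import hashlib, hmac, secrets

ITERATIONS = 1000   # the slide's t; production systems use far larger counts


def stretch(salt, password, t=ITERATIONS):
    """Salted, stretched hash (PBKDF2 is an assumed stand-in for H^t(salt, P))."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, t)


def new_record(password):
    """What the server stores: {salt, H^t(salt, P)} with a fresh random salt."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": stretch(salt, password)}


def verify(record, candidate):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(record["hash"], stretch(record["salt"], candidate))


def unsalted(password):
    """The weaker scheme: store H(P) only."""
    return hashlib.sha256(password.encode()).hexdigest()


def table_hits(stored, word_list):
    """Count stored hashes that appear in a table precomputed from word_list."""
    table = {unsalted(w) for w in word_list}
    return sum(h in table for h in stored)


def demo():
    # Constructed accounts: two users picked the same password.
    users = {"alice": "s3cr3t", "bob": "s3cr3t", "carol": "correct horse battery"}
    words = ["apple", "letmein", "s3cr3t"]
    weak = {u: unsalted(p) for u, p in users.items()}
    strong = {u: new_record(p) for u, p in users.items()}
    return {
        "weak_same_hash": weak["alice"] == weak["bob"],
        "strong_same_hash": strong["alice"]["hash"] == strong["bob"]["hash"],
        "weak_table_hits": table_hits(weak.values(), words),
        "strong_table_hits": table_hits(
            [r["hash"].hex() for r in strong.values()], words),
        "login_ok": verify(strong["alice"], "s3cr3t"),
        "login_bad": verify(strong["alice"], "letmein"),
    }


if __name__ == "__main__":
    print(demo())
```
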