Enforce a label-baesd policy:

• Assign security label (level) to all data
• Assign a security label (clearance) to each user
• DBMS should make sure that all users have access to only those data for which they have a clearance

• Simple-Security

Subject S can read object O only if

label(S) dominates label(O)

• *(STAR)-Property

Subject S can write object O only if

label(O) dominates label(S)

• A Trojan Horse is rogue software installed, perhaps unwittingly, by duly authorized users
• A Trojan Horse does what a user expects it to do, but in addition exploits the user's legitimate privileges to cause a security breach

• Trojan Horses are the most insidious threat
• Viruses and logic bombs are examples of Trojan Horses
• It is possibel to embed Trojan Horses in hardware and firmware
• It is possible to embed Trojan Horses in critical system software such as compilers and Database Management Systems

• It contains security classes of all objects and subjects
• Whatever a subject accesses an object, it must do so via the reference monitor
• It enforces the two MAC requirements
• It is always running, cannot be bypassed, and cannot be tampered with

• Simple-Integrity

Subject S can read object O only if
label(O) dominates label(S)

• Star-Property

Subject S can write object O only if
label(S) dominates(O)

• Information Flow in BIBA is downward
• Information Flow in BLP is upward
• Since up and down are relative BLP and BIBA are essentially equivalent
• Lattice-based access control yields one way information flow, which can be used for confidentiality or integrity

High-low policy

• There are only two security classes called for example, H (for high) and L(for low); all flows are allowed except that form high to low. In other words, high information is more sensitive than low information

Denning's Axioms

<SC, ->, +O>

• SC is finite
• -> is a partial order on SC
• SC has a lower bound L such as L -> A for all AŒ SC, That is, L is the lowest security class
• +O is a least Upper Bound (lub) operator on SC

• SC is a universally bounded lattice
• There exists a Greatest Lower Bound(glb) operator xO (also called meet)
• There exists a highest security class H

Is a mathematical structure

 (see slide 9 of lecture 9)

• Example of a commercial security policy for confidentiality
• Mixture of free choice (discretionary) and mandatory controls

Brewer-Nash

Chinese Wall Policy

• BN Simple-Security

• S can read O only if:

O is in the company datasetas some object previously read by S (ie., O is within the wall)

or

O belongs to a conflict of interest class within which S has not read any object (i.e., O is inthe open)

• owner has all-or-nothing power
• spaghetti of intent
• negative permissions make for messier spaghetti
• trojan horses can subvert intent

• A user's permissions are determined by the user's roles

• rather than identity (DAC) or clearance (MAC)
• roles can encode arbitrary attributes

• Facilitates

• administration of permissions
• articulation of policy

• ranges from very simple to very sophisticated

• HRU, Take-Grant, SPM, TAM
• Type enforcement
• Generalized framework for access control

• Cryptology means hidden writing
• Comes from the Greek words (hidden or secret) and (writing)
• A tool for cryptographic services

Encryption

Decryption

Secret-key encryption

Public-key encryption

Public-key digital signatures

Message digests

Public-key certificates

Key agreement protocols

Key recovery and archive

• confidentiality
• integrity
• authentication
• non-repudiation
• management of security

• Quituple (E, D, M, K, C)

• M set of plaintexts
• K set of keys
• C set of ciphertexts
• E set of encryption functions e: M x K -> C
• D set of decryption functions d: C x K -> M

Classical Cryptopraghy

• Sender, receiver share common key
  • Keys may be the same, or trivial to derive from one another
  • sometimes called symmetric cryptogrphy
• Two  basic types
  • Transposition ciphers
  • Substitution ciphers
  • Combinations are called product ciphers

Rearrange letters in plaintext to produce ciphertext

Example (Rail-Fence Cipher)

Plaintext is HELLO WORLD

Rearrange as

HLOOL

ELWRD

Ciphertext is HLOOL ELWRD

• Change characters in plaintext to produce ciphertext
• Example (Caesar cipher)
  • Plaintext is HELLO WORLD
  • Change each letter to the third letter following it (X goes A, Y to B, Z to C)
    • Key is 3, usually written as letter 'D'
  • Ciphertext is KHOOR ZRUOG

• observe but do not modify traffic
• threat for confidentiality

• delete, add, and replay traffic
• threat for confidentiality, integrity, authentication and non-repudiation

Secret Key Cryptosystem

• A and B can be people or computers
• attacker is assumed to know E and D
• confidentiality depends only on secrecy of the key
• secret key systems do not scale well
  • with N parties we need to generate and distribute N*(N-1)/2 keys

• prolonged use increases exposure

• short-term keys communicated by means of long-terms keys

Secret Key

Cryptosystems

• 64 bit data block size
  • DES: 56 bits
  • Triple DES: 112 bit key
  • IDEA: 128 bit key
  • Skipjack (Clipper):80 bit
  • RC2: variable size key
• 128 bit data block size
  • Advanced Encryption Standard: 128, 192 or 256 bits

• Variable block size
  • RC5
    • 32, 64, or 128 block size
    • variable key size
    • variable numner of rounds
  • Advanced Encryption Standard under development
    • must support key-block combinations of 128-128, 192-128, 256-128
    • may support other combinations

• ciphertext only
  • cryptanalyst only knows ciphertext
• known plaintext
  • cryptanalyst knows some plaintext-ciphertext pairs
• chosen plaintext

• 40 bit key requires 2³⁹ ≈ 5* 10¹¹ trials on average (exportable from USA)
• Trials/second    Timerequired

1              20,000years

10³             20years

10⁶             6 days

10⁹           9 minutes

10¹²          0.5 seconds

• if keys are poorly chosen know plaintext attacks can be very simple

• often the user's password is the key

• in a dictionary attack the cryptanalyst tries passwords from a dictionary, rather than all possible keys
• for a 20,000 word dictionary, 1 trial/second will crack a poor password in less then 3 hours

• 56 bit key
• 64 bit block size
• E and D are public
• US Federal standard for sensitive but unclassified information
  • adopted as ANSI DEA (Data Encryption Algorithm)

• Modes
  • ECB, CBC
• Major weakness is key size of 56 bits
• useful life can be extended by triple DES (effective key size 112 bits)

• ok for small messages
• identical data blocks will be identically encrypted

• Needs an Initialization Vector (IV) to serve as the first feedback block
• IV need not be secret or random
• Integrity of the IV is important, otherwise first data block can be arbitrarily changed
• IV should be changed from message to message, or first block of every message should be distinct

Public Key Cryptosystem

• Solves the key distribution problem provided there is a reliable channel for communication of public keys
• requires reliable dissemination of 1 public key/party
• scales well for large-scale systems

• confidentiality based on infeasibility of computing B's private key from B's public key
• key sizes are large ( 512 bits and above) to make this computation infeasible

RSA

(Rivest-Shamir-Adleman)

• public key is (n,e)
• Private key id d
• encrypt: C = M^e mod n
• decrypt: M = C^d mod n

choose 2 large (100 digit) prime numbers p and q

compute n = p*q

pick e relatively prime to Φ(n) which is (p-1)*(q-1)

compute d, e*d = 1 mod Φ(n), which means (e*d)-1 should be evenly divisble by Φ(n)

publish (n,e)

keep d secret ( and discard p,q)

• RSA encrypts at kilobits/second
• DES encrypts at megabits/second
• This 1000-fold difference in speed is likely to remain independent of technology advances

• key size of RSA is selected by the user
  • casual 384 bits
  • commercial 512 bits not any more
  • military 1024 bits

• RSA has a unique property, not shared by other public key systems
• Encryption and decryption commute
  • (M^e mod n)^d mod n = M  encryption
  • (M^d mod n)^e mod n = M  signature
• Same public key can be use for encryption and signature

NIST Digital Signature Standard:

to sign message m: private key x

• choose random r
• compute v = (g^r mod p) mod q
• compute s =(m+xv)/k mod q
• signature is (s,v,m)

NIST Digital Signature Standard:

to verify signature: public key y

• compute u1 = m/s mod q
• compute u2 = v/s mod q
• verify that v = (g^u1 *y^u2 mod p) mod q

Characteriscts of NIST Digital Signature Standard

• Separate algorithms for digital signature and public-key encryption
• signature does not repeat, since r will be different on each ocassion
• same random number r is used for two messages, the system is broken
• message expands by a factor of 2
• if RSA signatures do repeat, there is no message expansion

Diffie-Hellman
Key Agreement

• security depends on difficulty of computing x given y=a^x mod p
  called the discrete logarithm problem

• Public- key encryption
  • RSA (Rivast-Shamir-Adleman)
• Public-key Digital signatures
  • RSA
  • NIST DSS(Digital Signature Standard)
• Public-key key agreement
  • Diffie-Hellman

• Public-key technology is very slow
• Public-key encryption
  • use public-key encryption to send a secret key with confidentiality
  • actual traffic is encrypted using secret key
• Public-key digital signatures
  • cannot sign big messages

• for performance reasons
  • sign the message digest
  • not the message
• one way function
  • m=H(M) is easy to compute
  • M=H^-1 (m) is hard to compute

• diffcult to find M' such that H(M')=H(M)
• Given M, m=H(M) try messages at random to find M' with H(M')=m
  • 2^k trials on average, k=64 safe to be

• difficult to find any two M and M' such that H(M')=H(M)
• Try pairs of messages at random to find M and M' such that H(M)'=H(M)
  • 2^k/2 trials on average, k=128 to be safe

• proposed by Ron Rivest (of RSA)
• MD5 is na improved version of MD4
• 128 bit digest
• simple, compact and fast

• 160 bit digest
• similar to MD5

• Authentication
• Integrity

• Does not provide
  • non-repudiation

• HMAC_k (M) = h(K+o opad|| h(K+o ipad || M))
  • h is any message digest function
  • M message
  • K secret key
  • opad, ipad: fixed outer and inner padding
• HMAC-MD5, HMAC-SHA

• public-key encryption
  • sender needs public key of receiver
• public-key digital signatures
  • receiver needs public key of sender
• public-key key agreement
  • both need each other's public keys

• Impractical
• Inadequately
• the user populations become large

• Scable and Controllable
• Demand public-key certification authority(CA)

• A document containing a certified statement, especially as to the truth of something - literally
• A collection of information plus a digital signature - electronic world

k=y_b^xA mod p =y_A^xB mod p = a^xA^xB

system constants: P: prime numbers, a: integer

• Need to get CA's public key certificate
  • To verify CA's signature
• Need to get a subscriber's public key certificate
  • To obtain the public key of a subscriber of CA
• Need to get his own certificate from CA
  • To use mutual authentication as a certificate is presesnted across the internet

Key-Pair Generation

• Private key
  • Secure transfer to the key-pair holder's system
• Public key
  • Secure transfer to one or more certification authorities as an input to certification authorities as an input to certificate generation functions
• Types
  • Key-pair holder system
  • Central system

• Without needing to consider
  • Confidentialiality
  •  
    • No need to keep Public-key value confidential
  • Authentication and Integrity
    • CA's digital signature inside the certificate provides both authentication and integrity

• Trustworthiness
  • Important factor
  • A certificate is only useful if the public-key user is certain it trusts the certification authority to issue only valid certificates
• Certificate Trust
  • how to acquire public key of the issuer to verify signature
  • whether or not to trust certificates signed by the issuer for this subject

Different Types of Certification Authority

• Single CA
  • Not pratical
  • Need to have sufficient knowledge of and an adequate relationship with all potential users 
• Multiple CAs
  • Certificate chain or Certificate path

• A restricted lifetime
• To control cryptanalysis opportunity
• To constrain the period vulnerability

What is Revocation?

• In the event of a know or suspected key comprise, it should be possible to protect users against continuing to use the public-key via a certificate

• CRLs issued periodically as per CA policy
  • blank CRLs can be issued
• CRL distribution
  • pull method
  • push method
• Immediate or real-time revocation
  • needs query to CA on every certificate use
  • maybe of for small closed communities

• Tamper-resistant hardware or token
  • Smart card
  • PCMCIA card
    Authentication: physical token or biometric check
    
• Storage in an encrypted data file within a system
  Authentication: password and PIN

• Authentication
  • cannot be forged
• Integrity
  • message cannot be altered
• non-repudiation
  • only sender could have signed the message
• management of security

• confidentiality
  • secret key encryption
• integrity, authentication, non-repudiation
  • public-key digital signatures, message digests, public-key certificates
• management of security
  • all above, key-agreement protocols, key recover

• In Greek, it means "covered writing"
• The art of hiding information in ways that prevent detection of hidden messages
• While the goal of the cryptography system is to conceal the content of the messages, the goal of information hiding or steganogrphy is to conceal their existence

• Encoding a hidden message in a strand of human DNA

• Information hidden in documents by manipulating the positions of lines and words

• Least significant bit insertion
• making filtering
• applying more sophisticated image processing algorithms

• Data can be hidden in the audio files. Slight alterations on sound, such as tiny shifts in phase angle, speech cadence, and frequency, can transport hidden information, but are indiscernible to human senses

• confidentiality
  • secret key encryption
• integrity, authentication, non-repudiation
  • public-key digital signatures, message digests, public-key certificates
• Management of security
  • all above, key-agreement, key recovery

• While the goal of the cryptography system is to conceal the content of the messages, the goal of information hiding or steganography is to conceal their existence

• We need end-to-end authentication which is safe from
  • at least passive wiretapping, and
  • active wiretapping for higher assurance
• More generally we need two-way end-to-end authentication

End-To-End

Authentication

• Crypotgraphy based
• Hardware assistance
  • smart card with reader
  • readerless see through device
  • calculator style device requiring additional key stokes

• User and system share a secret function f (in practice, f is a known function with unkown parameters)

• random passwords that are used only once
  • user unfriendly
  • computing device friendly
• Bell Core's S/Key system

• Improved performance because of reduced contention for centralizrd resources
• Increased availability, as the risk of the system failure is lower
• Greater versatility through the combined processing of disparate platforms

• The weakening of security
• The increasing risk of security attacks

• Connected or unconnected systems
• Indepenedent copies of software
• Independent copies of data

• Interconnected systems
• Same Software
• Share the same data

• Interconnected systems
• Independent copies of software
• Share the same data

• Rely on each individual client workstation to assure the identity of users
• Rely on each server to enforce a security policy UID
• Require that client systems authenticate themselves to servers, but trust the client system concering the identity of its user

• Require the user to prove identity for each service invoked, also require that servers prove also require that servers prove their identity to clients

• Bilateral (Rhosts Model)
• Consolidated (kerberos Model)

• Authentication service
• Part of project Athena of MIT
• Intended to have thress componets to guard a network's gate
  • Authentication
  • Accounting
  • Audit

Motivation for kerberos

Provide authentication between any pair of entities

By a trusted third-party

KERBEROS DESIGN GOALS

IMPECCABILITY?

• no cleartext passwords on the network
• no client passwords on servers
• minimum exposure of client key on workstation

KERBEROS DESIGN GOALS

Containment?

• compromise affects only one client (or server)
  • CONSOLIDATED KERBEROS MODEL
• limited authentication lifetime (8 hours, 24 hours, more)

KERBEROS DESIGN GOALS

Transparency?

• password required only at login
• minimum to existing applications

•  Authentication Server (AS)
  • Verify a user
  • Create a ticket-granting-ticket
• Ticket granting Server (TGS)
  • Create a ticket for requested server

• Used to pass securely to the server the identity of the client
•  Good for a single server
• Possible to use multiple times within its lifetime
• Client cannot decrypt this ticket
  • Zero knowledge of server’s secret key
• Tc,s = {s, c, addr, timeo, life, Kc,s}EKs
• addr can be used to ensure that the client using the
• ticket is the same client to whom the ticket was issued.

• Life time is minimum of:
  • requested life time
  • max lifetime for requesting principal
  • max lifetime ofr requesting service
  • max lifetime of ticket granting ticket
• Max lifetime is 21.5 hours

• Generated every time the client wishes to usea service on the server
• Can only be used once (unlike a ticket)
• Purpose : sealed plaintext proves that the client also knows the session key
• Ac,s= {c, addr, timea,OSK}EKc,s

• First service a client accesses is the ticketgranting service
• Additional services are accessed by getting tickets from the ticket-granting service
• Shared client-server secret key can be used for confidentiality of each IP packet or each RPC

• Step 1 (Client-Kerberos)
  • to obtain ticket-granting ticket
  • once per user logon session
• Step 2 (Client-Kerberos)
  • to obtain service-granting ticket
  • once per type of service
• Step 3 (Client-Server)
  • to obtain service
  • once per service session

• Kerberos tickets are renewable, so service can be maintained beyond maximum ticket lifetime.
• Ticket can be renewed until min of:
  • requested end time
  • start time + requesting principal’s max renewable lifetime
  • start time + requested server’s max renewable lifetime
  • start time + max renewable lifetime of realm

• Require the user to prove identity for each service invoked, also require that servers prove their identity to clients