Introduction

Security introduction

When talking about security it is important to begin with the evaluation of what we need to protect and what are the risks. Here we can find a list of definitions that will be useful later:

• ASSET: the set of goods, data, and people needed for an IT service
• VULNERABILITY: intrinsic weakness of an asset
• THREAT: possible deliberate action or accidental event that can produce the loss of a security property by exploiting a vulnerability it depends upon the specific environment and/or operating conditions
• ATTACK: threat occurrence (deliberate action)
• (NEGATIVE) EVENT: threat occurrence (accidental event)

Security in the lifecycle of a system

Once threats and vulnerabilities are acknowledged it is possible to proceed with the development of the product or service. Security must be taken into account in every phase of the project: at the beginning the risks need to be assessed and security policies and procedures have to be defined. After that the team can check if there is any available product that can satisfy the requirements, if this is not the case the next phase consists in designing security services and integrating them in the code. Once the development phase is concluded tests need to be done (preferably by an external auditor). Even if the tests show positive results security needs to be set-up correctly (for example creating a new strong password for the home router before the first use). After all these steps the system can go live but it has to be constantly managed to keep up with new discoveries.

---

• INCIDENT: a security event that compromises the integrity, confidentiality, or availability of an information asset
• (DATA) BREACH: an incident that results in the disclosure or potential exposure of data
• (DATA) DISCLOSURE: a breach for which it was confirmed that data was actually disclosed (not just exposed) to an unauthorized party

In the image above we can see that when a new vulnerability is discovered (which is something that happens extremely frequently) the risk level spikes up and continues increasing slowly until the vendor becomes aware of it. Once this happens the vendor needs a variable amount of time to solve the issue and create a patch. During this period, the only thing that can be done is to update security tools such as IDS (Intrusion Detection System) that can notify the victim in case of an attack. Once the vendor releases the patch the risk level starts decreasing faster and returns to the normal level once the patch is installed.

The time between the discovery of the vulnerability and the installation of the patch is called window of exposure.

Security principles

• Security in depth: multiple layers of security need to be implemented
• Security by design: the service has to be designed with security in mind as seen before
• Security by default: when there are multiple options available, the secure one need to be set by default
• Least privilege: users of the service should have the least amount of privilege that allows them to do their work. This limits the amount of damage that can be done by a user.
• Neet-to-know: similar to the least privilege principle. Users should only know what they need to complete their job. An example of this is the Amazon delivery service: warehouse workers should only know which items has to be packed in a certain box (without knowing who they are for), the bank should know about the amount that has to be payed for a certain order, etc.

Security properties/services

Italian	English
autenticazione (semplice/mutua)	(simple/mutual) authentication
autenticazione (della controparte)	(peer) authentication
autenticazione (dei dati)	(data/origin) authentication
autorizzazione, controllo degli accessi	authorization, access control
integrità	integrity
riservatezza, confidenzialità	confidentiality, privacy, secrecy
non ripudio	non-repudiation
disponibilità	availability
tracciabilità	traceability, accountability

Peer authentication

Peer authentication consists in the action of o ne or both parts of a communication of proving the other who they are.

Single

In single peer authentication only one of the parts has to prove their identity to the other.

Example: the user has to prove its identity to the server before being able to perform some action

Mutual

Both parts have to prove their identity to each other.

Example: the user has to login (prove its identity) into the bank account but the bank server has to prove the user that it is the real bank.

Data origin authentication

In this case what has to be authenticated is the data itself and not the user.

Example: emails are asynchronous (sender and receiver does not have to be online at the same time) so the email has to be authenticated so that the receiver can be sure where it comes from.

Non-repudiation

Formal proof (acceptable by a court of justice) that gives undeniable evidence of the data creator, normally it is associated not only to technical aspects but also to a specific procedures performed voluntarily. We (almost) never have non-repudiation with protocols or procedures that perform automatic actions on user’s behalf.

Authorization (access control)

The user need to be authorized to perform a specific action by the owner of the resource or the administrator.

Privacy (communication)

Privacy (data, actions, position)

Data that belong to an user, their actions and their position must not be accessible to a third party.

Integrity (data modification)

Even if a malicious person cannot understand the content of a message/file/etc. it can still modify it (in unpredictable ways) and this might cause problems. Let’s imagine a money transfer over a computer network: if someone is able to intercept the payment message, edit it and forward it to the original destination, it might be possible to change the payment amount.

With integrity implemented on the other hand, the malicious person can still edit the data but the receiver can detect the change and reject the message.

If we want to prevent data modification we would need to implement authorization but this is almost impossible in network communication.

Integrity (data cancellation/filtering)

This is similar but the message, instead of being edited, is deleted.

Replay attack

Replay or Reply

Pay attention to the difference between “replAy” (riprodurre, fare di nuovo) and “reply” (rispondere, risposta)

Replay attacks consist into recording a specific message between two point and sending it back multiple times to achieve a specific goal (for example record the message of a money transfer and replaying it multiple times to collect more money).

To protect against this kind of attacks the receiver must be able to detect if the received message is a real one or a copy.

Data protection

For the security properties seen above it is always important to consider three cases of data protection based on “where” that data is:

1. Data in transit: when data are transmitted over a communication channel
2. Data at rest: when data are stored in a memory device
3. Data at work: when data are in RAM for use by a process

Each of these cases poses different problems and requires different solutions (for example when the data is in RAM security has to be implemented in the hardware).

Enemy analysis

Where is the enemy (I)

When trying to understand what security procedures need to be implemented, it is important to consider where the “enemy” is located in order to choose the correct countermeasure.

• Outside our organization: if we trust the members of our organization we should create a firewall (perimeter defense) to be protected from the outside.
• Outside our organization, with the exception of our partners: in this case it is necessary to create a VPN (Virtual Private Network) to give access to trusted partners and be protected from the others.
• Inside our organization: if we don’t trust who is inside the organization the problem is more difficult to solve and a solution could be a LAN (Local Area Network).
• Everywhere: This is the most realistic case since the idea of “inside” and “outside” doesn’t make sense anymore considering how in today’s world we are always connected to some other services. The solution is then to implement application-level protection which means that each program cannot rely on other services for protection and data protection, in other words we need to create a ZTA (Zero Trust Architecture).

Where is the enemy (II)

Another way of considering the enemy location is in respect to the two peers A and B who interact in any kind of network communication:

• MITM (Man-In-The-Middle): in this case the enemy is between the two peers.
• MATE (Man-At-The-End): here the enemy is inside one of the peers (for example with remote access to the computer).
• MITB (Man-In-The-Browser): in this case the enemy has access to one specific component of one of the peers (typically the web browser).

What action can the enemy perform

We can identify two types of attacks: passive attacks where the enemy can only read the data between A and B and active attacks, where the enemy can also modify, delete or create new data.

Technological problems

The main issues described here are related to the fact that networks were not created with security in mind:

• Most communications for example are made in clear
• Networks operate in broadcast (messages from one peer are send to everybody and, ideally only the intended receiver would accept them).
• Geographical connections use shared lines and data passes through third-party routers.
• User authentication is typically weak.
• There is no server authentication.
• Software contains bugs.

Attacks

This list contains a brief explanation of the attacks, for more details see the slides of the course (pages 58-84).

IP spoofing (masquerading)

In this attack someone uses the IP address of another host to perform (illegal) actions. One example is accessing a server that uses address based authentication (which should NEVER be used).

Packet sniffing (eavesdropping)

In packet sniffing the attacker intercepts messages that are not intended for him. This is very easy to do in broadcast networks since, as stated above, the messages are sent to everyone.

Since it is almost impossible to create non-broadcast networks, the only countermeasure is to encrypt the packet payload.

Denial of Service (DoS)

DoS attacks aim to keep a host busy so that it can’t provide its services. The attack consists in sending an excessive amount of request to the server so that it gets saturated and can no longer serve its purpose.

Unfortunately there is no countermeasure to this attack, the only thing that can be done is to monitor the traffic and oversize the server to mitigate the effects of an attack.

Distributed Denial of Service (DDoS)

Similar to DoS but the requests come from many different hosts (for example computers infected by a virus) to create a botnet. Often the bots are controlled by a master that coordinates them.

To improve a DDoS attack the attacker can use a reflector to hide its tracks or an amplification factor (that relies on specific protocols) to deal a greater damage without needing more bots.

Shadow/Fake server

In this attack a host shows itself as a service provider without having the rights to do so. In this way it can provide malicious answers to the client.

The attack can be performed both as shown in the picture above or by manipulating the DNS or routing to redirect the victim to the fake server.

The best countermeasure in this case is server authentication so that the user can verify if it’s talking to the real server or not.

Connection hijacking/MITM/data spoofing

In this attack the attacker takes control of a communication channel to insert, delete or manipulate the traffic. It can be performed as logical or physical Man In The Middle (MITM).

Countermeasures for this attack are implementing secrecy, data authentication, integrity (to detect if data has been modified) and serialization (numbering the packets to detect is something is missing).

It should be noted that peer authentication is not enough because the attacker could intervene after the authentication.

Trojan

A trojan (horse) is a program containing malicious software that could be executed on a user terminal (which are usually less protected than the network).

Malware

Definitions

• Virus: a piece of software that damages the target, replicates itself and is spread (involuntarily) by humans (for example by using an infected USB drive).
• Worm: does not inflict direct damage but can harm the target by saturating its resources. It can propagate automatically across multiple devices.
• Trojan: a malware vector.
• Backdoor: an authorized access point to a system that could be created or exploited by the attacker.
• Rootkit: a set of privileged access tools which could be hidden in the lower level of a host (e.g in the kernel).
• PUA: Potentially Unwanted Software, programs which are not dangerous but that were not installed on purpose.

Virus and worms

Both viruses and worms take advantage of the people to spread. Users could in fact be pushed to install malicious software by stress or ignorance, the system manager could make configuration mistakes and the producer could allow automatic execution of untrusted software.

Ransomware

Ransomware is a malware whose aim to get a ransom from the user. This is typically achieved by making user data unreadable and asking money for them to be unlocked.

One way to minimize the damage would be to make frequent backups but this is not enough. The backup could also be affected by the ransomware since it could already be present on the device when the backup was made. It is important to always check that the backup is readable and to know which is the last good one.

Non technological problems

There are a lot of problems that are not related to technical issues but to the people that interact with the systems. People usually make mistakes because of ignorance, when stressed or overloaded, etc. Other issues are related to complex user interfaces that may mislead the user or tempt the user into taking unsafe “shortcuts” (such as disabling the anti virus to improve performance).

Social engineering

Social engineering consists into forcing users to involuntarily partecipate to the attack. Showing acquaintance with the company’s procedures, habits and personnel helps in gaining trust and make the target lower his defenses.

Phishing

Phishing is the use mail or similar tools to attract a user to a fake (shadow) server to. The goal for the attacker is to acquire their personal data or persuade them to install a plugin or extension (which actually is a virus or a Trojan).

There are two main variants of phishing:

• Spear phishing: includes several personal data to disguise the fake message as a good one (e.g. e-mail address, name of Dept/Office, phone number, etc.)
• Whaling: in this case the attacker utilizes spear phishing methods to go after a large, high-profile target, such as a CEO or CIO.

Fake mail

Faking an email or a SMS is easy, the difficult part is using the right tone to trick the victim. In emails a way to circumvent this problem could be using a previous real email and changing parts of it (for example an attachment). SMS are easier to fake since they are usually shorter.

Stuxnet attack

The Stuxnet attack is interesting because it is the first known one that targets a cyber-physical system (a system where computers control physical devices). In this case the target was an enrichment plant in Iran. The malware exploited several windows vulnerabilities and was disguised as a driver on a USB drive of a maintenance technician.

The plant relied on physical separation (air gap) for protection but did not implement any other layers (no anti virus, firewall, etc) and had many unnecessary services running. This meant that the virus was able to go unnoticed and spread across the network with ease.

The three (four) pillars of security

Link to original

Cryptography

Symmetric encryption

Terminology

• Message in clear: plain text or clear text, we will refer to it as P.
• Encrypted message: cyphertext, we will refer to it as C

Kerchoffs’ principle

If the keys are kept secret, managed only by trusted systems and of adequate length, then there is no need for the algorithm to be kept secret, it is better to make it public so that it can be studied and possible defects can be corrected.

If the Kerchoffs’ conditions are met, then the only possible attack is the brute force attack which requires a number of trial where is the number of bits of the key.

Symmetric cryptography

In symmetric cryptography there are two identical keys K which are share between sender and receiver (only!). The encryption consists in applying a mathematical function enc on the key-plain text pair C = enc(K, P), the decryption, on the other hand, uses a function dec = enc^-1 which, given the same pair as before, returns the plain text P = dec (K, P). Note that the key is always the first argument.

Symmetric cryptography has a low computational load but has a major flaw (which will be analysed later), which is how to securely share the key between sender and receiver.

XOR function

The XOR function is often used in cryptography because it is the ideal “confusion” operator (a random input will generate a random output). The XOR operates on two bits and the result is if the bits are identical, otherwise.

It is also very important to notice that the XOR is the inverse of itself .

DES

The DES (Double Encryption Standard) algorithm was one of the most used algorithms in the past decades (nowadays it is extremely easy to attack and should never be used). Its main advantage was its efficiency, since it used only three simple operations: XOR, shift and permutation. The first two are operation that can be easily carried out by a normal processor while the latter required a dedicated coprocessor.

The algorithm required a 56+8 bit key (8 parity bits do not increase security) and operated on 64 bits data blocks. This means that to encrypt a message longer that 64 bits, it has to be split in multiple block (more on that later).

Triple DES (3DES)

Since the normal DES was found to be easily attacked, a new version was introduced. This new version increased the security using the basic DES algorithm multiple times.

3DES has the advantage that remains compatible with normal DES if alle the keys used are equal to each other.

There are two variants of 3DES:

2 keys 3DES

This algorithm uses two keys and which are used as follows:

1. The plain text is encrypted with the first key to obtain a first cyphertext: .
2. The cyphertext created in the previous step in encrypted again with the second key:
3. The final cyphertext (the one that will be sent to the receiver) is obtained encrypting the cyphertext from step 2 with the first key:

3 keys 3DES

This algorithm uses three keys , and which are used as follows:

1. The plain text is encrypted with the first key to obtain a first cyphertext: .
2. The cyphertext created in the previous step in encrypted again with the second key:
3. The final cyphertext (the one that will be sent to the receiver) is obtained encrypting the cyphertext from step 2 with the third key:

Meet in the middle attack

Double DES does not exists because it would be subject to a meet in the middle attack. If in DES we use a key of length , in 2DES we would have a key of length but the meet in the middle attack would reduce the effective key length to (basically you double the amount of work to encrypt the message and you get the same result as adding only 1 bit).

How it works

• Hypothesis:
  • The keys and are bits long
  • There is a know plain text/cypher pair such as . This can be easily obtained if the attacker is able to use the encryption algorithm with a chosen plain text.
• Actions:
  • Compute all the possible values and store them with the key that generated them.
  • Compute all the possible values and store them with the key that generated them.
  • Search among all the stored values the ones with and retrieve the keys that generated them.

Block algorithms

As anticipated before, many algorithms can only be applied to fixed size blocks: this implies that longer data has to be split before the algorithm can be applied.

Here we will discuss two modes of operation.

Electronic Code Book (ECB)

In ECB the blocks are encrypted individually: and then sent one after the other. The decryption is extremely simple and consists in using the decryption algorithm on each block: .

This mode has the advantage of being fast and parallelizable (the blocks can be encrypted individually without needing to know anything else).

Even considering said advantages, this mode is very weak, specifically on long messages, because the attacker can precompute of a known with all possible keys and then compare the results with the blocks sent by the victim. Even though such an attack seems difficult to perform (it requires to know what message the victim will send), it is instead quite easy: consider that most file types have a constant heading that gives information about the file itself, and thus the attacker can easily guess the content of one of the blocks.

Another problem of ECB is that the receiver has not way of knowing if the blocks were mixed or if some of them were deleted.

Cypher Block Chaining (CBC)

In this mode the blocks are not encrypted individually but each of them contributes to the final cypher, making the previous attack unfeasible. The i-th block is obtained as follows: .

Since the first block would be subject to the same attack seen before, it is important to add an initialization vector (IV) chosen at random which has to be sent as well to allow the decryption.

The decryption phase in this case is not trivial: . The receiver needs to know = IV.

Padding

Complementarily to what said before, if the data to be sent is shorter than the block of the algorithm, it has to be “enlarged” to be able encrypt it. The problem that arise are that more data than necessary has to be sent and that the padding bits need to have a standardized value.

The padding bits can be chosen in many different ways, for example:

• All 0s (this method requires to know the length of the message in advance to be able to distinguish the “good” bits from the padding).
• One 1 bit followed by many 0s (used in DES).
• One byte with value 128 followed by 0s.
• Last byte with value equal to the length of the padding. This method requires to define what is the value of the other bits, again multiple options are available:
  • All 0s.
  • All bytes with the length of the padding.
  • Random bytes (can increase security since the attacker has no way to extract any information about the size of the padding).
  • Each bytes contains a progressive number from 1 to the length of the padding.
  • All bytes represent the length of the padding - 1.

Some types of padding can offer minimal integrity control (for example if the data is manipulated or the key is wrong the the length of the padding would be incoherent). Padding is usually used on the last block of large data and, in case the data length is an exact multiple of the block, it has to be added for consistency.

Cyphertext Stealing (CTS)

todo

Counter Mode (CTR)

todo

Symmetric stream encryption algorithms

This kind of algorithms works on a data stream without requiring the split in block, instead it operates on one bit or one byte at a time.

The ideal algorithm of this kind is the one-time pad: this algorithm requires a key which is:

1. As long as the message to be sent
2. Single use
3. Pre-shared between sender and receiver

The encryption function is a simple XOR between the plain text and the key. As it’s easy to imagine, this algorithm is not practical at all but it provides maximum security.

In real algorithms a pseudo-random key generator is used to generated keys that are synchronized between sender and receiver. Modern algorithms of this kind are Salsa20 and ChaCha20.

Symmetric encryption problems

Symmetric encryption has two important flaws that have to be acknowledged.

The first one is that if a message has to be shared between two parties, they need to share a common private key just for their couple; if someone has to send a message to a restricted group, the key has to be shared among all the members of that group.

The second problem concerns the key distribution: since each couple needs its own secret key, parties would need keys to be able to communicate with each other. Furthermore the keys cannot be exchanged on the same (unsecure) channel where the communication happens, otherwise everybody would be able to see them. This means that the key exchange has to happen Out-Of-Band (OOB), for example in person. This is obviously not feasible and thus a solution has to be found.

Asymmetric/Public-key cryptography

In public-key cryptography (PKC), instead of having a single key shared between sender and receiver, a key pair is used. The two keys are not independent: if one of them is used for encryption, the other one must be used for decryption.

Compared to symmetric cryptography, asymmetric cryptography has a much higher computational load and for this reason it’s commonly used for encrypting the keys of a symmetric algorithm before sharing them.

The keys are generated in pairs: one of them, the secret key () is kept by the owner, the other one, the public key () is shared with everybody. The reasons for this will be clear in the following.

Do to how the algorithms are created, a message encrypted with can be decrypted only by the corresponding and vice versa. This allows us to use the same algorithm for two distinct goals.

Confidentiality without shared secrets

PKC allows anybody to generate a secret message for a particular receiver provided that they know its public key. To do that the sender has to encrypt the plain text with the receiver’s public key; this message can be decrypted only by the receiver since it is the only one with the right private key.

Digital signature

Digital signature provides a way for someone to authenticate a message and provide integrity. Digital signature work in the opposite way compared to what we saw previously. In this case the sender “signs” the message by encrypting it with its private key, the receiver then uses the corresponding public key to verify that the message was really sent by the real sender (who is the only one with the correct private key).

Link to original