Plan for Today
Developing a Security Mindset

But first…
“Trick-or-Treat” Protocols!

PS3 is due at 11:59pm tonight!
29 October 2013

University of Virginia cs4414

1
“Trick or Treat” Protocols
Two parties:
Tricker initiates the protocol by making a terrorist threat and demanding tribute
Victim either pays tribute (usually in the form of a sugary snack) or risks being tricked
Tricker must convince Victim that she poses a credible threat: prove she is a qualified tricker

Trick-or-Treat
(Diagram: message exchange between “Trickers?” and “Victim”)
Trickers: “Trick or Treat?”
Victim: “Prove it!”
Trickers: “The magic word is: shazam!”

Any problems with this?

Authentication
How can the tricker prove their trickability, without allowing the victim to now impersonate a tricker?

One-Way Functions
f is a one-way function if it is a function y = f(x) that satisfies these two properties:
Invertible: there exists an $f^{-1}$ such that, for all x in range: $f^{-1}(f(x)) = x$
One-way: it is much, much, much easier to compute $f(x)$ than to compute $f^{-1}(y)$

Example One-Way-ish Function: Factoring
Forward: given p and q are 200-digit prime numbers, output n = pq
Backward: given n, output (p, q)

Forward: given (p, q) easy to calculate f(p, q).
Easy means we know there is an algorithm with running time in $\Theta(N^2)$ where N is number of digits.

Backward: given n = f(p, q) hard to find p and q.
Hard means (we hope) the fastest possible procedure has running time that is not polynomial in N

Best Known Factoring Algorithm
General Number Field Sieve: running time is in
$\Theta\left(e^{(\log N)^{1/3} (\log \log N)^{2/3}}\right)$
where N is the number of bits in input.
Note: unless you have a big quantum computer! Then the running time is in $O((\log N)^3)$.

Checks the factors multiply to produce n

Problems with this?

Providing Asymmetry
Need a function f that is:
Easy to compute: given x, easy to compute f(x)
Hard to invert: given f(x), hard to compute x
Has a trap-door: given f(x) and t, easy to compute x
No function (publicly) known with these properties until 1977…

(Photos: Len Adleman, Adi Shamir, Ron Rivest)

RSA Cryptosystem
$E_e(M) = M^e \bmod n$
$D_d(C) = C^d \bmod n$

$n = pq$
p, q are prime
d is relatively prime to $(p - 1)(q - 1)$
$ed \equiv 1 \pmod{(p - 1)(q - 1)}$

Correctness of RSA
$E_e(M) = M^e \bmod n$
$D_d(C) = C^d \bmod n$
$D_d(E_e(M)) = (M^e \bmod n)^d \bmod n$
$= M^{ed} \bmod n$
$= M$
This step depends on choosing e and d to have this property: uses Fermat’s little theorem and Euler’s Totient theorem

Hard to Invert
Given $E_e(M)$ and e and n, hard to compute M.
If attacker can factor n = pq, easy to find d:
$d = e^{-1} \bmod (p - 1)(q - 1)$
All other attacks are equivalent to factoring n.
No one seems to know a fast way to factor, except with a quantum computer (and no one seems to yet know how to build a large one).
For reasonable security, n should be 2048 bits (comparable to 112-bit symmetric key) – believed sufficient until 2030.

Easy to Invert with Trapdoor
$E_e(M) = M^e \bmod n$
$D_d(C) = C^d \bmod n$

Checks that $D(x)^e \bmod n = x$

How does victim know e and n?

Victim → Trickers Bureau: Help me verify “tricker@virginia.edu”
Checks that $M^{e_{T@V}} \bmod n_{T@V} = x$

Except on Halloween, this is called a challenge-response authentication protocol.

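The challenge-response check above (victim picks a fresh x, tricker returns D(x), victim checks that D(x)^e mod n = x), contrasted with the replayable magic word, as an added example that is not from the lecture. It uses textbook RSA without padding and toy primes constructed for the example; the class and function names are this example's own.

```python
import secrets

# Toy primes constructed for this example; a real n should be 2048 bits.
P, Q, E_PUB = 1_000_003, 998_244_353, 65_537

def keygen(p, q, e):
    """Return ((e, n), (d, n)) with d = e^-1 mod (p-1)(q-1), the trapdoor."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)

def rsa_public(public, m):
    """E_e(M) = M^e mod n: anyone holding (e, n) can compute this."""
    e, n = public
    return pow(m, e, n)

def rsa_private(private, c):
    """D_d(C) = C^d mod n: only the holder of d can compute this."""
    d, n = private
    return pow(c, d, n)

class Tricker:
    def __init__(self):
        self.public, self._private = keygen(P, Q, E_PUB)

    def respond(self, x):
        # Proves possession of d without revealing it.
        return rsa_private(self._private, x)

class Victim:
    def __init__(self, registered_public):
        # (e, n) as registered for the tricker, e.g. with the Trickers Bureau.
        self.public = registered_public
        self._pending = None

    def challenge(self):
        n = self.public[1]
        self._pending = 2 + secrets.randbelow(n - 3)   # fresh x in [2, n-2]
        return self._pending

    def verify(self, response):
        # Each challenge is accepted at most once.
        x, self._pending = self._pending, None
        return x is not None and rsa_public(self.public, response) == x

def magic_word_replay():
    """Static secret: whoever hears it once can present it later."""
    secret = "shazam"
    overheard = secret            # the victim now knows the magic word
    return overheard == secret    # so the victim can impersonate a tricker

def challenge_response_demo():
    tricker = Tricker()
    victim = Victim(tricker.public)
    x1 = victim.challenge()
    r1 = tricker.respond(x1)
    honest = victim.verify(r1)

    # Someone who observed (x1, r1) replays r1 against a fresh challenge.
    other = Victim(tricker.public)
    x2 = other.challenge()
    while x2 == x1:               # vanishingly unlikely; keeps the demo exact
        x2 = other.challenge()
    replay = other.verify(r1)

    # Presenting a response when no challenge is outstanding also fails.
    stale = victim.verify(r1)
    return {"honest": honest, "replay": replay, "stale": stale}

if __name__ == "__main__":
    print("magic word replay works:", magic_word_replay())
    print(challenge_response_demo())
```

Responding to arbitrary x with the raw private-key operation means the tricker applies her key to any value the victim chooses; deployed protocols sign a padded hash that binds in context rather than the bare challenge.
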
Victim → Trickers Bureau: Help me verify “tricker@virginia.edu”

Modification #1: Don’t send x in clear – this would be vulnerable to relay attacks

Checks that $D(x)^{e_{T@V}} \bmod n_{T@V} = x$

Verifies x

Modification #2: Set up a conversation, not just one authentication

Learn x and use it as a symmetric (e.g., AES) key

Should your Zhtta server implement this protocol?

SSL (Secure Sockets Layer)
Simplified TLS Handshake Protocol
Client → Server: Hello
Server → Client: $KR_{CA}[\text{Server Identity}, KU_S]$
Client: Verify Certificate using $KU_{CA}$; check identity matches URL; generate random K
Client → Server: $E_{KU_S}(K)$
Server: Decrypt using $KR_S$
Client ↔ Server: Secure channel using K

How did client get $KU_{CA}$?

Certificates
rust-class.org → VarySign.com: rust-class.org, $KU_{\text{rust-class.org}}$
VarySign.com → rust-class.org: $C_P = KR_{\text{VarySign}}[\text{“rust-class.org”}, KU_{\text{rust-class.org}}]$
rust-class.org → TJ: $C_P$
TJ: Verifies using $KU_{\text{VarySign}}$

How does VarySign decide if it should give certificate to requester?

$1500 for 1 year
$399

Certificate Revocation
Certificate Revocation List (CRL): <cert ID, date>, …
Petitions → VarySign.com: petitions.gov, $KU_{\text{Petitions}}$
VarySign.com → Petitions: $C_P = KR_{\text{VarySign}}[\text{“petitions.gov”}, \text{cert ID}, \text{Expiration}, KU_{\text{Petitions}}]$
Petitions → Client: $C_P$
Client: Verifies using $KU_{\text{VarySign}}$

CRL Checking
(Screenshots: Mozilla Firefox, Google Chrome)

On-line checking is expensive and may fail
Attacker-in-the-middle can make it fail

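Why a failing on-line check matters, as an added example that is not from the lecture: a client-side acceptance policy run with the CRL reachable and with the fetch blocked. The `hard_fail` switch, the certificate ID and the dates are constructed for the example, and the certificate's signature is assumed to have been verified already.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    identity: str      # name the CA signed
    cert_id: int       # ID that a CRL entry <cert ID, date> refers to
    expiration: date

class CRLUnavailable(Exception):
    """The on-line revocation check could not be completed."""

def fetch_crl(published_crl, network_ok):
    # Stand-in for the on-line fetch. An attacker-in-the-middle cannot forge
    # the signed list, but can make the fetch fail.
    if not network_ok:
        raise CRLUnavailable("CRL fetch timed out")
    return published_crl

def accept(cert, url_host, today, published_crl, network_ok, hard_fail):
    """Return (accepted, reason) for an already signature-verified certificate."""
    if cert.identity != url_host:
        return False, "identity does not match URL"
    if today > cert.expiration:
        return False, "expired"
    try:
        crl = fetch_crl(published_crl, network_ok)
    except CRLUnavailable:
        if hard_fail:
            return False, "revocation status unknown"
        # Soft-fail: treat "could not check" the same as "not revoked".
        return True, "accepted without revocation check"
    revoked_on = crl.get(cert.cert_id)
    if revoked_on is not None and revoked_on <= today:
        return False, "revoked"
    return True, "ok"

# Constructed sample data: a certificate revoked four weeks before "today".
TODAY = date(2013, 10, 29)
CERT = Cert("petitions.gov", cert_id=1234, expiration=date(2014, 10, 29))
CRL = {1234: date(2013, 10, 1)}

def scenarios():
    return {
        "crl reachable": accept(CERT, "petitions.gov", TODAY, CRL, True, False),
        "blocked, soft-fail": accept(CERT, "petitions.gov", TODAY, CRL, False, False),
        "blocked, hard-fail": accept(CERT, "petitions.gov", TODAY, CRL, False, True),
    }

if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:20s} {outcome}")
```
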
SSL (Secure Sockets Layer)
Simplified TLS Handshake Protocol
(Diagram: the simplified handshake shown earlier, with this note overlaid)
Actual TLS has some extra steps:
- Negotiate versions
- Agree on which ciphers to use (many options, but beware!)
- Can authenticate client also

How should the Tricker store her private key?

Passwords

CCS 2013

Colleges at CMU: Arts, Business, Computer Science, Engineering, Humanities, Other, Policy
[Figure: chart by college, with Business, Policy and Computer Science labelled]

Hair-Dryer Attacks

Image from www.clean-funny.com, GoldenBlue LLC.

Java Platform
[Diagram: malcode.java (Java Source Code) → javac Compiler → malcode.class (JVML Object Code) → Bytecode Verifier → (if OK) JavaVM → Alice User]

What the Verifier Does

.method public static main([Ljava/lang/String;)V
    …
    iconst_2
    istore_0
    aload_0
    iconst_2
    iconst_3
    iadd
    …
    return
.end method

> java Simple
Exception in thread "main" java.lang.VerifyError:
(class: Simple, method: main signature: ([Ljava/lang/String;)V)
Register 0 contains wrong type
> java -noverify Simple
result: 5

Running Mistyped Code

.method public static main([Ljava/lang/String;)V
    …
    ldc 2220
    istore_0
    aload_0
    iconst_2
    iconst_3
    iadd
    …
.end method

> java -noverify Simple
Unexpected Signal : EXCEPTION_ACCESS_VIOLATION (0xc0000005) occurred at PC=0x809DCEB
Function=JVM_FindSignal+0x1105F
Library=C:\j2sdk1.4.2\jre\bin\client\jvm.dll
Current Java thread:
at Simple.main(Simple.java:7)
…
#
# HotSpot Virtual Machine Error : EXCEPTION_ACCESS_VIOLATION
# Error ID : 4F530E43505002EF
# Please report this error at
# http://java.sun.com/cgi-bin/bugreport.cgi
#
# Java VM: Java HotSpot(TM) Client VM (1.4.2-b28 mixed mode)

Trusted Computing Base
[Diagram: the Java platform pipeline (malcode.java → javac Compiler → malcode.class → Bytecode Verifier → JavaVM if OK → Alice User), with a Policy input and a region labelled Trusted Computing Base]

TCB Should be Small
There are two ways of constructing a software design: One way is to make it so simple there are obviously no deficiencies and the other way is to make it so complicated that there are no obvious deficiencies.
Tony Hoare
How big is the TCB for Android?

Is this really the whole TCB?
[Diagram: same as the Trusted Computing Base slide]

Bytecode Verifier
Checks JVML code satisfies safety properties:
– Simulates program execution to know types are correct, but doesn’t need to examine any instruction more than once
– After code is verified, it is trusted: is not checked for type safety at run time (except for casts, array stores)
Key assumption: when a value is written to a memory location, the value in that memory location is the same value when it is read.

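A minimal type simulation in the spirit of the verifier described above, added as an illustration (it is not the JVM's verifier and not code from the lecture). It handles only straight-line code and the opcodes that appear on the slides, and assumes register 0 initially holds the String[] argument of main.

```python
import re

INT, REF = "int", "reference"

class VerifyError(Exception):
    """Raised when the simulated types do not match what an opcode needs."""

def verify(code, initial_locals=(REF,)):
    """Simulate the types on the operand stack and in the registers.

    Only types are tracked, never values. Returns (locals, stack) at the
    end of the code, or raises VerifyError at the first violation.
    """
    locals_ = list(initial_locals)
    stack = []

    def pop(expected, where):
        if not stack:
            raise VerifyError(f"{where}: operand stack underflow")
        actual = stack.pop()
        if actual != expected:
            raise VerifyError(f"{where}: expected {expected}, found {actual}")

    for pc, ins in enumerate(code):
        where = f"pc {pc} ({ins})"
        m = re.fullmatch(r"([a-z]+)(?:_(\d+)| (-?\d+))?", ins)
        if m is None:
            raise VerifyError(f"{where}: cannot parse")
        op = m.group(1)
        slot = int(m.group(2)) if m.group(2) is not None else None

        if op in ("iconst", "ldc"):           # push an int constant
            stack.append(INT)
        elif op in ("istore", "astore", "iload", "aload"):
            kind = INT if op[0] == "i" else REF
            if slot is None or slot >= len(locals_):
                raise VerifyError(f"{where}: bad register")
            if op.endswith("store"):          # pop a value into the register
                pop(kind, where)
                locals_[slot] = kind          # register now holds this type
            elif locals_[slot] != kind:       # load must match what was stored
                raise VerifyError(f"Register {slot} contains wrong type")
            else:
                stack.append(kind)
        elif op == "iadd":                    # int, int -> int
            pop(INT, where)
            pop(INT, where)
            stack.append(INT)
        elif op == "return":
            break
        else:
            raise VerifyError(f"{where}: unsupported opcode")
    return locals_, stack

def check(code):
    """Return "ok" or the verifier's error message."""
    try:
        verify(code)
        return "ok"
    except VerifyError as err:
        return str(err)

# The two mistyped bodies from the slides (elided "…" parts left out).
MISTYPED = ["iconst_2", "istore_0", "aload_0", "iconst_2", "iconst_3", "iadd", "return"]
MISTYPED_LDC = ["ldc 2220", "istore_0", "aload_0", "iconst_2", "iconst_3", "iadd"]
# Constructed well-typed variant: load register 0 as the int that was stored.
WELL_TYPED = ["iconst_2", "istore_0", "iload_0", "iconst_3", "iadd", "return"]

if __name__ == "__main__":
    for name, code in [("MISTYPED", MISTYPED), ("MISTYPED_LDC", MISTYPED_LDC),
                       ("WELL_TYPED", WELL_TYPED)]:
        print(f"{name:13s} {check(code)}")
```
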
Violating the Assumption
…
// The object on top of the stack is a SimObject
astore_0
// There is a SimObject in location 0
aload_0
// The value on top of the stack is a SimObject

If a cosmic ray hits the right bit of memory, between the astore and aload, the assumption might be wrong.

Can you really blame cosmic rays when your program crashes?

Can an attacker use this to break into your SIM card?

Improving the Odds
• Set up memory so that a single bit error is likely to be exploitable
• Mistreat the hardware memory to increase the odds that bits will flip

Following slides adapted (with permission) from Sudhakar Govindavajhala and Andrew W. Appel, Using Memory Errors to Attack a Virtual Machine, July 2003.

Making Bit Flips Useful
Fill up memory with Filler objects, and one Pointee object:

class Filler {
    Pointee a1;
    Pointee a2;
    Pointee a3;
    Pointee a4;
    Pointee a5;
    Pointee a6;
    Pointee a7;
}

class Pointee {
    Pointee a1;
    Pointee a2;
    Filler f;
    int b;
    Pointee a5;
    Pointee a6;
    Pointee a7;
}

Filling Up Memory

Pointee p = new Pointee();
ArrayList<Filler> fillers = new ArrayList<Filler>();
try {
    while (true) {
        Filler f = new Filler();
        // every field of every Filler refers to the single Pointee
        f.a1 = p; f.a2 = p; f.a3 = p; f.a4 = p; f.a5 = p; f.a6 = p; f.a7 = p;
        fillers.add(f);
    }
} catch (OutOfMemoryError e) { ; } // the JVM signals heap exhaustion with OutOfMemoryError

[Figure: memory layout with Filler objects (fields a1 to a7) on either side of the Pointee object (fields a1, a2, f, b, a5, a6, a7)]

Wait for a bit flip…
• Remember: there are lots of Filler objects (fill up all of memory)
• When a bit flips, good chance (~70%) it will be in a field of a Filler object and it will now point to a Filler object instead of a Pointee object

[Figure: memory layout with Filler objects on either side of the Pointee object]

Type Violation
After the bit flip, the value of f.a2 is a Filler object, but f.a2 was declared as a Pointee object!

Can an attacker exploit this?

[Figure: memory layout with Filler objects on either side of the Pointee object]

Finding the Bit Flip

while (true) {
    for (Filler f : fillers) {
        if (f.a1 != p) { // bit flipped!
            …
        } else if (f.a2 != p) {
            …
        }
    }
}

Violating Type Safety
(class Filler and class Pointee as defined under Making Bit Flips Useful)

Filler f = (Filler) e.nextElement();
if (f.a1 != p) { // bit flipped!
    Object r = f.a1;
    Filler fr = (Filler) r; // Cast is checked at run-time
}

                     Declared Type
f.a1                 Pointee
f.a1.b               int
fr == f.a1           Filler
fr.a4 == f.a1.b      Pointee

Exploiting Type Unsafety
(class Filler and class Pointee as defined under Making Bit Flips Useful)

Filler f = (Filler) e.nextElement();
if (f.a1 != p) { // bit flipped!
    Object r = f.a1;
    Filler fr = (Filler) r; // Cast is checked at run-time
    f.a1.b = 1524383; // Address of the SecurityManager
    fr.a4.a1 = null; // Set it to a null
    // Do whatever you want! No security policy now…
    new File("C:\\thesis.doc").delete();
}

Getting a Bit Flip
Wait for a Cosmic Ray
– You have to be really, really patient… (or move machine out of Earth’s atmosphere)

X-Rays
– Expensive, not enough power to generate bit-flip

High energy protons and neutrons
– Work great - but, you need a particle accelerator

Hmm….

Using Heat
50-watt spotlight bulb
Between 80° and 100°C, memory starts to have a few failures
Attack applet is successful (at least half the time)!
Hairdryer works too, but it fries too many bits at once
Picture from Sudhakar Govindavajhala

Attacks Violate Assumptions
Verifier assumes the value you write is the same value when you read it
By flipping bits, we can violate this assumption
By violating this assumption, we can violate type safety: get two references to the same storage that have inconsistent types
By violating type safety, we can get around all other security measures

Charge
PS3 is due at 11:59pm tonight!

Karsten Nohl will talk about actual practical ways to attack SIM card VMs in class Thursday!
If you want to learn more about “Trick-or-Treat” protocols, take MoMa’s cs4501 course in the Spring.
(If you just want to Trick-or-Treat, you can come by my lab Rice 442 Thursday afternoon.)

Más contenido relacionado

Similar a Trick-or-Treat Protocols

Tutorial on Cryptography
Tutorial on CryptographyTutorial on Cryptography
Tutorial on Cryptographykenluck2001
 
Elliptic curve cryptography and zero knowledge proof
Elliptic curve cryptography and zero knowledge proofElliptic curve cryptography and zero knowledge proof
Elliptic curve cryptography and zero knowledge proofNimish Joseph
 
Elliptic Curve Cryptography and Zero Knowledge Proof
Elliptic Curve Cryptography and Zero Knowledge ProofElliptic Curve Cryptography and Zero Knowledge Proof
Elliptic Curve Cryptography and Zero Knowledge ProofArunanand Ta
 
V design and implementation of network security using genetic algorithm
V design and implementation of network security using genetic algorithmV design and implementation of network security using genetic algorithm
V design and implementation of network security using genetic algorithmeSAT Journals
 
Design and implementation of network security using genetic algorithm
Design and implementation of network security using genetic algorithmDesign and implementation of network security using genetic algorithm
Design and implementation of network security using genetic algorithmeSAT Publishing House
 
The Cryptol Epilogue: Swift and Bulletproof VHDL
The Cryptol Epilogue: Swift and Bulletproof VHDLThe Cryptol Epilogue: Swift and Bulletproof VHDL
The Cryptol Epilogue: Swift and Bulletproof VHDLUlisses Costa
 
Engineering Cryptographic Applications: Symmetric Encryption
Engineering Cryptographic Applications: Symmetric EncryptionEngineering Cryptographic Applications: Symmetric Encryption
Engineering Cryptographic Applications: Symmetric EncryptionDavid Evans
 
SSL/TLS for Mortals (Oracle Groundbreaker EMEA Virtual Tour)
SSL/TLS for Mortals (Oracle Groundbreaker EMEA Virtual Tour)SSL/TLS for Mortals (Oracle Groundbreaker EMEA Virtual Tour)
SSL/TLS for Mortals (Oracle Groundbreaker EMEA Virtual Tour)Maarten Mulders
 
SF Bay Area Splunk User Group Meeting October 5, 2022
SF Bay Area Splunk User Group Meeting October 5, 2022SF Bay Area Splunk User Group Meeting October 5, 2022
SF Bay Area Splunk User Group Meeting October 5, 2022Becky Burwell
 

Similar a Trick-or-Treat Protocols (20)

Access Control
Access ControlAccess Control
Access Control
 
Tutorial on Cryptography
Tutorial on CryptographyTutorial on Cryptography
Tutorial on Cryptography
 
DATA INTEGRITY AUDITING WITHOUT PRIVATE KEY STORAGE FOR SECURE CLOUD STORAGE
DATA INTEGRITY AUDITING WITHOUT PRIVATE KEY STORAGE  FOR SECURE CLOUD STORAGEDATA INTEGRITY AUDITING WITHOUT PRIVATE KEY STORAGE  FOR SECURE CLOUD STORAGE
DATA INTEGRITY AUDITING WITHOUT PRIVATE KEY STORAGE FOR SECURE CLOUD STORAGE
 
Elliptic curve cryptography and zero knowledge proof
Elliptic curve cryptography and zero knowledge proofElliptic curve cryptography and zero knowledge proof
Elliptic curve cryptography and zero knowledge proof
 
Elliptic Curve Cryptography and Zero Knowledge Proof
Elliptic Curve Cryptography and Zero Knowledge ProofElliptic Curve Cryptography and Zero Knowledge Proof
Elliptic Curve Cryptography and Zero Knowledge Proof
 
Testability for Developers
Testability for DevelopersTestability for Developers
Testability for Developers
 
Mutual Exclusion
Mutual ExclusionMutual Exclusion
Mutual Exclusion
 
V design and implementation of network security using genetic algorithm
V design and implementation of network security using genetic algorithmV design and implementation of network security using genetic algorithm
V design and implementation of network security using genetic algorithm
 
Design and implementation of network security using genetic algorithm
Design and implementation of network security using genetic algorithmDesign and implementation of network security using genetic algorithm
Design and implementation of network security using genetic algorithm
 
The Cryptol Epilogue: Swift and Bulletproof VHDL
The Cryptol Epilogue: Swift and Bulletproof VHDLThe Cryptol Epilogue: Swift and Bulletproof VHDL
The Cryptol Epilogue: Swift and Bulletproof VHDL
 
doc1.pdf
doc1.pdfdoc1.pdf
doc1.pdf
 
sheet1.pdf
sheet1.pdfsheet1.pdf
sheet1.pdf
 
lecture7.pdf
lecture7.pdflecture7.pdf
lecture7.pdf
 
paper1.pdf
paper1.pdfpaper1.pdf
paper1.pdf
 
paper8.pdf
paper8.pdfpaper8.pdf
paper8.pdf
 
Engineering Cryptographic Applications: Symmetric Encryption
Engineering Cryptographic Applications: Symmetric EncryptionEngineering Cryptographic Applications: Symmetric Encryption
Engineering Cryptographic Applications: Symmetric Encryption
 
SSL/TLS for Mortals (Oracle Groundbreaker EMEA Virtual Tour)
SSL/TLS for Mortals (Oracle Groundbreaker EMEA Virtual Tour)SSL/TLS for Mortals (Oracle Groundbreaker EMEA Virtual Tour)
SSL/TLS for Mortals (Oracle Groundbreaker EMEA Virtual Tour)
 
Codes and Isogenies
Codes and IsogeniesCodes and Isogenies
Codes and Isogenies
 
Binary Analysis - Luxembourg
Binary Analysis - LuxembourgBinary Analysis - Luxembourg
Binary Analysis - Luxembourg
 
SF Bay Area Splunk User Group Meeting October 5, 2022
SF Bay Area Splunk User Group Meeting October 5, 2022SF Bay Area Splunk User Group Meeting October 5, 2022
SF Bay Area Splunk User Group Meeting October 5, 2022
 

Más de David Evans

Cryptocurrency Jeopardy!
Cryptocurrency Jeopardy!Cryptocurrency Jeopardy!
Cryptocurrency Jeopardy!David Evans
 
Trick or Treat?: Bitcoin for Non-Believers, Cryptocurrencies for Cypherpunks
Trick or Treat?: Bitcoin for Non-Believers, Cryptocurrencies for CypherpunksTrick or Treat?: Bitcoin for Non-Believers, Cryptocurrencies for Cypherpunks
Trick or Treat?: Bitcoin for Non-Believers, Cryptocurrencies for CypherpunksDavid Evans
 
Hidden Services, Zero Knowledge
Hidden Services, Zero KnowledgeHidden Services, Zero Knowledge
Hidden Services, Zero KnowledgeDavid Evans
 
Anonymity in Bitcoin
Anonymity in BitcoinAnonymity in Bitcoin
Anonymity in BitcoinDavid Evans
 
Midterm Confirmations
Midterm ConfirmationsMidterm Confirmations
Midterm ConfirmationsDavid Evans
 
Scripting Transactions
Scripting TransactionsScripting Transactions
Scripting TransactionsDavid Evans
 
How to Live in Paradise
How to Live in ParadiseHow to Live in Paradise
How to Live in ParadiseDavid Evans
 
Mining Economics
Mining EconomicsMining Economics
Mining EconomicsDavid Evans
 
Becoming More Paranoid
Becoming More ParanoidBecoming More Paranoid
Becoming More ParanoidDavid Evans
 
Asymmetric Key Signatures
Asymmetric Key SignaturesAsymmetric Key Signatures
Asymmetric Key SignaturesDavid Evans
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to CryptographyDavid Evans
 
Class 1: What is Money?
Class 1: What is Money?Class 1: What is Money?
Class 1: What is Money?David Evans
 
Multi-Party Computation for the Masses
Multi-Party Computation for the MassesMulti-Party Computation for the Masses
Multi-Party Computation for the MassesDavid Evans
 
Proof of Reserve
Proof of ReserveProof of Reserve
Proof of ReserveDavid Evans
 
Blooming Sidechains!
Blooming Sidechains!Blooming Sidechains!
Blooming Sidechains!David Evans
 
Useful Proofs of Work, Permacoin
Useful Proofs of Work, PermacoinUseful Proofs of Work, Permacoin
Useful Proofs of Work, PermacoinDavid Evans
 

Más de David Evans (20)

Cryptocurrency Jeopardy!
Cryptocurrency Jeopardy!Cryptocurrency Jeopardy!
Cryptocurrency Jeopardy!
 
Trick or Treat?: Bitcoin for Non-Believers, Cryptocurrencies for Cypherpunks
Trick or Treat?: Bitcoin for Non-Believers, Cryptocurrencies for CypherpunksTrick or Treat?: Bitcoin for Non-Believers, Cryptocurrencies for Cypherpunks
Trick or Treat?: Bitcoin for Non-Believers, Cryptocurrencies for Cypherpunks
 
Hidden Services, Zero Knowledge
Hidden Services, Zero KnowledgeHidden Services, Zero Knowledge
Hidden Services, Zero Knowledge
 
Anonymity in Bitcoin
Anonymity in BitcoinAnonymity in Bitcoin
Anonymity in Bitcoin
 
Midterm Confirmations
Midterm ConfirmationsMidterm Confirmations
Midterm Confirmations
 
Scripting Transactions
Scripting TransactionsScripting Transactions
Scripting Transactions
 
How to Live in Paradise
How to Live in ParadiseHow to Live in Paradise
How to Live in Paradise
 
Bitcoin Script
Bitcoin ScriptBitcoin Script
Bitcoin Script
 
Mining Economics
Mining EconomicsMining Economics
Mining Economics
 
Mining
MiningMining
Mining
 
The Blockchain
The BlockchainThe Blockchain
The Blockchain
 
Becoming More Paranoid
Becoming More ParanoidBecoming More Paranoid
Becoming More Paranoid
 
Asymmetric Key Signatures
Asymmetric Key SignaturesAsymmetric Key Signatures
Asymmetric Key Signatures
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to Cryptography
 
Class 1: What is Money?
Class 1: What is Money?Class 1: What is Money?
Class 1: What is Money?
 
Multi-Party Computation for the Masses
Multi-Party Computation for the MassesMulti-Party Computation for the Masses
Multi-Party Computation for the Masses
 
Proof of Reserve
Proof of ReserveProof of Reserve
Proof of Reserve
 
Silk Road
Silk RoadSilk Road
Silk Road
 
Blooming Sidechains!
Blooming Sidechains!Blooming Sidechains!
Blooming Sidechains!
 
Useful Proofs of Work, Permacoin
Useful Proofs of Work, PermacoinUseful Proofs of Work, Permacoin
Useful Proofs of Work, Permacoin
 

Último

Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfTechSoup
 
ROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxVanesaIglesias10
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Celine George
 
Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxKarra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxAshokKarra1
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPCeline George
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course  for BeginnersFull Stack Web Development Course  for Beginners
Full Stack Web Development Course for BeginnersSabitha Banu
 
Global Lehigh Strategic Initiatives (without descriptions)
Global Lehigh Strategic Initiatives (without descriptions)Global Lehigh Strategic Initiatives (without descriptions)
Global Lehigh Strategic Initiatives (without descriptions)cama23
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...Nguyen Thanh Tu Collection
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxiammrhaywood
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxlancelewisportillo
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...Postal Advocate Inc.
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPCeline George
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...JhezDiaz1
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17Celine George
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfJemuel Francisco
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Celine George
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfVanessa Camilleri
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management systemChristalin Nelson
 

Último (20)

Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
 
ROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptx
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17
 
Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxKarra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptx
 
Raw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptxRaw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptx
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERP
 
Full Stack Web Development Course for Beginners

Trick-or-Treat Protocols

  • 1.
  • 2. Plan for Today: Developing a Security Mindset. But first… “Trick-or-Treat” Protocols! PS3 is due at 11:59pm tonight! (29 October 2013, University of Virginia cs4414)
  • 3. “Trick or Treat” Protocols
  • 4. “Trick or Treat” Protocols. Two parties: Tricker initiates the protocol by making a terrorist threat and demanding tribute. Victim either pays tribute (usually in the form of sugary snack) or risks being tricked. Tricker must convince Victim that she poses a credible threat: prove she is a qualified tricker.
  • 5. Trick-or-Treat. “Trick or Treat?” Victim “Prove it!” Trickers? “The magic word is: shazam!” Any problems with this?
  • 6. Authentication. How can the tricker prove their trickability, without allowing the victim to now impersonate a tricker?
  • 7. One-Way Functions. f is a one-way function if it is a function y = f(x) that satisfies these two properties. Invertible: there exists an $f^{-1}$ such that, for all x in range: $f^{-1}(f(x)) = x$. One-way: it is much, much, much easier to compute $f(x)$ than to compute $f^{-1}(y)$.
  • 8. Example One-Way-ish Function: Factoring. Forward: given p and q are 200-digit prime numbers, output n = pq. Backward: given n, output (p, q). Forward: given (p, q), easy to calculate f(p, q). Easy means we know there is an algorithm with running time in $\Theta(N^2)$ where N is number of digits. Backward: given n = f(p, q), hard to find p and q. Hard means (we hope) the fastest possible procedure has running time that is not polynomial in N.
  • 9. Best Known Factoring Algorithm. General Number Field Sieve: running time is in $\Theta\left(e^{(\log N)^{1/3} (\log \log N)^{2/3}}\right)$ where N is the number of bits in input. Note: unless you have a big quantum computer! Then the running time is in $O((\log N)^3)$.
  • 10. Checks the factors multiply to produce n. Problems with this?
  • 11. Providing Asymmetry. Need a function f that is: Easy to compute: given x, easy to compute f(x). Hard to invert: given f(x), hard to compute x. Has a trap-door: given f(x) and t, easy to compute x. No function (publicly) known with these properties until 1977…
  • 12. Len Adleman, Adi Shamir, Ron Rivest
  • 13. RSA Cryptosystem. $E_e(M) = M^e \bmod n$; $D_d(C) = C^d \bmod n$; $n = pq$ where p, q are prime; d is relatively prime to $(p-1)(q-1)$; $ed \equiv 1 \bmod (p-1)(q-1)$.
  • 14. Correctness of RSA. $E_e(M) = M^e \bmod n$; $D_d(C) = C^d \bmod n$; $D_d(E_e(M)) = (M^e \bmod n)^d \bmod n = M^{ed} \bmod n = M$. This step depends on choosing e and d to have this property: uses Fermat’s little theorem and Euler’s Totient theorem.
  • 15. Hard to Invert. Given $E_e(M)$ and e and n, hard to compute M. If attacker can factor n = pq, easy to find d: $d = e^{-1} \bmod (p-1)(q-1)$. All other attacks are equivalent to factoring n. No one seems to know a fast way to factor, except with a quantum computer (and no one seems to yet know how to build a large one). For reasonable security, n should be 2048 bits (comparable to 112-bit symmetric key) – believed sufficient until 2030.
  • 16. Easy to Invert with Trapdoor. $E_e(M) = M^e \bmod n$; $D_d(C) = C^d \bmod n$.
  • 17. Checks that $D(x)^e \bmod n = x$. How does victim know e and n?
  • 18. Help me verify “tricker@virginia.edu” (Trickers Bureau). Checks that $M^{e_{T@V}} \bmod n_{T@V} = x$.
  • 19. Except on Halloween, this is called a challenge-response authentication protocol.
  • 20. Help me verify “tricker@virginia.edu” (Trickers Bureau). Modification #1: Don’t send x in clear – this would be vulnerable to relay attacks. Checks that $D(x)^{e_{T@V}} \bmod n_{T@V} = x$.
  • 21. Help me verify “tricker@virginia.edu” (Trickers Bureau). Modification #1: Don’t send x in clear – this would be vulnerable to relay attacks. Verifies x.
  • 22. Help me verify “tricker@virginia.edu” (Trickers Bureau). Modification #2: Set up a conversation, not just one authentication. Verifies x.
  • 23. Help me verify “tricker@virginia.edu” (Trickers Bureau). Modification #2: Set up a conversation, not just one authentication. Learn x and use it as a symmetric (e.g., AES) key.
  • 24. Should your Zhtta server implement this protocol?
  • 28. SSL (Secure Sockets Layer): Simplified TLS Handshake Protocol. Client → Server: Hello. Server → Client: $KR_{CA}$[Server Identity, $KU_S$]. Client: verify certificate using $KU_{CA}$; check identity matches URL; generate random K. Client → Server: $E_{KU_S}(K)$. Server: decrypt using $KR_S$. Both: secure channel using K.
  • 29. SSL (Secure Sockets Layer): Simplified TLS Handshake Protocol. Client → Server: Hello. Server → Client: $KR_{CA}$[Server Identity, $KU_S$]. Client: verify certificate using $KU_{CA}$; check identity matches URL; generate random K. Client → Server: $E_{KU_S}(K)$. Server: decrypt using $KR_S$. Both: secure channel using K. How did client get $KU_{CA}$?
  • 31. Certificates. How does VarySign decide if it should give certificate to requester? rust-class.org → VarySign.com: rust-class.org, $KU_{\text{rust-class.org}}$. VarySign.com → rust-class.org: $C_P = KR_{VarySign}$[“rust-class.org”, $KU_{\text{rust-class.org}}$]. rust-class.org → TJ: $C_P$. TJ verifies using $KU_{VarySign}$.
  • 32. $1500 for 1 year; $399
  • 34. Certificate Revocation. Certificate Revocation List (CRL): <cert ID, date> … Petitions → VarySign.com: petitions.gov, $KU_{Petitions}$. VarySign.com → Petitions: $C_P = KR_{VarySign}$[“petitions.gov”, cert ID, Expiration, $KU_{Petitions}$]. Petitions → Client: $C_P$. Client verifies using $KU_{VarySign}$.
  • 35. CRL Checking (Mozilla Firefox, Google Chrome). On-line checking is expensive and may fail. Attacker-in-the-middle can make it fail.
  • 36. SSL (Secure Sockets Layer): Simplified TLS Handshake Protocol. Client → Server: Hello. Server → Client: $KR_{CA}$[Server Identity, $KU_S$]. Client: verify certificate using $KU_{CA}$; check identity matches URL; generate random K. Client → Server: $E_{KU_S}[K]$. Server: decrypt using $KR_S$. Both: secure channel using K. Actual TLS has some extra steps: negotiate versions; agree on which ciphers to use (many options, but beware!); can also authenticate client.
  • 37. How should the Tricker store her private key?
  • 38. Passwords (CCS 2013)
  • 39. [Chart] Colleges at CMU: Arts, Business, Computer Science, Engineering, Humanities, Other, Policy (chart labels: Business, Policy, Computer Science)
  • 41. Hair-Dryer Attacks Image from www.clean-funny.com, GoldenBlue LLC.
  • 43. What the Verifier Does
      .method public static main([Ljava/lang/String;)V
        …
        iconst_2
        istore_0
        aload_0
        iconst_2
        iconst_3
        iadd
        …
        return
      .end method

      > java Simple
      Exception in thread "main" java.lang.VerifyError: (class: Simple, method: main signature: ([Ljava/lang/String;)V) Register 0 contains wrong type
      > java -noverify Simple
      result: 5
  • 44. Running Mistyped Code
      .method public static main([Ljava/lang/String;)V
        …
        ldc 2220
        istore_0
        aload_0
        iconst_2
        iconst_3
        iadd
        …
      .end method

      > java -noverify Simple
      Unexpected Signal : EXCEPTION_ACCESS_VIOLATION (0xc0000005) occurred at PC=0x809DCEB
      Function=JVM_FindSignal+0x1105F
      Library=C:\j2sdk1.4.2\jre\bin\client\jvm.dll
      Current Java thread:
        at Simple.main(Simple.java:7)
      …
      #
      # HotSpot Virtual Machine Error : EXCEPTION_ACCESS_VIOLATION
      # Error ID : 4F530E43505002EF
      # Please report this error at
      # http://java.sun.com/cgi-bin/bugreport.cgi
      #
      # Java VM: Java HotSpot(TM) Client VM (1.4.2-b28 mixed mode)
  • 45. Trusted Computing Base. [Diagram: malcode.java (Java Source Code) → javac Compiler → malcode.class (JVML Object Code) → Bytecode Verifier → if OK → JavaVM; other labels: Trusted Computing Base, Policy, Alice (User)]
  • 46. TCB Should be Small. “There are two ways of constructing a software design: One way is to make it so simple there are obviously no deficiencies and the other way is to make it so complicated that there are no obvious deficiencies.” (Tony Hoare) How big is the TCB for Android?
  • 47. Is this really the whole TCB? [Diagram: malcode.java (Java Source Code) → javac Compiler → malcode.class (JVML Object Code) → Bytecode Verifier → if OK → JavaVM; other labels: Trusted Computing Base, Policy, Alice (User)]
  • 48. Bytecode Verifier. Checks JVML code satisfies safety properties: – Simulates program execution to know types are correct, but doesn’t need to examine any instruction more than once. – After code is verified, it is trusted: is not checked for type safety at run time (except for casts, array stores). Key assumption: when a value is written to a memory location, the value in that memory location is the same value when it is read.
  • 49. Violating the Assumption
      …
      // The object on top of the stack is a SimObject
      astore_0
      // There is a SimObject in location 0
      aload_0
      // The value on top of the stack is a SimObject
      If a cosmic ray hits the right bit of memory, between the astore and aload, the assumption might be wrong.
  • 50. Can you really blame cosmic rays when your program crashes?
  • 52. Can an attacker use this to break into your SIM card?
  • 53. Improving the Odds. • Set up memory so that a single bit error is likely to be exploitable. • Mistreat the hardware memory to increase the odds that bits will flip. Following slides adapted (with permission) from Sudhakar Govindavajhala and Andrew W. Appel, Using Memory Errors to Attack a Virtual Machine, July 2003.
  • 54. Making Bit Flips Useful. Fill up memory with Filler objects, and one Pointee object:
      class Filler { Pointee a1; Pointee a2; Pointee a3; Pointee a4; Pointee a5; Pointee a6; Pointee a7; }
      class Pointee { Pointee a1; Pointee a2; Filler f; int b; Pointee a5; Pointee a6; Pointee a7; }
  • 55. Filling Up Memory
      Pointee p = new Pointee ();
      ArrayList<Filler> fillers = new ArrayList<Filler> ();
      try {
        while (true) {
          Filler f = new Filler ();
          f.a1 = p; f.a2 = p; f.a3 = p; …; f.a7 = p;
          fillers.add (f);
        }
      } catch (OutOfMemoryException e) { ; }
      [Diagram: Filler Object fields a1–a7; Pointee Object fields a1, a2, f, b, a5, a6, a7]
  • 56. Wait for a bit flip… • Remember: there are lots of Filler objects (fill up all of memory). • When a bit flips, good chance (~70%) it will be in a field of a Filler object and it will now point to a Filler object instead of a Pointee object. [Diagram: Filler Object fields a1–a7; Pointee Object fields a1, a2, f, b, a5, a6, a7]
  • 57. Type Violation. After the bit flip, the value of f.a2 is a Filler object, but f.a2 was declared as a Pointee object! Can an attacker exploit this? [Diagram: Filler Object fields a1–a7; Pointee Object fields a1, a2, f, b, a5, a6, a7]
  • 58. Finding the Bit Flip
      while (true) {
        for (Filler f : fillers) {
          if (f.a1 != p) { // bit flipped!
            …
          } else if (f.a2 != p) {
            …
          }
        }
      }
  • 59. Violating Type Safety
      class Filler { Pointee a1; Pointee a2; Pointee a3; Pointee a4; Pointee a5; Pointee a6; Pointee a7; }
      class Pointee { Pointee a1; Pointee a2; Filler f; int b; Pointee a5; Pointee a6; Pointee a7; }

      Filler f = (Filler) e.nextElement ();
      if (f.a1 != p) { // bit flipped!
        Object r = f.a1; //
        Filler fr = (Filler) r; // Cast is checked at run-time

      Expression           Declared Type
      f.a1                 Pointee
      f.a1.b               int
      fr == f.a1           Filler
      fr.a4 == f.a1.b      Pointee
  • 60. Exploiting Type Unsafety
      class Filler { Pointee a1; Pointee a2; Pointee a3; Pointee a4; Pointee a5; Pointee a6; Pointee a7; }
      class Pointee { Pointee a1; Pointee a2; Filler f; int b; Pointee a5; Pointee a6; Pointee a7; }

      Filler f = (Filler) e.nextElement ();
      if (f.a1 != p) { // bit flipped!
        Object r = f.a1;
        Filler fr = (Filler) r; // Cast is checked at run-time
        f.a1.b = 1524383; // Address of the SecurityManager
        fr.a4.a1 = null; // Set it to a null
        // Do whatever you want! No security policy now…
        new File ("C:thesis.doc").delete ();
  • 61. Getting a Bit Flip. Wait for a Cosmic Ray – You have to be really, really patient… (or move machine out of Earth’s atmosphere). X-Rays – Expensive, not enough power to generate bit-flip. High energy protons and neutrons – Work great, but you need a particle accelerator. Hmm….
  • 62. Using Heat. 50-watt spotlight bulb. Between 80°–100°C, memory starts to have a few failures. Attack applet is successful (at least half the time)! Hairdryer works too, but it fries too many bits at once. Picture from Sudhakar Govindavajhala.
  • 63. Attacks Violate Assumptions. Verifier assumes the value you write is the same value when you read it. By flipping bits, we can violate this assumption. By violating this assumption, we can violate type safety: get two references to the same storage that have inconsistent types. By violating type safety, we can get around all other security measures.
  • 64. Charge. PS3 is due at 11:59pm tonight! Karsten Nohl will talk about actual practical ways to attack SIM card VMs in class Thursday! If you want to learn more about “Trick-or-Treat” protocols, take MoMa’s cs4501 course in the Spring. (If you just want to Trick-or-Treat, you can come by my lab Rice 442 Thursday afternoon.)
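
Slides 13–23 and 31–34 describe one exchange: the Victim learns the Tricker's (e, n) from a bureau-signed certificate, then runs the challenge-response with Modifications #1 and #2. The Python sketch below is an added example, not code from the lecture; it uses unpadded textbook RSA as in the slides' formulas, and the function names, the SHA-256 digest signing, the HMAC proof and the toy Mersenne-prime keys are assumptions made for illustration.

```python
import hashlib, hmac, secrets

def make_keypair(p, q, e=65537):
    """Textbook RSA from two primes: returns ((e, n), (d, n))."""
    d = pow(e, -1, (p - 1) * (q - 1))            # ed ≡ 1 mod (p-1)(q-1)
    return (e, p * q), (d, p * q)

def cert_digest(identity, serial, pub, n_ca):
    """Assumption of this sketch: the bureau signs a SHA-256 digest of the body."""
    body = f"{identity}|{serial}|{pub[0]}|{pub[1]}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n_ca

def issue_cert(ca_priv, identity, serial, pub):
    d, n = ca_priv                               # C = KR_CA[identity, cert ID, KU]
    sig = pow(cert_digest(identity, serial, pub, n), d, n)
    return {"id": identity, "serial": serial, "pub": pub, "sig": sig}

def verify_cert(ca_pub, cert, expected_id, revoked=()):
    e, n = ca_pub                                # verify using KU_CA
    m = cert_digest(cert["id"], cert["serial"], cert["pub"], n)
    return (pow(cert["sig"], e, n) == m          # signature is the bureau's
            and cert["id"] == expected_id        # identity matches who we asked about
            and cert["serial"] not in revoked)   # cert ID is not on the CRL

def respond(priv, x):
    d, n = priv
    return pow(x, d, n)                          # D(x) = x^d mod n

def check_response(pub, x, r):
    e, n = pub
    return pow(r, e, n) == x                     # D(x)^e mod n = x

def wrap_secret(pub, x):
    e, n = pub
    return pow(x, e, n)                          # Modification #1: send E(x), not x

def proof_of(x, context=b"trick-or-treat"):
    """Modification #2: x doubles as a shared key; prove knowledge of it with an HMAC."""
    return hmac.new(x.to_bytes(32, "big"), context, hashlib.sha256).hexdigest()

# Constructed toy keys (Mersenne primes). Real RSA needs random large primes and padding.
BUREAU_PUB, BUREAU_PRIV = make_keypair(2**107 - 1, 2**127 - 1)
TRICKER_PUB, TRICKER_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
CERT = issue_cert(BUREAU_PRIV, "tricker@virginia.edu", 1, TRICKER_PUB)

def authenticate(cert, claimant_priv, revoked=()):
    """Run both sides: True only if the claimant holds the certified private key."""
    if not verify_cert(BUREAU_PUB, cert, "tricker@virginia.edu", revoked):
        return False
    x = secrets.randbelow(cert["pub"][1] - 2) + 2        # fresh secret per run
    recovered = respond(claimant_priv, wrap_secret(cert["pub"], x))
    return hmac.compare_digest(proof_of(recovered), proof_of(x))
```

Because the Victim checks the bureau's signature before sending anything, a certificate whose key was swapped, whose identity differs, or whose cert ID is on the revocation list is rejected before the challenge is ever issued.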