Security Through Encryption

Different ways to achieve security of communication data

• Keep things under lock and key– Physical

• Encryption• Through password protection

Sender, Listener, Eavesdropper

What is the most frequent concern you have about browsing and security?

A. Someone might steal my password, credit card etc.

B. I might get viruses on my machineC. My privacy might be compromised by

eavesdropping to determine what I view, buy etc.

D. AllE. None

Encryption, Authentication, Non-repudiation

• Encryption– Make sure that a message, once encrypted,

cannot be read by anyone. Perhaps your grades are mailed to you in this way, and accessible only with a password.

– Without a password, message is visible, but looks like junk.

Encryption, Authentication, Non-Repudiation

• Authentication– Ensure that a message is sent by authentic person. – For example, ensure that www.bofa.com is

actually Bank of America’s website.– Ensure that email is indeed from your friend.

Encryption, Authentication, Non-Repudiation

• Non-repudiation– Ensure that the sender cannot claim not to have

sent a message that he/she sent.– For example, if you signed an agreement or tax

return online, later you cannot claim that it was sent by someone else pretending to be you.

– Similar to putting your thumbprint on a document.

What is https?

• Secure way of browsing– Ensures authenticity of web server that ‘serves’

the web page to the user, or ‘client’.– Encrypts the data so that the data transmissions,

in both directions, cannot be read by eavesdropping.

Public Key Cryptography

• Symmetric key algorithm– Both sender and receiver have the same key– If I send you my email password by SMS, and you

use it to access my email, that is the equivalent of a symmetric key algorithm

• Public key cryptography is an asymmetric key algorithm, where 1 public key is used to lock (encrypt) and another private to unlock (decrypt)

• Some public key algorithms provide key distribution and secrecy (e.g., Diffie–Hellman key exchange), some provide digital signatures (e.g., Digital Signature Algorithm), and some provide both (e.g., RSA).

Asymmetric Key and EncryptionEncryption:Anyone can encrypt a message using a public key. Only Alice can retrieve it.It is like a mailbox whose location is the public key. Anyone can drop stuff in, but only the owner can retrieve the message.

Security depends on the secrecy of the private key.

Knowing the public key is not enough to compute the private key.

Diffie-Hellman Key Exchange

Can be used for authentication

Can be used for a digital

signature.

Digital signature is like a wax seal

on an envelop. Anyone can open

the envelop, but the seal means

that the sender was the original

person – authentication and non-

repudiation.

Using a key

• Shared secret can be the key used to encrypt transmission.– This symmetric key is faster to use than

asymmetric keys– Keys can be discarded after each session, and new

ones calculated for each fresh sessions

How it works -- RSA

• Difficulty of factoring a large number– Given a large number, say 1219, it is time-

consuming to factor it.– Have to go through prime numbers one by one,

checking each to see if it is a factor.– But easy to verify that 23 and 53 are the two

(prime) factors.• Just multiply them together.

• Publicly described in 1977

RSA (Rivest, Shamir, Adleman)

• Cook had come up with it in 1973, 4 years earlier, but it was classified.– Is it right that RSA should get credit?

• Patent granted in the USA, but not elsewhere, due to earlier publication

• Bob uses Alice's public key to encrypt message to Alice, and Alice uses her private key to decrypt it.

• How would Alice know that it was Bob who sent that message?– Authentication?

Authentication

• To digitally sign the message:– Alice calculates a hash value of the message using a

standard calculation.– She does the same operation as she would do to decrypt

a message, using her private key, and generates a signature.

– She attaches it to the message and sends it to Bob.– Bob does the same operation as he would do to encrypt

the message, using Alice's public key. – If he gets back the message's hash value, he confirms

that it has been signed by Alice.

How to ensure that the public key does belong to Alice?

• Certificate authority– When you go to a website, the browser has built-

in software to check the public key supplied by the site against the key in a registry.

– Registry maintained by Symantec etc. (Used to be Verisign)

– Once you have a public key of the website, you can create a private key, and generate a shared secret key. Each private key is valid only for one session.

SSL Certificates

• SSL Certificates are small data files that digitally bind a cryptographic key to an organization’s details.

• Vendor applies for SSL certificate to certificate authority• Certificate authority, such as GlobalSign, checks out

vendor's credentials in real life– Issues certificate

• Vendor installs certificate on web server• Browsers such as Firefox and Chrome will inspect and

accept the certificate from reputed certificate authorities

Heartbleed

What is the Heartbleed bug?

• Exploits a vulnerability in OpenSSL software library, used to implement the Transport Layer Security protocol used in web, instant messaging etc.

• Exposes user’s passwords, cookies and other data to the attacker.

• Not a virus.

Why heartbleed?

• The TLS protocol involves establishing a connection (a session) between two entities A and B, like initiating a phone call.

• When connection is idle, one entity can ask the other ‘Are you alive? If so, send me the 4-letter word blah.’

• Like checking the heartbeat.

Buffer over-read bug

• The extra data that is sent back is fetched from the server’s memory, due to the bug. It could include passwords and private keys.

• Like if someone you had called in to fix your plumbing were to look through your closets for information.

When was this bug introduced discovered, and fixed?

• Introduced in Dec. 2011, by one of the authors (Seggelmann) of the (open-source) software team.

• Discovered on April 1, by Neel Mehta of Google, and Codenomicon.

• Fixed right away, but servers have to use the new software.

What data is vulnerable?

• Servers carry users’ passwords, cookies, and session keys.

• Servers might also yield private SSL keys. Servers have to reissue their SSL certificates.

Which servers are vulnerable?

• Anyone using certain versions of OpenSSL– 17% of all servers– Most banks don’t use OpenSSL

What can a user do?

• Check websites on tester site to see if vulnerability has been fixed.

• Change passwords for those sites.

Did NSA know about this before?

April 11, 2014NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report. Reports that say otherwise are wrong. From http://icontherecord.tumblr.com/post/82416436703/statement-on-bloomberg-news-story-that-nsa-knew

Which is true?

1. Heartbleed is a kind of virus that spreads through machines.2. Heartbleed is a weakness in commonly used software that

allows peeking into a server’s memory.3. Heartbleed is easily fixed by fixing software on servers such

as those owned by Amazon.com.4. Heartbleed can be stopped by updating your web browser.A: 1, 2, 3, 4 C: 2, 3, 4B: 2, 3 D: 1, 2, 4

Your worry?

A: I don’t care; we all have to go some day!B: I am worried enough to change my passwords, but doubt if I will lose anything.C: I am very worried -- this could be the beginning of bigger stuff.