Internet Security
* LOL
* Cryptography and Protocol Security
* Threat models and risk analysis
* Security protocols (p. 832 Fig 18-4)
* Internet application-level attacks

Everyone On The Internet Is Friendly
* Core assumption of early RFCs
* Physical security made nets hard to observe
* Endpoints were physically bound to well-known actors
* Threats have scaled up slowly
  * Increasing US endpoints
  * International endpoints
  * Financially significant traffic
  * Security/safety significant traffic

Cryptography Will Save Us
* Current core assumption
* "Wire-Equivalent Privacy"
* Lots of fancy configurable crypto protocols
* Problems:
  * Protocols as secure as crypto?
  * Traffic analysis, denial of service?
  * Security requirements?

Fundamentals of Cryptography (I)
* Idea: make message impossible / infeasible to read for all but intended recipients
* Three eras:
  * "Secret" algorithms
  * Symmetric / private key
  * Public key, Diffie-Hellman

Fundamentals of Cryptography (II)
* Block ciphers
  * DES, 3DES
  * AES
* Stream ciphers
  * RC4

Fundamentals of Cryptography (III)
* Direct Mode
* Counter Mode
* Cipher-Block Chaining

Fundamentals of Cryptography (IV)
* Trust policy
* Trust chains
* Credentials, authentication
* Key management
* Identity, Revocation, Repudiation

Page 816-817, Section 18.4.6-7
* Full of bugs
  * Wrong description of LCG vulnerability (the real weakness is that it is linear)
  * PRF output is not distinguishable from random by *any* polynomial-time algorithm
  * CSPRNGs are not (AFAIK) required to be built from a PRF
  * Salt only protects against dictionary attacks
  * Mallet modifying messages may mangle the metafield

Threat Modeling
* Who is the attacker?
* What is the goal of the attack?
  * Eavesdropping
  * Active attack
  * Denial of service
* How "hard" is the attack?
* What's the "payoff" for the attacker?
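To make the "LCG vulnerability is linear" point from the textbook-bugs slide above concrete, here is an added illustration that is not part of the slides: because the recurrence x_{n+1} = (a*x_n + c) mod m is linear, differences of consecutive outputs satisfy x3 - x2 = a*(x2 - x1) mod m, so a few outputs plus the modulus recover a and c and make every later output predictable. This assumes the modulus is known; the constants are the classic ANSI C rand() ones and the seed is a constructed sample.

```python
"""Why an LCG is not a CSPRNG: the state update is linear, so observed
outputs leak the parameters and hence all future outputs."""
from math import gcd


def lcg_outputs(seed, a, c, m, n):
    """Return the first n outputs of the LCG x_{k+1} = (a*x_k + c) mod m."""
    xs, x = [], seed
    for _ in range(n):
        x = (a * x + c) % m
        xs.append(x)
    return xs


def recover_lcg_params(outputs, m):
    """Recover (a, c) from consecutive LCG outputs when the modulus m is known.

    Scans consecutive triples until the difference x2 - x1 is invertible mod m
    (for a power-of-two m that just means an odd difference); if no triple
    qualifies, more samples are needed."""
    for x1, x2, x3 in zip(outputs, outputs[1:], outputs[2:]):
        d = (x2 - x1) % m
        if gcd(d, m) != 1:
            continue  # no unique solution from this triple; try the next one
        a = ((x3 - x2) * pow(d, -1, m)) % m   # a = (x3 - x2) * (x2 - x1)^-1 mod m
        c = (x2 - a * x1) % m                 # then one step gives c
        return a, c
    raise ValueError("no invertible difference in the sample; need more outputs")


def predict_next(outputs, m):
    """Predict the output that follows the observed sequence."""
    a, c = recover_lcg_params(outputs, m)
    return (a * outputs[-1] + c) % m


if __name__ == "__main__":
    # Classic ANSI C rand() constants; seed 42 is a constructed sample value.
    A, C, M = 1103515245, 12345, 2 ** 31
    observed = lcg_outputs(42, A, C, M, 6)
    print("recovered (a, c):", recover_lcg_params(observed[:3], M))
    print("predicted:", predict_next(observed[:5], M), "actual:", observed[5])
```

The same recovery works for any LCG with an odd increment and a power-of-two modulus from the first three outputs; a generator whose state is a PRF of a secret key does not admit this.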
The Risk Equation
* V = sum over r in R of Pr(r) * Cost(r)
* Interested in risks with high Pr() and Cost()
* Determine acceptable level of total risk
* Complex systems fail in complex ways

Existing protocols
* PKI
* EAP
* IPsec
* TLS
* DNSSEC

PKI
* Incredibly complicated (c.f. Peter Gutmann, "PKI: It's Not Dead, Just Resting" and "Everything You Never Wanted To Know About PKI But Were Forced To Find Out")
* Basic idea: root trust at top-level agency, build trust tree
* Underlies TLS (later), browser security, a few other things
* Can work, but hard, and expensive ($ per large random number)

EAP, WEP, WPA
* Basic wireless security mechanisms at link layer
* EAP also used elsewhere
* Provides for secure association of supplicant (establishes keys etc.)
* Conglomeration of other protocols (common theme)

IPsec
* Security mechanism at network layer
* "Just" encrypt all the packets
* IKE key exchange
* Tunnel vs Transport modes
* Auth Header vs Payload

TLS/SSL
* Mechanism at transport layer
* Normally for TCP (but see DTLS)
* PKI-dependent (DHE etc. should be supported)
* Encrypts with various key sizes, algorithms
* Standard for HTTP, common with other things (e.g. SMTP)

DNSSEC
* Mechanism at application layer
* "Can I trust the DNS?"
* Has yet another complicated infrastructure for key management and data exchange
* Relies heavily on storing DNSSEC info in DNS RRs
* Not yet widely deployed

Your Perfect Protocol Implemented In C
* Protocols are insanely complex
* Implementations are bad
  * Rarely formally validated
  * Rarely adequately tested (impossible?)
  * At least inspected due to open source
* Applications screw everything up anyway

The Morris Worm
When I was in grad school...
* SMTP DEBUG command left in
* Other ways malware propagates
  * Buffer overflows
  * Social engineering

"The Internet Is Serious Business"
* We've never had such a large, complex and integrated collective artifact tied so closely to so many people
* Nobody knows what to do about it
* Hopefully it will eventually be sorted using tools like the ones we've seen today, but better
* If you are interested, talk to me about (unpaid) research possibilities