21. Korea University Graduate School of Information Security
The error of Applied Cryptography is that I didn't talk at all about the context. I talked about cryptography as if it were the answer. I was pretty naive. The result wasn't pretty.
……
Security is a chain; it's only as secure as the weakest link. Security is a process, not a product.
Secrets and Lies: Preface
39. Padding
Padding increases the length of a message so that it is a multiple of the block size.
Padding can also be used to enhance security:
- Disguise the length of plaintexts
- Prevent traffic analysis, or guessing based on plaintext length (e.g. “Buy” versus “Sell”)
Can padding have a negative impact on security?
40. CBC mode
[Diagram] Encryption: Ci = eK(Pi ⊕ Ci-1); decryption: Pi = dK(Ci) ⊕ Ci-1, with C0 = IV.
Typical block size n: 64 bits (DES, triple DES) or 128 bits (AES).
Typical key size: 56 bits (DES), 168 bits (triple DES), 128, 192 or 256 bits (AES).
41. Malleability of CBC mode
[Diagram: Ci-1, Ci → dK → Pi-1, Pi]
Flipping bits in Ci-1 leads to the same bit flips in Pi (because Pi = dK(Ci) ⊕ Ci-1), and to a randomised block Pi-1 (because dK(Ci-1) changes unpredictably).
42. CBC-PAD of PKCS#5
Byte-oriented padding scheme: if q bytes are required to fill the last block, then add q bytes of value q.
xx … xx 01
xx … xx 02 02
xx … xx 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a
10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 (a whole padding block when the message already fills its last block)
43. CBC-PAD of PKCS#5
The padding is removed after decryption.
What if the padding is invalid?
xx … xx 01 02 (the last byte announces two padding bytes, but the preceding byte is not 02)
xx … xx 04 03 04 04 (the last byte announces four padding bytes, but they are not all 04)
Behaviour depends on the implementation: error message? Status message? Measurable delay?
44. Padding Oracle Attack
First proposed by Serge Vaudenay (2002).
Assume that a padding oracle is available to the adversary:
- The adversary submits a CBC mode ciphertext to the oracle.
- The oracle decrypts under the fixed key K and checks the correctness of the padding with respect to the particular padding method in use.
- The oracle outputs VALID or INVALID according to the correctness of the padding.
45. Padding Oracle Attack on CBC
Vaudenay showed that padding oracles and bit flipping can be used to build a decryption oracle for CBC mode, for a variety of padding schemes, including those used in SSL/TLS and IPSec.
[Diagram] Padding oracle PO (holding key K): input (IV, C1, C2, …) → output “VALID” or “INVALID”.
46. Padding Oracle Attack on CBC (in Detail)
[Diagram] Query (r, Ci) to PO (holding K) → “VALID”
The oracle computes dK(Ci) ⊕ r = P ⊕ Ci−1 ⊕ r, where P = Pi = dK(Ci) ⊕ Ci−1 is the true plaintext block,
and checks whether LSB8(P ⊕ Ci−1 ⊕ r) = ’01’.
If the answer is VALID, then LSB8(P) = LSB8(r) ⊕ ’01’ ⊕ LSB8(Ci−1).
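The following is an added example, not code from the lecture slides: it puts slides 40 to 46 into running code. A toy 4-round Feistel permutation (built from HMAC-SHA256, purely a stand-in for eK/dK and not a secure cipher) is used so that the block runs offline; CBC chaining, the PKCS#5 pad/unpad rules of slides 42 and 43, the bit-flip malleability of slide 41, and a receiver whose VALID/INVALID behaviour is the padding oracle of slides 44 to 46 are written out in full. Alongside the leaky receiver it shows the standard mitigation, encrypt-then-MAC, under which tampered ciphertext is rejected before any padding is inspected, so both tamperings look the same to the caller. The key, MAC key and fixed IV are constructed values for the demonstration.

```python
import hashlib
import hmac

BLOCK = 16  # 128-bit blocks, as for AES
# Constructed demo values; real code uses random keys and a fresh random IV per message.
KEY = b"\x11" * 16
MAC_KEY = b"\x22" * 32
IV = b"\x00" * 16

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, half: bytes, rnd: int) -> bytes:
    # Round function of the toy cipher: truncated HMAC-SHA256 keyed with (key, round number).
    return hmac.new(key + bytes([rnd]), half, hashlib.sha256).digest()[:BLOCK // 2]

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel permutation on 16-byte blocks: a stand-in for eK, not a secure cipher."""
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, r, rnd))
    return l + r

def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse permutation (dK): run the Feistel rounds backwards."""
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(key, l, rnd)), l
    return l + r

def pkcs5_pad(data: bytes) -> bytes:
    """q bytes of value q, q in 1..16; a message already filling its last block gets a whole block of 0x10."""
    q = BLOCK - (len(data) % BLOCK)
    return data + bytes([q]) * q

def pkcs5_unpad(data: bytes):
    """Return the unpadded data, or None when the padding is invalid (e.g. ...01 02 or ...04 03 04 04)."""
    if not data or len(data) % BLOCK:
        return None
    q = data[-1]
    if q < 1 or q > BLOCK or data[-q:] != bytes([q]) * q:
        return None
    return data[:-q]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Ci = eK(Pi xor Ci-1) with C0 = IV; plaintext length must be a multiple of BLOCK."""
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_encrypt_block(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Pi = dK(Ci) xor Ci-1: any change to Ci-1 lands bit-for-bit in Pi."""
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(toy_decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)

def malleability_demo():
    """Flip one bit of C1: P2 gets the same bit flipped, P1 is garbled, the rest of P2 is untouched."""
    pt = b"A" * 32
    tampered = bytearray(cbc_encrypt(KEY, IV, pt))
    tampered[0] ^= 0x01
    dec = cbc_decrypt(KEY, IV, bytes(tampered))
    return dec[16] == pt[16] ^ 0x01, dec[:16] != pt[:16], dec[17:] == pt[17:]

def leaky_receiver(key: bytes, iv: bytes, ciphertext: bytes) -> str:
    """The behaviour the slides warn about: the caller can tell bad padding from good padding."""
    return "INVALID" if pkcs5_unpad(cbc_decrypt(key, iv, ciphertext)) is None else "VALID"

def seal(msg: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers IV and ciphertext."""
    ct = cbc_encrypt(KEY, IV, pkcs5_pad(msg))
    return ct + hmac.new(MAC_KEY, IV + ct, hashlib.sha256).digest()

def open_sealed(blob: bytes):
    """Verify the tag first; modified ciphertext is rejected before the padding is ever inspected."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, IV + ct, hashlib.sha256).digest()):
        return None
    return pkcs5_unpad(cbc_decrypt(KEY, IV, ct))

def oracle_demo():
    """Two tamperings of one 31-byte message (last block = 15 data bytes + 01).
    Flipping byte 0 of C1 alters a data byte of P2 (padding stays valid);
    flipping byte 15 of C1 turns the 01 pad byte into 00 (padding invalid)."""
    blob = seal(b"B" * 31)
    ct, tag = blob[:-32], blob[-32:]
    t_data, t_pad = bytearray(ct), bytearray(ct)
    t_data[0] ^= 0x01
    t_pad[15] ^= 0x01
    leaky = (leaky_receiver(KEY, IV, bytes(t_data)), leaky_receiver(KEY, IV, bytes(t_pad)))
    hardened = (open_sealed(bytes(t_data) + tag), open_sealed(bytes(t_pad) + tag))
    return leaky, hardened
```

`oracle_demo()` returns `(("VALID", "INVALID"), (None, None))`: the leaky receiver answers differently for the two ciphertexts, which is exactly the one bit of information the oracle of slide 44 hands out, while the authenticated receiver gives the same answer for both. The same uniform-failure principle applies to status messages and timing, not only to exceptions.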
48. Padding Oracle Attacks: Side channel against CBC-PAD
How about?
This vulnerability was first identified by Serge Vaudenay in 2002, but was difficult enough to exploit that there were no live examples of it until Thai Duong and Juliano Rizzo on September 23, 2011.
BEAST: Browser Exploit Against SSL/TLS
55. How about?
Ian Goldberg (hacker) and David Wagner (cryptographer) were graduate students at Cal in 1996.
(Ian is now a professor at the University of Waterloo; David is a professor at Berkeley.)
Ian and David wondered how the Netscape browser generated its session key for SSL.
They reverse-engineered the part of the browser containing the PRNG.
56. Netscape PRNG
global variable seed;

RNG_CreateContext()
    (seconds, microseconds) = time of day;         /* wall-clock time at context creation */
    pid = process ID; ppid = parent process ID;
    a = mklcpr(microseconds);
    b = mklcpr(pid + seconds + (ppid << 12));
    seed = MD5(a, b);                               /* the only inputs are the clock and two process IDs */

mklcpr(x)
    return ((0xDEECE66D * x + 0x2BBB62DC) >> 1);    /* one linear congruential step */
57. Weakness of Netscape PRNG (Ver. ’96)
Assume you have an account on the same machine as the browser.
Use ‘ps’ to get pid and ppid, and run tcpdump to get the time the SSL challenge was issued.
This yields pid, ppid, and seconds; only microseconds remains unknown.
Exhaustively search with complexity 2^20 to find microseconds.
Takes about 10 seconds on a modern machine.
The attack is possible without an account, but a little harder.
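An added example (not the slides' own code, and not Netscape's) that turns the pseudocode of slide 56 into a runnable seed function and quantifies the weakness of slide 57: given the observable inputs, how many bits of the seed are actually unknown. Two details are assumptions made here because the slide does not state them: mklcpr wraps to 32 bits, and MD5 is fed a and b as two little-endian 32-bit words. The 15-bit PID range is likewise an assumption about the Unix systems of the time. The block ends with the seeding a modern implementation should use instead: bytes from the operating system CSPRNG, which an observer of clocks and process tables cannot narrow down.

```python
import hashlib
import math
import secrets
import struct

MASK32 = 0xFFFFFFFF
MICROSECONDS_PER_SECOND = 10 ** 6

def mklcpr(x: int) -> int:
    """Linear congruential step from slide 56. Wrapping to 32 bits is an assumption of this example."""
    return ((0xDEECE66D * x + 0x2BBB62DC) & MASK32) >> 1

def netscape_seed(seconds: int, microseconds: int, pid: int, ppid: int) -> bytes:
    """RNG_CreateContext() as described on slide 56. How a and b are fed to MD5 is not on the
    slide; packing them as two little-endian 32-bit words is an assumption here."""
    a = mklcpr(microseconds)
    b = mklcpr((pid + seconds + (ppid << 12)) & MASK32)
    return hashlib.md5(struct.pack("<II", a, b)).digest()

def unknown_seed_bits(seconds_known: bool, pid_known: bool, ppid_known: bool,
                      seconds_window: int = 1, pid_bits: int = 15) -> float:
    """log2 of the number of candidate seeds an observer still has to consider.
    Microseconds (0..999999) are never observable directly; seconds are known only to within
    `seconds_window`; PIDs are taken to be at most 15 bits (assumption)."""
    space = MICROSECONDS_PER_SECOND
    if not seconds_known:
        space *= seconds_window
    if not pid_known:
        space *= 2 ** pid_bits
    if not ppid_known:
        space *= 2 ** pid_bits
    return math.log2(space)

def os_seed() -> bytes:
    """What a PRNG context should be seeded with instead: 128 bits from the OS CSPRNG."""
    return secrets.token_bytes(16)

if __name__ == "__main__":
    # With pid, ppid and seconds observed (slide 57), under 20 bits of the seed remain unknown.
    print("unknown bits, local observer:", round(unknown_seed_bits(True, True, True), 2))
    print("unknown bits, no PIDs known:  ", round(unknown_seed_bits(True, False, False), 2))
    print("netscape seed:", netscape_seed(843000000, 123456, 1234, 1).hex())
    print("os seed:      ", os_seed().hex())
```

`unknown_seed_bits(True, True, True)` comes out just under 20, which is the 2^20 search cost quoted on slide 57; even with the PIDs unknown the space stays around 50 bits, far below the 128 bits the MD5 output suggests. The lesson for a defender is that seed entropy is bounded by the inputs, not by the width of the hash that mixes them.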
60. Do You Know?
[Diagram: evolution of security evaluation criteria]
USA: Orange Book (TCSEC) 1985; Federal Criteria Draft 1993
UK: UK Criteria; Germany: German Criteria; France: French Criteria → ITSEC (1991)
Canada: Canadian Criteria (CTCPEC) 1993
Common Criteria versions: v1.0 1996, v2.0 1998, v2.1 1999, v2.2 2004, v2.3 2005, v3.1 R1 2006.9, v3.1 R2 2007.9
※ 1999: adopted as the international standard ISO/IEC 15408
61. Do You Know?
(Source: www.commoncriteriaportal.org)
62. Do You Know?
※ "Certified" for products/PPs that were certified up to 5 years ago and are still supported. "Certified – Archived" for products/PPs that were certified over 5 years ago or are no longer supported.
66. Security Policy
A security policy is a statement of what is, and what is not, allowed.
It states what should be protected:
- Confidentiality: Who is allowed to learn what?
- Integrity: What changes are allowed by the system? (includes resource utilization and input/output to the environment)
- Availability: When must service be rendered?
And how this should be achieved.
67. Security Policy Model (SPM)
A formal specification of a security policy.
(e.g.) DAC model, MAC model, Bell-LaPadula model, Biba model, Clark-Wilson model, Harrison-Ruzzo-Ullman model, Chinese Wall model, RBAC model, etc.
68. (Semi-)Formal Methods
Informal method: English (or another natural language)
Semiformal methods: Gane & Sarson / DeMarco / Yourdon, Entity-Relationship Diagrams, Jackson / Orr / Warnier, SADT, PSL/PSA, SREM, etc.
Formal methods: Finite State Machines, Petri Nets, Z, ANNA, VDM, CSP, etc.
69. FSM Example
(M202, Open University, UK) A safe has a combination lock that can be in one of three positions, labeled 1, 2, and 3. The dial can be turned left or right (L or R). Thus there are six possible dial movements, namely 1L, 1R, 2L, 2R, 3L, and 3R. The combination to the safe is 1L, 3R, 2L; any other dial movement will cause the alarm to go off.
70. FSM Example
[State Transition Diagram]
[Transition Table]
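As an added example (not from the slides), the safe of slide 69 written out as a finite state machine in Python. The transition table is derived from the slide's description: five states, six dial movements, and the single path 1L, 3R, 2L to the open state, with every other movement leading to the alarm. The state names and the choice to make the open and alarm states absorbing are assumptions made here, since the slide does not say how the safe is relocked or the alarm reset; `render_table()` prints the table the slide leaves as a placeholder.

```python
from typing import Dict, List, Tuple

MOVES = ("1L", "1R", "2L", "2R", "3L", "3R")
# State names are this example's own choice; the slide only names the positions and the combination.
START, AFTER_1L, AFTER_1L_3R, OPEN, ALARM = "start", "after 1L", "after 1L,3R", "open", "alarm"
STATES = (START, AFTER_1L, AFTER_1L_3R, OPEN, ALARM)
COMBINATION = ("1L", "3R", "2L")

def build_transition_table() -> Dict[Tuple[str, str], str]:
    """Transition function as a table: (state, movement) -> next state.
    Derived from slide 69: only the correct next movement advances; anything else raises the alarm."""
    table: Dict[Tuple[str, str], str] = {}
    path = (START, AFTER_1L, AFTER_1L_3R, OPEN)
    for state, correct, nxt in zip(path, COMBINATION, path[1:]):
        for move in MOVES:
            table[(state, move)] = nxt if move == correct else ALARM
    # OPEN and ALARM are absorbing here (assumption: the slide does not describe relocking or reset).
    for move in MOVES:
        table[(OPEN, move)] = OPEN
        table[(ALARM, move)] = ALARM
    return table

def run(moves: List[str]) -> str:
    """Feed a sequence of dial movements through the machine and return the final state."""
    table = build_transition_table()
    state = START
    for move in moves:
        if move not in MOVES:
            raise ValueError(f"not a dial movement: {move!r}")
        state = table[(state, move)]
    return state

def render_table() -> str:
    """Text form of the transition table: one row per state, one column per dial movement."""
    table = build_transition_table()
    width = 14
    rows = ["state".ljust(width) + "".join(m.ljust(width) for m in MOVES)]
    for s in STATES:
        rows.append(s.ljust(width) + "".join(table[(s, m)].ljust(width) for m in MOVES))
    return "\n".join(rows)

if __name__ == "__main__":
    print(render_table())
    print(run(["1L", "3R", "2L"]))   # open
    print(run(["1L", "3L"]))         # alarm
```

Because the table enumerates every (state, movement) pair, a reviewer can check completeness by counting entries (5 states × 6 movements = 30) and can see at a glance that no movement other than the combination ever reaches the open state; that exhaustiveness is what makes the FSM a formal rather than a semiformal description.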
71. Example
Security Policy: A subject has read access to a file only if the permission R was initially present or has been explicitly granted by the file’s owner.
72. Example
Security Policy: A subject has read access to a file only if the permission R was initially present or has been explicitly granted by the file’s owner.
Solution Design: For each transition that gives new read access to an object, access control (the reference monitor) checks that this has been done by the owner of the object using confer_read.
73. Example
Security Policy: A subject has read access to a file only if the permission R was initially present or has been explicitly granted by the file’s owner.
Solution (Mechanism): For each transition that gives new read access to an object, access control (the reference monitor) checks that this has been done by the owner of the object using confer_read.
Is this solution right or not?
76. Example
Theorem: If access control makes sure that only locally acceptable transitions take place, then all reachable states are authorized, i.e. the system is secure.
Formally:
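An added example, not from the slides, that checks the theorem of slide 76 on the read-access system of slides 71 to 73 by exhaustive state exploration. A state is the set of (subject, file, granter) rights, where the granter is recorded so the policy predicate "initially present or granted by the owner" can be evaluated on the state alone; the transition is `confer_read`; the reference monitor is the local check "granter is the owner". Breadth-first search enumerates every reachable state, once under the monitor and once with a deliberately broken monitor that accepts every transition, and reports how many reachable states violate the policy. The subjects, the single file and its owner are constructed values.

```python
from collections import deque
from typing import Callable, FrozenSet, Set, Tuple

Right = Tuple[str, str, str]     # (subject, file, granter); granter == "initial" for rights present at start
State = FrozenSet[Right]
Monitor = Callable[[State, str, str, str], bool]

# Constructed system: three subjects, one file owned by alice, alice alone can read it initially.
SUBJECTS = ("alice", "bob", "carol")
FILES = ("f1",)
OWNER = {"f1": "alice"}
INITIAL: State = frozenset({("alice", "f1", "initial")})

def confer_read(state: State, granter: str, subject: str, file: str) -> State:
    """Transition: granter confers read access on file to subject. The granter is recorded with the right."""
    if any(s == subject and f == file for s, f, _ in state):
        return state                      # subject already has R; the state does not change
    return state | {(subject, file, granter)}

def reference_monitor(state: State, granter: str, subject: str, file: str) -> bool:
    """Locally acceptable transition (slides 72/73): only the owner of the file may confer read."""
    return OWNER[file] == granter

def broken_monitor(state: State, granter: str, subject: str, file: str) -> bool:
    """A mechanism that forgets the owner check: every confer_read goes through."""
    return True

def authorized(state: State) -> bool:
    """Policy of slide 71 as a predicate on a state: each R was initial or granted by the file's owner."""
    return all(g == "initial" or g == OWNER[f] for _, f, g in state)

def reachable_states(monitor: Monitor) -> Set[State]:
    """All states reachable from INITIAL when the monitor decides which transitions are allowed."""
    seen, queue = {INITIAL}, deque([INITIAL])
    while queue:
        st = queue.popleft()
        for granter in SUBJECTS:
            for subject in SUBJECTS:
                for file in FILES:
                    if not monitor(st, granter, subject, file):
                        continue
                    nxt = confer_read(st, granter, subject, file)
                    if nxt not in seen:
                        seen.add(nxt)
                        queue.append(nxt)
    return seen

def check(monitor: Monitor) -> Tuple[int, int]:
    """(number of reachable states, number of those that violate the policy)."""
    states = reachable_states(monitor)
    return len(states), sum(1 for s in states if not authorized(s))

def counterexample(monitor: Monitor):
    """One reachable state that violates the policy, or None if the system is secure."""
    bad = sorted(s for s in reachable_states(monitor) if not authorized(s))
    return sorted(bad[0]) if bad else None

if __name__ == "__main__":
    print("with reference monitor:", check(reference_monitor))   # every reachable state authorized
    print("with broken monitor:   ", check(broken_monitor))      # unauthorized states are reachable
    print("counterexample:", counterexample(broken_monitor))
```

With the monitor in place every reachable state satisfies the policy, which is the theorem's conclusion for this small system; with the owner check removed the search immediately produces a reachable state in which bob holds R granted by someone other than alice. Exhaustive exploration of this kind is what a model checker automates; for larger models the state space is abstracted rather than enumerated, but the argument is the same: a local check at each transition implies a global invariant over all reachable states.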
107. End-to-End Proof
Policy
Mechanisms
Assurance: level of trust that it really does!
108. End-to-End Proof
Policy assurance: Evidence establishing that the security requirements in the policy are complete, consistent and technically sound.
- Security objectives: high-level security issues
- Security requirements: specific, concrete issues
Design assurance: Evidence establishing that the design is sufficient to meet the requirements of the security policy.
109. End-to-End Proof
Implementation assurance: Evidence establishing that the implementation is consistent with the security requirements of the security policy.
Operational assurance: Evidence establishing that the system sustains the security policy requirements during installation, configuration, and day-to-day operation. Also called ‘administrative assurance’.