보안실무, 어디까지가실무일까? @ 보안대첩 (2014.10.31)

고려대학교정보보호대학원
마스터 제목 스타일 편집
고려대학교 정보보호대학원
보안실무, 어디까지가실무일까?

3
1. Who am I ?

SANE Lab.-www.kimlab.net -

SANE Lab.-HARU (www.h4ru.com) -
(Founder : 김승주, 2011년)

SANE Lab.-SECUINSIDE (www.secuinside.com) -
(Founder : 김승주, 2011년)

9

10

11

12

13
But I also …

14
Love “IT Security Evaluation” …

15
Love “Hacking” …

16
(CanSecWest 2013)

17

18
(Black Hat 2013 & ITRC 2014)

19
2. Security is a Chain,
Really?

20
Secrets and Lies : Preface

21
The error of Applied Cryptography is that I didn't talk at all about the context. I talked about cryptography as if it were the answer. I was pretty naive. The result wasn't pretty.
……
Security is a chain;it's only as secure as the weakest link. Security is a process, not a product.
Secrets and Lies : Preface

22
2.1 Cryptographer's
Problem

23

24

25
Crypto 'Becoming Less Important‘ …

26
Why? Not Research the Real World!

27

28
Most Cryptographers …

29
paper
Papers
Most Cryptographers …

30
Enough?

31
How about?

32
2.2 Hacker‘s Problem

33
Not Research the Theory!

34
Most Hackers …

35

36
3. Case Study

37
3.1 Case I

38
Do You Know?

39

Increase length of message so that it is a multiple of the block size

Padding can be used to enhance security

Disguise the length of plaintexts

Prevent traffic analysis, or guessing based on plaintext length

“Buy” versus “Sell”

Can padding have a negative impact on security?
Padding

40
CBC mode
Ci-1
Ci
Pi-1
Pi
dK
dK
Pi-1
Pi
Ci-1
Ci
eK
eK
Typical block size n:
64 bits (DES, triple DES) or 128 bits (AES).
Typical key size:
56 bits (DES), 168 bits (triple DES), 128, 192 or 256 bits (AES).

41
Malleability of CBC mode
Ci-1
Ci
Pi-1
Pi
dK
dK
Flipping bits here
Leads to bit flips here
And randomised block here

42

Byte-orientated padding scheme

If q bytes are required to fill the last block, then add q bytes of value q

xx xxxxxxxxxxxxxxxxxxxxxxxxxxxx01

xx xxxxxxxxxxxxxxxxxxxxxxxxxx02 02

xx xxxxxxxxxx0a 0a0a0a0a0a0a0a0a0a

10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10
CBC-PAD of PKCS#5

43

The padding is removed after decryption

What if padding is invalid?

xx xxxxxxxxxxxxxxxxxxxxxxxxxx01 02

xx xxxxxxxxxxxxxxxxxxxxxx04 03 04 04

Behavior depends on implementation

Error msg? Status msg? Measurable delay?
CBC-PAD of PKCS#5

44

First proposed by Serge Vaudenay(2002)

Assume that a padding oracle is available to the adversary

Adversary submits CBC mode ciphertextto oracle

Oracle decrypts under fixed key K and checks correctness of padding with respect to particular padding method in use

Oracle outputs VALID or INVALID according to correctness of padding
Padding Oracle Attack

45

Vaudenayshowed that padding oracles and bit flipping can be used to build decryption oracle for CBC mode

For a variety of padding schemes, including those used in SSL/TLS and IPSec.
PO
K
(IV, C1, C2, …)
“VALID” or “INVALID”
Padding Oracle Attack on CBC

46
Padding Oracle Attack on CBC (in Detail)
PO
K
(r, Ci)
“VALID”
Compute P⊕Ci−1⊕r
Check LSB8(P⊕Ci−1⊕r)=’01’ ?
LSB8(P) = LSB8(r)⊕’01’⊕LSB8(Ci−1)

47
How about?

48
How about?

Padding Oracle Attacks : Side channel against CBC-PAD

This vulnerability was first identified by Serge Vaudenayin 2002, but was difficult enough to exploit that there were no live examples of it until Thai Duong and JulianoRizzo on September 23, 2011.

BEAST :Browser Exploit Against SSL/TLS

49
How about?

50
How about?
Fast Software Encryption 2002

51
3.2 Case II

52
Do You Know?

53
How about?
(ACM CCS 2013)

54
How about?

55

Ian Goldberg (hacker) and David Wagner (cryptographer) were graduate students at Cal in 1996

Ian’s now a professor at University of Waterloo, David is a professor at Berkeley)

Ian and David wondered how the Netscape Browser generated its session key for SSL

They reverse-engineered the part of the browser containing the PRNG
How about?

56
Netscape PRNG
global variable seed;
RNG_CreateContext()
(seconds, microseconds) = time of day;
pid = process ID; ppid = parent process ID;
a = mklcpr(microseconds);
b = mklcpr(pid+ seconds+ (ppid<< 12));
seed = MD5(a, b);
mklcpr(x)
return ((0xDEECE66D * x + 0x2BBB62DC) >> 1);

57

Assume you have an account on the same machine as the browser

Use ‘ps’ to get pidand ppidand run tcpdumpto get time SSL challenge was issued

This yields pid, ppid, and seconds, and only microseconds remains unknown

Exhaustively searchwith complexity 220to find microseconds

Takes about 10 seconds on a modern machine

Attack is possible without an account, but a little harder
Weakness of Netscape PRNG (Ver.’96)

Fast Software Encryption 2010
How about?

59
3.3 Case III

60
UKCriteria
GermanCriteria
French
Criteria
Orange Book(TCSEC) 1985
미국
영국
독일
프랑스
Canadian Criteria
(CTCPEC) 1993
Federal Criteria
Draft 1993
캐나다
ITSEC(1991)
※ 1999년: ISO/IEC 15408 국제표준으로제정
v1.0 1996
v2.0 1998
v2.1 1999
v2.2 2004
v2.3 2005
v3.1 R1 2006.9
v3.1 R2 2007.9
Do You Know?

61
(출처: www.commoncriteriaportal.org)
Do You Know?

62
Do You Know?
※ "Certified" for products/PPs that were certified up to 5 years ago and are still supported. "Certified –
Archived"for products/PPs that were certified over 5 years ago or are no longer supported.

63
How about?

64
How about?

65
How about?

66

State whatshould be protected.

A security policy is a statement of what is, and what is not, allowed.

Confidentiality :Who is allowed to learn what?

Integrity :What changes are allowed by system.

… includes resource utilization, input/output to environment.

Availability :When must service be rendered.

And howthis should be achieved.
Security Policy

67

Formal Specification of Security Policy

(e.g.) DAC Model, MAC Model, Bell-LaPadulaModel, BibaModel, Clark-Wilson Model, Harrison-Ruzzo-UllmanModel, Chinese Wall Model, RBAC Model, etc.
Security Policy Model (SPM)

68

Informal method

English (or other natural language)

Semiformal methods

Gane& Sarsen/DeMarco/Yourdon

Entity-Relationship Diagrams

Jackson/Orr/Warnier

SADT, PSL/PSA, SREM, etc.

Formal methods

Finite State Machines

Petri Nets

Z

ANNA, VDM, CSP, etc.
(Semi-)Formal Methods

69

(M202, Open University, UK) A safe has a combination lock that can be in one of three positions, labeled 1, 2, and 3. The dial can be turned left or right (L or R). Thus there are six possible dial movements, namely 1L, 1R, 2L, 2R, 3L, and 3R. The combination to the safe is 1L, 3R, 2L; any other dial movement will cause the alarm to go off.
FSM Example

70
[State Transition Diagram]
[Transition Table]
FSM Example

71

Security Policy : A subject has read access to a file

only if the permission R was initially present or has been explicitly granted by the file’s owner.
Example

72



Solution Design : For each transition that gives new read access to an object,

access control (reference monitor) checks that this has been done by the owner of the object using confer_read.
Example

73



Solution (Mechanism) : For each transition that gives new read access to an object,

access control (reference monitor) checks that this has been done by the owner of the object using confer_read.
Is this solution
right or not?
Example

74

Security Policy Modeling :
Example

75

Solution (formally) :
Example

76

Theorem :

If access control makes sure that only locally acceptable transitions take place, then all reachable states are authorized, i.e. the system is secure.

Formally:
Example

77

Proof :
Example
77

78

Theorem Proving with Isabelle :
Example
78

79
Example
79

80
Example

81
Example
81

82
Example
82

83
Example
83

84
3.4 Case IV

85
업무망
인터넷망
Do You Know?

86
(출처: 정현석, “국내망분리관련현황”, Shared IT, 2014.6.17)
Do You Know?

87
How about?

88
How about?

89
How about?

90
How about?

91
3.5 Case V

92
Do You Know?

93
Do You Know?

94
Do You Know?

95
http://www.bpak.org
박세준(Brian Pak)
-
Computer Science 전공및Mathematical Science 부전공@ CMU
-
Platform-independent Programs (ACM CCS'10) -Codegate CTF 2011 –1위-SECUINSIDE CTF 2011 –1위-SECUINSIDE CTF 2012 –1위-DEFCON CTF 2012 –2위
How about?

96
How about?

97
How about?

98
How about?

4. 확대되는전선

100
Shredder Hacking

101
Compromising Reflections

102
Compromising Reflections

103
Keyloggingusing Smartphone

104
Keyloggingusing Smartphone

105
Hack 4096-bit RSA Keys via CPU Sound

106
SECURITY
IS NOTA
PRODUCT
BUTA
PROCESS

107
End-to-End Proof
Policy
Mechanisms
Assurance
Level of Trust that it really does!

108

Policy Assurance :Evidence establishing security requirements in policy is complete, consistent, technically sound.

Security Objectives : High-level security issues

Security Requirements : Specific, concrete issues

Design assurance : Evidence establishing design sufficient to meet requirements of security policy.
End-to-End Proof

109

Implementation Assurance : Evidence establishing implementation consistent with security requirements of security policy.

Operational Assurance : Evidence establishing system sustains the security policy requirements during installation, configuration, and day-to-day operation.

Also called ‘Administrative Assurance’.
End-to-End Proof

110
C&A

111
Provably Secure O/S

112
이론= 실무

113
이론= 실무정책= 기술

보안실무, 어디까지가실무일까? @ 보안대첩 (2014.10.31)

Recommended

Recommended

More Related Content

What's hot

What's hot (13)

Viewers also liked

Viewers also liked (15)

Similar to 보안실무, 어디까지가실무일까? @ 보안대첩 (2014.10.31)

Similar to 보안실무, 어디까지가실무일까? @ 보안대첩 (2014.10.31) (20)

More from Seungjoo Kim

More from Seungjoo Kim (17)

보안실무, 어디까지가실무일까? @ 보안대첩 (2014.10.31)