CS 558 Spring 2017

CS558 : Introduction to Network Security
Boston University, Computer Science, Spring, 2017

Course Syllabus Assignments Schedule Class Blog Calendar Link to websubmit Link to piazza

Instructor: Sharon Goldberg
Lectures: Tuesday & Thursday 2:00-3:15PM, CAS B12

Course Assistants:
Sophia Yakoubov (MCS135)
Ann Ming Samborski
Sean Smith

Discussions:
Friday, 11:15AM in MCS B33
Friday 12:20PM in MCS B25
Friday, 1:25PM in MCS B25

Student work from this year!
scribe notes
blog post on web-audit poster session!
video from a student presentation!
security news project reports!

Ethics

To defend a system you need to be able to think like an attacker, and that includes understanding techniques that can be used to compromise security. However, using those techniques in the real world may violate the law or the university's rules, and it may be unethical. Under some circumstances, even probing for weaknesses may result in severe penalties, up to and including expulsion, civil fines, and jail time. Our policy is that you must respect the privacy and property rights of others at all times, or else you will fail the course.

Acting lawfully and ethically is your responsibility. Carefully read the Computer Fraud and Abuse Act (CFAA), a federal statute that broadly criminalizes computer intrusion. This is one of several laws that govern "hacking." Understand what this law prohibits.

Read BU's Conditions of Use and Policy on Computing Ethics and the BU's Academic Conduct Code. As members of the university, you are required to abide by these policies.

Topics Covered:

Symmetric Crypto

The one time pad and it security. (Section 5.2.1 of Ross Anderson's book (The following references are more technical than Andersons book, but also more technical than what we covered in class: Leo Reyzin's Crypto notes, Sec 2.2 of Katz and Lindell)
128-bit security level and why 2^128 is a big number. link
Stream ciphers, and how to construct a stream cipher from a Pseudo Random Generator (PRG). (Section 5.3.2 of Ross Anderson's book.)
Block ciphers (also known as pseudorandom permutation) (Optional: AES, AES competition, attack on AES reducing security by 1/32,000
Block cipher modes of operation (reference: wikipedia)
- Electronic Code Book (ECB) mode and why its not secure
- Cipher Block Chaining (CBC) mode
- Counter Mode (CTR) mode
Definitions of security for encyption schemes. (My lecture notes) Security against
- Known Ciphertext Attacks (KCA)
- Known Plaintext Attacks (KPA)
- Chosen Plaintext Attacks (CPA)
- Chosen Ciphertext Attacks (CPA)
Most block ciphers and stream ciphers satisfy CPA security but not CCA security.
Message authentication codes (MAC). (Boaz Barak lecture notes, up to page 2, excluding the proof. The following reference is more technical than what we covered in class: Section 4-4.3 of Katz and Lindell.)
- In Lab1, we saw that MD5(key,message) is vulnerable to length extension attacks. This means that MD5(key,message) is not a good MAC (because of length extension).
- Security Definition for MACs: Existential Unforgeability against Chosen Message Attacks
How do we get a CCA secure encyption scheme ? (Reference: Boaz Barak lecture notes, page 3 up to item 1 on page 4.)
- We take a CPA secure encryption scheme (Enc, Dec), and a good MAC, and then combine them as follows. The secret key is (k1,k2). To encrypt, we take c = Enc(k1,m) and t=MAC(k2,m) and output (c,t) as the CCA secure ciphertext. Then, decryption works as follows: If Ver(k2,c,t) = t then output m=Dec(k1,c) and otherwise output "fail".
- OPTIONAL: Here is a link to a research paper that explains why the above works. The scheme above is called "encrypt then authenticate" in the paper.
- OPTIONAL: In class, I mentioned several practical attacks on encryption schemes that are CPA secure, but not CCA secure. One of my favorite ones is this attack on CBC-mode encyption (which is CPA secure but not CCA secure, because the CBC-mode encryption is not additionally MAC'd as described above) when used as part of IPsec. here. Its worth just reading through the abstract of the paper.

Public Key Crypto

Assymetric keys link. See also Ross Anderson's book Section 5.2.5, 5.3.4 and 5.3.5.
Digital signatures and their security.
Public Key encryption and its security.
RSA, and how it can be used both for public-key encryption and for digital signatures.
Optional. In class I mentioned that it is important that each party choose its own unique RSA modulus and RSA factors p and q; bad things happen when this is not the case, see this paper.
Public Key Infrastructures (PKI) and digital certificates. Some good background on PKI starts on slide 34 of this.
Here is a great article on the limitations of the web's PKI from ACM Queue, please read it!
Key exchange mechanisms. Diffie Helman Key Exchange, and RSA-Key Wrapping Key Exchange, as used in TLS 1.2.
Why RSA key wrapping fails to provide forward secrecy. Why diffie hellman key exchange succeeds at providing forward secrecy.
The Very Bad Things that happen when a certificate authority's key is compromised by an attacker.
Encryption back doors.
- The clipper chip and 1990's crypto wars. Required: Read this article New York Times Mag 1994
- 2014: the crypto wars return. Optional: Washington Post editorial supporting an encryption "golden key", and pushback from the security community.

Optional: In class I mentioned the DUAL EC DBRG backdoor. See here for a good summary.

Web Security

Web security model: Slides from Stanford
- HTTP (GET, POST, etc),
- Webpage rendering and events
- DOM,
- Image tags,
- single pixel tracking,
- HTTP/HTTPS mixed content
- Same origin policy
- Cookies
SQL injection Steve Freidl's SQLi Blog Post
XSS (Cross Site Scripting) Slides from Berkeley

Network security

Overview slides covering IP, TCP, UDP, TLS and Ethernet/ARP: my slides.
In class we described network censorship techniques, including the use of TCP reset packets. These slides gives a good overview of censorship technology seen in the wild.
Internet routing security (BGP security): slides and article.
- Do problem 4 from the 2013 exam.
The security of the domain name system (DNS security).
- A gentle introduction to DNS is here http://www.isoc.org/briefings/016/index.shtml.
- A list of the DNS root zones is here: http://www.root-servers.org/
- We discuss Kaminsky's famous attack on DNS using this UnixWiz article. See also this figure explaining the Kaminsky attack.
- We discuss DNSSEC using this presentation from Olaf M. Kolkman in 2004. Some other good references are these cloudflare blog and this slide deck from Paul Wouters at Blackhat'09 is an additional resource, but you need not review this one in great detail.
- You can run you own DNS queries by logging into csa2.bu.edu and running dig +trace example.com, obviously replacing example.com with whatever domain you want to look at. Dig can let you look at pretty much anything in the DNS; type man dig on csa2 to see some options, or find a dig tutorial online. If you want to look at DNSSEC deployments using dig, this tutorial is a good place to start.
- Optional: A very interesting FAQ about root zone operations, (e.g. why there is diversity in the code used to operate the root zone servers), by Daniel Karrenberg, an operator of the K-root.
The security of the network time protocol (NTP security). (Guest Lecture by Aanchal Malhotra)
Email security. My slides based on this 2015 research paper. We also discuss PGP.
Tor and online anonymity. We use slides by Paul Syverson.
Encrypted messaging protocols
- Signal vs Whatsapp comparison by the Intercept
- My slides on encrypted messaging (signal/whatsapp).