CS558 : Introduction to Network Security
Boston University, Computer Science, Spring, 2017
To defend a system you need to be able to think like an attacker, and that includes understanding techniques that can be used to compromise security. However, using those techniques in the real world may violate the law or the university's rules, and it may be unethical. Under some circumstances, even probing for weaknesses may result in severe penalties, up to and including expulsion, civil fines, and jail time. Our policy is that you must respect the privacy and property rights of others at all times, or else you will fail the course.
Acting lawfully and ethically is your responsibility. Carefully read the Computer Fraud and Abuse Act (CFAA), a federal statute that broadly criminalizes computer intrusion. This is one of several laws that govern "hacking." Understand what this law prohibits.
Read BU's Conditions of Use and Policy on Computing Ethics and BU's Academic Conduct Code. As members of the university, you are required to abide by these policies.
- The one-time pad and its security. (Section 5.2.1 of Ross Anderson's book. The following references are more technical than Anderson's book, and also more technical than what we covered in class: Leo Reyzin's Crypto notes, Sec 2.2 of Katz and Lindell.)
- 128-bit security level and why 2^128 is a big number.
- Stream ciphers, and how to construct a stream cipher from a Pseudo Random Generator (PRG). (Section 5.3.2 of Ross Anderson's book.)
- Block ciphers (also known as pseudorandom permutations). (Optional: AES, AES competition, attack on AES reducing security by 1/32,000.)
- Block cipher modes of operation (reference: wikipedia)
- Electronic Code Book (ECB) mode and why it's not secure
- Cipher Block Chaining (CBC) mode
- Counter (CTR) mode
- Definitions of security for encryption schemes. (My lecture notes.) Security against:
- Known Ciphertext Attacks (KCA)
- Known Plaintext Attacks (KPA)
- Chosen Plaintext Attacks (CPA)
- Chosen Ciphertext Attacks (CCA)
- Most block ciphers and stream ciphers satisfy CPA security but not CCA security.
- Message authentication codes (MAC). (Boaz Barak lecture notes, up to page 2, excluding the proof. The following reference is more technical than what we covered in class: Section 4-4.3 of Katz and Lindell.)
- In Lab1, we saw that MD5(key,message) is vulnerable to length extension attacks. This means that MD5(key,message) is not a good MAC (because of length extension).
- Security Definition for MACs: Existential Unforgeability against Chosen Message Attacks
- How do we get a CCA-secure encryption scheme? (Reference: Boaz Barak lecture notes, page 3 up to item 1 on page 4.)
We take a CPA-secure encryption scheme (Enc, Dec) and a good MAC, and combine them as follows. The secret key is (k1,k2). To encrypt, we compute c = Enc(k1,m) and t = MAC(k2,c), and output (c,t) as the CCA-secure ciphertext. Decryption works as follows: if Ver(k2,c,t) accepts, output m = Dec(k1,c); otherwise output "fail".
OPTIONAL: Here is a link to a research paper that explains why the above works. The scheme above is called "encrypt then authenticate" in the paper.
- OPTIONAL: In class, I mentioned several practical attacks on encryption schemes that are CPA secure, but not CCA secure. One of my favorite ones is this attack on CBC-mode encryption (which is CPA secure but not CCA secure, because the CBC-mode encryption is not additionally MAC'd as described above) when used as part of IPsec. It's worth just reading through the abstract of the paper.
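The encrypt-then-authenticate construction above, as an added example that is not part of the course materials: the tag is computed over the ciphertext c, matching the verification step Ver(k2,c,t). It assumes HMAC-SHA256 in counter mode with a random nonce as a stand-in for the CPA-secure Enc and HMAC-SHA256 as the MAC; all function names are hypothetical.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16

def _keystream(k1, nonce, n):
    """PRF in counter mode: HMAC-SHA256(k1, nonce || counter), n bytes."""
    out, counter = b"", 0
    while len(out) < n:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(k1, block, hashlib.sha256).digest()
        counter += 1
    return out[:n]

def enc(k1, m):
    """Stand-in CPA-secure Enc: fresh random nonce, XOR with keystream."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(k1, nonce, len(m))
    return nonce + bytes(a ^ b for a, b in zip(m, ks))

def dec(k1, c):
    nonce, body = c[:NONCE_LEN], c[NONCE_LEN:]
    ks = _keystream(k1, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))

def seal(k1, k2, m):
    """Encrypt-then-authenticate: c = Enc(k1, m), t = MAC(k2, c)."""
    c = enc(k1, m)
    return c, hmac.new(k2, c, hashlib.sha256).digest()

def open_(k1, k2, c, t):
    """Check the tag over c first; decrypt only if it verifies."""
    expected = hmac.new(k2, c, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, t):
        return None  # the "fail" output
    return dec(k1, c)

def flip(c, offset, mask):
    """Constructed tampering: XOR one ciphertext byte with mask."""
    pos = NONCE_LEN + offset
    return c[:pos] + bytes([c[pos] ^ mask]) + c[pos + 1:]

def demo():
    k1, k2 = os.urandom(32), os.urandom(32)
    m = b"pay 100 to bob"  # constructed sample message
    c, t = seal(k1, k2, m)
    tampered = flip(c, 4, ord("1") ^ ord("9"))
    # (honest round trip, Enc alone on tampered c, sealed on tampered c)
    return open_(k1, k2, c, t), dec(k1, tampered), open_(k1, k2, tampered, t)
```

Without the MAC, the modified ciphertext decrypts to a different valid-looking message; with it, decryption outputs "fail" before Dec is ever called.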
Public Key Crypto
- Asymmetric keys. See also Ross Anderson's book Section 5.2.5, 5.3.4 and 5.3.5.
- Digital signatures and their security.
- Public Key encryption and its security.
- RSA, and how it can be used both for public-key encryption and for digital signatures.
- Optional. In class I mentioned that it is important that each party choose its own unique RSA modulus and RSA factors p and q; bad things happen when this is not the case, see this paper.
- Public Key Infrastructures (PKI) and digital certificates. Some good background on PKI starts on slide 34 of this.
- Here is a great article on the limitations of the web's PKI from ACM Queue, please read it!
- Key exchange mechanisms. Diffie-Hellman Key Exchange, and RSA-Key Wrapping Key Exchange, as used in TLS 1.2.
- Why RSA key wrapping fails to provide forward secrecy. Why Diffie-Hellman key exchange succeeds at providing forward secrecy.
- The Very Bad Things that happen when a certificate authority's key is compromised by an attacker.
- Encryption back doors.
Optional: In class I mentioned the Dual EC DRBG backdoor. See here for a good summary.
- Overview slides covering IP, TCP, UDP, TLS and Ethernet/ARP: my slides.
- In class we described network censorship techniques, including the use of TCP reset packets. These slides give a good overview of censorship technology seen in the wild.
- Internet routing security (BGP security): slides and article.
- The security of the domain name system (DNS security).
- The security of the network time protocol (NTP security). (Guest Lecture by Aanchal Malhotra)
- Email security. My slides based on this 2015 research paper. We also discuss PGP.
- Tor and online anonymity. We use slides by Paul Syverson.
- Encrypted messaging protocols