CS558 : Network Security
(Privacy, Anonymity, and Online Censorship).
Boston University, Computer Science, Spring, 2013
Instructor: Sharon Goldberg
Google Calendar for this Course
Link to websubmit
System security: Lectures taught by David Seidman (January 28-31)
A note on ethics:In these classes you learned a number of web and software exploits. Please read the statement of ethics, law, and university policy here and do NOT try these on any site where you do not have explicit permission to do so!
Fuzzing Lab. Due Feb 22. Instructions.
Link to websubmit.
System security homework. Due February 12. ho1
Extra security related reading recommended by David:
- Microsoft's own Security Research and Defense blog written by David's teammates at MS.
- BugTraq not a news feed per se but a mailing list to discuss and share vulnerabilities, exploits, and related information. Note that you may see unethical, rude, and generally bad behavior on this mailing list, but there is lots of good technical information mixed in as well.
- Following security researchers on Twitter e.g. Dan Kaminsky, Jacob Applebaum, Charlie Miller,....
- Another talk David has given about Stuxnet and the vulnerability economy.
Reference books: "Writing Secure Code",
or see also this site. The book "Windows Internals".
Hashing and Entropy (Week of Feb 4)
Speaker: Adam. flame presentation
Speaker: Yieli. password cracking presentation
- We discussed Shannon Entropy and min entropy.
- We also discussed Kerckhoff's Principle for cryptosystems. wiki ref
- We talked about the entropy in the GS cookie. Here's an interesting paper that shows how to reduce the entropy by 15 bits.
- We also talked about 3 different properties of hash functions. One way fucntions (see Katz and Lindell page 194-198), Pseudorandom functions (Katz and Lindell page 86) and Collision Resistant Hashes (Katz and Lindell page 127).
- Here is a page with references to different kinds of hash functions. Most modern crypto uses SHA-256. There is also a competition to create a new SHA-3. The winner was finally announced just this October 2012!
- Password hashing article. It has a section called "The WRONG Way: Double Hashing and Wacky Hash Function" which mentions using double hashing or a combination of hash functions.
- Cryptographers have also looked at the question of combining hash functions. Here are a few papers:
- Marc Fischlin,
Anja Lehmann. "Multi-property Preserving Combiners for Hash Functions" Theory of Cryptography 2008. paper.;
- Here's an earlier paper on the subject by the same authors.
- The problem was first studied in a formal cryptographic way by Hertzberg in 2002; this is the same Hertzberg's who gave a talk on DNS security here at BU on Wednesday morning!
- In class someone asked why the hash-function h(key,message) is not used (i.e. where the key is appended to the message), and instead we use more complicated things like HMAC when we want a pseudorandom function. To see why, you can refer to the HMAC paper for details; page 16 shows why this construction fails to be secure.
Encryption and authentication ( Feb 12-21)
Speaker: Sachin. red october presentation
Speaker: Marc. java facepalm presentation
Encryption. Definitions: perfectly secure encryption (Katz Lindel page 30-34), CPA secure encryption (Katz Lindel page 82-85) . Schemes: one time pad (Katz Lindel page 34-36), stream ciphers (Katz Lindel page 69-80). Public key encryption.
Authentication. Message authentication codes (Katz Lindel page 114-118), digital signatures.
Basic crypto homework.
Due March 1. Deadline extended to March 6. ho2 ho2 solution
IPsec: Symmetric Encryption and Authentication. (Feb 26 - March 5)
Speaker: Allan. presentation
Speaker: David. presentation
Speaker: Zhouqun. presentation
We discuss how IPsec and TLS/SSL are used, covering both the high-level issues about where in the Internet each protocol is used, as well as the underlying cryptographic issues related to encryption and authentication.
- We discussed the notion of CCA security and CPA security for encryption, and how, when we talk about encryption
in practice, most schemes are ony CPA secure (i.e. AES, DES, blowfish, etc.). However, on the internet we almost always
want CCA security, so we can defend against active attackers; to do this, we need to combine CPA secure encryption with
a secure MAC. For a reference, see the Katz and Lindell textbook.
- Note on the order of encryption and authentications are based on Hugo Krawcyzk's amazing paper from 2001 (one of my favorites) that was rewritten as Chapter 4.9 of Katz and Lindell's "Introduction to Modern Cryptography" textbook.
- We cover IPsec in detail, using Steve Friedl's illustrated guide.
Reading. Please read sections 1-3 and 7 from this EuroCrypt'2006 paper on attacks on encryption-only uses of IPsec; email me a 200 word summary of the attack described in the paper in time for class on February 28. Email subject should be: CS558 Reading 1.
IKE: Internet Key Exchange. (March 7 - )
We discuss SigMA protocols used for IKE (internet key exchange) for IPsec using Hugo Krawcyzk's excellent slides. The corresponding paper may also be useful pdf.
IPsec and IKE homework. Due March 20. ho3. ho3 solution
TLS and PKI (March 18)
We discuss SSL/TLS and public key infrastructures.
Lab 2: SSL certificates. Due April 11. Lab 2
DDoS and Amplification attacks (March 28)
We discussed the DDoS attack on spamhaus that is happened this week.
Routing security and BGP attacks (March 28-April 2)
- See the handout describing BGP operation; it's available in the box outside MCS135.
- References on the RPKI: slides.
- See also Danny Cooper's talk on our RPKI research from BFOC'13 .
- Slides on BGP security here. We discussed the first 25 slides. This slide deck is based on our SIGCOMM'10 paper
- The Pakistan Telecom / YouTube incident - a failed attempt at censorship via BGP. The renesys blog.
- The China Telecom traffic interception incident The renesys blog.
- See also this survey paper on BGP security.
- Here is some software for making Hilbert curves out of the IPv4 address space here.
Midterm information (April 4)
The following topics will be covered on the midterm:
- The material in David Seidman's three lectures
- Encryption, authentication, PRFs, collision-resistant hash, one-way function.
Public Key encryption, digital signatures.
- CCA vs CPA secure encryption; authenticated encryption.
- IPsec basics
- Key exchange protocols; the material in Hugo Krawzyck's lecture that we discussed in class.
- PKI. Attacks on PKI.
- Routing security, BGP.
Speaker: Emily. presentation
Speaker: Brian. presentation
Speaker: Jeff. presentation
Speaker: Dan. presentation
Speaker: Mateus. presentation
Speaker: Richard. presentation
Homework 4: BGP, DNS and TLS. Due April 22. Homework 4
History: Why was the Internet designed without security in mind?
Anonymity and Tor
We discuss the Tor protocol using these slides.