CS558 : Introduction to Network Security
Boston University, Computer Science, Spring, 2015
Link to websubmit
Link to piazza
| || |
Tuesdays 2-5PM, MCS135
Tuesday & Thursday 9:30-11AM, CAS326
Aanchal Malhotra (MCS135A)
Ethan Heilman (MCS135A)
Dimitris Papadopoulos (MCS134)
Course Assistant Office Hours:
Mondays 9-11AM, MCS135
Friday, 11:00-12:00AM in MCS B19
Friday 1:00-2:00PM in MCS B19
We will use piazza to communicate with you. You are welcome to use Piazza to set up study groups, to post interesting security incidents you read about (please tag these as "interesting incident in the news"), or to discuss the course with other students. If you have a question about the course you should: (a) Come to office hours, OR (b) Post to Piazza. You are welcome to post to Piazza anonymously, but please don't use private posts to ask technical questions. The rest of the class is probably also interested in your question, so make it public!
If you need to talk to the course staff in private, you can send us a private message on Piazza to let us know that you want to have a private conversation during office hours. Then show up at office hours to discuss your issue. You should not expect a response; instead assume we have read your message and you should then just show up at office hours. If you want to talk to one of us in person but absolutely can't make office hours, please send the relevant person an email with at least three different options for when you are available to meet.
To defend a system you need to be able to think like an attacker, and that includes understanding techniques that can be used to compromise security. However, using those techniques in the real world may violate the law or the university's rules, and it may be unethical. Under some circumstances, even probing for weaknesses may result in severe penalties, up to and including expulsion, civil fines, and jail time. Our policy is that you must respect the privacy and property rights of others at all times, or else you will fail the course.
Acting lawfully and ethically is your responsibility. Carefully read the Computer Fraud and Abuse Act (CFAA), a federal statute that broadly criminalizes computer intrusion. This is one of several laws that govern ``hacking." Understand what this law prohibits.
Read BU's Conditions of Use and Policy on Computing Ethics
and the BU's Academic Conduct Code. As members of the university, you are required to abide by these policies.
The security mindset
Assigned reading: Chapter 1 of Anderson's book
- Kerckhoff's Principle for cryptosystems. wiki ref
- Threat modeling.
- Game-based security definitions.
Symmetric-Key Encryption and Authentication
Assigned reading: Sections 5-5.2.2, 5.3.2-5.3.3 of Anderson's book
- Perfect secrecy and the one-time-pad.
- Security for encryption schemes: Ciphertext Only Attack (COA), Known Plaintext Attack (KPA),
Chosen Plaintext Attack (CPA),
Chosen Ciphertext Attack (CCA).
- Stream ciphers.
- Definition of authentication. Message authentication code (MAC).
- Pseudorandom Functions (PRF); building a MAC from a PRF.
- The order of encryption and authentication, and the fact that encypt-then-MAC is both a good secure channel implementation, and a CCA-secure symmetric encryption scheme.
- The basics of AES.
Background reading: The Battle of the Clipper Chip New York Times, June 12, 1994.
Reference in Katz and Lindell: I was asked to give references to the material we covered in class to the Katz and Lindell book. Katz and Lindell go into MUCH more detail than we cover in this class, so I provide this info for reference: Section 1.2 (encryption), Section 1.4 (useful background), Section 2.1-2.3 (One Time Pad), Section 3.2-3.21 (more on encryption), Section 3.5 (CPA security) Section 3.7 (CCA security) Section 4-4.3 (MACs)
Reference in Anderson: Sections 5.2.4, 5.3.1 of Anderson's book
- Merkle Damgard construction for hash function.
- Properties of cryptographic hash functions. Properties: Collision resistance. One-way functions (OWF). Currently we use SHA-256, SHA-3 to instantiate cryptographic hash functions. In the past we used MD5 (broken:collisions found) and SHA1 (cryptanalytic evidence suggest this will be broken soon, and is deprecated).
- PRFs and HMAC. These are keyed hash functions. We model these as indistinguishable from random functions for an adversary that does not know the key.
- Applications of hashing:
- The birthday paradox and the difference between collision resistance and target-collision resistance (or one-wayness) for random functions. OR: Why does SHA-256 provide only 128-bits of security against collision attacks.
Reference in Katz and Lindell: I was asked to give references to the material we covered in class to the Katz and Lindell book. Katz and Lindell go into MUCH more detail than we cover in this class, so I provide this info for reference: Section 3.6.1 (PRFs) Section 4.6 (Collision resistant hash functions) Section 4.7.2 (HMAC - just construction 4.17) Section 6.1.1 (one-way-functions) Appenix A.4 (the birthday paradox)
Public Key Cryptography: Digital Signatures, Encryption, And Key Exchange. (Feb 11-Feb 18)
Readings in Anderson: Section 5.2.5 (Asymmetric primitives) Sections 5.7.1 (RSA) 184.108.40.206 (Diffie Helman Key Exchange), 5.7.5 (Certificates) of Anderson's book
- PK Encryption
- Digital Signatures
- The basics of RSA encryption and RSA signatures. Why textbook RSA is not actually a secure encryption or digital signature. Why we need encryption standards like PKCS 1.5 and OEAP.
- The hash-and-sign paradigm for digital signatures.
- Key exchange protocols:
- The basics TLS handshake (i.e the key exchange protocol). See here. The gory details are here.
- Diffie Helman Key Exchange and Perfect Forward Secrecy (PFS). This article has a nice explanation, and talks about how SSL is moving towards using DH Key exchange, instead of the encryption-based protocol described above.
- Why classic Diffie Helman is not secure against a ``active'' man-in-the-middle adversary that tampers/alters the messages sent between Alice and Bob.
Reference in Katz and Lindell: I was asked to give references to the material we covered in class to the Katz and Lindell book. Katz and Lindell go into MUCH more detail than we cover in this class, so I provide this info for reference: Section 9.4 (Diffie Helman Key Exchange) 10-10.2.1 (public key encryption) 10.4-10.4.2 (RSA encryption [This section is a particularly good reference]).
Public Key Infrastructure (PKI) and Certificates (Feb 20-Feb 25)
- Public Key Infrastructure and the web PKI. The principle of least privilege. Certificate Authorities (CAs). The difference between CA certificates and EE certificates. Attacks on CAs and probles with the web's PKI.
- For instructions on how look at the preinstalled certificates on your browser, see here
- The DigiNotar attack: EFF report.
- Paper analyzing the web PKI.
- Color map of certificate authorities from 2010.
- An attack where TLS certs accidentally issued with CA permissions were then used it to make a rogue certificates. Here is a real world example where a *.google.com certificate was created.
- Certificate revocation.
- Nice reference providing an overview of how certificate revocation lists are accessed today.
- the OCSP protocols for distributing cert revocation lists (CRL).
- OCSP "stapling", a less vulnerable way for transmitting CRLs.
- Critique of certificate revocation and it's challenges.
- The topics we will cover include: image tag security issues, same-origin policy, insecurities that arise from mixing http and https content on a page, security issues relating to session management with cookies, SQL injection, cross site scripting (XSS), cross site request forgery (CSRF).
- We discuss SQL injection using this excellent techtip from Steve Freidl.
http://www.cs.bu.edu/~goldbe/teaching/index.html; to look at it, do "view source" on your browser.
- These slides from CS155 at Stanford provide an overview of web vulnerabilities, including SQL injection, CSRF, and XSS. Alternatively, use these slides from Vitaly Shmatikov.
- Please read Parts 1-4 of this simple article on Secure Session Management With Cookies for Web Applications. In class on March 17, I talked about the session fixing attack mentioned in this article.
- On March 17 in class I mentioned how the grey-hat hacker weev was prosecuted for writing a script that altered the query field in URL in order to acquire personal data about ATT customers. Here is an article in WIRED discussing his case; notice the even here in WIRED, the details of the attack are not very clearly described and it sounds like quite a sophisticated attack. This other article in Forbes gives a better sense of the vulnerability that weev exploited, and shows how insecure the ATT's website was at the time of the attack. Quoting this artice "When they discovered that AT&T would actually reveal those addresses to anyone who entered a URL based on a 19 or 20 digit number unique to every iPad SIM card known as an ICC-ID, they used a simple script to generate every possible ICC-ID and visit the associated pages of AT&T’s site, essentially impersonating thousands of iPads to reveal their owners’ email addresses." You can ask yourself if the average internet user would be able to tell how trivial this attack is; I think that probably most users can't tell.
- Here is a reference on CSRF.
TCP/IP and its security
- My slides are here!
- We played with traceroute during lecture. If you have never done this before, log into csa2 and run the command traceroute example.com and see what happens; (obviously replacing example.com with whatever destination you like). How many hops does it take to get to a destination in India? A destination in the US? A destination in Singapore? A destination in South Africa?
- Here is a decent explanation of how traceroute works from wikipedia
- We talked about port numbers. Here is a list of port number to application allocations from IANA.
- We talked about NATs (Network Address Translation). Here is a reference NATs.
- A tutorial on IPsec in detail, from Steve Friedl's illustrated guide.
- In lecture, we'll try to think about why SSL (that is, "secure" TCP) caught on so much more effectively than IPsec ("secure IP").
DDoS and Amplification attacks
- Classic (1997!) slides about the smurf attack.
- The spring 2013 DDoS attack on Spamhaus that used DNS amplication.
- The winter 2014 DDoS attack that used NTP: cloudflare blog.
Core resources. Please review the below:
Extra resources, for those interested in further work on this topic:
- A gentle introduction to DNS is here http://www.isoc.org/briefings/016/index.shtml.
- A list of the DNS root zones is here: http://www.root-servers.org/
- A very interesting FAQ about root zone operations, (e.g. why there is diversity in the code used to operate the root zone servers),
by Daniel Karrenberg, an operator of the K-root.
- We discuss Kaminsky's famous attack on DNS using this UnixWiz article. See also this figure explaining the Kaminsky attack.
- We discuss DNSSEC using this presentation from Olaf M. Kolkman in 2004. This slide deck from Paul Wouters at Blackhat'09 is an additional resource, but you need not review this one in great detail.
- You can run you own DNS queries by logging into csa2.bu.edu and running dig +trace example.com, obviously replacing example.com with whatever domain you want to look at. Dig can let you look at pretty much anything in the DNS; type man dig on csa2 to see some options, or find a dig tutorial online. If you want to look at DNSSEC deployments using dig, this tutorial is a good place to start.
We discussed BGP security, the RPKI, Secure BGP/BGPSEC, and Secure Origin BGP.
Final poster session: Web security audits! (May 2)
Done! Thanks for a great semester and enjoy your summer!