E- Encryption in Unix

UNIVERSITY of WISCONSIN-MADISON Computer Sciences Depar tment CS 537 A. Ar paci-Dusseau Intro to Oper ating Systems Spr ing 2000 Questions ans w ered in these notes:

Ho w does one increase le vel of secur ity?

What is pub lic k e y encr yption?

What is pr iv ate k e y encr yption?

Ho w is each used f or secur ity?

Ho w is each used f or authentication? Reading f or topic: Chapter 19 & 20

Secur ity Solutions and Encr yption

Regaining Secur ity Ma y be impossib le to secure system once penetr ated

Not all possib le to tell that secur ity violation occurred Villain can remo ve all tr aces from log fi les

Hooks could ha ve been left around f or the imposter to regain control

Cannot restore system from bac kup tapes Attac k could ha ve occurred ear lier than suspected Only solution

Remo ve all files from disk and reinstall all softw are

Wh y Less a Prob lem with Humans? Humans do not easily f orget e vents

Computer memor y is v olatile

Ma y lea ve no tr ace of past e vents Humans usually kno w who the y are inter acting with

Anon ymity occurs easily on computers

Cannot tell who is doing what

Assume person logged as tr ue self Do not usually tr ust personal proper ty to ne w acquaintances

More tr usting of computers

An y prog ram y ou r un could modify an y of y our files

Secur ity Solutions Logging

Record all impor tant e vents and uses of pr ivilege in an indelib le fi le Wr ite-once disk

Examples Attempts to specify an incorrect pass w ord All logins All super-user actions

Can be used to catch imposters dur ing initial attempts and f ailures

Ev en better to get humans in volv ed at k e y steps One of the solutions f or Electronic Funds T ransf er (EFT) P er iodically chec k logs f or str ange e vents

Dr a wbac k: Can leak pass w ords into logs

A.Arpaci-DusseauCS 537:Operating Systemsencryption.fm.5

More Secur ity Solutions Caller identifi cation

Telephone: tr aditional f or callers to be anon ymous , b ut not receiv ers V er y diffi cult to catch electronic thie ves

Need a change of polic y to eliminate caller anon ymity

Solution: Callbac k Pr inciple of minim um pr ivilege (need-to-kno w):

Each piece has access to minim um inf or mation, f or minim um time

Example File system cannot touch memor y map , memor y manager cannot touch disk b loc ks

Reduces chances of accidental or intentional damage

Impossib le to pro vide absolute inf or mation containment Co ver t channels

Encr yption Goals

Secure comm unication: No one can ea vesdrop

A uthentication : Estab lish identify of source; inf o cannot be modifi ed Mechanism: Con ver t data to f or m that does not mak e sense

Initial readab le te xt that needs protection: clear te xt

Encr ypt the clear te xt so that it does not mak e sense: cipher te xt Controlled b y function or n umber :

Encr ypted te xt can be stored in readab le fi le or tr ansmitted o ver unprotected channels

To mak e sense of cipher te xt, decr ypt it bac k into clear te xt P erf or med with secret function or n umber : decr

Based on f actor ing v er y large n umbers (product of tw o pr imes)

Necessar y Conditions Encr yption function cannot be easily in ver ted

Cannot disco ver clear te xt unless kno w decr yption k e y K e ys m ust be protected

If encr yption and decr yption k e ys are identical, cannot leak either k e y Encr yption and decr yption m ust be done in saf e place

Otherwise , could snoop clear te xt

Tr usted computing base (TCB) Softw are and hardw are that m ust beha ve correctly

Pub lic K e y Encr yption Tw o k e ys f or e ver y user : Pub lic and pr iv ate k e y

Ev er yone kno ws all pub lic k e ys

Only host kno ws the pr iv ate k e y (secret k e y) Requirements

Cannot der iv e one from kno wing the other

Pub lic and pr iv ate k e ys are in verses of the other Encode with pr iv ate k e y of A --> Decode with pub lic k e y of A {Message}

Encode with pub lic k e y of A --> Decode with pr iv ate k e y of A {Message}

A.Arpaci-DusseauCS 537:Operating Systemsencryption.fm.9

A uthentication with Pub lic K e ys A uthentication

Reliab ly identify the sender of a message

Example: A sends to B; B m ust kno w A sent message A->B: {Message}

B: Can decode {Message}

with P A No one else b ut A could ha ve encoded a v alid message P ositiv e Identifi cation

Example: “I ag ree to pa y Mar y $100 per y ear f or dur ation of m y lif e”

If message can be decr ypted with your pub lic ke y, then wr itten b y you An yone can v er ify author of message

Electronic signature: Can be legally binding

Secur ity & A uthentication with Pub lic K e ys Secure comm unication

Ensure that no one can snoop on messages

Example: A sends to B A->B : {Message}

B: Can decode {Message}

with SB No one else b ut B can decode {Message}

An yone can send such a message to B Combine abo ve str ategies f or both secur ity and authentication

Example: A sends a message to B that only B can read; B kno ws that only A could ha ve created message A->B : {{Message}

}

B: Can decode {{Message}

}

with P A to {Message}

B: Can decode {Message}

with SB to get Message

Example with Pub lic Encr yption Ho w to encr ypt a message giv en the f ollo wing requirements?

All comm unication channels are insecure

There are three par ties in volv ed P: the or iginal sender of the message S: an inter mediar y receiv er of the message E: the fi nal receiv er of the message

Only E can read the message

E m ust kno w that the message w as wr itten b y P

The message m ust pass through S bef ore getting to E

P otential Limitations of Encr yption Ea vesdroppers can repla y messages

Repla ying old messages ma y confuse par ties Ev en though ea vesdropper does not kno w what the y are repla ying...

Solution: Sequence n umbers (nonces) or timestamps in messages Ho w do y ou tr ust pub lic k e y?

Y ou hear : “Andrea’ s pub lic k e y is K” Prob lem: Who said this?

Solution: A uthentication Ser ver that e ver yone tr usts Ev er yone kno ws pub lic k e y of authentication ser ver : P AS AS -> A: {Pub lic k e y of B is PB}

A can decode and kno w that only AS could ha ve sent PB F ail-Secure: Secure if par t of system f ails

A.Arpaci-DusseauCS 537:Operating Systemsencryption.fm.1

Tr aditional Encr yption Another prob lem: Slo w encoding and decoding

200 Kbits/sec in hardw are

.5 Kbits/sec/MIPS in softw are Alter nativ e: Single pr iv ate k e y f or better speed

1200 Kbits/sec in hardw are

400 Kbits/sec/MIPS in softw are Example: Data Encr yption Standard (DES)

Associate pr iv ate k e y with session betw een tw o users Prob lem: Ho w do y ou e xchange pr iv ate session k e y?

Cannot send pr iv ate k e y unencr ypted o ver channel!

Solution #1: Use pub lic k e y encr yption to e xchange session k e y

Exchanging Session K e ys A uthentication ser ver : Kno ws pr iv ate k e ys of all users Example

A w ants to talk securely with B , B m ust authenticate A is sender Simplifi ed algor ithm (without w orr ying about repla y attac ks)

A asks authentication ser ver f or a session k e y with B No encr yption needed

A uthentication ser ver replies with ne w con versation k e y CK AS->A: {CK, {A,CK}

}

If decr ypted message mak es sense , only AS could ha ve sent message Only A can decr ypt message and get CK

A sends message to B telling it the k e y A->B: {A,CK}

No one could modify message to change name of sender

Secure Signatures with Pr iv ate K e ys Prob lem: Ho w do I kno w if binar y fi le w as modifi ed in tr ansit?

If not w orr ied about ea vesdropping, f aster to not encr ypt entire fi le Solution: Secure chec ksum or char acter istic v alue

Also called Message Digests or Digital fi nger pr int

Function(Message) = large integer (e .g., 1024 bits) Diffi cult to fi nd another message that maps to same integer Example: A sends fi le to B

A calculates chec ksum of fi le; ask authentication ser ver to encr ypt

A sends message and encr ypted chec ksum to B A->B: fi le , {CK}

B receiv es fi le and computes chec ksum

B asks AS to decode CK so it can compare tw o B->AS: {CK}

AS->B: {CK}

Impro ving Encr yption Saf ety Ho w saf e is encr yption?

DES 56 bit k e y --> 2

possib le k e ys

Cr ac k b y guessing with man y machines --> RSA Challenge Solutions

Upg rade encr yption as computers become more po w erful

Remo ve kno wn patter ns from the clear te xt Example: Y our name Compress clear te xt bef ore encr yption

Do not send large amounts of inf or mation with the same k e y Change k e ys frequently Implication f or digital signatures o ver lif etime?

A.Arpaci-DusseauCS 537:Operating Systemsencryption.fm.1

Tw o Philosophies f or Protection K eep the mechanism secret

Adv antage: Harder to break in if kno w nothing about str ucture

Disadv antage: Harder to k eep secure if secret is released Pub lish the mechanism

Disadv antage: Easier to break in if can fi nd design fl a ws or b ugs

Adv antage: Encour age bad person — good person fi ght Off er re w ard f or repor ting secur ity holes Find holes and fi x quic kly

Encr yption T oda y Theor y more adv anced than pr actice

Must impro ve to suppor t electronic commerce Currently in Unix

No encr yption perf or med f or netw or k ser vices

Rlogin, NFS , ftp , etc. K erberos

Based on DES

Get tic kets from ser ver