Network Security Exercise #1

Network Security – Exercise #1

Falko Dressler and Christoph Sommer Computer and Communication Systems

Institute of Computer Science, University of Innsbruck, Austria 22.03.2012

Administrative Issues

I Welcome to the Proseminar!

I What you need

I _{Registration for the PS} I _{Active ZID (Linux) account} I _{Basic C/C++ programming skills}

Proseminar

I Objectives of the proseminar

I _{Hands-on experiences}

I _{In-depth study of lecture topics}

I _{In case of questions, please do ask! Drop by our offices or} simply send emails!

I Schedule

Exercises

I Exercises

I _{Once per week} I _{Can be done at home}

I _{Announcement during the proseminar and on the web site} http://www.ccs-labs.org/teaching/netsec-2012s/

I _{Group work!}

I _{Programs in C/C++}→_{check for buffer overflows!}

I Submission and evaluation

I _{Electronically, via scp to our server} I _{Deadlines are Tuesday, 23:59h}

Credits and grading

I All exercises must be completed in time(!)

I Keep in mind that the proseminar is organized in form of

group work

I The grade will reflect both the discussions in the

Topics in the Proseminar

I Enigma

I RSA, modes of encryption

I Hash collisions I WEP I OpenSSL I IPSec I Spoofing I MIX networks I Firewalls I Monitoring

Our scp submission system

I We arenowsetting up working groups (2–3 students per

group)

Attack Trees

I Formal method to model threats on a (computer) system

I Possible attacks can be visualized in form of a tree:

I _{The root is the final objective}

I _{Edges represent necessary steps to achieve this goal}

I Can be used for security analysis of a system

I _{Security estimation (How secure is my system?)} I _{“What-if” questionnaire}

I _{Cost estimation} I _{. . .}

Example

Open safe

Pick lock (I) Learn combo

Find written

combo (I) from target Get combo

Threaten (I) Blackmail (I) Eavesdrop

Listen to conversation (P) Get target to state combo (I) Bribe (P) Cut open safe

(P) improperly (I) Install

Example – Marking all impossible actions

Open safe

Pick lock (I) Learn combo

Find written

combo (I) from target Get combo

Threaten (I) Blackmail (I) Eavesdrop

Listen to conversation (P) Get target to state combo (I) Bribe (P) Cut open safe

Example – Estimating costs

Open safe ($10 K) Pick lock ($30 K) Learn combo ($20 K) Find written combo ($75 K) Get combo from target ($20 K) Threaten ($60 K) Blackmail ($100 K) Eavesdrop ($60 K) Listen to conversation ($20 K) Get target to state combo ($40 K) Bribe ($20 K) Cut open safe

($10 K)

Install improperly

($100 K)

Enigma

I The term Enigma is Greek, meaning “riddle”

I Invented by Arthur Scherbius (1878–1929)

I Primarily used during World War 2 by the German army

Internal Structure

I 5 different rotos, can be

arbitrarily used

I Each rotor has 26 positions

I Additional plug

connections to swap characters

I Key concept: each input

character must not map to the same character in ciphertext

I Encryption process is the

Cryptanalysis

I Polish mathematician Marian Rejewski

deciphered the rotors using permutation theory in 1932

I _{Weaknesses in using the Enigma, e.g.,} submission of the rotor start positions in encrypted form

I Mechanical decoding became possible

I The Polish submitted their information to the

British in 1939

I Alan Turing invented thebombin 1940

I _{More than 30 000 radio messages have been} deciphered

Weaknesses

I 2×1023 different keys assuming 3 out of 5

rotors, plug connections, and two possible reflectors, which roughly translates to a key length of 77 bit

I The period of the middle and leftmost rotors

are too long

I Weaknesses introduced by the reflector

Copyleft

I Slide 13: Wikipedia, User Littlejoe, GNU Free Documentation Licence

I Slides 14, 18, 17: Wikipedia, GNU Free Documentation Licence

I Slides 15, 16: Copyright (c) 2008 Frode Weierud, http://cryptocellar.web.cern.ch/cryptocellar/Enigma/