Mengfei Liu
# Lecture 1
- threat
- vulnerability
- passive attack: interception
- active attack: interruption, modification, fabrication
- Confidentiality, Integrity, Authenticity and Availability
- encryption, encryption key, decryption key
- one-time pad

# Lecture 2
- access control
- entity authentication
  - password-based entity authentication
  - challenge-response protocol
- physical security
- MAC (pre-shared key)
- digital signature (no pre-shared key)
- Availability
- Confidentiality (encryption), Integrity and Authenticity (MAC or digital signature)
- Cryptanalysis
- Symmetric key
- Public key
  - public key infrastructure
  - certification authorities

# Lecture 3
- threat from processing and computing capacity
- physical threat
- side-channel attack
- threat from wireless transmission
- man-in-the-middle attack
- buffer overflow

# Lecture 4
- arguments
- return address
- previous frame pointer
- local variables
- frame pointer
- stack smash attack
- heap smashing
- return-to-libc
- code analyzer
- separation
- non-executable stacks
- canaries
- address randomization
- argument validation
- integer overflow

# Lecture 5
- TOCTOU (Time-of-Check to Time-of-Use)
- race conditions
- critical section
- speculative execution
- Spectre attack (?)

# Lecture 6
- Malware: malicious code, rogue program, malware
  - Virus: replicates itself, passes malicious code to other non-malicious programs
  - Worm: spreads copies through a network, degrades performance
  - Trojan horse: benign apparent effect but hidden malicious effect
- Types of malicious code
- Mirai
  - rapid scanning
  - brute-force login
  - a separate loader program downloads the malware
  - attempts to conceal its presence
  - bots may attack while simultaneously scanning for new victims
- Cryptojacking
- botnet: internet-connected devices, each running one or more bots
- DDoS (distributed denial of service)
- Telnet
- Software simplicity
- Information hiding
- isolated modules
- Encrypted virus

# Lecture 7 (read again)
- Trusted platform
- Bootstrapping: booting -> OS -> applications chain
- software attacks
- physical attacks: differential fault analysis (DFA)
- Side-channel analysis
  - timing analysis
- Root of trust: launched by an authorized party trusted by all stakeholders, cannot be modified or bypassed
- Transitive trust principle
  - execution of an upper-layer entity $\Sigma$ depends on certain entities in the lower layers (e.g. booting)
  - these entities are called dependencies of $\Sigma$
  - the set of all dependencies is $D(\Sigma)$
  - entity $\Delta$ is a dependency of $\Sigma$, or $\Delta \in D(\Sigma)$, means:
    - $\Delta$ has read/write access to the data of $\Sigma$, or
    - $\Delta$ has write privilege to the code of $\Sigma$
  - $\Delta \leftarrow \Sigma$ denotes that entity $\Delta$ is a dependency of $\Sigma$
  - $\leftarrow$ is transitive => can form a trust chain that goes to the root of trust
- Booting process
  - sequential events, each starting one entity
  - loading the OS into memory from power-off: booting or bootstrapping
  - Secure booting: prevent an attacker from potentially seizing execution of a computer at several points in the boot process
  - Trusted boot: forces the platform to boot to a correct configuration
  - Secure boot: detects a difference from the correct configuration and halts
  - Authenticated boot: faithfully reports the configuration it has booted to, to a party which relies on the trust status of the platform
  - Boot string: each component takes control and activates the next component in booting
- Root public key
  - $pk_A$ certified by $pk_B$ means it is signed by private key $sk_B$, denoted by $pk_B \Rightarrow_C pk_A$
  - public-key chain
- validation authority: makes sure the entity to be installed is valid (created by a legitimate party, and its authenticity and integrity are not compromised when being transmitted to the platform)
- attestation: validation by a remote party
- Authentication data (AD): a digital signature verified vertically and horizontally
- One-time programmable memory
- Tamper response hardware
- Secure storage

# Lecture 8
- Feedback shift register
  - feedback function
- LFSR (linear feedback shift register)
- m-sequence: LFSR output of period $2^n - 1$
- characteristic polynomial
- Run
- Autocorrelation and cross-correlation
- Golomb's three randomness postulates
  - $\# 0 = \# 1$
  - length of runs
  - autocorrelation: $N$ if $\tau = 0$, else $K$; $K = -1$ for odd $N$ and $0$ for even $N$
- Linear span
- Berlekamp-Massey algorithm (BMA)
- Linear span attack
- Filter function generator
- Combinatorial function generator
- Clock-control generator and shrinking generator
- Operations on the LFSR
  - output transform by non-linear functions
  - change the clock to an irregular one (use an LFSR to control the clock of another one), delete some output bits
  - combination of the above
  - goal: increase the linear span while preserving randomness
- Pseudorandom: the distribution of the string is indistinguishable from the uniform distribution over the strings
- Probabilistic polynomial time (PPT) algorithm
- Pseudorandom generator: receives a short input, outputs a long pseudorandom sequence

# Lecture 9
- Correlation attack: recover the initial state of an LFSR using the correlation between input and output
  - the initial state of LFSR $i$ can be found independently of LFSR $j$, $i \neq j$, with $2^{n_i}$ tests
  - $T_2 = \sum_{i=0}^{m-1} 2^{n_i}$ is the complexity for $m$ sub-generators
  - uses a divide-and-conquer strategy
  - $S_i = \{C_{(s^T, x_i)}(\tau) \mid \tau = 0, \dots, 2^{n_i} - 1\}$
  - find the $\tau_{max}$ that gives the maximum value in the set above; the initial state of LFSR$_i$ for generating $s^T$ is decoded as the initial state of $x_i$ shifted by $\tau_{max}$
- Stream cipher: like a one-time pad, but the key is generated by a key stream generator implemented as a pseudorandom number generator
- Kerckhoffs' principle: the algorithms of the cipher system are public; the only secret is the pre-shared key
- Two phases in a stream cipher
  - two inputs to the KIA (key initialization algorithm): initial vector (IV, public) and key ($k$, secret, pre-shared)
  - goal: scramble the key bits with the IV to get a bit stream as random as possible
  - the output of the KIA is the initial value of the PSG (pseudo-sequence generator), which produces the key stream for encryption
- Attacks: correlation attacks, linear cryptanalysis, differential cryptanalysis, time-memory trade-off attack, algebraic attacks
- GSM
- RC4 (Ron's Code 4)
- WG stream cipher

# Lecture 10
- Block ciphers (DES and AES)
  - encryption / decryption are key-dependent functions which map $n$-bit vectors to $n$-bit vectors in a 1:1 fashion
  - Confusion property: make the statistical relationship between a ciphertext and a key complex, in that each bit of the ciphertext should depend on all or multiple key bits
  - Diffusion property: each plaintext digit affects many ciphertext digits
- Structure of block ciphers
  - Feistel structure: NLFSR with input
  - Substitution-permutation network (SPN): an FSM structure
  - a round function: add keys, nonlinear permutation S-box layer (confusion), linear permutation layer (diffusion)
  - Substitution boxes (S-boxes): a number of small nonlinear functions
- **DES**
  - Feistel (NLFSR) cipher with 16 rounds
  - ![](https://i.imgur.com/v44xpuA.png)
  - 64-bit block length, each register holds 32 bits ($a_1, a_0$), 56-bit key; each round of DES uses a 48-bit subkey (a subset of the 56-bit key)
  - NLFSR where the plaintext $(a_0, a_1)$ serves as the initial state, clocked 16 times; the internal state is then the ciphertext $(a_{16}, a_{17})$
  - $f$ maps 32 bits to 48 bits, in which each 2 bits are used to select a 4-bit nonlinear permutation, so it consists of 8 S-boxes and each S-box is composed of 4-bit permutations
- **AES**
  - 3 block sizes: 128, 192, 256
  - 3 key lengths: 128, 192, 256 (independent of block size)
  - the number of rounds varies from 10 to 14 depending on key length
  - each round consists of 3 functions, in three "layers":
    - 8-bit inverse permutation (sub-byte transform)
    - 32-bit linear transformation (mix columns operation), and
    - 128-bit permutation (shift rows operation)
- **Time-memory trade-off attack** (birthday attack)
  - $S$ is a set of size $n$, and one randomly picks $m$ elements of $S$ with replacement
  - the probability that two of these $m$ selected elements are the same is $1 - e^{-m^2 / (2n)} \leq \frac{m^2}{2n}$
  - Collision lemma
  - this means that if the attacker stores $m = \sqrt{N}$ (key, ciphertext) pairs for a fixed plaintext, where $N$ is the number of keys, then when one key is picked the probability of its ciphertext being in the set is $m^{2}/2N = 1/2$
  - by the TMT attack, the security strength of the cipher is reduced to half of the key size!
- Block cipher modes
  - Electronic Codebook (ECB) mode
  - Cipher Block Chaining (CBC) mode
    - Encryption: $C_0 = E_K(IV + M_0)$, $C_i = E_K(C_{i-1} + M_i)$
    - Decryption: $M_0 = D_K(C_0) + IV$, $M_i = D_K(C_i) + C_{i-1}$
    - $E_K, D_K$: encryption and decryption with key $K$; $M_i$ is plaintext
- Block cipher implemented as stream cipher modes
  - Cipher Feedback (CFB) mode
    - key stream generation: $K_i = E_K(C_{i-1})$, $C_0 = IV$
    - encryption: $C_i = K_i + M_i = E_K(C_{i-1}) + M_i$
    - problematic with errors, because a different stream will be generated
  - Counter (CTR) mode
    - key stream generation: $K_i = E_K(Counter + i - 1)$
    - encryption: $C_i = K_i + M_i$
    - no error propagation

# Lecture 11
- Chosen-plaintext attack (CPA)
  - adversary $A$ is allowed to ask for the encryption of multiple messages chosen adaptively (can interact with the encryption oracle freely)
  - guess which of the two messages $m_0$ and $m_1$ chosen by $A$ a ciphertext corresponds to
  - Formally:
    - a key $k$ is generated by $Gen$
    - $A$ picks two plaintexts $m_0$ and $m_1$ and presents them to the encryption oracle ($O$)
    - $O$ randomly chooses $b \in \{0, 1\}$ and provides $c = Enc_k(m_b)$ to $A$
    - $A$ can further query the encryption oracle $O$ to get more ciphertexts
    - $A$ outputs $b' \in \{0, 1\}$
    - the adversary is successful if $b' = b$; then $Priv^{cpa} = 1$
  - CPA-secure if for all probabilistic polynomial time (PPT) adversaries $A$ there exists a negligible function $negl$ such that $Pr(Priv^{cpa} = 1) \leq \frac{1}{2} + negl(n)$
  - ECB mode is NOT CPA-secure
  - no deterministic encryption can be CPA-secure
  - CPA-secure: CBC, CFB, CTR
  - parallel-efficient: ECB, CTR
- Secure hash functions (SHA)
  - hash function: a map from $m$ bits to $n$ bits where $m > n$
  - Collision resistance: the probability of finding a collision is negligible (strongest; implies second pre-image resistance)
  - Second pre-image resistance: given $x$, the probability of finding $y \neq x$ with $h(y) = h(x)$ is negligible (implies pre-image resistance)
  - Pre-image resistance: given $z$, the probability of finding $x$ s.t. $z = h(x)$ is negligible
  - Security parameters: MD5: $n = 128$; SHA-1: $n = 160$; SHA-2: $n \in \{224, 256, 384, 512\}$
    - the non-linear function layers are the same, except that the number of registers is smaller or larger than in SHA-1
  - SHA-1: input is a bit stream of any length, divided into 512-bit blocks; output is 160 bits
  - SHA-3: Keccak; resists preimage, second preimage, and collision attacks
- MAC (Message Authentication Code)
  - provides authenticity of a user or source origin
  - pre-shared key
  - MAC = (Gen, MAC, Ver): generating parameters, producing an authentication tag, verifying the validity of a tag
  - for message $m$ and tag $t$: $Ver(m, t) = 1$ => verification success, 0 for failure
  - MAC-forge oracle: key $k$ from Gen; adversary $A$ outputs pairs $(m, t)$ forming $O$, with access to $MAC_k(\cdot)$
  - MAC-forge = 1 if $Ver(m, t) = 1$ and $m \in O$, otherwise 0
  - a message authentication code is secure, or existentially unforgeable under an adaptive chosen-message attack, if for all probabilistic polynomial-time adversaries the probability that MAC-forge equals 1 is negligible
  - CBC-MAC: a MAC from a block cipher: $f$ is a PRF, message $m = m_1, \dots, m_d$ of $n$-bit blocks; generate the CBC-MAC, send it to the verifier, check the tag
- Public-key cryptography
  - public-key scheme (Gen, Enc, Dec); each user has a key pair $(pk_x, sk_x)$
  - One-way function: a function that is easy to compute but hard to invert (polynomial time forward to find the image, no probabilistic polynomial time algorithm for computing a preimage)
  - Trapdoor one-way function: easy to find the image, hard to find a preimage without the trapdoor (extra info)

# Lecture 12
- Prime finite fields $GF(p)$
  - $p$: prime number; the finite field with $p$ elements is $GF(p) = \{0, \dots, p - 1\}$
  - Primitive elements in $GF(p)$: $g$ is called a primitive element or generator of $GF(p)$ if $g^{p-1} = 1$ and $g^r \neq 1$ for $1 \leq r < p - 1$
  - Note: to check this, one only needs to check, for each prime factor $q$ of $p - 1$, that $g^{(p-1)/q} \neq 1$
  - Inverse: Euclidean algorithm
  - Exponentiation: square-and-multiply
- Diffie-Hellman (DH) key exchange
  - Domain parameters: $n$, the security parameter (number of bits of $p$); prime $p$ s.t. $2^{n-1} \leq p < 2^n$; primitive element $g$ in $GF(p)$
  - Alice: select $a$ s.t. $0 < a < p$ and $gcd(a, p - 1) = 1$; $sk_A = a$, $pk_A = g^a$. Similarly for Bob with $B, b$
  - after the key exchange, the shared key is $g^{ab} \bmod p$
  - $p = 2q + 1$ for prime $q$ $\Rightarrow$ $p$ is a strong prime
- RSA encryption and digital signature
  - each user has their own domain parameters
  - not CPA-secure
- RSA-DSA (DSA: Digital Signature Algorithm)
  - fault attack on RSA-DSA
- Digital Signature Standard (DSS)

# Lecture 14
- Hash chain based one-time password authentication (countermeasure for intercepting communication and gaining access via passwords stored in the system)
  - the user generates a hash chain, stores $k_0$ in the system and uses the $k_i$ as passwords (different each time)
  - at $t_1$ the system verifies $k_0 = h(k_1)$
  - the system stores $k_0, k_{i-1}$ when $i - 1$ passwords have been used, and verifies $k_{i-1} = h(k_i)$ for the next use
  - can be used $n - 1$ times before password regeneration is needed
- Merkle tree (countermeasure for intercepting communication)
  - Generation
    - $n$ data items $x_0, \dots, x_{n-1}$ generated by a set of users $B$, to be authenticated by $A$
    - $B$ generates a tree of height $h = \lceil \log n \rceil$ with $n$ leaves, each attached to $h(x_i)$
    - each parent is attached with $a_{i, j} = h(v_{left} \| v_{right})$
    - $B$ submits the root value $r$ to server $A$, either by signing it or by transmitting it via a protected channel
  - Authentication
    - find a path from leaf $x_i$ to root $r$: $Auth(x_i) = \{a_i, a_{1, j_1}, \dots, a_{h-1, j_{h-1}}, r\}$ and $Sib(x_i) = \{a_t, a_{1, l_1}, \dots, a_{h-1, l_{h-1}}\}$, where $a_t$ is the sibling of $a_i$; $Sib(x_i)$ consists of all siblings along the path
    - $A$ requests $B$ to submit all sibling values in $Sib(x_i)$, calculates the root $d$ from those values and checks whether $d = r$
  - Honest-but-curious model: the server performs the functions the client asked for correctly, but may violate confidentiality (access) and integrity (change)
  - the owner can add and modify; the client can only query data
  - Constructing the tree
    - the owner generates the data set $D = \{x_0, \dots, x_{n-1}\}$, generates the Merkle tree and signs the root, $Sig_{owner}(MT_{root})$
    - submits data and signature to the server and keeps the root, while disposing of all other intermediate results including the data
    - the server generates the Merkle tree to verify the validity of the root (valid $\rightarrow$ store); the tree can be computed upon request
    - the client queries data $x_i$; the server sends $(x_i, Sib(x_i))$; the client or owner computes the root and checks its validity
- Bitcoin chain
  - a network of computers maintains a collective bookkeeping via the Internet. Each owns an exact full copy of the bookkeeping. The bookkeeping is not closed or controlled by one party. This fully distributed, publicly available ledger is called the **Blockchain**
  - each entity has a public key pair $(sk_i, pk_i)$, where $pk_i$ serves as the wallet address
  - Transaction: $(pk_i, pk_j, amt)$; $pk_i$: input address, $pk_j$: output address, $amt$: the amount entity $i$ wishes to send to entity $j$
    - inputs: bitcoin address used to send to
    - amount: amount
    - output(s): receiver's bitcoin address
  - the contents will be digitally signed
  - Alice signs $T_x = (pk_A, pk_B, 3)$ in a transaction to Bob. The signed data is broadcast to the network and ends up in a block in the blockchain
  - a bitcoin in a chain of transactions: tracing its flow from mining up until the current owner address
  - Validation: sender's signature, spending authorization, entity $A$ referenced the input transaction once (prevents double spending)
  - Proof-of-Work
    - a distributed timestamp server to prove transactions
    - a miner finds a nonce in the block such that its hash value has the required number of leading zeros
    - $h(h(Tx_{prev} \| pk_1 \| pk_2 \| amt_1 \| nonce)) = 00000\dots0{*}{*}{*}{*}\dots{*}$, where $Tx_{current}$ is the current transaction
    - when the first miner finds the preimage, he broadcasts it and the other miners verify its validity. This is non-fungible
    - if you tamper with one block, you will need to recalculate the proof of work for all subsequent blocks
    - integrity and authenticity of transactions is provided by Merkle tree authentication: a miner gets the sibling path from other miners who store the transactions in order to validate a transaction
  - Double-spending: the second transaction will have the same origin as the first one, so it will be detected
  - 51% attack: a miner has more than 50% of the computing power, so nothing can be prevented

# Lecture 15
- Layers: Application, (Presentation), (Session), Transport, Network, Data Link, Physical
- Certificate Authority: signs the public key together with the owner's identity, so that it can be verified that the public key is from that individual (Eve cannot forge Bob's key)
  - PKI (public key infrastructure)
  - Format: X.509 format
  - the CA's public key must be recognized as authentic; everyone trusts the CA
- Adversary model: limited polynomial power; passive (can observe for at most polynomial time), active (can observe, abort, and inject)
- Entity authentication is needed to prevent MITM attacks
  - assurance of claimed identities
  - authentication credentials: long-term key certified by the CA
  - binding identities with keys
  - mutual authentication: both parties conduct entity authentication
- Notations
  - $ID_X$: identity of party $X$
  - $R_X$: random number generated by party $X$
  - $MAC(K, U_1, \dots, U_n)$ or $MAC_K(U)$: authentication tag generated by a MAC using $K$ over $n$ data fields
  - $Sig_X(U) = Sig_{sk_X}(U)$: digital signature generated by party $X$ over $n$ data fields $U$
  - $[U]_X$: data fields $U_1 \dots U_n$ authenticated by $X$'s authentication key
    - MAC: $[U]_X = (U, MAC(K_{XY}, U))$
    - Digital signature: $[U]_X = (U, Sig_X(U))$
- Protocol A: mutual authentication
  - ![](https://i.imgur.com/AidSAEw.png)
  - attacker $E$ needs to forge the authentication tag $Tag_A$ to impersonate $A$
  - selective forgery vs. existential forgery; the challenge is used to prevent replay attacks
- The two parties now trust each other; how to do authenticated key exchange (share a session key as opposed to the long-term key): Protocol B
  - ![](https://i.imgur.com/mSnAHW5.png)
  - secret value: $\alpha$
  - $E_A$: encrypted by $A$'s public key or a shared symmetric key
  - at the end both parties share $\alpha$
  - Key derivation: derive a key from a cryptographic scheme (uses a PSG)
  - Key confirmation: confirm that the other party has the established key
- Perfect forward secrecy
  - an authenticated key exchange protocol provides perfect forward secrecy if disclosure of the long-term secret key does not compromise the secrecy of the exchanged keys from earlier sessions
  - often achieved through DH key exchange (agreement)

# Lecture 16
- Protocol C, which achieves perfect forward secrecy: IKE
  - ![](https://i.imgur.com/79yUSq5.png)
  - $ID_A$ is not exchanged in the beginning, to help with privacy protection of $A$
  - certificate-based authentication for the session public keys $g^a, g^b$, signed by $A$'s and $B$'s public keys (verified by the CA) to prevent MITM attacks
  - so in the second round $B$ also sends $cert_{CA}(pk_B, ID_B, \dots)$, and similarly for $A$
  - certificate-based authentication: the trust relationship is established by verifying the certificate first, then the signature on the DH session key
  - key confirmation with a MAC
- Authenticated key establishment: mutual authentication, mutual key generation, freshness of keys, known-key security, perfect forward secrecy, non-repudiation
- Internet security protocols
  - IKE (Internet Key Exchange)
  - IPsec
    - Authentication Header (AH): authenticity and integrity
    - Encapsulating Security Payload (ESP): encryption, authenticity, and integrity for IP packets
    - Security association (SA): a set of cryptographic algorithms and keys as well as their lifetimes
      - unidirectional (src -> dest is one SA, dest -> src is another SA)
      - contains four algorithms: a DH group, a pseudorandom function, an integrity protection algorithm (MAC), an encryption algorithm (Enc)
      - each SA has a security parameter index (SPI), a 32-bit value identifying an SA
      - the SPI may not be globally unique, but (SPI, source IP, protocol (AH or ESP)) uniquely identifies an SA at the receiving host
    - Using SAs to process IPsec packets: ![](https://i.imgur.com/pQfMzmV.png)
  - IKEv2
    - two parties: Initiator and Responder (both IP hosts)
    - four main exchanges:
      - IKE_SA_INIT: negotiate parameters for IKE SAs
      - IKE_AUTH: transmit identities and prove knowledge of the authentication credentials corresponding to the identities
      - CREATE_CHILD_SA: create CHILD SAs for ESP, AH, or both
      - INFORMATIONAL: delete an SA, report error conditions, or pass other housekeeping information
    - see slides for exchange details
    - Attack: flooding the target host (DoS, denial of service) attack; multiple responders
    - Solution: cookies

# Lecture 17
- IPsec modes
  - Transport mode: the source and destination for the IPsec protocols are also the actual source and destination of the IP packets
    - IPsec header in transport mode: ![](https://i.imgur.com/m1ExSAq.png)
    - IPsec header in transport mode: ![](https://i.imgur.com/xPgeBQp.png)
  - Tunnel mode: IPsec protection is applied between two IP hosts other than the source and destination
    - provides a security gateway for an enterprise network instead of the real destination (example: VPN)
    - ![](https://i.imgur.com/jtXuT4F.png)
- Authentication Header (AH): the IPsec protocol that provides message origin authentication, integrity protection, and anti-replay protection
  - a MAC, with other information, inserted into the header; details see slides
- Encapsulating Security Payload (ESP)
  - multiple protection combinations: confidentiality only, integrity only, and confidentiality and integrity
  - anti-replay feature when integrity is provided
  - TFC (traffic flow confidentiality) in tunnel mode with confidentiality
  - Enc-then-Auth
- TLS (Transport Layer Security)
  - based on Secure Socket Layer (SSL)
  - establishes a secure connection through the Internet to a server
  - server authentication is required, client authentication is optional
  - a layered protocol consisting of a record protocol and client protocols
  - on top of a transport protocol (example: TCP)
  - the TLS record protocol encapsulates 4 upper-layer protocols: handshake protocol, change cipher spec protocol, alert protocol, application data protocol
  - the record layer takes messages from the upper client to be transmitted, fragments them into manageable blocks, applies authentication and encryption, then transmits
  - received data will be decrypted, verified, decompressed, reconstructed and delivered to the upper layer
- TLS handshake
  - ![](https://i.imgur.com/jAXcJNx.png)
  - cipher suite negotiation, mutual authentication, key establishment, and using the keys to protect application data
  - ClientHello and ServerHello negotiate the cipher suite and compression method
  - hash function: **HMAC**, used as a PRF to form a KDF
  - Key exchange and key establishment
    - the selected algorithm will be used to generate the key exchange messages
    - `ClientKeyExchange` and `ServerKeyExchange`: client and server establish a secret value, the _pre-master secret_
    - three key exchange options: DHE (ephemeral Diffie-Hellman), DH, and RSA
    - ![](https://i.imgur.com/rhMiUtv.png)
    - only DHE provides perfect forward secrecy
    - the pre-master secret is used to derive the **master secret** through the PRF, which generates the keying material and results in multiple keys

# Lecture 18
- Certificate and authentication
  - server authentication: explicit (DHE) or implicit (DH / RSA)
  - the random numbers prevent replay attacks
- Application data protection
  - application data is processed by the record layer before being transmitted
  - protection mode: **Auth-then-Enc**
- Security analysis of TLS
  - make sure server and client are connecting to what they want to connect to
  - TLS cannot be considered a trusted communication if client authentication is not conducted
  - slow due to auth-then-enc
  - used to establish a protected channel for the user to enter a password
- Attacks
  - Compression side-channel attack: if $P$ is more random than $P'$, then after compression the length of $S$ is larger than that of $S'$
  - Downgrade attack: a MITM attack that tricks the server into only picking a cipher suite from SSL (downgrade cipher)
  - CRIME: a side-channel attack that can be used to discover session tokens or other secret information based on the compressed size of HTTP requests; change the input and compare lengths to guess the secret value
    - no simple countermeasure besides disabling compression

# Lecture 19
- Hop-by-hop vs. end-to-end protections
  - ![](https://i.imgur.com/fJLloQA.png)
  - end-to-end: node 1 and node $n$ establish keys; when data is encrypted by node 1, only node $n$ can decrypt it
  - hop-by-hop: each link between node $i$ and node $i + 1$ establishes a key. Data encrypted by node $i - 1$ can be decrypted by node $i$. Data is decrypted and re-encrypted at every link
  - most of the time they co-exist
- Intra-domain vs. inter-domain protections
  - intra-domain: hop-by-hop protection
  - inter-domain: use a gateway in each domain to tunnel communications
- Virtual Private Networks (VPN)
  - protect remote access to an enterprise network; protect inter-domain communications
  - can be established through IP-layer protection or TCP-layer protection
  - establishes an IPsec tunnel with a gateway of the network (VPN gateway)
- Firewalls
  - designed to protect internal networks (intranets) from outside threats
  - all traffic in/out must pass through the firewall
  - only authorized traffic is allowed to pass
  - the firewall must be immune to penetration
  - Policy: service control, user control, behaviour control
  - Spoofing: create IP packets with a false source IP address for the purpose of impersonating another computing system
  - source routing attack
  - tiny fragment attack
  - Gateways: application-level gateway, circuit-level gateway
- Protected wireless links
  - Point of Attachment (PoA): protection applied at a lower layer
  - must use the same mechanism with the maximum possible security strength
  - a stream cipher is often used for efficiency
  - concerns on PoA protection: must be implemented in hardware; limited choice of algorithms; a compromised algorithm means the hardware needs to be replaced
  - vulnerabilities: easily eavesdropped; can be jammed; the key needs to be updated frequently to avoid cracking of the cipher

# Lecture 20
- 4G-LTE EUTRAN network structure
  - ![](https://i.imgur.com/5QI9lwf.png)
  - UTRAN: UE (user equipment), base stations, RNCs (radio network controllers)
  - 4G-LTE adopted that while simplifying some blocks
  - EUTRAN
    - physical layer: between the UE and the base station through wireless media, and between the base station and the RNC through wired media
    - link layer: MAC (media access control) and RLC sublayers
    - network layer: only the lowest sublayer, radio resource control (RRC), is in the RNC
  - 4G-LTE radio access network
    - the radio access network of EPS: "evolved" UTRAN network (EUTRAN)
    - the EPS IP network involves fewer network entities and has a rather flat hierarchy
    - new core network element in EPS: Mobility Management Entity (MME)
    - the core network for the user plane is called the Serving Gateway (S-GW)
    - the HLR of GSM and 3G is extended to a Home Subscriber Server (HSS)
    - LTE adopted packet switching in the entire network. A formal name for the system developed through LTE is Evolved Packet System (EPS)
  - 4G-LTE adopts UMTS (3G)'s AKA protocol
  - ![](https://i.imgur.com/VgByrvJ.png)
  - base station and MME are considered to be one entity when conducting AKA; the HSS stores keys
- 4G-LTE Access Authentication and Key Agreement (AKA) protocol
  - the $f_i$s are AES or TUAK (based on SHA-3)
  - the long-term credential for authentication is the key $K$ shared by UE and AuC
  - challenge-response protocol
  - MME: access server; verifies the validity of RES using the XRES received from the AuC
  - entity authentication of the network: through sequence-number based authentication (the UE does not challenge the network)
  - not a mutual authentication protocol, as SQN is not random
  - multiple AVs: for example, Rogers -> France -> Orange: when making the first call, forward the IMSI to Rogers, then Rogers forwards many AVs so that subsequent calls do not require contacting Rogers
  - EEA: evolved encryption algorithm; EIA: evolved integrity algorithm
  - SNOW 3G
- GHASH
  - ![](https://i.imgur.com/6Je4jDF.png)
  - add left padding and segment it into the number of bits asked for
  - $GHASH(P, H) = \sum_{i=1}^n P_i H^{i}$
  - it might actually be easier to use the formula above, but Horner's algorithm is just more efficient
  - linear function: $GHASH(P, H) + GHASH(P', H) = GHASH(P + P', H)$
  - we can forge the GHASH value of $P + P'$ from $P$ and $P'$; this is a valid MAC
  - therefore $H$ should be different for each MAC generation to prevent this, but attackers can try to reuse the IV
- EIA1
  - ![](https://i.imgur.com/dxcdB1i.png)
  - $MAC\text{-}I(M) = \left[\sum_{i=1}^n P^i M_{n + 1 - i} \cdot Q\right]_{0 \dots 31} + [LENGTH \cdot Q]_{0 \dots 31} + OTP$
- Encryption and authenticity of user data and control signals
  - encryption in the 4G-LTE air link is applied to both user data in the MAC layer and control signals in the Radio Resource Control layer
  - integrity and authenticity is only applied to control signals, not to user data

# Lecture 21
- IEEE 802.11 security solutions
  - broadband communication
  - two modes: infrastructure mode (access point) and ad hoc mode (form a local network through the wireless interfaces among a group of wireless stations)
  - infrastructure mode: no implications for security infrastructure support
  - an AP is identified by an SSID. Access point and wireless stations: BSS (basic service set)
  - difference between cellular and IEEE 802.11: cellular has a dedicated infrastructure to support access authentication and key establishment for air link protection; 802.11 has no dedicated infrastructure for security
- WEP (Wired Equivalent Privacy)
  - protects the wireless link to achieve the same security as a wired link
  - a protocol between a station and an access point; a symmetric key is used to authenticate and encrypt
  - two options for client authentication
    - open authentication: only need the correct SSID
    - pre-shared key authentication: the key is shared among the stations in a BSS; no mechanism for key update (bad)
  - two versions: 40-bit and 104-bit key support. Authentication and encryption use RC4 (stream cipher)
  - RC4: generate the key stream with an initial vector $IV = v$ for each packet, such that the key stream is generated as $K_S = RC4(k, v)$
  - generating the integrity check vector (ICV) using CRC
  - the IV is 24 bits, so after $2^{24}$ bits the keystream will repeat
  - challenge-response authentication: if an attacker recovers the challenge $ch$ and the response $ch + K_s$, he can recover the keystream
  - Security flaws
    - RC4 is weak
    - short IV: a collision will happen after $2^{12}$ by the birthday attack; same key stream: a problem if $P_1$ and $P_2$ are encrypted by the same key stream, one may be able to recover plaintext
    - CRC for integrity protection: forgeable, no cryptographic keys
    - authentication gives out the key stream: $K_s = ch + (ch + K_s)$
    - lack of key update: does not support key update, which makes attacks practical
- Robust Security Network (RSN): a set of mechanisms consisting of access authentication, key establishment, local authentication, security association establishment, key management, and data traffic protection algorithms
- a set of cipher suites - IEEE 802.1X authentication enables session key update through **four-way handshaking** key establishment protocl - Wireless Protection Algorithms (WPA) - overcome security flaws of WEP, Counter Mode with CBC-MAC protocol (CCMP) - uses AES block cipher (CBC-MAC) in CCM mode - data and message integrity code (MIC) are encrypted in AES counter mode - MAC-then-Enc (same as TLS) - Used GCM to secure Wifi - GCM protocol (GCMP) - WPA2 - GCMP - Galois/CounterMode Protocol, support for short range communication - susceptible to nonce reuse attack (GHASH) - Wifi location system - client -> probe, ask for surrounding AP info - AP -> reply with SSID and MAC - client -> send to wifi-based location system - LSP (Location service provider) provide location information, database lookup - Attack: - jam legitmate access points, setup fake access points # Lecture 22 - HTTP: hypertext transfer protocl, used for retrieving the requested web page - no protection - HTTPS - HTTP over TLS - security and data integrity - Relies on a PKI system to verify the authentication of the website, applications, and any other Intenet endpoints - Security of HTTPS - rely on server certificate to verify identity of server (and client) to establish protected channel - depend on PKI (using CA) - check whether certificate is valid! 
- Sessions - HTTP protocol is stateless - session: encapsulates information about a visitor that persists beyond the loading of a single page - pass session information to wb server each time the user nagivates to a new page using GET/POT - use cookies to implement server-side session variables - Session's security concerns - session hijacking: attackers can impersonate victim's identity by gaining access to the user's session information and aurthenticating to a web site - Cookies - create user sessions using small packets of data called cookies, which are sent to the client by the web server and stored on the client's machine - When user visits the website, these cookies are returned, unchanged, to the server - can "remember" that user and access their information - Cookies also carry sensitive information of sessions - in HTTPS, cookies are encrypted and only web server can decrypt it but it is tranmitted in plaintext in HTTP - compression side-channel attack! - Server-side sesions - use a session ID or session token that correspond to user session - Privacy of cookies - encrypted for HTTPS but may allow attacker to assume user's session - make it expire - Third party cookies - server sets cookies through HTTPS response - a website may have embedded image from another site, the site hosting the image can set a cookie on user's machine - **Thid party cookies** - Can be used to track user across multiple sites for usage statistics # Lecture 23 - Session hijacking - take over TCP session results in a session hijacking attack. 
- defences: - encrypt session IDs - fresh number should be sent - associate session token with IP address of the client - XSS (cross-site scripting) attack - attacker inject executable code in the interaction between client and server, executable code could either be executed by client or server, user thinks he/she is directly connected to the server but he/she isn't - client-side vulnerability because it exploits a user instead of the server, but root cause is on the server side - Defences: - strip malicious characters from user inputt - NoScript plugin - disable client-side scripts - CSRF (Cross-site request forgery) - exploits website's trust to a user - malicious website causes a user to unknowningly execute commands on a third party site that trust the user - Attack on servers - SQL injection - Certificate Transparency (CT) - create system of public logs that seek to eventually record all certificates issued by publicly trusted certificate authorities - Logging (issue SCT - Signed certificate timestamp) -> SCT validation -> monitoring/auditing # Lecture 24 - Attack on emails - fake emails, spam, phishing - countermeasureL PGP, S/MIMI, Enhance authentication and password enforced - PGP (Pretty GOod Privacy) - authenticity of user's public key is through a right of trust - Has PGP CA with uses three algorithms to issue the certificate (Gen, Sig, Ver) - different from PKI CA - Mutual entity authentication - encryption and integrity protection - PGP's three algorithms: Sign, encryption, and encrytpion and sign - S/MIME: Secure / Multipurpose Internet Email Extensions - privacy, authentication and user data integrity - Password hashing - resistant to attacks - one-wayness and collision resistance and resistant to known attacks - heavyness - computation and memory to deter brute force attacks - server-specific shortcut - KDF: implemented with PRF - Randomness extraction - Key expansion, for kerying material - counter mode - feedback mode - PBKDF - KDF, unaggressive 
usage of memory - susceptible to parallel cracking and hardware based attacks - bcrypt - adaptive iteration to make it slower - performs poorly toward thwarting attacks using dedicated hardware - scrypt - strong security - heavy on memory # Lecture 25 - HMAC - $HMAC_k(m) = t$ with $n$ bits key $k$ and $3n$ bits constant $(IV, ipad, opad)$ - collision resistant if $h$ is collision resistant - ![](https://i.imgur.com/DbhknzE.png) - PBKDF2 - a KDF - ![](https://i.imgur.com/ftKJkTz.png) - not memory heavy, but does defeat parallel computing - Salting - expand search space is salt is not known. Known value of salt - search space remains the same - ROMix - sequential memory hard (heavy in memory) # Lecture 26 - Do not store password as plaintext or with the same key - hashing - vulnerable to pre-computed values, and weak passwords, but it is hard to reverse - salting $tag = hash(password || salt)$, prevent pre-computing but can be defeated by parallelism - Multi-factor authentication - additional authentication besides password - need to be user friendly - Need to memorize password - Solution: - store user's credentials in a single device or service, and use certain key derivation functions to generate temporal passwords for sequential logins - exposes authentication server as a primary target - employ an Internet-scale authentication system that defines standard mechanism enabling the identity attributes of its users to be shared between web applications and cloud servers - Loxin system - passwordless authentication # Lecture 27 - Loxin server registration - ![](https://i.imgur.com/KB5oIuv.png) - Authentication process - ![](https://i.imgur.com/FyrogU9.png) - Security of Loxin - run on TLS - check validity of tag to defeat MITM attack - defeat replay attack with random numbers - $SK$ is not known to the server - it's OK even if server is compromised - reply on trustworthiness of IDP - Kerberos - single sign-on authentication token to use resource servers - AAA 
(authentication, authorization, and accounting) protocol - ![](https://i.imgur.com/WajxUGP.png) - Oauth # Lecture 28 - IoT - embedded / contrained environment - limited computation power for security - underprotected - personal privacy - Challenges - `security - scalability - reliability - Attacks - weak login password conjunct with malware - Mirai - weakness of password (e.g. Mirai, used 60 passwords)\ - Phillip - one masterkey is used! - wweakness of underlying cryptographic algorithm - Sony - TLS (downgrade attack) - private algorithm - attacks on protocls with which connect IoT devices - WPA2, 4G-LTE GCMP suffer from integrity forgery attacks (due to GHASH used) - 5G will too - Lightweight Crypto Standardization competition - Classification - single Tx/Rx pairs - Single-input and single-output - More complicated structures # Lecture 29 - Lightweight crypto? - accommodate for small, limited memory - RFID (Radio Frequency Identification) - microchip attached to a radio antenna mounted on a substrate - RFID tag: microchip attached to a radio antenna mounted on a substrate - RFID reader: deviec that emits radio waves and receive signals back from tag - information carried by tag is stored to backend database - ![](https://i.imgur.com/gSon6BD.png) - Types of RFID tags - Passive tag (no battery, harvest power from electromagnetic field) - Semi-passive tags (need battery to power up, but communicate with harvested signal) - Active tags (battery for communication and computing) - Risks - inventory or rogue scanning of tags (leaking product info) - tracing or tracking of tag-holdesr - Security Concerns - Replay attack - Tag counterfeiting or cloning - Replay attack Man-in-the-middle atack - Denial of service - Reverse engineer of tags - Privacy preserving entity authentication - reader and database - secured via known security mechanisms - challenge-response protocol (entity authentication protocol), reader send challenge, tag send response - device's ID is not sent, 
back-end server need to do exhaustive search for pairing ID and key to identify the tag - need to be high speed - deterministic verification - probabilistic verification - Mifare Classic - Crypto-1 - stream cipher - Use PRG (Pseudorandom Generator) - LFSR with degree 16, after which replay attack can be done # Lecture 30 - Mutual Authentication for Mifare - ![](https://i.imgur.com/ntkWxdU.png) - Flaws - key size is small (48 bits, $2^{24}$ by TMT attack, UID is fixed - key stream repeate over time) - Keeloq cipher - lightweight block cipher - Power analysis - Relay attack with proxy reader and proxy tag # Lecture 31 - Machine Learning - model training and prediction -
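The GHASH linearity noted under Lecture 20 and the GCMP nonce-reuse point under Lecture 21, worked through as an added Python example that is not part of the lecture notes: a GF(2^128) GHASH, a function checking the additive property on constructed inputs, and a hypothetical `NonceTracker` of the kind a defender uses to catch IV reuse before it matters. `DEMO_H` is a constructed value standing in for $H$.

```python
# Added example, not from the lecture notes. DEMO_H is a constructed stand-in for H.

# GCM reduction constant: x^128 + x^7 + x^2 + x + 1 in the bit-reflected encoding
R = 0xE1000000000000000000000000000000


def gf_mult(x: int, y: int) -> int:
    """Multiply two 128-bit field elements (NIST SP 800-38D, Algorithm 1)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:  # scan y from its most significant bit
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def to_blocks(data: bytes) -> list:
    """Zero-pad to a multiple of 16 bytes and split into 128-bit integers."""
    padded = data + b"\x00" * (-len(data) % 16)
    return [int.from_bytes(padded[i:i + 16], "big") for i in range(0, len(padded), 16)]


def ghash(data: bytes, h: int) -> int:
    """Horner form Y_i = (Y_{i-1} xor P_i) * H, which equals sum_i P_i * H^(n+1-i)."""
    y = 0
    for block in to_blocks(data):
        y = gf_mult(y ^ block, h)
    return y


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ghash_is_additive(p1: bytes, p2: bytes, h: int) -> bool:
    """GHASH(P1,H) xor GHASH(P2,H) == GHASH(P1 xor P2,H) for equal-length P1, P2.

    In GCM/GCMP the tag is GHASH xor a one-time mask derived from the nonce, so
    this additivity is only exploitable when a nonce (hence the mask) is reused.
    """
    if len(p1) != len(p2):
        raise ValueError("inputs must have equal length")
    return ghash(p1, h) ^ ghash(p2, h) == ghash(xor_bytes(p1, p2), h)


class NonceTracker:
    """Defensive check (hypothetical helper): refuse any (key id, nonce) pair seen before."""

    def __init__(self) -> None:
        self._seen = set()

    def register(self, key_id: str, nonce: bytes) -> bool:
        """Return True and record the pair if it is fresh; False on reuse."""
        if (key_id, nonce) in self._seen:
            return False
        self._seen.add((key_id, nonce))
        return True


DEMO_H = 0x66E94BD4EF8A2C3B884CFA59CA342B2E  # constructed H; in GCM it is AES_K(0^128)
```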
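The HMAC definition (Lecture 25), PBKDF2 as a KDF built on that PRF (Lectures 24 and 25) and salted password storage (Lecture 26), as one added Python example that is not from the notes; `make_record`, `verify_password` and `matches_stdlib` are hypothetical helper names, and results are cross-checked against Python's standard library.

```python
# Added example, not from the lecture notes; helper names are hypothetical.
import hashlib
import hmac
import secrets

BLOCK = 64  # SHA-256 block size in bytes
IPAD = bytes([0x36]) * BLOCK
OPAD = bytes([0x5C]) * BLOCK


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """HMAC_k(m) = h((k xor opad) || h((k xor ipad) || m)); longer keys are hashed first."""
    if len(key) > BLOCK:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK, b"\x00")
    inner = hashlib.sha256(xor_bytes(key, IPAD) + msg).digest()
    return hashlib.sha256(xor_bytes(key, OPAD) + inner).digest()


def pbkdf2_sha256(password: bytes, salt: bytes, iterations: int, dk_len: int = 32) -> bytes:
    """PBKDF2 with HMAC-SHA256 as the PRF (RFC 8018):
    U_1 = PRF(P, S || INT(i)), U_j = PRF(P, U_{j-1}), T_i = U_1 xor ... xor U_c.
    Each U_j depends on U_{j-1}, so the c iterations run sequentially and cost time,
    but only one block of state is kept, which is why PBKDF2 is not memory hard."""
    out = b""
    i = 1
    while len(out) < dk_len:
        u = hmac_sha256(password, salt + i.to_bytes(4, "big"))
        t = u
        for _ in range(iterations - 1):
            u = hmac_sha256(password, u)
            t = xor_bytes(t, u)
        out += t
        i += 1
    return out[:dk_len]


def matches_stdlib(password: bytes, salt: bytes, iterations: int, dk_len: int) -> bool:
    """Cross-check both functions against Python's hmac and hashlib.pbkdf2_hmac."""
    ok_hmac = hmac_sha256(password, salt) == hmac.new(password, salt, hashlib.sha256).digest()
    ok_kdf = pbkdf2_sha256(password, salt, iterations, dk_len) == hashlib.pbkdf2_hmac(
        "sha256", password, salt, iterations, dk_len)
    return ok_hmac and ok_kdf


def make_record(password: str, iterations: int = 100_000) -> dict:
    """Store a fresh random salt, the cost and the derived tag; never the password itself."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "iterations": iterations,
            "tag": pbkdf2_sha256(password.encode(), salt, iterations)}


def verify_password(record: dict, attempt: str) -> bool:
    """Recompute under the stored salt and cost, then compare in constant time."""
    candidate = pbkdf2_sha256(attempt.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["tag"])
```

Two records for the same password carry different salts and therefore different tags, which is the precomputation defence the notes describe; the iteration count is the per-guess cost knob.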