- Security is economics.
- Least privilege.
- Use fail-safe defaults.
- Separation of responsibility.
- Defense in depth.
- Psychological acceptability.
- Human factors matter.
- Ensure complete mediation.
- Know your threat model.
- Detect if you can’t prevent.
- Don’t rely on security through obscurity.
- Design security in from the start.
- Conservative design.
- Kerckhoffs’ principle.
- Proactively study attacks.
Standards often define security
Separation of responsibility
Only as secure as the weakest link
Trusted Computing Base (TCB)
TCB is the portion of the system that must operate correctly in order for the security goals of the system to be assured. Requires:
- Is correct (Verifiable)
- Is complete (Unbypassable)
- Is itself secure (Tamper-resistant)
Best way to assure correctness and security:
- KISS = Keep It Simple, Stupid!
- Simple = Small
Kerckhoffs' Principle
A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.
The enemy knows the system.
- Buffer overflow vulnerabilities (Stack smashing)
- Format string vulnerabilities
- Integer conversion vulnerabilities
- memory safe languages
- Non-Executable Stack Space
- Data Execution Protection/ W^X (write or execute)
Preconditions: what must hold for function to operate correctly
Postconditions: what holds after function completes
Invariants: conditions that always hold at a given point in a function
General correctness proof strategy for memory safety:
1. Identify each point of memory access
2. Write down the precondition it requires
3. Propagate the requirement up to the beginning of the function
attacker eavesdropper adversary
main goals of Cryptography: Confidentiality, Integrity, Authenticity.
IND-KPA, IND-CPA, IND-CCA
Three properties:
1. Correctness: EK(M) is a permutation (bijective / one-to-one function)
2. Efficiency
3. Security
Symmetric Encryption Schemes
ECB Mode (Electronic Code Book)
CBC Mode (Cipher Block Chaining)
C0 = IV, Ci = EK(Ci-1 xor Mi)
OFB Mode (Output Feedback Mode)
Z0 = IV, Zi = EK(Zi-1), Ci = Zi xor Mi
Counter Mode (CTR)
Zi = EK(IV + i), Ci = Zi xor Mi
CFB Mode (Cipher feedback)
C0 = IV, Ci = EK(Ci-1) xor Mi
Stream cipher Enc(K, M): C = PRG(K, IV) XOR M, Output (IV, C)
Discrete log problem (DLP) -> One Way Function (OWF)
f(x) = g^x mod p
p is large prime (2048bits), random g (1 ~ p-1)
Diffie-Hellman key exchange
A = g^a mod p, B = g^b mod p.
Session key: g^ab mod p
Man-In-The-Middle (MITM) Attack
solutions: certificates, publish pk on a trusted service, display and check if agreed on same key.
El Gamal encryption
Public key is (pk = g^k mod p; g; p). Private key is k. (1 < g < p-1, 0 <= k <= p-2)
Ciphertext: (R; S) = (g^r mod p; m * pk^r mod p). (random r, 0 <= r <= p-2, 1 <= m <= p-1)
Decrypt: m = R^(-k) * S mod p
C = (Ckey = Enc(pk, k), Cmsg = Enc(k, m))
Efficiency: fast to compute
Security: one-way function (preimage resistant); collision resistance (CR)
four particularly significant types of cryptographic primitives:
| | Symmetric-key | Asymmetric-key |
|---|---|---|
| Confidentiality | Symmetric-key encryption (e.g., AES-CBC) | Public-key encryption (e.g., El Gamal, RSA encryption) |
| Integrity and authentication | MACs (e.g., AES-CBC-MAC) | Digital signatures (e.g., RSA signatures) |
Message Authentication Codes (MACs):
T = MAC(K, M)
AES-CBC-MAC: Si = AESK1(Si-1 xor Mi), T = AESK2(Sn)
HMAC: if the key is shorter than the block size, pad it with zeros; if it is longer, hash it first. o_key_pad = 0x5c5c… ⊕ key, i_key_pad = 0x3636… ⊕ key; return hash(o_key_pad || hash(i_key_pad || message))
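The HMAC construction above in Python, as an added example that is not part of the original notes: it applies the key rule (zero-pad short keys, hash over-long keys first), builds the two pads, and cross-checks the result against the standard library's `hmac` module and a published RFC 4231 test vector.

```python
import hashlib
import hmac  # stdlib implementation, used only for cross-checking and constant-time compare


def hmac_from_scratch(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC as written in the notes: hash(o_key_pad || hash(i_key_pad || message))."""
    h = hashlib.new(hash_name)
    block_size = h.block_size  # 64 bytes for SHA-256; pads are block-sized, not digest-sized
    # Key rule: a key longer than one block is hashed first, a shorter one is zero-padded.
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    o_key_pad = bytes(b ^ 0x5C for b in key)  # 0x5c5c... XOR key
    i_key_pad = bytes(b ^ 0x36 for b in key)  # 0x3636... XOR key
    inner = hashlib.new(hash_name, i_key_pad + message).digest()
    return hashlib.new(hash_name, o_key_pad + inner).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_from_scratch(key, message), tag)


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """True when the from-scratch tag equals hashlib/hmac's HMAC-SHA256 for the same inputs."""
    return hmac_from_scratch(key, message) == hmac.new(key, message, "sha256").digest()


# Constructed inputs: RFC 4231 test case 1 (20-byte key, shorter than the block size)
# and a 131-byte key that exercises the hash-the-key branch.
RFC4231_CASE1_KEY = b"\x0b" * 20
RFC4231_CASE1_MSG = b"Hi There"
RFC4231_CASE1_TAG = bytes.fromhex(
    "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"
)
LONG_KEY = b"\xaa" * 131
LONG_KEY_MSG = b"Test Using Larger Than Block-Size Key - Hash Key First"

if __name__ == "__main__":
    print(hmac_from_scratch(RFC4231_CASE1_KEY, RFC4231_CASE1_MSG).hex())
    print(matches_stdlib(LONG_KEY, LONG_KEY_MSG))
    print(verify_tag(RFC4231_CASE1_KEY, RFC4231_CASE1_MSG + b"!", RFC4231_CASE1_TAG))
```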
RSA (hard to find prime factors of large integers.)
n = p*q, φ(n) = (p-1)(q-1)
random e with 2 < e < φ(n) and gcd(e, φ(n)) = 1 (so the inverse exists), d = e^-1 mod φ(n)
n, e are public, d, p, q, and φ(n) are secret
c = m^e mod n
m = c^d mod n
RSA-OAEP: X = [m, 0…] ⊕ G(r), Y = H(X) ⊕ r (G and H are hash functions)
Sign: s = (H(m))^d mod n
Verify: v = s^e mod n, accept iff v == H(m)
Send: E(M,Ksess), E(Ksess,Bpub), S(H(M),Apriv)