cs2107 Cheatsheet

Full summarized notes on intro to security

Uploaded by Emo Cows
CS2107 Cheatsheet AY22/23

Security Requirements

A system can fail due to various reasons:
• Operator mistakes
• Hardware failures
• Poor implementation
• Deliberate human actions designed to cause failure

Cyber security is concerned with intentional failures:
• Assets: Hardware, Software, Data and Information, Reputation (which is intangible)
• Threat: Set of circumstances that has the potential to cause loss or harm
• Vulnerability: Weakness in the system (in procedures / design / implementation) that might be exploited to cause loss/harm
• Control: Control/countermeasure/security mechanism meant to counter threats. It is an action/device/procedure or technique that removes/reduces a vulnerability

There is a threat agent that gives rise to a threat that exploits a vulnerability that leads to a risk that can damage an asset and cause an exposure, all of which can be countered by a safeguard that directly affects the threat agent.

C-I-A Triad
• Confidentiality: Prevention of unauthorized disclosure of information.
• Integrity: Prevention of unauthorized modification of information/process.
• Availability: Prevention of unauthorized withholding of information/resources.

There are 2 more properties added by ISO 7498-2 [ISO89] that are desirable, particularly in communication networks.
• Authenticity/Authentication: Ability of a system to confirm the identity of a sender.
• Non-repudiation/Accountability: Ability of a system to confirm that a sender cannot convincingly deny having sent something.

Security, Functionality and Ease-of-Use
The more secure something is, the less usable and functional it becomes.
• (ease-of-use) → Security mechanisms interfere with working patterns users are familiar with.
• (performance) → Security mechanisms consume more computing resources.
• (cost) → Security mechanisms are expensive to develop.

Encryption

Symmetric Key Encryption
A symmetric-key encryption scheme (also known as a cipher) consists of two algorithms: encryption and decryption. There are 2 requirements:
• Correctness: For any plaintext x and key k, D_k(E_k(x)) = x.
• Security: Given a ciphertext, it should be computationally difficult to derive useful information about the key k and the plaintext x. The ciphertext should resemble a random sequence of bytes. (A formal formulation of security is difficult.)

Attack Models: Adversary's Capabilities
We can describe a class of attacks by giving the attacker's goals and also the attacker's resources. This is also known as the attack/adversary/security model.
If the attacker wants to find the key → total break. However, the attacker may be satisfied with a partial break.
• Ciphertext only attack: the adversary is given a collection of ciphertexts c; they may know some properties of the plaintext (e.g. the plaintext is an English sentence).
• Known plaintext attack: the adversary is given a collection of plaintexts m and the corresponding ciphertexts c, which can be used to guess the key and further decrypt other ciphertexts.
• Chosen plaintext attack (CPA): the adversary has access to a blackbox (an oracle). They may choose and feed any plaintext m to the blackbox and obtain the corresponding ciphertext c, a reasonably large number of times (all encrypted with the same key).
• Chosen ciphertext attack (CCA2): same as chosen plaintext attack, but the adversary chooses the ciphertext and the blackbox outputs the plaintext.

Indistinguishability (IND)
The attacker may be satisfied with distinguishability of ciphertexts: with some "non-negligible" probability more than ½, the attacker is able to distinguish the ciphertexts of a given plaintext (say, "Y") from the ciphertexts of another given plaintext (say, "N").

Classical Ciphers

Substitution Cipher
Plaintext and ciphertext: a string over a set of symbols U.
• Let U = { "a", "b", "c", ..., "z", " " }
• Plaintext may be "hello world"
The key is a substitution table, i.e. a bijection on U. The key space is the set of all possible keys. The key space size (or size of the key space) is the total number of possible keys. The key size or key length is the number of bits required to represent a key. Here, the key space size is 27! and the key size is approximately 94 bits (⌈log2 27!⌉ = 94).

Attacking Substitution Cipher
The goal for attackers is to figure out the key. If the key can be found, then the plaintext can be obtained. The converse is also true: if the attacker can get information on the plaintext, or even the complete plaintext, they can also easily obtain the key. Hence there are 2 levels of access to information:
• ciphertext only – a large number of ciphertexts, all encrypted using the same key
• plaintext pairs – pairs of ciphertext and the corresponding plaintext

Known Plaintext Attack: Substitution Cipher
This attack occurs when the attacker has access to pairs of ciphertexts and their corresponding plaintexts. The attacker can figure out the entries in the key that are used in both ciphertext and plaintext. With a sufficiently long ciphertext, the entire key can be determined. If the adversary can derive the key, we call the scheme "insecure under known plaintext attack" or "broken under known plaintext attack".

First Few Bytes
It is not unreasonable for an attacker to obtain at least one pair of ciphertext and plaintext, as only a small number of bytes is required. Some of the following can be guessed directly:
• Email data: certain headers or words are fixed ("From", "Subject", ...)
• Network protocols: similar to email, as they have fixed headers.

Exhaustive Search – Brute Force
• Assume the attacker knows a ciphertext C and the corresponding plaintext X.
• For S in all possible substitution tables: compute X' = D_S(C); if X' == X: break
• Since a key in the above table can be represented by a sequence of 27 symbols, the size of the key space is 27!

Frequency Analysis
Suppose the plaintexts are English sentences. The letter frequency distribution in English is non-uniform. The adversary is able to guess the key (given a sufficiently long ciphertext) by:
• Carrying out frequency analysis on the ciphertext.
• Mapping the frequently-occurring symbols in the ciphertext to the frequently-occurring letters of English.
Note: The substitution cipher is therefore not secure under ciphertext-only attack either.

Permutation Cipher – transposition cipher
The encryption first groups the plaintext into blocks of t characters, and then applies a secret "permutation" to each block by shuffling the characters. The key is the secret "permutation", which is a 1-1 onto function from {1, 2, ..., t} to {1, 2, ..., t}. The size t could be part of the key, that is, t is also kept secret. We can write the permutation p as a sequence
p = (p1, p2, p3, ..., pt)   (1)
which moves the character at position i to position p_i.

Modern Ciphers
Designs of modern ciphers take into consideration known-plaintext attacks, frequency analysis and other known attacks.
• DES (Data Encryption Standard, 1977) → key length too short
• RC4 (Rivest's Cipher 4, 1987) → broken in some adoptions
• A5/1 (used in GSM, 1987)
• AES (Advanced Encryption Standard, 2001)

Exhaustive Search, Key Length and Work Factor
If the key length is 32 bits, there are 2^32 possible keys. Hence, the exhaustive search needs to "loop" 2^32 times in the worst case.
We can quantify the security of an encryption scheme against exhaustive search by the length of the key. Consider a scheme A with 64-bit keys and a scheme B with 54-bit keys: scheme A is more secure w.r.t. exhaustive search.

DES - Data Encryption Standard
The key length of DES is 56 bits (an intentionally short key size). While exhaustive search on 56 bits seemed infeasible in the 70s, it very soon became possible using distributed computing or a specialized chip.

Consider an image divided into blocks and encrypted block by block with some deterministic encryption scheme* using the same key. Since it is deterministic, any two blocks that are the same (e.g. blocks in the white background) will be encrypted to the same ciphertext, so the outline of the image stays visible in the ciphertext. To prevent this leakage of information, there are the following solutions:
• Use a separate IV for each block → less adopted, as the final ciphertext would be twice the size of the plaintext.
• Link the blocks (CBC mode): upon the encryption of one block, its ciphertext is XORed into the next block before encryption.
• CTR (Counter) mode, which uses the block cipher as a stream cipher.
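The two attacks on the substitution cipher above (known-plaintext key recovery and ciphertext-only frequency analysis), as an added example that is not part of the original notes. The alphabet U is the notes' 27 symbols; the English frequency ordering and the sample text are assumptions constructed for the demo, and the helper names are the example's own.

```python
"""Substitution cipher over U = {a..z, space} with the two attacks from the notes:
known-plaintext key recovery and ciphertext-only frequency analysis.
Added example, not from the original notes; ENGLISH_ORDER and SAMPLE_TEXT are
assumptions constructed for the demo."""
import random
from collections import Counter

U = "abcdefghijklmnopqrstuvwxyz "
# English symbols by decreasing frequency in running text: the space is the most
# frequent symbol, then e, t, a, ... (assumed ordering for the demo).
ENGLISH_ORDER = " etaoinshrdlcumwfgypbvkjxqz"
# Constructed sample plaintext, long enough for frequency analysis to say something.
SAMPLE_TEXT = ("the quick brown fox jumps over the lazy dog and then the dog sleeps "
               "under the old tree while the fox eats the last of the cheese in the pantry")


def keygen(rng: random.Random) -> dict:
    """A key is a bijection on U: one of 27! possibilities (about 94 bits)."""
    shuffled = list(U)
    rng.shuffle(shuffled)
    return dict(zip(U, shuffled))


def demo_key() -> dict:
    return keygen(random.Random(7))  # fixed seed so the demo is reproducible


def encrypt(key: dict, plaintext: str) -> str:
    return "".join(key[ch] for ch in plaintext)


def decrypt(key: dict, ciphertext: str) -> str:
    inverse = {c: p for p, c in key.items()}
    return "".join(inverse[ch] for ch in ciphertext)


def known_plaintext_attack(pairs) -> dict:
    """Recover the key entries exercised by (plaintext, ciphertext) pairs.
    Every position reveals one entry plaintext symbol -> ciphertext symbol; with
    enough text all 27 entries fall out and the scheme is totally broken."""
    recovered = {}
    for pt, ct in pairs:
        if len(pt) != len(ct):
            raise ValueError("substitution preserves length")
        for p, c in zip(pt, ct):
            if recovered.setdefault(p, c) != c:
                raise ValueError("inconsistent pairs: not encrypted under one key")
    return recovered


def frequency_analysis(ciphertext: str) -> dict:
    """Ciphertext-only attack: rank ciphertext symbols by frequency and map them to
    English symbols in frequency order. Returns a guessed decryption table
    ciphertext symbol -> plaintext symbol for the symbols that occur."""
    ranked = [sym for sym, _ in Counter(ciphertext).most_common()]
    return dict(zip(ranked, ENGLISH_ORDER))


def guess_accuracy(key: dict, guess: dict) -> float:
    """Fraction of the guessed decryption entries that agree with the true key."""
    true_inverse = {c: p for p, c in key.items()}
    return sum(true_inverse[c] == p for c, p in guess.items()) / len(guess)


if __name__ == "__main__":
    key = demo_key()
    pair = ("hello world", encrypt(key, "hello world"))
    print("known-plaintext pair reveals", len(known_plaintext_attack([pair])), "key entries")
    ct = encrypt(key, SAMPLE_TEXT)
    print("frequency-analysis guess accuracy:", guess_accuracy(key, frequency_analysis(ct)))
```

A single short pair such as "hello world" already fixes 8 of the 27 key entries; the frequency guess is only a starting point (the top few symbols, above all the space, are placed reliably, the rare letters are not), which is why a human finishes the job with word patterns.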
Note: The permutation cipher fails miserably under known-plaintext attack. Given a plaintext and a ciphertext, it is very easy to determine the secret key. The permutation cipher is also easily broken under ciphertext-only attack if the plaintext is English text.

One-Time Pad
Given an n-bit plaintext (x1 x2 ... xn) and an n-bit key (k1 k2 ... kn) we output the ciphertext C:
C = (x1 ⊕ k1)(x2 ⊕ k2) ... (xn ⊕ kn)   (2)
The condition is that the key and the plaintext must be of the same length. We can then decrypt the ciphertext by XORing the ciphertext with the key once more to get the plaintext X:
X = (c1 ⊕ k1)(c2 ⊕ k2) ... (cn ⊕ kn)   (3)
For this to work, we need to be able to transfer the key securely!

What is ⊕ or XOR?
• Commutative: A ⊕ B = B ⊕ A
• Associative: A ⊕ (B ⊕ C) = (A ⊕ B) ⊕ C
• Identity element: A ⊕ 0 = A, where 0 is the identity element
• Self-inverse: A ⊕ A = 0
Note: From a pair of ciphertext + plaintext, the attacker can derive the key, but since it is only used one time, this key is useless. The one-time pad leaks no information about the plaintext, even if the attacker has arbitrary running time.

Perfect Secrecy
The attacker's prior knowledge of the unknown plaintext will not change even after they have seen the ciphertext y. Meaning the chances that the attacker correctly predicts x before knowing y, and after knowing y, are the same.
Definition: A cryptosystem has perfect secrecy if for any distribution of X, for all x, y:
Pr(X = x | Y = y) = Pr(X = x)

Stream Ciphers
Inspired by the one-time pad. Suppose the plaintext is 2^20 bits, but the secret key is only 256 bits. A stream cipher generates a 2^20-bit sequence from the key and treats the generated sequence as the secret key of a one-time pad. The generator must be carefully designed, so that it gives a cryptographically secure pseudorandom sequence.

Initialization Vector (IV)
Most ciphers have an IV, which can be randomly chosen or taken from a counter.
• Encryption: a long pseudorandom sequence is generated from secret key + IV. The final ciphertext contains the IV followed by the output of the one-time-pad encryption.
• Decryption: the IV is extracted from the ciphertext. The plaintext can be obtained by generating the same pseudorandom sequence from key + IV.

Why must we use an IV for Stream Ciphers?
Without the IV, if an attacker can obtain two ciphertexts, they can simply XOR the 2 ciphertexts together. Let's say we have ciphertexts U and V, obtained from plaintexts X and Y respectively without using an IV, so both are encrypted with the same keystream K:
U ⊕ V = (X ⊕ K) ⊕ (Y ⊕ K) = (X ⊕ Y) ⊕ (K ⊕ K) = X ⊕ Y
The above is obtained after some manipulation using the associative and commutative properties of XOR, and K ⊕ K = 0. Let us take X and Y as black and white images, where every pixel corresponds to a bit: XORing the two ciphertexts reveals X ⊕ Y, the overlay of the two images. With an IV, the keystreams K1 and K2 are different because they are produced from different IVs, so there is no cancelling out when the two ciphertexts are XORed. The IV makes the encryption probabilistic.

AES - Advanced Encryption Standard
AES has a block length of 128 bits, and the key length can be 128, 192 or 256 bits. It is a symmetric block cipher comprising the following operations: Byte Sub, Shift Row, Mix Columns, Add Round Key, all repeated for a number of rounds (10, 12 or 14 depending on the key length).

Block Cipher & Modes-of-Operation
A large plaintext is divided into blocks (of equal size) before the block cipher is applied. DES and AES are "block ciphers": block ciphers are designed for some fixed-size input/output.

ECB Mode - Electronic Code Book
ECB divides the plaintext into blocks and then applies the block cipher to each block, all with the same key. BUT, ECB leaks information!!!

Note: An encryption scheme is "deterministic" in the sense that the encryption algorithm will always produce the same output (i.e. the ciphertext) when given the same input (i.e. the key and plaintext).
Note: In contrast, a "probabilistic" encryption scheme produces different ciphertexts even with the same input (key, plaintext).

CBC - Cipher Block Chaining on AES (mode-of-op)
The Initial Value (IV) is an arbitrary value chosen during encryption (different in different encryptions of the same plaintext):
y0 = IV,  yi = E_k(xi ⊕ y(i−1)) for i > 0

CTR - Counter Mode on AES (mode-of-op)
A type of stream cipher: the keystream is produced by encrypting successive counter values (derived from the IV) and XORed with the plaintext.

GCM mode - Galois/Counter (mode-of-op)
Authenticated encryption: the ciphertext consists of an extra tag for authentication. It is secure in the presence of a decryption oracle.

Triple DES
DES is not secure w.r.t. today's computing power. We can improve it by encrypting multiple times, using different keys. DES doesn't form a group, in the sense that E_k1(E_k2(x)) is in general not the same as E_k3(x) for any single key k3 (otherwise multiple encryption would give no gain).

Meet-in-the-middle Attack
A known plaintext attack on double encryption E_k1(E_k2(x)), where the attacker's goal is to find the keys k1 and k2.
• Compute two sets C and M. C contains the encryptions of the plaintext m under all possible keys. M contains the decryptions of the ciphertext c under all possible keys.
• Find a common element of C and M, thereby obtaining both keys.
• In general, for k-bit keys, it reduces the number of crypto operations to about 2^(k+1) (instead of the 2^(2k) of a naive search) using approximately 2^k units of storage for the table.
Note: Remedy – use triple encryption, but with 2 keys. Both below are believed to have the same level of security:
• E_k1(E_k2(E_k1(x)))
• OR E_k2(E_k1(E_k2(x)))

Padding - PKCS#7
Suppose the block size is 8 bytes, and the last block has 5 bytes only (thus 3 extra bytes are required); the padding is done as follows. (If the last block is full, an extra block consisting of eight 08 bytes is added, so that unpadding is always unambiguous.)
DD DD DD DD DD DD DD DD | DD DD DD DD DD 03 03 03

Padding Oracle Attack
The attacker has a ciphertext (IV, c) and access to a padding oracle. The attacker's goal is to get the plaintext of (IV, c). The ciphertext is encrypted with a secret key k, and the oracle knows k: given a ciphertext, it only reports whether the decrypted plaintext has valid padding.
The padding oracle attack takes advantage of the deterministic nature of a block cipher: if the plaintext is unchanged, the resultant ciphertext (and vice versa) would also remain the same. The padding oracle attack also takes advantage of XOR operations: for any A, B, C, if A ⊕ B = C, then B ⊕ C = A and A ⊕ C = B.

Padding Oracle Attack - Example (on CBC)
Suppose the attacker wants to recover the plaintext block P2 = D_k(C2) ⊕ C1 and works on one byte at a time, starting from the last byte. Call the attacker's trial value for that byte of the (forged) previous block t2.
• First, force the decrypted block to end with a valid padding (01 for the last byte, then 02 02 for the last two bytes, and so on). This allows reverse engineering of the XOR operation to find out the original plaintext in that byte position.
• Next, use exhaustive search (at most 256 values) to find out which value of t2 in the previous block, when XORed with the block-cipher output of C2, will produce a "YES" from the padding oracle.
  – If "NO", continue the exhaustive search.
  – If "YES", the padding is correct, and that value of t2 is the correct value for that byte.
• Then XOR the value t2 with the padding value to obtain the intermediary byte x2 = D_k(C2) at that position.
• From the intermediary, XOR with the unchanged original previous ciphertext block C1 (which the attacker already has) to get the original plaintext byte. Repeat for the remaining bytes of the block, and for each block of the ciphertext.

Cryptography Pitfalls

Wrong choices of IV
Some applications overlooked IV generation. As a result, under some situations, the same IV is reused.
• e.g. To encrypt a file F, the IV is derived from the filename. It is quite common to have files with the same filename → Schneier on Security, Microsoft RC4 Flaw:
  – The stream cipher RC4 with key length up to 128 bits is used in Microsoft Word and Excel to protect documents. But when an encrypted document gets modified and saved, the initialization vector remains the same, thus the same keystream generated from RC4 is applied to encrypt different versions of that document.
• When using AES under "CBC mode", the IV should be unpredictable in order to prevent a certain type of attack. (So, it is vulnerable to choose IVs as 1, 2, 3, ....)
  – The Browser Exploit Against SSL/TLS attack (BEAST) exploits this: when encrypting multiple packets, the IV of a packet is the last ciphertext block of the previous packet, which is visible to anyone.
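The ECB leak, CBC with PKCS#7 padding and the padding oracle attack described above, as an added example that is not part of the original notes. The block cipher is deliberately not AES: it is a toy 4-round Feistel network keyed with HMAC-SHA256, assumed here so that the example runs with the Python standard library alone. The attack itself uses only the CBC structure and the padding check, so the same code applies unchanged to AES-CBC; all function names are the example's own.

```python
"""CBC with PKCS#7 padding, an ECB leak check and the padding oracle attack.
Added example, not from the original notes. The block cipher is NOT AES but a toy
4-round Feistel network keyed with HMAC-SHA256 (assumed so the example needs only
the standard library); the attack uses only the CBC structure plus the padding
check, so it applies unchanged to AES-CBC."""
import hashlib, hmac

BLOCK = 16  # block length in bytes, as for AES

def _round(key, rnd, half):
    """Keyed round function of the toy Feistel cipher (8-byte output)."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right

def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right

def pad(data):
    """PKCS#7: n bytes of value n; a full last block gets a whole extra block of 0x10."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def ecb_encrypt(key, plaintext):
    data = pad(plaintext)
    return b"".join(block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def repeated_blocks(ciphertext):
    """ECB leak: equal plaintext blocks give equal ciphertext blocks (0 under CBC)."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))

def cbc_encrypt(key, iv, plaintext):
    out, prev = [], iv
    data = pad(plaintext)
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))  # y_i = E_k(x_i ^ y_{i-1})
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, blk), prev))
        prev = blk
    return unpad(b"".join(out))

def make_padding_oracle(key):
    """Server side: answers only whether the decryption has valid padding."""
    def oracle(iv, ciphertext):
        try:
            cbc_decrypt(key, iv, ciphertext)
            return True
        except ValueError:
            return False
    return oracle

def padding_oracle_attack(oracle, iv, ciphertext):
    """Recover the plaintext of (iv, ciphertext) with at most ~256 queries per byte."""
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    recovered = b""
    for idx in range(1, len(blocks)):
        target, prev = blocks[idx], blocks[idx - 1]
        inter = bytearray(BLOCK)  # intermediary D_k(target), filled from the last byte backwards
        for pos in range(BLOCK - 1, -1, -1):
            padval = BLOCK - pos  # force the decryption to end in padval bytes of value padval
            forged = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):
                forged[j] = inter[j] ^ padval
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged), target):
                    continue
                if pos == BLOCK - 1:  # rule out an accidental longer padding such as 02 02
                    forged[pos - 1] ^= 0xFF
                    still_valid = oracle(bytes(forged), target)
                    forged[pos - 1] ^= 0xFF
                    if not still_valid:
                        continue
                inter[pos] = guess ^ padval  # oracle said D_k(target)[pos] ^ guess == padval
                break
            else:
                raise RuntimeError("no padding-valid byte found")
        recovered += _xor(bytes(inter), prev)  # plaintext = intermediary ^ real previous block
    return unpad(recovered)
```

The attacker never learns the key: each "YES" pins down one byte of the intermediary D_k(C_i), and XORing with the genuine previous ciphertext block (or the IV for the first block) gives the plaintext. This is why an authenticated mode such as GCM, which rejects any modified ciphertext before padding is ever inspected, closes the oracle.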
Reusing One-Time-Pad Key
Similar to reusing an IV: if the one-time-pad key is reused and the attacker notices it, it is possible to decrypt entire messages. Project Venona saw the decryption of encrypted messages from the Soviet Union by the US.

Predictable Secret Key Generation
When programming, we may use packages such as java.util.Random despite the fact that it is not actually secure. java.security.SecureRandom is preferred because:
• Size: the Random class only has a 48-bit state, whereas SecureRandom can have up to 128 bits, so there is a smaller chance of repeated output.
• Seed Generation: Random uses the system clock to generate the seed, which an attacker can easily replicate if they know when the seed was produced. SecureRandom takes random data from the OS, as most OSes collect and store such data (intervals between keystrokes etc.) and use that as the seed.
• Breaking the code: Random requires 2^48 tries (practically possible with compute resources today); SecureRandom requires 2^128 attempts, which may take many years.
• Generating Function: the standard Oracle JDK 7 implementation uses a Linear Congruential Generator to produce random values in java.util.Random. java.security.SecureRandom implements the SHA1PRNG algorithm, using SHA-1 to generate pseudorandom numbers.
• Security: java.util.Random must not be used for security-critical applications or for protecting sensitive data.

Designing your own crypto/cipher
Don't design your own crypto, or even make slight modifications to an existing scheme... unless you have in-depth knowledge of the topic.

Kerckhoffs's principle
A system should be secure even if everything about the system, except the secret key, is public knowledge.
Arguments against obscurity:
• RC4 was introduced in 1987 with its algorithm as a trade secret. In 1994, a description of its algorithm was anonymously posted to a mailing list.
• MIFARE Classic is a contactless smartcard widely used in Europe. It uses a set of proprietary protocols/algorithms. However, they were reverse-engineered in 2007. It turned out that the encryption algorithms are weak (with 48-bit keys) and breakable.

Security through Obscurity
Hiding the design of the system in order to achieve security.
• Obscurity can be used as an additional layer in a defense-in-depth strategy.
• It is NOT advisable to reveal the computer network structure and settings (for example, the location of the firewall and the firewall rules), although these are not "secrets".
• Although it is advisable to make the algorithm public, it is not advisable to publish the actual program used in a smart-card. By publishing the program/code, an adversary may be able to identify an implementation flaw that was previously unknown, or carry out side-channel attacks.
• Usernames are not secret. However, it is not advisable to publish all the usernames.

Authentication (Password)
Authentication: The process of assuring that the communicating entity, or the origin of a piece of information, is the one that it claims to be. There are 2 types of authentication:
1. Entity authentication:
• For connection-oriented communication
• Verifying the authenticity of the entities involved in a connection
• Mechanisms: password, challenge and response, cryptographic protocol
2. Data-origin authentication:
• For connectionless communication
• Verifying the origin of a piece of information
• Mechanisms: crypto primitives such as MAC or digital signature.

Authenticity vs Integrity
Authentic is an adjective saying that the claimed entity/origin is assured by supporting evidence. Authenticity is the condition of being authentic. Authenticity and integrity are thus related. In the context of an insecure channel, we can say that a message that has been modified in transit no longer comes from its original source. In other words, a message whose integrity is compromised also has its authenticity compromised. As such, data-origin authenticity implies data integrity. But data integrity does not imply data-origin authenticity. Authenticity is thus a stronger requirement than integrity.

Password System
A password is part of an authentication system that usually consists of:
• Identity (Identification): need not be kept secret. It can be a username in a system, bank account number, customer ID etc.
• Password (Authentication): the password is kept secret; only the authentic user & the server know it. The fact that an entity knows the password implies that it is either the server or the authentic user.

1. Bootstrapping
• The password is established during bootstrapping, done by:
  – Server/user chooses a password and sends it to the user/server through another communication channel.
  – Default password.
2. Password Authentication
• Protocol:
  User → Server: My name is Alice
  Server → User: What is your password
  User → Server: OpenSesame
  Server verifies whether the password is correct.
• Authentication can also be carried out without interaction:
  User sends SMS to server: UserId: Alice@nus.edu.sg Password: OpenSesame. Instructions: Unsubscribe from your mailing list. No more junk mail.
• This protocol is "weak authentication", subject to replay attack (packet sniffing / eavesdropper in the communication channel).
3. Password reset
• Only authorized entities can reset the password. How do we verify the entity is authentic?
• Need to authenticate the entity before allowing the entity to change the password.

Attacks on the Password System
The attacker may intercept the password during bootstrapping. They can also target the use of default passwords (e.g. IP security cameras). Reason for no individual passwords: cost increase for the device manufacturer to print a password on each piece of equipment/manual/case.

Searching for the Password
Ability to test → feed a guess into the login screen:
• Exhaustive search: test all combinations to guess passwords.
• Dictionary attack: tests passwords stored in a "dictionary" (containing words from an English dictionary and known compromised passwords; most passwords are generated by humans).
• A dictionary attack could also exhaustively test combinations of words in the dictionary, or exhaustively try all possible capitalizations and substitutions of words ("a" substituted by "@").
Two scenarios in dictionary attacks:
• Online dictionary attack: the attacker must interact with the authentication system during the searching process (attacker must be online).
• Offline dictionary attack: there are 2 phases
  1. The attacker obtains some information D about the password (sniffs a hash from interactions, or steals the password file).
  2. Next, the attacker carries out the search using D without interacting with the system.

Guessing the password from social information
The attacker gathers social information about the user to guess the password.

Stealing the password
Sniffing
Shoulder sniffing (look over the shoulder), or sniffing the communication: not as common now, but some older systems sent passwords over public networks (not encrypted).
Viruses, Keylogger
A key-logger records keystrokes and sends the information back to the attacker.
• (software) Some computer viruses are designed as key-loggers
• (hardware) A hardware key-logger is physically connected to the device
Phishing
A type of social engineering. The victim is tricked into voluntarily sending the password to the attacker. Phishing attacks ask for passwords under some false pretense. Typically, it tricks the user into visiting a website which is a spoofed login page.
Spear Phishing
Phishing can be targeted at a particular small group of users (for example, NUS staff). This is known as spear phishing, which is an example of a targeted attack.
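Predictable secret key generation in practice, as an added example that is not part of the original notes. java.util.Random is a 48-bit linear congruential generator whose multiplier, increment and seed scrambling are fixed by the Java specification, so it is reimplemented here exactly in Python (the class and function names are the example's own). The notes give 2^48 as the cost of brute-forcing it; an attacker who sees two consecutive nextInt() outputs actually needs only 2^16 work, because the first output exposes the top 32 bits of the state.

```python
"""Why java.util.Random is predictable (added example, not from the notes).
Random is a 48-bit LCG whose parameters are fixed by the Java specification, so it
is reimplemented here exactly. Two consecutive nextInt() outputs are enough to
recover the internal state with 2^16 work, after which every later output can
be predicted."""

MULT, ADD, MASK = 0x5DEECE66D, 0xB, (1 << 48) - 1


class JavaRandom:
    """Port of java.util.Random: seed scrambling, next(bits) and nextInt()."""

    def __init__(self, seed: int):
        self.state = (seed ^ MULT) & MASK

    @classmethod
    def from_state(cls, state: int) -> "JavaRandom":
        r = cls.__new__(cls)
        r.state = state & MASK
        return r

    def _next(self, bits: int) -> int:
        self.state = (self.state * MULT + ADD) & MASK
        value = self.state >> (48 - bits)
        # Java truncates the result to a signed 32-bit int.
        return value - (1 << bits) if value >= (1 << (bits - 1)) else value

    def next_int(self) -> int:
        return self._next(32)


def recover_state(out1: int, out2: int):
    """out1 is the top 32 bits of the 48-bit state after the first call; only the
    low 16 bits are unknown. Try all 65536 and keep the one that reproduces out2.
    Returns a JavaRandom synchronised with the victim, or None if no state fits."""
    top = (out1 & 0xFFFFFFFF) << 16
    for low in range(1 << 16):
        candidate = JavaRandom.from_state(top | low)
        if candidate.next_int() == out2:
            return candidate
    return None


def predict_next(out1: int, out2: int) -> int:
    """Given two observed consecutive nextInt() values, return the third."""
    synced = recover_state(out1, out2)
    if synced is None:
        raise ValueError("outputs do not come from java.util.Random")
    return synced.next_int()


if __name__ == "__main__":
    victim = JavaRandom(42)  # real code seeds from the clock; the value is irrelevant
    o1, o2, o3 = victim.next_int(), victim.next_int(), victim.next_int()
    print("predicted third output matches:", predict_next(o1, o2) == o3)
```

Seeding from the clock does not help: the weakness is the tiny, fully exposed state, which is why the notes' advice to use SecureRandom (seeded from OS entropy, with a 128-bit state and a hash-based generator) stands regardless of how Random is seeded.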
Cache
When using a shared workstation, information keyed in could be cached. The next user still has access to the cache.

Insider attack
A malicious system admin steals the password file, or the system admin's account is compromised and the password file is lost.

Preventive Measures
1. User Training: workshops, reminders. Embedded phishing exercise (authorized entities send out "phishing" emails to employees).
2. Blacklisting: a repository site keeps a list of phishing sites, which are blacklisted by the browser or firewall.
3. Using Strong Passwords
• Truly random password, using an automated password generator. High "entropy", but difficult to remember.
• User selection:
  – Mnemonic Method: Pbmbval!
  – Altered Passphrases: Dressed*2*tge*9z
  – Combining/Altering Words: B@nkC@mera
• Usability: strong passwords are difficult to remember. It is difficult to enter alphanumeric passwords on mobile devices.
3a. Password Ageing: it is recommended for users to regularly change passwords.

Online vs Offline Attack
• Online: to check whether a password is correct, the attacker needs to communicate with a server not under his control. E.g. the attacker obtained a list of 1000 valid NUSNET IDs and wants to find the password for some of them. The attacker writes an automated script that attempts to login to Canvas using guessed passwords for each of these 1000 valid NUSNET IDs.
• Offline: to check whether a password is correct, the attacker can execute some algorithm without connecting to a server.
  – The attacker has an AES-encrypted PDF file. The key is derived from a password. The attacker wants to find the password.
  – In some password authentication protocols, a "hash" of the password is sent in the clear. The attacker first obtains the hash by eavesdropping on a valid login session. Next, the attacker goes offline and searches for the password. WPA2 Personal is vulnerable to this form of offline dictionary attack.

Enhancing the Password System
• Make online dictionary attacks more difficult: introduce an intentional delay into login sessions, or lock the account after a few failed attempts.
• Make offline dictionary attacks more difficult: apply a KDF to the password, which forces intensive computation per guess; the price is the same delay during legitimate usage.

Additional Protection of password files
During authentication, the password entered by the entity is hashed, then compared with the value stored in the password file. To verify whether password P belongs to a user U:
1. Compute d = Hash(P)
2. If <U, d> is in the password file, accept, else reject.
Without a salt, the same password hashes to the same value for 2 different usernames. This allows attackers to obtain all un-hashed passwords of the same value simply by comparing hashed values (crack one, and every matching entry falls). To prevent this, we add a salt: a random string of characters prepended to the password before hashing. The salt is randomly generated for each user and stored in the password file alongside the hash.

Self-help Password Reset
Security-Cost-Usability tradeoff: viewed as a mechanism for fallback authentication.
• Enhances usability: the user can still login if the password is lost
• Reduces cost: reduces the operating cost of the helpdesk
• Weak security: attackers have another means to obtain access
1. Security Question
2. Recovering via the email account
  1. User → System: User id is X, I want to reset
  2. System → User: Sends an email to the user; the URL contains an OTP
  3. User → System: OTP is OTP1, this is my new password
  4. System checks if the OTP is correct; if correct, reset

ATM Skimmer
For authentication, there is a (1) Card and (2) PIN. The card contains a magnetic strip storing the user account id; the PIN is the password. An ATM skimmer steals the victim's account id + PIN:
1. card-reader attached on top of the existing ATM reader;
2. camera overlooking the keypad / spoofed keypad on top of the existing keypad;
3. means to record/transmit the information back to the attacker.
Measures against ATM Skimmers
1. Anti-skimmer device: prevents external card reader attachment
2. Shielding of the keypad
3. Awareness among users

Biometric
• Enrollment: a template of the user's biometric data is captured and stored (same as bootstrapping).
• Verification: biometric data of the person in question is captured and compared with the template using a matching algorithm (the algorithm decides accept or reject).
There is inevitable noise in capturing biometric data, leading to errors in the matching decision. False Match Rate (FMR) and False Non-Match Rate (FNMR):

                  Accept   Reject
Genuine attempt     A        C
False attempt       B        D

FMR = number of successful false matches (B) / number of attempted false matches (B + D)   (7)
FNMR = number of rejected genuine matches (C) / number of attempted genuine matches (A + C)   (8)

• Equal-Error Rate (EER): the operating point where FNMR = FMR
• Failure-to-enroll Rate (FER): some users' biometric data cannot be captured, e.g. due to injury.
• Failure-to-capture (FTC): the user's biometric data may fail to be captured during a transaction, e.g. dirty fingers.

Attack of biometric system
Some biometric data can be easily spoofed. Other systems include liveness detection to verify if the entity being scanned is indeed live, instead of something spoofed.

n-Factor Authentication (e.g. 2FA)
Require n (e.g. 2) different authentication factors:
1. Something you know: Password, PIN
2. Something you have: Security token, mobile phone, ATM card
3. Who you are: Biometric

OTP Token
Hardware generates a one-time password; each token and the server share some secret.
1. Time-based: based on the shared secret and the current time interval, generate the password K.
2. Sequence-based: an event (user pressing a button) triggers the change of OTP.

Example: Password + SMS
Registration: the user gives the server a mobile phone number and a password.
Authentication:
1. User sends password and username to the server
2. Server verifies the password is correct, then sends an OTP to the user through SMS
3. User receives the SMS, enters the OTP
4. Server verifies the OTP is correct
• The OTP is generated from a factor.
• A password is long-term and can be the same for a long duration. An OTP is valid only for a short period of time / for a specific transaction.
• If an attacker somehow managed to eavesdrop on a session and steal the OTP together with the password, the password can still be used, but password + OTP is insufficient for replay attacks on further sessions.
• The OTP does not expose the (non-password) factor during authentication. Even if a session is compromised, confidentiality of the factor is still preserved.
Public Key Encryption
A public-key scheme uses different keys for encryption and decryption. Only with the private key kd can we decrypt the ciphertext.

Security Requirements
Given the public key and the ciphertext (but not the private key), it is difficult to determine the plaintext.

ADVANTAGES
In PKC, if there are multiple entities A1, ..., An, each has their own <private key, public key>. Each entity only needs to broadcast their public key, keeping the private key secret.
If we do not use PKC, then any 2 entities must share a symmetric key via a secure channel, requiring both entities to know one another before actual communication. (PKC still needs a secure broadcast channel to distribute the public key.)

Authenticity Property of RSA
We can also use the decryption key d to encrypt and the encryption key e to decrypt. This does not hold in other public key schemes.

Algorithmic issues
• (step 1): How to find a random prime? Randomly pick a number and test whether it is a prime.
• (step 3): The value of d can be efficiently computed from e and φ(n) = (p − 1)(q − 1) using the extended Euclidean algorithm. (It cannot be computed from e and n alone, otherwise anyone holding the public key could derive the private key.)
• Encryption of the same plaintext at different times gives the same ciphertext. Some form of IV or padding is needed to introduce an extra element of randomness.

Issues that RSA faces
POOR EFFICIENCY AND PERFORMANCE
• RSA is significantly slower than AES (about 10,000x slower)
• 128-bit AES has the same key strength as 3072-bit RSA
To overcome this issue, when a large file F is to be encrypted under the public key setting, for efficiency the following steps can be carried out:
1. Randomly choose an AES key k
2. Encrypt F using AES with k as the key to produce the ciphertext C
3. Encrypt k using RSA to produce the ciphertext q
4. The final ciphertext consists of 2 components: (q, C)
The reverse is done for decryption:
1. Decrypt q using RSA to produce the key k
2. Decrypt C using AES with k as the key to produce the plaintext F

SECURITY OF RSA
RSA is not necessarily "more secure" than AES. It can be shown that getting the private key from the public key is as difficult as

Hash Functions – Security Requirements
• Preimage resistant or one-way: given a digest d, it is difficult to find an m such that h(m) = d (difficult to reverse).
• Second-preimage resistant: given m1, it is difficult to find a second preimage m2 ≠ m1 such that h(m1) = h(m2).
• Collision-resistant: it is difficult to find 2 different messages m1 ≠ m2 that hash to the same digest (h(m1) = h(m2)).

Popular Hashes: SHA-0, SHA-1, SHA-2, SHA-3
• SHA-0 was published by NIST in 1993. It produces a 160-bit digest. It was withdrawn shortly after publication and superseded by the revised version SHA-1 in 1995.
• SHA-1 is a popular standard. It produces a 160-bit message digest. It is employed in SSL, SSH, etc.
• In 1998, an attack that finds a collision of SHA-0 in 2^61 operations was discovered. (Using the straightforward birthday attack, a collision can be found in 2^(160/2) = 2^80 operations.) In 2004, a collision was found using 80,000 CPU hours. In 2005, Wang Xiaoyun et al. (Shandong University) gave an attack that finds a collision in 2^39 operations.
• In 2001, NIST published SHA-224, SHA-256, SHA-384 and SHA-512, collectively known as SHA-2. The number in the name indicates the digest length. There is no known attack on full SHA-2, but there are known attacks on "partial" SHA-2, e.g. an attack on 41-round SHA-256 (the full SHA-256 takes 64 rounds).
• In 2005, Xiaoyun Wang et al. gave a method of finding collisions of SHA-1 using 2^69 operations, which was later improved to 2^63. A collision was found in 2017. It took 110 GPU years, completing 2^63 SHA-1 operations.
• In Nov 2007, NIST called for proposals for SHA-3. In Oct 2012, NIST announced the winner, Keccak (pronounced "catch-ack").

Popular but obsolete: MD5
• Designed by Rivest, as part of the MD family (MD2, MD4, MD5, MD6).
• MD6 was submitted to the NIST SHA-3 competition but did not advance to the second round of the competition.
• MD5 was widely used. It produces a 128-bit digest.
RSA – Rivest–Shamir–Adleman factorization. Unknown if the problem of getting the plaintext
1. Randomly choose 2 large primes p and q, computes n = pq • In 1996, Dobbertin announced a collision of the compress
from ciphertext and public key is as difficult as factorization.
2. Randomly choose encryption exponent e: function of MD5.

gcd(e, (p − 1)(q − 1)) The ’textbook’ RSA has to be modified so that difficult • In 2004, collision was announced by Xiaoyu Wang et al.
encryptions of the same plaintext to lead different ciphertexts, The attack was reported to take one hour.
3. Find decryption exponent d, where
and such modifications are not straightforward (e.g. PKCS#1). • In 2006, Klima give an algorithm that can find collision
d e mod(p − 1)(q − 1) = 1 within one minute on a single notebook.
Strengths of PKC
4. Published (n, e) as public key, safe-keeps (n, d) as private key Message Authentication Code (MAC)
Main strength is the public key setting, allowing the entity in
n = pq public to perform encryption without a pre-establihed pair-wise Also known as the Keyed-hash, it is a function that takes in an
φ(n) = (p − 1)(q − 1) secret key. This secret-key-less feature is also useful in providing arbitrarily long message and a secret key as an input, and outputs
d = e−1 modφ(n) authentication. PKC is rarely used to encrypt a large file. a fixed-size MAC.
Cryptographic Hash
A hash is a function that takes in an arbitrarily long message as
input and outputs a fixed size digest.
Security Requirements: Without knowing the key, it is
difficult to forge the MAC. After seen multiple valid pairs of
messages and their corresponding mac, it is difficult for the
attacker to forge the mac of a message not seen before.
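Going back to the RSA section above, the following is an added worked example (not code from the notes) that carries out key-generation steps 1 to 4 with the notes' own formulas and checks the two properties the notes single out: d and e are interchangeable (the authenticity property), and textbook encryption is deterministic. The Miller-Rabin test, the choice of the smallest odd e, and the small primes 61 and 53 used for the check are this example's assumptions.

```python
# Added example (not from the notes): textbook RSA following the four
# key-generation steps above, plus the two properties the notes point out:
# d and e are interchangeable (authenticity property) and textbook
# encryption is deterministic (same plaintext, same ciphertext).
import secrets
from math import gcd


def is_probable_prime(n, rounds=32):
    """Miller-Rabin test; step 1 says 'pick a number and test whether it is prime'."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Step 1: random odd candidates of the requested size until one passes the test."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits=512, p=None, q=None):
    """Steps 1-4; p and q may be supplied (small primes are handy for a worked example)."""
    if p is None:
        p = random_prime(bits // 2)
    if q is None:
        q = random_prime(bits // 2)
        while q == p:
            q = random_prime(bits // 2)
    n = p * q
    phi = (p - 1) * (q - 1)                  # phi(n) = (p-1)(q-1)
    e = 3                                    # step 2: smallest odd e with gcd(e, phi) = 1
    while gcd(e, phi) != 1:                  # (65537 is the usual choice in practice)
        e += 2
    d = pow(e, -1, phi)                      # step 3: d = e^-1 mod phi(n) (extended Euclid)
    return (n, e), (n, d)                    # step 4: public key (n, e), private key (n, d)


def rsa_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def rsa_sign(priv, m):
    """Authenticity property: 'encrypt' with the decryption key d ..."""
    n, d = priv
    return pow(m, d, n)


def rsa_verify(pub, m, sig):
    """... and 'decrypt' with e; valid iff the result is the original message."""
    n, e = pub
    return pow(sig, e, n) == m


def is_deterministic(pub, m):
    """Textbook RSA has no IV or random padding, so repeated plaintexts are visible."""
    return rsa_encrypt(pub, m) == rsa_encrypt(pub, m)
```

With p = 61 and q = 53 the function yields n = 3233, φ(n) = 3120, e = 7 and d = 1783 (7 · 1783 = 12481 = 4 · 3120 + 1), which is a convenient size for checking the arithmetic by hand.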
Popular keyed-hash (MAC): CBC-MAC, based on AES operated under CBC mode

Data Integrity
How do we know if an email we received or software we downloaded is authentic?
Unkeyed Hash for Integrity Protection
Let us assume that there is a secure channel to send a short piece of information. We can then carry out the following steps:
• Let F be the original file
• We obtain the digest h(F) from the secure channel
• We then obtain the file F' whose origin claims that it is F
• We can then compute and compare the two digests h(F), h(F')
  – If h(F) = h(F'), then F = F' with very high confidence
  – Else if h(F) ≠ h(F'), then the integrity of the file is compromised
What would an attacker do: the attacker's goal is to make Alice accept any file other than F. To trick Alice, the attacker needs to have a F' such that h(F') = h(F) and F ≠ F'.
With the digest delivered over the secure channel, the verifier can be assured that the data is authentic, thus the authenticity of the data origin is achieved. Nonetheless, when there is no secret key involved, the hash function only provides INTEGRITY, not AUTHENTICITY.
This is because a man-in-the-middle can potentially edit the original message, rehash it using the same hash function, then send the new digest over. This is the reason for the digest to be sent separately via some secure channel.
What can we do if we do not have a secure channel to deliver the digest?

Message Authentication Code
MAC can help to ensure integrity and authenticity as only the sender will know the secret key used for the MAC. Comparing MAC_k(F) (which can be sent through an insecure channel) and MAC_k(F'), we can easily determine if the file is from the right person. If the MAC matches, F is likely to be from someone who knows the key k. Else something has been modified: either F', the MAC_k(F) sent through the insecure channel, or both.
HMAC (|| means concatenation)

Data-Origin Authenticity
What would the attacker do: Forge a valid pair of (message, mac). Typically the MAC is appended to F, then stored as a single file or transmitted through the communication channel together. There is no issue on confidentiality, and the data F can be sent in the clear. Later, an entity who wants to verify the authenticity of F can carry out the verification process using the secret key.

Data-Origin Authenticity (Signature), Asymmetric key
The public key version of MAC is called Signature. Here, the owner uses the private key to generate the signature. The public can use the public key to verify the signature. Anyone can verify the authenticity of the data, but only the person who knows the private key can generate the signature. If the signature is valid, it means F must be authentic.
What is special about signature compared to MAC?
Ease of key management. We can view the digital signature as the counterpart of the handwritten signature in a legal document. A legal document is authentic or certified if it has the correct handwritten signature. No one, except the authentic signer, can generate the signature. A signature scheme achieves Non-repudiation.
Non-Repudiation: Assurance that someone cannot deny previous commitments or actions.

Birthday attacks
Similar to exhaustive search in encryption. When designing hashes, we want to do so such that attacks cannot do better than a birthday attack. All hash functions are subject to the birthday attack.
• In a class of 25 students, the probability is more than 0.5 that there is a pair of students with the same birthday.
• Suppose M messages, each message tagged with a value randomly chosen from {1, 2, 3, ..., T}.
• If M > 1.17 T^0.5 then with probability more than 0.5, there is a pair of messages tagged with the same value.
• Suppose the digest of the hash is 80 bits (T = 2^80) and the attacker wants to find a collision.
• If the attacker randomly generates 2^41 messages (M = 2^41), then M > 1.17 T^0.5. Hence with probability more than 0.5, among the 2^41 messages, 2 of them give the same digest.
This has serious consequences on the digest length required by a hash function to be collision resistant. When the key length of a symmetric key is 112, the recommended length for the digest is at least 224.

Using Encryption for Authenticity
It is common for people to claim that their communication channel is secure because they use a certain encryption scheme that provides a high level of security. This is a false sense of security, as an encryption scheme merely provides confidentiality. It does not provide the INTEGRITY and AUTHENTICITY required for communication channels.

Example
The mobile phone and a server share a secret 256-bit key k. The server can send instructions to the mobile phone via SMS. The format of the instruction is: X P
where X is an 8-bit string specifying the operation, and P is a 120-bit string specifying the parameter. So, an instruction is of size 128 bits. If an operation doesn't need a parameter, P will be ignored. There is a total of 15 valid instructions.
• An instruction is to be encrypted using AES CBC-mode with a 256-bit key, encoded to readable characters and sent as SMS. (Recap: the block size of AES is 128 bits.)
• After a mobile phone receives an SMS, it decrypts it. If the instruction is invalid, it ignores the instruction. Otherwise, it executes the instruction.
• This is not secure as the SMS does not provide any form of authenticity and integrity if it simply encrypts the message. A secure design could use a MAC instead of encryption.
• Opportunity for replay attacks. Having intercepted one message, even with a MAC appended, the attacker can simply repeatedly send the message they intercepted, which will result in some command or instruction being repeatedly executed. (A cryptographic nonce can be used to prevent this.)
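The birthday bound M > 1.17 T^0.5 quoted above, as an added example (not code from the notes): an 'n-bit hash' is modelled by truncating SHA-256 to n bits so that T = 2^n, random messages are hashed until two share a digest, and the number of messages needed is compared with the bound. The truncation, the seeded random generator and the 20-bit digest size are this example's assumptions.

```python
# Added example (not from the notes): a birthday attack against a hash with a
# short digest, modelled by truncating SHA-256 to `bits` bits so T = 2**bits.
import hashlib
import random


def truncated_digest(msg, bits):
    """A stand-in for an n-bit hash: the low `bits` bits of SHA-256(msg)."""
    full = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return full & ((1 << bits) - 1)


def birthday_bound(bits):
    """The notes' rule of thumb: M > 1.17 * T**0.5 messages give a collision w.p. > 0.5."""
    return 1.17 * 2 ** (bits / 2)


def find_collision(bits, seed=0, max_tries=None):
    """Hash random messages until two share a digest; return (m1, m2, tries)."""
    rng = random.Random(seed)                # seeded so the run is reproducible
    seen = {}
    tries = 0
    while max_tries is None or tries < max_tries:
        m = rng.getrandbits(64).to_bytes(8, "big")
        tries += 1
        d = truncated_digest(m, bits)
        if d in seen:
            if seen[d] != m:                 # a genuine collision, not the same message twice
                return seen[d], m, tries
            continue
        seen[d] = m
    return None


def mean_tries(bits, runs=10):
    """Average number of messages needed over several seeds; lands near birthday_bound."""
    return sum(find_collision(bits, seed)[2] for seed in range(runs)) / runs


def collision_resistance_bits(digest_bits):
    """A birthday attack costs about 2**(digest_bits/2), so a 224-bit digest gives 112-bit
    strength, which is why the notes pair a 112-bit symmetric key with a 224-bit digest."""
    return digest_bits // 2
```

For a 20-bit digest the bound is 1.17 · 2^10 ≈ 1198 messages; a run with seed 1 finds a collision in roughly that many tries, and averaging over seeds lands close to the bound, which is the whole reason an 80-bit digest (2^40 work) is no longer considered collision resistant.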
Public Key Infrastructure

Public Key Distribution
There needs to be a way to transfer the public key securely. If the public key is distributed insecurely, there may be a possibility of facing a man-in-the-middle attack.

Public key vs Symmetric key distribution
Both need a secure channel to distribute keys. It is easier to securely 'broadcast' compared to 'establish' a different symmetric key for every pair.
Public Key:
• only broadcasted once (linear)
• does not need to know the existence of the receiver while broadcasting
Symmetric key:
• securely establish a different symmetric key with each of the rest (quadratic)
• both entities need to interact to establish the key

3 Different methods for Public Key Distribution
1. Public Announcement
Owner broadcasts her public key (email, social media or physical namecard etc.). Many owners list their 'PGP public key' in a blog, personal webpage etc.
Limitations: Not standardized, no systematic way to search/verify the public key.
2. Publicly Available Directory
List all names/email addresses and public keys in a public-key directory server.
Limitations: Anyone can post their public keys in the server. Not clear how to verify the information. How does the server verify that information is authentic? Not everyone might trust the server as well.
3. PKI
Standardized system to distribute public keys. Addresses the limitations of the previous 2 methods. Aims to be deployable on a large scale. Centered around Certificates and the Chain of trust of Certificate Authorities (CA).

Certificates and Trust
Certificate Authority
CA issues + signs digital certificates. The cryptography involved is that of digital signatures. It keeps a directory of public keys, and also has its own public-private key pair. We assume that the CA's public key has been securely distributed to all entities involved.
Without Certificate:
1. Alice sends email + public key to Bob, email signed with her private key.
2. Bob asks the CA what the public key of Alice's email is.
3. CA sends the public key of Alice back to Bob in a message. (This message is signed by the CA.)
4. Bob verifies that both public keys received are the same.
With Certificate:
1. Alice sends email + certificate, email signed with her private key, and her public key is listed in the certificate.
2. Bob verifies that the signature in the certificate is indeed signed by the CA.
3. Since no one except the CA can produce a valid signature, the authenticity of the information in the certificate is as good as coming directly from the CA.
Most OSes/Browsers have preloaded CA public keys, aka root CAs.

What is a Certificate?
A certificate is a digital document that contains at least the following 4 items:
1. name (e.g. alice@yahoo.com or bbc.com or *.bbc.com)
2. public key of owner
3. time window during which this certificate is valid
4. signature of CA → computed from the CA's private key
There is additional information based on the intended purpose of the certificate.
• Usage of certification: (1) type of 'name' (email/domain name) or if it can take the role of a CA (chain of trust)
• Digest (Fingerprint) for verification without the CA's public key
• Meta data such as type of algorithm (ECC/RSA/key length)
Standard: X509:
• ITU-T X.509: Specifies formats for certificates, certificate revocation lists, and a certification path validation algorithm
• The Public-Key Infrastructure (X.509) Working Group (PKIX): IETF working group that creates Internet standards on issues related to PKI based on X.509 certificates
• Structure:
  – Certificate:
    ∗ Version Number
    ∗ Serial Number
    ∗ Signature Algorithm ID
    ∗ Issuer Name
    ∗ Validity period: Not Before, Not After
    ∗ Subject Name
    ∗ Subject Public Key Info: Public Key Algorithm, Subject Public Key
    ∗ Issuer Unique Identifier (optional)
    ∗ Subject Unique Identifier (optional)
    ∗ Extensions (optional)
  – Certificate Signature Algorithm
  – Certificate Signature

How do I get a certificate
Get a cert from a CA ($10 - $50 per year).
Let's Encrypt provides (basic) TLS certs at no charge
• Launched in 2016, valid for 90 days
• Renewal can take place at any time
• Automated process of cert creation, validation, signing, installing and renewal
Self-signed certificate
A self-signed certificate is signed by its owner, said to be verified using the 'public key' listed in the certificate.
• Convenient for manual installation of a public key. If a user wants to include a binding of the name and public key of an entity D, but D does not have a certificate signed by a CA, D can 'self-sign' a certificate and pass it to the user.
• The user can manually accept the certificate (provided they trust the source). By accepting the self-signed cert the user instructs the machine to accept the binding of D's name and their public key. The user takes responsibility for ensuring they are correct.

Certificate Authority and Trust Relationship
Certificate Chain-of-trust
• Suppose Alice's certificate is issued and signed by CA#1, but Bob does not have the public key of CA#1
• Alice, anticipating that Bob might not have the public key of CA#1, can send her email, certificate and CA#1's certificate to Bob, allowing him to verify:
  – CA#1's certificate using the root CA's public key
  – Alice's certificate using CA#1's public key
  – Alice's email using Alice's public key
• If Alice does not attach CA#1's cert, Bob can obtain it from other sources

Revocation
Non-expired certificates may need to be revoked for different reasons:
• Private key compromised
• Entity left an organization
• Business entity closed
• Issuing CA compromised
A verifier needs to check whether a certificate in question is still valid, even when not expired. It is recommended for users (e.g. browsers) to periodically update their local cache of the revocation list.
2 different approaches:
• Certificate Revocation List (CRL): CA periodically signs and publishes a revocation list
• Online Certificate Status Protocol (OCSP): an OCSP Responder validates the cert

Limitations/Attacks on PKI
Implementation Bugs
Some browsers ignore substrings in the 'name' field after the null character when displaying it in the address bar but include them when verifying the certificate.
1. Name appearing in the certificate: www.comp.nus.edu.sg\0.hacker.13525.com OR *.hacker.13525.com
2. Browser displays it as www.comp.nus.edu.sg
This causes viewers to think that they are connecting to 1., but in fact they are connecting to 2.
Abuse by CA
There are many CAs, and one could be malicious. A rogue CA can practically forge any cert.
• Trustwave issued a "subordinate root certificate" (i.e. the recipient can now issue certificates) to an organization for monitoring its network. With this certificate, the organization can "spoof" X.509 certificates and hence is able to act as the man-in-the-middle of any SSL/TLS connection.
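The null-byte name bug described under Implementation Bugs, as an added example that is not code from the notes: one function models a C-string comparison that stops at the first NUL, and a hardened matcher rejects any name containing control characters, compares the full string, and lets a wildcard cover exactly one label. The certificate names are the notes' own; the matching rules and the `audit_cert_name` consistency check are this example's assumptions.

```python
# Added example (not from the notes): the null-byte certificate-name bug,
# shown as a C-string style comparison beside a hardened matcher.
# The names are the page's own example; the matcher rules are an assumption
# (exact match, or a '*.' wildcard covering exactly one label).

def displayed_name(cert_name):
    """Model of code that treats the name as a C string: everything after NUL vanishes."""
    return cert_name.split("\0", 1)[0]


def c_string_matches(cert_name, host):
    """Vulnerable: compares the truncated form, so the suffix after NUL is never seen."""
    return displayed_name(cert_name) == host


def hostname_matches(cert_name, host):
    """Hardened: refuse names with NUL/control characters, compare the full string,
    and let '*.' match exactly one label (so *.bbc.com matches www.bbc.com only)."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in cert_name):
        return False
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                         # ".bbc.com"
        if not host.endswith(suffix):
            return False
        return "." not in host[: -len(suffix)] and len(host) > len(suffix)
    return cert_name == host


def audit_cert_name(cert_name):
    """Defender check: the name a user sees must equal the name that gets verified."""
    shown = displayed_name(cert_name)
    return {"displayed": shown, "verified": cert_name, "consistent": shown == cert_name}
```

Whichever side of the browser truncates at the NUL, the display and the verification disagree on what the name is; `audit_cert_name` flags exactly that disagreement, and `hostname_matches` refuses the name outright.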
• see ComputerWorld, "Trustwave admits issuing man-in-the-middle digital certificate; Mozilla debates punishment", Feb 8 2012.
• OR Lenovo's SuperFish scandal

Social Engineering
The attacker first rightfully registers a domain name that resembles the targeted domain name. Next, the registered domain is used to confuse the victim in a phishing attack. (Domain spoofing (typosquatting), URL spoofing, Fake URL).
• Method 1 (typosquatting):
  1. An attacker registered the domain name luminus.nus.edv.sg and obtained a valid certificate for the above name. No one had registered edv.sg and thus the attacker was able to get it.
  2. The attacker employed a "phishing attack", tricking the victim to click on the above link, which was a spoofed site of luminus.nus.edv.sg
  3. The address bar of the victim's browser correctly displayed https://luminus.nus.edv.sg but the victim didn't notice that and logged in using the victim's password
• Method 2 (sub-domain):
  1. A more commonly deployed method uses a sub-domain. E.g. the attacker is the rightful owner of 134566.com.
  2. The attacker creates a sub-domain: luminus.nus.edu.sg.134566.com.
  3. Since the attacker is the owner of 134566.com, it can get a valid certificate of luminus.nus.edu.sg.134566.com or *.134566.com

Authentication – Symmetric Key / Public Key
An entity wants to convince Bob that she is indeed Alice. The entity does so by convincing Bob that she knows some 'secrets'. Eve can sniff the communication between the authentic Alice and Bob, and use stolen information to impersonate Alice.
Weak Authentication
A password is a type of secret. Sending the secret over is a simple method, but Eve can simply 'replay' it to impersonate.

Authentication: Challenge-response
Suppose Alice and Bob have a shared secret k, and both agreed on a MAC. An entity who knows k is either Alice or Bob. Now, an entity P (the prover) wants to convince Alice that he is Bob. An attacker first sniffs all interactions between Alice and Bob. The attacker then communicates with Alice to try to trick Alice that it knows the secret k. A protocol is secure if this attacker can be prevented.
1. P sends Alice a hello message
2. (Challenge) Alice randomly picks a message m and sends m to P.
3. (Response) P computes t = mac_k(m). P then sends t to Alice.
4. Alice verifies that the tag received is indeed the mac of m. If so accept, else reject.
• By the property of the mac, even if Eve sniffs and obtains multiple valid pairs of m and t, Eve still (1) cannot get the secret key k and (2) cannot forge the mac for messages Eve has not seen before.
• Cannot replay the response since the challenge is randomly chosen. The challenge m ensures freshness of the authentication process. It is also known as a cryptographic nonce.
• This protocol is called unilateral authentication as only the authenticity of Bob is verified.
• Protocols that verify both parties are called mutual authentication.

Unilateral Authentication: PKC
We can also have a public key version using signatures. Suppose Alice wants to authenticate an entity P who claims to be Bob.
1. (Challenge) Alice chooses a random message r and sends to P: 〈 "Bob, here is your challenge", r 〉
2. (Response) P uses his private key to sign r. P also attaches a certificate: 〈 sign(r), certificate 〉
3. Alice verifies that the certificate indeed belongs to Bob and is valid. Next, she extracts the public key from the certificate and verifies that the signature sign(r) is correct. If so, accept.
If Alice already knows Bob's public key, the certificate can be omitted.
Similarly, we assume an attacker can observe multiple interactions between Alice and the real Bob. After that, the attacker tries to convince Alice that it knows the private key. By the security property of the signature, the eavesdropper can't derive Bob's private key and can't forge the response. The nonce r ensures freshness.

Handling Mallory using Authenticated Key Exchange
Consider a malicious Mallory: they can impersonate Bob and can sniff, spoof and modify messages. After Alice is convinced that P is Bob, Mallory can interrupt and take over the channel, thereby pretending to be Bob.
Authenticated Key-exchange
• Authenticated key-exchange: the outcome is a new shared secret k known as the session key.
• Subsequently, all communication will be protected (encrypted + mac) using k.

Key-exchange || Sniff then Steal session key
Alice and Bob want to establish a common key. The key can be used to protect subsequent communication. The interaction could be eavesdropped by Eve; after sniffing, Eve wants to guess the established key.

PKC-based Key-exchange
1. Alice generates a pair of private/public keys
2. Alice sends the public key ke to Bob
3. Bob carries out the following:
  • Randomly chooses a secret k
  • Encrypts k using ke
  • Sends the ciphertext c to Alice
4. Alice uses her private key kd to decrypt and obtain k.
• The attacker (Eve) can obtain the public key ke and the ciphertext c.
• By the security of PKC, from the public key and ciphertext, the attacker cannot get any information on the plaintext, which is the key k.

Diffie-Hellman Key-exchange
We assume both Alice and Bob have agreed on two public parameters, a generator g and a large (e.g. 1000 bits) prime p. Both g and p are not secret and known to the public.
What if the adversary is malicious? For example, a man-in-the-middle? In this case, Alice mistakes Mallory for Bob. Communication from Alice is encrypted using kA. Mallory can decrypt using kA and re-encrypt using kB. Hence, Mallory can see and modify the message.
• The key-exchange protocol assumes that the adversary can only sniff but is not malicious.
• Authenticated key-exchange can easily be obtained from an existing key-exchange (either PKC-based key-exchange or DH-based key-exchange). This can be done by signing all communication using the private key.
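The symmetric challenge-response protocol above (steps 1 to 4), as an added example that is not code from the notes, with HMAC-SHA256 standing in for the agreed MAC. It includes the replay attempt the notes say the random challenge defeats: Eve records a valid (m, t) pair from a genuine run and answers a later challenge with the recorded t. The `Verifier` class, the 16-byte nonce and the keys are this example's assumptions.

```python
# Added example (not from the notes): the symmetric challenge-response
# protocol above with HMAC-SHA256 as the MAC, and the replay attempt it defeats.
import hashlib
import hmac
import secrets


def mac(key, message):
    return hmac.new(key, message, hashlib.sha256).digest()


class Verifier:
    """Alice: issues a fresh random challenge and accepts only mac_k(challenge)."""

    def __init__(self, key):
        self.key = key
        self.outstanding = None

    def challenge(self):
        self.outstanding = secrets.token_bytes(16)   # m: a cryptographic nonce
        return self.outstanding

    def verify(self, tag):
        if self.outstanding is None:
            return False
        m, self.outstanding = self.outstanding, None # each challenge is used once
        return hmac.compare_digest(mac(self.key, m), tag)   # constant-time compare


def prover_response(key, m):
    """P (claiming to be Bob): t = mac_k(m)."""
    return mac(key, m)


def honest_run(key):
    alice = Verifier(key)
    return alice.verify(prover_response(key, alice.challenge()))


def wrong_key_run(key, other_key):
    """A prover who does not know k cannot produce the tag."""
    alice = Verifier(key)
    return alice.verify(prover_response(other_key, alice.challenge()))


def replay_run(key):
    """Eve records (m1, t1) from a genuine run, then answers a new challenge with t1."""
    alice = Verifier(key)
    m1 = alice.challenge()
    t1 = prover_response(key, m1)
    alice.verify(t1)                                  # the genuine Bob passes
    alice.challenge()                                 # fresh m2 != m1 (except w.p. 2**-128)
    return alice.verify(t1)                           # the replayed tag is rejected
```

Two details matter on the verifier side: the outstanding challenge is cleared as soon as it is checked, so a tag can never be tried twice against the same m, and the comparison is constant-time so the check itself does not leak the expected tag byte by byte.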
Station-to-Station protocol STS
Authenticated key-exchange based on DH. We assume both Alice and Bob have agreed on two public parameters, a generator g and a large (e.g. 1000 bits) prime p. Both g and p are not secret and known to the public. Here, we consider unilateral authentication: Alice wants to authenticate Bob.
• (Asymmetric) The previous authenticated key-exchange protocols such as Station-to-station are based on public key. That is, an entity is considered authentic if it can convince the other that it knows the private key of the associated public key.
• (Symmetric) There are also symmetric key versions, i.e. both entities share a symmetric key. An entity is authentic if it can prove to the other that it knows the key.
• (Password) A special case of symmetric key is when the key is a password. A password usually has very low entropy, and thus could potentially be vulnerable to an "offline" dictionary attack (see tutorial). There are secure protocols that, even if the entropy of the password is low, are still secure against offline dictionary attacks. These are called "Password-Authenticated Key agreement" (PAKE).

In TLS/SSL:
1. Using long-term keys (i.e. Bob's public and private key), carry out an authenticated key-exchange (aka handshake in TLS). The outcomes are:
  • Alice is convinced that she is interacting with Bob.
  • Both Alice and Bob have a shared session key. Mallory is unable to get the key.
2. Subsequent communication is protected by the session key.

TLS
1. Alice obtains Bob.com's public key. This is done by having Bob send his certificate to Alice.
2. Alice and Bob.com carry out a unilateral authenticated key exchange protocol with Bob's private/public key. After the protocol, both Bob and Alice obtain two shared keys t, k where t is the secret key of the MAC, and k is the secret key of the symmetric-key encryption, say AES. They are called the session keys. From Alice's point of view, the protocol is secure in the sense that only an entity who knows Bob's private key can complete the protocol. So, Alice is convinced that the entity who now holds t, k is Bob. Here, Bob doesn't care about Alice's authenticity.
3. Subsequent interactions between Alice and Bob.com will be protected by t, k and a sequence number. Suppose m1, m2, m3, ... are the sequence of messages exchanged; the actual data to be sent for mi is
  E_k(i || mi) || mac_t(E_k(i || mi))
where i is the sequence number. This is known as 'encrypt-then-MAC'. There are other variants: 'mac-then-encrypt' and 'mac-and-encrypt'. Using the wrong variant might leak information. When in doubt, use "authenticated encryption" such as AES GCM mode. GCM is fairly new and was not established when TLS was designed.

Network Security
A computer network establishes communicating connections between entities. To share networking resources and enhance robustness, instead of having dedicated lines between any 2 nodes, packet switching is deployed.
• Messages route via multiple switches and routers → messages are broken into packets/frames
• Network security focuses on the effects of attackers among intermediate nodes. The attacker wants to steal, modify, disrupt: CIA.
• Routing:
  1. Route traffic to nowhere: Availability
  2. Know who is talking to whom.
  3. Route traffic to the attacker, become MITM.
Multiple hops and network layers
To handle different types of intermediate nodes, network protocols are abstracted as layers. Conceptually, layer (N-1) provides a 'virtual' channel for entities in layer N. The peer entities in layer N communicate using the virtual channel in layer (N-1). In turn, layer N provides yet another virtual channel for layer N+1.
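An added example (not code from the notes) for the Diffie-Hellman and STS material above: an honest DH run, the man-in-the-middle outcome the notes describe (Alice and Bob end up with kA ≠ kB while Mallory knows both), and an authenticated variant in which Bob tags the exchanged values under a long-term key. The tag uses HMAC under a shared long-term key, i.e. the symmetric-key variant the notes mention, not STS's signature format; the 127-bit toy prime, g = 5 and the role label are this example's assumptions and far smaller than the roughly 1000-bit p the notes suggest.

```python
# Added example (not from the notes): Diffie-Hellman with the page's symbols,
# the man-in-the-middle outcome (Alice and Bob end up with different keys,
# both known to Mallory), and an authenticated variant where Bob MACs the
# exchanged values under a long-term key (symmetric analogue of STS signing;
# constructed here, not the STS message format). Toy parameters, not real ones.
import hashlib
import hmac
import secrets

P = 2**127 - 1       # toy prime modulus p (assumption; a real group is ~1000+ bits)
G = 5                # generator g (assumption)


def dh_private():
    return 2 + secrets.randbelow(P - 3)


def dh_public(x):
    return pow(G, x, P)


def dh_shared(x, other_pub):
    return pow(other_pub, x, P)


def plain_dh_agrees():
    """Honest run: both sides derive the same key g^(ab) mod p."""
    a, b = dh_private(), dh_private()
    return dh_shared(a, dh_public(b)) == dh_shared(b, dh_public(a))


def dh_with_mallory():
    """Mallory swaps both public values for her own.
    Returns (alice_and_bob_keys_differ, mallory_knows_both)."""
    a, b, m = dh_private(), dh_private(), dh_private()
    A, B, M = dh_public(a), dh_public(b), dh_public(m)
    k_alice = dh_shared(a, M)         # Alice thinks M came from Bob   -> kA
    k_bob = dh_shared(b, M)           # Bob thinks M came from Alice   -> kB
    return (k_alice != k_bob,
            k_alice == dh_shared(m, A) and k_bob == dh_shared(m, B))


def auth_tag(long_term_key, role, A, B):
    """Tag over the transcript (A, B) under the long-term key; role separates directions."""
    data = role.encode() + A.to_bytes(16, "big") + B.to_bytes(16, "big")
    return hmac.new(long_term_key, data, hashlib.sha256).digest()


def authenticated_dh(long_term_key, mallory=False):
    """Alice accepts only if Bob's tag covers the values Alice actually sent and received."""
    a, b = dh_private(), dh_private()
    A = dh_public(a)
    A_seen_by_bob = dh_public(dh_private()) if mallory else A   # Mallory substitutes A
    B = dh_public(b)
    tag = auth_tag(long_term_key, "bob", A_seen_by_bob, B)      # Bob tags what he saw
    B_seen_by_alice = dh_public(dh_private()) if mallory else B # Mallory substitutes B
    expected = auth_tag(long_term_key, "bob", A, B_seen_by_alice)
    return hmac.compare_digest(expected, tag)
```

The tag binds both public values to the long-term key, so any substitution on either direction changes what Alice expects and the exchange halts, which is the behaviour the Summary below requires of an authenticated key exchange.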

Summary: Mutual Key-exchange
• Before the protocol:
  1. Alice has a pair of public, private keys (A_public, A_private).
  2. Bob has a pair of public, private keys (B_public, B_private).
  3. Alice knows Bob's public key and vice versa. These two sets of keys are known as the Long-term key or Master key.
• They carry out an Authenticated key exchange protocol (e.g. STS). If an entity is not authentic, the other will halt.
• After the protocol: Both A and B obtain a shared key k, known as the Session key
• Security Requirement:
  – (Authenticity) Alice is assured that she is communicating with an entity who knows B_private.
  – (Authenticity) Bob is assured that he is communicating with an entity who knows A_private.
  – (Confidentiality) The attacker is unable to get the session key

Securing Communication Channel || TLS
A public channel facilitates communication, but is not secure in the presence of Mallory. We can use crypto primitives on the messages, so that it is as secure as a 'private channel'.
Alice wants to visit a website Bob.com. Alice is using the free wifi in a cafe called Mallory. How to secure the communication in the presence of malicious Mallory? In TLS/SSL, this is done with the two-phase approach (authenticated key exchange, then protection under the session keys) described under TLS above.
SSL and Transport Layer Security (TLS) are protocols that secure communication using cryptographic means. SSL is the predecessor of TLS and HTTPS is built on top of TLS.

Example of names/addresses used at different layers:
• Domain name: bbc.com
• Port Number: 60
• IP-address: 151.101.64.81
• MAC-address: 10:12:A3:44:55:61

Data units generated by layers
• When the layer-N channel is invoked to send a message m, the protocol in layer N might transform m into pieces of 'payload'. Each payload has a header generated by the protocol. Header and payload together form a data unit in layer N to be sent by layer N-1.
  – Transport layer: datagram
  – Network layer: packet
  – Datalink layer: frame
• Each header contains 2 pieces of information: (1) src address, the sender's address (at layer N) and (2) dest address, the receiver's address (at layer N)
• Layer N at the receiver reconstructs m from the series of received data units.
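The record format from TLS step 3 above, E_k(i || mi) || mac_t(E_k(i || mi)), as an added example that is not code from the notes: the receiver checks the MAC first and only then decrypts and compares the sequence number, which rejects forged, modified, replayed and reordered records. The same construction is what the earlier SMS example calls for (a MAC for authenticity, a counter against replay). Because the standard library has no AES, the cipher here is a stand-in SHA-256 keystream in counter mode keyed by (k, i); that substitution, the 32-byte tag and the record layout are this example's assumptions, and in practice AES (or an AEAD such as AES-GCM) would be used.

```python
# Added example (not from the notes): the record format in TLS step 3,
# E_k(i || m_i) || mac_t(E_k(i || m_i)), with the receiver checking the MAC first
# and then the sequence number. The cipher is a stand-in (SHA-256 keystream in
# counter mode, keyed by (k, i)) because the standard library has no AES.
import hashlib
import hmac
import struct

TAG_LEN = 32


def _keystream(k, i, length):
    out = b""
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(k + struct.pack(">QQ", i, ctr)).digest()
        ctr += 1
    return out[:length]


def encrypt(k, i, m):
    """E_k(i || m): the sequence number is the cipher nonce and also part of the plaintext."""
    data = struct.pack(">Q", i) + m
    return bytes(x ^ y for x, y in zip(data, _keystream(k, i, len(data))))


def decrypt(k, i, c):
    return bytes(x ^ y for x, y in zip(c, _keystream(k, i, len(c))))


def seal(k, t, i, m):
    """Encrypt-then-MAC: c = E_k(i||m), record = c || mac_t(c)."""
    c = encrypt(k, i, m)
    return c + hmac.new(t, c, hashlib.sha256).digest()


class Receiver:
    def __init__(self, k, t):
        self.k, self.t, self.expected = k, t, 0

    def open(self, record):
        """Return the message, or None if the MAC fails or the sequence number is wrong."""
        if len(record) < TAG_LEN + 8:
            return None
        c, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        if not hmac.compare_digest(hmac.new(self.t, c, hashlib.sha256).digest(), tag):
            return None                         # forged or modified: rejected before decrypting
        plain = decrypt(self.k, self.expected, c)
        (i,) = struct.unpack(">Q", plain[:8])
        if i != self.expected:
            return None                         # replayed or reordered record
        self.expected += 1
        return plain[8:]
```

Verifying the tag before touching the ciphertext is the point of encrypt-then-MAC: a tampered record is dropped without any decryption taking place, so nothing about the plaintext or padding can leak through the receiver's behaviour.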
– (Legacy and security tradeoff) Initial design of netowrking Name Resolution and Attacks: DNS/ARP
protocols did no consider intentional attacks. (e.g. DNS To use virtual connection in layer (N-1), need to know receiver
does not employ strong protoection mechanisms for name in layer (N-1) Method of finding the corresponding name is
performance sake.) called resolution protocol.
– (Management) There is a need to isolate and control data • Domain Name System (DNS): resolution of Domain name
flow (firewall). to IP address
• Address Resolution Protocol (ARP): resolution of IP
TCP/IP and UDP/IP address to MAC address
Transport Layer + IP Domain Name System (DNS)
• Transport layer and IP layer often treated as a single layer: Given a domain name e.g. www.comp.nus.edu.sg, ip address can
ip-address and port number. be found by querying a remote DNS server. The client who
• Each node in the network has a total of 65535 ports initiates the query is called the resolver. If the address is found,
• Communication channel between 2 nodes established by we say domain name is resolved.
connecting 2 ports. e.g. between 11.11.1.1:2 and
55.55.5.5:65535

UDP/IP
• DatagramSend(srcPort, destIp, destPort, message)
• DatagramSend library constructs an IP datagram and then an
IP packet and passes to Data Link layer.
• There is a limit on the size of the array message → 65,000
bytes.
• DatagramSend does not return a result indicating whether the
Intermediate nodes destination received the packer. There is a possibility that the
packet is lost, arrived late or the recipient does not exist.
Data are routed through multiple hops. Intermediate nodes could
• UDP protocol is unreliable, data might get lost of arrive in a
be owned by different third parties, e.g. Internet service provider
different order.
(ISP), company’s firewall. To facilitate routing, intermediate
DNS Spoofing: Attack scenario
nodes see routing/header information, and might also change
TCP/IP: reliable communication WHEN NOT UNDER ATTACK
them (e.g translate the address, add “hop count”).
• Application make library calls in the following form: • Alice using cafe wifi to surf web and wants to visit and login to
Man-In-The-Middle —— MITM nus.edu.sg. She types domain name into browser address bar.
MITM sits between 2 communicating parties. Unless otherwise P = open connection (2 , ” 3 3 . 4 3 . 1 0 0 . 2 ” , 65535) • Browser makes query to DNS server to determine ip address
stated, the MITM can sniff, spoof, modify, drop the data. Very send (P , o u t m e s s a g e ) // can have m u l t i p l e (nslookup) Browser obtains and connects to ip address.
often, when mentioning a MITM, it is clear from context what r e a d (P , i n m e s s a g e ) // rounds o f send / r e a d
c l o s e c o n n e c t i o n (P) ATTACK
info the MITM has access to.
• Consider an attacker who is also in the cafe, since wifi no
• MITM sits in Layer 3, MITM can see input (e.g. datagram, • open_connection carries out some form of handshake-protocol protected, attacker can
transport header) to Layer 3 and decide what the output of (TCP 3-way handshake) to make sure recipient is listening.
Layer 3 (packet, network header etc.) and know all internal – sniff data from communication channel
• send constructs ip packets of the following form and pass them
info stored in Layer 3 (e.g. secret key). – inject spoofed data into communication channel
to datalink layer. If message too long, form multiple ip packets.
• MITM sits between Layer 2 and 3, or just above layer 2, • Protocol also has mechanism for re-sending, re-ordering, • Attacker cannot remove/modify data sent by Alice (sits below
just below layer 3, we mean that the MITM can see and acknowledgement to ensure destination did in fact receive the physical layer).
modify output of Layer 3, but do not have access to internal message. • Attacker owns a webserver at 100.10.10.3 which is a spoofed
data in Layer 3. NUS website. ATTACK:
Challenges in Network Security
• (Intermediate nodes and layers) There are many intermediate nodes, each handling routing-related information at a different layer.
• (Security Requirements)
  – Availability is the main concern in networking.
  – Confidentiality and integrity of routing:
    ∗ Modifying the routing process would break connections (availability) or redirect traffic to the adversary (confidentiality). Even when the payload is encrypted, an adversary who can observe the ciphertext may still exploit side-channel leakages or implementation flaws.
    ∗ Leakage of routing information could reveal connectivity information, e.g. that A is talking to B → anonymity and privacy.

Reliability does not imply Security
• TCP/IP is reliable but not secure. Intermediate nodes along the communication route can still modify data in the header or payload.
• A malicious intermediate node might act as a MITM in the IP layer, e.g.
  – spoof an IP packet to inform one node to close the connection
  – reorder the packets

Listening to a port / Closed port
• Behind certain ports there are applications waiting to process data arriving via the respective port → the node/process is listening on the port.
• If no process is listening on a port → closed port; data sent to a closed port will be dropped.
Denial of Service Attack
DOS is an attack on availability.
• Availability: The property of being accessible and usable upon demand by an authorized entity.
• Denial of service (DOS): The prevention of authorized access to resources or the delaying of time-critical operations.
• Many successful DOS attacks simply flood the victim with overwhelming requests/data.
• For a flooding DOS to be effective, a large number of attackers is usually required. When DOS is carried out by a large number of attackers it is called DDOS: Distributed Denial of Service.

Example of DOS attack
• DNS is an important component as it resolves domain names, and can be a single point of failure of a network.
• A DDOS attack on a web service, instead of directly attacking the server, could target the DNS server instead. → When the DNS server is down, the web service is no longer reachable.
• E.g. the MyDoom worm, which targeted SCO's website: from Feb 12, 2004 infected machines sent a large number of requests to the DNS server.

Botnet
• Bot: aka zombie, a compromised machine.
• Botnet: aka zombie army, a large collection of connected bots communicating via covert channels.
• A botnet has a command-and-control mechanism, and thus can be controlled by an individual to carry out DDOS.
• Possible usages of a botnet:
  – DDoS flooding, vulnerability scanning, anonymizing
  – HTTP proxy, email address harvesting, cipher breaking
• There is a new trend of using 'non-PC' devices such as IoT devices as bots for launching DDOS.

Reflection Attack
A reflection attack is a type of DOS in which the attacker sends requests to intermediate nodes, which in turn send overwhelming traffic to the victim. It is indirect, and thus more difficult to trace.

Amplification Attack
A reflection attack mechanism can be measured by its amplification factor: the size of the traffic the victim receives divided by the size of the traffic sent by the attacker. A single small request could trigger multiple or much larger responses from the intermediate nodes, so the factor is typically > 1. A reflection attack is therefore aka an amplification attack.

Example of Reflection attacks: ICMP/Smurf Flood
1. The attacker sends an ICMP echo request (PING) to a router, instructing the router to broadcast the request. The source ip-address of the request is spoofed with the victim's ip-address.
2. The router broadcasts this request.
3. Each entity that receives this request replies to it by sending an 'echo reply' to the (spoofed) source, which is the victim.
4. The victim's network is overwhelmed with echo replies.
This attack is no longer effective, as routers are configured not to forward directed broadcasts by default.

Useful tools
Wireshark —— Packet Analyzer
• Wireshark listens to the "interactions" between the OS and the network card driver (in other words, it is a MITM between the OS and the network card).
• Hence, headers added by the network card, or modifications made by the network card, may not be captured by Wireshark. This depends on the OS and the hardware (usually Wireshark operates at layer 2).

Nmap —— Port Scanning
• Multiple processes run on a server. When the server receives a packet, it decides based on the port number which process handles that packet. So, by saying that a process/service is "listening" on a particular port, we mean that the process is running and ready to handle arriving packets with that particular port number.
• When a port is "open", such a process exists on the server. When a port is "closed", no process is listening on that port.

Poisoning Attack on ARP Table
A switch connects a few nodes. One node N0 acts as a gateway, which is a virtual node in the switch device that connects to the Internet.
• A switch is similar to a telephone switchboard: it connects 2 ports.
• A switch does not understand ip-addresses and does not store ip-addresses (a router does); it connects ports based on MAC-addresses.
• The switch keeps a table that maps ports to MAC-addresses.
• Resolution of ip-address to MAC-address is done by the nodes; each node also keeps a table of ip-address/MAC-address pairs.
• Nodes update each other's tables using a protocol (ARP) that exchanges ip/MAC-address information.
ARP Poisoning is an attack that modifies (poisons) these tables so as to gain MITM access.

ARP Poisoning attack
Under normal circumstances, the following is carried out when N2 sends a packet to 10.0.1.4:
1. N2 looks up its table T2; 10.0.1.4 resolves to fa:16:3e:ed:05:e4.
2. N2 sends the frame to the switch, with destination fa:16:3e:ed:05:e4.
3. The switch looks up table T0 and forwards the frame to port 3.
Suppose N1 (MAC fa:16:3e:d5:e0:14) wants to be MITM between 10.0.3.5 and 10.0.1.4:
1. N1 informs N2 that the MAC address of 10.0.1.4 is fa:16:3e:d5:e0:14.
2. N1 informs N3 that the MAC address of 10.0.3.5 is fa:16:3e:d5:e0:14.
After the tables are poisoned, all frames between the two will be sent to N1, which can relay the frames, or modify them before relaying. N1 becomes a MITM in layer 2.
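Worked example, added here and not part of the cheatsheet: a simulation of the switch table T0 and the nodes' ARP tables in the walkthrough above, before and after N1's two unsolicited replies, plus the check a defender would run over a node's table. The ip-addresses 10.0.3.5, 10.0.1.4 and the MACs of N1 and N3 are the page's; N1's ip-address 10.0.2.1, N2's MAC and the port numbers of N1 and N2 are assumptions.

```python
# Topology from the ARP-poisoning walkthrough above. The ip-addresses
# 10.0.3.5 / 10.0.1.4 and the MACs of N3 and N1 are the page's; N1's
# ip-address, N2's MAC and the port numbers of N1/N2 are assumptions.
NODES = {
    "N1": {"ip": "10.0.2.1", "mac": "fa:16:3e:d5:e0:14", "port": 1},  # attacker
    "N2": {"ip": "10.0.3.5", "mac": "fa:16:3e:aa:bb:02", "port": 2},
    "N3": {"ip": "10.0.1.4", "mac": "fa:16:3e:ed:05:e4", "port": 3},
}


class Switch:
    """Table T0: MAC-address -> port. The switch never looks at ip-addresses."""

    def __init__(self, nodes):
        self.t0 = {n["mac"]: n["port"] for n in nodes.values()}
        self.node_at_port = {n["port"]: name for name, n in nodes.items()}

    def forward(self, dst_mac):
        # name of the node plugged into the port that T0 maps the MAC to
        return self.node_at_port[self.t0[dst_mac]]


class Node:
    """Table Ti: ip-address -> MAC-address, learned from ARP messages."""

    def __init__(self, name, nodes):
        self.name = name
        self.arp = {n["ip"]: n["mac"] for n in nodes.values()}

    def receive_arp(self, ip, mac):
        # ARP has no authentication: any received claim overwrites the entry
        self.arp[ip] = mac

    def send(self, dst_ip, switch):
        dst_mac = self.arp[dst_ip]        # step 1: resolve ip -> MAC from own table
        return switch.forward(dst_mac)    # steps 2-3: frame to switch, switch picks the port


def suspicious_macs(arp_table):
    """Detection check: one MAC claimed by two ip-addresses is the classic
    arpwatch-style indicator of poisoning."""
    claimed = {}
    for ip, mac in arp_table.items():
        claimed.setdefault(mac, []).append(ip)
    return {mac: ips for mac, ips in claimed.items() if len(ips) > 1}


def run(poison: bool):
    sw = Switch(NODES)
    n2, n3 = Node("N2", NODES), Node("N3", NODES)
    if poison:
        n1_mac = NODES["N1"]["mac"]
        n2.receive_arp("10.0.1.4", n1_mac)   # "10.0.1.4 is at fa:16:3e:d5:e0:14"
        n3.receive_arp("10.0.3.5", n1_mac)   # "10.0.3.5 is at fa:16:3e:d5:e0:14"
    return {
        "N2->10.0.1.4 lands at": n2.send("10.0.1.4", sw),
        "N3->10.0.3.5 lands at": n3.send("10.0.3.5", sw),
        "suspicious on N2": suspicious_macs(n2.arp),
    }


if __name__ == "__main__":
    print("normal  :", run(poison=False))
    print("poisoned:", run(poison=True))
```

Note that the switch is not fooled at all: T0 still maps N1's MAC to port 1 correctly. The attack lives entirely in the victims' ip-to-MAC tables, which is why the useful detection runs on the hosts (or on a monitor that sees the ARP replies), not in the switch.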
Nmap —— Port Scanning (cont.)
• If a port is "closed", an attacker is unable to feed malicious data to that port.
• Port scanning: the process of determining which ports are open in a network.
• Port scanner: a tool used for port scanning. Port scanning is useful both for an attacker and for a network administrator scanning for vulnerabilities.

Example of Reflection attacks: DNS reflection attack
During a DNS amplification attack, the perpetrator sends out DNS queries with a forged source IP address (the victim's) to open DNS resolvers, prompting them to reply to that address with DNS responses. With numerous fake queries being sent out, and with several DNS resolvers replying simultaneously, the victim's network can easily be overwhelmed by the sheer volume of DNS responses. (The same mechanism, with Memcached servers as the reflectors, was used against GitHub in 2018.)

Protection —— Secure communication channel
Very often, when referring to a security protocol, we indicate the "layer" the protocol targets to protect. When analyzing an attack, it is also insightful to figure out at what layer the attacker resides. A security protocol that protects layer k protects the information in that layer and above. Hence, if an attacker resides at layer 1, and there is a security protocol that protects layer 3, then information generated in layer 3 and above is protected, but information generated in layer 2 is not protected by the security protocol.
• IPsec is an end-to-end security scheme operating in the Internet layer of the Internet Protocol Suite, while some other Internet security systems in widespread use, such as Transport Layer Security (TLS) and Secure Shell (SSH), operate in the upper layers (application layer). Hence IPsec can protect any application traffic over an IP network: applications are automatically secured by IPsec at the IP layer, without being modified.
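Added example (not from the cheatsheet) of what "listening" and "closed" mean in practice and how a port scanner tells them apart: it starts a real listening socket on 127.0.0.1, picks a second port that nothing listens on, and runs a TCP connect scan (the technique behind `nmap -sT`) over both. Only the standard library is used; the loopback host and OS-chosen port numbers are choices made for the example.

```python
import socket
from contextlib import closing
from typing import Iterable, Set, Tuple

HOST = "127.0.0.1"


def listener(host: str = HOST) -> socket.socket:
    """A process 'listening' on a port: bind + listen. Port 0 lets the OS pick a free port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    s.listen(1)
    return s


def free_closed_port(host: str = HOST) -> int:
    """Grab an ephemeral port and release it again, so nothing is listening there."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def scan_ports(host: str, ports: Iterable[int], timeout: float = 0.5) -> Set[int]:
    """TCP connect scan: a completed 3-way handshake means a process is listening
    (open); an immediate refusal means nobody is (closed); a timeout means the
    packet was dropped on the way (filtered), which is also reported as not open."""
    found = set()
    for port in ports:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                found.add(port)
    return found


def demo() -> Tuple[bool, bool]:
    """Returns (open port reported as open?, closed port reported as open?)."""
    srv = listener()
    try:
        open_port = srv.getsockname()[1]
        closed_port = free_closed_port()
        found = scan_ports(HOST, [open_port, closed_port])
        return open_port in found, closed_port in found
    finally:
        srv.close()


if __name__ == "__main__":
    print("scan result (open seen, closed seen):", demo())
```

A firewall that silently drops packets to a port produces the third outcome, a timeout, which is why real scanners distinguish "closed" (RST received) from "filtered" (nothing received) rather than treating both as not open.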
SSL/TLS
SSL/TLS sits on top of the transport layer. When an application wants to send data to the other end point, it first passes the data and the ip address to SSL/TLS. SSL/TLS first 'protects' the data using encryption (confidentiality) and a MAC (authenticity/integrity) and then instructs the transport layer to send the protected data.
Suppose Alice uses LumiNUS to upload a report a.pdf to the LumiNUS server; LumiNUS uses HTTPS (HTTP on top of TLS). Alice's machine carries out the following:
1. The LumiNUS application passes the file a.pdf to https, and then to TLS.
2. TLS protects the data by encryption and MAC.
3. TLS passes the protected data to the transport layer.
LumiNUS's server carries out the following:
1. The transport layer passes the protected data to TLS.
2. TLS decrypts the data and verifies the MAC for integrity.
3. TLS passes the decrypted data to LumiNUS's application.

Scenario 1 —— Attacker @ Physical Layer
An attacker at the physical layer can sniff/spoof messages at that layer. Alice uploads her report in a cafe using free wifi (without WPA protection). → anyone in the cafe has access to the physical lay- er and thus can sniff and spoof messages in that layer.
• The attacker cannot learn Alice's report, as the data is encrypted by TLS → the attacker only sees the encrypted report.
• The attacker can learn that Alice is visiting the LumiNUS website, since only the layers above TLS/SSL are encrypted. The network layer is not encrypted, so the attacker can still see the ip addresses.

WPA2
Wifi Protected Access II (WPA2) is a popular protocol employed in home wifi access points. WPA2 provides protection at layer 2 (Link) and layer 1 (Physical). Not all information in layer 2 is protected: the MAC-addresses in the frame header are still sent in the clear.

Scenario 3 —— Attacker @ physical layer, wifi protected by WPA2
The attacker is at the physical layer and is able to sniff and spoof.
• The attacker cannot learn Alice's report and cannot learn the fact that Alice is visiting the LumiNUS website, since everything above layer 2 is encrypted.
• The attacker is able to determine Alice's MAC-address.

Principle of least privilege and compartmentalization
• The principle of least privilege (PoLP, also known as the principle of minimal privilege or the principle of least authority) requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user, or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.
• Compartmentalization: Generally, it refers to the notion of confining information within compartments.

Firewall
Some nodes contain more sensitive information than others and must be kept more secure; applying available patches to all systems takes time, so these nodes need to be prioritized and shielded in the meantime. Certain protocols have no or only light-weight protection mechanisms. As such, firewalls and intrusion detection systems (IDS) are used to control access to the network.
• A firewall controls what traffic is allowed to enter the network (ingress filtering) or leave the network (egress filtering).
• Firewalls are devices or programs that control the flow of network traffic between networks or hosts that employ differing security policies.
• DMZ: Demilitarized zone. A sub-network that exposes the organization's external services to the (untrusted) Internet.
IPSec
IPSec provides "integrity/authenticity" protection of the ip header (including the ip-addresses), but not confidentiality of the ip-addresses. Hence, attackers are unable to "spoof" the source ip-address, but can learn the source and destination ip-addresses of the sniffed packets.
• IPSec needs to modify the OS (it lives in the kernel's network stack), and is a mechanism whose goal is to protect the IP layer.
• Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used to protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).
• IPsec uses cryptographic security services to protect communications over IP networks. IPsec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection.

Scenario 2 —— Adversary @ Application Layer
The adversary is in the application layer, e.g. malicious javascript injected into LumiNUS and executed in Alice's browser.
• The attacker can learn Alice's report AND can learn Alice's MAC-address. The malicious code runs above TLS, so it sees the report before TLS protects it: a protocol that protects layer k is of no help against an attacker who already sits above layer k.

Firewall's controls are achieved by packet filtering. Filtering may occur in a router, gateway/bridge or host. Packet filtering inspects every single packet, typically only the TCP/IP packet's header information (Network and Transport layer). If the payload is inspected as well, we call it deep packet inspection (DPI). Actions taken after inspection:
• Allow the packet to pass
• Drop the packet
• Reject the packet (drop + inform the sender)
• Log info
• Notify the system admin
• Modify the packet (advanced devices)
Firewall Rules
A firewall enforces a set of rules provided by the network administrator, e.g.
• Egress anti-spoofing: drop outgoing packets whose "source ip-address" is not within the organization's network (to stop spoofed attacks originating from within the network).
• Whitelist: Drop all packets except those specified in the white-list (e.g. drop all except http, email protocols, and DNS).
• Blacklist: Accept all packets except those specified in the black-list (e.g. allow https except from ip-addresses in the blacklist).

Types of Firewalls
NIST's document groups firewalls into 3 types:
1. Packet filters (inspect the packet header)
2. Stateful inspection (keeps per-connection state, and may include deep packet inspection) —— e.g. count the number of connections made in the past hour
3. Proxy (modifies packets)

Access Control
We want to restrict operations on objects by subjects. Access control provides a security perimeter which in turn facilitates segregation of accesses. Such segregation confines and localizes the damage caused by attacks.

Security Perimeter
Access controls set up perimeters/boundaries. With a boundary, malicious activities outside of the boundary would not affect resources within the perimeter, and damage stays within the boundary. Designed by the following principles:
• Principle of least privilege: A camera app shouldn't need access to the contact list to function, so it is better not to grant the camera app access to the contact list. With that, in case the camera app is malicious, confidentiality of the contacts is still preserved.
• Compartmentalization: A school website hosts two services: (1) course fee payment and (2) exam results. With a perimeter between them, the exam result system would remain intact even if an SQL injection attack has been successfully carried out on the fee payment system.
• Compartmentalization: Colonial Pipeline's ransomware attack compromised the IT system that handles the client database. If a proper perimeter had been set up between the IT and OT (Operational Technology) systems, the failure of the client database system should not have affected the OT system that manages the fuel pipeline.
• Defence in depth: A company deploys a firewall separating their server from the DMZ. In addition, activities of the server are logged and regularly inspected. So, even if an attacker is able to sneak in, their activities could be discovered by the monitoring team.
• Segregation of duties: A company keeps a backup copy of the "production" copy. The company implements a policy: a single person must not have access to both the production copy and the backup copy. Assigning different components to different persons is aka Segregation of Duties. The goal is to eliminate single points of failure. With that, a single rogue system admin (insider) is unable to corrupt all the data.

Access Control List
An ACL stores the access rights to an object as a list (one list per object, kept with the object).

Capabilities
A subject is given a list of capabilities, where each capability is the access rights to an object (one list per subject, carried by the subject).

For ACLs, it is difficult to obtain the list of objects a particular subject has access to. Conversely, for capabilities, it is difficult to get the list of subjects who have access to a particular object.

Intermediate Control
It is not practical for an owner to specify every single entry in the access control matrix. Instead, "group" the subjects/objects and define the access rights on the group.
In Unix file permissions, subjects are divided into groups. Unix file permission is a (fixed-size) ACL: for each object, the owner specifies the rights for owner, group, and world (everyone).
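Added example, not the cheatsheet's own code: a header-only packet filter with first-match rules and the allow/drop/reject/log actions listed above, configured once as a whitelist (default drop, plus the egress anti-spoofing rule) and once as a blacklist (default allow). The organisation network 10.0.0.0/8, the blacklisted network 198.51.100.0/24 and the sample packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ORG_NET = ip_network("10.0.0.0/8")   # assumed: the organisation's own address block


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str       # "tcp" or "udp"
    dst_port: int
    direction: str   # "in" (ingress) or "out" (egress)


@dataclass(frozen=True)
class Rule:
    """A header-only filter rule; fields left as None match anything."""
    action: str                        # "allow" | "drop" | "reject"
    direction: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    src_net: Optional[object] = None   # an ipaddress network object
    src_outside: bool = False          # True: match when src is NOT in src_net

    def matches(self, p: Packet) -> bool:
        if self.direction is not None and p.direction != self.direction:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        if self.src_net is not None:
            inside = ip_address(p.src_ip) in self.src_net
            if inside == self.src_outside:   # wanted inside but got outside, or vice versa
                return False
        return True


class Firewall:
    """First matching rule wins; `default` applies when nothing matches.
    Every decision is logged (the "log info" action from the list above)."""

    def __init__(self, rules: List[Rule], default: str):
        self.rules, self.default, self.log = rules, default, []

    def filter(self, p: Packet) -> str:
        verdict = next((r.action for r in self.rules if r.matches(p)), self.default)
        self.log.append((verdict, p))
        return verdict


# Whitelist: drop everything except http, https, email (smtp) and DNS.
# The first rule is the egress anti-spoofing rule: an outgoing packet whose
# source address is not one of ours cannot be legitimate.
WHITELIST = Firewall([
    Rule("drop", direction="out", src_net=ORG_NET, src_outside=True),
    Rule("allow", proto="tcp", dst_port=80),
    Rule("allow", proto="tcp", dst_port=443),
    Rule("allow", proto="tcp", dst_port=25),
    Rule("allow", proto="udp", dst_port=53),
], default="drop")

# Blacklist: allow everything except https from a listed (constructed) network,
# which is rejected (dropped, and the sender told so).
BLACKLIST = Firewall([
    Rule("reject", proto="tcp", dst_port=443, src_net=ip_network("198.51.100.0/24")),
], default="allow")


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.5", "10.0.0.7", "tcp", 443, "in"),     # https from outside
        Packet("203.0.113.5", "10.0.0.7", "tcp", 23, "in"),      # telnet from outside
        Packet("192.0.2.9", "203.0.113.5", "udp", 53, "out"),    # spoofed source leaving
        Packet("198.51.100.3", "10.0.0.7", "tcp", 443, "in"),    # https from listed net
    ]
    for name, fw in (("whitelist", WHITELIST), ("blacklist", BLACKLIST)):
        for p in samples:
            print(f"{name:9} {fw.filter(p):6} {p}")
```

Rule order matters under first-match: putting the anti-spoofing drop after the generic allows would let a spoofed DNS packet out on port 53. A stateful firewall (type 2 above) would additionally remember that the inbound https connection was opened from inside before allowing its replies.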
Terminologies
A principal (or subject) wants to access an object with some operation. The reference monitor either grants or denies the access. Principal → Do operation → Reference Monitor → Object
• Principals vs Subjects: Principals are human users; subjects are entities in the system operating on behalf of principals.
• Accesses to objects can be:
  – Observe: read the file
  – Alter: writing/deleting or changing file properties
  – Action: executing a program

Role-based access control
Grouping can be determined by the role of the subject. A role is associated with a collection of procedures; in order to carry them out, access rights to certain objects are required.

Privileges
We sometimes use the term privilege to describe the access right. Privilege can also be viewed as an intermediate control. It can be represented by a number, e.g. 1, 2, 3: if a subject can access an object, another subject with higher privilege can also access the object. (Can be viewed as a ladder: what p2 can access is a subset of what p3 can access.)

Intrusion Detection System
An IDS consists of a set of "sensors" that gather data. Sensors could be in the host, or in a network router. The data are analyzed for intrusion. Three types of IDS:
• Attack signature detection: The attack has a specific, well-defined signature, e.g. using a certain port number or a certain source ip address.
• Anomaly detection: The IDS attempts to detect abnormal patterns, e.g. a sudden surge of packets with a certain port number.
• Behavior-based IDS: Can be viewed as a type of anomaly detection that focuses on human behavior. For e.g., the system might keep a profile of each user, then try to detect any user who deviates from the profile (e.g. starts to download large files).
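Added example of the first two IDS types above over constructed flow records (not code from the cheatsheet): a signature check against a known-bad source address and port, and an anomaly check that flags a destination port whose per-minute packet count jumps far above its own history. The record format `<seconds> <src ip> <dst port>`, the thresholds and all addresses are assumptions.

```python
from collections import Counter, defaultdict
from typing import List, Tuple

# Constructed flow records: "<epoch seconds> <src ip> <dst port>". Two minutes of
# ordinary web traffic, then a surge of packets to port 3389 in the third minute,
# plus one packet from an address that is on a (constructed) signature list.
def build_sample_log() -> List[str]:
    lines = []
    for window in range(3):                    # three 60-second windows
        base = window * 60
        for i in range(6):                     # steady web traffic every window
            lines.append(f"{base + i * 10} 203.0.113.{i + 1} 443")
            lines.append(f"{base + i * 10 + 5} 203.0.113.{i + 1} 80")
    for i in range(40):                        # surge in the last window
        lines.append(f"{120 + i} 198.51.100.{i + 1} 3389")
    lines.append("130 192.0.2.66 443")         # known-bad source
    return lines


SIGNATURES = {"bad_src": {"192.0.2.66"}, "bad_port": {23}}   # assumed signature list


def parse(line: str) -> Tuple[int, str, int]:
    ts, src, port = line.split()
    return int(ts), src, int(port)


def signature_alerts(lines: List[str]) -> List[Tuple[int, str, int]]:
    """Signature detection: match each record against fixed indicators."""
    alerts = []
    for ts, src, port in map(parse, lines):
        if src in SIGNATURES["bad_src"] or port in SIGNATURES["bad_port"]:
            alerts.append((ts, src, port))
    return alerts


def anomaly_alerts(lines: List[str], window: int = 60,
                   factor: float = 5.0, floor: int = 10) -> List[Tuple[int, int, int]]:
    """Anomaly detection: count packets per destination port per window and alert
    when a window's count is at least `floor` and exceeds `factor` times the mean
    of that port's earlier windows (a port never seen before has a mean of 0)."""
    counts = defaultdict(Counter)
    for ts, _, port in map(parse, lines):
        counts[ts // window][port] += 1
    history = defaultdict(list)
    alerts = []
    for w in sorted(counts):
        for port, n in counts[w].items():
            prev = history[port]
            baseline = sum(prev) / len(prev) if prev else 0.0
            if n >= floor and n > factor * baseline:
                alerts.append((w, port, n))
            prev.append(n)
    return alerts


if __name__ == "__main__":
    log = build_sample_log()
    print("signature:", signature_alerts(log))
    print("anomaly  :", anomaly_alerts(log))
```

The `floor` keeps a port that has never been seen from alerting on its first handful of packets; without it every new service would trip the "infinite" jump from a zero baseline, which is the usual source of false positives in this kind of detector.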
Management
• Management is needed in order to monitor and adjust network characteristics.
• Security Operations Center (SOC): a centralized unit in an organization that monitors the IT systems and deals with security issues.
• Security Information and Event Management (SIEM): Pronounced "SIM". Approaches and tools for the SOC. Popular systems: Splunk (https://www.splunk.com/), ELK Stack (Elasticsearch, Logstash and Kibana; open source).

Terminologies (cont.)
• Owner: Who decides the access rights to an object?
  – Discretionary AC: the object's owner decides the rights.
  – Mandatory AC: a system-wide policy decides; strict rules that everyone follows.

Access Control Matrix
Specifies the access rights of a particular principal to a particular object. r: read, w: write, x: execute, s: execute as owner, o: owner
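Added example (not from the cheatsheet) tying the access-control sections together: a matrix whose rows may be subjects or groups (the "intermediate control" from above) is expanded into a full access control matrix, then viewed as ACLs (per object) and as capability lists (per subject), and the two questions that are cheap in one view and expensive in the other are answered in both. Subjects, groups, objects and rights are constructed; the right letters r, w, x, o are the page's.

```python
from typing import Dict, List, Tuple

GROUPS = {"staff": ["alice", "bob"], "students": ["carol"]}   # constructed

# Rows may name a subject or a group; rights use the page's letters.
MATRIX = {
    "alice":    {"report.pdf": "rwo"},
    "staff":    {"report.pdf": "r", "grades.db": "r"},
    "students": {"report.pdf": "r"},
    "carol":    {"notes.txt": "rw"},
}


def expand_groups(matrix, groups) -> Dict[str, Dict[str, str]]:
    """Flatten group rows into one row per subject: the full access control matrix.
    A subject named directly and via a group gets the union of both."""
    acm: Dict[str, Dict[str, str]] = {}
    for row, objs in matrix.items():
        for subject in groups.get(row, [row]):
            for obj, rights in objs.items():
                have = acm.setdefault(subject, {}).get(obj, "")
                acm[subject][obj] = "".join(sorted(set(have) | set(rights)))
    return acm


def to_acl(acm) -> Dict[str, Dict[str, str]]:
    """ACL view: one list per object (object -> subject -> rights)."""
    acl: Dict[str, Dict[str, str]] = {}
    for subject, objs in acm.items():
        for obj, rights in objs.items():
            acl.setdefault(obj, {})[subject] = rights
    return acl


def to_capabilities(acm) -> Dict[str, Dict[str, str]]:
    """Capability view: one list per subject (subject -> object -> rights)."""
    return {subject: dict(objs) for subject, objs in acm.items()}


def who_can(acl, obj: str, right: str) -> List[str]:
    # cheap with an ACL: read a single object's list
    return sorted(s for s, rights in acl.get(obj, {}).items() if right in rights)


def what_can(caps, subject: str, right: str) -> List[str]:
    # cheap with capabilities: read a single subject's list
    return sorted(o for o, rights in caps.get(subject, {}).items() if right in rights)


def who_can_via_caps(caps, obj: str, right: str) -> Tuple[List[str], int]:
    """The awkward query for capabilities: every subject's list must be scanned.
    Returns the answer and how many subjects were examined to get it."""
    hits, scanned = [], 0
    for subject, objs in caps.items():
        scanned += 1
        if right in objs.get(obj, ""):
            hits.append(subject)
    return sorted(hits), scanned


ACM = expand_groups(MATRIX, GROUPS)
ACL = to_acl(ACM)
CAPS = to_capabilities(ACM)

if __name__ == "__main__":
    print("who can read report.pdf (ACL):", who_can(ACL, "report.pdf", "r"))
    print("what can carol read (caps):", what_can(CAPS, "carol", "r"))
    print("who can read grades.db via caps:", who_can_via_caps(CAPS, "grades.db", "r"))
```

Revoking bob's access to grades.db is one deletion in the ACL view but requires finding and editing bob's capability list; with capabilities that are handed out as unforgeable tokens rather than kept in a central table, revocation is the genuinely hard problem.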
Protection Rings
In an OS, "privilege" is often called protection rings: the same idea under a different name. Here, each object (data) and subject (process) is assigned a number. Whether a subject can access an object is determined by their respective assigned numbers. Objects with a smaller number are more important. If a process is assigned a number i, we say that the process runs in ring i. We call processes with a lower ring number as having "higher privilege". A subject cannot access (neither read nor write) an object with a smaller ring number.

Bridges with Elevated Privilege (with controlled escalation)
• The programmer who writes the application bears the responsibility of making sure that the application only performs the intended, limited operations. In other words, the user stays within the planned boundary when using the application.

Unix File System
• Principals are user-identities (UIDs) and group-identities (GIDs).
• Information about user accounts is stored in the "password" file /etc/passwd.
  – The file is made world-readable because some information in /etc/passwd is needed by non-root programs. In earlier versions of Unix, the "*" field in the file was the hashed password H(pw), where H() is some cryptographic hash and pw the password of the user. Hence, previously all users could see the hashed passwords of others.
• superuser (root): A special user is the superuser, with UID 0 and usually with the username root. All security checks are turned off for root.

Checking for file access
The objects are files. Recall that each file is associated with a 9-bit permission. Each file is owned by a user, and a group. The owner of a file, or the superuser, can change the permission bits.
• If the user is the owner, the permission bits for owner decide the access rights.
• If the user is not the owner, but the user's group (GID) owns the file, the permission bits for group decide the access rights.
• If the user is neither the owner nor a member of the group that owns the file, then the permission bits for other decide.

Bridges with Elevated Privilege (cont.)
• If the "bridge" is not implemented correctly and contains exploitable vulnerabilities, an attacker can trick the bridge into performing "illegal" operations not expected by the programmer/designer. This has serious implications, since the process is running with "elevated privilege".
• Known as privilege escalation.

Bell-LaPadula Model —— data confidentiality
The following restrictions are imposed by the model:
• No read up: A subject does not have read access to objects at a higher level. This prevents a lower level from getting info from a higher level.
• No write down: A subject does not have append/write access to objects at a lower level. This prevents a malicious insider from passing information to lower levels (e.g. a clerk working in the highly classified department is forbidden to gossip with other staff).
• For "Confidentiality". (A subject can append to objects at a higher security level. Is it possible that, by appending to an object, one could distort its original content? Yes. See e.g. the TLS renegotiation attack.)

Biba Model —— process integrity
The following restrictions are imposed by the model:
• No write up: A subject does not have "write" access to objects at a higher level. This prevents a malicious subject from poisoning upper level data, and thus ensures that a process will not get compromised by lower level subjects.
• No read down: A subject does not have read access to objects at a lower level. This prevents a subject from reading data poisoned by lower level subjects.
• For "Integrity". If a model imposes both Biba and Bell-LaPadula, subjects can only read/write objects at their own level (not practical).
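Added example, not the cheatsheet's: a reference monitor that evaluates the four rules above, with levels as a ladder of integers, and a helper listing which object levels a "secret" subject may read or write under Bell-LaPadula, under Biba, and under both at once (which collapses to the subject's own level, as noted above). The level names are constructed.

```python
from typing import Callable, List

# Security levels, lowest to highest (constructed labels).
LEVELS = ["unclassified", "confidential", "secret", "top-secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}

Policy = Callable[[str, int, int], bool]   # (op, subject_level, object_level) -> allowed?


def bell_lapadula(op: str, subj: int, obj: int) -> bool:
    """Confidentiality: no read up, no write down."""
    if op == "read":
        return subj >= obj
    if op == "write":
        return subj <= obj
    raise ValueError(op)


def biba(op: str, subj: int, obj: int) -> bool:
    """Integrity: no read down, no write up (the dual of Bell-LaPadula)."""
    if op == "read":
        return subj <= obj
    if op == "write":
        return subj >= obj
    raise ValueError(op)


class ReferenceMonitor:
    """Grants an access only if every configured policy allows it."""

    def __init__(self, *policies: Policy):
        self.policies = policies

    def check(self, op: str, subject_level: str, object_level: str) -> bool:
        s, o = RANK[subject_level], RANK[object_level]
        return all(p(op, s, o) for p in self.policies)


def reachable(monitor: ReferenceMonitor, subject_level: str, op: str) -> List[str]:
    """Object levels a subject at `subject_level` may `op` under the monitor."""
    return [lvl for lvl in LEVELS if monitor.check(op, subject_level, lvl)]


if __name__ == "__main__":
    for name, mon in (("BLP", ReferenceMonitor(bell_lapadula)),
                      ("Biba", ReferenceMonitor(biba)),
                      ("both", ReferenceMonitor(bell_lapadula, biba))):
        print(f"{name:5} secret subject reads {reachable(mon, 'secret', 'read')}, "
              f"writes {reachable(mon, 'secret', 'write')}")
```

The gossiping clerk from the Bell-LaPadula bullet is `check("write", "secret", "unclassified")`, which the monitor denies; the same call is allowed under Biba alone, which is exactly why the two models protect different properties.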
Controlled Invocation & privilege elevation
Some sensitive resources (such as network ports 0 to 1023, the printer, or a sensitive file F) should be accessible only by the superuser. However, users sometimes need those resources.
• The system provides a predefined set of applications that have access to F.
• These applications are granted "elevated privilege" so that they can freely access the file, and any user can invoke the application. Now, any user can access F via the application, and only via the application.

Controlled Invocation in Unix
A process has an identification (PID). A new process can be created by executing a file or by "forking" an existing process, and is associated with a Real UID and an Effective UID.
• Real UID: inherited from the user who invokes the process. For e.g., if the user is alice, then the real UID is alice.
• Effective UID: Processes can be created by executing a file. Each executable file has a SUID flag.
  – If Set User ID (SUID) is disabled (the owner's execute permission is displayed as "x"), then the process' effective UID is the same as the real UID.
  – If Set User ID (SUID) is enabled (the owner's execute permission is displayed as "s"), then the process' effective UID is inherited from the UID of the file's owner.
• When a process wants to access a file, the effective UID of the process is treated as the "subject" and checked against the file permission to decide if access is granted or denied.

Need temp access to a root file
• Create an executable file editprofile owned by root:
  -r-sr-xr-x 1 root staff 6 Mar 18 08:00 editprofile
• The program is made world-executable so that any user can execute it.
• Furthermore, the SUID bit is set ("s"): when it is executed, its effective UID will be root.
• Now, if alice executes the file, the process' real UID is alice, but its effective UID is root. Following the checking rule, this process can now read/write the root-owned file employee.txt.

Elevated Privilege
• In this example, the process editprofile is temporarily elevated to superuser (i.e. root), so that it can access sensitive data. We can view the elevated process as the interface through which a user accesses the "sensitive" information.
  – They are the predefined "bridges" for the user to access data.
  – The "bridge" can only be built by root (only root can create a root-owned SUID executable).
• These bridges solve the problem. However, it is important that these "bridges" are correctly implemented and do not leak more than required.
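Added example (not code from the cheatsheet) of the checking rule and the SUID mechanism just described: the permission bits of editprofile (-r-sr-xr-x, owner root, group staff) and of a root-only employee.txt are modelled, and alice's process is shown to get write access to employee.txt only when it was started from the SUID binary. The numeric UID/GID values and employee.txt's mode 0600 are assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet

ROOT_UID = 0
SUID_BIT = 0o4000


@dataclass(frozen=True)
class File:
    name: str
    owner: int    # UID
    group: int    # GID
    mode: int     # SUID bit + the 9 permission bits, e.g. 0o4555


@dataclass(frozen=True)
class User:
    uid: int
    gids: FrozenSet[int]


@dataclass(frozen=True)
class Process:
    ruid: int     # real UID: who invoked it
    euid: int     # effective UID: the "subject" used for permission checks


def permitted(f: File, euid: int, gids: FrozenSet[int], want: str) -> bool:
    """The checking rule above: owner bits if euid owns the file, else group bits
    if one of the caller's groups owns it, else the bits for other. The first
    matching class decides; a later class is never consulted. want is 'r', 'w' or 'x'."""
    if euid == ROOT_UID:
        return True                        # all security checks are off for root
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if euid == f.owner:
        shift = 6
    elif f.group in gids:
        shift = 3
    else:
        shift = 0
    return bool((f.mode >> shift) & bit)


def execute(user: User, f: File) -> Process:
    """Create a process from an executable: real UID from the invoking user,
    effective UID from the file's owner only if the SUID bit is set."""
    if not permitted(f, user.uid, user.gids, "x"):
        raise PermissionError(f"uid {user.uid} may not execute {f.name}")
    euid = f.owner if f.mode & SUID_BIT else user.uid
    return Process(ruid=user.uid, euid=euid)


def ls_mode(f: File) -> str:
    """Render the mode the way ls -l does; 's' replaces the owner's 'x' when SUID is set."""
    out = ""
    for shift in (6, 3, 0):
        bits = (f.mode >> shift) & 7
        out += ("r" if bits & 4 else "-") + ("w" if bits & 2 else "-") + ("x" if bits & 1 else "-")
    if f.mode & SUID_BIT:
        out = out[:2] + ("s" if out[2] == "x" else "S") + out[3:]
    return "-" + out


# Constructed setup matching the example above. Numeric ids are assumptions:
# alice = 1000, staff = 50. employee.txt is readable/writable by root only.
STAFF_GID = 50
ALICE = User(uid=1000, gids=frozenset({1000, STAFF_GID}))
EDITPROFILE = File("editprofile", owner=ROOT_UID, group=STAFF_GID, mode=SUID_BIT | 0o555)
PLAIN_EDITOR = File("editprofile-nosuid", owner=ROOT_UID, group=STAFF_GID, mode=0o555)
EMPLOYEE = File("employee.txt", owner=ROOT_UID, group=ROOT_UID, mode=0o600)


def can_write_employee(user: User, via: File) -> bool:
    """Run `via` as `user` and ask whether the resulting process may write employee.txt."""
    proc = execute(user, via)
    return permitted(EMPLOYEE, proc.euid, user.gids, "w")


if __name__ == "__main__":
    print(ls_mode(EDITPROFILE), "editprofile")
    print("alice directly   :", permitted(EMPLOYEE, ALICE.uid, ALICE.gids, "w"))
    print("via SUID bridge  :", can_write_employee(ALICE, EDITPROFILE))
    print("via plain binary :", can_write_employee(ALICE, PLAIN_EDITOR))
```

Because `permitted` never looks past the first matching class, a file with mode 0o075 denies its own owner while granting everyone else, a quirk of the real rule that catches people who assume the classes are cumulative. The bridge's safety rests entirely on what editprofile does with its root effective UID, which is the point of the privilege escalation bullet above.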