Security architecture & engineering: introduction
Suman Jana, Columbia University
*some slides are borrowed from Vitaly Shmatikov and Ari Juels
Course goals
• Understand the fundamental principles of security
– What are the common security mechanisms? Why do they often go wrong?
– What are the underlying principles behind building secure systems?
– Why is building secure systems hard?
Logistics
• No textbook, but assigned readings from different sources
• Grading
– Six programming assignments (54%)
– Midterm (20%)
– Non-cumulative final (20%)
– Class participation (6%)
• Class webpage: http://sumanj.info/security_arch.html
The art of adversarial thinking
What's adversarial thinking?
"Security requires a particular mindset. Security professionals -- at least the good ones -- see the world differently. They can't walk into a store without noticing how they might shoplift. They can't use a computer without wondering about the security vulnerabilities. They can't vote without trying to figure out how to vote twice. They just can't help it."
- Bruce Schneier
Adversarial thinking disclaimer
Hopefully, you will learn to think like a criminal mastermind but behave like a gentleman/woman!
Adversarial thinking: key questions
• Security goal: what security policy to enforce?
• Threat model: who is the adversary? What actions can the adversary perform?
• Mechanisms: what security mechanisms can be used to achieve the security goals given the adversarial model?
Key security goals
• Confidentiality: data is not leaked
• Integrity: data is not modified
• Availability: data is accessible when needed
• Authenticity: data origin cannot be spoofed
You can apply adversarial thinking anywhere
• Columbia ID cards
– Can you fake an ID card?
• ATM machine
– How does the service person get access to refill it with cash?
• MTA MetroCard
– Can you increase the card balance without paying?
Example: air travel
Print boarding pass at home → ID check by TSA → Boarding pass check at the gate
Adversarial thinking example: air travel
• Security goal: ensure that each person getting inside an airport has a valid boarding pass and is authorized to fly (i.e., is not on the no-fly list)
• Mechanisms
– TSA checks the validity of the ID (e.g., driver's license) and of the boarding pass. How?
– TSA matches the name in the ID against the name in the boarding pass
– TSA ensures that the name is not on the no-fly list
– Gate agent checks whether the boarding pass is valid and has been checked by TSA. How?
Can an attacker who is on the no-fly list fly?
What is the threat model?
• Can an attacker create a fake boarding pass?
• Can an attacker fake a driver's license?
Security under different threat models
• Security goal: ensure that each person getting inside an airport has a valid boarding pass and is authorized to fly (i.e., is not on the no-fly list)
– What are the minimum requirements for someone to violate this goal in the current TSA system?
– Under which threat models is the current TSA system secure?
Not all threat models are equal
• Which one is harder, and why?
– Creating a fake boarding pass
– Creating a fake driver's license
Security measures in a driver's license?
Security measures in a boarding pass?
Can the barcode be faked?
Air travel revisited: a different security goal
Print boarding pass at home → ID check by TSA → Boarding pass check at the gate
Security goal: everybody boarding an aircraft must pass through the TSA security check
Everybody must go through TSA checks
• How does the current TSA system ensure this?
• What is an example threat model where this goal can be violated by an attacker?
Yet another security goal
• Only authorized travelers should be allowed to enter premium lounges
– How will the receptionist at the lounge know who is authorized?
What is the threat model for this attack?
How will you fix it?
What about TSA Pre-Check?
• How does TSA Pre-Check work?
– Passengers apply for Pre-Check
– TSA randomly decides whether the passenger is eligible for Pre-Check or not and sends the information back to the airline
– The airline encodes that information in a barcode that is on the issued boarding pass
Hacking TSA Pre-Check
• In the barcode, 1 means no Pre-Check and 3 means Pre-Check
• No encryption: the barcode is plain text, so anyone with a scanner can read the digit, and nothing in the barcode stops it from being rewritten
Source: https://puckinflight.wordpress.com/2012/10/19/security-flaws-in-the-tsa-pre-check-system-and-the-boarding-pass-check-system/
Unintended side-effects of the boarding-pass design
• What happens if someone else gets hold of your boarding pass?
• All this information is in the boarding pass in cleartext
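The barcode in the two slides above is plain text, so the screening digit and the passenger's booking details can be read by anyone holding the pass and, since nothing authenticates the contents, changed. The Python below is an added example written for these slides, not code from the course or from the linked blog post: it decodes a BCBP-style payload, shows the cleartext fields a stranger would learn (name, record locator, frequent-flyer number), flips the Pre-Check digit, and then shows how an issuer-side MAC over the payload turns the same edit into a verification failure. Field widths follow the public IATA BCBP layout as I read it (60 mandatory characters, then a '>' conditional section whose sub-blocks carry their own hex lengths); the positions of the screening indicator and frequent-flyer number inside the per-leg block, the '9' security-type code, the key and the sample pass are all assumptions made for this example.

```python
"""Decode a BCBP-style boarding-pass barcode payload, read the screening
digit, flip it (nothing in the payload detects the change), and add an
issuer MAC that would.  Added example, not course code; field widths follow
the public IATA BCBP layout as the author reads it (offsets inside the
conditional block are assumptions) and the sample pass is constructed."""
import hashlib
import hmac

# Mandatory items of the first leg, in order, fixed widths (sum = 60).
MANDATORY_ITEMS = [
    ("format_code", 1), ("legs", 1), ("name", 20), ("eticket", 1),
    ("pnr", 7),        # record locator: enough to manage the booking online
    ("origin", 3), ("destination", 3), ("carrier", 3), ("flight", 5),
    ("julian_date", 3), ("compartment", 1), ("seat", 4), ("sequence", 5),
    ("passenger_status", 1),
    ("cond_size", 2),  # hex length of the conditional section that follows
]
MANDATORY_LEN = sum(width for _, width in MANDATORY_ITEMS)

# ASSUMPTION: inside the per-leg conditional block, airline numeric code (3)
# and document serial (10) precede the 1-char screening ("selectee") digit
# the slide describes; the 16-char frequent-flyer number follows 1+1+3+3 more.
SELECTEE_AT = 3 + 10
FF_AT, FF_LEN = SELECTEE_AT + 1 + 1 + 3 + 3, 16
SECURITY_TYPE = "9"  # ASSUMPTION: illustrative type code for the '^' block


def _fixed(value, width):
    """Left-justify a value into a fixed-width field; refuse overflow."""
    if len(value) > width:
        raise ValueError(f"{value!r} does not fit in {width} characters")
    return value.ljust(width)


def build_sample_payload(selectee="1"):
    """Constructed sample pass for DOE/JANE, JFK->LAX (not a real barcode)."""
    unique = "".join(["0", "W", "W", "6032", "B", _fixed("UA", 3), " " * 13])
    repeated = "".join(["016", "1234567890", _fixed(selectee, 1), "0",
                        _fixed("UA", 3), _fixed("UA", 3),
                        _fixed("UA87654321", FF_LEN), " ", " " * 3, "N"])
    conditional = f">5{len(unique):02X}{unique}{len(repeated):02X}{repeated}"
    mandatory = "".join(["M", "1", _fixed("DOE/JANE", 20), "E",
                         _fixed("ABC1234", 7), "JFK", "LAX", _fixed("UA", 3),
                         _fixed("0123", 5), "032", "Y", "012A",
                         _fixed("0042", 5), "1", f"{len(conditional):02X}"])
    assert len(mandatory) == MANDATORY_LEN
    return mandatory + conditional


def parse_bcbp(payload):
    """Mandatory fields plus the screening digit, its offset and the FF number.
    Anything after the conditional section (e.g. a security block) is ignored."""
    if len(payload) < MANDATORY_LEN:
        raise ValueError("payload shorter than the mandatory section")
    fields, pos = {}, 0
    for name, width in MANDATORY_ITEMS:
        fields[name] = payload[pos:pos + width]
        pos += width
    if fields["format_code"] != "M":
        raise ValueError(f"unsupported format code {fields['format_code']!r}")
    cond_len = int(fields["cond_size"], 16)
    cond = payload[pos:pos + cond_len]
    if len(cond) != cond_len or not cond.startswith(">"):
        raise ValueError("malformed conditional section")
    p = 2                                # skip '>' and the version digit
    p += 2 + int(cond[p:p + 2], 16)      # skip the per-pass 'unique' block
    repeated = cond[p + 2:p + 2 + int(cond[p:p + 2], 16)]
    p += 2                               # p now indexes the repeated block
    fields["name"] = fields["name"].strip()
    fields["selectee_offset"] = pos + p + SELECTEE_AT  # absolute index in payload
    fields["selectee"] = repeated[SELECTEE_AT] if len(repeated) > SELECTEE_AT else ""
    fields["frequent_flyer"] = repeated[FF_AT:FF_AT + FF_LEN].strip()
    return fields


def screening_level(fields):
    """The digit as the slide reads it: '1' = standard, '3' = TSA Pre-Check."""
    return {"1": "standard screening", "3": "TSA Pre-Check"}.get(fields["selectee"], "unknown")


def forge_precheck(payload):
    """Attack: overwrite the screening digit with '3'.  The result parses
    exactly like a genuine pass because nothing authenticates the contents."""
    i = parse_bcbp(payload)["selectee_offset"]
    return payload[:i] + "3" + payload[i + 1:]


def sign_payload(payload, key):
    """Issuer side: append a '^' security block with an HMAC-SHA256 tag over the
    payload.  A keyed MAC stands in for the issuer signature a real deployment
    would use; with a MAC the checkpoint must share the key."""
    tag = hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{payload}^{SECURITY_TYPE}{len(tag):02X}{tag}"


def verify_signed(signed, key):
    """Checkpoint side: (ok, payload); ok is False when the block is missing or
    malformed or the tag does not match the payload in front of it."""
    payload, sep, sec = signed.rpartition("^")
    if not sep or len(sec) < 3:
        return False, signed
    try:
        tag = sec[3:3 + int(sec[1:3], 16)]
    except ValueError:
        return False, payload
    expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected), payload


if __name__ == "__main__":
    key = b"issuer-demo-key"             # constructed; real keys are secrets
    original = build_sample_payload()
    f = parse_bcbp(original)
    print(f"{f['name']} {f['origin']}->{f['destination']} PNR={f['pnr']} "
          f"FF={f['frequent_flyer']} screening={screening_level(f)}")
    print("forged pass screening:", screening_level(parse_bcbp(forge_precheck(original))))
    signed = sign_payload(original, key)
    print("signed verifies:", verify_signed(signed, key)[0])
    print("forged+signed verifies:", verify_signed(forge_precheck(signed), key)[0])
```

Run it and compare the last two lines: the forged payload parses identically to the original, which is the whole problem; only the checkpoint-side MAC check notices the edit. A MAC requires the checkpoint to hold the issuer's key, so a deployment would use a signature the scanner can verify with a public key, but the shape of the check is the same: verify the tag over the exact bytes before trusting any field in them.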
A different setting: money
• Counting tokens must be kept in a safe place to prevent tampering
– In a temple, or in clay envelopes on shipping routes
• How to make counting tokens completely portable for trade?
A different setting: money
• Security goals
– Tokens can only be created by a trusted authority
– Authenticity of tokens should be easily verifiable by anyone
• Threat model
– Attackers can forge or modify tokens
• Clay tokens can be easily forged!
A different setting: money
• Coins were introduced around the 6th/7th century BCE
– Make tokens out of scarce resources (gold and silver)
– Apply a signature that is hard to copy (depends on the skills of the engravers)
– Harsh penalties for forgers
Modern crypto-currencies
• Same principles!
– Scarce resource: computation
– Hard-to-forge data: cryptography
– We will talk about Bitcoin later in the class
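A hashcash-style proof-of-work puzzle makes the analogy on this slide concrete: computation plays the role of the scarce metal, the hash plays the role of the engraving, minting a token costs about 2^d hash evaluations, and anyone can verify one with a single hash and no secret, which is the "easily verifiable by anyone" goal from the money slides. This is an added illustration, not course material; Bitcoin's mining applies the same idea with its own hash construction and difficulty encoding, and the token text below is constructed.

```python
"""Hashcash-style proof of work: computation as the scarce resource, a hash
as the hard-to-forge stamp.  Added illustration, not course code."""
import hashlib


def _stamp(token, nonce):
    """SHA-256 of the token bound to a nonce; the token is arbitrary text."""
    return hashlib.sha256(f"{token}:{nonce}".encode("utf-8")).digest()


def leading_zero_bits(digest):
    """Number of leading zero bits in a byte string."""
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits


def mint(token, difficulty_bits):
    """Creating a token is expensive: scan nonces until the stamp has at least
    difficulty_bits leading zeros, about 2**difficulty_bits hashes on average.
    Returns (nonce, attempts)."""
    nonce = 0
    while leading_zero_bits(_stamp(token, nonce)) < difficulty_bits:
        nonce += 1
    return nonce, nonce + 1


def verify(token, nonce, difficulty_bits):
    """Checking a token is cheap and needs no secret: recompute one hash.
    A forged or altered token does not inherit the proof."""
    return leading_zero_bits(_stamp(token, nonce)) >= difficulty_bits


if __name__ == "__main__":
    token = "coin#0001 minted for Alice"        # constructed sample token
    nonce, attempts = mint(token, 16)
    print(f"nonce={nonce} after {attempts} hashes; valid={verify(token, nonce, 16)}")
    print("altered token valid:", verify(token.replace("Alice", "Mallory"), nonce, 16))
```

Raising the difficulty by one bit doubles the expected minting cost while verification stays one hash; that asymmetry, not secrecy, is what makes the token hard to forge.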
Who is the adversary? Depends on who you are
Hackers
• Evgeniy Mikhailovich Bogachev
– GameOver Zeus botnet: banking fraud and ransomware distribution
Chinese government
• Censorship of materials critical of the current regime
• Monitoring dissidents
National Security Agency (NSA)