Objectives
Get a non-product-specific perspective on
security in IT
Demystify the commonly used terminology –
know your RC2 from AES
Bring together various aspects of security into
an integrated whole
Make some simple recommendations
Agenda
Defining Integrated Security (level 200)
Some Techniques for Securing IT (level 250)
Recommendations (level 200)
Printed/online slides include a section that covers
security risk analysis process – they are self-explanatory
(7 easy slides – please read at your leisure)
Warning: this is a fast and furious A-to-Z type of a session. Attend at your own risk.
Defining Security
Security
Definition (Cambridge Dictionary of English)
Ability to avoid being harmed by any risk, danger or
threat
…therefore, in practice, an impossible goal
What can we do then?
Be as secure as needed
Ability to avoid being harmed too much by
reasonably predictable risks, dangers or threats
(Rafal’s Definition)
Assets
What are we securing?
Data
Services (i.e. business etc. applications or their
individually accessible parts)
This session is not about securing:
People (sorry), cables, carpets, typewriters and
computers (?!)
Indeed: we (IT people) will secure the data on the
computer or services it offers and we will often
request that a PC should be locked up with an armed
guard but how this is done is not really our business
Sometimes known as physical security
Digital Security as Extension of
Physical Security of Key Assets
Strong Physical Security of KA + Strong Digital Security = Good Security Everywhere
Weak Physical Security of KA + Strong Digital Security = Insecure Environment
Strong Physical Security of KA + Weak Digital Security = Insecure Environment
Aspects of Security
Confidentiality
◄ Your data/service provides no useful information to
unauthorised people
Integrity
◄ If anyone tampers with your asset it will be immediately
evident
Authenticity
◄ We can verify that asset is attributable to its authors or
caretakers
Non-repudiation
◄ The author or owner or caretaker of asset cannot deny that
they are associated with it
Identity
◄ We can verify who is the specific individual entity
associated with your asset
Additional Aspects of Data
and Service Security
Authorisation
◄ It is clear what actions are permitted with respect to your
asset
Loss
◄ Asset is irrecoverably lost (or the cost of recovery is too
high)
Denial of access (aka denial of service)
◄ Access to asset is temporarily impossible
“Static” cryptography is useful but not sufficient:
Backups etc. needed
Behaviour (pattern) of access analysis needed
Cryptography
Using really hard mathematics to implement most of the
security aspects mentioned earlier
“Static”
Cannot detect or prevent problems arising from a
pattern of behaviour
Relies on physical security of Key Assets (such as
master private keys etc.)
Strength changes with time, depending on the power of
computers and developments in cryptanalysis
Behaviour (Pattern)
Analysis
Prohibits reaching an asset if history of access is out-of-pattern, e.g.:
Password lock-out after N unsuccessful attempts
Blocking packets at a router if too many come from a given
source
Stopping a user from seeing more than N records in a
database per day
Time-out of an idle secure session
“Active”
Cannot prevent unauthorised use of asset – still need
crypto
Can prevent legitimate access – need easy and secure
“unlock” mechanisms
Strength varies with sophistication of known attacks
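The lock-out rule from this slide, as an added example that is not part of the original deck: a sliding-window failure counter with a timed automatic unlock, run over constructed login events. The thresholds (3 failures, 60 s window, 300 s lock) and the event format are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

MAX_FAILURES = 3   # assumed N: failures tolerated inside the window
WINDOW = 60        # assumed: seconds over which failures are counted
LOCKOUT = 300      # assumed: seconds until the account unlocks by itself

# Constructed sample events: (timestamp in seconds, account, password correct?)
EVENTS = [
    (0, "alice", False), (10, "alice", False), (20, "alice", False),
    (30, "alice", True),    # correct password, but the account is locked
    (40, "bob", False), (200, "bob", False), (210, "bob", True),
    (400, "alice", True),   # lock has expired, legitimate access works again
]

def evaluate(events, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
    """Return (timestamp, account, decision) with decision allow/deny/locked."""
    failures = defaultdict(deque)   # account -> timestamps of recent failures
    locked_until = {}               # account -> time at which the lock ends
    decisions = []
    for ts, account, success in events:
        if locked_until.get(account, -1) > ts:
            # Active control: history of access is out-of-pattern, so even a
            # correct password is refused until the lock expires.
            decisions.append((ts, account, "locked"))
            continue
        recent = failures[account]
        while recent and ts - recent[0] >= window:
            recent.popleft()        # forget failures older than the window
        if success:
            recent.clear()
            decisions.append((ts, account, "allow"))
        else:
            recent.append(ts)
            if len(recent) >= max_failures:
                locked_until[account] = ts + lockout
                recent.clear()
            decisions.append((ts, account, "deny"))
    return decisions

if __name__ == "__main__":
    for row in evaluate(EVENTS):
        print(row)
```

The event at t=30 shows the slide's caveat that an active control can block legitimate access, and the event at t=400 shows the timed unlock restoring it.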
Integrated Security
Security should be Integrated Security:
Static + Active
Across
All Your Assets
Based On
Risk Assessment
1st Conclusion
As 100% security is impossible, you need to
decide what needs to be secured and how well
it needs to be secured
In other words, you need:
Asset list
Risk impact estimate for each asset
Some Techniques for
Securing IT
What is Really Secure?
Look for systems
From well-known parties
With published (not secret!) algorithms
That generate a lot of interest
That have been hacked for a few years
That have been analysed mathematically
Absolutely do not “improve” algorithms yourself
Employ someone to attempt a break-in
Behaviour (Pattern)
Analysis
Fairly new area (with exceptions)
In addition to knowing your assets, you need to
know your perimeter (edge)
Do you?
Active access inspection and pattern matching
are the main techniques
Many Perimeters
External – Network Edge
Between you and internet
etc.
DMZ – De-militarized Zone
Between network edge and
all protected resources
Only minimal protection
possible
Default Security Zone
The traditional LAN
High Security Zone
“Network inside network”
For key assets
Perimeter (Edge) of Isolation
Assets physically not
connected to networks
Useful for some key assets
(e.g. master keys)
[Diagram labels: Network Edge, DMZ, Default, High, Isolation]
Tools for Behaviour
Analysis
Traditional: Firewalls and Proxies around the perimeters
(edges)
Stateful packet inspection
Traditional: Limiting number of accesses to Key Assets
Password lock-outs
Newer: Event Analysis and Active Agents
Rules can be programmed into some security servers
(ISA) or monitoring tools (MOM)
Neural networks are showing some promise for out-of-pattern detection
Basic Crypto Terminology
Plaintext
The stuff you want to secure, typically readable by humans
(email) or computers (software, order)
Ciphertext
Unreadable, secure data that must be decrypted before it
can be used
Key
You must have it to encrypt or decrypt (or do both)
Cryptanalysis
Hacking it by using science
Complexity Theory
How hard is it and how long will it take to run a program
Symmetric Key
Cryptography
[Diagram: plain-text input (“The quick brown fox jumps over the lazy dog”) → Encryption → cipher-text → Decryption → plain-text output]
Encryption and decryption use the same key (shared secret)
Symmetric Pros and Cons
Weakness:
Must agree the key beforehand
Securely pass the key to the other party
Strength:
Simple and really very fast (order of 1000 to
10000 faster than asymmetric mechanisms)
Super-fast if done in hardware (DES,
Rijndael)
Hardware is more secure than software,
so DES makes it really hard to be done in
software, as a prevention
Public Key
Cryptography
Knowledge of the encryption key doesn’t give
you knowledge of the decryption key
Receiver of information generates a pair of keys
Publish the public key in a directory
Then anyone can send him messages that only
she can read
Public Key Encryption
[Diagram: clear-text input (“The quick brown fox jumps over the lazy dog”) → Encryption → cipher-text → Decryption → clear-text output]
Encryption uses the recipient’s public key
Decryption uses the recipient’s private key
Different keys
Public Key Pros and Cons
Weakness:
Extremely slow
Susceptible to “known ciphertext” attack
Strength
Solves problem of passing the key
Hybrid Encryption (Real World)
[Diagram: hybrid encryption]
Data (“Launch key for nuclear missile “RedHeat” is...”) goes through symmetric encryption (e.g. DES)
RNG produces the randomly generated symmetric “session” key
Symmetric key encrypted asymmetrically (e.g., RSA) with the user’s public key (in certificate): the Digital Envelope
As above, repeated for other recipients or recovery agents: a further Digital Envelope made with the other recipient’s or agent’s public key (in certificate) in recovery policy
Hybrid Decryption
[Diagram: hybrid decryption]
Digital envelope contains “session” key encrypted using recipient’s public key
Session key must be decrypted using the recipient’s private key: asymmetric decryption of “session” key (e.g. RSA)
Symmetric decryption (e.g. DES) with the symmetric “session” key recovers the data (“Launch key for nuclear missile “RedHeat” is...”)
Digital Signatures
Want to give plain text data to someone, and
allow them to verify the origin
Integrity, authenticity & non-repudiation
Much more on this in my PKI session SEC390 at
16:45 in room 6 today
DES, IDEA, RC2, RC5
Symmetric
DES (Data Encryption Standard) is the most popular
Keys very short: 56 bits
Brute-force attack took 3.5 hours on a machine costing
US$1m in 1993. Today it probably is done real-time.
Triple DES (3 DES) not much more secure but may thwart
NSA
Just say no, unless value of data is minimal
IDEA (International Data Encryption Standard)
Similar to DES, but “not” from NSA
128 bit keys
RC2 & RC5 (by R. Rivest)
RC2 is older and RC5 newer (1994) - similar to DES and
IDEA
Rijndael
Standard replacement for DES for US government, and,
probably for all of us as a result…
Winner of the AES (Advanced Encryption Standard)
competition run by NIST (National Institute of Standards
and Technology in US) in 1997-2000
Comes from Europe (Belgium) by Joan Daemen and
Vincent Rijmen. “X-files” stories less likely (unlike DES).
Symmetric block-cipher (128, 192 or 256 bits) with variable
keys (128, 192 or 256 bits, too)
Fast and a lot of good properties, such as good immunity from
timing and power (electric) analysis
Construction deceptively similar to DES (S-boxes, XORs etc.)
but really different
CAST and GOST
CAST
Canadians Carlisle Adams & Stafford Tavares
64 bit key and 64 bit of data
Choose your S-boxes
Seems resistant to differential & linear cryptanalysis and
only way to break is brute force (but key is a bit short!)
GOST
Soviet Union’s “version” of DES but with a clearer design
and many more repetitions of the process
256 bit key but really 610 bits of secret, so pretty much
“tank quality”
Backdoor? Who knows…
Careful with Streams!
Do NOT use a block cipher in a loop
Use a crypto-correct technique for treating
streams of data, such as CBC (Cipher Block
Chaining)
.NET Framework implements it as
ICryptoTransform on a crypto stream with
any supported algorithm
RC4
Symmetric
Fast, streaming encryption
R. Rivest in 1994
Originally secret, but “published” on sci.crypt
Related to “one-time pad”, theoretically most secure
But!
It relies on a really good random number generator
And that is the problem
RSA, DSA, ElGamal, ECC
Asymmetric
Very slow and computationally expensive – need a
computer
Very secure
Rivest, Shamir, Adleman – 1978
Popular and well researched
Strength in today’s inefficiency to factorise into prime
numbers
Some worries about key generation process in some
implementations
DSA (Digital Signature Algorithm) – NSA/NIST thing
Only for digital signing, not for encryption
Variant of Schnorr and ElGamal sig algorithm
ElGamal
Relies on complexity of discrete logarithms
ECC (Elliptic Curve Cryptography)
Really hard maths and topology
Better than RSA, in general and under a mass of research
Quantum Cryptography
Method for generating and passing a secret key or a random
stream
Not for passing the actual data, but that’s irrelevant
Polarisation of light (photons) can be detected only in a way
that destroys the “direction” (basis)
So if someone other than you observes it, you receive
nothing useful and you know you were bugged
Perfectly doable over 10-50km long fibre-optic link
But seems pretty perfect, if a bit tedious and slow
Don’t confuse it with quantum computing, which won’t be
with us for at least another 50 years or so, or maybe longer…
MD5, SHA
Hash functions – not encryption at all!
Goals:
Not reversible: can’t obtain the message from its hash
Hash much shorter than original
Two messages won’t have the same hash
MD5 (R. Rivest)
512 bits hashed into 128
Mathematical model still unknown
But it resisted major attacks
SHA (Secure Hash Algorithm)
US standard based on MD5
Diffie-Hellman, “SSL”,
Certs
Methods for key exchange
DH is very clever since you always generate a new “keypair” for each asymmetric session
STS, MTI, and certs make it even safer
Certs (certificates) are the most common way to
exchange public keys
Foundation of Public Key Infrastructure (PKI)
SSL uses a protocol to exchange keys safely
See session on PKI
Cryptanalysis
Brute force
Good for guessing passwords, and some 40-bit symmetric
keys (in some cases needed only 2^27 attempts)
Frequency analysis
For very simple methods only (US mobiles)
Linear cryptanalysis
For stronger DES-like, needs 2^43 plain-cipher pairs
Differential cryptanalysis
Weaker DES-like, needs from 2^14 pairs
Power and timing analysis
Fluctuations in response times or power usage by CPU
Breaking It on $10 Million
Symmetric Key   ECC Key   RSA Key   Time to Break     Machines   Memory
56              112       420       < 5 mins          10000      Trivial
80              160       760       600 months        4300       4GB
96              192       1020      3 million years   114        170GB
128             256       1620      10E16 years       0.16       120TB
From a report by Robert Silverman, RSA Laboratories, 2000
Some Recommendations
Strong Systems
It is always a mixture! Changes all the time…
Symmetric:
Min. 128 bits for RC2 & RC5, 3DES, IDEA, carefully
analysed RC4, 256 bit better
Asymmetric:
RSA, ElGamal, Diffie-Hellman (for keys) with
minimum 1024 bits (go for the maximum, typically
4096, if you can afford it)
Hash:
Either MD5 or SHA but with at least 128 bit results,
256 better
Weak Systems
Anything with 40-bits (including 128 and 56 bit versions
with the remainder “fixed”)
CLIPPER
A5 (GSM mobile phones outside US)
Vigenère (US mobile phones)
Dates from 1585!
Unverified certs with no trust
Weak certs (as in many “class 1” personal certs)
Summary
Decide what to secure and how
Have someone fulfil the role of CSO (Chief
Security Officer)
Combine static crypto-based security with
active behaviour (pattern) analysis
Use reasonably strong security mechanisms
Balance security against accessibility
Resources & Reading
Visit www.microsoft.com/security
Attend sessions on PKI (incl. SEC390)
For more detail, read:
Applied Cryptography, B. Schneier, John Wiley & Sons,
ISBN 0-471-12845-7
Foundations of Cryptography, O. Goldreich,
www.eccc.uni-trier.de/eccc-local/ECCCBooks/oded_book_readme.html
Handbook of Applied Cryptography, A.J. Menezes, CRC
Press,
ISBN 0-8493-8523-7
PKI, A. Nash et al., RSA Press, ISBN 0-07-213123-3
Cryptography in C and C++, M. Welschenbach, Apress,
ISBN 1-893115-95-X (includes code samples CD)
Risk Analysis for IT Security
A Bonus Section for Your Reading
Pleasure
Examples
Asset:
Internal mailbox of your Managing Director
Risk Impact Estimate (examples!)
Risk of loss: Medium impact
Risk of access by staff: High impact
Risk of access by press: Catastrophic impact
Risk of access by a competitor: High impact
Risk of temporary no access by MD: Low impact
Risk of change of content: Medium impact
Creating Your Asset List
List all of your named assets starting with the
most sensitive
Your list won’t ever be complete, keep updating
as time goes on
Create default “all other assets” entries
Divide them into logical groups based on
their probability of attacks or the risk of their
“location” between perimeters
Risk Impact Assessment
For each asset and risk attach a measure of impact
Monetary scale if possible (difficult) or relative numbers
with agreed meaning
E.g.: Trivial (1), Low (2), Medium (3), High (4),
Catastrophic (5)
Ex:
Asset: Internal MD mailbox
Risk: Access to content by press
Impact: Catastrophic (5)
Risk Probability
Assessment
Now for each entry measure the probability that the loss
may happen
Real probabilities (difficult) or a relative scale
(easier) such as: Low (0.3), Medium (0.6), and
High (0.9)
Ex:
Asset: Internal MD mailbox
Risk: Access to content by press
Probability: Low (2)
Risk Exposure and Risk
List
Multiply probability by impact for each entry
Exposure = Probability x Impact
Sort by exposure
High-exposure risks need very strong security
measures
Lowest-exposure risks can be covered by default
mechanisms or ignored
Example:
Press may access MD mailbox:
Exposure = P(Low=0.3) x I(Catastrophic=5) = 1.5
By the way, minimum exposure is 0.3 and maximum is
4.5 in our examples
Mitigation and
Contingency
For high-exposure risks have a plan:
Mitigation: Reduce its probability or impact (so
exposure)
Transfer: Make someone else responsible for
the risk
Avoidance: avoid the risk by not having the
asset
Contingency: what to do if the risk becomes
reality
2nd Conclusion
Security risk management is an ongoing activity
which requires someone to be responsible for it
Who?
Your CSO – Chief Security Officer
Do you have one?