System security: Lectures taught by David Seidman (January 28-31)

• Tuesday lecture on vulnerabilities and mitigations.
• Wednesday lecture on return oriented programming. Here is the original paper on ROP.
• Thursday lecture on Web vulnerabilities.

A note on ethics:In these classes you learned a number of web and software exploits. Please read the statement of ethics, law, and university policy here and do NOT try these on any site where you do not have explicit permission to do so!

Fuzzing Lab. Due Feb 22. Instructions.      testfile      testprogram.c      Link to websubmit.

System security homework. Due February 12. ho1

Extra security related reading recommended by David:

• DarkReading.com
• ThreatPost.com
• Microsoft's own Security Research and Defense blog written by David's teammates at MS.
• BugTraq not a news feed per se but a mailing list to discuss and share vulnerabilities, exploits, and related information. Note that you may see unethical, rude, and generally bad behavior on this mailing list, but there is lots of good technical information mixed in as well.
• Following security researchers on Twitter e.g. Dan Kaminsky, Jacob Applebaum, Charlie Miller,....
• Another talk David has given about Stuxnet and the vulnerability economy.

Reference books: "Writing Secure Code", or see also this site. The book "Windows Internals".

Hashing and Entropy (Week of Feb 4)

Speaker: Adam. flame presentation

Speaker: Yieli. password cracking presentation

• We discussed Shannon Entropy and min entropy.
• We also discussed Kerckhoff's Principle for cryptosystems. wiki ref
• We talked about the entropy in the GS cookie. Here's an interesting paper that shows how to reduce the entropy by 15 bits.
• We also talked about 3 different properties of hash functions. One way fucntions (see Katz and Lindell page 194-198), Pseudorandom functions (Katz and Lindell page 86) and Collision Resistant Hashes (Katz and Lindell page 127).
• Here is a page with references to different kinds of hash functions. Most modern crypto uses SHA-256. There is also a competition to create a new SHA-3. The winner was finally announced just this October 2012!
• Password hashing article. It has a section called "The WRONG Way: Double Hashing and Wacky Hash Function" which mentions using double hashing or a combination of hash functions.
• Cryptographers have also looked at the question of combining hash functions. Here are a few papers:
  • Marc Fischlin, Anja Lehmann. "Multi-property Preserving Combiners for Hash Functions" Theory of Cryptography 2008. paper.;
  • Here's an earlier paper on the subject by the same authors.
  • The problem was first studied in a formal cryptographic way by Hertzberg in 2002; this is the same Hertzberg's who gave a talk on DNS security here at BU on Wednesday morning!
• In class someone asked why the hash-function h(key,message) is not used (i.e. where the key is appended to the message), and instead we use more complicated things like HMAC when we want a pseudorandom function. To see why, you can refer to the HMAC paper for details; page 16 shows why this construction fails to be secure.

Encryption and authentication ( Feb 12-21)

Speaker: Sachin. red october presentation

Speaker: Marc. java facepalm presentation

Encryption. Definitions: perfectly secure encryption (Katz Lindel page 30-34), CPA secure encryption (Katz Lindel page 82-85) . Schemes: one time pad (Katz Lindel page 34-36), stream ciphers (Katz Lindel page 69-80). Public key encryption.

Authentication. Message authentication codes (Katz Lindel page 114-118), digital signatures.

Basic crypto homework. Due March 1. Deadline extended to March 6. ho2 ho2 solution

IPsec: Symmetric Encryption and Authentication. (Feb 26 - March 5)

Speaker: Allan. presentation
Speaker: David. presentation
Speaker: Zhouqun. presentation

We discuss how IPsec and TLS/SSL are used, covering both the high-level issues about where in the Internet each protocol is used, as well as the underlying cryptographic issues related to encryption and authentication.

• We discussed the notion of CCA security and CPA security for encryption, and how, when we talk about encryption in practice, most schemes are ony CPA secure (i.e. AES, DES, blowfish, etc.). However, on the internet we almost always want CCA security, so we can defend against active attackers; to do this, we need to combine CPA secure encryption with a secure MAC. For a reference, see the Katz and Lindell textbook.
• Note on the order of encryption and authentications are based on Hugo Krawcyzk's amazing paper from 2001 (one of my favorites) that was rewritten as Chapter 4.9 of Katz and Lindell's "Introduction to Modern Cryptography" textbook.
• We cover IPsec in detail, using Steve Friedl's illustrated guide.

Reading. Please read sections 1-3 and 7 from this EuroCrypt'2006 paper on attacks on encryption-only uses of IPsec; email me a 200 word summary of the attack described in the paper in time for class on February 28. Email subject should be: CS558 Reading 1.

IKE: Internet Key Exchange. (March 7 - )

We discuss SigMA protocols used for IKE (internet key exchange) for IPsec using Hugo Krawcyzk's excellent slides. The corresponding paper may also be useful pdf.

IPsec and IKE homework. Due March 20. ho3. ho3 solution

TLS and PKI (March 18)

We discuss SSL/TLS and public key infrastructures.

• You can refer to Gene Itkis's slides on the SSL handshake protocol.
• More discussion on the SSL handshake is in Lindell's old lecture notes, section 13.1.
• For instructions on how look at the preinstalled certificates on your browser, see here
• The Iranian DigiNota attack on SSL certificates: EFF report.
• The SSL observatory tracks SSL certificate use; this is an under-utilized research gold mine; explore it!
• Color map of certificate authorities.
• In class, we discussed an attack where TLS certs accidentally issued with CA permissions were then used it to make a rogue certificates. Here is a real world example where a *.google.com certificate was created.

Lab 2: SSL certificates. Due April 11. Lab 2

DDoS and Amplification attacks (March 28)

We discussed the DDoS attack on spamhaus that is happened this week.

• Blog post from cloudflare
• Smurf attacks and DNS amplification, from cloudflare
• New York Times
• List of open resolvers here .

Routing security and BGP attacks (March 28-April 2)

• See the handout describing BGP operation; it's available in the box outside MCS135.
• References on the RPKI: slides.
• See also Danny Cooper's talk on our RPKI research from BFOC'13 .
• Slides on BGP security here. We discussed the first 25 slides. This slide deck is based on our SIGCOMM'10 paper
• The Pakistan Telecom / YouTube incident - a failed attempt at censorship via BGP. The renesys blog.
• The China Telecom traffic interception incident The renesys blog.
• See also this survey paper on BGP security.
• Here is some software for making Hilbert curves out of the IPv4 address space here.

Midterm information (April 4) The following topics will be covered on the midterm:

• The material in David Seidman's three lectures
• Encryption, authentication, PRFs, collision-resistant hash, one-way function. Public Key encryption, digital signatures.
• CCA vs CPA secure encryption; authenticated encryption.
• IPsec basics
• Key exchange protocols; the material in Hugo Krawzyck's lecture that we discussed in class.
• PKI. Attacks on PKI.
• Routing security, BGP.

DNS security
Speaker: Emily. presentation
Speaker: Brian. presentation
Speaker: Jeff. presentation
Speaker: Dan. presentation
Speaker: Mateus. presentation
Speaker: Richard. presentation

• A gentle introduction to DNS is here http://www.isoc.org/briefings/016/index.shtml.
• A list of the DNS root zones is here: http://www.root-servers.org/
• A very interesting FAQ about root zone operations, (e.g. why there is diversity in the code used to operate the root zone servers), by Daniel Karrenberg, an operator of the K-root.
• We discuss Kaminsky's famous attack on DNS using this UnixWiz article.
• See also this figure explaining the Kaminsky attack.
• Here is a paper on DNS cache poisoning A hitchhikers guide to DNS cache posioning
• Defending your DNS in a post-Kaminsky world. slides from Paul Wouters at Blackhat'09.
• Slides on DNS security from Olaf M. Kolkman in 2004.
• Some advice on how to run DNSSEC from isc
• DNSSEC deployment at the root zone. Talk a NANOG'48
• Tracking the progress of DNSSEC deployment with UCLA's security spider.
• Paper on the security risks associated with DNSSEC and NSEC Bau-Mitchell'10.
• DNS and censorship - the china I-root incident. renesys blogpost 1 and blogpost 2.

Homework 4: BGP, DNS and TLS. Due April 22. Homework 4

History: Why was the Internet designed without security in mind?

• Dave Clark on the design principles of the Internet The Design Philosophy of the DARPA Internet Protocols.
• The tussle in cyberspace paper. My favorite quote from the paper: "[The Internet] is not a single happy family of people dedicated to universal packet carriage."

Anonymity and Tor

We discuss the Tor protocol using these slides.

Data privacy

• Cluster based methods. We use these Slides from class, borrowed with permission from V. Shmatikov. The slides are based on Li, Li, Venkatasubramanian. This paper by Ganta, Kasiviswanathan, Smith '08 is also interesting.
• Differential privacy. We discuss this using Section 2 of McSherry'09.