CS 558 Spring 2014

CS558 : Introduction to Network Security
Boston University, Computer Science, Spring, 2014

Course Syllabus Assignments Schedule Calendar Link to websubmit Link to piazza


		Instructor: Sharon Goldberg Office Hours: Thursdays 3:30-4 PM AND 5-7:15PM, MCS135 Lectures: Tuesday & Thursday 9:30-11AM, CAS116 Teaching Fellow: Ethan Heilman Office Hours: Mondays 9-11AM, MCS135 Discussions: Friday, 9:00-10:00AM in MCS B19 Friday 11:00-12:00AM in SCI 115 Course Assistant: Dimitris Papadopoulos Communications: We will use piazza to communicate with you. You are welcome to use Piazza to set up study groups, to post interesting security incidents you read about (please tag these as "interesting incident in the news"), or to discuss the course with other students. If you have a question about the course you should: (a) Come to office hours, OR (b) Post to Piazza. Questions posted to Piazza will be answered by the course staff on Friday, Sunday, and Monday, and on a best-effort basis throughout the rest of the week. If you need to talk to the course staff in private, you can send us a private message on Piazza to let us know that you want to have a private conversation during office hours. Then show up at office hours to discuss your issue. You should not expect a response; instead assume we have read your message and you should then just show up at office hours. If you want to talk to one of us in person but absolutely can't make office hours, please send the relevant person an email with at least three different options for when you are available to meet.

Ethics

To defend a system you need to be able to think like an attacker, and that includes understanding techniques that can be used to compromise security. However, using those techniques in the real world may violate the law or the university's rules, and it may be unethical. Under some circumstances, even probing for weaknesses may result in severe penalties, up to and including expulsion, civil fines, and jail time. Our policy is that you must respect the privacy and property rights of others at all times, or else you will fail the course.

Acting lawfully and ethically is your responsibility. Carefully read the Computer Fraud and Abuse Act (CFAA), a federal statute that broadly criminalizes computer intrusion. This is one of several laws that govern ``hacking." Understand what this law prohibits.

Read BU's Conditions of Use and Policy on Computing Ethics and the BU's Academic Conduct Code. As members of the university, you are required to abide by these policies.

Schedule

The security mindset (Thursday Jan 17 )

Kerckhoff's Principle for cryptosystems. wiki ref
Threat modeling.
Game-based security definitions.

Assigned reading: Chapter 1 of Anderson's book

Symmetric-Key Encryption and Authentication (Jan 21-28)

Perfect secrecy and the one-time-pad.
Security for encryption schemes: Ciphertext Only Attack (COA), Known Plaintext Attack (KPA), Chosen Plaintext Attack (CPA), Chosen Ciphertext Attack (CCA).
Stream ciphers.
Malleability.
Definition of authentication. Message authentication code (MAC).
Pseudorandom Functions (PRF); building a MAC from a PRF.
The order of encryption and authentication, and the fact that encypt-then-MAC is both a good secure channel implementation, and a CCA-secure symmetric encryption scheme.
The basics of AES.

Assigned reading: Sections 5-5.2.2, 5.3.2-5.3.3 of Anderson's book
Background reading: The Battle of the Clipper Chip New York Times, June 12, 1994.
Reference in Katz and Lindell: I was asked to give references to the material we covered in class to the Katz and Lindell book. Katz and Lindell go into MUCH more detail than we cover in this class, so I provide this info for reference: Section 1.2 (encryption), Section 1.4 (useful background), Section 2.1-2.3 (One Time Pad), Section 3.2-3.21 (more on encryption), Section 3.5 (CPA security) Section 3.7 (CCA security) Section 4-4.3 (MACs)

Hashing (Jan 30 - Feb 6)

Merkle Damgard construction for hash function.
Properties of cryptographic hash functions. Properties: Collision resistance. One-way functions (OWF). Currently we use SHA-256, SHA-3 to instantiate cryptographic hash functions. In the past we used MD5 (broken:collisions found) and SHA1 (cryptanalytic evidence suggest this will be broken soon, and is deprecated).
PRFs and HMAC. These are keyed hash functions. We model these as indistinguishable from random functions for an adversary that does not know the key.
Applications of hashing:
- Manifests (or hash-and-MAC)
- Password hashing
- Hash proofs of work. (Used in bitcoin! This specific scheme we talk about in class (ie. to find a nonce n such that H(n,message)=00000000000........ was devised as part of hashcash)
The birthday paradox and the difference between collision resistance and target-collision resistance (or one-wayness) for random functions. OR: Why does SHA-256 provide only 128-bits of security against collision attacks.

Reference in Anderson: Sections 5.2.4, 5.3.1 of Anderson's book
Reference in Katz and Lindell: I was asked to give references to the material we covered in class to the Katz and Lindell book. Katz and Lindell go into MUCH more detail than we cover in this class, so I provide this info for reference: Section 3.6.1 (PRFs) Section 4.6 (Collision resistant hash functions) Section 4.7.2 (HMAC - just construction 4.17) Section 6.1.1 (one-way-functions) Appenix A.4 (the birthday paradox)

Public Key Cryptography: Digital Signatures, Encryption, And Key Exchange. (Feb 11-Feb 18)

PK Encryption
Digital Signatures
The basics of RSA encryption and RSA signatures. Why textbook RSA is not actually a secure encryption or digital signature. Why we need encryption standards like PKCS 1.5 and OEAP.
The hash-and-sign paradigm for digital signatures.
Key exchange protocols:
- The basics TLS handshake (i.e the key exchange protocol). See here. The gory details are here.
- Diffie Helman Key Exchange and Perfect Forward Secrecy (PFS). This article has a nice explanation, and talks about how SSL is moving towards using DH Key exchange, instead of the encryption-based protocol described above.
- Why classic Diffie Helman is not secure against a ``active'' man-in-the-middle adversary that tampers/alters the messages sent between Alice and Bob.
- Key exchange protocols that are based on Diffie Helman and are secure against active adversaries. My source for this is Hugo Krawcyzk's excellent slides on SIGMa protocols. These protocols are used for IKE (internet key exchange) for IPsec.

Readings in Anderson: Section 5.2.5 (Asymmetric primitives) Sections 5.7.1 (RSA) 5.7.2.2 (Diffie Helman Key Exchange), 5.7.5 (Certificates) of Anderson's book
Reference in Katz and Lindell: I was asked to give references to the material we covered in class to the Katz and Lindell book. Katz and Lindell go into MUCH more detail than we cover in this class, so I provide this info for reference: Section 9.4 (Diffie Helman Key Exchange) 10-10.2.1 (public key encryption) 10.4-10.4.2 (RSA encryption [This section is a particularly good reference]). 12-12.4 (Signatures)

Public Key Infrastructure (PKI) and Certificates (Feb 20-Feb 25)

Public Key Infrastructure and the web PKI. The principle of least privilege. Certificate Authorities (CAs). The difference between CA certificates and EE certificates. Attacks on CAs and probles with the web's PKI.
- For instructions on how look at the preinstalled certificates on your browser, see here
- The DigiNotar attack: EFF report.
- Paper analyzing the web PKI.
- Color map of certificate authorities from 2010.
- An attack where TLS certs accidentally issued with CA permissions were then used it to make a rogue certificates. Here is a real world example where a *.google.com certificate was created.

Ethics and law. Lecture visit from Dennis Hart (Feb 27)

Ethan's presentation on the history of responsible disclosure and full disclosure: slides.
BU researchers find vulnerability in yelp and airbnb, leading to the development of responsible disclosure policies for these sites.
Computer Fraud and Abuse Act CFAA.
List of websites with bug bounties: bugcrowd.com.

Web security (March 4-20)

The topics we will cover include: image tag security issues, same-origin policy, insecurities that arise from mixing http and https content on a page, security issues relating to session management with cookies, SQL injection, cross site scripting (XSS), cross site request forgery (CSRF).
We discuss SQL injection using this excellent techtip from Steve Freidl.
These slides from CS155 at Stanford provide an overview of the basic web security model.
These slides from CS155 at Stanford provide an overview of web vulnerabilities.

Required readings: Please read the Friedl techtip on SQL injection that was discussed in class, and this excellent article on Secure Session Management With Cookies for Web Applications. You should also review the sides above to understand XSS and CSRF.
Optional readings: Here is a reference on CSRF.

TCP/IP and its security (March 27-April 3)

My slides will be posted on Piazza.
We played with traceroute during lecture. If you have never done this before, log into csa2 and run the command traceroute example.com and see what happens; (obviously replacing example.com with whatever destination you like). How many hops does it take to get to a destination in India? A destination in the US? A destination in Singapore? A destination in South Africa?
Here is a decent explanation of how traceroute works from wikipedia
We talked about port numbers. Here is a list of port number to application allocations from IANA.
We talked about NATs (Network Address Translation). Here is a reference NATs.
A tutorial on IPsec in detail, from Steve Friedl's illustrated guide.
In lecture, we'll try to think about why SSL (that is, "secure" TCP) caught on so much more effectively than IPsec ("secure IP").

DDoS and Amplification attacks (?)

Slides from Dan Boneh in 2007, on DoS attacks of various flavors: ppt.
Classic (1997!) slides about the smurf attack.
The spring 2013 DDoS attack on Spamhaus that used DNS amplication.
- The DDoS attack on spamhaus: Blog post from cloudflare
- Smurf attacks and DNS amplification, from cloudflare
- New York Times
- List of open resolvers here .
The winter 2014 DDoS attack that used NTP: cloudflare blog.

DNS security (April 17)

Core resources. Please review the below:

A gentle introduction to DNS is here http://www.isoc.org/briefings/016/index.shtml.
A list of the DNS root zones is here: http://www.root-servers.org/
A very interesting FAQ about root zone operations, (e.g. why there is diversity in the code used to operate the root zone servers), by Daniel Karrenberg, an operator of the K-root.
We discuss Kaminsky's famous attack on DNS using this UnixWiz article. See also this figure explaining the Kaminsky attack.
We discuss DNSSEC using this presentation from Olaf M. Kolkman in 2004. This slide deck from Paul Wouters at Blackhat'09 is an additional resource, but you need not review this one in great detail.
You can run you own DNS queries by logging into csa2.bu.edu and running dig +trace example.com, obviously replacing example.com with whatever domain you want to look at. Dig can let you look at pretty much anything in the DNS; type man dig on csa2 to see some options, or find a dig tutorial online. If you want to look at DNSSEC deployments using dig, this tutorial is a good place to start.

Extra resources, for those interested in further work on this topic:

DNS and censorship - the china I-root incident. renesys blogpost 1 and blogpost 2.
DNSSEC deployment at the root zone. Talk at NANOG'48
Track the progress of DNSSEC deployment with UCLA's security spider.
Research: Here is an interesting research paper on the security risks associated with DNSSEC and NSEC Bau-Mitchell'10. Another nice paper on DNS cache poisoning: A hitchhikers guide to DNS cache posioning. See also Haya Shulman's DNS security research here, especially her IP fragmentation attack.

BGP security (April 29-May 1)

We discussed BGP security, the RPKI, Secure BGP, and Secure Origin BGP.

This survey is a good source of information about BGP security.
This talk I gave a few months ago provides a decent overview of BGP security issues.

Final poster session: Web security audits! (May 2)

Done! Thanks for a great semester and enjoy your summer!