CS 558 Spring 2015

CS558 : Introduction to Network Security
Boston University, Computer Science, Spring, 2015

Course Syllabus Assignments Schedule Calendar Link to websubmit Link to piazza

Instructor:     Sharon Goldberg
Office Hours:     Tuesdays 2-5PM, MCS135
Lectures:     Tuesday & Thursday 9:30-11AM, CAS326

Course Assistants:
Aanchal Malhotra (MCS135A)
Ethan Heilman (MCS135A)
Dimitris Papadopoulos (MCS134)

Course Assistant Office Hours: Mondays 9-11AM, MCS135

Discussions:
Friday, 11:00-12:00AM in MCS B19
Friday 1:00-2:00PM in MCS B19

Communications: We will use piazza to communicate with you. You are welcome to use Piazza to set up study groups, to post interesting security incidents you read about (please tag these as "interesting incident in the news"), or to discuss the course with other students. If you have a question about the course you should: (a) Come to office hours, OR (b) Post to Piazza. You are welcome to post to Piazza anonymously, but please don't use private posts to ask technical questions. The rest of the class is probably also interested in your question, so make it public!

If you need to talk to the course staff in private, you can send us a private message on Piazza to let us know that you want to have a private conversation during office hours. Then show up at office hours to discuss your issue. You should not expect a response; instead assume we have read your message and you should then just show up at office hours. If you want to talk to one of us in person but absolutely can't make office hours, please send the relevant person an email with at least three different options for when you are available to meet.

Ethics

To defend a system you need to be able to think like an attacker, and that includes understanding techniques that can be used to compromise security. However, using those techniques in the real world may violate the law or the university's rules, and it may be unethical. Under some circumstances, even probing for weaknesses may result in severe penalties, up to and including expulsion, civil fines, and jail time. Our policy is that you must respect the privacy and property rights of others at all times, or else you will fail the course.

Acting lawfully and ethically is your responsibility. Carefully read the Computer Fraud and Abuse Act (CFAA), a federal statute that broadly criminalizes computer intrusion. This is one of several laws that govern ``hacking." Understand what this law prohibits.

Read BU's Conditions of Use and Policy on Computing Ethics and the BU's Academic Conduct Code. As members of the university, you are required to abide by these policies.

Schedule

The security mindset

Kerckhoff's Principle for cryptosystems. wiki ref
Threat modeling.
Game-based security definitions.

Assigned reading: Chapter 1 of Anderson's book

Symmetric-Key Encryption and Authentication

Perfect secrecy and the one-time-pad.
Security for encryption schemes: Ciphertext Only Attack (COA), Known Plaintext Attack (KPA), Chosen Plaintext Attack (CPA), Chosen Ciphertext Attack (CCA).
Stream ciphers.
Malleability.
Definition of authentication. Message authentication code (MAC).
Pseudorandom Functions (PRF); building a MAC from a PRF.
The order of encryption and authentication, and the fact that encypt-then-MAC is both a good secure channel implementation, and a CCA-secure symmetric encryption scheme.
The basics of AES.

Assigned reading: Sections 5-5.2.2, 5.3.2-5.3.3 of Anderson's book
Background reading: The Battle of the Clipper Chip New York Times, June 12, 1994.
Reference in Katz and Lindell: I was asked to give references to the material we covered in class to the Katz and Lindell book. Katz and Lindell go into MUCH more detail than we cover in this class, so I provide this info for reference: Section 1.2 (encryption), Section 1.4 (useful background), Section 2.1-2.3 (One Time Pad), Section 3.2-3.21 (more on encryption), Section 3.5 (CPA security) Section 3.7 (CCA security) Section 4-4.3 (MACs)

Hashing

Merkle Damgard construction for hash function.
Properties of cryptographic hash functions. Properties: Collision resistance. One-way functions (OWF). Currently we use SHA-256, SHA-3 to instantiate cryptographic hash functions. In the past we used MD5 (broken:collisions found) and SHA1 (cryptanalytic evidence suggest this will be broken soon, and is deprecated).
PRFs and HMAC. These are keyed hash functions. We model these as indistinguishable from random functions for an adversary that does not know the key.
Applications of hashing:
- Password hashing
The birthday paradox and the difference between collision resistance and target-collision resistance (or one-wayness) for random functions. OR: Why does SHA-256 provide only 128-bits of security against collision attacks.

Reference in Anderson: Sections 5.2.4, 5.3.1 of Anderson's book
Reference in Katz and Lindell: I was asked to give references to the material we covered in class to the Katz and Lindell book. Katz and Lindell go into MUCH more detail than we cover in this class, so I provide this info for reference: Section 3.6.1 (PRFs) Section 4.6 (Collision resistant hash functions) Section 4.7.2 (HMAC - just construction 4.17) Section 6.1.1 (one-way-functions) Appenix A.4 (the birthday paradox)

Public Key Cryptography: Digital Signatures, Encryption, And Key Exchange. (Feb 11-Feb 18)

PK Encryption
Digital Signatures
The basics of RSA encryption and RSA signatures. Why textbook RSA is not actually a secure encryption or digital signature. Why we need encryption standards like PKCS 1.5 and OEAP.
The hash-and-sign paradigm for digital signatures.
Key exchange protocols:
- The basics TLS handshake (i.e the key exchange protocol). See here. The gory details are here.
- Diffie Helman Key Exchange and Perfect Forward Secrecy (PFS). This article has a nice explanation, and talks about how SSL is moving towards using DH Key exchange, instead of the encryption-based protocol described above.
- Why classic Diffie Helman is not secure against a ``active'' man-in-the-middle adversary that tampers/alters the messages sent between Alice and Bob.

Readings in Anderson: Section 5.2.5 (Asymmetric primitives) Sections 5.7.1 (RSA) 5.7.2.2 (Diffie Helman Key Exchange), 5.7.5 (Certificates) of Anderson's book
Reference in Katz and Lindell: I was asked to give references to the material we covered in class to the Katz and Lindell book. Katz and Lindell go into MUCH more detail than we cover in this class, so I provide this info for reference: Section 9.4 (Diffie Helman Key Exchange) 10-10.2.1 (public key encryption) 10.4-10.4.2 (RSA encryption [This section is a particularly good reference]). 12-12.4 (Signatures)

Public Key Infrastructure (PKI) and Certificates (Feb 20-Feb 25)

Public Key Infrastructure and the web PKI. The principle of least privilege. Certificate Authorities (CAs). The difference between CA certificates and EE certificates. Attacks on CAs and probles with the web's PKI.
- For instructions on how look at the preinstalled certificates on your browser, see here
- The DigiNotar attack: EFF report.
- Paper analyzing the web PKI.
- Color map of certificate authorities from 2010.
- An attack where TLS certs accidentally issued with CA permissions were then used it to make a rogue certificates. Here is a real world example where a *.google.com certificate was created.
- Certificate revocation.
  - Nice reference providing an overview of how certificate revocation lists are accessed today.
  - the OCSP protocols for distributing cert revocation lists (CRL).
  - OCSP "stapling", a less vulnerable way for transmitting CRLs.
  - Critique of certificate revocation and it's challenges.

Web security
Required readings:

The topics we will cover include: image tag security issues, same-origin policy, insecurities that arise from mixing http and https content on a page, security issues relating to session management with cookies, SQL injection, cross site scripting (XSS), cross site request forgery (CSRF).
We discuss SQL injection using this excellent techtip from Steve Freidl.
These slides from CS155 at Stanford provide an overview of the basic web security model. We discussed these slides on Tuesday March 17. I implemented the John Mitchell's using-img-tags-for-scanning JavaScript code on my (now-malware-looking) webpage: http://www.cs.bu.edu/~goldbe/teaching/index.html; to look at it, do "view source" on your browser.
These slides from CS155 at Stanford provide an overview of web vulnerabilities, including SQL injection, CSRF, and XSS. Alternatively, use these slides from Vitaly Shmatikov.
Please read Parts 1-4 of this simple article on Secure Session Management With Cookies for Web Applications. In class on March 17, I talked about the session fixing attack mentioned in this article.

Optional reading:

On March 17 in class I mentioned how the grey-hat hacker weev was prosecuted for writing a script that altered the query field in URL in order to acquire personal data about ATT customers. Here is an article in WIRED discussing his case; notice the even here in WIRED, the details of the attack are not very clearly described and it sounds like quite a sophisticated attack. This other article in Forbes gives a better sense of the vulnerability that weev exploited, and shows how insecure the ATT's website was at the time of the attack. Quoting this artice "When they discovered that AT&T would actually reveal those addresses to anyone who entered a URL based on a 19 or 20 digit number unique to every iPad SIM card known as an ICC-ID, they used a simple script to generate every possible ICC-ID and visit the associated pages of AT&T�s site, essentially impersonating thousands of iPads to reveal their owners� email addresses." You can ask yourself if the average internet user would be able to tell how trivial this attack is; I think that probably most users can't tell.
Here is a reference on CSRF.

TCP/IP and its security

My slides are here!
We played with traceroute during lecture. If you have never done this before, log into csa2 and run the command traceroute example.com and see what happens; (obviously replacing example.com with whatever destination you like). How many hops does it take to get to a destination in India? A destination in the US? A destination in Singapore? A destination in South Africa?
Here is a decent explanation of how traceroute works from wikipedia
We talked about port numbers. Here is a list of port number to application allocations from IANA.
We talked about NATs (Network Address Translation). Here is a reference NATs.
A tutorial on IPsec in detail, from Steve Friedl's illustrated guide.
In lecture, we'll try to think about why SSL (that is, "secure" TCP) caught on so much more effectively than IPsec ("secure IP").

DDoS and Amplification attacks

Classic (1997!) slides about the smurf attack.
The spring 2013 DDoS attack on Spamhaus that used DNS amplication.
- The DDoS attack on spamhaus: Blog post from cloudflare
- Smurf attacks and DNS amplification, from cloudflare
- New York Times
- List of open resolvers here .
The winter 2014 DDoS attack that used NTP: cloudflare blog.

DNS security

Core resources. Please review the below:

A gentle introduction to DNS is here http://www.isoc.org/briefings/016/index.shtml.
A list of the DNS root zones is here: http://www.root-servers.org/
A very interesting FAQ about root zone operations, (e.g. why there is diversity in the code used to operate the root zone servers), by Daniel Karrenberg, an operator of the K-root.
We discuss Kaminsky's famous attack on DNS using this UnixWiz article. See also this figure explaining the Kaminsky attack.
We discuss DNSSEC using this presentation from Olaf M. Kolkman in 2004. This slide deck from Paul Wouters at Blackhat'09 is an additional resource, but you need not review this one in great detail.
You can run you own DNS queries by logging into csa2.bu.edu and running dig +trace example.com, obviously replacing example.com with whatever domain you want to look at. Dig can let you look at pretty much anything in the DNS; type man dig on csa2 to see some options, or find a dig tutorial online. If you want to look at DNSSEC deployments using dig, this tutorial is a good place to start.

Extra resources, for those interested in further work on this topic:

DNS and censorship - the china I-root incident. renesys blogpost 1 and blogpost 2.
Some advice on how to run DNSSEC from isc
DNSSEC deployment at the root zone. Talk at NANOG'48
Track the progress of DNSSEC deployment with UCLA's security spider.
Research: Here is an interesting research paper on the security risks associated with DNSSEC and NSEC Bau-Mitchell'10. Another nice paper on DNS cache poisoning: A hitchhikers guide to DNS cache posioning. See also Haya Shulman's DNS security research here, especially her IP fragmentation attack.

BGP security

We discussed BGP security, the RPKI, Secure BGP/BGPSEC, and Secure Origin BGP.

Our discussion was based on my survey article in the Communications of the ACM.

Final poster session: Web security audits! (May 2)

Done! Thanks for a great semester and enjoy your summer!