introduction to computer security
play

Introduction to Computer Security Session 1.5 Usable Security and - PowerPoint PPT Presentation

Jan 16, 2024 •546 likes •1.24k views

CSCI-UA.9480 Introduction to Computer Security Session 1.5 Usable Security and Secure Messaging Prof. Nadim Kobeissi 1.5a Usable Security: Then and Now 2 CSCI-UA.9480: Introduction to Computer Security Nadim Kobeissi Humans are

  1. CSCI-UA.9480 Introduction to Computer Security Session 1.5 Usable Security and Secure Messaging Prof. Nadim Kobeissi

  2. 1.5a Usable Security: Then and Now 2 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  3. “ Humans are incapable of securely storing high-quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations.” – Kaufmann, Perlman and Speciner. 3 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  4. The last word on your identity: you. But this isn’t the case in computer security. Two-factor authentication? Attacker can ● manipulate a trusted party while you’re away. Trusted internal network? Attacker breaks ● into mail room employee’s email and sends a bugged PDF to the CEO. 4 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  5. We know humans are fallible. So we need security to be easy. If humans had only 1KB of resilient storage, ● we’d be fine! If secure systems aren’t easy, they either ● fail open , or they lead to forced compromises on behalf of the user. 5 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  6. Email encryption: PGP. “Pretty Good Privacy” (1990s.) ● Created for email encryption: ● Asynchronous (no online handshake ○ necessary.) Non-repudiable (binding signatures.) ○ 6 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  7. Did you know? PGP’s author, Phil Zimmermann, was criminally investigated in 1991 because PGP allegedly violated the Arms Export Control Act and was supposed to be classified as a munition. 7 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  8. Remember: Diffie-Hellman. a b g a g b g a mod p g b mod p Public values: g, p Private keys: a, b Public keys: g a , g b Shared secret: g ab mod p 8 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  9. PGP works in a similar way (but with RSA.) A sk B sk A pk B pk A pk B pk c = RSAENC(B pk , m) s = RSASIG(A sk , c) (true|false) = RSAVER(A pk , c) m = RSADEC(B sk , c) RSA can be used for both public key encryption and for public key signatures . 9 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  10. What’s a possible attack for this scheme? A sk B sk A pk B pk A pk B pk c = RSAENC(B pk , m) s = RSASIG(A sk , c) (true|false) = RSAVER(A pk , c) m = RSADEC(B sk , c) RSA can be used for both public key encryption and for public key signatures . 10 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  11. PGP Step 1: Generate a key pair. 11 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  12. PGP Step 2: export your public key. -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1 mQINBFuiMDMBEACtolKCi+6PipgggL4LjBfWXq8G4bviAPVJSl0kyE9YdHZ++51u PGP public keys contain metadata, ● 23sJT4vgNat/sJGLHC9v8eEqwlhuQyoSeXYELChoxFsVxrDD3vSqdgALyx2cu9vM QR+Q8MTfJlnzpqeW9wzbnmb8ciCRTguBJnHHylye1w6A9X57VtjZVu7/13WiWR1v Sy83SvjayA1x0g3ioX9ENCbBGC0IPVMTvpvzq1MwqUK3g4geclov8mHC1ad0DqJt HdjvKD1C1U/lZkRdo0wS7edSJd0n1hfXW4emhUiZbViYbaoMjOTExJftDTR05hC+ encryption public keys, signing public keys, eYa3W0wlvYHNi7NuXbrzHB5vN5JLeSBMzH5dQ3+ytD8Nilk6b18zrZ0jRj628uon QSkbl5hD9QaE9rUa+ie0bOUsZ1e4qoDizwkesKu/rqQwXISP3MieHkx2LzFsFI6A 0WFftNOt787xkptjuNXNxYK3gR2pfKJEEqW9PbCRG8BT6sMBEN5pNXzWXp9d5ikB FIR8i7UriHxIfYq48GjtzK6dq8c5LXFlSrEg1A8XOf9KE9ccrBDcKC9GggF7/1yH etc. ExPciPvCq1XjCdCbj2HGzsn+ZpmOlM+zW6nOnTCpcCJw/nreHHD53aA6kcBshsf1 GNDorHI8gTestduMmz7oya2nstEmAaiH3CI/9J2Un1JTmF46Y14dt7VFWQARAQAB tDNOYWRpbSBLb2JlaXNzaSAoVGVzdCBrZXkgZm9yIGNsYXNzLikgPG5rNzZAbnl1 LmVkdT6JAj4EEwECACgFAluiMDMCGwMFCQHhM4AGCwkIBwMCBhUIAgkKCwQWAgMB Ah4BAheAAAoJEHFqprgyYrCXt4sP+QFlPztNTyFZIycnahTfeRSYipkcq9ND20sz Public keys are uploaded to “key servers.” ● NiHNu53uTkGDt6fPUydyuMkm6M2xCqHy63VNmXtwThYoQpCpvwV2yZ6bULn7dCjh usBmJuBl2aQVjFE8ZyXFi5V1mmkoiRqAOWrdvgy3ACqk3WSapeFWAZlYEJgVFWSY Jk3nt2Twz3OJb4+LsKo6J9/kWCqp/7nRRJ8/iIsOTEvBjrwBL98acFbuxGrers6+ MGNdpLdkj4uDDgmsr+/Z30fgtk6cTIWevUKzOyJNB4Dkzhyy8QvVxRjCR2FGsLtU Other party must then fetch this key (some ● qXoFTqoK6wBwedROAwBRRwmVO3t07jogDu+RiXCMM4IROhzZhL9MPPbkESmg0CLY USFXYh5d1/BN2SWj3Z3ExFGtf6YS0MhKDk0FEGcqfDuQoJ99ffiM/o6mpoXSCJdS Hc7yGnt4FfYk+yCwdg3F7tjxt0GT6aDtl4d40hNeJQJtKEFJB06IQPmmLCKYkXdB 5j/Ii0VwW6olq/UNiWpAy6IPZ3MMjobz0f9GsIpyXCD3UMJ5nrYm5rhn530eAEMh mail clients do this automatically.) ZkjyTd1izTBRtFNLsNL6Fwet55afa0X7Zv8wcIK0GDMue1ANxfzSRdtUvIyz3h3j cQLl03yDOB8xtc5Q3PnS5D5jHgWB1Nt8AesazOp0pEKVl0t2r9G0tx7iWz4AA+v8 uJsoK81GuQINBFuiMDMBEACpZHp4cMT7nBaAZAjJDlXOFSRZuGkAf5UIAKxZMQC/ Ym3Z6yB6/uDW0tuaKeaeUKbFKPmFAHUAKIAMQG0WenvxH4Ftyuc7psiJQevQyouR KUDb/WqRHsYMFm5cCaBmBe2zSKAOMLRRSAJp8Yxa3eQZ6XvDmBRoegFKC7g/AA0t hZ5/rxgLUQaCYhz9qaz87luYuKos6+EPDpku21HX7nfMcYwZ+jfsgcnVrtxu+s7t bSHd2unrfTS1jwTVCuBdFSYNrUMv4EUWxUFEhJw+yId74aeB/ENTyAJn6B+6hlU5 KbO4aRlcngDsgxC9fRqsiW+FtLK4TsO6KomgBwt1WjhqQiTPxpXIMcbssshwYjk3 9lej9j35o2b2dES2mg2yndrRJNyvj7hDYz5p/xJOu4cEy33jNk9CigzkiWm1Kfv4 50W6fq8ZOVhf44UjZ5H0oSwzrriMvPyzaUxjIoluQNErir0nwv3r4v41nfI81A+L RMAszMLEVta2g7dy1zYxdUT5ZcMxpA8R/k+B9J6QZd7cu4s9k7FIPynU5JFfHyah JBnDNYt9T1UoyQujyXPjITZqEaYpG4Q6vW0oLdDSRfT27gWWyI3hf4eXFVe96Ekh +XdNPw55usULy8+2U3hLbIT2yMyQvAYJshHUMX2Mla1VAnNqmCFGX1OwA5eqXhdT ewARAQABiQIlBBgBAgAPBQJbojAzAhsMBQkB4TOAAAoJEHFqprgyYrCXU/AQAJJD 0XRXLIVOd6TRIgrhi+8TEfzWK71KKfXDtzaWsCqBueHdX/q6dq9skieunPufNspQ dhMGzlaJiuI50oC9OC3fy9wT08G1Gt2L2lKbCrmsQ6yOSpWNW3g7Gn1jiJSmf/Z4 S1ENgnRi2zsU4BVyLWkeosyzquBEeGrg3uKhI2FxOSSEVQJROMXQbRiRKHGCButx GvvUWBumgbt50gkLo5yXXXhJUILiRJdVVCBTcU40E8pT7wSa2decBpj94LTu5Exv B3TXXAycHgUxUcNyvzNAYc5GpaE5ldxVkapgFM8uTta299uUbPzSLvt5AMAB7KQ8 Z7u02WeyfmstUiOpPM5/06Nof95dXijNnUK4nIbRhcRZyjqW8uM7MeLhgJzUAx8D Qxd1ZRx/XLktAvHSKHA+eziVrlcHYiFPJtR6hE/rZsxy43adsKMdunhl2IjI9Ofk YoDfPb5TEQHO6mXVtFE4WkX0YkOn2LVe340jDN60i4pcvKIznOrKaxX2p+jnBOJc 8rEQK9US4r+noiP4JFSqgTYf4PmC9sAUpYzu4STz+luknaWxTZvp7yo6izfb3jq0 mg7OHqf6uZbL+5cy2hSCV/hJrxAR8iA9OQYUvtk8dA69XWlgJvOu9MsFRmbNUwSb 95AgRCY+hQWlDItVDdcsksEtk3w3sKvDKzLP27o8 12 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi =ndd4 -----END PGP PUBLIC KEY BLOCK-----

  13. PGP Step 3: verify public key authenticity. To prevent man-in-the-middle attacks, Alice ● and Bob must verify a “key fingerprint,” which is essentially a hash of the public key. This is done out of band, sometimes even at ● “key parties” (the saddest kind of party.) New efforts: Autocrypt. ● Automates key exchange (as we will see in ○ secure messaging apps like WhatsApp.) Does not yet support out-of-band auth. ○ 13 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  14. PGP Step 4: set up a PGP-enabled mail client. Mozilla Thunderbird (desktop application.) ● Mailvelope (Gmail browser plugin.) ● K-9 Mail (Android phones.) ● Step 5: install PGP plugin. ● Step 6: import public keys. ● Step 7: send email. ● 14 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  15. Test your knowledge! Does PGP provide message integrity ? ☐ A : Yes. ☐ B : No. 15 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  16. Test your knowledge! Does PGP provide message integrity ? 🗺 A : Yes. ☐ B : No. 16 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  17. Test your knowledge! Does PGP provide forward secrecy ? ☐ A : Yes. ☐ B : No. 17 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  18. Test your knowledge! Does PGP provide forward secrecy ? ☐ A : Yes. 🗺 B : No. 18 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  19. Test your knowledge! Does PGP provide ease of use ? ☐ A : No. ☐ B : No. 19 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  20. Test your knowledge! Does PGP provide ease of use ? 🗺 A : No. 🗺 B : No. 20 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  21. 1.5b From PGP to Usable Systems 21 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  22. Reasons not to use PGP. Very high likelihood of user error. ● Sending or forwarding a single plaintext ● email: leak entire thread. Downgrade attacks. ● Lack of obfuscation or traffic masking. ● No forward secrecy. ● Conflating authentication with non- ● repudiation. Complexity. ● Targeted attacks. ● 22 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  23. Usability patterns exist. Passphrases instead of random bytes. ● Two-factor, hardware-based authentication. ● Security by default. ● “Failing closed” instead of “failing open.” ● Upgrading user security with minimal ● changes to user behavior. 23 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  24. Examples of usable security systems. Touch ID, Face ID. ● Apple Pay, Android Pay, Samsung Pay. ● YubiKey and two-factor authentication. ● HTTPS and TLS. ● Let’s Encrypt. ● Secure messaging. ● ATMs and more. ● 24 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  25. What do these systems have in common? Fail closed, not open. ● Minimal memorization of user secrets. ● High availability. ● Resilience to user error. ● 25 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer

Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer

Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer Security is the protection of computing systems and the data that they store or access 3 Why is Computer Security Important? Computer Security allows

690 views • 19 slides
Introduction to Computer Security Why do we need computer security? What are our goals and

Introduction to Computer Security Why do we need computer security? What are our goals and

Introduction to Computer Security Why do we need computer security? What are our goals and what threatens them? Lecture 1 Page 1 CS 236 Online Why Is Security Necessary? Because people arent always nice Because a lot of

415 views • 25 slides
Introduction Attacks Security Goals Fall 2010 CS 334 Computer Security 1 What is Computer

Introduction Attacks Security Goals Fall 2010 CS 334 Computer Security 1 What is Computer

Introduction Attacks Security Goals Fall 2010 CS 334 Computer Security 1 What is Computer Security? Generally concerned with protection of computer related assets Risk analysis and management! Manage could mean prevention of

537 views • 26 slides
Outline The web from a security perspective CSci 5271 Introduction to Computer Security SQL

Outline The web from a security perspective CSci 5271 Introduction to Computer Security SQL

Outline The web from a security perspective CSci 5271 Introduction to Computer Security SQL injection Web security, part 1 Announcements intermission Stephen McCamant University of Minnesota, Computer Science & Engineering Web

522 views • 5 slides
Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements intermission Day 24: Usability and security Stephen McCamant Usable security example areas University of Minnesota, Computer Science & Engineering

219 views • 5 slides
Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements intermission Day 25: Usability and security Stephen McCamant Usable security example areas University of Minnesota, Computer Science & Engineering

419 views • 4 slides
Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn Black J CSCI 6268/TLEN 5831, Fall 2004 Introduction UC Davis PhD in 2000 Cryptography Interested in broader security as well

492 views • 12 slides
CSCI 8260 Spring 2016 Computer and Networks Security INTRODUCTION 1 Research in Computer

CSCI 8260 Spring 2016 Computer and Networks Security INTRODUCTION 1 Research in Computer

CSCI 8260 Spring 2016 Computer and Networks Security INTRODUCTION 1 Research in Computer Security Studies in what ways security mechanisms may fail Can we gain access to a computer system without authorizaDon? Can we compromise

986 views • 84 slides
Outline CSci 5271 Big-Picture Introduction Introduction to Computer Security Day 1:

Outline CSci 5271 Big-Picture Introduction Introduction to Computer Security Day 1:

Outline CSci 5271 Big-Picture Introduction Introduction to Computer Security Day 1: Introduction and Logistics Course Logistics Stephen McCamant University of Minnesota, Computer Science & Engineering What is computer security? Two

362 views • 7 slides
Outline Brief introduction to networking CSci 5271 Introduction to Computer Security

Outline Brief introduction to networking CSci 5271 Introduction to Computer Security

Outline Brief introduction to networking CSci 5271 Introduction to Computer Security Announcements intermission Day 13: Network, etc., security overview Some classic network attacks Stephen McCamant University of Minnesota, Computer Science

504 views • 5 slides
Introduction to Computer Security Formal Security Models Pavel Laskov Wilhelm Schickard

Introduction to Computer Security Formal Security Models Pavel Laskov Wilhelm Schickard

Introduction to Computer Security Formal Security Models Pavel Laskov Wilhelm Schickard Institute for Computer Science Security instruments learned so far Symmetric and asymmetric cryptography confidentiality, integrity, non-repudiation

319 views • 29 slides
Outline Security risk and management Some terminology CSci 5271 Introduction to Computer

Outline Security risk and management Some terminology CSci 5271 Introduction to Computer

Outline Security risk and management Some terminology CSci 5271 Introduction to Computer Security Logistics intermission Day 2: Intro to Software and OS Security Example security failures Stephen McCamant University of Minnesota, Computer

608 views • 8 slides
Outline Security risk and management Some terminology CSci 5271 Introduction to Computer

Outline Security risk and management Some terminology CSci 5271 Introduction to Computer

Outline Security risk and management Some terminology CSci 5271 Introduction to Computer Security Logistics intermission Day 2: Intro to Software and OS Security Example security failures Stephen McCamant University of Minnesota, Computer

395 views • 7 slides
INTRODUCTION COMPUTER & NETWORK SECURITY CMSC 414 JAN 25 2018 TODAY What is

INTRODUCTION COMPUTER & NETWORK SECURITY CMSC 414 JAN 25 2018 TODAY What is

INTRODUCTION COMPUTER & NETWORK SECURITY CMSC 414 JAN 25 2018 TODAY What is security? Why is it so hard to achieve? Administrative The security mindset Analyzing a systems security 1. Summarize the system 2.

801 views • 43 slides
INTRODUCTION cf. Schneider, Chapter 1 INTRODUCTION THEY ARE OUT TO GET YOU INTRODUCTION WHAT

INTRODUCTION cf. Schneider, Chapter 1 INTRODUCTION THEY ARE OUT TO GET YOU INTRODUCTION WHAT

ADVANCED COMPUTER SECURITY INTRODUCTION cf. Schneider, Chapter 1 INTRODUCTION THEY ARE OUT TO GET YOU INTRODUCTION WHAT IS SECURITY? A systems security policies describe What the system is supposed to do Store and provide access

479 views • 16 slides
Introduction to Computing Principles

Introduction to Computing Principles

Introduction to Computing Principles Computer Safe Computer Security Attacks Practices What is Computer Security? Computer Security, also known as cybersecurity or IT

974 views • 63 slides
Hardening PGP using GnuPG and Yubikey hybrid multifactor authentication and cryptography John

Hardening PGP using GnuPG and Yubikey hybrid multifactor authentication and cryptography John

Hardening PGP using GnuPG and Yubikey hybrid multifactor authentication and cryptography John Roman Linux System Administrator RAND Corporation SCALE 2017 Roman, John PGP PGP 101 public/private keyrings Roman, John PGP PGP 101

690 views • 42 slides
Experiment Talks (RIXS/XES) A new x-ray emission spectrometer is available at the CLSS beamline

Experiment Talks (RIXS/XES) A new x-ray emission spectrometer is available at the CLSS beamline

Experiment Talks (RIXS/XES) A new x-ray emission spectrometer is available at the CLSS beamline of ALBA Laura Simonelli CLSS beamline responsible Dominique Heinis Wojciech Olszewski Carlo Marini Laura Simonelli Nitya Ramanan Laura

703 views • 17 slides
Combinatorics and topology of toric arrangements II. Topology of arrangements in the complex torus

Combinatorics and topology of toric arrangements II. Topology of arrangements in the complex torus

Combinatorics and topology of toric arrangements II. Topology of arrangements in the complex torus (An invitation to combinatorial algebraic topology) Emanuele Delucchi (SNSF / Universit e de Fribourg) Toblach/Dobbiaco February 23, 2017

543 views • 42 slides
rr tt ts r

rr tt ts r

r str rs tt strts stt rr

511 views • 49 slides
Applied Cryptography (Pt. 2) Engineering Secure Software Last Revised: October 16, 2020

Applied Cryptography (Pt. 2) Engineering Secure Software Last Revised: October 16, 2020

Applied Cryptography (Pt. 2) Engineering Secure Software Last Revised: October 16, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Recap Symmetric keys Benefit: fastest, mathematically the strongest Drawback:

425 views • 23 slides
Universality of group embeddability Filippo Calderoni University of Turin Polytechnic di Turin

Universality of group embeddability Filippo Calderoni University of Turin Polytechnic di Turin

Universality of group embeddability Filippo Calderoni University of Turin Polytechnic di Turin 27th July 2016 1/22 Borel reducibility In the framework of Borel reducibility, relations are defined over Polish or standard Borel spaces.

467 views • 44 slides
Secure Messaging Some slides adapted from Dr. Raluca Ada Popa at UC Berkeley End to End

Secure Messaging Some slides adapted from Dr. Raluca Ada Popa at UC Berkeley End to End

Secure Messaging Some slides adapted from Dr. Raluca Ada Popa at UC Berkeley End to End Encryption Only the two parties communicating can decrypt messages Forward Secrecy Key compromise doesnt compromise past session keys

424 views • 23 slides
Launchpad GPG & SSH Key Basics Class on making and importing your own GPG & SSH Key(s)

Launchpad GPG & SSH Key Basics Class on making and importing your own GPG & SSH Key(s)

Launchpad GPG & SSH Key Basics Class on making and importing your own GPG & SSH Key(s) into Launchpad Making your GPG Key Ok the things you'll need for this process. 1) Email Client such as Thunderbird. 2) A GPG/PGP Key Plugin for

449 views • 6 slides

More recommend