Créer une présentation
Télécharger la présentation

Télécharger la présentation
## Modeling Security Threats to Cryptographically Protected Data

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -

**Modeling Security Threats to Cryptographically Protected**Data Alexandra A. Savelieva Supervisor: Prof. Sergey M. Avdoshin State University –Higher Sсhool of Economics, RussiaSoftware Engineering Department**Old Chinese Curse**寧為太平犬，不做亂世人* *May you live in interesting times Higher School of Economics - 2009**Data Protection and Financial Chaos**• Human factor • Malicious insiders • Fired employees • Hardware loss • Laptop theft • Storage theft • And this means good crypto! CIO challenge: how to select an appropriate information security strategy within budget limitations and growing risks of unauthorized access to information assets? Higher School of Economics - 2009**Agenda**1. Analysis of relevant approaches 2. Problem statement 3. Solution 4. Conclusions Higher School of Economics - 2009**Evaluation Methods**• Cryptographic Security Analysis • Mathematical model designed by V.P. Ivanov • Formalized security risk analysis and management methodologies • Various tools for cryptographic protocols analysis Higher School of Economics - 2009**Evaluation Methods**• CryptographicSecurityAnalysis • Mathematical model designed by V.P. Ivanov • Formalized security risk analysis and management methodologies • Various tools for cryptographic protocols analysis Higher School of Economics - 2009**Cryptographic Security Analysis**• «… it becomes increasingly clear that the term "security" doesn't have meaning unless also you know things like "Secure from whom?" or "Secure for how long?“» Higher School of Economics - 2009**Evaluation Methods**• Cryptographic Security Analysis • Mathematical model designed by V.P. Ivanov • Formalized security risk analysis and management methodologies • Various tools for cryptographic protocols analysis Higher School of Economics - 2009**Mathematical model designed by V.P. Ivanov**• The problem of breaking a cipher is reduced to engineering analysis of the program implementing the encryption mechanism • This allows the time to be measured by means of Halstead complexity metrics • Average timeT for analyzing of the enciphering mechanism implementation: T = 3N3 , whereNisprogram length (bytes) Higher School of Economics - 2009**Mathematical model designed by V.P. Ivanov**• Drawbacks: • The technique can only apply to the so-called restricted-use cryptographic systems whose security depends on keeping both the encryption and decryption algorithms secret (contradicts Kerckhoffs’s fundamental principle) • The context of a cryptosystemusage is not taken into account Higher School of Economics - 2009**Evaluation Methods**• Cryptographic Security Analysis • Mathematical model designed by V.P. Ivanov • Formalized security risk analysis and management methodologies • British CRAMM (by Insight Consulting, Siemens) • American RiskWatch (by RiskWatch) • RussianGRIF (by Digital Security) • Various tools for cryptographic protocols analysis Higher School of Economics - 2009**Formalized security risk analysis: CRAMM**• A comprehensive risk assessment method with the ability to carry out various functions including: • Pre-defined risk assessments coveringgeneric information systems • BS7799: 2005 Compliance • Production of Security Documentation • Investigation against Standards • Drawbacks: • peculiarities of cryptographic systems are not taken into account! Higher School of Economics - 2009**Evaluation Methods**• Cryptographic Security Analysis • Mathematical model designed by V.P. Ivanov • Formalized security risk analysis and management methodologies • Various tools for cryptographic protocols analysis Higher School of Economics - 2009**Tools for cryptographic protocols analysis**• Main classes: • Deductive methods • Static analysis methods • State exploration methods • Drawbacks: • the supposition that cryptographic algorithms satisfy perfect encryption assumptions, so the strength of ciphers remains out of scope Higher School of Economics - 2009**Comparative analysis**Higher School of Economics - 2009**In our paper, we aim to…**• formulate the steps of cryptographic systems evaluation process; • develop a mathematical model of security threats; • design software tools to facilitate the process of cryptosystem efficiency assessment by a computer security specialist; • select appropriate economic indicators as a basis to build an economic rationale for investments to cryptographic systems and to provide sound arguments for implementing an information security strategy Higher School of Economics - 2009**Cryptosystem security assessment process**Make conclusions regarding conformity of the system to the organization needs Step 5 Evaluate the cryptosystem’s resistance to the attacks Step 4 Determine the attacks that the cryptosystem is exposed to Step 3 Define the potential attackers Step 2 Define the cryptosystem Step 1 Higher School of Economics - 2009**Code-Breaker**uses Attack to break Cryptosystem ABC-Model of Security Threats • “A”forAttack • “B”forcode-Breaker • “C”forCryptosystem Higher School of Economics - 2009**Cryptosystem security assessment process**Make conclusions regarding conformity of the system to the organization needs Step 5 Evaluate the cryptosystem’s resistance to the attacks Step 4 Determine the attacks that the cryptosystem is exposed to Step 3 Define the potential attackers Step 2 Define the cryptosystem Step 1 Higher School of Economics - 2009**Classification of cryptosystems**• Ueli Maurer's idea is to distinguish cryptosystems by the number of keys used for data processing • unkeyed • single-keyed • double-keyed • Gilles Brassard's scheme [4] has to do with the secrecy of algorithm • Restricted-use • General Higher School of Economics - 2009**Classification of cryptosystems**• By secrecy of the algorithm • Restricted ▪ General • By the number of keys • Unkeyed ▪ Single-keyed ▪ Double-keyed ▪ Multiple-keyed • By breakability • Theoretically unbreakable • Provably unbreakable • Supposedly unbreakable • By the type of key storage • Smart-card ▪ e-token ▪ Windows register ▪ File system • By the means of implementation • Software ▪ Hardware ▪ Software and hardware • By certification • Certified ▪ Uncertified Higher School of Economics - 2009**Classification of codebreakers**• Bruce Schneier suggests using motivation as a key parameter to identifying an adversary; this results in the following classification scheme: • opportunists: • emotional attackers • friends and relatives • industrial competitors • the press • lawful governments • the police • national intelligence organizations Higher School of Economics - 2009**Classification of codebreakers**• By equipment • PC • Network • Supercomputer • By expertise • PC user • Mathematician • Software developer • Physicist/electrical engineer • Psychologist aware of social engineering techniques • By initial knowledge on the cryptosystem • User of the cryptosystem • Designer of the cryptosystem • By final objective • Discovering a vulnerability • Total break • By access • Insider • Outsider • By manpower • Individual • Team Higher School of Economics - 2009**Classification of Attacks**• The fundamental classification of attacks by access to plaintext and ciphertext introduced by Kerckhoffs is no longer complete since it does not include a new powerful cryptanalysis technique called Side-Channel attacks • Modern schemes for computer system attack classification • Landwehr C.E., Bull A.R. A taxonomy of computer program security flaws, with examples // ACM Computing Surveys, 26(3): p. 211–254, September 1994. • Lindqvist U., Jonsson E. How to systematically classify computer security intrusions. // IEEE Symposium on Security and Privacy, p. 154–163, Los Alamitos, CA, 1997. • Paulauskas N., Garsva E. Computer System Attack Classification // Electronics and Electrical Engineering 2006. nr. 2(66) • Weber D. J. A taxonomy of computer intrusions. Master’s thesis, Department of Electrical Engineering and Computer Science, Massachusetts Institute of Technology, June 1998. Are not suitable for cryptoattacks identification! Higher School of Economics - 2009**Classification of Attacks (1/2)**• By access to plaintext and ciphertext • Ciphertext-only • Known-plaintext • Chosen-plaintext • Adaptive-chosen-plaintext • Side-channel • By control over the enciphering/deciphering process • Passive • Active • By the outcome • Total break • Global deduction • Instance (local) deduction • Information deduction • Distinguishing algorithm • By the level of automation • Manual • Semi-automatic • Automatic Higher School of Economics - 2009**Classification of Attacks(2/2)**• By critical amount of resources • Memory • Time • Data • By applicability to various ciphers • Multi-purpose • For a certain type of ciphers • For a certain cipher • By tools and techniques • Mathematics • Special-purpose devices taking physical measurements during computations • Evolution programming techniques • Quantum computers • By consequences • Breach in confidentiality • Breach in integrity • Breach in accessibility • By parallelizing feasibility • Distributed • Non-distributed Higher School of Economics - 2009**Classification Schemes**• Classification of Сryptosystems • By secrecy of the algorithm • By the number of keys • By breakability • By the type of key storage • By the means of implementation • By certification • Classification of Attacks • By critical amount of resources • By applicability to various ciphers • By tools and techniques • By consequences • By parallelizing feasibility • By access to plaintext and ciphertext • By control over the enciphering/deciphering process • By the outcome • By the level of automation • Classification of Codebreakers • By equipment • By expertise • By initial knowledge on the cryptosystem • By final objective • By access • By manpower Higher School of Economics - 2009**Parametric models of Attacks, Code-Breakers and**Cryptosystems • Let be a set of parametric models of attacks, where represents a domain for the i - th parameter as per our taxonomy; • Let be a set of parametric models of codebreakers, where represents a domain for the j - th parameter as per our taxonomy; • Let be a set of parametric represents models of cryptosystems, where a domain for the j - th parameter as per our taxonomy; Higher School of Economics - 2009**Mathematical Model for Cryptosystem Efficiency Assessment**Risk Impact Probability Higher School of Economics - 2009**Mathematical Model for Cryptosystem Efficiency Assessment**Higher School of Economics - 2009**Efficiency Criterion**Satisfied when a cryptosystemthatconsists of subsystemsbeing exposed to codebreakerscan resist the attacks out of the set: where - admissible risk level Higher School of Economics - 2009**Cryptosystem security assessment process**Make conclusions regarding conformity of the system to the organization needs Step 5 Evaluate the cryptosystem’s resistance to the attacks Step 4 Determine the attacks that the cryptosystem is exposed to Step 3 Define the potential attackers Step 2 Define the cryptosystem Step 1 Higher School of Economics - 2009**Available tools for cryptanalysis**• C/C++ Multiprecision libraries • Mathematical packagesMaple andMathematica Higher School of Economics - 2009**Available tools for cryptanalysis**• Mathematical packagesMaple andMathematica • “+”: unlimited precision • “+”: easy-to-program algorithms • “-”: extremely low efficiency of number-theoretical computations Higher School of Economics - 2009**Available tools for cryptanalysis**• Cand C++ built-in types have limited precision • long – 32 bits • long long – 64 bits • double: 53 bits – mantissa, 11 bits – characteristic • long double:64 bits – mantissa, 15 bits – characteristic • Javahas multiprecision capabilities • Highlyportable • Not so efficient Higher School of Economics - 2009**Available tools for cryptanalysis**• Multiprecision mathematical libraries • «+»: high performance • «+»: wide range of solutions freely available(LIP, LiDIA, CLN, PARI, GMP, MpNT) Higher School of Economics - 2009**LIP (Large Integer Package)**• One of the first libraries for long integer computations • Written by ArjenK. Lenstraand later maintained by Paul Leyland • ANSI C • “+”: Highly portable • “-”: Not efficient Higher School of Economics - 2009**CLN (a Class Library for Numbers)**• Written by Bruno Haibleand currently maintained by Richard Kreckel • C++ library that implements elementary arithmetical, logical and transcendental functions • Rich set of classes • Integers • Rational numbers • Floating-point numbers • Complex numbers • Modular integers • Univariatepolynomials etc. • “-”: high universality =>low efficiency for number-theoretical problem solving Higher School of Economics - 2009**LiDIA**• Developed at the Technical University of Darmstadt (Thomas Papanikolau) • C++ library • Highly optimized implementations • Multiprecision data types • Time-intensive algorithms • Can use different integer packages (like Berkley MP, GMP, CLN, libI, LIP etc.) • «-»: not portable to Windows platform Higher School of Economics - 2009**GMP (GNU Multiple Precision arithmetic library)**• Developed by Torbjord Granlund and the GNU free software group • C library for arbitrary precision arithmetic • General emphasis on speed • Highly optimized ASM • for the most common inner loops • for a lot of CPUs • Faster than most multiprecision libraries • Its advantage increases with the operand sizesFaculty • «-»: not portable to Windows platform • «-»: lack of primitives to support integer factorization and DLP methods Higher School of Economics - 2009**NTL (a Library for doing Number Theory)**• Written and maintained mainlyby Victor Shoup • C++ library • High performance • Polynomial arithmetic • •Lattice reduction • Portable • outperforms other libraries in terms of big integer operations • «-»: lack of algorithms for index-calculus, sieve, factorization Higher School of Economics - 2009**Available tools for cryptanalysis**• C/C++ Multiprecision libraries • Mathematical packagesMaple andMathematica Higher School of Economics - 2009**CRYPTO high-level structure**Higher School of Economics - 2009**Implementation**Higher School of Economics - 2009**User Interface**Higher School of Economics - 2009**Certificates of Authorship**Higher School of Economics - 2009**Cryptosystem security assessment process**Make conclusions regarding conformity of the system to the organization needs Step 5 Evaluate the cryptosystem’s resistance to the attacks Step 4 Determine the attacks that the cryptosystem is exposed to Step 3 Define the potential attackers Step 2 Define the cryptosystem Step 1 Higher School of Economics - 2009**ROI, NPV, IRR Metrics Usage**** Source: CSI Computer Crime & SecuritySurvey 2008, http://www.gocsi.com/ Higher School of Economics - 2009**Key Financial Metrics Overview**Higher School of Economics - 2009**Discounted Cash Flow**• Net present value (NPV): the sum of the present values of all cash inflows minus the sum of the present values of all cash outflows. • The internal rate of return (IRR): • (1) the discount rate that equates the sum of the present values of all cash inflows to the sum of the present values of all cash outflows; • (2) the discount rate that sets the net present value equal to zero. • The internal rate of return measures the investment yield. • Profitability index (PI) Higher School of Economics - 2009