27 noticing how they might shoplift. They can't use a computer |
27 noticing how they might shoplift. They can't use a computer |
28 without wondering about the security vulnerabilities. They |
28 without wondering about the security vulnerabilities. They |
29 can't vote without trying to figure out how to vote twice. |
29 can't vote without trying to figure out how to vote twice. |
30 They just can't help it.'' |
30 They just can't help it.'' |
31 \end{quote} |
31 \end{quote} |
|
32 |
|
33 \noindent |
|
34 and |
32 |
35 |
33 \begin{quote} |
36 \begin{quote} |
34 \it ``Security engineering\ldots requires you to think |
37 \it ``Security engineering\ldots requires you to think |
35 differently. You need to figure out not how something works, |
38 differently. You need to figure out not how something works, |
36 but how something can be made to not work. You have to imagine |
39 but how something can be made to not work. You have to imagine |
43 \end{quote} |
46 \end{quote} |
44 |
47 |
45 \noindent In this module I like to teach you this security |
48 \noindent In this module I like to teach you this security |
46 mindset. This might be a mindset that you think is very |
49 mindset. This might be a mindset that you think is very |
47 foreign to you---after all we are all good citizens and not |
50 foreign to you---after all we are all good citizens and not |
48 hack into things. I beg to differ: You have this mindset |
51 hack into things. However, I beg to differ: You have this |
49 already when in school you were thinking, at least |
52 mindset already when in school you were thinking, at least |
50 hypothetically, about ways in which you can cheat in an exam |
53 hypothetically, about ways in which you can cheat in an exam |
51 (whether it is by hiding notes or by looking over the |
54 (whether it is by hiding notes or by looking over the |
52 shoulders of your fellow pupils). Right? To defend a system, |
55 shoulders of your fellow pupils). Right? To defend a system, |
53 you need to have this kind of mindset and be able to think like |
56 you need to have this kind of mindset and be able to think |
54 an attacker. This will include understanding techniques that |
57 like an attacker. This will include understanding techniques |
55 can be used to compromise security and privacy in systems. |
58 that can be used to compromise security and privacy in |
56 This will many times result in insights where well-intended |
59 systems. This will many times result in insights where |
57 security mechanisms made a system actually less |
60 well-intended security mechanisms made a system actually less |
58 secure.\medskip |
61 secure.\medskip |
59 |
62 |
60 \noindent |
63 \noindent |
61 {\Large\bf Warning!} However, don’t be evil! Using those |
64 {\Large\bf Warning!} However, don’t be evil! Using those |
62 techniques in the real world may violate the law or King’s |
65 techniques in the real world may violate the law or King’s |
160 like Ross Anderson's group was so important, because they and |
163 like Ross Anderson's group was so important, because they and |
161 others established that the banks' claim that their system is |
164 others established that the banks' claim that their system is |
162 secure and it must have been the customer's fault, was bogus. |
165 secure and it must have been the customer's fault, was bogus. |
163 In 2009 the law changed and the burden of proof went back to |
166 In 2009 the law changed and the burden of proof went back to |
164 the banks. They need to prove whether it was really the |
167 the banks. They need to prove whether it was really the |
165 customer who used a card or not. |
168 customer who used a card or not. The current state of affairs, |
|
169 however, is that standing up for your right requires you |
|
170 to be knowledgeable\ldots{}if not, the banks are happy to |
|
171 take advantage of you. |
166 |
172 |
167 This is a classic example where a security design principle |
173 This is a classic example where a security design principle |
168 was violated: Namely, the one who is in the position to |
174 was violated: Namely, the one who is in the position to |
169 improve security, also needs to bear the financial losses if |
175 improve security, also needs to bear the financial losses if |
170 things go wrong. Otherwise, you end up with an insecure |
176 things go wrong. Otherwise, you end up with an insecure |
223 the GET request is generated\ldots in this case it is just a |
229 the GET request is generated\ldots in this case it is just a |
224 simple string. This program is run on the server and will be |
230 simple string. This program is run on the server and will be |
225 executed whenever a browser initiates such a GET request. You |
231 executed whenever a browser initiates such a GET request. You |
226 can run this program on your computer and then direct a |
232 can run this program on your computer and then direct a |
227 browser to the address \pcode{localhost:8000} in order to |
233 browser to the address \pcode{localhost:8000} in order to |
228 simulate a request over the internet. |
234 simulate a request over the internet. You are encouraged |
|
235 to try this out\ldots{}theory is always good, but practice is |
|
236 better. |
229 |
237 |
230 |
238 |
231 For our web-application of interest is the feature that the |
239 For our web-application of interest is the feature that the |
232 server when answering the request can store some information |
240 server when answering the request can store some information |
233 on the client's side. This information is called a |
241 on the client's side. This information is called a |
300 (i.e.~practically impossible) to calculate the input from |
308 (i.e.~practically impossible) to calculate the input from |
301 knowing the output. This is often called \emph{preimage |
309 knowing the output. This is often called \emph{preimage |
302 resistance}. Cryptographic hash functions also ensure that |
310 resistance}. Cryptographic hash functions also ensure that |
303 given a message and a hash, it is computationally infeasible to |
311 given a message and a hash, it is computationally infeasible to |
304 find another message with the same hash. This is called |
312 find another message with the same hash. This is called |
305 \emph{collusion resistance}. Because of these properties hash |
313 \emph{collusion resistance}. Because of these properties, hash |
306 functions are often called \emph{one-way functions}: you |
314 functions are often called \emph{one-way functions}: you |
307 cannot go back from the output to the input (without some |
315 cannot go back from the output to the input (without some |
308 tricks, see below). |
316 tricks, see below). |
309 |
317 |
310 |
318 There are several such hashing function. For example SHA-1 |
311 |
319 would hash the string \pcode{"hello world"} to produce the |
312 |
320 hash-value |
313 |
|
314 There are several such |
|
315 hashing function. For example SHA-1 would hash the string |
|
316 \pcode{"hello world"} to produce the hash-value |
|
317 |
321 |
318 \begin{center} |
322 \begin{center} |
319 \pcode{2aae6c35c94fcfb415dbe95f408b9ce91ee846ed} |
323 \pcode{2aae6c35c94fcfb415dbe95f408b9ce91ee846ed} |
320 \end{center} |
324 \end{center} |
321 |
325 |
340 |
344 |
341 \begin{center} |
345 \begin{center} |
342 \pcode{1-356a192b7913b04c54574d18c28d46e6395428ab} |
346 \pcode{1-356a192b7913b04c54574d18c28d46e6395428ab} |
343 \end{center} |
347 \end{center} |
344 |
348 |
345 \noindent If we now read back the |
349 \noindent If we now read back the cookie when the client |
346 cookie when the client visits our webpage, we can extract the |
350 visits our webpage, we can extract the counter, hash it again |
347 counter, hash it again and compare the result to the stored |
351 and compare the result to the stored hash value inside the |
348 hash value inside the cookie. If these hashes disagree, then |
352 cookie. If these hashes disagree, then we can deduce that the |
349 we can deduce that the cookie has been tampered with. |
353 cookie has been tampered with. Unfortunately, if they agree, |
350 Unfortunately, if they agree, we can still not be entirely |
354 we can still not be entirely sure that not a clever hacker has |
351 sure that not a clever hacker has tampered with the cookie. |
355 tampered with the cookie. The reason is that the hacker can |
352 The reason is that the hacker can see the clear text part of |
356 see the clear text part of the cookie, say \pcode{3}, and also |
353 the cookie, say \pcode{3}, and also its hash. It does not take |
357 its hash. It does not take much trial and error to find out |
354 much trial and error to find out that we used the SHA-1 |
358 that we used the SHA-1 hashing function and then the hacker |
355 hashing function and then the hacker can graft a cookie |
359 can graft a cookie accordingly. This is eased by the fact that |
356 accordingly. This is eased by the fact that for SHA-1 many |
360 for SHA-1 many strings and corresponding hash-values are |
357 strings and corresponding hash-values are precalculated. Type, |
361 precalculated. Type, for example, into Google the hash value |
358 for example, into Google the hash value for \pcode{"hello |
362 for \pcode{"hello world"} and you will actually pretty quickly |
359 world"} and you will actually pretty quickly find that it was |
363 find that it was generated by input string \pcode{"hello |
360 generated by input string \pcode{"hello world"}. Similarly for |
364 world"}. Similarly for the hash-value for \pcode{1}. This |
361 the hash-value for \pcode{1}. This defeats the purpose of a |
365 defeats the purpose of a hashing function and thus would not |
362 hashing function and thus would not help us with our |
366 help us with our web-applications and later also not with how |
363 web-applications and later also not with how to store |
367 to store passwords properly. |
364 passwords properly. |
|
365 |
368 |
366 |
369 |
367 There is one ingredient missing, which happens to be called |
370 There is one ingredient missing, which happens to be called |
368 \emph{salts}. Salts are random keys, which are added to the |
371 \emph{salts}. Salts are random keys, which are added to the |
369 counter before the hash is calculated. In our case we must |
372 counter before the hash is calculated. In our case we must |
404 beginning and lock it only when the data in the cookie states |
407 beginning and lock it only when the data in the cookie states |
405 that the allowed free number of visits are up. As said before, |
408 that the allowed free number of visits are up. As said before, |
406 this can be easily circumvented by just deleting the cookie or |
409 this can be easily circumvented by just deleting the cookie or |
407 by switching the browser. This would mean the New York Times |
410 by switching the browser. This would mean the New York Times |
408 will lose revenue whenever this kind of tampering occurs. The |
411 will lose revenue whenever this kind of tampering occurs. The |
409 quick fix to require that a cookie must always be present does |
412 `quick fix' to require that a cookie must always be present |
410 not work, because then this newspaper will cut off any new |
413 does not work, because then this newspaper will cut off any |
411 readers, or anyone who gets a new computer. In contrast, our |
414 new readers, or anyone who gets a new computer. In contrast, |
412 web-application has the resource (discount) locked at the |
415 our web-application has the resource (discount) locked at the |
413 beginning and only unlocks it if the cookie data says so. If |
416 beginning and only unlocks it if the cookie data says so. If |
414 the cookie is deleted, well then the resource just does not |
417 the cookie is deleted, well then the resource just does not |
415 get unlocked. No major harm will result to us. You can see: |
418 get unlocked. No major harm will result to us. You can see: |
416 the same security mechanism behaves rather differently |
419 the same security mechanism behaves rather differently |
417 depending on whether the ``resource'' needs to be locked or |
420 depending on whether the ``resource'' needs to be locked or |