Security Architectures In ISEC 413 PDF
Document Details
Uploaded by DelicateRationality307
UAEU College of Information Technology
Raena Al
Summary
This document is an overview of security architectures in ISEC 413. It covers key concepts like security engineering, assurance requirements, and security protocols. The document focuses on building resilient systems capable of withstanding attacks and errors.
Full Transcript
10/21/24, 7:39 PM Summary | Raena AI

Security Architectures in ISEC 413: An Overview

This document outlines key concepts regarding security architectures as discussed in the ISEC 413 course, led by Dr. Ahmed Alfarsi. It emphasizes the importance of building resilient systems that can withstand both malicious actions and errors while detailing the necessary components for achieving robust security.

Security Engineering

Security engineering revolves around the development of resilient systems that are capable of withstanding attacks or errors. The primary goal is to ensure that informational systems are designed, implemented, and rigorously tested to meet security requirements. Key aspects of security engineering encompass:

- Cryptography: The practice of secure communication through the use of codes to protect information.
- Tamper resistant hardware: Physical devices designed to resist unauthorized modifications or access.
- Software Engineering: The use of engineering principles in the development of software applications to incorporate security measures effectively.
- Economics: Understanding the financial implications of security investments and the economic behavior of attackers.
- Applied Psychology: Examining human behavior to anticipate potential security threats and vulnerabilities.
- Law: Knowledge of legal frameworks governing information security and data protection.
- Artificial Intelligence: Utilizing AI technologies to enhance security measures and automate defensive strategies.
- Adversarial thinking: Engaging in practices such as chess, where strategic planning and foresight are vital, helping in the anticipation of attacks.

Assurance Requirements

Assurance in security engineering is critical, particularly in systems where failure can have dire consequences.
Specific domains that exemplify this principle include:

- Nuclear safety and control systems: Systems that manage critical infrastructure and must ensure high reliability and security to prevent catastrophic failures.
- Cash machines and online payment systems: Financial systems requiring integrity and confidentiality to protect users' financial information.
- Medical Records: Health information systems that must safeguard patient confidentiality and data integrity.
- Prepayment meters: Utility payment systems that demand security to prevent fraud and unauthorized access.
- Burglar and car alarms: Security systems designed to deter crime and protect property.

"Many systems fail because their designers protect the wrong things, or protect the right things but in the wrong way."

This quote encapsulates the essence of designing effective security systems, stressing the importance of appropriate risk management strategies.

Framework for Building Dependable Systems

To construct truly dependable systems, four critical elements must harmoniously align:

- Policy: Establishing what objectives the security system aims to achieve.
- Mechanism: Implementing tools such as ciphers, access controls, and hardware that support the established policy.
- Assurance: Evaluating the credibility of each security mechanism and understanding how well they work in tandem to achieve overall system security.
- Incentive: Recognizing the motivations of both system maintainers to act responsibly and attackers to compromise the system. This includes understanding the psychological and contextual factors that influence their actions.

https://app.raena.ai/summary/it1p6amgsx
Security Protocols in SECB 425

Architecture and Mechanism

In the domain of security systems, various protocols are implemented to ensure the safety and integrity of communications among people, companies, computers, and other hardware. Today, we will explore the fundamental aspects of security protocols, including real-world examples, challenge-response protocols, authentication strategies, and key management protocols.

Understanding Security Protocols

Security protocols are essential rules that dictate how communication occurs securely. These can be seen in everyday instances, such as ordering a drink at a restaurant. For example, when a sommelier presents a drink list to a host, and the host makes a selection, this establishes a communication protocol that ensures confidentiality of the drink's price from guests, integrity by preventing cheaper alternatives, and non-repudiation to ensure the host cannot falsely deny the order.

Challenge-Response Protocols

Challenge-response protocols are critical for ensuring two-way authentication between parties. This process employs a common password to encrypt challenges and responses, thus maintaining security during communication.

- Challenge Phase: A random number (N) is generated and sent as a challenge.
- Response Phase: The responding party encrypts their response (N+1) using the shared password, ensuring that sensitive information, such as the security password, is never explicitly transmitted.

Challenge-response mechanisms also appear in various applications, such as using remote controls to access gates or car doors. However, employing a serial number as a password introduces vulnerabilities that are addressed through advanced cryptographic authentication protocols.

Simple Authentication Example

Consider a scenario in a car parking system.
An access token in a car communicates with the parking garage:

- The vehicle sends its name alongside an encrypted message containing its identity (T) and a nonce (N).
- N serves to ensure the message's freshness, which may be a random number, serial number, or timestamp.
- The parking garage server verifies the message by using the corresponding key linked to the vehicle, checks the freshness of the nonce, and then allows access.

Challenge and Response Protocols

Challenge-response methods also manifest in critical systems, such as car engines. For instance:

- The engine control unit triggers a challenge by sending a random number to the vehicle's key.
- The key generates a response through encryption, allowing secure engine start operations.

This protocol can be classified as:

- Non-interactive: where the transponder directly engages with the engine controller.
- Interactive: requiring the engine controller to communicate back and forth with the transponder.

Potential Vulnerabilities

Despite robust protocols, vulnerabilities can emerge:

- In cheaper devices, the nonce may be either random or sequential without proper synchronization, leading to denial-of-service attacks.
- Weak cryptographic practices, as evidenced by Eli Biham's 2008 attack on the Keeloq cipher, further threaten security.

Two-Factor Authentication

Two-factor authentication adds an extra layer of security. This often includes the integration of multiple credentials, as seen in the communication flow between users and servers, ensuring that both unique identifiers (like PIN) and nonces are securely transmitted and authenticated.

Identify Friend or Foe (IFF)

In military contexts, Identify Friend or Foe (IFF) systems play a pivotal role:

- A fighter may issue a challenge to a suspected bomber, who must respond appropriately.
- Considerations for potential man-in-the-middle attacks arise, necessitating specific encrypted challenges that prevent tampering and misuse.

Issues in Previous Protocols

Historical errors, such as those observed in the 1993 IBM ATM systems, illustrate the pitfalls of offline operations and static PIN management. Lessons learned from these incidents emphasized the necessity for protocols that provide both fresh challenges and robust encryption.

Chip Authentication Program (CAP)

Developed in response to phishing threats, CAP allows secure transactions through unique EMV chip cards, incorporating varying levels of security depending on transaction complexity.

Key Management Protocols

In scenarios where multiple parties wish to communicate securely using shared keys, protocols must be established to manage these keys effectively:

- Alice, who shares a key with Bob via a trusted server (Sam), can request that Sam encrypt a new key for Bob.
- Upon receiving the encrypted key, both parties can communicate securely while ensuring the freshness of the keys and messages exchanged.

Notable Protocol Example: Needham-Schroeder and Kerberos

The Needham-Schroeder protocol successfully introduced the use of nonces to avoid replay attacks. Although revised, the later Kerberos protocol substituted timestamps for nonces to address synchronization issues. Implementations of Kerberos are widespread in modern security systems.

Formal Methods in Security Protocols

Errors in protocols often stem from incorrect key usage or failure to verify message freshness. Formal methods can facilitate the examination and verification of security protocols in practice, ensuring that they meet the required standards for secure communication.
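The parking-garage message and the challenge-response exchange described above, with the freshness check that the formal-methods paragraph names as a common source of errors, as an added Python example that is not part of the original notes. It assumes HMAC-SHA256 in place of the encryption the notes describe (the standard library has no block cipher), and the token name, key and class names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: the token name and key are assumptions for this example.
TOKEN_KEYS = {"T-1001": bytes.fromhex("00112233445566778899aabbccddeeff")}


def mac(key: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields so field boundaries are unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for field in fields:
        h.update(len(field).to_bytes(4, "big") + field)
    return h.digest()


class Token:
    """Car-side access token holding the key it shares with the garage."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.counter = name, key, 0

    def announce(self):
        """One-way message T, N, MAC_K(T, N); N is a strictly increasing counter."""
        self.counter += 1
        n = self.counter.to_bytes(8, "big")
        return self.name, n, mac(self.key, b"announce", self.name.encode(), n)

    def respond(self, challenge: bytes) -> bytes:
        """Prove knowledge of the key for this challenge without sending the key."""
        return mac(self.key, b"response", self.name.encode(), challenge)


class Garage:
    """Verifier: looks up the key by token name and enforces freshness."""

    def __init__(self, keys):
        self.keys = dict(keys)
        self.last_counter = {name: 0 for name in keys}
        self.pending = {}  # token name -> outstanding random challenge

    def verify_announce(self, name: str, n: bytes, tag: bytes) -> bool:
        key = self.keys.get(name)
        if key is None:
            return False
        expected = mac(key, b"announce", name.encode(), n)
        if not hmac.compare_digest(tag, expected):
            return False  # wrong key or modified fields
        counter = int.from_bytes(n, "big")
        # Accept any counter above the last one seen: a replay is rejected, and a
        # message lost out of range does not desynchronise the token.
        if counter <= self.last_counter[name]:
            return False
        self.last_counter[name] = counter
        return True

    def challenge(self, name: str) -> bytes:
        self.pending[name] = secrets.token_bytes(16)
        return self.pending[name]

    def verify_response(self, name: str, response: bytes) -> bool:
        key = self.keys.get(name)
        n = self.pending.pop(name, None)  # each challenge is usable once
        if key is None or n is None:
            return False
        return hmac.compare_digest(response, mac(key, b"response", name.encode(), n))


if __name__ == "__main__":
    garage = Garage(TOKEN_KEYS)
    token = Token("T-1001", TOKEN_KEYS["T-1001"])
    msg = token.announce()
    print("first use:", garage.verify_announce(*msg))
    print("replay:   ", garage.verify_announce(*msg))
    n = garage.challenge(token.name)
    print("response: ", garage.verify_response(token.name, token.respond(n)))
```

The `b"announce"` and `b"response"` labels keep a tag produced for one message type from being accepted as the other, which is one way to avoid the incorrect key usage mentioned above.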
In conclusion, mastering security protocols is essential for safeguarding communications in various fields, especially in the digital age where vulnerabilities can lead to significant consequences. Understanding and applying these protocols effectively, alongside constant vigilance for potential risks, remain critical components for a secure operational environment.

Comprehensive Overview of Access Control

Introduction to Access Control

Access control is a fundamental aspect of security engineering that intersects with computer science. It encompasses two primary components: authentication, which involves verifying a claim of identity, and authorization, which determines whether an identity has permission to perform specific actions. Another important concept is trust, which pertains to the reliability of entities within a system.

A significant challenge in computer security is preventing one program from interfering with another, highlighting the necessity of effective access control mechanisms. The main function of access control (AC) is to mitigate potential damage inflicted by specific users, groups, or programs, whether such actions arise from errors or malicious intent.

Controlling Access

Effective access control requires a structured policy that outlines:

- Who can access the system.
- Whom they can interact with.
- What actions they are allowed to perform.
- When these actions can take place.

Key Elements of Access Control

1. Subjects: These are the active entities seeking to perform actions, such as users and processes.
2. Objects: These are the passive entities being accessed or manipulated, like files, directories, and memory.
3. Access Rights: The specific permissions that define what actions a subject can perform on an object.
4. Time Restrictions: Constraints on when access rights are applicable.
Access Rights and Typical Manipulations

Access rights pertain to various operations that can be executed on objects, typically including:

- READ: View the content of an object.
- MODIFY: Change the content of an object.
- CREATE: Generate a new object.
- CHANGE: Alter the properties of an existing object.
- DELETE: Remove an object.

Types of Access Control

Access control mechanisms can be categorized into two main types:

1. Mandatory Access Control (MAC): In this system, a central authority determines access permissions based on predefined policies.
2. Discretionary Access Control (DAC): Here, the object owner has the autonomy to control access permissions, making it a decentralized approach.

Access Control and Objects

Common objects in an access control context include:

- Files
- Directories (or folders)
- Memory segments

Interestingly, an entity can sometimes serve as both a subject and an object, depending on the context of the operation being performed.

Access Control Mechanisms in a System

Access control occurs at multiple levels within a computing environment:

- Application Level: Restricts access based on application-specific policies.
- Middleware Level: Acts as a bridge between operating system services and application requests.
- Operating System Level: Authenticates users using methods like passwords or Kerberos and regulates their access to objects and resources.
- Hardware Level: Provides foundational support for implementing access controls.

Access Control Matrix (ACM)

The Access Control Matrix is a structured way to represent permissions:

- Each row corresponds to a subject (user/program).
- Each column corresponds to an object (file/resource).
- Each cell indicates the access rights of a subject over an object.

An example of an ACM may look like this:

This matrix helps implement protection mechanisms and serves as a policy model rather than a direct enforcement tool.
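A small access control matrix in code, as an added Python example that is not part of the original notes. It uses the five rights listed above, attaches an optional time restriction to each granted right, and shows an entity that is a subject in one cell and an object in another; the subject names, object names and time windows are constructed for illustration. Reading one column gives the list of who may touch an object, and reading one row gives everything a subject may do.

```python
from datetime import time

RIGHTS = {"READ", "MODIFY", "CREATE", "CHANGE", "DELETE"}  # operations listed above
ALWAYS = None  # marker for a right with no time restriction


class AccessControlMatrix:
    """Sparse matrix: rows are subjects, columns are objects, cells hold rights."""

    def __init__(self):
        # (subject, object) -> {right: ALWAYS or (start, end)}; no cell means no access.
        self._cells = {}

    def grant(self, subject, obj, right, window=ALWAYS):
        if right not in RIGHTS:
            raise ValueError(f"unknown right: {right}")
        self._cells.setdefault((subject, obj), {})[right] = window

    def check(self, subject, obj, right, at):
        """Default deny: allow only if the cell holds the right and 'at' is in its window."""
        cell = self._cells.get((subject, obj), {})
        if right not in cell:
            return False
        window = cell[right]
        if window is ALWAYS:
            return True
        start, end = window
        if start <= end:
            return start <= at < end
        return at >= start or at < end  # window that wraps past midnight

    def column(self, obj):
        """Column view: every subject with rights on one object."""
        return {s: sorted(r) for (s, o), r in self._cells.items() if o == obj}

    def row(self, subject):
        """Row view: every object one subject holds rights on."""
        return {o: sorted(r) for (s, o), r in self._cells.items() if s == subject}


def build_sample():
    """Constructed sample policy; all names and hours are assumptions."""
    m = AccessControlMatrix()
    m.grant("alice", "payroll.db", "READ")
    m.grant("alice", "payroll.db", "MODIFY", (time(9, 0), time(17, 0)))
    m.grant("backup_proc", "payroll.db", "READ", (time(23, 0), time(3, 0)))
    m.grant("bob", "audit.log", "READ")
    # backup_proc is a subject above and an object here (alice may stop it).
    m.grant("alice", "backup_proc", "DELETE")
    return m


if __name__ == "__main__":
    m = build_sample()
    print(m.check("alice", "payroll.db", "MODIFY", time(10, 30)))  # inside window
    print(m.check("alice", "payroll.db", "MODIFY", time(20, 0)))   # outside window
    print(m.column("payroll.db"))
    print(m.row("alice"))
```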
Groups and Roles in Access Control

When managing access in large organizations, roles and groups are essential for streamlining permissions:

1. Groups: Lists of users that share common access rights.
2. Roles: Defined sets of permissions that can be assigned to users based on their responsibilities.

Access Control Lists (ACLs) vs Capabilities

ACLs specify which users or groups have permissions to access particular resources. Capabilities are tickets that grant a user permission to interact with a resource, facilitating delegation of rights.

Role-Based Access Control (RBAC)

RBAC enables organizations to assign permissions based on user roles, which simplifies the management of access rights and aligns them with organizational structures.

Unix File Permissions

In Unix-based systems, permissions for files are defined using a triplet notation (rwx):

- r: Read
- w: Write
- x: Execute

For example, the notation drwxrwxrwx indicates a directory where the owner, group, and others have read, write, and execute permissions.

Special User Accounts

The superuser account (often referred to as root) has unrestricted access and control over the operating system, which raises concerns about audit trails and secure logging. To mitigate risks, such as unauthorized access or modifications, logs should be stored in separate locations or monitored rigorously.

Implementing Security Control Mechanisms

Reference Monitor

The reference monitor is a critical component of the security kernel, tasked with controlling access to objects. Key characteristics of an effective reference monitor include:

- Tamperproof: Should be isolated from user modifications.
- Always Invoked: Must be consistently engaged during access requests.
- Concise: Should be minimal to be easily verifiable.

Trusted Computing Base (TCB)

The Trusted Computing Base consists of the components within the operating system that enforce security policy. It comprises:

- Process activation and deactivation.
- Memory protection for confidentiality and integrity.
- I/O operations.

Multilevel Security (MLS)

Multilevel security is used extensively in military and intelligence contexts. The core concept is to facilitate the flow of information according to security clearances while preventing unauthorized disclosure.

Bell-LaPadula Model

The Bell-LaPadula model enforces MLS restrictions with two main principles:

1. No Read Up (Simple Security Property): A subject can access an object only if it has a security clearance at or above that of the object.
2. No Write Down (*-Property): A subject can write to an object only if it holds a security clearance at or below that of the object.

Variants and Extensions

Several models have arisen from the Bell-LaPadula framework:

- Biba Model: Focuses on data integrity, allowing information to flow downward from high integrity to low integrity.
- Role-Based Access Control (RBAC): Supports policy neutral implementations while maintaining security principles like least privilege and separation of duties.

Conclusion

Access control mechanisms are vital for ensuring security in computer systems. Understanding the various models, principles, and technologies of access control enables organizations to protect sensitive information and maintain integrity within their operational environments. Through the effective application of authentication, authorization, and access rights management, organizations can mitigate risks and safeguard their assets against unauthorized access and potential breaches.

Physical Tamper-Resistance

Introduction

The protection of computers and similar devices, particularly those holding sensitive information, is crucial.
While safeguarding such devices is often straightforward in controlled environments, there are various scenarios that complicate this, such as PayTV cards distributed to individuals, prepayment electricity meters installed in homes, and tachographs utilized in trucks, which may be tampered with by their operators. Moreover, the market offers portable tamper-resistant processors aimed at protecting themselves from unauthorized access and intrusion.

So, what does tamper resistance imply? Tamper resistance refers to the ability of a device, specifically a processor in this context, to keep confidential keys secure from extraction. A device is considered tamper-resistant if sensitive keys stored within it cannot be retrieved through unauthorized means. This concept can be contrasted with tamper evidence, where even if the key is not critically important, the awareness of an extraction event is vital. Tamper evidence signifies that if a key is indeed extracted, there is apparent evidence of such tampering.

High-end Physically Secure Processors

Historically, the physical security of computers was primarily driven by their value. However, with the emergence of multi-user operating systems and the increasing frequency of vulnerabilities within these systems, the risk of data exposure grew significantly. Sensitive information, such as long-term cryptographic keys and personal identification numbers, necessitated a higher level of protection than what standard commercial operating systems could provide.

This demand for security led to the creation of standalone security modules, with the IBM 3848 and the VISA security module being among the first successful implementations. These modules employed specialized hardware for encryption and used unique memory configurations, like static RAM designed to erase sensitive data when the device’s tamper-proof enclosure is breached.
Historical Context of Tamper Resistance and Evidence

The principles of tamper resistance and evidence predate modern technologies. For instance, naval codebooks were designed to be weighted such that they would sink if a ship was captured, while the codes themselves were printed in water-soluble ink, rendering them useless if submerged. The Russian military utilized one-time pads printed on cellulose nitrate, ensuring they would burn rapidly if ignited. Similarly, older Japanese electronic devices featured self-destruction mechanisms when tampering was detected, relying heavily on the vigilance of their operators. Despite these precautions, systems remained vulnerable to surprise attacks.

Examples of Tamper-Resistant Devices

IBM 4758

The IBM 4758 is a standout example, recognized for its high level of tamper resistance, frequently employed in banking systems for PIN processing. The device encapsulates a programmable PCI board, specialized cryptographic electronics, microprocessor, memory, and random number generators. All components function collectively within a tamper-responsive environment, ensuring secure data processing and cryptographic operations.

iButton by Dallas Semiconductor

This medium-security processor incorporates various essential features including a microcontroller with a modular exponentiation circuit, static RAM for key storage, a clock, tamper sensors, and a battery. Common applications for the iButton span access control systems, parking meters, and mass transit systems, with newer versions programmable using Java.

Smart Cards

Smart cards are another key application, notably exemplified by the VISA security module used across banking transactions to generate and verify personal identification numbers (PINs).
These smart cards aim to prevent bank personnel from accessing customer PINs, thus supporting claims that any transaction disputes stem from customer responsibilities. The secure design includes a microcomputer managing all cryptographic operations while safeguarding key material through mechanisms that disrupt power during unauthorized enclosure access.

Attacks on Tamper-Resistant Devices

The subsequent section explores various attacks targeting tamper-resistant microcontrollers and the defensive measures designed to counter such threats. The primary goal of each attack is to unveil information related to secret keys or sensitive data stored within the chip's memory. Attackers typically gain access to multiple instances of the targeted devices and exploit vulnerabilities bypassing other hardware tamper protections.

Critical inquiries involve whether an adversary can access the device without oversight. If unsupervised access exists, a broader range of countermeasures is necessary. For instance, in the case of the VISA security module, while banks maintain controlled access to security modules, the vulnerability arises when service personnel can disable tamper protection during visits. This becomes problematic when adversaries can exploit unsupervised access to a larger stockpile of cryptographic devices, such as pay-TV smart cards and car locking mechanisms.

Hacking Methods

Operator-Based Manipulations

An operator may illegally access the keys in several ways, such as reading PROMs (Programmable Read-Only Memory) at unauthorized locations. To combat this, methods involving shared control, such as distributing master keys across different secure locations, have been proposed.

Maintenance Staff Interference

Maintenance engineers pose another threat, capable of disabling security measures and later retrieving sensitive information.
A countermeasures strategy includes separating components such as batteries from core security elements, encasing those critical parts in tough, opaque substances.

Competent Attacker Access

Compromising access by skilled individuals requires high-end tamper sensing barriers. For instance, IBM’s μABYSS device employs a system where physical tampering breaks sensing loops, prompting immediate data destruction. However, it remains vulnerable to slow attacks via methodologies like sandblasting.

Memory Remanence Exploitation

A significant issue lies in the phenomenon of memory remanence, revealing that several types of computer memory can retain residual data post-power. Techniques are in place to counter this remanence, such as temperature and radiation alarms. However, failures in memory security have led to threats where former secure modules, once operational, can yield data upon reboot.

Tempest and Power Analysis

The Tempest initiative identifies risks associated with monitoring electromagnetic emanations within devices. Solutions like solid aluminum shielding and low-pass-filtering power sources have been suggested to safeguard sensitive information from egress during computation.

Design Constraints for Security Processors

Security processors face practical constraints, balancing security robustness against potential alarm inaccuracies. Systems designed with self-destructive features to enhance security may not function reliably in standard operating environments that can experience extreme temperatures.

Commercial Security Processors and Their Vulnerabilities

iButton Projects

The iButton serves multiple applications, such as secure access for government laptops or across transportation systems. Although lacking a tamper-sensing barrier, this device remains innovative in design and functionality.
Dallas 5002 Attacks

Another prominent security processor works in point-of-sale terminals, protecting customer data. Attack methods include memory address observation; thus, maintaining strict encrypted key protocols is paramount.

Clipper Chip Vulnerabilities

The Clipper chip, introduced for U.S. government signals, allows lawful decrypting of communication encrypted with the standard, underscoring the design's trust issues and vulnerabilities.

Smartcards and Advanced Attacks

A conventional smart card integrates microprocessors and memory while facing unique challenges, such as erasure charges in EPROM memory. Evolving hacking techniques have targeted smartcards where programming voltage extraction can be manipulated, illustrating vulnerabilities inherent in current technologies.

Non-Invasive Attacks

Various non-invasive attack methods exploit environmental controls such as voltage variations or supply transients. Techniques that manipulate functioning frequencies may introduce erroneous outcomes within a device’s operational cycle, creating avenues for potential cyber exploits.

Physical Attacks

Physical methods of hacking are often simpler, involving direct access to silicon underneath protective casings. As described, once access is obtained, the chip may often be functional, leading to critical security breaches.

Advanced Attack Techniques

Classified as advanced techniques, destructive reverse engineering entails peeling back chip layers to uncover operational details, while memory mappings and signal monitoring reveal secrets through innovative storage decoding methods. Countermeasures, including conformal coatings, can obscure chip designs but present their own complexities.

These elements collectively depict a robust landscape concerning physical tamper resistance and its relationship to security vulnerabilities that exist within today's technology-driven environment.