security-part2-12-安全工程解说.ppt

Security Engineering Security Computer Science Tripos part 2 Ross Anderson Chosen protocol attack The Mafia demands you sign a random challenge to prove your age for porn sites! Building a Crypto Library is Hard! Sound defaults: AES GCM for encryption, SHA256 for hashing, PKC with long enough keys Defend against power analysis fault analysis, timing analysis (cache attacks on AES), and other side-channel attacks. This is nontrivial! Take great care with key management and interface design Don’t let keys be reused for more than one purpose (‘leverage’ considered harmful) My strong advice: do not build a crypto library! If you must, you need specialist (PhD-level) help But whose can you trust? How Certification Fails PEDs ‘evaluated under the Common Criteria’ were trivial to tap GCHQ wouldn’t defend the brand APACS said (Feb 08) it wasn’t a problem It sure is now… Cryptographic Engineering 19c Auguste Kerckhoffs’ six principles, 1883 The system should be hard to break in practice It should not be compromised when the opponent learns the method – security must reside in the choice of key The key should be easy to remember change Ciphertext should be transmissible by telegraph A single person should be able to operate it The system should not impose mental strain Many breaches since, such as Tannenberg (1914) What else goes wrong See ‘Why cryptosystems fail’, my website (1993): Random errors Shoulder surfing Insiders Protocol stuff, like encryption replacement Second big wave now (see current papers): ATM skimmers Tampered PIN entry devices Yes cards and other protocol stuff Watch this space! Security Engineering No different in essence from any other branch of system engineering Understand the problem (threat model) Choose/design a security policy Build, test and if need be iterate Failure modes: Solve wrong problem / adopt wrong policy Poor technical work Inability to deal with evolving systems Inability to deal with conflict over goals A Framework Economics