More Books
Introduction to Computer Security
Introduction to Computer Security
Table of Contents
Copyright
Preface
Goals
Philosophy
Organization
Differences Between this Book and Computer Security: Art and Science
Special Acknowledgment
Acknowledgments
Chapter 1. An Overview of Computer Security
Section 1.1.  The Basic Components
Section 1.2.  Threats
Section 1.3.  Policy and Mechanism
Section 1.4.  Assumptions and Trust
Section 1.5.  Assurance
Section 1.6.  Operational Issues
Section 1.7.  Human Issues
Section 1.8.  Tying It All Together
Section 1.9.  Summary
Section 1.10.  Further Reading
Section 1.11.  Exercises
Chapter 2. Access Control Matrix
Section 2.1.  Protection State
Section 2.2.  Access Control Matrix Model
Section 2.3.  Protection State Transitions
Section 2.4.  Summary
Section 2.5.  Further Reading
Section 2.6.  Exercises
Chapter 3. Foundational Results
Section 3.1.  The General Question
Section 3.2.  Basic Results
Section 3.3.  Summary
Section 3.4.  Further Reading
Section 3.5.  Exercises
Chapter 4. Security Policies
Section 4.1.  Security Policies
Section 4.2.  Types of Security Policies
Section 4.3.  The Role of Trust
Section 4.4.  Types of Access Control
Section 4.5.  Example: Academic Computer Security Policy
Section 4.6.  Summary
Section 4.7.  Further Reading
Section 4.8.  Exercises
Chapter 5. Confidentiality Policies
Section 5.1.  Goals of Confidentiality Policies
Section 5.2.  The Bell-LaPadula Model
Section 5.3.  Summary
Section 5.4.  Further Reading
Section 5.5.  Exercises
Chapter 6. Integrity Policies
Section 6.1.  Goals
Section 6.2.  Biba Integrity Model
Section 6.3.  Clark-Wilson Integrity Model
Section 6.4.  Summary
Section 6.5.  Further Reading
Section 6.6.  Exercises
Chapter 7. Hybrid Policies
Section 7.1.  Chinese Wall Model
Section 7.2.  Clinical Information Systems Security Policy
Section 7.3.  Originator Controlled Access Control
Section 7.4.  Role-Based Access Control
Section 7.5.  Summary
Section 7.6.  Further Reading
Section 7.7.  Exercises
Chapter 8. Basic Cryptography
Section 8.1.  What Is Cryptography?
Section 8.2.  Classical Cryptosystems
Section 8.3.  Public Key Cryptography
Section 8.4.  Cryptographic Checksums
Section 8.5.  Summary
Section 8.6.  Further Reading
Section 8.7.  Exercises
Chapter 9. Key Management
Section 9.1.  Session and Interchange Keys
Section 9.2.  Key Exchange
Section 9.3.  Cryptographic Key Infrastructures
Section 9.4.  Storing and Revoking Keys
Section 9.5.  Digital Signatures
Section 9.6.  Summary
Section 9.7.  Further Reading
Section 9.8.  Exercises
Chapter 10. Cipher Techniques
Section 10.1.  Problems
Section 10.2.  Stream and Block Ciphers
Section 10.3.  Networks and Cryptography
Section 10.4.  Example Protocols
Section 10.5.  Summary
Section 10.6.  Further Reading
Section 10.7.  Exercises
Chapter 11. Authentication
Section 11.1.  Authentication Basics
Section 11.2.  Passwords
Section 11.3.  Challenge-Response
Section 11.4.  Biometrics
Section 11.5.  Location
Section 11.6.  Multiple Methods
Section 11.7.  Summary
Section 11.8.  Further Reading
Section 11.9.  Exercises
Chapter 12. Design Principles
Section 12.1.  Overview
Section 12.2.  Design Principles
Section 12.3.  Summary
Section 12.4.  Further Reading
Section 12.5.  Exercises
Chapte 13. Representing Identity
Section 13.1.  What Is Identity?
Section 13.2.  Files and Objects
Section 13.3.  Users
Section 13.4.  Groups and Roles
Section 13.5.  Naming and Certificates
Section 13.6.  Identity on the Web
Section 13.7.  Summary
Section 13.8.  Further Reading
Section 13.9.  Exercises
Chapter 14. Access Control Mechanisms
Section 14.1.  Access Control Lists
Section 14.2.  Capabilities
Section 14.3.  Locks and Keys
Section 14.4.  Ring-Based Access Control
Section 14.5.  Propagated Access Control Lists
Section 14.6.  Summary
Section 14.7.  Further Reading
Section 14.8.  Exercises
Chapter 15. Information Flow
Section 15.1.  Basics and Background
Section 15.2.  Compiler-Based Mechanisms
Section 15.3.  Execution-Based Mechanisms
Section 15.4.  Example Information Flow Controls
Section 15.5.  Summary
Section 15.6.  Further Reading
Section 15.7.  Exercises
Chapter 16. Confinement Problem
Section 16.1.  The Confinement Problem
Section 16.2.  Isolation
Section 16.3.  Covert Channels
Section 16.4.  Summary
Section 16.5.  Further Reading
Section 16.6.  Exercises
Chapter 17. Introduction to Assurance
Section 17.1.  Assurance and Trust
Section 17.2.  Building Secure and Trusted Systems
Section 17.3.  Building Security In or Adding Security Later
Section 17.4.  Summary
Section 17.5.  Further Reading
Section 17.6.  Exercises
Chapter 18. Evaluating Systems
Section 18.1.  Goals of Formal Evaluation
Section 18.2.  TCSEC: 19831999
Section 18.3.  FIPS 140: 1994Present
Section 18.4.  The Common Criteria: 1998Present
Section 18.5.  SSE-CMM: 1997Present
Section 18.6.  Summary
Section 18.7.  Further Reading
Section 18.8.  Exercises
Chapter 19. Malicious Logic
Section 19.1.  Introduction
Section 19.2.  Trojan Horses
Section 19.3.  Computer Viruses
Section 19.4.  Computer Worms
Section 19.5.  Other Forms of Malicious Logic
Section 19.6.  Defenses
Section 19.7.  Summary
Section 19.8.  Further Reading
Section 19.9.  Exercises
Chapter 20. Vulnerability Analysis
Section 20.1.  Introduction
Section 20.2.  Penetration Studies
Section 20.3.  Vulnerability Classification
Section 20.4.  Frameworks
Section 20.5.  Summary
Section 20.6.  Further Reading
Section 20.7.  Exercises
Chapter 21. Auditing
Section 21.1.  Definitions
Section 21.2.  Anatomy of an Auditing System
Section 21.3.  Designing an Auditing System
Section 21.4.  A Posteriori Design
Section 21.5.  Auditing Mechanisms
Section 21.6.  Examples: Auditing File Systems
Section 21.7.  Audit Browsing
Section 21.8.  Summary
Section 21.9.  Further Reading
Section 21.10.  Exercises
Chapter 22. Intrusion Detection
Section 22.1.  Principles
Section 22.2.  Basic Intrusion Detection
Section 22.3.  Models
Section 22.4.  Architecture
Section 22.5.  Organization of Intrusion Detection Systems
Section 22.6.  Intrusion Response
Section 22.7.  Summary
Section 22.8.  Further Reading
Section 22.9.  Exercises
Chapter 23. Network Security
Section 23.1.  Introduction
Section 23.2.  Policy Development
Section 23.3.  Network Organization
Section 23.4.  Availability and Network Flooding
Section 23.5.  Anticipating Attacks
Section 23.6.  Summary
Section 23.7.  Further Reading
Section 23.8.  Exercises
Chapter 24. System Security
Section 24.1.  Introduction
Section 24.2.  Policy
Section 24.3.  Networks
Section 24.4.  Users
Section 24.5.  Authentication
Section 24.6.  Processes
Section 24.7.  Files
Section 24.8.  Retrospective
Section 24.9.  Summary
Section 24.10.  Further Reading
Section 24.11.  Exercises
Chapter 25. User Security
Section 25.1.  Policy
Section 25.2.  Access
Section 25.3.  Files and Devices
Section 25.4.  Processes
Section 25.5.  Electronic Communications
Section 25.6.  Summary
Section 25.7.  Further Reading
Section 25.8.  Exercises
Chapter 26. Program Security
Section 26.1.  Introduction
Section 26.2.  Requirements and Policy
Section 26.3.  Design
Section 26.4.  Refinement and Implementation
Section 26.5.  Common Security-Related Programming Problems
Section 26.6.  Testing, Maintenance, and Operation
Section 26.7.  Distribution
Section 26.8.  Conclusion
Section 26.9.  Summary
Section 26.10.  Further Reading
Section 26.11.  Exercises
Chapter 27. Lattices
Section 27.1.  Basics
Section 27.2.  Lattices
Section 27.3.  Exercises
Chapter 28. The Extended Euclidean Algorithm
Section 28.1.  The Euclidean Algorithm
Section 28.2.  The Extended Euclidean Algorithm
Section 28.3.  Solving ax mod n = 1
Section 28.4.  Solving ax mod n = b
Section 28.5.  Exercises
Chapter 29. Virtual Machines
Section 29.1.  Virtual Machine Structure
Section 29.2.  Virtual Machine Monitor
Section 29.3.  Exercises
Bibliography
Index
SYMBOL
A
E
F
I
L
T

9.5. Digital Signatures

As electronic commerce grows, so does the need for a provably high degree of authentication. Think of Alice's signature on a contract with Bob. Bob not only has to know that Alice is the other signer and is signing it; he also must be able to prove to a disinterested third party (called a judge) that Alice signed it and that the contract he presents has not been altered since Alice signed it. Such a construct is called a digital signature.

Definition 96. A digital signature is a construct that authenticates both the origin and contents of a message in a manner that is provable to a disinterested third party.

The "proof " requirement introduces a subtlety. Let m be a message. Suppose Alice and Bob share a secret key k. Alice sends Bob m || { m }k (that is, the message and its encipherment under k). Is this a digital signature?

First, Alice has authenticated the contents of the message, because Bob deciphers { m }k and can check that the message matches the deciphered one. Because only Bob and Alice know k, and Bob knows that he did not send the message, he concludes that it has come from Alice. He has authenticated the message origin and integrity. However, based on the mathematics alone, Bob cannot prove that he did not create the message, because he knows the key used to create it. Hence, this is not a digital signature.

Public key cryptography solves this problem. Let dAlice and eAlice be Alice's private and public keys, respectively. Alice sends Bob the message m || { m }dAlice. As before, Bob can authenticate the origin and contents of m, but in this situation a judge must determine that Alice signed the message, because only Alice knows the private key with which the message was signed. The judge merely obtains eAlice and computes { { m }dAlice } eAlice. If the result is m, Alice signed it. This is in fact a digital signature.

A digital signature provides the service of nonrepudiation. If Alice claims she never sent the message, the judge points out that the originator signed the message with her private key, which only she knew. Alice at that point may claim that her private key was stolen, or that her identity was incorrectly bound in the certificate (see Chapter 13, "Representing Identity"). The notion of "nonrepudiation" provided here is strictly abstract. In fact, Alice's key might have been stolen, and she might not have realized this before seeing the digital signature. Such a claim would require ancillary evidence, and a court or other legal agency would need to handle it. For the purposes of this section, we consider the service of nonrepudiation to be the inability to deny that one's cryptographic key was used to produce the digital signature.

9.5.1. Classical Signatures

All classical digital signature schemes rely on a trusted third party. The judge must trust the third party. Merkle's scheme is typical [621].

Let Cathy be the trusted third party. Alice shares a cryptographic key kAlice with Cathy. Likewise, Bob shares kBob with Cathy. When Alice wants to send Bob a contract m, she computes { m }kAlice and sends it to Bob. Bob sends it to Cathy, who deciphers m, enciphers it with kBob, and returns { m }kBob to Bob. He can now decipher it. To verify that Alice sent the message, the judge takes the disputed messages { m }kAlice and { m }kBob and has Cathy decipher them using Alice's and Bob's keys. If they match, the sending is verified; if not, one of them is a forgery.

9.5.2. Public Key Signatures

In our earlier example, we had Alice encipher the message with her private key to produce a digital signature. We now examine a specific digital signature scheme based on the RSA system (see Section 8.3.1).

We observe that using RSA to authenticate a message produces a digital signature. However, we also observe that the strength of the system relies on the protocol describing how RSA is used as well as on the RSA cryptosystem itself.

First, suppose that Alice wants to trick Bob into signing a message m. She computes two other messages m1 and m2 such that m1m2 mod nBob = m. She has Bob sign m1 and m2. Alice then multiplies the two signatures together and reduces mod nBob, and she has Bob's signature on m. (See Exercise 6.) The defense is not to sign random documents and, when signing, never sign the document itself; sign a cryptographic hash of the document [796].

EXAMPLE: Let nAlice = 95, eAlice = 59, dAlice = 11, nBob = 77, eBob = 53, and dBob = 17. Alice and Bob have 26 possible contracts, from which they are to select and sign one. Alice first asks Bob to sign contract F (05):

0517 mod 77 = 3

She then asks him to sign contract R (17):

1717 mod 77 = 19

Alice now computes 05 x 17 mod 77 = 08. She then claims that Bob agreed to contract I (08), and as evidence presents the signature 3 x 19 mod 77 = 57. Judge Janice is called, and she computes

5753 mod 77 = 08

Naturally, she concludes that Bob is lying, because his public key deciphers the signature. So Alice has successfully tricked Bob.


A second problem [31] demonstrates that messages that are both enciphered and signed should be signed first, then enciphered. Suppose Alice is sending Bob her signature on a confidential contract m. She enciphers it first, then signs it:

and sends the result to Bob. However, Bob wants to claim that Alice sent him the contract M. Bob computes a number r such that Mr mod nBob = m. He then republishes his public key as (reBob, nBob). Note that the modulus does not change. Now, he claims that Alice sent him M. The judge verifies this using his current public key. The simplest way to fix this is to require all users to use the same exponent but vary the moduli.

EXAMPLE: Smarting from Alice's trick, Bob seeks revenge. He and Alice agree to sign the contract G (06). Alice first enciphers it, then signs it:

(0653 mod 77)11 mod 95 = 63

and sends it to Bob. Bob, however, wants the contract to be N (13). He computes an r such that 13r mod 77 = 6; one such r is r = 59. He then computes a new public key reBob mod f(nBob) = 59 x 53 mod 60 = 7. He replaces his current public key with (7, 77), and resets his private key to 43. He now claims that Alice sent him contract N, signed by her.

Judge Janice is called. She takes the message 63 and deciphers it:

(6359 mod 95)43 mod 77 = 13

and concludes that Bob is correct.


This attack will not work if one signs first and then enciphers. The reason is that Bob cannot access the information needed to construct a new public key, because he would need to alter Alice's public key. (See Exercise 7.)