Tuesday, May 21, 2013

Security, Part 1

As much as we'd like it to be true, security is not all about ciphers; it's also about physical security, the human factor, and an often overlooked area called side channels.

Physical Security

We all know that you need a password to keep a computer secure, right? But what happens when the hard drive is stolen? Your data can walk right out the door, that's what!

But even the transmission of secret keys and plain text is an issue. For instance, a keystroke logging program can easily intercept all the passwords you type. So you want to make sure that such a program never gets onto your computer.

With some ciphertext, the more of it you collect, the easier it is to decode. While this usually describes not-so-good security, techniques like XORing the data with the output of a feedback shift register are still employed in stream ciphers. To combat this, the feedback shift register must be re-initialized periodically to prevent the code from being broken. This is usually done by using a more secure encryption technique, like an RSA public-key cryptosystem.

But the best thing would be to make the transmission un-interceptable. This leads to the use of quantum key cryptography.

The Human Factor

The mobile computing revolution didn't invent the need for accessing your data externally, but it did make it a lot more common. So we use passwords to protect our data.

Passwords are secret keys that are possible to remember. But humans are frail and forgetful and so often they use passwords that are easy to guess. Ones they can't forget. Like 12345. I talk about just how insecure these kinds of passwords are in my first post on hackers.

But humans are always doing dumb, insecure things, like leaving doors unlocked or ajar, leaving a key under the flower pot, or leaving the keys to the car behind the visor. For some people this kind of behavior is a force of habit, and it represents a massive security breach.

But the most powerful kinds of attacks are called social engineering attacks.

Side Channels

This is the most interesting kind of insecurity, because it really describes an indirect attack.

One side channel consists of signals emanating from a device like an LCD screen. The video signals generally leak out and can be intercepted and reconstructed to spy on the device. For CRTs, a fellow named Wim Van Eck demonstrated in 1985 that he could display on a TV monitor the contents of a CRT screen, captured from hundreds of meters away, just by tuning into the video frequency emanations. The technique, known as Van Eck phreaking, can work on any display hardware.

When it comes to radio frequency (RF) emanations, a standard, known as TEMPEST since the 1960s, covers the techniques and methods used in shielding devices and components from being surveilled in this way.

Simple things like wi-fi are easily broken into, in a process called wardriving. There are published approaches for how to crack WEP and other security protocols used in wi-fi. But other methods can also be used to gain the password. Once the wi-fi is accessed, then anything transported on the wi-fi is also accessible. Google got in trouble for accessing wi-fi from their street view vehicles, but the fact is it is too easy to collect data in this manner. Thus, the mobile computing revolution introduces a whole new set of insecurities.

Another side channel concerns cryptography, and this one is a doozy: just by observing the process that is encrypting or decrypting some data, you can infer information about, for instance, the size of the prime numbers used in an RSA public-key cryptosystem. If you can tell how long it takes to divide the public key by a secret key, you can infer some valuable information about the size and bitwise complexity of the secret key. If, when producing a prime number pair, you can determine how long it took to produce it, you can tell a bit about the algorithm used to produce it. Each bit of information is useful in chopping away at the space of all possible answers to the question of what the secret is.

The data you observe about the cryptography process can be power consumption, the timing, or really anything that can be measured externally. With a power consumption curve, you can do differential analysis to get really precise information about how big the multiply was, and even which parts of the multiply are more complicated than others.

You can also measure thermal and acoustic signatures. For instance, by focusing an infrared camera at a chip during a certain computation, you can determine which parts of the chip are active and at what times.
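
The timing and power observations described in this section can be modeled by counting modular multiplications. The following is an added example, not code from the original post: a square-and-multiply exponentiation whose work depends on the secret exponent, beside a Montgomery ladder that does the same work for every exponent of a given width. The modulus, base and exponents are constructed sample values, and the operation counter is an assumed stand-in for measured time or power.

```python
# Added illustration. "ops" counts modular multiplications and models what
# an observer would see as elapsed time or power draw.

MOD = 1000003                    # constructed sample modulus
BASE = 7                         # constructed sample base
SPARSE = 0b1000000000000001      # constructed 16-bit "secret", two 1 bits
DENSE = 0b1111111111111111       # constructed 16-bit "secret", sixteen 1 bits


def modexp_leaky(base, exp, mod):
    """Left-to-right square-and-multiply.

    Squares once per bit but multiplies only on 1 bits, so the total work
    is bit_length + hamming_weight of the secret exponent.
    """
    result, ops = 1, 0
    for bit in bin(exp)[2:]:
        result = (result * result) % mod
        ops += 1
        if bit == "1":
            result = (result * base) % mod
            ops += 1
    return result, ops


def modexp_ladder(base, exp, mod, bits):
    """Montgomery ladder over a fixed bit width.

    Every bit costs one multiply and one square whatever its value, so the
    count depends only on the public width. Production code would also
    replace the branch with a constant-time conditional swap.
    """
    r0, r1, ops = 1, base % mod, 0
    for i in reversed(range(bits)):
        if (exp >> i) & 1:
            r0, r1 = (r0 * r1) % mod, (r1 * r1) % mod
        else:
            r1, r0 = (r0 * r1) % mod, (r0 * r0) % mod
        ops += 2
    return r0, ops


def compare(exp, bits=16):
    """Return (leaky op count, ladder op count) for one exponent."""
    return modexp_leaky(BASE, exp, MOD)[1], modexp_ladder(BASE, exp, MOD, bits)[1]


if __name__ == "__main__":
    for name, exp in (("sparse", SPARSE), ("dense", DENSE)):
        print(name, compare(exp))
```

Both exponents have the same length, yet the first routine does a different amount of work for each, which is the kind of difference that narrows the space of possible secrets.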


