Modeling Security Threats to Cryptographically Protected Data - PowerPoint PPT Presentation

Transcript and Presenter's Notes
1
Modeling Security Threats to Cryptographically
Protected Data
  • Alexandra A. Savelieva
  • Supervisor: Prof. Sergey M. Avdoshin

State University Higher School of Economics,
Russia, Software Engineering Department
2
Old Chinese Curse
  • May you live in interesting times
3
Data Protection and Financial Chaos
  • Human factor: malicious insiders, fired employees
  • Hardware loss: laptop theft, storage theft
  • And this means: good crypto!

CIO challenge: how to select an appropriate
information security strategy within budget
limitations and growing risks of unauthorized
access to information assets?
4
Agenda
1. Analysis of relevant approaches
2. Problem statement
3. Solution
4. Conclusions
5
Evaluation Methods
  • Cryptographic Security Analysis
  • Mathematical model designed by V.P. Ivanov
  • Formalized security risk analysis and management
    methodologies
  • Various tools for cryptographic protocols
    analysis

7
Cryptographic Security Analysis
  • "It becomes increasingly clear that the term
    'security' doesn't have meaning unless you also
    know things like 'Secure from whom?' or 'Secure
    for how long?'"

9
Mathematical model designed by V.P. Ivanov
  • The problem of breaking a cipher is reduced to
    engineering analysis of the program that
    implements the encryption mechanism
  • This allows the required time to be estimated by
    means of Halstead complexity metrics
  • Average time T for analyzing the implementation
    of the enciphering mechanism:
  • T ≈ 3N³,
  • where N is the program length (bytes)

10
Mathematical model designed by V.P. Ivanov
  • Drawbacks
  • The technique applies only to so-called
    restricted-use cryptographic systems, whose
    security depends on keeping both the encryption
    and decryption algorithms secret (this contradicts
    Kerckhoffs's fundamental principle that security
    must rest on the key alone)
  • The context in which the cryptosystem is used is
    not taken into account

11
Evaluation Methods
  • Cryptographic Security Analysis
  • Mathematical model designed by V.P. Ivanov
  • Formalized security risk analysis and management
    methodologies
  • British CRAMM (by Insight Consulting, Siemens)
  • American RiskWatch (by RiskWatch)
  • Russian GRIF (by Digital Security)
  • Various tools for cryptographic protocols
    analysis

12
Formalized security risk analysis: CRAMM
  • A comprehensive risk assessment method with the
    ability to carry out various functions, including
  • Pre-defined risk assessments covering generic
    information systems
  • BS 7799:2005 compliance
  • Production of security documentation
  • Investigation against standards
  • Drawbacks
  • the peculiarities of cryptographic systems are not
    taken into account!

14
Tools for cryptographic protocol analysis
  • Main classes
  • Deductive methods
  • Static analysis methods
  • State exploration methods
  • Drawbacks
  • they assume that the cryptographic primitives are
    perfect (the symbolic, Dolev-Yao style model), so
    the strength of the ciphers themselves remains out
    of scope

15
Comparative analysis
Evaluation technique  Applicability  Economic indicators  Adversary resources
Cryptographic security analysis -
Mathematical model by Ivanov -
Formalized security risk analysis -
Tools for cryptographic protocols analysis - -
16
In our paper, we aim to
  • formulate the steps of the cryptographic system
    evaluation process
  • develop a mathematical model of security threats
  • design software tools to facilitate the process
    of cryptosystem efficiency assessment by a
    computer security specialist
  • select appropriate economic indicators as a basis
    for an economic rationale for investments in
    cryptographic systems and for sound arguments in
    favour of implementing an information security
    strategy

17
Cryptosystem security assessment process
  Step 1. Define the cryptosystem
  Step 2. Define the potential attackers
  Step 3. Determine the attacks that the cryptosystem is
          exposed to
  Step 4. Evaluate the cryptosystem's resistance to the
          attacks
  Step 5. Make conclusions regarding conformity of the
          system to the organization's needs
18
ABC-Model of Security Threats
  • A for Attack
  • B for code-Breaker
  • C for Cryptosystem

20
Classification of cryptosystems
  • Ueli Maurer's idea is to distinguish
    cryptosystems by the number of keys used for data
    processing:
  • unkeyed
  • single-keyed
  • double-keyed
  • Gilles Brassard's scheme [4] is based on the
    secrecy of the algorithm:
  • Restricted-use
  • General

21
Classification of cryptosystems
  • By secrecy of the algorithm
  • Restricted / General
  • By the number of keys
  • Unkeyed / Single-keyed / Double-keyed /
    Multiple-keyed
  • By breakability
  • Theoretically unbreakable
  • Provably unbreakable
  • Supposedly unbreakable
  • By the type of key storage
  • Smart-card / e-token / Windows registry /
    File system
  • By the means of implementation
  • Software / Hardware / Software and hardware
  • By certification
  • Certified / Uncertified

22
Classification of codebreakers
  • Bruce Schneier suggests using motivation as the key
    parameter for identifying an adversary; this
    results in the following classification scheme:
  • opportunists
  • emotional attackers
  • friends and relatives
  • industrial competitors
  • the press
  • lawful governments
  • the police
  • national intelligence organizations

23
Classification of codebreakers
  • By equipment
  • PC
  • Network
  • Supercomputer
  • By expertise
  • PC user
  • Mathematician
  • Software developer
  • Physicist/electrical engineer
  • Psychologist aware of social engineering
    techniques
  • By initial knowledge on the cryptosystem
  • User of the cryptosystem
  • Designer of the cryptosystem
  • By final objective
  • Discovering a vulnerability
  • Total break
  • By access
  • Insider
  • Outsider

24
Classification of Attacks
  • The classical classification of attacks by the
    attacker's access to plaintext and ciphertext
    (ciphertext-only, known-plaintext, chosen-plaintext)
    is no longer complete, since it does not cover
    side-channel attacks, a powerful cryptanalysis
    technique that targets the implementation (timing,
    power consumption, faults) rather than the cipher's
    mathematics
  • Modern schemes for computer system attack
    classification:
  • Landwehr C.E., Bull A.R. A taxonomy of computer
    program security flaws, with examples. ACM
    Computing Surveys, 26(3), pp. 211-254, September
    1994.
  • Lindqvist U., Jonsson E. How to systematically
    classify computer security intrusions. IEEE
    Symposium on Security and Privacy, pp. 154-163,
    Los Alamitos, CA, 1997.
  • Paulauskas N., Garsva E. Computer System Attack
    Classification. Electronics and Electrical
    Engineering, 2006, No. 2(66).
  • Weber D.J. A taxonomy of computer intrusions.
    Master's thesis, Department of Electrical
    Engineering and Computer Science, Massachusetts
    Institute of Technology, June 1998.

These are not suitable for identifying attacks on cryptosystems!
25
Classification of Attacks (1/2)
  • By access to plaintext and ciphertext
  • Ciphertext-only
  • Known-plaintext
  • Chosen-plaintext
  • Adaptive-chosen-plaintext
  • Side-channel
  • By control over the enciphering/deciphering
    process
  • Passive
  • Active
  • By the outcome
  • Total break
  • Global deduction
  • Instance (local) deduction
  • Information deduction
  • Distinguishing algorithm
  • By the level of automation
  • Manual
  • Semi-automatic
  • Automatic

26
Classification of Attacks (2/2)
  • By critical amount of resources
  • Memory
  • Time
  • Data
  • By applicability to various ciphers
  • Multi-purpose
  • For a certain class of ciphers
  • For a certain cipher
  • By tools and techniques
  • Mathematics
  • Special-purpose devices taking physical
    measurements during computations
  • Evolutionary programming techniques
  • Quantum computers
  • By consequences
  • Breach of confidentiality
  • Breach of integrity
  • Breach of availability
  • By parallelizing feasibility
  • Distributed

27
Classification Schemes
  • Classification of Cryptosystems
  • By secrecy of the algorithm
  • By the number of keys
  • By breakability
  • By the type of key storage
  • By the means of implementation
  • By certification
  • Classification of Attacks
  • By critical amount of resources
  • By applicability to various ciphers
  • By tools and techniques
  • By consequences
  • By parallelizing feasibility
  • By access to plaintext and ciphertext
  • By control over the enciphering/deciphering
    process
  • By the outcome
  • By the level of automation
  • Classification of Codebreakers
  • By equipment
  • By expertise
  • By initial knowledge on the cryptosystem
  • By final objective
  • By access
  • By manpower

28
Parametric models of Attacks, Code-Breakers and
Cryptosystems
  • Let

be a set of parametric
models of attacks, where
represents
a domain for the i - th parameter as per our
taxonomy
  • Let

be a set of parametric
models of codebreakers, where
represents
a domain for the j - th parameter as per our
taxonomy
  • Let

be a set of parametric
models of cryptosystems, where
represents
a domain for the j - th parameter as per our
taxonomy
29
Mathematical Model for Cryptosystem Efficiency
Assessment
(diagram: Risk, Impact, Probability)
30
Mathematical Model for Cryptosystem Efficiency
Assessment
31
Efficiency Criterion
Satisfied when a cryptosystem that consists of
subsystems being exposed to
codebreakers can resist the attacks out
of the set
where
- admissible risk level
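The following is an added worked example, written for this transcript and not part of the CRYPTO tool described in the presentation. It walks the five assessment steps with the ABC model: subsystems (C), code-breakers (B) and attacks (A) are described by parameters whose domains are taken from the classification slides, risk is computed as probability times impact for every applicable triple, and the efficiency criterion is checked against an admissible risk level. The applicability rule in step 3, the success probabilities, the impact figure and the admissible risk level are hypothetical inputs chosen for illustration; the dependency between attacker parameters and attacks is listed on the "Future work" slide as open, so the rule here is the example's own.

```python
"""Worked illustration of the ABC model (Attack, code-Breaker, Cryptosystem)
and the five-step assessment process from the slides.

Example code written for this transcript; it is not the CRYPTO tool described
in the presentation. Parameter values come from the classification slides. The
applicability rule (step 3), the success probabilities, the impact figure and
the admissible risk level are hypothetical inputs chosen for illustration.
"""
from dataclasses import dataclass
from itertools import product

# Parameter domains from the taxonomy slides (one axis of each taxonomy shown).
KEY_STORAGE = ("smart-card", "e-token", "registry", "file system")
EQUIPMENT = ("PC", "network", "supercomputer")
ACCESS = ("insider", "outsider")
TOOLS = ("mathematics", "physical measurements",
         "evolutionary programming", "quantum computers")


@dataclass(frozen=True)
class Cryptosystem:
    """C: one subsystem of the system under evaluation (step 1)."""
    name: str
    key_storage: str        # "by the type of key storage"
    implementation: str     # "by the means of implementation"


@dataclass(frozen=True)
class CodeBreaker:
    """B: an adversary model (step 2)."""
    name: str
    equipment: str          # "by equipment"
    access: str             # "by access"


@dataclass(frozen=True)
class Attack:
    """A: an attack model (step 3)."""
    name: str
    tools: str              # "by tools and techniques"
    resource: str           # "by critical amount of resources"


def applicable(attack: Attack, breaker: CodeBreaker, system: Cryptosystem) -> bool:
    """Step 3: can this code-breaker mount this attack on this subsystem?
    Hypothetical rule: physical measurements need insider access, quantum
    attacks need supercomputer-class equipment, everything else is available."""
    if attack.tools == "physical measurements":
        return breaker.access == "insider"
    if attack.tools == "quantum computers":
        return breaker.equipment == "supercomputer"
    return True


def success_probability(attack: Attack, system: Cryptosystem) -> float:
    """Hypothetical probability that an applicable attack succeeds within the
    planning horizon. Keys held in a file or the registry are assumed easier
    to extract than keys held in a smart-card or e-token."""
    base = {"mathematics": 0.05, "physical measurements": 0.4,
            "evolutionary programming": 0.1, "quantum computers": 0.01}[attack.tools]
    storage_factor = {"smart-card": 0.5, "e-token": 0.6,
                      "registry": 1.5, "file system": 2.0}[system.key_storage]
    return min(1.0, base * storage_factor)


def assess(systems, breakers, attacks, impact, admissible_risk):
    """Steps 4 and 5: risk = probability x impact for every applicable
    (subsystem, code-breaker, attack) triple; the efficiency criterion holds
    when the largest risk does not exceed the admissible level.
    Returns (criterion_satisfied, worst_risk, risks_by_triple)."""
    risks = {}
    for sys_, brk, atk in product(systems, breakers, attacks):
        if applicable(atk, brk, sys_):
            risks[(sys_.name, brk.name, atk.name)] = success_probability(atk, sys_) * impact
    worst = max(risks.values(), default=0.0)
    return worst <= admissible_risk, worst, risks


# Constructed inputs for the example.
SYSTEMS = (Cryptosystem("disk encryption", "file system", "software"),
           Cryptosystem("document signing", "smart-card", "hardware"))
BREAKERS = (CodeBreaker("disgruntled employee", "PC", "insider"),
            CodeBreaker("intelligence agency", "supercomputer", "outsider"))
ATTACKS = (Attack("factoring / cryptanalysis", "mathematics", "time"),
           Attack("power-analysis key extraction", "physical measurements", "data"),
           Attack("Shor's algorithm", "quantum computers", "memory"))
IMPACT = 100_000.0          # loss if a subsystem is broken (same unit as risk)
ADMISSIBLE_RISK = 25_000.0  # step 5 threshold set by the organization


if __name__ == "__main__":
    ok, worst, risks = assess(SYSTEMS, BREAKERS, ATTACKS, IMPACT, ADMISSIBLE_RISK)
    for triple, risk in sorted(risks.items(), key=lambda kv: -kv[1]):
        print(f"{risk:10.0f}  {triple}")
    print("efficiency criterion satisfied:", ok)
```

With these inputs the criterion fails because of the file-system-stored key exposed to an insider with measurement equipment; removing that subsystem from the evaluation (or moving its key into hardware) brings the worst risk under the admissible level, which is the kind of conclusion step 5 is meant to deliver.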
33
Available tools for cryptanalysis
  • C/C++ multiprecision libraries
  • Mathematical packages: Maple and Mathematica
34
Available tools for cryptanalysis
  • Mathematical packages Maple and Mathematica
  • unlimited precision
  • easy-to-program algorithms
  • - extremely low efficiency of
    number-theoretical computations

35
Available tools for cryptanalysis
  • C and C++ built-in types have limited precision
    (widths below hold on ILP32 and Windows LLP64
    targets; on LP64 platforms such as x86-64 Linux,
    long is 64 bits)
  • long: 32 bits
  • long long: 64 bits
  • double: 53-bit significand, 11-bit exponent
    (IEEE 754 binary64)
  • long double: 64-bit significand, 15-bit exponent
    (x87 80-bit extended precision)
  • Java has multiprecision capabilities
    (java.math.BigInteger)
  • Highly portable
  • Not so efficient

36
Available tools for cryptanalysis
  • Multiprecision mathematical libraries
  • high performance
  • wide range of solutions freely available
    (LIP, LiDIA, CLN, PARI, GMP, MpNT)

37
LIP (Large Integer Package)
  • One of the first libraries for long integer
    computations
  • Written by Arjen K. Lenstra and later maintained
    by Paul Leyland
  • ANSI C
  • Highly portable
  • - Not efficient

38
CLN (a Class Library for Numbers)
  • Written by Bruno Haible and currently maintained
    by Richard Kreckel
  • C++ library that implements elementary
    arithmetical, logical and transcendental
    functions
  • Rich set of classes
  • Integers
  • Rational numbers
  • Floating-point numbers
  • Complex numbers
  • Modular integers
  • Univariate polynomials etc.
  • - high universality implies low efficiency for
    number-theoretic problem solving

39
LiDIA
  • Developed at the Technical University of
    Darmstadt (Thomas Papanikolaou)
  • C++ library
  • Highly optimized implementations
  • Multiprecision data types
  • Time-intensive algorithms
  • Can use different integer packages (such as
    Berkeley MP, GMP, CLN, libI, LIP etc.)
  • - not portable to the Windows platform

40
GMP (GNU Multiple Precision arithmetic library)
  • Developed by Torbjörn Granlund and the GNU free
    software community
  • C library for arbitrary precision arithmetic
  • General emphasis on speed
  • Highly optimized assembly
  • for the most common inner loops
  • for a lot of CPUs
  • Faster than most multiprecision libraries
  • Its advantage increases with the operand
    sizes
  • - not portable to the Windows platform
  • - lack of primitives to support integer
    factorization and DLP methods

41
NTL (a Library for doing Number Theory)
  • Written and maintained mainly by Victor Shoup
  • C++ library
  • High performance
  • Polynomial arithmetic
  • Lattice reduction
  • Portable
  • outperforms other libraries in terms of big
    integer operations
  • - lack of algorithms for index calculus,
    sieving, factorization
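The following is an added example written for this transcript, not code from the CRYPTO tool or from any of the libraries above. It ties together two points of the preceding slides: cryptographic-size operands do not fit the fixed-width C/C++ integer types, and a factorization primitive (which the slides note GMP and NTL lack) has to be built on top of a multiprecision layer. Python's built-in int plays the role GMP or NTL would play in C/C++; the algorithm is Pollard's rho with Brent's cycle detection, and the modulus is constructed here from two known primes.

```python
"""Pollard's rho factorization over arbitrary-precision integers.

Example code written for this transcript, not code from the CRYPTO tool. It
illustrates two points from the slides: operands of cryptographic size do not
fit the fixed-width C/C++ types, and a factorization primitive has to be built
on top of a multiprecision layer (Python's built-in int here stands in for GMP
or NTL in C/C++). The test modulus is constructed from two known primes.
"""
from math import gcd
import random
from typing import List


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin probable-prime test; bases come from a fixed-seed generator
    so the example is reproducible (use unpredictable bases in practice)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = random.Random(0xC0FFEE)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False        # a is a witness of compositeness
    return True


def pollard_rho(n: int) -> int:
    """Return a non-trivial factor of a composite n (Brent's variant).
    Iterates y -> y^2 + c mod n, batching gcd computations over m steps; if a
    batch collapses to gcd == n, it is redone one step at a time, and if that
    still fails the polynomial constant c is changed."""
    if n % 2 == 0:
        return 2
    for c in range(1, 100):
        y, m, g, r, q = 2, 128, 1, 1, 1
        x = ys = y
        while g == 1:
            x = y
            for _ in range(r):
                y = (y * y + c) % n
            k = 0
            while k < r and g == 1:
                ys = y
                for _ in range(min(m, r - k)):
                    y = (y * y + c) % n
                    q = q * abs(x - y) % n
                g = gcd(q, n)
                k += m
            r *= 2
        if g == n:                       # batch overshot: redo it step by step
            g = 1
            while g == 1:
                ys = (ys * ys + c) % n
                g = gcd(abs(x - ys), n)
        if g != n:
            return g
    raise ValueError("Pollard rho failed for all tried constants")


def factor(n: int) -> List[int]:
    """Complete factorization into a sorted list of primes (with multiplicity)."""
    if n == 1:
        return []
    if is_probable_prime(n):
        return [n]
    d = pollard_rho(n)
    return sorted(factor(d) + factor(n // d))


# Constructed modulus: the Mersenne prime 2^61 - 1 times the prime 10^9 + 7.
# Its 91 bits exceed every C/C++ built-in integer type, but Python's int is
# arbitrary precision, so the same code works unchanged.
P = 2**61 - 1
Q = 10**9 + 7
N = P * Q

if __name__ == "__main__":
    print(f"N has {N.bit_length()} bits, factors: {factor(N)}")
```

Rho's running time is governed by the square root of the smallest prime factor, so the 30-bit factor here is found in a few tens of thousands of iterations; for a 1024-bit RSA modulus with balanced factors the same code would never finish, which is why the sieve and index-calculus methods the slides mention are the ones that matter for the CRYPTO tool.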

43
CRYPTO high-level structure
44
Implementation
45
User Interface
46
Certificates of Authorship
48
ROI, NPV, IRR Metrics Usage
  • Source: CSI Computer Crime & Security Survey
    2008, http://www.gocsi.com/

49
Key Financial Metrics Overview
Return on Investment (ROI)
  Advantages: popular with economists
  Drawbacks: lack of trusted methods for calculation;
    static indicator
Total Cost of Ownership (TCO)
  Advantages: allows a project to be evaluated on the
    basis of costs alone; costs are assumed to be
    evaluated throughout the whole lifecycle of a product
  Drawbacks: static indicator; IT-specific
Discounted Cash Flow (DCF)
  Advantages: popular with economists; the time value
    of money is taken into account; not only costs but
    all cash flows related to a project are considered
  Drawbacks: complexity
50
Discounted Cash Flow
  • Net present value (NPV): the sum of the present
    values of all cash inflows minus the sum of the
    present values of all cash outflows.
  • Internal rate of return (IRR), equivalently:
  • (1) the discount rate that equates the sum of
    the present values of all cash inflows to the sum
    of the present values of all cash outflows;
  • (2) the discount rate that sets the net present
    value equal to zero.
  • The internal rate of return measures the
    investment yield: the project pays off when the
    IRR exceeds the discount rate used.
  • Profitability index (PI): the sum of the present
    values of all cash inflows divided by the sum of
    the present values of all cash outflows; PI > 1
    exactly when NPV > 0.

51
Cash flow for a cryptographic system
52
Investment Efficiency Assessment Example
  • Cost of implementation: 120,000.00 RUR
  • Value of information: 205,000.00 RUR/year
  • Risk reduction: year 1: 95%, year 2: 70%,
    year 3: 35%
  • Cash flows discounted at an annual rate of 20.8%
  • NPV = 4,574.20 RUR; IRR = 26.5%;
    PI = 1.04 (PI < 1.2)
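The following is an added example written for this transcript; it is not the spreadsheet behind the slide above. It implements the three DCF metrics defined on the previous slide (NPV, IRR by bisection, PI) and builds a cash-flow series in the shape of the slide's example. The cash-flow slide itself is not reproduced in the transcript, so the way the annual benefit is derived (value of information times that year's risk reduction, minus an optional operating cost) is an assumption of this example, and the numbers it produces are not the slide's 4,574.20 RUR result.

```python
"""Discounted-cash-flow metrics from the slides: NPV, IRR and PI.

Example code written for this transcript, not the presentation's spreadsheet.
The cash-flow series in the test is constructed; it is not the series behind
the slide's 4,574.20 RUR result, which the transcript does not reproduce.
Reading the annual benefit as value of information x risk reduction, minus an
operating cost, is an assumption of this example.
"""
from typing import List, Sequence


def present_value(amount: float, rate: float, year: int) -> float:
    """Discount a single amount received at the end of `year` at `rate`."""
    return amount / (1.0 + rate) ** year


def npv(cash_flows: Sequence[float], rate: float) -> float:
    """Net present value: PV of all inflows minus PV of all outflows.
    cash_flows[t] is the net flow at the end of year t; t = 0 is the up-front
    implementation cost (negative)."""
    return sum(present_value(cf, rate, t) for t, cf in enumerate(cash_flows))


def irr(cash_flows: Sequence[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-10) -> float:
    """Internal rate of return: the discount rate at which NPV == 0, found by
    bisection. A conventional project (outflow first, inflows later) has NPV
    decreasing in the rate, so a sign change on [lo, hi] brackets the root."""
    f_lo, f_hi = npv(cash_flows, lo), npv(cash_flows, hi)
    if f_lo * f_hi > 0:
        raise ValueError("NPV has the same sign at both ends; IRR is undefined here")
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        f_mid = npv(cash_flows, mid)
        if f_mid == 0.0:
            return mid
        if (f_mid > 0.0) == (f_lo > 0.0):
            lo, f_lo = mid, f_mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def profitability_index(cash_flows: Sequence[float], rate: float) -> float:
    """PI = PV of inflows / PV of outflows; PI > 1 exactly when NPV > 0."""
    pv_in = sum(present_value(cf, rate, t) for t, cf in enumerate(cash_flows) if cf > 0)
    pv_out = -sum(present_value(cf, rate, t) for t, cf in enumerate(cash_flows) if cf < 0)
    return pv_in / pv_out


def crypto_investment_cash_flows(cost: float, value_per_year: float,
                                 risk_reduction: Sequence[float],
                                 opex_per_year: float = 0.0) -> List[float]:
    """Net cash-flow series for a cryptographic system: year 0 is the
    implementation cost; year t is the avoided loss, taken here (assumption)
    as value of information x risk reduction in that year, minus operating
    cost."""
    return [-cost] + [value_per_year * r - opex_per_year for r in risk_reduction]


if __name__ == "__main__":
    # Inputs shaped like the slide's example; the benefit model is assumed.
    flows = crypto_investment_cash_flows(120_000, 205_000, (0.95, 0.70, 0.35))
    rate = 0.208
    print("cash flows:", flows)
    print(f"NPV @ {rate:.1%}: {npv(flows, rate):,.2f}   "
          f"IRR: {irr(flows):.1%}   PI: {profitability_index(flows, rate):.3f}")
```

The bisection for IRR deliberately refuses to run when NPV has the same sign at both ends of the bracket: a series with several sign changes (for example, a large re-licensing cost in year two) can have several or no IRRs, which is one reason the slides present IRR alongside NPV rather than on its own.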

53
Conclusion
  • "As information security is about power and money,
    the evaluator should not restrict herself to
    technical tools like cryptanalysis and
    information flow, but also apply economic tools"

Ross Anderson, Professor in Security Engineering
at the University of Cambridge Computer
Laboratory
54
Future work
  • Development of a built-in expert knowledge base
    to aid in-house cryptographic systems expertise:
  • evaluating the dependency between the parameters
    of a cryptosystem model and the applicable
    attacks
  • evaluating the dependency between the parameters
    of an attacker model and the types of attacks
    that they are likely to use
  • Design of new algorithms and improvement of
    existing methods for factorization and computing
    discrete logarithms using the CRYPTO software tools
  • Extending the library to include modern
    techniques for analyzing the security of
  • hash functions
  • symmetric cryptosystems

55
Modeling Security Threats to Cryptographically
Protected Data
alexandra.savelieva_at_gmail.com