# Security

## Attacks

### Concepts
1. __Leakage__ Unauthorized access to service or data
    * Knowing your bank balance
1. __Tampering__ Unauthorized modification of service or data
    * Modifying your bank balance
1. __Vandalism__ Interference with normal service
    * DDOS
    
### Methods
1. __Eavesdropping__ Listening to network traffic
1. __Masquerading__ Spoofing identity
1. __Tampering__ Modifying messages
1. __Replay__ Replaying old messages
1. __Denial of service__ Bombarding a port

## The CIA Properties
Desirable properties in a secure system.

1. __Confidentiality__ Protected against unauthorized data disclosure
1. __Integrity__ Only authorized users may alter (write) data
1. __Availability__ Data is always available (reads) (protection against vandalism)

### Policies vs Mechanisms
* __Policies__ indicate *what* a secure system accomplishes
    * Only auth'd individuals are allowed to access files in a file system
* __Mechanisms__ indicate *how* these goals are accomplished
    * ACLs, permission sets

#### Mechanisms
* __Authentication__ Alice is, in fact, Alice
* __Authorization__ Sure she's Alice, but can Alice perform this operation?
* __Auditing__ How did Alice fuck everything up? Log everything.



### Principals

* A __Process__ carries out actions on behalf of users
* __Key__ Sequence of bytes, assigned to a user
    * Keys can "lock" messages


### Symmetric vs. Asymmetric

* Many systems use a public/private key system to generate a shared key
    * Shared key is used to encrypt/decrypt messages
   

## Implementing Cryptography Mechanisms

### Authentication
1. __Direct Authentication__ Only between the two involved parties
1. __Indirect Authentication__ Involves a trusted third-party
    * Verisign
    
__nonce__ A random number, used as a challenge so that parties can prove to each other that they hold the encryption key
    
#### Direct Authentication
##### Shared Key
![](img/direct_auth_shared_key.png)

Attempting to *optimize* by sending nonces alongside requests & replies makes the protocol vulnerable to replay attacks:
![](img/direct_auth_replay_attack.png)

#### Indirect Authentication
We'll use an Auth Server and Shared Keys.

__ticket__ Means of passing encrypted information that only a limited number of parties can decrypt
* If you encrypt a secret with each party's key, only the involved parties will be able to decrypt
* $ K_{A,AS}(K_{A,B}), K_{B,AS}(K_{A,B}) $

### Digital Signatures

* Encrypting a message with a private key is a form of signing
    * Only public key can be used to decrypt
    * Having nonsense come out from decryption can 
* You can improve performance by *hashing* the message first
    * reduces the size of the message
    * $M, K_{Apriv}(Hash(M))$
    
### Digital Certificates

* Implemented using Digital signatures
* Usually have a standard format, so many principals can verify its authority
* Have a transitive property
    * Tracing chain backwards ends at a common root

#### Example
Here's a client cert:

1. Certificate Type: Account
1. Name: Alice
1. Account #: 12345
1. Certifying Authority: Charlie's Bank
1. Signature
    * $K_{Cpriv}(Hash(Name + Account\#))$
* Anyone receiving this cert can use $K_{Cpub}$ to decrypt the signature
* From there, hash the Name + Account # yourself; if the result matches the decrypted value, you've verified it's good.

And here's what Charlie's Bank cert would look like:

1. Certificate Type: Public Key
1. Name: Charlie's Bank
1. Public Key: $K_{Cpub}$
1. Certifying Authority: Banker's Federation
1. Signature
    * $K_{Fpriv}(Hash(Name+PublicKey))$

Aaaand here's what Charlie's Bank's signing authority, Banker's Federation, might look like:
1. Certificate Type: Public Key
1. Name: Banker's Federation
1. Public Key: $K_{Fpub}$
1. Certifying Authority: Verisign
1. Signature
    * $K_{Verisign,priv}(Hash(Name+Public key))$
    
And everybody trusts Verisign, so now you know you can trust leaves of the chain.
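
The chain walk above, as an added example (not part of the original notes): textbook RSA on constructed toy keys, so that "encrypt the hash with the private key" can be shown with the standard library alone. The function names, the `|` field separator and the key values are assumptions of this example; real certificates use padded signatures and far larger keys.

```python
import hashlib

def keypair(p, q, e=65537):
    """Textbook RSA from two primes; returns (public, private) as (exponent, modulus)."""
    n = p * q
    return (e, n), (pow(e, -1, (p - 1) * (q - 1)), n)

def signed_fields(cert):
    """The fields the signatures above cover: Name + Account # or Name + Public Key."""
    second = cert["account"] if cert["type"] == "Account" else str(cert["pub"])
    return [cert["name"], second]

def digest(cert, n):
    data = "|".join(signed_fields(cert)).encode()  # separator keeps fields unambiguous
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(cert, issuer, issuer_priv):
    d, n = issuer_priv
    return dict(cert, issuer=issuer, sig=pow(digest(cert, n), d, n))  # K_priv(Hash(...))

def verify(cert, issuer_pub):
    e, n = issuer_pub
    return pow(cert["sig"], e, n) == digest(cert, n)  # K_pub(sig) == Hash(...) ?

# Constructed toy keys built from Mersenne primes (far too small for real use).
C_PUB, C_PRIV = keypair(2**61 - 1, 2**89 - 1)    # Charlie's Bank
F_PUB, F_PRIV = keypair(2**89 - 1, 2**107 - 1)   # Banker's Federation
V_PUB, V_PRIV = keypair(2**107 - 1, 2**127 - 1)  # Verisign, the root

ALICE = sign({"type": "Account", "name": "Alice", "account": "12345"}, "Charlie's Bank", C_PRIV)
CHAIN = {
    "Charlie's Bank": sign({"type": "Public Key", "name": "Charlie's Bank", "pub": C_PUB},
                           "Banker's Federation", F_PRIV),
    "Banker's Federation": sign({"type": "Public Key", "name": "Banker's Federation", "pub": F_PUB},
                                "Verisign", V_PRIV),
}
TRUSTED_ROOTS = {"Verisign": V_PUB}  # the only key accepted without a certificate

def validate(cert, chain, roots, max_depth=8):
    """Follow issuer links to a trusted root; every signature on the way must verify."""
    for _ in range(max_depth):
        if cert["issuer"] in roots:
            return verify(cert, roots[cert["issuer"]])
        parent = chain.get(cert["issuer"])
        if parent is None or not verify(cert, parent["pub"]):
            return False
        cert = parent
    return False  # chain too long or circular
```

`validate(ALICE, CHAIN, TRUSTED_ROOTS)` succeeds only because every link verifies and the walk ends at a key already in `TRUSTED_ROOTS`; changing any signed field, or removing the root, makes it fail.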

## Authorization

1. Access Control Matrix
    * Maintain a mode of access for every pair of (principal, object)
    * Can be sparse, many entries may be ("no access")
1. Access Control List
    * Per object, list of allowed principals and allowed level of access
1. Capability List
    * Per principal, list of files and allowed mode of access
    * Can split by capability, so for each r/w/x level you list (principal, object) pairs