Notes 20110321 CIS 6650 Computer Security

From SnOwy - Ed's Wiki Notebook

This day, I gave a presentation about SSL/TLS + HTTPS

Talk: Spencer Wilson -- Quatum Cryptography

• must be secure by virtue of inability of cypher to be broken even with unlimited computation
• originally came from a grad student, Stephen J Wiesner
• no cloning theorem: cannot make a copy of the unknown
• Heisenberg uncertainty: one measurement destroys all other properties
• quantum superposition:
• photons can be measured in two conjugate bases:
  • rectilinear {0, 90}
  • diagonal {45, 135}
• logical bits can be 1 xor 0
• qubits can be 1 and 0
• quantum key distribution -- a method for quantum security
  • closest to be realized
  • a few other ideas are impossible given the current state of technology
• Alice chooses how many to send
• randomly measures each one; measures the state {0, 45, 90, 135}
• she sends each photon to Bob
• Bob randomly measures each photon to Bob
• ..
• Bob uses his own filter and finds his own states
• incompatible states are thrown out
• parity checking done -- a few photons chosen to randomly match
• this increases the confidence that the photons are correct
• the photons that are discussed over the public channel are discarded
• remaining photons become the key
• entangled particles
  • share bases but have are opposite states
• Artur Ekert -- independently created E91 QKD protocol
  • this work: BB84 is improved (though independently rediscovered)
• bit commitment
  • coin tossing protocols
  • possible on classic computers; impossible on quantum computers
• Zero knowledge proofs -- demonstrating we know something without knowing what it is
• Alice has to demonstrate she knows the secret without giving it away
• weaknesses of QC
  • denial of service is easy -- key establishment can be denied
  • keys are always discarded if they are ever thought to have been seen by public
• currently, distance limit -- Alice and Bob cannot be more than 250km away
  • difficult to distinguish between noise and eavesdropping

Talk: Laura Richards -- Quantum Key Distribution - Implementation and Attacks

• implementation in the real world (and also the attacks)
• entanglement -- a pair of photons act as a system
  • when one photon is up, the other is down, when one flips so too does the other
• quantum key distribution (QKD)
  • theory is all there, the physics and math says this is secure
  • the difficulty is actually in the implementation
• a crystal is used to create pairs of entangled photons
  • the polarization of a photon is complementary to that of the other {0, 90}; {+45, -45}
• commercial units are available for QKD
  • MagiQ (New York)
  • ID Quantique (Geneva)
• key rate
  • detector deadtime -- a number of microseconds must elapse between detected bits
  • distance -- 100km -- no way to strengthen the signal (without measuring the photons)
  • disagreement in the literature: we don't have the hardware (not possible yet) vs we can never do this (not physically possible)
• attacks
  • when Eve is capable of disturbing the system just enough to get information without going over the noise threshold
• photon number splitting
  • the hardware is not entirely precise in emitting only a single photon all of the time (only approximately one photon).
• large pulse attack
  • sends a bright light pulse into Alice or Bob's set-up
  • parts of the pulse reflect from components, can make some conclusions on settings
• blinding attack
  • a continuous laser sent into a detector -- the detector then acts in a classical way
  • a classical detector is one where a {1} is registered given a bright pulse
• Quantum Hacking Group -- Norwegian University of Science ant Technology
  • finds such vulnerabilities and reports it to the manufacturers (before telling the public)
• read more: IQC (Waterloo)

Talk: Tarfa Yassen -- Secure Sockets Layer (SSL)

• network security
  • freedom from network attacks
  • freedom from illegal activities
• goal of achieving network security -- provided by SSL
• disagreement: RSA encryption only ???
  • I see -- yes, this is true for HTTPS (but SSL will allow other implementations as well)
• example -- e-commerce
  • authentication of protocol
• disagreement: public key used for encryption ???
  • I should look this up, is this absolutely true for SSL vs HTTPS?
  • do some versions do in fact use RSA instead of block ciphers?