```
Studying for Security Midterm

A principal is something that makes a statement (a "says" statement). A key is an example of a principal.

TCB (trusted computing base): the small set of components on which all of our trust rests. So we want to minimize what has to be trusted.

p.s means "who p calls s".
key(s) means promoting the key s to be a principal, so now it can make "says" statements. Essentially it can be read as "whoever owns the key s".

Computational infeasibility: for every probabilistic polynomial-time (PPT) adversary A there is a negligible function v_A that bounds A's success probability for lambda large enough, where negligible means v_A(lambda) < 1/p(lambda) for every polynomial p.

Message Authentication Code (MAC). Symmetric.
(G, T, V), a triplet of functions.
G outputs a secret key K.
T takes a key K and a message m, and outputs a tag t.
V takes a message, a tag, and the key K, and outputs a bit saying whether the tag was made for that message under K.
Computationally infeasible to generate a matching (m, t) pair without knowing K, even given other verified pairs.

Digital Signatures. Asymmetric. Also a triplet (G, S, V).

G outputs a public and a private key.
S generates a signature from the private key and the message.
V uses the public key to verify that the signature on the message was created with the private key.
Computationally infeasible to generate a matching (message, signature) pair without the private key.

Hash function:
Maps an arbitrary-length input x to a fixed-bit-length output y = h(x).
Preimage resistance: given y, computationally infeasible to find an x with h(x) = y.
2nd preimage resistance: given an x, computationally infeasible to find another x' such that h(x) = h(x').
Collision resistance: computationally infeasible to find any pair x != y such that h(x) = h(y).

"K signed x" means that the message x has been signed by the key K.

Roles and namespaces (a slight abuse of the notation): N.D means N running program D, or N acting as D.

A channel can "speak for" a principal, meaning messages received over that channel should be considered to be issued by the principal it speaks for.

Trusted Platform Module (TPM): hardware component resistant to software and some hardware tampering. It keeps a running record of what ran on the machine, stored in PCRs (platform configuration registers).

Secure boot: actually check the TPM's PCR values against the expected values.

Certificate Revocation Lists (CRLs): lists that revoke all certificates whose private key may have been compromised.

DNS Security (DNSSEC): keeping the current way DNS works, I think, would require all root servers' public keys to be embedded in hardware.

BGP false origin: an AS claims to be directly connected to an address block when it isn't.
BGP false path: an AS claims to have a path it doesn't have.

Protected by RPKI: IANA provides each AS a certificate stating that it owns a certain address space. This prevents false origin.
BGPSEC: false path is protected by each AS signing the path it advertises.

Goals of secure communication:
1. Confidentiality (secrecy)
2. Integrity (data stays the same)
3. Identity (who you’re talking to)

Existential forgery: adversary forges a signature on one message, not necessarily of their choice.
Selective forgery: adversary can forge signatures on some messages of their choice.
Universal forgery: adversary can forge a signature on any message.
Total break: adversary learns the private key.

Pseudorandom function: the adversary's ability to distinguish pseudorandom output from truly random output is bounded by a negligible function (see computational infeasibility).

Pseudorandom functions make good MACs.

Counter mode (think "counting"): given a key K and your function f_K, pick a random initialization vector r, run r+1 through f_K and XOR the result with message block 1, then do the same with r+2 for block 2, and so on.

CPA-secure: given an encryption oracle and a test oracle, the adversary can't tell which of the two messages it passed to the test oracle got encrypted (its advantage over guessing is bounded above by v_A). Sort of have to think that between two runs, the encryption of the same thing has to change; otherwise this isn't satisfied.

ECB encryption (Electronic Code Book): just run f_K on each block of the message and concatenate the ciphertexts.

CPA-secure encryption must be non-deterministic or stateful.

Stateful counter mode: the initialization vector for later encryptions is derived from the state left by your first run of the encryption (the counter keeps going). The first r should be initialized randomly.

Cipher Block Chaining (CBC): XOR the previous block's ciphertext into the current message block before running the result through the function. The initialization vector is initialized randomly.

CCA (chosen ciphertext attack): the adversary is given a decryption oracle as well. Both counter mode and CBC can be broken with these oracles.

Lunchtime attack: the adversary can query the decryption oracle only before the padding/test oracle.

It is usually leaked whether a packet's padding was valid or not; consider this a padding oracle. Padding oracles break CBC and counter mode, but counter mode can be done without padding. Public-key systems are also vulnerable to padding attacks.

Hierarchy of security protocol specifications:
Aliveness: if A initiates and completes a run of the protocol, apparently with B, then B was previously running the protocol.
Weak agreement: the same, but now B was apparently running it with A.
Non-injective agreement: the above, but A and B also agree on the values in the protocol.
Agreement: all of the above, but each run is unique (a 1-to-1 correspondence between A's runs and B's runs).
(Strengthen all of these by adding "recent" on B's part.)

Be sure a timestamp is grouped with a nonce; otherwise it's not useful for freshness.

Type flaws: when one field in a message is confused with another field, or with several.

Parallel session attacks: two or more protocol sessions are executed concurrently. The attacker can get answers by asking the victim the same questions and relaying the victim's answers. It can also be like a man-in-the-middle: run the protocol with the intended destination of the request but with different parameters, making the victim think the key it's getting is someone else's when it's really the attacker's.

Bastion host: a computer that needs to be secured with great care because it's in a vulnerable position, usually exposed to the Internet.
Dual-homed host: has two NICs, interfacing between two networks.
Perimeter network (DMZ): a network acting as a buffer between the internal network and the open Internet.
Choke router: gateway to the interior network.
Access router: gateway to the perimeter network.

Screened host: bastion host on the internal network, with just a screening box between external and internal (no perimeter network).
Screened subnet: perimeter network with a bastion host and two screening routers. No single point of failure.
Split-screened subnet: a dual-homed host separating two parts of the perimeter network.
Independent screened subnets: allows redundancy, with two portals to the outside world (each with its own perimeter network and bastion host), and isolates the traffic on each. An ISP might use something like this; it could put all inbound traffic on one side and all outbound traffic on the other.

Danger: multiple interior routers connected to the same perimeter network means internal traffic could be routed over the perimeter network.
```
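The MAC triplet (G, T, V) and the counter-mode notes above, worked through as an added example that is not part of the original notes. It assumes HMAC-SHA256 as the PRF f_K (a stand-in for a block-cipher PRF) and uses it both as the MAC tag function T and as f_K in counter mode; it also shows why a fixed IV makes the scheme deterministic, and the stateful variant whose counter continues across runs.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

BLOCK = 32  # bytes per block: the output size of our f_K (SHA-256)


def G() -> bytes:
    """Key generation: a fresh 256-bit secret key K."""
    return os.urandom(32)


def f(K: bytes, x: bytes) -> bytes:
    """Assumed PRF f_K: HMAC-SHA256 keyed with K."""
    return hmac.new(K, x, hashlib.sha256).digest()


# MAC triplet (G, T, V): a PRF makes a good MAC, so T is just f_K.
def T(K: bytes, m: bytes) -> bytes:
    return f(K, m)


def V(K: bytes, m: bytes, t: bytes) -> bool:
    # constant-time comparison so the verifier itself leaks nothing about the tag
    return hmac.compare_digest(T(K, m), t)


def _keystream(K: bytes, r: int, nblocks: int) -> bytes:
    # counter blocks r+1, r+2, ... run through f_K, exactly as in the notes
    return b"".join(f(K, (r + i).to_bytes(16, "big")) for i in range(1, nblocks + 1))


def ctr_encrypt(K: bytes, m: bytes, r: Optional[int] = None) -> Tuple[int, bytes]:
    """Counter mode. r is the IV; None draws it at random (the CPA-secure use).
    Passing a fixed r models a deterministic scheme, which is not CPA-secure."""
    if r is None:
        r = int.from_bytes(os.urandom(16), "big") >> 1  # keep r + counter in 16 bytes
    nblocks = (len(m) + BLOCK - 1) // BLOCK  # no padding: only len(m) keystream bytes used
    ks = _keystream(K, r, nblocks)
    return r, bytes(a ^ b for a, b in zip(m, ks))


def ctr_decrypt(K: bytes, r: int, c: bytes) -> bytes:
    return ctr_encrypt(K, c, r)[1]  # XOR with the same keystream recovers m


class StatefulCTR:
    """Stateful counter mode: first r is random, later runs continue the counter."""
    def __init__(self, K: bytes):
        self.K, self.r = K, int.from_bytes(os.urandom(16), "big") >> 1

    def encrypt(self, m: bytes) -> Tuple[int, bytes]:
        r, c = ctr_encrypt(self.K, m, self.r)
        self.r += (len(m) + BLOCK - 1) // BLOCK  # next run starts past the used counters
        return r, c
```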