1. Security Procedures Y.C. Stamatiou Department of Mathematics, University of Ioannina and Research and Academic Computer Technology Institute Master Program in Web Science, Veroia, March 2010

2. Cryptography! It is all about the following simple, but highly important, scenario:

3. Cryptanalysis

6. An algorithm ! The “program” below computes the difference between two positive integers m and n ( only if m > n, otherwise it “returns” 0) given in the form 0 m 10 n on the tape of the Turing machine ( isn’t it, a bit, reminiscent of good, old Assembly?): q 0 q 1 q 2 q 3 q 4 q 5 q 6 0 (q 1 ,#, Δ) (q 1 , 0 , Δ) (q 3 , 1 , Α) (q 3 , 0 , Α) (q 4 , 0 , Α) (q 5 ,#, Δ) - ( stops ) 1 (q 5 ,#, Δ) (q 2 , 1 , Δ) (q 2 , 1 , Δ) (q 3 , 1 , Α) (q 4 ,#, Α) (q 5 ,#, Δ) - ( stops ) # - ( hangs ) (q 4 ,#, Α) (q 0 , # , Δ) (q 6 , 0 , Δ) (q 6 ,#, Δ) - ( stops )

8. Observe how the functions that are bounded from above by a polynomial have “reasonable” rate of increase !

9. Two important time complexity classes of problems P : Problems for which there exists a polynomial time deterministic Turing machine (algorithm) that solves them NP : Problems for which no polynomial time deterministic Turing machine has been discovered, yet, that solves them but for which a polynomial time non -deterministic Turing machine exists!

10. Integers! God made the integers; all else is the work of man Leopold Kronecker (1823 – 1891)

28. Public key cryptography

50. Details of the impersonation attack Step 1: Eve, acting as both herself and Alice, attempts to authenticate herself to Bob as both herself and Alice. Step 2: Bob, as he should, replies with two nonce challenges. Eve gets her nonce but, at the same time, intercepts the nonce directed to Alice. Step 3: Eve answers both challenges. Eve, naturally, can only send a wrong reply on behalf of Alice. She can, however, swap her response with Alice’s before contacting Bob. Step 4: Bob receives both responses and contacts Trent for translation. Step 5: Trent responds. One response consists, as expected, of garbage. The other respond, for Alice, is of course correct. Bob gets, correctly, back the challenge he issued for Alice and then authenticates Eve as Alice!

52. The Needham-Schroeder Key Exchange Protocol Step 1: Alice tells Trent what she is requesting Step 2: Trent gives Alice the session key and gives Alice a package to deliver to Bob. Step 3: Bob can get the session key, and the identity of who he is talking with (verified because it came from Trent). Step 4: Bob sends Alice a challenge Step 5: Alice answers challenge

54. The morale?

55. We will look into how theory and practice meet using two working systems: e-Lotteries! e-Voting!

58. An overview of the system Agencies Coupon File &Audit Information Audit Information Audit Information Audit Information Data to Optical Signal Connected in high Availability Configuration Optical Fibre Converter To TV Station Telephone lines Lottery Organization Computer Verifier Gen1 Gen2

63. Design Considerations Randomness Sources Approaches Disadvantages Advantages Common (e.g. as given by Java) Pseudorandom Number Generators Algorithm is susceptible to clever attacks Uniform distributed numbers Cryptographically Secure PNG In principle they could be guessed, given the initial state. Guessing is intractable however! Based on deterministic algorithms Handles the disadvantage above Truly Random Number Generators Physical processes often obey specific distribution laws They depend on environmental parameters (e.g. temperature) Hard to reproduce their output Non deterministic method, truly random output

69. A high-level description of the protocol Exchange keys for encryption & A private /public key for signature GEN1 VERIFIER Idle Drawing Initiation signal Random bits from the TRNG Hash value of the Coupon’s file Bit-commitment &Signature Seed 1 Seed 2 XOR NR function Generate the Numbers From PRNG Verify and decrypt Seeds & nums Encrypt and sign Seeds & numbers Verify that Gen1Commited on the True seeds From the retrieved seeds Regenerate the numbers System Failed SUCCESS! Check the numbers

70. Time Table 6 min before the Draw time 3 min later: If the verifier hasn’t received the numbers, he sends Initiation Signal to Gen2 Gen2 produces the numbers in 3 minutes, on time, with the same processes of the Gen1 Verifier GEN1 Draw initiation signal GEN2 Initiation signal GEN2

81. The trust-centered approach

96. CGS97 - The Protocol

106. Step 1: Context Identification Risk Analysis and Management ( 3/11) Abstract Class Diagram Activity Diagram Use Case DIagram

107. Step 1 ( continues ) Risk Analysis and Management (4/11) Example of Time Sequence Diagram (Decryption and Calculation of Result)

108. Step 2: Risk Identification Risk Analysis and Management (5/11) Part of high-level risk table Who/what causes it? How? What is the incident? What does it harm? What makes it possible? Keyholders Disclosure of secret keys Corrupted Keyholders (software ) Voter Disclosure of credentials ( id , password , πιστοποιητικό) to another person Malicious Voter EA Vote Alteration Corrupted ΕΑ EA Vote disclosure Corrupted ΕΑ EA Tallying error Software Error EA Result Alteration Corrupted ΕΑ Coercer Voter coercing Lack of monitoring during remote vote casting Hacker Vote Alteration Insufficient Security Hacker Final result Alteration Insufficient Security

109. Step 2 ( continues ) Risk Analysis and Management (6/11) Part of HazOp Table Asset : Keys Κ i (step 1) Guideword Threats Likelihood Consequence Countermeasures Manipulation Alteration of key generator operation by authorized person Small Keys are not secret or are not random Testing of key generator before elections Restricted access to software Disclosure Disclosure of some K i by their holders Medium Corruption in elections is possible Key sharing (k out of k). In order for the overall Key to be disclosed, all keyholders need to disclose their keys Programming Ε rrors Errors in generator software Medium The keys are not randomly generated ( fake randomness ). The keys do not satisfy the requirements (e.g. length) Application of good programming practices. Extensive testing and debugging. Use of secure random number generators

110. Step 2 ( Continues ) Risk Analysis and Management ( 7/11) Fault Tree Diagram (ITEM Toolkit)

112. Step 3 ( Continues ) Risk Analysis and Management (9/11) Qualitative assessment of Consequence using FMEA ID Function/ Entity Failure Mode Effects Causes Consequences Local System wide 1 GenerateElGamalParameters (size) Size parameter is not available in system config file The public parameters may not be created System initialization is not possible Config file is not properly updated by system administrator. Access to config file/database is not possible Voting process may not begin 2 Publish(elGamalParameters) Bulletin Board is not updated with the public parameters Keyholders may not produce keys System initialization is not possible Connection to database is not possible Voting process may not begin

113. Step 4: Risk Assessment Risk Analysis and Management (10/11) Risk Categorization Matrix Consequence Value Likelihood Value Rare Unlikely Possible Likely Certain Insignificant Minor 4, 10, 12, 30, 31 29, 32, 34, 35, 36, 39, 40 14 Moderate 3 8, 22 Major 1, 9, 21, 23, 26, 27 7, 17 , 20, 24, 25, 28, 33, 37 13 Catastrophic 2, 5, 11, 47 6, 15, 16, 18, 19, 41, 43, 44, 45, 46 38, 48, 49 42

114. Step 5: Risk Treatment (taken into account in the design/implementation phases) Risk ID Description Risk Level Treatment options - measures Risks with regard to Partial Keys disclosure or non-availability 2 Disclosure of some of K i by their keyholders Extreme The disclosure of partial keys would be catastrophic, as it would allow the decryption of individual votes and the final result by unauthorized parties (or even the EA) Threshold cryptography techniques are used as a countermeasure. Such techniques require for at least t out of n keyholders to cooperate for the conduction of the elections. Moreover, colluding interests of the keyholders discourage potential alliances among them. For ultimate security, we suggest that t=n, which means that all keyholders need to cooperate. 5 Some of the K i are not available Extreme

124. 5. Trust by extensive logging and auditing of system activities (logging and auditing activities are scheduled on daily basis, results available for public scrutiny). 6. Trust by contingency planning (failures in system that offer e-services are not acceptable, contingency plan publicly available). 7. Trust by regulation and laws (system operator introduces suitable legislation for the protection of the public in case of mishaps). 8. Trust by reputation and past experience (the involvement of engineers and experts should be accompanied by credentials that prove their expertise). Convincing the public

131. High availability and fault tolerance: mon, heartbeat, and coda (1/2)

133. Database replication: Slony-I (2/2)

134. Heartbeat and Slony-I: An architecture for high availability and fault tolerance

136. Performance aspects/ System simulation Network architecture: Directed Acyclic Graph (DAG) Traffic: open Jackson network of M/M/1 queues (Poisson distributed arrival rate – exponentially distributed service rate – one server – unlimited queue size) Voters’ arrival behavior: Weibull distributed with a peak around noon Simulation tool: Uses the CSIM 19 (C and C++) simulation library

137. Performance aspects/ System simulation Shifted Weibull distribution with parameters α = 2.5, b = 5 and t 0 = 8 Time interval λ s i [8:00,10:00) 5.67 [10:00,12:00) 10.32 [12:00,14:00) 6.70 [14:00,16:00) 2 [16:00,18:00) 0.26 [18:00,20:00) 0.026 Time interval s i (incoming vote rate) [8:00,10:00) 0.11 [10:00,12:00) 0.20 [12:00,14:00) 0.13 [14:00,16:00) 0.039 [16:00,18:00) 0. 005 [18:00,20:00) 0. 0005

138. Performance aspects/ System simulation

148. The Complex Multiplication Method Input:an integer D Calculate the Hilbert polynomial H D (x) YES Is one of them suitable? Choose prime p = x 2 +Dy 2 and find integers (x,y) Possible orders: m = p+1  2x NO Calculate the roots of the Hilbert polynomial From every root generate a pair of ECs Find the EC which has order m

155. Architecture

156. Architecture

163. Threshold phenomena in other problems: 3-SAT Many combinatorial problems exhibit a threshold behavior: Instances generated with their critical parameter (clause/variable ratio in 3-SAT) around the value (4.2 in 3-SAT) that marks the transition from almost certain solubility (satisfiability in 3-SAT) to almost certain insolubility , seem to be among the hardest to solve with the best of algorithms available PROBLEM: Proof of existence and calculation of the critical value