IT Security. Workshop Hot-Spots der Software-Entwicklung. 19. Februar Technische Universität München Institut für Informatik

Transkript

1 Workshop Hot-Spots der Software-Entwicklung IT Security 19. Februar 2013 Technische Universität München Institut für Informatik Software & Systems Engineering Prof. Dr. Dr. h.c. Manfred Broy BICC-NET Bavarian Information and Communication Technology Cluster Florian Deißenböck Daniel Méndez Fernández

2 Inhaltsverzeichnis 1 Einleitung 3 2 Teilnehmerliste 4 3 Programm 5 4 Das Sicherheitsnetzwerk München Peter Möhring 6 5 Sicherer Browser Schutz des Einfallstors Reto Weber 21 6 Einsatz von Zertifikatssystemen im Internet Jamshid Shokrollahi 42 7 Chipkartenbetriebssysteme Gefahrenpotentiale und Gegenmaßnahmen Helmut Scherzer 51 8 Cybersecurity-as-a-Service: strategische und technische Herausforderungen Philipp Müller, PeterRehäusser 66 2

3 1 Einleitung Durch die fortschreitende Digitalisierung und Vernetzung von Software-intensiven Systemen und Diensten sowie die daraus resultierende Bedrohung durch Angriffe nimmt das Thema IT Security eine immer zentralere Rolle ein. Ein besonderes Augenmerk gilt dabei der Sicherstellung der Verfügbarkeit, Integrität und Vertraulichkeit von Software-Systemen und deren Infrastruktur. Diese Aspekte müssen in allen Phasen des Software-Entwicklungsprozesses unter Einsatz geeigneter Methoden und Verfahren berücksichtigt werden. Betroffen hiervon sind nicht nur klassische betriebliche Informationssysteme, wie sie beispielsweise im Finanzdienstleistungssektor vorzufinden sind, sondern auch eingebettete Systeme, z.b. in den Bereichen Automobil und Avionik. Ziel dieses Workshops ist es, zum besseren grundsätzlichen Verständnis des Themas IT Security beizutragen und konkrete Erfahrungen aus der Praxis bzgl. des erfolgreichen Einsatzes unterschiedlicher Verfahren auszutauschen, aber auch über Erfahrungen mit dem Einsatz von Verfahren, die sich als weniger geeignet erwiesen. Themen sind unter anderem: Strategische und technische Herausforderungen der IT Security Überblick über Konzepte und Methoden zur Lösung derselben Einsatz von Zertifikatssystemen Cybersecurity & Zugangskontrolle 3

4 2 Teilnehmerliste Josef Wernke, Eurocopter Deutschland GmbH Stefan Finkenzeller, BLB Thomas Mey, Münchner Rück Dr. Florian Deißenböck, Technische Universität München Thomas Schön, Software Tomography Dr. Claudia Salazar Dorn, NTT Data Deutschland GmbH Helga Stephan-Dreinhoff, IBM Stefan Prechtl, ESG GmbH Alexander Bluhm, Gesellschaft fÿr Netzwerk- und Unix-Administration mbh Olaf Kaudelka, EADS Gabriele Käsberger-Hoschek, EADS Dr. Heinrich Hördegen Ingenieurbüro Guttenberg & Hördegen Dr. Martin Wechs, BMW Group Jan Philipps, Validas AG Manuel Then, Technische Universität München Bertram Janositz, CIBOteam esolutions AG Michael Schulz, EADS Michael Greulich, Interface AG Dr. Oscar Slotosch, Validas AG Klaus Lochmann, Technische Universität München Nils Oppermann, Audi Electronics Venture GmbH Dr. Daniel Méndez, Technische Universität München Christopher Schulz, SYRACOM Consulting AG Helmut Scherzer, Giesecke & Devrient GmbH Dr. Jamshid Shokrollahi, Bosch GmbH Peter Möhring, BICCNET-Clusterbüro I&K Dr. Philipp Müller, CSC Reto Weber, Consecom AG Martin Luy, ESG GmbH Roman Kochanek, Audi Stefan Kassal, MaibornWolff et al GmbH Jakob Tewes, MaibornWolff et al GmbH Kurt Meindl, Lorenz Software GmbH Norman Thomson, ATOSS Ovidiu Stan, ATOSS Dr. Philipp Guttenberg, Ingenieurbüro Guttenberg & Hördegen Bernhard Weber, msg systems ag Carsten Genth, ASM Assembly Systems Michael Spreng, Arcor AG & Co. KG Prof. Dr. Reiner Hüttl, Fachhochschule Rosenheim Walter Trapa, BMW Group Rainer Bitzer, Bosch GmbH Ümit Kusdogan, ABSC GmbH Carsten Tauss, ABSC GmbH Peter Rehäusser, CSC Christine Rittinger, Münchner Rück Tomas Benes, OSD Open Systems Design GmbH 4

5 3 Programm 13:30 Begrüßung Manfred Broy, Technische Universität München 13:45 Das Sicherheitsnetzwerk München Peter Möhrung, Sichernetzwerk München 14:30 Sicherer Browser Schutz des Einfallstors Reto Weber, Consecom AG 15:15 Kaffee-Pause 15:30 Einsatz von Zertifikatssystemen im Internet Jamshid Shokrollahi, Robert Bosch GmbH 16:15 Chipkartenbetriebssysteme Gefahrenpotentiale und Gegenmaßnahmen Helmut Scherzer, Giesecke & Devrient 17:00 Kaffee-Pause 17:15 Cybersecurity-as-a-Service: strategische und technische Herausforderungen Philipp Müller, PeterRehäusser, CSC 18:00 Abschlussdiskussion 18:30 Empfang 5

6 4 Das Sicherheitsnetzwerk München Peter Möhring Sicherheitsnetzwerk München Peter Möhring 19. Februar 2013, TU München, Garching 6

7 Vorgeschichte BMBF Spitzenclusterwettbewerb 2011 AISEC & G&D initiieren Netzwerk Skizze und Strategie Nominierung scheitert Januar 2012 Positive Netzwerkeffekte, Relevanz der Thematik Fortsetzung des Clusters Unterstützung durch Bay. Wirtschaftsministerium Einrichtung einer Geschäftsstelle am 1. Oktober 2012 Sicherheitsnetzwerk München, 19. Februar 2013 Forschung Sicherheitsnetzwerk München, 19. Februar

8 Forschung Industrie Sicherheitsnetzwerk München, 19. Februar 2013 Forschung Industrie Anwender Sicherheitsnetzwerk München, 19. Februar

9 Bündelung von Innovationskompetenzen Sicherheitsnetzwerk München, 19. Februar 2013 Warum dieses Netzwerk? IKT als Innovationstreiber IT-Sicherheit ist ein Wirtschaftsfaktor und schafft neue Märkte IT-Sicherheit unterstützt relevante Exportindustrien Vertrauenswürdigkeit, Manipulationsschutz, Wahrung der Privatsphäre, Verläßlichkeit in den Anwendungen notwendig München hat höchstes Wirtschafts- und Forschungsniveau in Deutschland und Europa im Bereich IT-Sicherheit Sicherheitstechnologien Made in Germany als langfristiger Wettbewerbsvorteil deutscher Anbieter Sicherheitsnetzwerk München, 19. Februar

10 Sicherheitsnetzwerk München, 19. Februar 2013 Warum dieses Netzwerk? IKT als Innovationstreiber IT-Sicherheit ist ein Wirtschaftsfaktor und schafft neue Märkte IT-Sicherheit unterstützt relevante Exportindustrien Vertrauenswürdigkeit, Manipulationsschutz, Wahrung der Privatsphäre, Verläßlichkeit in den Anwendungen notwendig München hat höchstes Wirtschafts- und Forschungsniveau in Deutschland und Europa im Bereich IT-Sicherheit Sicherheitstechnologien Made in Germany als langfristiger Wettbewerbsvorteil deutscher Anbieter Sicherheitsnetzwerk München, 19. Februar

11 Sicherheitsnetzwerk München, 19. Februar 2013 Industriegetrieben mit wirtschaftlichem Fokus Integrierte Erforschung, Entwicklung und schnelle Vermarktung innovativer Sicherheitstechnologien und Produkte Made in Germany Ausbau von Weltmarktstellung der beteiligten Unternehmen Deutschland mit München zum weltweit führenden Standort im Bereich IT-Sicherheit entwickeln Sicherheitsnetzwerk München, 19. Februar

12 Sicherheitsnetzwerk München, 19. Februar 2013 Umfeld des Clusters Politik IT Gipfel Underground economy Digitale Gesellschaft Mobilgeräte und Vernetzung Neue Geschäftsmodelle Sicherheitskonferenz Sicherheitsnetzwerk München, 19. Februar

13 Geschäftsstelle: Schwerpunktziele Aufstellung und Koordinierung von F&E Kooperationsprojekten Standort- und Branchenstärkung Netzwerkarbeit Übergreifende Themen: Forschung, Fachkräfte, Trends, Sicherheitsnetzwerk München, 19. Februar 2013 Maßnahmen 2013 Clusterkonferenz: Ermittlung neuer Kooperationspotenziale Kompetenzübersicht aller Mitglieder Anbahnung von Fördervorhaben, Konsortienbildung Platzieren von Themen in Förderprogrammen Bildung von Arbeitskreisen Schaffung einer Kommunikationsplattform Neue Partnerschaften (auch international) Schaffung informeller Austauschmöglichkeiten Beeinflussung politischer Gestaltungsaufgaben Gewinnung neuer Mitglieder Sicherheitsnetzwerk München, 19. Februar

14 Projektvorhaben Sicherheitsnetzwerk München, 19. Februar 2013 Verbundprojekte 1. SIBASE 2. ICEMAN 3. SIKOMFAN 4. Ambient security (neu) 5. Trust ME 6. Secure Appstore (neu) 7. Lagebild (neu) Sicherheitsnetzwerk München, 19. Februar

15 Schwerpunkt Mobile Endgeräte Sicherheitsnetzwerk München, 19. Februar 2013 Mobile werthaltige Dienste Sicherheitsnetzwerk München, 19. Februar

16 Eisattacke (cold boot) Sicherheitsnetzwerk München, 19. Februar 2013 TEE Sicherheitsnetzwerk München, 19. Februar

17 Sichere eingebettete Systeme Sicherheitsnetzwerk München, 19. Februar 2013 Schutz kritischer Infrastrukturen Sicherheitsnetzwerk München, 19. Februar

18 Sicheres Cloud Computing Sicherheitsnetzwerk München, 19. Februar 2013 Anwendungsorientierte Technologien Sicherheitsnetzwerk München, 19. Februar

19 Verbundprojekte: Zukünftige Fördermöglichkeiten LANDESEBENE Hoher Freiheitsgrad, Direktbeantragung auch ohne calls Kleine, effiziente Konsortien, geringeres Projektvolumen Industrieorientiert (wenn von Bay. WiMi gefördert) BUNDESEBENE Geringerer Freiheitsgrad durch vorgebene calls Größere Konsortien mit höherem Projektvolumen möglich Eher forschungsorientiert (speziell BMBF) EU-EBENE Horizon 2020 Internationale Konsortien, hohes Projektvolumen möglich Sicherheitsnetzwerk München, 19. Februar 2013 Verbundprojekte: Organisation, Rolle der Geschäftsstelle ORGANISATION Konsortien mit eigener Projektkoordination Konsortien sind für Beantragung und Durchführung der Verbundprojekte selbst verantwortlich ROLLE DER GESCHÄFTSSTELLE Unterstützung in Anbahnung, Beantragung und Durchführung Schaffung von Projekttransparenz für alle Mitglieder Plattform und Drehscheibe für Mitgliederkoordination, sowohl inhaltlich als auch organisatorisch Sicherheitsnetzwerk München, 19. Februar

20 Fragen Sicherheitsnetzwerk München, 19. Februar

21 5 Sicherer Browser Schutz des Einfallstors Reto Weber Bleicherweg 64a, CH-8002 Zürich,

22 Experienced IT Risk/Security Professional Consecom AG Senior Security Consultant Reto Weber Employment History IT Risk Officer, Credit Suisse AG CERT Analyst, Credit Suisse AG IT Security Engineer, UBS AG Education CAS in Risk Management, University of Zürich emba in International Management, Kalaidos Zürich Master in Information Technology, Bond University Australia Consecom AG -- We Secure Your Solutions Slide 2 Consecom your partner for securing technology Clients Main clients: SME, and major Swiss/international enterprises and organization of all sectors. Location of work: primarily in Switzerland and neighboring countries. Services Design Build Review concepts, strategies, policies, organization, processes, secure solutions programming, integration, special engineering audits, security reviews, risk assessments, penetration tests, technology assessments, organizational and process reviews History Founded in 2007 as a management buy out. Privately owned, substantial growth to seven employees today Consecom AG -- We Secure Your Solutions Slide 3 22

23 Agenda Problem Method Analysis Solution Experience Objectives Present lesson learned from a joining development with a University Exchange of experience of product development lifecycle Show result: a secure browser solution Consecom AG -- We Secure Your Solutions Slide 4 Global news about virus infections Earlier this month, security researchers discovered a new piece of malware had infected more than half a million Apple computers in what was the largest-scale attack on Apple s Mac OS X operating system to date. Nytimes, 04/2012 Unbekannte haben einem Bericht von Amorize zufolge zahlreiche Onlineshops mit einer veralteten Version von oscommerce zur Verbreitung von Schadcode missbraucht. Die Angreifer nutzten mindestens drei bekannte Schwachstellen in der Version 2.2. heise.de 08/2011 A serious flaw in the Java software found on most personal computers could expose the machines to being taken over by malicious attacks over the internet, the US agency responsible for policing such vulnerabilities warned on Thursday. ft, 01/2013 It s a scenario security researchers have long worried about, a man-in-the-middle attack that allows someone to impersonate Microsoft Update to deliver malware disguised as legitimate Microsoft code to unsuspecting users. wired.com 06/2012 A new piece of Mac malware has been discovered on a Web site linked to the Dalai Lama, using a well-documented Java exploit to install a Trojan on visitors' computers and steal personal information. cnet.com 12/2012 Hackers are increasingly targeting childfocused gaming websites, according to a leading anti-virus firm. Avast says it detected malware threats at more than 60 sites that contained "game" or "arcade" in their title, in the 30 days running up to 12 January. 01/2012 bbc.co.uk Consecom AG -- We Secure Your Solutions Slide 5 23

24 Malware is today one of the major threats and frequently used to attack Threat Agent: No clear pictures of attacking agents. Educated guesses possible e.g. profit driven, organized crime. Threat Facts: Malware shows an exponential growth since years. Various method of infection vectors: mail, USB, social engineering, remote exploit, web-browsing. Impact: Massive infection rate on end-user desktop environments. Key question, are you at risk or not (large unreported cases)? Results: Breaches in Confidentiality, Integrity and Availability Multiple second order effects Consecom AG -- We Secure Your Solutions Slide 6 Most infections come through the browser channel Infected systems: Web technologies are mostly used to place malware. Source Microsft.com Consecom AG -- We Secure Your Solutions Slide 7 24

25 Drive By Infection is a common issue 1 Open page 2 Send Exploit 3. Compromise Consecom AG -- We Secure Your Solutions Slide 8 25

26 Problem Methods Analysis Solution Experience Consecom AG -- We Secure Your Solutions Slide 10 Multiple areas with limited influence Measure Reduce complexity in web-pages Improve security with web-pages Extend to cloud-av solutions Change user-behavior Reduce EuP flexibility and usability Myth: Keyboard encryption Feasibility / Applicability No governance; not applicability No governance; limited reach Partial success; confidentiality breach Only partially applicable Change in working model; limited reach There is no keyboard encryption! EuP: End-user Platform Consecom AG -- We Secure Your Solutions Slide 11 26

27 Where can we start Conclusion: Start with the web-browser Browsers, an integral part of the operating system. Provide a platform based on international standards/languages (HTML, http, CSS, JavaScript, ). Having a super secure browser would reduce the risk of infection dramatically Consecom AG -- We Secure Your Solutions Slide 12 EuP: End-user Platform 27

28 Problem Methods Analysis Solution Experience Consecom AG -- We Secure Your Solutions Slide 14 The security product has multiple dimentions Dimensions Criteria Trust Administrator and manufacturer trust (prerequisite) Life-cycle trust (deployment and update) Threat Coverage On-line (in-bound): Vulnerabilities in applications Off-line threats: Malicious host At run-time At rest Protection Methods to protect from infected hosts Isolation Methods to isolate applications from infected hosts Integration Capabilities to integrate into standard work process Deployment Method and scalability Maintenance Patch and update capabilities, and scalability Usability Technological user support Weaknesses Limitations and weaknesses Consecom AG -- We Secure Your Solutions Slide 15 EuP: End-user Platform 28

29 Overview Secure Browser Browser on USB Stick, Hardened Web-browsers Browser Sandbox, Hardened Web-browsers Browser on Native Boot-Platform VM Browser in VM Consecom AG -- We Secure Your Solutions Slide 16 A USB stick or «wrapper» approaches Design Paradigm Run on shared commodity platform Hardened Web-Browser Application Application Share of central operating system tables Commodity Operating System Interrupt Vectors Memory Map Exemplary implementation variants Hardened Web-Browser Application Application USB-stick based web-browser Windows Hardened web-browser by platform extension, e.g. Trusteer Rapport Consecom AG -- We Secure Your Solutions Slide 17 29

30 Main weakness is a shared platform Dimensions Criteria Details Trust Life-cycle trust High trust for stick rollout, common otherwise Threat Coverage On-line (in-bound) Off-line threats: Malicious host At run-time At rest Gradual improvement against known threads (Low) gradual improvement Only if stored on read-only medium Protection Capabilities Application internal only Isolation Method None Integration Capabilities Stick: limited; Platform: full Deployment Method and scalability Stick: shipment; Platform: software Maintenance Method and scalability Stick: replacement, both: incremental updates Usability Support by technology Stick: non-ie; browser independent Weaknesses Limitations Shared platform Web-browser only protection Consecom AG -- We Secure Your Solutions Slide 18 A USB stick or CD boot systems Design Paradigm Boot-off clean OS from dedicated media Requires respective interface Provides conceptual improvement only with trusted read-only media Exemplary implementation variants Controlled Application 1 Isolation LPS Controlled Application 2 Isolation Hardened OS User Space SELinux Mandatory Access Control Minimal Linux Kernel Controlled Application 3 stateful firewall c t bankix: Linux Knoppix (Debian)-based boot-cd Lightweight Portable Solution (LPS) by US DoD: Hardened Linux for remote access Consecom AG -- We Secure Your Solutions Slide 19 30

31 Usability and mobile technology makes it harder to use Dimensions Criteria Details Trust Life-cycle trust No protection of image at download Threat Coverage On-line (in-bound) Off-line threats: Malicious host At run-time At rest Platform hardening No exposure. If stored on read-only medium Protection Capabilities Hardened Linux platform Firewall Isolation Method Native boot Integration Capabilities None (remote access only) Deployment Method and scalability CD image download Maintenance Method and scalability None, full image deployment Usability Support by technology Base-installation too complicated Weaknesses Limitations No integration, no incremental maintenance no image-protection Consecom AG -- We Secure Your Solutions Slide 20 A VM system to browse resolves a lot problems. Design Paradigm Run web-browser in a VM Application 1 (Browser) Application 2 (PDF-Reader) Application 3 (Flashplayer) Isolate web-browser from host Virtualization layer Separate OS constrained disk access Debian Linux Virtual Machine Isolation Windows Exemplary implementation BitBox Browser in the Box by German BSI/Sirrix AG Consecom AG -- We Secure Your Solutions Slide 21 31

32 Generally OS independent Dimensions Criteria Details Trust Life-cycle trust Update-only Threat Coverage On-line (in-bound) Off-line threats: Malicious host At run-time At rest Technical improvement (Standard Linux) Gradual improvement Only if stored on read-only medium Protection Capabilities Isolation by VM, controlled read-write Isolation Method Platform virtualization by VMs Integration Capabilities Integrated for default-browser launch Constrained data exchange Deployment Method and scalability Full image deployment Maintenance Method and scalability Standard Debian update mechanisms Usability Support by technology Base-installation too complicated Weaknesses Limitations Protection by standard Linux combined with Oracle VirtualBox abstraction Consecom AG -- We Secure Your Solutions Slide 22 32

33 Problem Methods Analysis Solution Experience Consecom AG -- We Secure Your Solutions Slide 24 Security Enhanced Linux the answer to the web-infection problem Objective Protect a system against unauthorized access/execution Function A technical policy enforcement framework. Any operation executed is validated by a security filter prior to execution. Implementation A kernel module is compiled into the machine with predefined rules. The kernel s security filter preforms the checks. No one can overwrite the rules at run-time (since denied by the security filter) and compiled into the system. History Ref SELinux was originally a development project by the National Security Agency (NSA). It is an implementation of the Flask operating system security architecture. The Flask architecture defines MAC with focus on providing an administratively-defined security policy that can control all subjects and objects, basing decisions on all security-relevant information. Flask was then renamed to SELinux Consecom AG -- We Secure Your Solutions Slide 25 33

34 A combination of methods into a browsing platform SEBPS Controlled Application 1 (Firefox) Isolation SEBPS Controlled Application 2 (Acroread) Isolation SEBPS Controlled Application 3 (Flashplayer) Trusted Update Server Scalable Trusted Maintenance Hardened OS User Space SELinux Mandatory Access Control constrained disk access Minimal Linux Kernel Virtual Machine Isolation stateful firewall Commodity Operating System Consecom AG -- We Secure Your Solutions Slide 26 Multiple benefits and usability for end users are important Deployment Web-Installer abstracts installation complexity Prepare the platform: pre-required tools Reduce the installation to the minimally needed steps: Two Clicks to securebrowse Use Support the user Launch the Web-browser Support system hibernate and standby Logout shuts down securebrowse Administration Relieve the user from interfering with administrative tasks Consecom AG -- We Secure Your Solutions Slide 27 34

35 securebrowse -- the answer to the web-infection problem Dimensions Criteria Details Trust Life-cycle trust Full trust: Deployment, Maintenance Threat Coverage On-line (in-bound) Off-line threats: Malicious host At run-time At rest Platform hardening (MAC) Separate OS-addr- space, separate IVT If stored on read-only medium Protection Capabilities Hardened Linux platform (MAC) Isolation Method Virtualized platform Integration Capabilities Cut-and-Paste between host and platform Deployment Method and scalability Trusted web-based Installer Maintenance Method and scalability Trusted incremental updates Usability Support by technology Straightforward web-supported installer Standard applications Weaknesses Limitations Limited integration Consecom AG -- We Secure Your Solutions Slide 28 35

36 36

37 37

38 Problem is reality, solution is around. Companies are daily in the news because of incidents with malware. Moreover, old browsers are still used. The main entry gate, the Web-Browser, can be secured. Where and when infections happen really, remains undiscovered. Non of the frequently used standard products proves complete protection. A VM with Mandatory Access Control Browser is very secure approach. A solution is around and free to use Consecom AG -- We Secure Your Solutions Slide 35 38

39 Problem Methods Analysis Solution Experience Consecom AG -- We Secure Your Solutions Slide 36 Solving a problem doesn't make you millionaire but the knowledge brings you forward Product never reached the mass market (by now) Generally users and companies still accept the risk by drive-by infections. Windows / ios look and feel is absolutely essential. Usability change require a large investment and are not accepted. Nish market Forensic Investigators, Fraud Analyzers (Analyze Dangerous Websites). Selective usage for untrusted web-pages (i.e. all). Highly secured areas (Nuclear Power Plants, Military). New business by knowledge gain Expert in secure platforms. Providers of secure platform for Web Entry Systems. Provider of secure appliances for major financial institutes Consecom AG -- We Secure Your Solutions Slide 37 39

40 40

41 41

42 6 Einsatz von Zertifikatssystemen im Internet Jamshid Shokrollahi Certificates: How to Build Trust in the Internet Jamshid Shokrollahi, hi Corporate Research (CR/AEA) Robert Bosch GmbH 1 Jamshid Shokrollahi, CR/AEA3 2/19/2013 Robert Bosch GmbH All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. 42

43 Certificates: How to Build Trust in the Internet Overview Solved problem (Public Key Infrastructure and Certificates) Symmetric Key Cryptography Public key Cryptography Man in the Middle attack X.509 Certificate Not Completely solved problem (Secure Deployment) Different levels of realization Potential Vulnerabilities 2 Department 2/19/2013 Robert Bosch GmbH All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. Certificates: How to Build Trust in the Internet Mission Alice and Bob want to securely communicate in the presence of Eve and Mally! Eve: eavesdropping Mally: read, write, and modify the messages 3 Jamshid Shokrollahi, CR/AEA3 2/19/2013 Robert Bosch GmbH All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. 43

44 Certificates: How to Build Trust in the Internet Bob shops in the Internet! What can go wrong? 4 Jamshid Shokrollahi, CR/AEA3 2/19/2013 Robert Bosch GmbH All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. Certificates: How to Build Trust in the Internet Eavesdropping Eve sees Bob s credit card number and uses it next time for shopping! What is the solution? 5 Jamshid Shokrollahi, CR/AEA3 2/19/2013 Robert Bosch GmbH All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. 44

45 Certificates: How to Build Trust in the Internet Symmetric Encryption is a solution Enc. / Dec Enc /Dec. Communication partners have the secret common key 6 Jamshid Shokrollahi, CR/AEA3 2/19/2013 Robert Bosch GmbH All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. Certificates: How to Build Trust in the Internet Public Key Cryptography (PKC) Bob and the Server can establish the secret Key using asymmetric Encryption Bob can encrypt its symmetric key using Server s public key, but only the server has the private key to decrypt it. In practical realizations there are more details which are ignored here 7 Jamshid Shokrollahi, CR/AEA3 2/19/2013 Robert Bosch GmbH All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. 45

46 Certificates: How to Build Trust in the Internet Verifying Public Keys How can Bob be sure that Mally is not performing man in the middle attack? Mally s public key Server s public key 8 Jamshid Shokrollahi, CR/AEA3 2/19/2013 Robert Bosch GmbH All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. Certificates: How to Build Trust in the Internet Public Key Infrastructure CA(Certification Authority) CA s public key is embedded into most of browsers Secure Connection User s browser Server s identity Server s public key: Signed by CA Certificate, e.g., X.509 Server s private ke ey 9 Jamshid Shokrollahi, CR/AEA3 2/19/2013 Robert Bosch GmbH All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. 46

47 Certificates: How to Build Trust in the Internet Example: X.509 Certificate Structure (1) Version... Serial Number Certificate Signature Algorithm Algorithm ID Certificate t Signature Issuer (E.g. Certificate Authority) Validity Not Before Not After Subject (E.g., server) Subject Public Key Info Public Key Algorithm Subject Public Key Issuer Unique Identifier (optional) Subject Unique Identifier (optional) Extensions (optional) 10 1) Source: Wikipedia Jamshid Shokrollahi, CR/AEA3 2/19/2013 Robert Bosch GmbH All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. Certificates: How to Build Trust in the Internet Server Authentication and Key Exchange (simplified) 3) Verifies the signature of the certificate, and if the subject matches the server 2) Provides the certificate 1) https: request a secure connection Browser 4) Generates a random 128 bit key, 8) encrypts using the public key in the Ensures certificate and send to the server the security 5) Generates a random 128 bit key 7) XORes the two by and sends to the browser (client) in sequences to seeing plain generate the https symmetric key 6) De XOR gene ecrypts the Res the two erate the sy e received o sequenc ymmetric packet, es to key 11 Jamshid Shokrollahi, CR/AEA3 2/19/2013 Robert Bosch GmbH All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. 47

48 Certificates: How to Build Trust in the Internet Realization Aspects Issuer s Infrastructure API Level Digital Signatures 12 Jamshid Shokrollahi, CR/AEA3 2/19/2013 Robert Bosch GmbH All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. Certificates: How to Build Trust in the Internet Digital Signature Hash Function Padding m d mod N Nonlinear mapping Adding The to compress large messages Must be collision resistant specific patterns to the compressed message fundamental and most time consuming operation Nonlinearity cancels the multiplicative property of the exponentiation 13 Jamshid Shokrollahi, CR/AEA3 2/19/2013 Robert Bosch GmbH All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. 48

49 Certificates: How to Build Trust in the Internet Digital Signatures, lessons learned Do not use hash functions like MD4 with known collisions Always use large modulo numbers N which are generated according to the standards d The parameters and functions get obsolete. Never issue the certificate for very long time Always choose the functions and parameters according to the most recent standards, e.g., BSI Technische Richtlinie, BSI TR-02102, Version chnischerichtlinien/tr02102/bsi-tr _pdf.pdf? blob=publicationfile 14 Jamshid Shokrollahi, CR/AEA3 2/19/2013 Robert Bosch GmbH All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. Certificates: How to Build Trust in the Internet Vulnerabilities in using API Always verify if the certificate matches the identity of the provider (server)? Even consider the possibility of having '\0' in the identity of the provider of certificate t who wants to impersonate a famous identity SSL and several other software also provide the PKI verification as functions. Always read the documentation carefully to enable the verification of the signatures Several examples of to dos and not to dos can be found in Georgiev et al., The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software, In proceedings of ACM CCS '12, pp , Jamshid Shokrollahi, CR/AEA3 2/19/2013 Robert Bosch GmbH All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. 49

50 Certificates: How to Build Trust in the Internet Issuer's s Infrastructure Certificates are your identity and their security depends on the private key of the issuer If the private key is not stored, or used, in the right way, attackers can impersonate you Revocating certificates and the lost reputation can cause high costs! Always think about the reputation of the issuer and if possible ensure that they have enough security in the processes 16 Jamshid Shokrollahi, CR/AEA3 2/19/2013 Robert Bosch GmbH All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. Certificates: How to Build Trust in the Internet Conclusion For the selection and the realization of digital signatures always use the most recent standards and follow them carefully When verifying i signatures, always be careful about the identities, and also variables and flags if you use verification functions from others' libraries When buying the certificates think about the reputation and history of the provider! 17 Jamshid Shokrollahi, CR/AEA3 2/19/2013 Robert Bosch GmbH All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. 50

51 7 Chipkartenbetriebssysteme Gefahrenpotentiale und Gegenmaßnahmen Helmut Scherzer SmartCard Operating Systems Potential Risks and Security Measures Helmut Scherzer Giesecke & Devrient 51

52 SmartCard Operating Systems P Standards < ISO 7816/1..9 < CEN TC224/EN726 < GSM 11.xx < ETSI < JAVA 2.x P Specifications < JAVA < EMV < Mondex < Multos < SECCOS(ZKA) <...and others Standards and Specifications PPlatform < ST Microelectornics < Infenion < Philips < Samsung < Sharp < Renesas < Atmel <... and others P Hidden Agenda < Security Features < Attacks < Countermeasures < Programming Tricks < Performance Optimization < Memory Optimization < Algorithms PIN Attack Attack PCut Off Power before updating the PIN error counter Correct PIN- Entry Wrong PIN-Entry PIN - Check Update of PIN error counter Attack: Detection and interruption 52

53 PIN Attack Countermeasures PUpdate PIN error counter prior to PIN verification Cnt = 2 PIN - Check Cnt = 3 Power Break Attack or Accident... PPower Drop in the SmartCard < Unintentionally (Accident) Withdraw SmartCard Functional misbehaviour in Terminal Bad Contacts Environmental Factors (Vibration in Car etc...) < Intentionally (Attack) Data manipulation 53

54 Power Break Intention of the attack EEPROM Write Cycle EEPROM ) Delete EEPROM cell EEPROM ) Write new value EEPROM Best possible moment of power cut Power Break EEPROM Random No. Pseudo Random Attack 35 BC 01 A7 48 D5 3B 1C DES Old Random No. New Random No. is written to EEPROM EEPROM EEPROM Random No New Random No. EEPROM Random No. AB 33 2F 8E 46 7A 29 FD New Random No. 54

55 Power Break Countermeasures PLimited Transaction Protection < Recognition and Indication of Power Breaks < Protection of sensitive data < Card Blocking PFull Transaction Protection < Backtrace / Write Ahead Buffer < Atomized Transaktionens < Data Committment PCountermeasures : Absolutely MANDATORY Power Break Command Message Full Transaction Protection Target Data Backtrace Buffer ????

56 Memory Defragmentation Defragmentation by multiple file deletion PCreation of files by < Additional Applications < JAVA - Applets < Version Control/Update < Application Deletion < Application Buy and Run < Temporary Files EF EF EF EF EF EF EF EEPROM EF EF EF EF EF EF Free Memory EEPROM EF EF EF EF EF EF EF EF 1.) Initialization 2.) Erase EF Free Memory EF EEPROM 3.) New layout EF EF EF EF Memory Full! EF EF EF EF EF EF Memory Defragmentation Defragmentation Process EEPROM EEPROM EF EF EF EF EF EF EF EF Defrag... EF EF EF EF EF EF EF EF EF EF EF EF P Difficulties < References must be recorded < Defragmentation (up to 10 Sec.) must be 100 % Power Break resistant P Solution < Atomic operations with wear-leveling mechanism Defragmentation possible very effectively New Application Perspectives for SmartCards Smart Card Development PAuto-Defrag < 100 % Power brk.prot. < High Performance! < on Auto-Demand only P100 % Fail resistant < Theoretically proovable 56

57 EEPROM Errors Few Bits dropping P Chip Mfg.Guaranty : 10 Years Data retension < Credible and proven value < Very seldom, accidential drops have been reported P Bit Drop Situation < Most embarassing situation as no obvious reason available < Murphy s Law: Always the most crucial bit drops" P Countermeasures < CheckSum on any EEPROM boundary < Update of Checksum must also be power break resistant EEPROM Timing Attack PTime pattern of current samples PIN/Key Verification // Compare PIN for (i = 0; i<length(pin); i++) { if (PIN[i]!= Correct_PIN[i]) return(1); } return(0); Reference Point ) t Difference Measurement 57

58 Timing Attack The Square-Multiply 'always' problem PNew programming styles rlc r2 jnc NoSwap xchg r0,r1 NoSwap: ret ; r2 = exponent SmartCard StoneAge 2013 Coding // evaluate exponent bit if (ExpBit == 1) Swap(Source,Target); else Keep(Source,Target); return(0); push r0 push r1 push r0 ; <- bp mov bp,sp ; rlc r2 ; r2 = exponent addc bp,#0 mov r0,[bp] inc bp mov r1,[bp] add sp,#3 ret ; remove '3 x push' Differential Fault Analysis The DES Bellcore Attack P Assumption: < Bits in RAM may be altered intentionally PAttack by comparison of output 0 Key: ) Xy202 01aM b201 2.) Xy202 01aM b201 DES Alice is pretty a839 x15k b7fm 58

59 Reaction of the market Decrease of Orders since June 1998!!! DPA-Attack! January March May July September November SmartCard Orders Single Power Analysis Direct Evaluation of Current Samples P Direct evaluation of Current Samples < Insider knowledge required < Program Code must be locally known P Countermeasures < No bit operation with sensitive data < Source Code CONFIDENTIAL < Support by Chip Hardware 59

60 Differential Power Analysis Attack Scenario P Statistical Attack < Many DES Calculations required! < No Source Code Knowledge required! Key Shift S-Box Output Perm. DES Round # n The Final Attack Correlate Signed Samples P If the hypothized key was correct, each calculation will contribute a deterministic part to the final signal P If the hypothized key was wrong, only 'noise' will be added and no singularity will be found Signal + Signal Noise + Noise P For each n of 64 possible subkeys a particular hypothesis on the signal signs exist. P For each n of 64 possible subkeys the addition (correlation) of the N samples will be performed + Signal = - + Noise = = N 3 /N 60

61 Differential Power Analysis Attack Scenario Key Shift S-Box Output Perm. DES Round # n High number of samples required! Key : 48 bits Subkey Subkey Subkey Subkey Subkey Subkey Subkey Subkey Data 0110 S-Box S-Box S-Box S-Box S-Box S-Box S-Box S-Box S-Box being attacked Attacked bit Finding the Key... Maximum Evaluation PIn one of 64 correlation signals we will find a significant maximum PThis maximum confirms our 'guess' for the subkey. PWe may confirm the guess by evaluation of the other three bits on the same S-Box Subkey 17/64 : wrong hypothesis Subkey 18/64 : wrong hypothesis Subkey 19/64 : wrong hypothesis Subkey 20 : CORRECT HYPOTHESIS! 61

62 Differential Power Analysis Countermeasures PSystem Level < Limited Usage of Error Counters < Logging of Error Counters in Host System PHardware Level < Bus Scrambling < Power Noise < Redundant Clock Cycles PSoftware Level < Relative Protection Make the Alignment 'impossible' Nonsens Statements < Absolute Protection Theoretical Proove of Effectiveness ITSEC Evaluation possible! IBM DPADES9 : Excellent Protection! PCritical Factor: PERFORMANCE Table compression Partitioning attack CPU ROM 256 Bytes page 256 Bytes page 256 Bytes page... ; 512 byte table db 01,45,62,F3, 8F,7B,2A,3F, db... db... PAddress and value of a (EEP)ROM table may leak DPA information PAddressing another (EEP)ROM page may leak SPA information PCountermeasures (srambled RAM table) requires too much memory (here 512 bytes) 62

63 Table compression Partitioning attack CPU 256 Bytes page ROM 256 Bytes page 256 Bytes page... PAddress and value of a (EEP)ROM table may leak DPA information PAddressing another (EEP)ROM page may leak SPA information PCountermeasures (srambled RAM table) requires too much memory (here 512 bytes) Table compression Large Table attack countermeasures ROM 128 Bytes page 128 Bytes page 128 Bytes page... data + index masking RAM 128 Bytes POverlay ROM table entries in RAM Pindex/value mask 'on the fly' PDecoding can only be done with help of the original ROM table, but this can be achieved in a well protected way. 63

64 ROM 256 Bytes page 256 Bytes page 256 Bytes page... Table compression Large Table attack countermeasures Encode Generate rand1..rand4 [each ] for (i = 1 to 128) { RAM[i] = ROM[i r rand1] r ROM[i r rand ] r ROM[i r rand ] r ROM[i r rand ] } RAM 128 Bytes Decode (e.g. value from ) j = i r rand1 ROM[i] = RAM[j] r ROM[j r rand ] r ROM[j r rand ] r ROM[j r rand ] Decode (e.g. value from ) j = (i-128) r rand2 ROM[i] = RAM[j] r ROM[j r rand1] r ROM[j r rand ] r ROM[j r rand ] End SmartCard Operating Systems Potential Risk and Security Measures 64

65 65

66 8 Cybersecurity-as-a-Service: strategische und technische Herausforderungen Philipp Müller, PeterRehäusser Cybersecurity-as-a-Service Dr. Philipp Müller Peter Rehäußer CSC Proprietary and Confidential 66

67 Hackerangriffe sind allgegenwärtig. Was nun? CSC Proprietary and Confidential March 25, Unsere Welt heute Zunehmende Digitalisierung von Geschäftsprozessen Die neue Art von Bedrohungen: Gezielter, strukturierter und mit uneingeschränkten Ressourcen für Angriffe Private und geschäftliche IT verschmelzen: Cloud, ByoD, Social Media, Wachsende Anzahl an Regularien und Compliance-Vorschriften CSC Proprietary and Confidential March 25,

68 Wie denken wir Sicherheit auf der Vorstandsebene? Wie denken wir Sicherheit gesamtgesellschaftlich? CSC Proprietary and Confidential March 25, Sicherheit ganzheitlich angehen: der Cybersecurity Stack Ebene 4: Nationale Sicherheitsstrategie Bedrohungsalarm Nation/Staat Ebene 3: Situationsbewusstsein Event- Korrelation Organisation Ebene 2: Sicherheitsschicht Perimeter & Gateway Ebene 1: Sichere Infrastruktur Klassisches Vorgehen: Vorbeugen-Aufdecken- Reagieren LAN-WAN- Applikationen und -Daten Einzelne Systeme CSC Proprietary and Confidential March 25,

69 Den Security-Live-Cycle komplett abdecken Awareness Trainings Methodology Coaching IT Security Concepts IT Risk Management Cyberconfidence Check Compliance with Security Policies Comprehensive Audits Penetration Test IdM Prequalification Checks Controlling Coordination Communication IT Security Principles Security Policy IT Security Organisation Implementation Standards Business Continuity Planning Identity Management IT Security for Outsourcing Managed Security Services Common Criteria Evaluations CSC Proprietary and Confidential March 25, Warum Cybersecurity-as-a-Service? Cost CSC Proprietary and Confidential March 25,

70 The CSC Cybersecurity Demonstration Center CSC Proprietary and Confidential March 25, Storyline der Live-Demo Der Feind beauftragt einen Hacker, die Daten eines Großprojektes zu löschen und dem Unternehmen damit Schaden zuzufügen und fortwährend zu überprüfen, ob die Organisation am Ende des Projektes in der Lage war, die Informationen wieder herzustellen. CSC Proprietary and Confidential March 25,

71 Wie gehen Hacker vor? Analysieren von Netzwerken 1 Potentielle Opfer? Beobachtung der potenziellen Opfer 2 Wo kann man am einfachsten eindringen? Angriff 3 Ausnutzen von Unachtsamkeit 4 Illegale Tätigkeit Löschen von Projektdaten Installation eines maßgeschneiderten Trojanischen Pferdes, das alle neu erstellten Dokumente sofort an den Hacker sendet Escape 5 Der Remote-Zugriff wird unterbrochen CSC Proprietary and Confidential March 25, The CSC Cybersecurity Demonstration Center Global Learning Threat Alerting Nation / States Situational Awareness Event Correlation Organization Real-time Detect and Respond Data-loss prevention End-point security Classical Prevent- Detect-Respond Perimeter & Gateway Ongoing Vulnerability Analysis Identity Management LAN-WAN-Applications and Data Single Systems CSC Proprietary and Confidential March 25,