Contents

Preface to the Second Edition Foreword by Bruce Schneier Preface Acknowledgments Part I Chapter 1 What Is Security Engineering? Introduction A Framework Example 1A Bank Example 2A Military Base Example 3A Hospital Example 4The Home Denitions Summary Usability and Psychology Introduction Attacks Based on Psychology Pretexting Phishing Insights from Psychology Research What the Brain Does Worse Than the Computer Perceptual Bias and Behavioural Economics Different Aspects of Mental Processing Differences Between People Social Psychology What the Brain Does Better Than Computer

xxv xxvii xxix xxxv

3 3 4 6 7 9 10 11 15 17 17 18 19 21 22 23 24 26 27 28 30 ix

Chapter 2

Contents Passwords Difculties with Reliable Password Entry Difculties with Remembering the Password Naive Password Choice User Abilities and Training Design Errors Operational Issues Social-Engineering Attacks Trusted Path Phishing Countermeasures Password Manglers Client Certs or Specialist Apps Using the Browsers Password Database Soft Keyboards Customer Education Microsoft Passport Phishing Alert Toolbars Two-Factor Authentication Trusted Computing Fortied Password Protocols Two-Channel Authentication The Future of Phishing System Issues Can You Deny Service? Protecting Oneself or Others? Attacks on Password Entry Interface Design Eavesdropping Technical Defeats of Password Retry Counters Attacks on Password Storage One-Way Encryption Password Cracking Absolute Limits CAPTCHAs Summary Research Problems Further Reading Chapter 3 Protocols Introduction Password Eavesdropping Risks Who Goes There? Simple Authentication Challenge and Response The MIG-in-the-Middle Attack Reection Attacks Manipulating the Message Changing the Environment 31 32 33 34 35 37 39 40 42 43 43 44 44 45 45 46 47 47 48 49 49 50 52 53 53 54 54 55 55 56 56 57 57 59 60 61 61 63 63 65 66 70 73 76 78 79

Contents Chosen Protocol Attacks Managing Encryption Keys Basic Key Management The Needham-Schroeder Protocol Kerberos Practical Key Management Getting Formal A Typical Smartcard Banking Protocol The BAN Logic Verifying the Payment Protocol Limitations of Formal Verication Summary Research Problems Further Reading Chapter 4 Access Control Introduction Operating System Access Controls Groups and Roles Access Control Lists Unix Operating System Security Apples OS/X Windows Basic Architecture Capabilities Windows Added Features Middleware Database Access Controls General Middleware Issues ORBs and Policy Languages Sandboxing and Proof-Carrying Code Virtualization Trusted Computing Hardware Protection Intel Processors, and Trusted Computing ARM Processors Security Processors What Goes Wrong Smashing the Stack Other Technical Attacks User Interface Failures Why So Many Things Go Wrong Remedies Environmental Creep Summary Research Problems Further Reading 80 82 83 84 85 86 87 87 88 89 90 91 92 92 93 93 96 98 99 100 101 102 103 104 107 107 108 109 110 111 111 113 114 116 116 117 118 119 121 122 124 125 126 127 127

xi

xii

Contents Chapter 5 Cryptography Introduction Historical Background An Early Stream Cipher The Vigen` ere The One-Time Pad An Early Block Cipher Playfair One-Way Functions Asymmetric Primitives The Random Oracle Model Random Functions Hash Functions Properties The Birthday Theorem Random Generators Stream Ciphers Random Permutations Block Ciphers Public Key Encryption and Trapdoor One-Way Permutations Digital Signatures Symmetric Crypto Primitives SP-Networks Block Size Number of Rounds Choice of S-Boxes Linear Cryptanalysis Differential Cryptanalysis Serpent The Advanced Encryption Standard (AES) Feistel Ciphers The Luby-Rackoff Result DES Modes of Operation Electronic Code Book Cipher Block Chaining Output Feedback Counter Encryption Cipher Feedback Message Authentication Code Composite Modes of Operation Hash Functions Extra Requirements on the Underlying Cipher Common Hash Functions and Applications Asymmetric Crypto Primitives Cryptography Based on Factoring Cryptography Based on Discrete Logarithms Public Key Encryption Dife Hellman and ElGamal Key Establishment Digital Signature Special Purpose Primitives 129 129 130 131 132 134 136 138 138 140 141 142 143 144 146 147 149 149 150 150 151 151 152 153 153 155 157 157 160 160 161 161 162 163 163 164 165 166 167 170 170 173 174 175 176 178

Contents
Elliptic Curve Cryptography Certication The Strength of Asymmetric Cryptographic Primitives 179 179 181

xiii

Summary Research Problems Further Reading Chapter 6 Distributed Systems Introduction Concurrency Using Old Data Versus Paying to Propagate State Locking to Prevent Inconsistent Updates The Order of Updates Deadlock Non-Convergent State Secure Time Fault Tolerance and Failure Recovery Failure Models Byzantine Failure Interaction with Fault Tolerance What Is Resilience For? At What Level Is the Redundancy? Service-Denial Attacks Naming The Distributed Systems View of Naming What Else Goes Wrong Naming and Identity Cultural Assumptions Semantic Content of Names Uniqueness of Names Stability of Names and Addresses Adding Social Context to Naming Restrictions on the Use of Names Types of Name Summary Research Problems Further Reading Economics Introduction Classical Economics Monopoly Public Goods Information Economics The Price of Information The Value of Lock-In Asymmetric Information

182 183 183 185 185 186 186 188 188 189 190 191 192 193 193 194 195 197 198 200 200 204 204 206 207 207 208 209 210 211 211 212 213 215 215 216 217 219 220 220 221 223

Chapter 7

xiv

Contents Game Theory The Prisoners Dilemma Evolutionary Games The Economics of Security and Dependability Weakest Link, or Sum of Efforts? Managing the Patching Cycle Why Is Windows So Insecure? Economics of Privacy Economics of DRM Summary Research Problems Further Reading Part II Chapter 8 Multilevel Security Introduction What Is a Security Policy Model? The Bell-LaPadula Security Policy Model Classications and Clearances Information Flow Control The Standard Criticisms of Bell-LaPadula Alternative Formulations The Biba Model and Vista Historical Examples of MLS Systems SCOMP Blacker MLS Unix and Compartmented Mode Workstations The NRL Pump Logistics Systems Sybard Suite Wiretap Systems Future MLS Systems Vista Linux Virtualization Embedded Systems What Goes Wrong Composability The Cascade Problem Covert Channels The Threat from Viruses Polyinstantiation Other Practical Problems Broader Implications of MLS 239 239 240 242 243 245 246 248 250 252 252 253 253 254 255 256 256 257 257 258 260 261 261 261 262 263 265 266 267 269 223 225 226 228 229 229 230 232 233 234 235 235

Contents Summary Research Problems Further Reading Chapter 9 Multilateral Security Introduction Compartmentation, the Chinese Wall and the BMA Model Compartmentation and the Lattice Model The Chinese Wall The BMA Model The Threat Model The Security Policy Pilot Implementations Current Privacy Issues Inference Control Basic Problems of Inference Control in Medicine Other Applications of Inference Control The Theory of Inference Control Query Set Size Control Trackers More Sophisticated Query Controls Cell Suppression Maximum Order Control and the Lattice Model Audit Based Control Randomization Limitations of Generic Approaches Active Attacks The Value of Imperfect Protection The Residual Problem Summary Research Problems Further Reading 272 272 272 275 275 277 277 281 282 284 287 289 290 293 293 296 297 298 298 298 299 300 300 301 302 304 305 306 309 310 310 313 313 315 316 316 317 319 320 324 328 329 331 333 334

xv

Chapter 10 Banking and Bookkeeping Introduction The Origins of Bookkeeping Double-Entry Bookkeeping A Telegraphic History of E-commerce How Bank Computer Systems Work The Clark-Wilson Security Policy Model Designing Internal Controls What Goes Wrong Wholesale Payment Systems SWIFT What Goes Wrong Automatic Teller Machines ATM Basics

xvi

Contents
What Goes Wrong Incentives and Injustices 337 341

Credit Cards Fraud Forgery Automatic Fraud Detection The Economics of Fraud Online Credit Card Fraud the Hype and the Reality Smartcard-Based Banking EMV Static Data Authentication Dynamic Data Authentication Combined Data Authentication RFID Home Banking and Money Laundering Summary Research Problems Further Reading Chapter 11 Physical Protection Introduction Threats and Barriers Threat Model Deterrence Walls and Barriers Mechanical Locks Electronic Locks Alarms How not to Protect a Painting Sensor Defeats Feature Interactions Attacks on Communications Lessons Learned Summary Research Problems Further Reading Chapter 12 Monitoring and Metering Introduction Prepayment Meters Utility Metering How the System Works What Goes Wrong Taxi Meters, Tachographs and Truck Speed Limiters The Tachograph What Goes Wrong How Most Tachograph Manipulation Is Done

343 344 345 346 347 348 350 351 352 356 356 357 358 361 362 363 365 365 366 367 368 370 372 376 378 379 380 382 383 386 387 388 388 389 389 390 392 393 395 397 398 399 400

Contents
Tampering with the Supply Tampering with the Instrument High-Tech Attacks The Digital Tachograph Project System Level Problems Other Problems The Resurrecting Duckling 401 401 402 403 404 405 407

xvii

Postage Meters Summary Research Problems Further Reading Chapter 13 Nuclear Command and Control Introduction The Evolution of Command and Control The Kennedy Memorandum Authorization, Environment, Intent Unconditionally Secure Authentication Shared Control Schemes Tamper Resistance and PALs Treaty Verication What Goes Wrong Secrecy or Openness? Summary Research Problems Further Reading Chapter 14 Security Printing and Seals Introduction History Security Printing Threat Model Security Printing Techniques Packaging and Seals Substrate Properties The Problems of Glue PIN Mailers Systemic Vulnerabilities Peculiarities of the Threat Model Anti-Gundecking Measures The Effect of Random Failure Materials Control Not Protecting the Right Things The Cost and Nature of Inspection Evaluation Methodology Summary Research Problems Further Reading

408 412 413 414 415 415 417 418 419 420 422 424 426 427 429 430 430 430 433 433 434 435 436 437 443 443 444 445 446 447 448 449 450 451 451 453 454 454 455

xviii Contents Chapter 15 Biometrics Introduction Handwritten Signatures Face Recognition Bertillonage Fingerprints Verifying Positive or Negative Identity Claims Crime Scene Forensics Iris Codes Voice Recognition Other Systems What Goes Wrong Summary Research Problems Further Reading Chapter 16 Physical Tamper Resistance Introduction History High-End Physically Secure Processors Evaluation Medium Security Processors The iButton The Dallas 5000 Series FPGA Security, and the Clipper Chip Smartcards and Microcontrollers History Architecture Security Evolution The State of the Art Defense in Depth Stop Loss What Goes Wrong The Trusted Interface Problem Conicts The Lemons Market, Risk Dumping and Evaluation Security-By-Obscurity Interaction with Policy Function Creep So What Should One Protect? Summary Research Problems Further Reading Chapter 17 Emission Security Introduction History 457 457 458 461 464 464 466 469 472 475 476 477 481 482 482 483 483 485 486 492 494 494 495 496 499 500 501 501 512 513 513 514 514 515 516 517 517 518 518 520 520 520 523 523 524

Contents Technical Surveillance and Countermeasures Passive Attacks Leakage Through Power and Signal Cables Red/Black Separation Timing Analysis Power Analysis Leakage Through RF Signals Active Attacks Tempest Viruses Nonstop Glitching Differential Fault Analysis Combination Attacks Commercial Exploitation Defenses Optical, Acoustic and Thermal Side Channels How Serious are Emsec Attacks? Governments Businesses Summary Research Problems Further Reading Chapter 18 API Attacks Introduction API Attacks on Security Modules The XOR-To-Null-Key Attack The Attack on the 4758 Multiparty Computation, and Differential Protocol Attacks The EMV Attack API Attacks on Operating Systems Summary Research Problems Further Reading Chapter 19 Electronic and Information Warfare Introduction Basics Communications Systems Signals Intelligence Techniques Attacks on Communications Protection Techniques Frequency Hopping DSSS Burst Communications Combining Covertness and Jam Resistance Interaction Between Civil and Military Uses 526 530 530 530 531 531 534 538 538 539 540 540 540 541 541 542 544 544 545 546 546 546 547 547 548 549 551 552 553 554 555 557 557 559 559 560 561 563 565 567 568 569 570 571 572

xix

xx

Contents Surveillance and Target Acquisition Types of Radar Jamming Techniques Advanced Radars and Countermeasures Other Sensors and Multisensor Issues IFF Systems Improvised Explosive Devices Directed Energy Weapons Information Warfare Denitions Doctrine Potentially Useful Lessons from Electronic Warfare Differences Between E-war and I-war Summary Research Problems Further Reading Chapter 20 Telecom System Security Introduction Phone Phreaking Attacks on Metering Attacks on Signaling Attacks on Switching and Conguration Insecure End Systems Feature Interaction Mobile Phones Mobile Phone Cloning GSM Security Mechanisms Third Generation Mobiles 3gpp Platform Security So Was Mobile Security a Success or a Failure? VOIP Security Economics of Telecomms Frauds by Phone Companies Billing Mechanisms Summary Research Problems Further Reading Chapter 21 Network Attack and Defense Introduction Vulnerabilities in Network Protocols Attacks on Local Networks Attacks Using Internet Protocols and Mechanisms SYN Flooding Smurng Distributed Denial of Service Attacks 574 574 575 577 578 579 582 584 586 587 588 589 591 592 592 593 595 595 596 596 599 601 603 605 606 607 608 617 619 621 623 624 625 627 630 631 632 633 633 635 636 638 638 639 640

Contents
Spam DNS Security and Pharming 642 643

xxi

Trojans, Viruses, Worms and Rootkits Early History of Malicious Code The Internet Worm How Viruses and Worms Work The History of Malware Countermeasures Defense Against Network Attack Conguration Management and Operational Security Filtering: Firewalls, Spam Filters, Censorware and Wiretaps Packet Filtering Circuit Gateways Application Relays Ingress Versus Egress Filtering Architecture Intrusion Detection Types of Intrusion Detection General Limitations of Intrusion Detection Specic Problems Detecting Network Attacks Encryption SSH WiFi Bluetooth HomePlug IPsec TLS PKI Topology Summary Research Problems Further Reading Chapter 22 Copyright and DRM Introduction Copyright Software Books Audio Video and Pay-TV Typical System Architecture Video Scrambling Techniques Attacks on Hybrid Scrambling Systems DVB DVD HD-DVD and Blu-ray AACS Broadcast Encryption and Traitor Tracing

644 644 645 646 647 650 652 652 654 654 655 655 657 657 660 661 662 664 665 665 666 668 668 669 670 672 675 676 677 678 679 679 680 681 688 689 690 690 691 693 697 698 701 701

xxii

Contents
Blu-ray and SPDC General Platforms Windows Media Rights Management Other Online Rights-Management Systems Peer-to-Peer Systems Rights Management of Semiconductor IP Information Hiding Watermarks and Copy Generation Management General Information Hiding Techniques Attacks on Copyright Marking Schemes Applications of Copyright Marking Schemes Policy The IP Lobby Who Benets? Accessory Control Summary Research Problems Further Reading 703 704 705 706 707 709 710 711 712 714 718 718 720 722 723 725 725 726

Chapter 23 The Bleeding Edge Introduction Computer Games Types of Cheating Aimbots and Other Unauthorized Software Virtual Worlds, Virtual Economies Web Applications eBay Google Social Networking Sites Privacy Technology Anonymous Email The Dining Cryptographers and Mixes Anonymous Web Browsing Tor Condential and Anonymous Phone Calls Email Encryption Steganography and Forensics Countermeasures Putting It All Together Elections Summary Research Problems Further Reading Part III Chapter 24 Terror, Justice and Freedom Introduction Terrorism Causes of Political Violence

727 727 728 730 732 733 734 735 736 739 745 747 749 751 753 755 757 759 764 764 765

769 769 771 772

Contents xxiii
The Psychology of Political Violence The Role of Political Institutions The Role of the Press The Democratic Response 772 774 775 775

Surveillance The History of Government Wiretapping The Growing Controversy about Trafc Analysis Unlawful Surveillance Access to Search Terms and Location Data Data Mining Surveillance via ISPs Carnivore and its Offspring Communications Intelligence on Foreign Targets Intelligence Strengths and Weaknesses The Crypto Wars The Back Story to Crypto Policy DES and Crypto Research The Clipper Chip Did the Crypto Wars Matter? Export Control Censorship Censorship by Authoritarian Regimes Network Neutrality Peer-to-Peer, Hate Speech and Child Porn Forensics and Rules of Evidence Forensics Admissibility of Evidence Privacy and Data Protection European Data Protection Differences between Europe and the USA Summary Research Problems Further Reading Chapter 25 Managing the Development of Secure Systems Introduction Managing a Security Project A Tale of Three Supermarkets Risk Management Organizational Issues The Complacency Cycle and the Risk Thermostat Interaction with Reliability Solving the Wrong Problem Incompetent and Inexperienced Security Managers Moral Hazard Methodology Top-Down Design Iterative Design

776 776 779 781 782 783 784 785 787 789 790 792 793 794 796 797 798 800 801 803 803 806 808 809 810 812 813 813 815 815 816 816 818 819 820 821 822 823 823 824 826 827

xxiv

Contents
Lessons from Safety-Critical Systems Security Requirements Engineering Managing Requirements Evolution Bug Fixing Control Tuning and Corporate Governance Evolving Environments and the Tragedy of the Commons Organizational Change Managing Project Requirements Parallelizing the Process Risk Management Managing the Team Summary Research Problems Further Reading 829 834 835 836 838 839 841 842 844 846 848 852 853 854

Chapter 26 System Evaluation and Assurance Introduction Assurance Perverse Economic Incentives Project Assurance Security Testing Formal Methods Quis Custodiet? Process Assurance Assurance Growth Evolution and Security Assurance Evaluation Evaluations by the Relying Party The Common Criteria What the Common Criteria Dont Do Corruption, Manipulation and Inertia Ways Forward Hostile Review Free and Open-Source Software Semi-Open Design Penetrate-and-Patch, CERTs, and Bugtraq Education Summary Research Problems Further Reading Chapter 27 Conclusions Bibliography Index

857 857 858 858 860 861 862 862 863 866 868 869 870 873 876 878 881 882 882 884 885 886 887 887 887 889 893 997