exploring software and hardware security

articles about secure systems, secure protocols, tamperproofing, obfuscation, authentication, attack vectors…

How to securely hide a cryptographic key?

Posted by davitb on November 10th, 2009

In my previous article I discussed how a “non-expert” security engineer should think about choosing the right security protocol for his system. I tried to present that complicated task in an easier manner.

However, it’s also important to understand that when we integrate a secret-based protocol into our system, we get another, more serious problem: how do we securely hide the secret that the protocol uses for authentication?

For example, suppose you have two components which are establishing an SSL connection. As SSL is based on public key cryptography, they both need to possess private keys (if the authentication is mutual). So how are they going to protect their private keys locally on their systems?

Of course, the problem of hiding cryptographic keys or other secret information doesn’t only apply to systems which implement security protocols. Encryption is the most popular and convenient way to protect the confidentiality of information. However, when the system encrypts something, there has to be a way to protect the encryption key (or the decryption key), and this, believe me, is a much, much harder problem.

In this article we will discuss how one can hide secret information:

  • In a Windows environment
  • Inside software
  • Inside hardware

I have been doing research on this topic for more than a year now and would like to share my knowledge and experience with you.

All the mentioned topics are heavy and one cannot describe all of them in a single article. I’m planning to have several articles describing different aspects of these themes (such as obfuscation and tamper-proofing in software, tamper resistance in hardware, etc.).

So in this article we will discuss the “theoretical” part of the topic and then will go through an example and try to apply this knowledge in real life.

Posted in how to design secure systems?, software obfuscation, tamperproof software | No Comments »

How to choose the right security protocol?

Posted by davitb on November 2nd, 2009

We all know that sending data over a network and being sure that its confidentiality is not damaged is one of the crucial problems in security engineering. In fact, except for some special cases, the entire information security area is based on the problem of being able to send information from point A to point B while making sure that its security properties are maintained properly.

Creating secure protocols is not an easy task, and this article is not intended to help you create new protocols from scratch. There already exist many well-designed protocols which will give you all the necessary features to meet your requirements. There are many books and articles about how different secure protocols work and how they are designed. This article does not try to describe the details of these protocols; rather, it tries to recommend the “ideal” protocol for you, which of course doesn’t exist. The question that this article will try to answer is how you should choose the right secure protocol for your particular application.

Choosing the right protocol is also not a trivial task; however, I believe there are patterns which will help you to solve this task for your particular application. I’m able to recognize these patterns and I’m sure you will also be able to do it once you get the proper knowledge and experience.

We will go over the following topics:

  • Data confidentiality and integrity in protocols
  • Two types of security protocols
  • Attacks you should worry about while thinking about protocols
  • Protocol Choosing Patterns
  • A demonstrative example
  • Recommended references

Posted in Attacking secure systems, authentication, how to design secure systems? | No Comments »

How to design secure systems? Key Concepts in Information Security

Posted by davitb on October 28th, 2009

Before we start discussing the different techniques which are helpful when creating the architecture of a secure system, it’s useful to go through the key concepts which must always be a primary concern of any software/hardware architect thinking about security.

In this article we will go through the key concepts in information security and will try to explain them with real-life examples. Throughout the article I will also call the key concepts “security properties” of information.

So the security properties we will discuss here are:

  • Confidentiality
  • Integrity
  • Authenticity
  • Availability
  • Non-Repudiation
  • Accessibility

Posted in how to design secure systems? | 1 Comment »

How to design secure systems? Security Analysis

Posted by davitb on October 19th, 2009

A secure system is a piece, or any combination, of hardware, software or just an operation which protects a block of information that is sensitive to the user. There are secure systems which are dedicated to performing only security-related operations (such as safe storage, a dongle token, a DRM system, firewalls, an encryption device, etc.). There are also systems which are designed to perform operations on sensitive information and thus require security features implemented inside (such as online payment systems, ATMs, email clients/servers, messengers, etc.). Independent of the purpose of the system and the operations it allows, security engineers must treat them as equally important and design the security of these systems by taking into account state-of-the-art best practices and techniques.

This article is the first part of a series of articles dedicated to principles and best practices of designing secure systems. It will discuss the following topics:

  • The wrong approach to designing security systems
  • The right approach
  • Assets, threats, security controls, vulnerabilities, attack vectors and risks

Posted in Attacking secure systems, how to design secure systems? | 1 Comment »

How the crackers crack code?

Posted by davitb on October 11th, 2009

There are several reasons why a software company would decide to implement heavy protection schemes in their applications, spending a lot of development resources, time and money. These reasons are mainly related to the business models of the applications. License-based applications (IDEs, compilers, etc.), applications with valuable IP inside (EDA applications, etc.) and applications which have access to confidential information (DRM, authentication software, etc.) require, in addition to their main logic, sophisticated protection schemes which ensure that the integrity, confidentiality and availability of the assets inside these applications will not be damaged.

It has always been a mystery for me how crackers try to break software: what techniques they start with when they have the executable in hand, or what tools they use for doing the crack.

In general, the motivation of crackers is obvious and is exactly what the abovementioned applications want to prevent:

  • They are trying to use software without paying money (break)
  • They are trying to steal intellectual property of applications to create a copy of it
  • They are trying to steal confidential information (such as cryptographic keys) from applications to gain access to other valuable information, such as user credentials, high-definition video content, etc., which is accessible in this application

In this article we will try to outline the techniques and tools that crackers are using while trying to break protections that exist in applications.

Posted in Attacking secure systems, software obfuscation, tamperproof software | 1 Comment »

One-Time Passwords

Posted by davitb on October 2nd, 2009

I decided to continue the series of “user authentication” related articles (which I started with the article “Conventional Website Authentication Model and its Weaknesses”) and bring more details about one-time passwords.

In this article I will give an overview of the following topics:

  • Basic ideas behind OTP
  • OTP Types
  • Vulnerabilities
  • Standards and Applications

To make the illustration of OTP more practical, we will implement a web server with authentication from scratch and try to integrate an OTP scheme.

Posted in authentication | No Comments »

Conventional website authentication model, its weaknesses and alternatives

Posted by davitb on September 27th, 2009

The current article discusses the problems of authentication schemes that are used by websites and browsers while the user logs in to a website.

The following topics will be covered:

  • Conventional user and website authentication model
  • Weak points of password based authentication
  • Weak points of website authentication
  • Alternative ways for user authentication in websites

Note that by the term “conventional” we mean the most popularly used authentication scheme – username/password.

Posted in authentication, browser security | 5 Comments »

Testing the Security of Software

Posted by davitb on September 25th, 2009

Citation from Bruce Schneier:

Think about the most recent security vulnerability you’ve read about. Maybe it’s a killer packet, which allows an attacker to crash some server by sending it a particular packet.

Maybe it’s one of the gazillions of buffer overflows, which allow an attacker to take control of a computer by sending it a particular malformed message. Maybe it’s an encryption vulnerability, which allows an attacker to read an encrypted message, or fool an authentication system. These are all software issues.

Testing software from a security standpoint is a key requirement, especially for software products with a security focus. Even if the product has been architected with the best security protocols and security design best practices in mind, it doesn’t make much sense as the attacker will prefer focusing on the application layer and eventually will find a vulnerability there and exploit it…. Remember, on application layer

Posted in software security, software testing | No Comments »

Why the quality of software is so bad?

Posted by davitb on September 23rd, 2009

Have you ever thought about why it’s easy for people to create an elegant piano, a huge building with astonishing architecture or an excellently working elevator, but at the same time it’s so difficult to create a well-working text editor for a PC? Why do only very few people, when they are opening the garage, think that the garage door will fall down and destroy their car… but at the same time I’m sure that all people, when they type in a text editor on a PC, continuously think that the program may crash anytime… really, anytime!

During the last several decades people have created a completely new discipline, a new world, something that even the most ingenious fiction writers didn’t come up with – computers and software. Today it’s in our lives every day, everywhere, almost every second… I think that’s wonderful progress…

Software and hardware are used everywhere: at home, when we drive a car, when we fly on an airplane, when we talk on the phone, when we watch TV, when we send mail or wait in a queue in a restaurant…

However, in parallel to this big progress there is one thing that I think is not improving very well over time. That is the quality of software. Although people realize the importance of, and give a very high priority to, the technologies, processes and methodologies which could improve the quality of software development, there is no big progress in this area.

What do you think is the reason behind this? How can we solve this problem, and finally, how is software security connected to its quality?

I will try to briefly discuss these questions in this article.

Posted in software security, software testing | No Comments »

 
