Attack Trees to Assess Security

At this point, we all know that optimizing poorly performing code must be done only after analysis points you to the bottleneck. Right? It makes no sense to optimize code on a hunch, because your hunches are usually wrong, and if they are wrong then the time spent optimizing is all wasted. If there is a performance issue then the first step is always to pull out the profiler, and let that pinpoint the issue. Maybe you prefer printf statements with timings. Whatever.

But what do you do when you contemplate application security? Do you start to research authentication frameworks like SASL? Do you start using HTTP over SSL? I do. Application security for me starts and ends with the programming language and its frameworks, because those are the pieces that an application developer can effect. I've never known how to step back and ask where the security weakpoints are. Or step back and ask who I'm protecting it from. I'm a lot like the programmer that optimizes code without performance statistics. Jumping straight to code based security solutions is premature and wasteful unless backed by proper analysis. Spending 40 hours getting SASL integrated into your application without knowing definitively that front door authentication is the most likely exploit is a lot like spending 40 hours on a whim converting all your String objects to character arrays because it'll be faster (true story, and it wasn't faster).

All this is why I think attack trees are so cool. Attack trees are a threat modeling tool created by Bruce Schneier. They provide a process for thinking about what you're trying to protect, what the most likely attack would be, and how much it is worth. The outcome is a clearer picture of who would be most likely to attack your system and how they would do it. This information is what you use to determine the security needed on your application, and how much energy to expend creating it.

So what is an attack tree? It's just a visual representation of all the possible ways of attacking your system, in tree form of course. Here is an attack tree for reading someone else's email (taken from Core Security Patterns):

The root node of an attack tree is the goal of the attack, and child nodes are actions that can attain that goal. The leaf nodes (bottom-most nodes) are direct actions that can be taken to achieve the goal. Brainstorming the possible security holes can be an enlightening process, but it isn't the end point of the analysis. The real knowledge is generated by using the tree to answer questions.

• What is the cheapest attack? Assign each leaf a relative monetary value and the tree clearly shows the lowest cost attack.
  
• What is the easiest attack? Assign each leaf a relative difficulty and the tree shows which attack is easiest to perform. If hacking your app's authentication mechanisms isn't the easiest attack, then perhaps researching SASL is wasted effort.
  
• Which attacks require specialized equipment or skills?
  
• Which attacks are legal?
  
• Which attacks are most likely to work?
  

These questions can be combined to find the easiest path from a leaf node to the root. For instance, the cheapest low-risk attack, requiring no special equipment or skills, that cannot be prosecuted if caught is really something to worry about. The expensive attack, requiring advanced security skills and equipment, and easily prosecutable, is not your greatest risk. As the original article points out, the areas that most people think are vulnerable usually aren't. How much time has been spent debating whether PGP encryption algorithms should use a 1024 or 2048 bit key length (your company probably revisits this discussion every few years, by the way)? Meanwhile, keyboard sniffers and trojan horses are far and away an easier method to intercept data when compared to breaking the RSA encryption algorithm. This perspective of being able to make these types of relative judgments about security risks is exactly what attack trees are designed to do.

An important question to answer before making security decisions is, "How much is what you're protecting worth?" Imagine that what you are protecting is worth US$100,000. Any attack costing more than that can safely be ignored. The bumbling crooks spending more to crack the safe than the safe contains are Hollywood myths. Similarly, if closing the security hole costs more than US$100,000 then it isn't worth your time. There is no point on spending more on a safe than what the contents of the safe is worth. Give the contents away freely and don't buy the safe in the first place. Your accountants will thank you.

And what about who you are protecting the system from? Are you worried about organized criminals, who are willing to purchase expensive equipment and risk going to jail? Or is it bored teenagers with broadband, who might think twice about breaking the law or doing anything time consuming? What about a terrorist, who might even be willing to die for their cause? Knowing beforehand who might be attacking your system will rule out certain paths through the attack tree.

As Bruce Schneier wrote, "Security is not a product -- it's a process. Attack trees form the basis of understanding that process." Just like a profiler is a tool to guide optimization decisions, attack trees are a tool to guide security decisions. I was so impressed with the concept when I read about it in Core Security Patterns, that I had to dig a little deeper. It's been worth it. The original article appeared in Dr. Dobb's Journal, way back in 1999. 8 years old, but it was new to me, at least!

The Online Merchant of Venice

The Story
A play in which our hero, Antonio, uses the Internet to securely purchase airline tickets. But all is not what it seems on the Internet… for shady characters await to entrap poor Antonio.

Cliff Note: Internet based SSL is explained using a weak story and several bad Shakespeare references.

The Players
Antonio - The tragic hero of the story longs to visit his lover in Italy
Aye Eee - A clueless, befuddled web browser used by Antonio
|Bits Dotcom - (pronounced Orbitz.com) A travel broker offering deep discounts
Shylock.ru - A scheming character with a shady past, seeking profit by any means

Act I – Antonio Buys a Ticket

Antonio: Oh how I long to visit Italy, but tickets are so expensive. Maybe I can buy a ticket online with the help of my friend Aye Eee. [Speaking to Aye Eee] Aye Eee, create a secure SSL connection to |Bits

Aye Eee: [Speaking to |Bits] Client Hello. SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_256_MD5

|Bits: Server Hello. SSL_RSA_WITH_RC4_128_MD5 acceptable. Session ID = 123456.

Cliff Note: The first step of SSL communication is for the client and server to negotiate CipherSuite to use. The client begins with a Client Hello message and a list of acceptable encryptions. The server responds with a Server Hello and either the CipherSuite to use or a fatal alert.

|Bits: [Speaking to Aye Eee] Here is my digital certificate... My public key is 998877.

Aye Eee: Now I will generate a random value and encrypt it with |Bits's public key... [works hard, possibly grunts]... Perfect! My encrypted result is "!@#$^". I will send this result to |Bits in my "Client Key Exchange Message", and then I too will use the random value to create the session's master secret

Cliff Note: The delivery of these lines, especially the pronunciation of "!@#$%^", has been a career defining moment for many actors.

|Bits: Now that I possess the encrypted random value, I will decrypt it using my private key and calculate the session's master secret. Now both I, the server, and Aye Eee, the browser, possess the master secret.

Aye Eee: [Speaking to |Bits] Change cipher specification... from this point on all messages are secured using the negotiated parameters

|Bits: [Speaking to Aye Eee] Change cipher specification... from this point on all messages are secured using the negotiated parameters

Aye Eee: Using the master secret and SSL_RSA_WITH_RC4_128_MD5 encryption, I will now send the "Finished message"

|Bits: Using the master secret and SSL_RSA_WITH_RC4_128_MD5 encryption, I too will now send the "Finished message"

Cliff Notes: Both of the finished messages are the first messages passed be each party that is fully encrypted using the negotiated security parameters. From this point forward, all application data exchanged is encrypted, and any new connections to the site are also encrypted.

Aye Eee: [Speaking to Antiono] Here is your requested page, securely encrypted as you can see by the lock in the bottom right. Be careful now, and only give out personal information when you see the little lock.

Antonio: Wonderful. I am now safe to buy my tickets.

Cliff Note: An overview of the SSL Handshake is provided below:


Act II – Antonio Checks his Reservations

Antonio: I’m so excited for my trip that I just have to log on to |Bits and check me reservations. Aye Eee, take me securely to the site.

Aye Eee: [Speaking to |Bits] Client Hello. SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_256_MD5

Shylock.ru: [Masquarading as |Bits] Ah ha, disguised as |Bits, I will be able to extract 3000 ducats from innocent Antonio. [Speaking to Aye Eee] Alert - Warning. Unacceptable cipher spec. Try SSL_NULL_WITH_NULL_NULL

Cliff Note: This unencrypted CipherSpec should only be used during the SSL handshake, but some browsers will erroneously allow an SSL connection to be created with it. An Alert can be either a warning or an error, and is one of the four categories of SSL messages: Handshake, Alert, ChangeCipherSpec, and Application data.

Aye Eee: Client Hello. SSL_NULL_WITH_NULL_NULL

Shylock.ru: Hello. SSL_NULL_WITH_NULL_NULL acceptable. Here is your session ID.

Cliff Note: Notice how this degenerate CipherSpec does not require a digital certificate to be verified before sending the session ID.

Aye Eee: I’ll still generate my random value, but the CipherSpec says there is no need to encrypt it. I guess I’ll just send it to the server in plaintext and then use my random value to calculate the session's master secret.

Shylock.ru: Poor Aye Eee is almost snared in my trap. I’ll take the unencrypted random value and generate the session's master secret…

Aye Eee: [Speaking to |Bits] Change cipher specification...

Shylock.ru: [Speaking to Aye Eee] Change cipher specification...

Cliff Note: The Change Cipher specification message tells the players to use the negotiated security parameters for all communication going forward. However, the negotiated parameters now include sending application data in plaintext!

Aye Eee: [Speaking to |Bits] Finished message

Shylock.ru: [Speaking to Aye Eee] Finished message

Cliff Note: At this point, Aye Eee will display a “secure lock” in the browser. Shylock.ru can now impersonate |Bits because the lack of digital certificate in the CipherSpec means that there is no name mismatch warning. If the browser didn’t support the NULL CipherSpec then the illegitimate website could not impersonate the real site.

Aye Eee: Antonio, here is your requested page, securely encrypted as you can see by the lock in the bottom right. For some reason |Bits needs you to type in your credit card.

Shylock.ru: Poor Antonio doesn’t realize that all that glistens is not gold. If he just sends his credit card then I can extract my pound of flesh…

Antonio: Credit card number… sure, it is a secure site after all!

[Curtain closes as credit agencies rush in...]

Mary Queen of Scot's Guide to Asymmetric Ciphers

Before proceeding, you may want to read the backgrounder.

Before asymmetric ciphers, the sender of a message that was secured with a symmetric cipher would need to communicate the key value used to encrypt the message to the receiver via a separate secure communications channel. They are referred to as symmetric because both the sender and the receiver must share the same key to encrypt and then decrypt the data. The encoding cipher used by Mary Queen of Scots in the Babington Plot is an example of a symmetric cipher.

Like symmetric ciphers, asymmetric ciphers also provide encryption and decryption; however, the key value used in encryption is different than the key value used in decryption. At a vastly simplified level, the encryption functions used with asymmetric ciphers are examples of forward-only functions, where the inputs of the function cannot be deduced by knowing the output. Consider the function x + y = z. If we know that x = 4 and z = 2, then we can deduce that y was 2 (4 + 2 = 6). This is an example of a symmetric cipher... x is our private key and z if our enciphered output. If we know the key and the output, then we can calculate the contents of the message (y). Now imagine that the numbers of x + y = z function are times: 4 PM + y = 6 PM. Naively we can say y must equal 2 hours. However, it could just as easily equal 26 hours to get the same result. Or 50 hours. And so on. There are an infinite number of possible values for y. We can no longer deduce the value of y with forward only function the way we can with a two way function, such as a symmetric cipher.

An asymmetric cipher can be thought of like this one way function. It doesn't matter how many people know the key to your scheme, they won't be able to deduce the plaintext of the message without some other piece of information... and you keep this piece of information (your private key) secret from everyone.

Now Mary Queen of Scots could never possess the computing machines that we do, but they really were one great mathematician away from having something like our Public Key Infrastructure (PKI) and Digital Signatures. What would Mary and Babington's communications have looked like if they had?

Step 1. Exchanging Keys - Babington and Mary need to exchange public keys. The royal eavesdroppers could not change the integrity of these keys and still allow the parties to communicate. Effectively, they are free to exchange keys. Of course, the Spy Master keeps them both.

Step 2. Writing to Babington - Mary writes the message "Please tell me more about your plan".

Step 3. Encrypting the Message - She then encrypts it using a two-way, symmetric algorithm with the key "tennetsale". The result is "eirogneyfmyjdyeeork".

Step 4. Encrypting the Key - Now Mary needs to communicate the key and the message to Babington. To do this she encrypts the key "tennetsale" using Babington's public key and a one-way function, the result is "$&#*$&@%!@". This takes a very long time because asymmetric functions are so much slower than the alternative. Luckily, she didn't have to encrypt her entire message this way, only the key to the simpler encrypted message. She also counts the characters in her original message as a form of rudimentary checksum, and adds the encrypted result to the key.

Step 5. Encrypting the Signature - Mary now signs the entire message by encrypting her name using her private key, which results in "&*@#".

Step 6. Sending the Message - Mary's agents would take the encrypted message and key and store it in the hollow stopper of a beer barrel. The brewer would then deliver the barrels to Babington's agents.

Step 7. Intercepting the Message - Elizabeth's Royal Spy Master would intercept the barrels and make a copy of the message and key, passing the original back on to the brewer. However, no amount of effort would allow him to decrypt the original key of "tennetsale". It is not possible to deduce the plaintext of the message from knowing Mary's public key, Babington's public key, and the encrypted text. He can, however, prove that it was indeed Mary who sent the message because the signature line of "&*@#" can be decrypted in "Mary" using Mary's public key.

Step 8 - Verifying the Signature - Babington receives the message "eirogneyfmyjdyeeork", the key "$&#*$&@%!@", and the signature "&*@#". The first thing he does is use Mary's public key to decrypt her signature line from "&*@#" to "Mary", thus proving that the message really does come from her.

Step 9 - Decrypting the Key - Using his own private key, Babington now decrypts "$&#*$&@%!@" into "tennetsale". After great effort, he now has the encryption key that the Spy Master was unable to obtain. He also notes that there should be 35 characters in the message, information which Mary included with the key phrase.

Step 10 - Decrypting the Message - Babington now uses the key "tennetsale" to decrypt the message, receiving the text "Please tell me more about your plan". Since the message contains exactly 35 characters he can be reasonably sure that it was not altered in transit.

All four relevant facets of security were maintained throughout. Confidentiality was ensured by the Spy Master's inability to decrypt anything more but the conspirator's signature lines. Integrity was ensured by the basic checksum of 35 characters in the message. Authentication was proven by Mary's signature line, which when decrypted with her public key proved it was produced with her private key. And Non-repudiation was presumably ensured by Babington’s response.

Viola, history is irrevocably changed forever. Without being able to stop the plot, the Queen is dethroned and Mary replaces her. More importantly, no royal is ever executed for a crime, the population continues to believe royals are only accountable to God, and we're all probably serfs. Enjoy your farming.

Mary Queen of Scot's Guide to Information Security

Mary's Story

In January 1586, the English throne was in dispute between the Catholic Mary Queen of Scots and the Protestant Queen Elizabeth (whom most of us know today as Kate Blanchett). Fears for Elizabeth's safety escalated, and culminated with Mary being imprisoned in order to stop her from plotting to kill Elizabeth. While imprisoned, Mary conspired with a Catholic nobleman named Anthony Babington to overthrow and possibly execute Elizabeth. Elizabeth's fears were well founded, it seems. They communicated using encoded messages which they believed were of strong enough encoding to stop the royal spies from deciphering.

The messages between Mary and Babington contained two levels of encoding. The 23 unique letters in the English alphabet were substituted with 23 unique symbols. 36 common words and phrases in the language were also substituted with unique symbols. A complete decoding key dated from 1586 and containing Babington's signature follows:

The messages were smuggled in and out of prison through beer barrel stoppers where a nearby brewer delivered and picked up the barrels. Queen Mary's servants would retrieve the messages from the beer barrels and place messages back into the hollow of the beer barrel stopper.

The royal Spy Master intercepted all of the messages between Mary and Babbington. Each message was copied by the Spy Master and then sent on to its destination intact. Each message was decoded by trial and error by starting with letter substitutions and using the frequency of common characters (frequency analysis) until a readable text was found. The rest of the message was guessed at by the message context until the entire cipher was understood. Each message was returned in good enough condition that it was not evident that it had been read and copied.

Once Mary acknowledged the existing plot in an encoded message, the royals used a cipher and language expert to forge a postscript to the same message asking Babbington for the identity of the six conspirators. Babington received the forged postscript and message, but he never replied with the names of the conspirators. Nevertheless, he and the six conspirators were discovered and imprisoned. The forged postscript can still be found today in the National Archives:

Queen Mary denied her part in the plot, but her correspondence was the evidence; therefore, Mary was sentenced to death. Elizabeth signed her cousin's death warrant, and on February 8 1587, in front of 300 witnesses, Mary, Queen of Scots, was executed.

Questions

Q. Confidentiality is the concept of protecting sensitive data from being viewable by an unauthorized entity. Were the secret communications confidential? How would the answers from Mary and Elizabeth differ?

A. Mary would say the messages were confidential, because she believed that her encoding scheme was strong enough to secure the data even though it was publicly transmitted. Elizabeth knew otherwise, as she had cracked Mary's code. The message passing protocol, involving the brewer and beer barrel stoppers had little to do with confidentiality, because both parties assumed that the messages could be intercepted. The encoding, rather than their messaging system, was their primary method to obtain confidentiality. In this case, a stronger encoding or encryption algorithm would be needed to maintain confidentiality in the messages.

Q. Integrity is the concept of ensuring that data has not been altered by an unknown entity during its transit or storage. Did the messages have integrity? What would the answers from Elizabeth and Babington differ?

A. For the most part, Elizabeth and her Spy Master maintained the integrity of the messages by not altering them in transit. However, the last message contained a forged post script in an attempt to extract more information from the plotters. Elizabeth certainly knew this last message had no integrity, but did Babington? He never replied to the message, so he might have realized the message was a fake. From his perspective, all of the messages except the last one had integrity.

Q. Authentication is the concept of ensuring that a user's identity is truly what the user claims to be. Did the messages ensure that the author was truly the person they said they were? How could the system be changed to ensure authentication?

A. There are three broad bases to proving you are who you say you are: what you know, what you have, and what you are. The authentication scheme here is based on what you know... Mary and Babington believed only they knew the encoding scheme. So the author's identity was proven on the simple basis that the encoded message made sense when decoded. Passwords and personal questions are today's equivalent of a "what you know" authentication scheme. "What you have" was a common authentication scheme in the 1500s. Nobles would seal a document with wax and press their signet ring into wax, leaving a somewhat unforgeable impression of their identity in the envelope. Smartcards, ID Chips, and Secure ID cards are today's examples of "what you have" authentication. "What you are" was probably infrequently used in the middle ages, as a fingerprint was not noticed to be unique in the West until 1823. 14th century Persia knew and used this authentication technique, but like many things from Arabia, the technology never migrated West and was not "discovered" until much later. Today all sorts of biometric devices can be used for authentication, from hand size to retina scans.

One easy way to ensure authentication would have been to encrypt a signature line into each message, possibly based on some astronomical chart or calendar. However, Babington did not seem fooled by the one forged message, so perhaps their messages contained an authentication scheme we don't know about.

Q. Authorization is the concept of determining what actions a user is allowed to perform after being allowed access to the system. Was any authorization system in this system? How would one have helped?

A. Short answer: no. The only functions available in the system were to read or write a message. Any authenticated user could do both.

Q. Non-repudiation is the concept that when a user performs an action on data, such as sending a message, that action must be bound with the user in such a way that the user cannot deny performing the action. Did this message system contain non-repudiation? How is non-repudiation achieved today?

A. To this day, there is no definitive proof that Mary wrote the messages. The system contained no non-repudiation. Non-repudiative messaging system today rely on public/private key exchanges (PKI) and asymmetric encryption algorithms. Any message that can be decoded with a person's public key is mathematically guaranteed to have been generated with their private key. Often today, plain text (unsecured) emails are exchanged, and the email's signature line contains a small encrypted message. The recipient can decrypt the message with the author's public key and thus prove the identity of the author. Nonetheless, Mary was executed. The court of law has lower standards than information exchange, it seems.

Epilogue: Elizabeth was reluctant to execute Mary, for she realized that once a sovereign became answerable for the common man's crimes, the belief that a king's or queen's actions were accountable only to God would be undercut and ultimately challenge the structure upon which her authority was founded.