Professional Documents
Culture Documents
Module 3
BIT Noida
Malicious access
hacking and cracking - gain unauthorized access to computer systems Spoofing - Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else Denial of service flood Web site with useless traffic to inundate and overwhelm network Sniffing - eavesdropping program that monitors information traveling over a network
BIT Noida 3
Fear that credit card information will be stolen deters on line purchases Hackers target credit card files and other customer information files on merchant servers; use stolen data to establish credit under false identity One solution: New identity verification mechanisms
BIT Noida
Security Management
Authentication
Integrity
Intrusion Detection
BIT Noida
BIT Noida
Input controls prevent users from entering incomplete, erroneous, unauthorized, inappropriate data
Access privileges on user-by-user basis Input authorization passwords Data validation value bounds, data format, missing values
BIT Noida 8
Application Controls
Process controls policies and procedures to ensure reliable data by educating users, backups, anti virus sw Output controls ensure accurate output to right people Storage controls ensure safety of storage devices from disasters, unauthorized access and manipulations
BIT Noida
Development controls
Documentation detailed record keeping of system at all stages Data security and reliability Authorization Separation of duties to reduce conflicts of interest
BIT Noida
10
Physical facilities to be protected from theft, access, vandalism and disasters Personnel controls through social engineering
BIT Noida
11
Monitors traffic between local network and outside world Located at a gateway point Functions include
BIT Noida
12
Target interface to which packet is addressed Incoming packet protocol Rules are difficult to specify Routers are fairly inflexible and are bound by vendor's programming If a hacker can bypass router, local network is exposed
BIT Noida 13
Allow browser to ignore complex networking code that supports firewall protocol Can manage network functions such as audit trials of client transactions Help eliminate security concerns by
Filter dangerous URLs Enforce client/server access to designated hosts Implement access control for network services Check protocols forNoida well-formed commands BIT
14
Protect against unauthorized log-in from external world Provides greater level of audit and security Advantages include
Concentration of security Information hiding from outside hosts Centralized and simplified network services management
BIT Noida 15
Certain network accesses blocked for some users Compromise of firewall can be disastrous
BIT Noida
16
Security policy to deny services or to provide audited method or regulated access to users Define realistic policies Level of monitoring, redundancy and control Understand benefits and limitations
BIT Noida
17
Remote login Application back doors SMTP session hijacking OS bugs Denial of service Email bombs Viruses and Spam Source routing
BIT Noida 18
Attacks that bypass firewall Threats emanating from internal users Integrity of data Confidentiality of data Attacks from malicious software
BIT Noida
19
Data and transaction security ensure privacy, confidentiality and authorization of remote users
BIT Noida
20
BIT Noida
22
Encryption: The process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and receiver Purpose: Secure stored information and transmitted information Provides:
Stream cipher
(RC4)
BIT Noida
24
BIT Noida
25
Shared secret key Plain text P Encryption Algorithm Cipher text C C = EK(P) EK = encryption function DK = decryption function
BIT Noida 26
Decryption Algorithm
Plain text P
P = DK(C) = DK(EK(P))
Caesar cipher substitutes each letter of message by another that is 3 letters down the set of alphabet Captain Midnight Secret Decoder Rings same as Caesar cipher except the substituting letter is n letters down the alphabet set Mono-alphabetic cipher uses arbitrary mapping of alphabet into another set of letters
BIT Noida
27
Developed by IBM for NIST, USA Works on 64-bit data blocks Uses 64-bit key since 8 bits are for parity, effective key is 56-bits Data undergoes initial permutation, 16 Fiestel rounds and a final permutation to yield 64-bit cipher Efficient in hardware but slow in software Decryption uses same steps in reverse order
BIT Noida 28
DES Operation
64-bit Plain text Initial permutation 32 bit right half Mangler function + 32 bit left half
15 more rounds of above operation
Key generation
29
BIT Noida
30
DES Variations
Double DES encrypts message using DES twice with two keys. Effective key is 56x2 bits long Triple DES encrypts message using DES thrice, using two or three keys. Effective key is 56x3 bits long DES-X uses an extra 64-bit key before and after applying DES. Effective key length is 56+64+64 bits. Less expensive than 3T-DES GDES proposed to increase speed of operation, but found to be less secure
BIT Noida 31
Designed to be efficient in software in 1991 Works on 64 bits of data block Uses 128 bit key Yields 64 bit cipher text Same operations used for encryption and decryption, but for the generation of round keys Attempts to break successful only up to 5 rounds BIT Noida
32
IDEA Operation
128-bit key is expanded to generate 52 16-bit keys, K1 K52 Process involves 17 rounds of operations Odd and even round operations are different 64-bit data is broken into 4 16-bit chunks Each chunk in each round undergoes math operation along with a 16-bit key Odd rounds use 4 keys and even rounds use 2 keys
BIT Noida 33
Ka
Kd X
xa
xb
xc
xd
BIT Noida
34
xa +
xd
xa
xb
xc
xd
In odd round in decryption Xa = new Xa x mod 216 + 1 Xb = new Xc + additive inverse of Kb Xc = new Xb + additive inverse of Kc Xd =new Xd x mod 216 +1
BIT Noida
35
Based on Rijndael algorithm in 2001 Works on 128-bit data block Uses 128- 192- or 256-bit key Fast both in hardware and software Easy to implement and requires less memory Not broken so far Theoretically, some flaws are published in 2010 that may lead to breaking code
BIT Noida 36
AES Operation
Expands key to generate 10 round-keys Data and key are arranged as a 4x4 byte matrix. Data block undergoes 10 rounds of operation
BIT Noida
37
AES Operation
Substitute bytes of data with bytes from Sbox Shift rows each row is shifted by a fixed number of times Mix columns is what adds to secrecy of algorithm Add round-key XOR key with data
Decryption uses inverse S-box for substitution and uses keys in reverse order
BIT Noida 38
AES Operation
BIT Noida
39
Uses two keys private key and public key Provides both confidentiality and authentication RSA is popular public key encryption algorithm A user generates a private key and a public key Keeps private secret with self, distributes public key Message encrypted with private key can be decrypted by others using public key Message encrypted with public key by others can be decrypted by user
BIT Noida 40
encryption
decryption
encryption
PKE for authentication
BIT Noida
decryption
BIT Noida
42
Private key must be secret Decipher message without matching key must be impossible Algorithm know-how and samples of cipher text must not lead to finding other key Slow to operate Vulnerable to chosen-plain text attack
43
Electronic Code Block the worst method. Break message into chunks. Encrypt each chunk Cipher Block Chaining somewhat better. Break message into chunks. Add an initialization vector to each chunk and encrypt K-bit Cipher Feedback Mode initialization vector of k bits added to each chunk and encrypt. K-bit Output Feedback Mode add initialization vector of k bits to first chunk and encrypt. add k bits out of it to next chunk and encrypt and so on Counter Mode - initialization vector of k bits added to first chunk and encrypt. Increment vector for next chunk and encrypt and so on
BIT Noida
44
Private key must be secret Decipher message without matching key must be impossible Algorithm know-how and samples of cipher text must not lead to finding other key Slow to operate Vulnerable to chosen-plain text attack Irreversible , same key does not work for decryption
45
Key length is 40 to 256 bits Generates a pseudo random stream of bits for key using
Key is XORed with plain text as the text comes in Not very secure as per cryptography standards
BIT Noida 46
BIT Noida
47
End-to-End Encryption
Encryption done at ends of system Data in encrypted form crosses network unaltered Destination shares key with source to decrypt Host can only encrypt user data Otherwise switching nodes could not read header or route packet Traffic pattern not secure Use both link and end to end
BIT Noida
48
Link Encryption
Each communication link equipped at both ends All traffic secure High level of security Requires lots of encryption devices Message must be decrypted at each switch to read address (virtual circuit number) Security vulnerable at switches
49
Key Distribution
Key selected by A and delivered to B Third party selects key and delivers to A and B Use old key to encrypt and transmit new key from A to B Use old key to transmit new key from third party to A and B
BIT Noida
50
BIT Noida
51
Encryption is slow Encryption hardware expensive Encryption hardware optimized to large data Algorithms covered by patents Algorithms subject to export controls (from USA)
BIT Noida
52
Authentication tag generated and appended to each message Message not encrypted Useful for:
Have one destination responsible for authentication Encryption adds to workload Can authenticate random messages
BIT Noida
55
Generate authentication code based on shared key and message Common key shared between A and B If only sender and receiver know key and code matches:
Receiver is assured message has not altered Receiver is assured message is from alleged sender If message has sequence number, receiver assured of proper sequence
BIT Noida 56
BIT Noida
57
Accept data of any length, compute fixed-length hash code and append it to data Hash function must have following properties:
Can be applied to any size data block Produce fixed length output Easy to compute Not feasible to reverse Not feasible to find two message that give the same hash
BIT Noida 58
SHA 1 SHA 2
SHA 1 produces 160-bit hash code Other produce as many bits as their number suggest
BIT Noida 59
SHA 1
BIT Noida
60
MD 5
Announced in 1991 Accepts a message of arbitrary number of bytes and produces 128-bit message digest. Widely used to check integrity of downloaded files on Internet and passwords Algorithm uses only one pass over the data Size of hash is small and vulnerable to attacks Flaws found in 1996, collisions created in 2004
BIT Noida 61
A creates message A applies hash function resulting a hash code A encrypts message and hash code using B's public key A encrypts above result with its own private key A sends encrypted message and hash to B B uses A's public key to authenticate it B uses self private key to decrypt message B checks message and hash function match
BIT Noida 64
Electronic Signature
BIT Noida
65
Digital Envelopes
Public key encryption is slow for large message Private key encryption has key distribution issue Digital envelopes use both
Encrypt message with private key algorithm Encrypt private using recipient's public key Send both to recipient Thus there is a key within a key
BIT Noida 66
SHTTP
Supports many cryptographic formats, key distribution schemes Security can be negotiated between client and server Encapsulates browser-server interactions
BIT Noida 67
SHTTP Requests
First identifies type of content in HTTP message Second identifies cryptographic implementation Data representation of enclosed data Transmit session keys and other info related to data MAC to authenticate and integrity check Content-privacy-domain for digital signatures, encryption, both or neither
BIT Noida
68
A layer between TCP and IP in TCP/IP suite Developed by Netscape Communications Protects higher level protocols built of sockets
Once SSL session begins, communication is private, authenticated and reliable Used to transmit information such as payment
BIT Noida
69
SSL Operation
Client requests connection Server sends form to client Client fills form and submits Server sends form data with SSL
Client (Browser)
Web Server
BIT Noida
70
BIT Noida
71
SSL Operation
Connection
Transport that provides suitable type of service Peer-to-peer Transient Every connection associated with one session Association between client and server Created by Handshake Protocol Define set of cryptographic security parameters Used to avoid negotiation of new security parameters for each connection
Session
Maybe multiple secure connections between parties May be multiple simultaneous sessions between parties
BIT Noida 72
BIT Noida
73
BIT Noida
74
Drawbacks of SSL
Being low level protocol, does little to protect the host, once it is compromised. Once a certificate is compromised, it remains compromised. There is no mechanism to consult the root of CA SSL uses public key encryption to exchange session key, which encrypts HTTP transactions. If short keys are used, it is easy to break the code
BIT Noida 75
A set of written standards to describe how to implement credit card transactions Designed by MasterCard and Visa, developed by Microsoft, CyberCash, IBM, Netscape etc Specific to bank card payments
BIT Noida
76
SET Services
Strong protection for cardholder's account details from both eavesdroppers and fraudulent merchants Non-repudiation for both the merchant and the cardholder on transaction agreement Assurance to merchant that the payment will be honored
BIT Noida
77
SET Operation
Customer opens a MasterCard or Visa account Customer receives digital certificate and private signing key Third party merchants also receive certificates from the bank with their public key and bank's public key Customer places order over a web page Customer receives merchant's certificate and validates it
BIT Noida 78
Customer sends order and payment information Merchant verifies the customer, by checking the digital signature on the certificate, may be by bank or third party Merchant sends order message to bank Bank verifies the merchant and message Bank digitally signs and sends authorization to the merchant, who can then fulfill the order
BIT Noida 79