Computer Security

Download as pdf or txt
Download as pdf or txt
You are on page 1of 11

Addis Ababa University

College of Natural and Computational Sciences


Department of Computer Science

Computer Networking and Security Module

Part I: Data Communication and Computer Networking


Part II: Network and System Administration
Part III: Computer Security

May 2024
Addis Ababa,
Ethiopia
Chapter 1: Information/Computer Security Issues o The data stored on the computer is the same as what is
1. Introduction intended.
 Security is ―the quality or state of being secure—to be free  Availability:
from danger.‖ o Ensuring timely and reliable access to and use of
o in other words, protection against adversaries —from information.
those who would do harm, intentionally or otherwise—is o Assures systems work promptly & service isn’t denied to
the objective. authorize users.
o National security, for example, is a multilayered system  Authentication:
that protects the sovereignty of a state, its assets, its o Is proving a claim – usually that you are who you say you
resources, and its people. Achieving the appropriate level are.
of security for an organization also requires a multifaceted  non-repudiation:
system. o Prevention of either the sender or receiver denying a
transmitted message.
2. Information Assurance?
o Prove the occurrence of a claimed event or action and its
 The practice of assuring information and managing risks originating entities.
related to the use, processing, storage, and transmission of
information or data, the systems and processes used for 5. Information Assurance strategy
those purposes.  Cyber security awareness and education
 Includes protection of the integrity, availability,  Strong cryptography
authenticity, non-repudiation and confidentiality of user  Good security-enabled commercial information technology
data.  An enabling global Security Management Infrastructure;
o Using physical, technical and administrative controls to and
accomplish these tasks.  A civil defense infrastructure equipped with an attack
o not only digital but also analog or physical form sensing and warning capability and coordinated response
 Includes restoration of information systems by mechanism
incorporating protection, detection, and reaction 6. Difference: InfoSec, computer security & IA
capabilities.  IA: measures that protect and defend information and ISs
 It is best thought of as a superset of information security, by ensuring their availability, integrity, authentication,
strongly related to the field of information security, and confidentiality, and non-repudiation.
also with business continuity.  Information protection or InfoSec: protection of
3. Why Information Assurance is needed? information and ISs from unauthorized access, use,
 To protect information exchanges between interconnected disclosure, disruption, modification, perusal, inspection,
computer systems. recording or destruction.
o Stand-alone COMPUSEC could not protect information  Computer Security: (W. Stallings)
during storage, processing or transfer between systems. o Protection to an automated information system in order to
o to detect attacks and enable a response to those attacks attain the applicable objectives of preserving the
 To add business benefit through the use of IRM confidentiality, integrity, and availability (CIA) of
(Information Risk Management). information system resources (includes hardware,
o improves business continuity software, firmware, information/data, and
 Generally, to minimize risk and ensure business continuity telecommunications).
by implementing controls to limit the impact of a security  Two major aspects of InfoSec are:
breach. o IT security (Sometimes computer security): is InfoSec
applied to technology (most often computer system).
4. Information Assurance pillars
o IA: The act of ensuring that data is not lost when
 Confidentiality: critical issues like natural disasters, system malfunction,
o Preserving authorized restrictions on access and physical theft, etc. arise.
disclosure.
 InfoSec, computer security & IA are frequently used
o Includes personal privacy and proprietary information
interchangeably;
protection.
o These fields are interrelated and share the common goals
 Integrity: of protecting the CIA of information; however, there are
o protecting against improper information modification or some subtle differences.
damage
o differences lie primarily in the approach to the subject, the
methodologies used, and the areas of concentration.

2|Page
 InfoSec: concerned with the CIA of data regardless of the Chapter 2: Information security models and
form the data may take: electronic, print, or other forms.
mechanisms
 Computer security: can focus on ensuring the availability
and correct operation of a computer system without 1. Model for Computer Security
concern for the information stored or processed by the
computer.
 IA: focuses on the reasons for assurance that information
is protected, and is thus reasoning about information
security.
7. Enterprise security & Cyber defense
 Enterprise security: is about building systems to remain
dependable in the face of malice, error, or mischance.
 Cyber defense: computer network defense mechanism
 Example: If a company has antivirus software but does not
which includes response to actions and critical
use an anti-virus and keep the virus signatures up-to-date,
infrastructure protection and IA for possible networks.
this is vulnerability. The company is vulnerable to virus
 Business-driven approach to enterprise security attacks. Similarly, if you fail to routinely update your
architecture means that security is about enabling the operating systems or application software, these will
objective of an organization by controlling operational remain vulnerable to software problems ("bugs") that have
risk. been identified and patched
8. Threats, vulnerabilities, risk, controls (W. Stallings) o Vulnerability: no antivirus/ un updated Signatures
 Adversary (threat agent): An entity that attacks, or is a o Threat: Virus
threat to, a system. e.g. all hackers in the world o Attack: System Crash and/or destroy data and/or
 Threat: any circumstances or events that can potentially data modification
harm an information system by destroying it, disclosing o The likelihood of a virus showing up in the
the information stored on the system, adversely modifying environment and causing damage is the risk.
data, or making the system unavailable. o The countermeasures in this situation are to update
 Vulnerability: weaknesses or fault in an information the signatures and install the antivirus software on all
system or its components that could be exploited. computers
 Attack: actual violation of security that derives from an 2. Goals of computer security
intelligent threat. 3 key objectives of computer security: CIA triad (W. Stallings)
 Risk: An expectation of loss expressed as the probability  Confidentiality: Data confidentiality and Privacy
that a particular threat will exploit a particular o is the prevention of unauthorized disclosure of
vulnerability with a particular harmful result. information.
o Risk = Threats x Vulnerabilities o In other words, confidentiality means keeping information
 Control, safeguard, or countermeasure: An action, private or safe.
device, procedure, or technique that reduces a threat, a o it may be important for military, business or personal
vulnerability, or an attack by eliminating or preventing it, reasons.
by minimizing the harm it can cause, or by discovering o it may also be known as privacy or secrecy.
and reporting it so that corrective action can be taken.  Integrity: covers Data integrity and System integrity
 Security Policy: A set of rules and practices that specify or o the prevention of unauthorized writing or modification of
regulate how a system or organization protects sensitive information.
and critical system resources. o Integrity in a computer system means that there is an
 System Resource (Asset): Data contained in an external consistency in the system – everything is as it is
information system; or a service provided by a system; or expected to be.
a system performance; or an item of system equipment o Data integrity: the data stored on the computer is the same
(i.e., a system component—hardware, software, or as what is intended.
documentation); or a facility that houses system operations  Availability:
and equipment. o Assures that systems work promptly and service is not
denied to authorized users.
o Information should be accessible and usable upon
appropriate demand by an authorized user.

3|Page
o Denial of service (DOS) attacks are a common form of o Modification / Deception: unauthorized party
attack against computer systems whereby authorized users modifying a resource, acceptance of false data, E.g.,
are denied access to the computer system. providing wrong data (attack on data integrity)
Additional objectives: o Disruption/Interruption: destroyed/unavailable
 Non-repudiation: is the prevention of either the sender or services/resources, DoS (attack on data availability)
the receiver denying a transmitted message. o Fabrication: unauthorized party inserts a fake
o It is the ability to prove the occurrence of a claimed event asset/resource, loss of confidentiality, authenticity and
or action and its originating entities integrity of the message
o It assures that a sender of data is provided with proof of  Types of Attackers
delivery and the recipient is provided with proof of the o Amateurs: Opportunistic attackers (use a password
sender's identity, so neither can later deny having they found), Script kiddies
processed the data. o Hackers - nonmalicious
o often implemented by using digital signatures o Crackers – malicious
 Authentication o Career criminals
o is proving a claim – usually that you are who you say you o State-supported spies and information warriors
are. 4. Countermeasure Methods to Risk
o for example it may be obtained by the provision of a  Any means taken to deal with a security attack. It can be
password or by a scan of your retina. devised to prevent a particular type of attack. When
 Access controls prevention is not possible, or fails in some instance, the
o provide the limitation and control of access to authorized goal is to detect the attack and then recover from the
users through identification and authentication. effects of the attack.
o A system needs to be able to identify and authenticate  Five basic approaches to defense of computing systems
users for access to data, applications and hardware. o Prevent attack: from violating security policy, Block
o In a large system there may be a complex structure attack / Close vulnerability
determining which users and applications have access to o Deter attack: intended to discourage potential
which objects. attackers, Make attack harder,
 Accountability o Deflect attack: Make another target more attractive
o Ensuring an entity’s action is traceable uniquely to that than this target
entity. o Detect attack: accept that an attack will occur; the
o Ascertains the responsibility of an entity (like a person) goal is to determine that an attack is under way, or has
for its actions and decisions. occurred, and report it.
o All relevant activities events and operations on a system, o Recover from attack: Stop attack, assess and repair
e.g., failed and successful authentication attempts, are damage or restore the operations of the business
recorded in a log.
5. Controls: Security policies & mechanisms
3. Security Attack  for Today Computers
 The agent carrying out the attack is referred to as an o Encryption: primary control that protects CIA, by
attacker, or threat agent. which Cleartext scambled into ciphertext.
 We can distinguish two types of attacks: (W. Stallings) o Software controls: password checker, virus scanner,
o Active attack: an attempt to alter/affect system IDS (intrusion detection system)
resources or their operation. o Hardware controls: provide higher degree of security;
o Passive attack: an attempt to learn/make use of Locks, Smart cards, dongles, hadware keys...
information from the system that does not affect o Policies and procedures: Alignment with users’ legal
system resources. and ethical standards; eg. password policy
 We can also classify attacks based on the origin of the o Physical controls: natural and man-made disaster
attack: protection; walls, locks, guards, security, cameras,
o Inside attack: Initiated by an entity inside the security backup copies and archives
perimeter (an ―insider‖).
6. Principles of Computer Security
o Outside attack: Initiated from outside the perimeter.
 Principle of Easiest Penetration
 Types of Attacks on Data CIA (W. Stallings)
 Principle of Adequate Protection
o Disclosure/Interception: unauthorized party snooping,
or getting access to a resource, Attack on data  Principle of Effectiveness: Controls must be efficient, easy
confidentiality: to use, and appropriate.
 Principle of Weakest Link: Security can be no stronger
than its weakest link.

4|Page
 Principles of Least Privilege: ―Do not give any more B. Brute-force attack: The attacker tries every possible
privileges than absolutely necessary to do/perform the key on a piece of ciphertext until an intelligible
required job‖. translation into plaintext is obtained. On average, half of
 Defense in Depth: having more than one layer or type of all possible keys must be tried to achieve success.
defense C. Cryptanalysis: the process of breaking an encrypted
 Minimization: ―do not run any software, or applications that code.
are not strictly required to do the entrusted job.‖  Ciphertext only Attack, Known plaintext Attack,
 Compartmentalization: limits the damage in other Chosen plaintext Attack, Chosen ciphertext Attack,
compartments when one compartment is compromised. and Chosen text Attack
 Keep Things Simple: Complexity is the worst enemy of 2. Class of Attacks
security.  Reconnaissance: The hackers first identifies a target to
 Fail Securely: if a security measure or control has failed for launch an attack, extract maximum information regarding
whatever reason, the system is not rendered to an insecure this target, understand its vulnerabilities, and then only
state. explore the best ways to exploit it.
 Balancing Security and Access o Examples: Credential Theft using Keyloggers and
Chapter 3: Computer Threats/Attacks Spyware; Identity Theft using spam e-mail, phishing
attack and social engineering attack
1. Types of Threats/Attacks … (Chuck Eastom)
 Access: Ones the attacker Reconnaissance the target, S/he
 Physical Attack: Stealing, breaking or damaging of
starts a successful exploitation and continued access to the
computing devices
system. Then, the attacker is in control of the target.
 Malware Attack: A generic term for software that has
 Denial of Service: Ones the attacker having a successful
malicious purpose.
access to the system. S/he starts to deny users from
o Viruses accessing or using the service or system.
o Worms
o Trojan horses
Chapter 4: Application of Security Mechanisms
o Spy-wares 1. Cryptography and hash functions
o Zombie  Cryptography is the science and art of secret, or hidden
o Botnets writing
o Bacterium  Cryptanalysis is the science and art of breaking codes.
o Logic bomb  Modern cryptography concerns with:
o Backdoor(Trapdoor) o Confidentiality - Information cannot be understood by
o Adware anyone.
o Flooders (DoS client) o Integrity - Information cannot be altered.
o Key loggers o Non-repudiation - Sender cannot deny his/her
o Rootkit intentions in the transmission of the information at a
o Spam/scam, identity theft, e-payment frauds, etc. later stage.
 Hacking /Intrusion/ Attack: any attempt to intrude or gain o Authentication - Sender and receiver can confirm
each.
unauthorized access to your system either via some
operating system flaw or other means. The purpose may or  Generally, the goal of the cryptography is to protect
may not be for malicious purposes. private communication in the public world.
 Cracking: is hacking conducted for malicious purposes.  Basic cryptographic terms
 Denial of Service (DoS) Attack: Blocking access from o Plaintext - the original form of a message
legitimate users o Ciphertext - the coded/encrypted form of a message
 Distributed DoS Attack: is accomplished by tricking o Cipher – an encryption method or process
routers into attacking a target or using Zombie hosts to encompassing the algorithm and key, or procedures
simultaneously attack a given target with large number of used to transform plaintext to ciphertext
packets. o Key - info used in cipher known only by the
 Spoofing: Examples; MAC cloning, IP spoofing, and email sender/receiver. A Key is value that the cipher, as an
algorithm, operates on.
spoofing
 If same key is used for encryption & decryption
 Password attacks: guessing password; social engineering
the algorithm is called symmetric
attack, Dictionary attack
 If different keys are used for encryption &
 Cryptographic Attack:
decryption the algorithm is called asymmetric
A. Frequency Analysis attack: Guess values based on
frequency of occurrence
5|Page
o Encipher (encrypt) – the process of converting ciphertext character. Alice and Bob can agree on a table
plaintext to ciphertext showing the mapping for each character.
o Decipher (decrypt) - recovering plaintext from
ciphertext
o Cryptography – the study of encryption (2) Polyalphabetic Ciphers
principles/methods
o The relationship between a character in the plaintext to a
o Cryptanalysis (codebreaking) - the study of character in the ciphertext is one-to-many.
principles/ methods of breaking ciphertext without
o Autokey Cipher:
knowing key
o Cryptology - the field of study which deals with both
cryptography and cryptanalysis
 Cryptography classification:
A. Classical/Conventional Cryptography: Substitution o Playfair Cipher
Cipher and Transposition Cipher o Vigenere Cipher
B. Modern Cryptography: Symmetric key cryptography o Exercise:
and Public key cryptography  Encrypt the message ―She is listening‖ using the 6-
character keyword ―PASCAL‖.
Classical Cryptography
 The initial key stream is (15, 0, 18, 2, 0, 11). The key
Substitution ciphers stream is the repetition of this initial key stream (as
 Replaces one symbol with another. many times as needed)
 Categories monoalphabetic or polyalphabetic ciphers. o Hill Cipher:
(1) Monoalphabetic Ciphers  Key in the Hill cipher: The key matrix in the Hill cipher
o The relationship between a symbols in the plaintext to a needs to have a multiplicative inverse.
symbol in the ciphertext is always one-to-one.
o sometimes called additive cipher or shift cipher or Caesar
cipher (key of 3)
o When the cipher is additive, the plaintext, ciphertext,
and key are integers in Z26.
o Exercise:
 Use additive cipher with key = 15 to encrypt the
message ―hello‖.
 Use the additive cipher with key = 15 to decrypt
the message ―WTAAD‖.
o Multiplicative Ciphers: the plaintext and ciphertext are
integers in Z26; the key is an integer in Z26*. This set has
only 12 members: 1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25.
o Exercise:
 use a multiplicative cipher to encrypt the message Transposition Ciphers
―hello‖ with a key of K=7. The ciphertext is  Does not substitute one symbol for another, instead it
―XCZZU‖. changes the location of the symbols (reorders symbols).
 Decryption key is multiplicative inverse of K=7; K-1  A transposition cipher relies on an algorithm which
mod 26=7-1 mod 26. rearranges the order of the letters in a plaintext
o Affine Ciphers: uses a pair of keys in which the first key message
is from Z26* and the second is from Z26. The size of the (1) Keyless Transposition Ciphers
key domain is 26 × 12 = 312. o Permute the characters by writing plaintext in one way and
 The additive cipher is a special case of an affine reading it in another way.
cipher in which k1 = 1. The multiplicative cipher is o rail-fence transposition: a plaintext message is
a special case of affine cipher in which k2 = 0. transposed into several rows
o Because additive, multiplicative, and affine ciphers have  Ciphertext is produced by reading the resulting
small key domains, they are very vulnerable to brute- columns in sequence
force attack;  Example with 2 rails (rows):
 Solution: Monoalphabetic Substitution Cipher  Plaintext: THEBIGBANGTHEORY
o Monoalphabetic Substitution Cipher: creates a mapping  Plaintext arranged into 2 rows:
between each plaintext character and the corresponding  THEBIGBA
 NGTHEORY

6|Page
 Ciphertext: tnhgetbhiegobray  complexity of a brute-force attack:
o columnar transposition: a plaintext message is o If the key is 56 bits long, there are 256 possible keys.
transposed into several columns o Assuming a supercomputer can try a million keys a
 Ciphertext is produced by reading the resulting second, it will take 2285 years to find the correct key.
rows in sequence o 256 /(1000,000*(365days*24hr*3600s))
 Example with 2 columns: e.g. DES
 Plaintext: SECRET  There are three main types of modern cryptographic
 Plaintext arranged into 2 columns: functions that are the building blocks of security:
S R 1) symmetric encryption
E E 2) Asymmetric encryption
C T 3) Hash Functions
 Ciphertext: sreect Symmetric key cryptography
 The key in a columnar transposition is the number of  Uses conventional / secret-key / single-key.
columns!  The secret key shared by both sender and receiver.
 In the example above, the key is 2  All classical encryption algorithms are private-key.
(2) Keyed Transposition Ciphers o Use the same key (shared key) for encryption and
o Is to divide the plaintext into groups of predetermined decryption process.
size, called blocks, and then use a key to permute the  If this key is disclosed communications are compromised.
characters in each block separately.  Symmetric Cipher Model
o The permutation of each character in the plaintext into the o Alice can send a message to Bob over an insecure
ciphertext based on the positions. channel
o Permutation key: key used for encryption and decryption.  with the assumption that an adversary, Eve, cannot
understand the contents of the message.
o The original message from Alice to Bob is referred to
as plaintext;
o the message that is sent through the channel is referred
(3) Combining Two Approaches to as the cipher text.
o Alice uses an encryption algorithm and a shared secret
key.
o Bob uses a decryption algorithm and the same secret
key.

Figure 4.1 symmetric - key cryptography


 2 requirements for secure use of symmetric encryption:
Modern Cryptography: o Strong encryption algorithm: i.e., Y = EK(X)
 Based on Kerckhoff’s principle, one should always assume o Secret key known only to sender / receiver: i.e. X =
that the adversary, Eve, knows the encryption/decryption DK(Y)
algorithm.  Assume encryption algorithm is known
 The resistance of the cipher to attack must be based only o Implies a secure channel to distribute key:
on the secrecy of the key and the strength of the  Problem: - Key distribution problem
algorithm.  Key Distribution
 If the strength of the algorithm is secured enough, better o Symmetric schemes require both parties to share a
way to break the cryptosystem will be trying every common secret key.
possible key in a brute-force attack. o Issue is how to securely distribute this key.
7|Page
o Often secure system failure due to a break in the key o Four different stages are used, one of permutation
distribution scheme. and three of substitution:
 Given parties A and B have various key distribution  Substitute bytes: Uses an S-box to perform a byte-
alternatives: by-byte substitution of the block
o A can select key and physically deliver to B.  ShiftRows: A simple permutation
o Third party can select & deliver key to A & B.  MixColumns: A substitution that makes use of
o If A & B have communicated previously can use arithmetic over GF(28)
previous key to encrypt a new key.  AddRoundKey: A simple bitwise XOR of the
o If A & B have secure communications with a third- current block with a portion of the expanded key
party C, C can relay key between A & B.  Categories of symmetric ciphers:
 Key Hierarchy o Stream Ciphers: Encrypt data one bit or one byte at a
o session key time
 temporary key o Block Ciphers: a group of plaintext characters of a fixed
 used for encryption of data between users size (a block) is encrypted at once and sent to the receiver;
 for one logical session then discarded Playfair, Hill ciphers, modern symmetric ciphers
o master key o Combination Cipher
 used to encrypt session keys Asymmetric key cryptography
 shared by user & key distribution center  also known as public-key encryption.
 Advantage: Simpler and faster  In public key cryptography,
 Disadvantages: Less secured, key exchange problem, o unlike symmetric-key, there are two keys: a private
large number of keys are needed key and a public key.
 Examples of symmetric key algorithms are as follows:  The public key is announced to the public; whereas
(1) Data Encryption Standard (DES) (56bits key) the private key is kept by the receiver.
o Feistel cipher: half of the data block is used to modify o anyone can send messages using the public key of the
the other half of the data block and then the halves are receiver for encryption, but only the receiver uses his
swapped. private key for decryption
o passes through an initial permutation (IP) that  Secret transmission of key for decryption is not
rearranges the bits to produce the permuted input. required
o followed by sixteen rounds of the same function:  Every entity can generate a key pair and release its
involves both permutation and substitution functions. public key
o The left and right halves of the output are swapped to  Encryption and decryption keys are different but
produce the preoutput. form a unique pair
o The preoutput passed through the inverse of the initial o Note that: Private key can also be public by keeping
permutation function (IP -1) public key secret
 PKE systems eliminate the problems(key exchange)
encountered with symmetric key systems
o Key distribution is easy with PKE!
 used for confidentiality, authentication & Digital Signature.
 the padlock that is locked with a public key can be
unlocked only with the corresponding private key.
 Eve should not be able to advertise her public key to the
community pretending that it is Bob’s public key.
 used for internet secure links. Each site has its own public
& private keys.
 Asymmetric-key cryptosystem Model
(2) Triple DES (3DES) (168 bits key) o Both users (Bob & Alice) generates a pair of keys
(3) Advanced Encryption Standard (AES) o Each user places one of 2 keys in public register.
o is not a Feistel structure  This is the public key: each user maintains a collection of
 processes the entire data block as single matrix public keys obtained from others.
during each round using substitutions and o The companion key is kept private to each.
permutation (substitutions permutation Network ) o If Alice wishes to send a confidential message to Bob,
o plain text is a fixed block size of 128 bits and a key She encrypts the message using Bob’s public key.
size of 128, 192, or 256 bits o When Bob receives the message, he decrypts it using
his private key.
8|Page
o first practical method for secret share over unsecured
 No other recipient can decrypt because only Bob knows his channel.
private key. o The point is to agree on a key that two parties can use
for a symmetric encryption, in such a way that an
eavesdropper cannot obtain the k.
o One of the main uses of DH is in the Internet Key
Exchange (IKE) protocol,
 a central part of the IP Security (IPSEC) architecture
o Example: Suppose Alice and Bob want to agree on a
shared symmetric key.
a) Alice and Bob, and everyone else, already know the
values of p and g.
b) Alice generates a random private value a and Bob
generates a random private value b.
 Both a and b are drawn from the set of integers 1, ..., p-1.
c) Alice and Bob derive their corresponding public values, - the
values they will send to each other unencrypted-as follows.
Figure 4.2 Asymmetric-key cryptography  Alice’s public value is ga mod p and
 uses this ideas to make a trap-door one-way function:  Bob’s public value is gb mod p then, they exchange their
public values.
o dominant PKE algorithms are based on the difficulty  Finally,
of factoring large numbers, or Discrete Logarithm  Alice computes gab mod p = (gb mod p) a mod p and
Problem.  Bob computes gba mod p = (ga mod p) b mod p.
o Multiplying two large primes is a one-way Function,
factoring is conjectured to be a hard problem
 These algorithms are also susceptible to a brute-force
attack, but of a different type.
 Breaking these algorithms
o does not involve trying every possible key;
o involves trying to factor the large number (or taking
discrete logarithms in a very large finite field)
 If the number is too small, you have no security. Fig 4.3 Diffie-Hellman Key Agreement (DH)
 If number is large enough, secured against all (3) Rivest, Shamir, Adleman (RSA)
computing power. o Developed by Ron Rivest, Adi Shamir, Len Adelman
 Advantages: more secured, Authentication o Variable Key Size (512, 1024, or 2048 bits)
 Disadvantages: relatively complex o Most popular public key algorithm
 Public Key Infrastructure (PKI) o Based on principle:
o used for the management of public key and  No mathematical method to efficiently find the prime
distribution of digital certificates factors of large numbers
o Authenticates users and devices in the digital world. o Breaking RSA is equivalent to finding prime factors:
o Its most familiar use is this is now to be computationally infeasible.
 in SSL certificates and TLS (newer version): in o private and public keys are constructed from very large
practice, most websites now use TLS. prime numbers.
o With HTTPS, certificates serve to identify the web o only who has produced the keys from prime number
site; ensure no-one can eavesdrop your connection. can easily decrypt messages
o consists of o Key Generation, Encryption & Decryption Procedure
 Certification Authorities (CAs), Registration  Choose two large prime numbers p & q
Authorities (RAs), Certificate holders, Clients,  Compute n=pq and z=(p-1)(q-1)
Repositories, Cryptographic Algorithms and  Choose number e, less than n, which has no
Protocols. common factor (other than 1) with z
 Examples of Asymmetric key algorithms are as follows:  Find number d, such that ed – 1 is exactly
(1) El Gamal divisible by z
o Developed by Taher ElGamal  Keys are generated using n, d, e
o Variable key size (512 or 1024 bits)  Public key is (n,e)
o Less common than others  Private key is (n, d)
(2) Diffie-Hellman Key Agreement (DH):  Encryption: c = me mod n

9|Page
 m is plain text
 c is cipher text
 Decryption: m = cd mod n
 Public key is shared and the private key is hidden
(4) Digital Signature Algorithm (DSA):
o PKI relies on DS, which uses public key cryptography.
o The basic idea is that private key is only known by Figure 4.5 Examples of hash algorithms: MD5 , SHA-1
that entity & used for signing.
 Public key derived from it: used for verifying 2. Application Security
signatures but cannot be used to sign.  Vulnerability:
 It is available to anyone, and is typically included in o any mistakes or weakness in the system security that
the certificate document. may result the possibility for intruders to get
o Digital Signature procedure unauthorized access
 Sender encrypts message with its private key  Vulnerability Assessment :
o a software testing technique to evaluate the sudden
 Receiver can decrypt using sender’s public key
increase of risks involved in the system in order to
 This authenticates sender, who has the matching key
reduce the probability of the event.
 Does not give privacy of data i.e. Decrypt key is
o depends on two mechanisms:
public key.
 Vulnerability Assessment: the process of scanning
(locating & reporting) vulnerabilities to provide a
way to detect and resolve security problems by
ranking the vulnerabilities.
 Penetration Testing: an authorized simulated
attack on a computer system, performed to evaluate
the security of the system.
 Types of vulnerability scanner:
o Host Based :
Fig 4.4 digital Signature algorithm (DSA)  Identifies the issues in the host or the system.
 carried out by using host-based scanners .
Hash functions o Network Based :
o A hash function H takes a variable-size message m as  will detect the open port, and identify the unknown
input and produces a fixed-size output, referred to as a services running on these ports.
hash code or message digest or hash value H (m)  carried out by using Network-based Scanners.
o no key is used in this algorithm. o Database Based :
o A fixed-length hash value is computed as per the  identify the security exposure in the database
plain text systems to prevent from SQL Injections.
 that makes it impossible for the contents of the plain  Vulnerability Testing Methods:
text to be recovered. o Active Testing: While doing the test, the tester will
o also used by many operating systems to encrypt actively involve in the process of finding out the new
passwords.. test cases and analyzes the results.
o Hashing o Passive Testing: monitoring the result of running SW
 the transformation of variable-length messages into under test without introducing new test cases or data.
fixed-length message digest that represents the o Network Testing: the process of measuring the state
original string. of network operation over a period of time to find out
o Hash value (or simply hash), also called a message the problems created by new services.
digest, is a number generated from a string of text. o Distributed Testing: applied for testing distributed
 is much smaller than the text itself. applications.
o creates a unique, fixed- length signature for a specific o Penetration Test (pen test):
message or data set.  To identify both weaknesses (vulnerabilities) &
 even minor changes to that message result in a strengths, to enable a full risk assessment.
dramatically different hash. Therefore, it is very  Determine whether a system is vulnerable, defenses
resistant to tampering. were sufficient and which defenses (if any) the test
defeated.
 Secure Shell (SSH):

10 | P a g e
o A cryptographic protocol for operating NW services c) Circuit Level Gateway: Standalone Software that sets
securely over an unsecured NW. up two TCP connections (inside & outside). It
o Best-known application: for remote login to computer determines which connections will be allowed.
systems by users.  Firewalls implementation
o Common applications: remote command-line login a) Hardware firewalls: a stand-alone product or
and execution. integrated into the router. It will have a minimum of
 Secure Email: four network ports to connect other computers.
o Adds confidentiality and integrity protection to b) Software firewalls: installed on your computer and
ordinary e-mail. will protect your computer from outside and then
o E.g. PGP. determine whether the request is valid or not.
 Secure Web servers: c) Combination of both
o The main vulnerability of web applications is Cross-Site 4. Physical security
Scripting (XSS).
 Without physical security to protect hardware (i.e., doors
o Securing the website or web application itself and the that lock) nothing else about a computer system can be
network around it.
called secure
o Common web servers: Apache, and IIS.
 TLS-based client digital certificates 5. Operations security
 Apache or Oracle penetration testing  As the software charged with controlling access to the
 VPN Apps hardware, the file system, and the network, weaknesses in
 Application firewall / proxy server an operating system are the most valued amongst
crackers.
3. Firewall
 Most OS authentication is handled through user names
 a program or network devices (e.g. router) which filters and passwords. Biometric (e.g. voice, face, retina, iris,
access to a protected network from the internet connection. fingerprint) and physical token-based (swipe cards, pin-
 protects a local or network of systems from network-based generating cards) authentication are sometimes used to
security threats, augment simple passwords, but the costs and accuracy of
 monitors & controls incoming & outgoing network traffic the technology limit their adoption.
based on predetermined security rules.
6. Access control
 Firewall Objectives
 Since many systems (such as router access control lists)
o Keep intruders, malicious code and unwanted traffic
out define which packets may and which packets may not pass
based on the sender's IP address
o Keep private and sensitive information in
 An access enforcement mechanism authorizes requests
o security wall b/n private (protected) NW & outside
word. from multiple subjects (e.g. users, processes, etc.) to
perform operations (e.g., read, write, etc.) on objects (e.g.,
 Categorizes of firewalls
files, sockets, etc.).
a) Network firewalls: Filter traffic b/n two or more
networks and run-on NW hardware.  Network access control (NAC): is an umbrella term for
managing access to a net-work. NAC authenticates users
 Implemented at a specific point in the network path
logging into the network and determines what data they can
and protects all computers on the internal side of the
access and actions they can perform. NAC also examines
firewall from all computers on the external side of
the health of the user’s computer or mobile device (the
the fire wall.
endpoints).
b) Host-based firewalls: Run on host computers and
 An operating system provides an access enforcement
control network traffic in/out of those machines.
mechanism.
a) Packet Filtering Router: Examines TCP/IP header
information of network data packets going in both  Two fundamental concepts of access control:
directions. Applies set of rules to each incoming IP o a protection system that defines the access control
specification and
packets & then forwards or discards the packets.
b) Application-Level Gateway (application firewall / o a reference monitor that is the system’s access
enforcement mechanism that enforces this specification.
proxy server): runs special software that acts as a
proxy for a service request. Proxy server receives 7. Plan, Design and manage security, security policies,
requests for Web pages, accesses the Web server on business continuity plans, disaster recovery plans, and
behalf of the external client, and returns the social and legal issues of information security
requested pages to the users. 8. Design secure systems for real world information
system services

11 | P a g e

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy