Computer Security Final
**Social Engineering
"Tricking" users into assisting in the compromise of their own systems.
-Spam: unsolicited bulk e-mail; a significant carrier of malware; used for phishing attacks.
-Trojan horse: a program or utility containing harmful hidden code, used to accomplish functions that the attacker could not accomplish directly.
-Mobile phone trojans: first appeared in 2004 (Skuller); the target is the smartphone.
**Inference Detection
-Inference detection during database design: removes an inference channel by altering the database structure or by changing the access control regime to prevent inference. Examples include removing data dependencies by splitting a table into multiple tables, or using more fine-grained access control roles in an RBAC scheme. Techniques in this category often result in unnecessarily strict access controls that reduce availability.
-Inference detection at query time: seeks to eliminate an inference channel violation during a query or series of queries. If an inference channel is detected, the query is denied or altered.
**Malware Countermeasure Approaches
-Prevention is the ideal solution. Four elements of prevention: policy, awareness, vulnerability mitigation, and threat mitigation.
-If prevention fails, technical mechanisms can be used to support the following threat mitigation options: detection, identification, and removal.
Generations of anti-virus software:
-1st Gen: simple scanners - require a malware signature to identify the malware; limited to the detection of known malware.
-2nd Gen: heuristic scanners - use heuristic rules to search for probable malware instances; another approach is integrity checking (compare a stored checksum or hash of each program with a freshly computed one).
-3rd Gen: activity traps - memory-resident programs that identify malware by its actions rather than by its structure in an infected program.
-4th Gen: full-featured protection - packages consisting of a variety of anti-virus techniques used in conjunction; include scanning and activity-trap components plus access control capability.
Let's choose the number 70A32C17 base 16, and assume it is stored starting at byte address 100. In LITTLE endian this would be:
-100: 17 -101: 2C -102: A3 -103: 70
Let's choose the number 70A32C17 base 16, and assume it is stored starting at byte address 100. In BIG endian this would be:
-100: 70 -101: A3 -102: 2C -103: 17
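Worked example added to these notes (not from the course text): Python's struct module writes the same 32-bit value in either byte order, memory_layout returns the byte stored at each address exactly as listed above, and read_back shows what a parser gets when it assumes the wrong order (a common bug when decoding network or file formats). The value 0x70A32C17 and base address 100 are the ones used above; nothing else is assumed.

```python
import struct


def memory_layout(value, base_address, byteorder):
    """Return {address: byte} for a 32-bit unsigned value stored at base_address.

    byteorder is 'little' or 'big'. struct.pack produces exactly the bytes a
    CPU of that endianness would write, lowest address first.
    """
    fmt = "<I" if byteorder == "little" else ">I"
    raw = struct.pack(fmt, value)
    return {base_address + i: b for i, b in enumerate(raw)}


def dump(layout):
    """Format a layout the way the notes do: '-100: 17 -101: 2C ...'."""
    return " ".join(f"-{addr}: {byte:02X}" for addr, byte in sorted(layout.items()))


def read_back(layout, base_address, byteorder):
    """Reassemble the integer from the four bytes at base_address.

    If byteorder does not match the order used by the writer, the bytes are
    reversed and a completely different value comes out.
    """
    raw = bytes(layout[base_address + i] for i in range(4))
    return int.from_bytes(raw, byteorder)


if __name__ == "__main__":
    for order in ("little", "big"):
        print(order, dump(memory_layout(0x70A32C17, 100, order)))
    little = memory_layout(0x70A32C17, 100, "little")
    # Reading little-endian memory with a big-endian assumption swaps the bytes.
    print(hex(read_back(little, 100, "big")))
```

Reading the little-endian layout as big-endian yields 0x172CA370, not 0x70A32C17: the same bytes, the opposite interpretation.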
**Perimeter Scanning Approaches
-Anti-virus software typically included in e-mail and Web proxy services running on an organization's firewall and IDS.
-May also be included in the traffic analysis component of an IDS.
-May include intrusion prevention measures, blocking the flow of any suspicious traffic.
-Approach is limited to scanning for malware.
--Ingress monitors: located at the border between the enterprise network and the Internet. One technique is to look for incoming traffic to unused local IP addresses.
--Egress monitors: located at the egress point of individual LANs as well as at the border between the enterprise network and the Internet. Monitor outgoing traffic for signs of scanning or other suspicious behavior.
**Reflection Attacks
-Attacker sends packets to a known service on the intermediary with a spoofed source address of the actual target system.
-When the intermediary responds, the response is sent to the target.
-"Reflects" the attack off the intermediary (reflector).
-Goal is to generate enough volume of packets to flood the link to the target system without alerting the intermediary.
-The basic defense against these attacks is blocking spoofed-source packets.
**System Corruption (form of Payload)
-Chernobyl virus: first seen in 1998; a Windows 95 and 98 virus that infects executable files and corrupts the entire file system when a trigger date is reached.
-Klez: mass-mailing worm infecting Windows 95 to XP systems; on its trigger date causes files on the hard drive to become empty.
-Ransomware: encrypts the user's data and demands payment in order to access the key needed to recover the information. Examples: PC Cyborg Trojan (1989), Gpcode Trojan (2006).
**Virus Classifications
-Classification by target:
--Boot sector infector: infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus.
--File infector: infects files that the operating system or shell considers to be executable.
--Macro virus: infects files with macro or scripting code that is interpreted by an application.
--Multipartite virus: infects files in multiple ways.
-Classification by concealment strategy:
--Encrypted virus: a portion of the virus creates a random encryption key and encrypts the remainder of the virus.
--Stealth virus: a form of virus explicitly designed to hide itself from detection by anti-virus software.
--Polymorphic virus: a virus that mutates with every infection.
--Metamorphic virus: a virus that mutates and rewrites itself completely at each iteration and may change behavior as well as appearance.
**Worm Countermeasures
-Considerable overlap in techniques for dealing with viruses and worms: once a worm is resident on a machine, anti-virus software can be used to detect and possibly remove it.
-Perimeter network activity and usage monitoring can form the basis of a worm defense.
-Worm defense approaches include:
--Signature-based worm scan filtering
--Filter-based worm containment
--Payload-classification-based worm containment
--Threshold random walk (TRW) scan detection
--Rate limiting
--Rate halting
**Remote Control Facility
-Distinguishes a bot from a worm: a worm propagates itself and activates itself, whereas a bot is initially controlled from some central facility.
-Typical means of implementing the remote control facility is an IRC server: bots join a specific channel on this server and treat incoming messages as commands.
-More recent botnets use covert communication channels via protocols such as HTTP.
-Distributed control mechanisms use peer-to-peer protocols to avoid a single point of failure.
**Generic Decryption (GD)
-Enables the anti-virus program to easily detect complex polymorphic viruses and other malware while maintaining fast scanning speeds. -Executable files are run through a GD scanner which contains the following elements: CPU emulator, Virus signature scanner, and Emulation control module. -The most difficult design issue with a GD scanner is to determine how long to run each interpretation.
**Payload: System Corruption (real-world damage)
-Real-world damage: causes damage to physical equipment. Chernobyl virus rewrites BIOS code. Stuxnet worm targets specific industrial control system software. There are concerns about using sophisticated targeted malware for industrial sabotage.
-Logic bomb: code embedded in the malware that is set to "explode" when certain conditions are met.
Caesar Ciphers
-Secret key cipher
-Replace each letter with the letter 3 positions later in the alphabet (wrapping around at the end).
Encipher: C ≡ P + 3 (mod 26), 0 ≤ C ≤ 25
Decipher: solve for P, get P ≡ C - 3 (mod 26), 0 ≤ P ≤ 25
General case, for an alphabet of size n and shift s:
C ≡ P + s (mod n), 0 ≤ C ≤ n-1, where 1 ≤ s ≤ n-1
P ≡ C - s (mod n), 0 ≤ P ≤ n-1, where 1 ≤ s ≤ n-1
Weaknesses:
-Can be broken by frequency analysis (a fixed shift preserves the letter-frequency pattern of the language).
-Can be broken by an exhaustive key search (only 25 usable keys in the regular 26-letter alphabet; 2^8 - 1 = 255 keys in the 256-symbol "ASCII" alphabet).
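Worked example added to these notes (not from the course text): the general shift cipher from the formulas above, followed by both attacks. exhaustive_search tries every key; frequency_analysis scores each candidate decryption against English letter frequencies with a chi-squared statistic and returns the best key. The frequency table is an approximate standard English one, and the sample plaintext in the usage below is constructed for the demonstration.

```python
import string
from collections import Counter

ALPHABET = string.ascii_lowercase
N = len(ALPHABET)

# Approximate English letter frequencies in percent (standard published values).
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 0.98, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.074,
}


def shift(text, s):
    """General shift cipher: C = (P + s) mod n for letters; other characters pass through."""
    out = []
    for ch in text.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + s) % N])
        else:
            out.append(ch)
    return "".join(out)


def encipher(plaintext, s=3):
    """Caesar with the classic shift of 3 by default."""
    return shift(plaintext, s)


def decipher(ciphertext, s=3):
    """P = (C - s) mod n: shift by the additive inverse of the key."""
    return shift(ciphertext, -s)


def exhaustive_search(ciphertext):
    """Attack 1: only n-1 usable keys, so try them all and return every candidate."""
    return {s: decipher(ciphertext, s) for s in range(1, N)}


def chi_squared(text):
    """Distance between the text's letter distribution and English; lower is more English-like."""
    letters = [c for c in text if c in ALPHABET]
    counts = Counter(letters)
    total = len(letters)
    score = 0.0
    for ch in ALPHABET:
        expected = ENGLISH_FREQ[ch] / 100 * total
        score += (counts[ch] - expected) ** 2 / expected
    return score


def frequency_analysis(ciphertext):
    """Attack 2: the key whose decryption best matches English letter frequencies."""
    return min(range(N), key=lambda s: chi_squared(decipher(ciphertext, s)))


if __name__ == "__main__":
    # Constructed sample plaintext; any English text of ~100 letters works.
    msg = ("it was the best of times it was the worst of times it was the age "
           "of wisdom it was the age of foolishness")
    ct = encipher(msg, 11)
    print(ct)
    print("recovered key:", frequency_analysis(ct))
    print(decipher(ct, frequency_analysis(ct)))
```

Frequency analysis needs enough ciphertext for the letter counts to be meaningful; on a few words the exhaustive search (25 candidates read by eye) is the practical attack.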
**Rootkit (form of stealthing)
-Set of hidden programs installed on a system to maintain covert access to that system.
-Hides by subverting the mechanisms that monitor and report on the processes, files, and registry entries on a computer.
-Gives administrator (or root) privileges to the attacker: can add or change programs and files, monitor processes, send and receive network traffic, and get backdoor access on demand.
-Rootkit classification characteristics: persistent, memory based, user mode, kernel mode, virtual machine based, external mode.
**Source Address Spoofing
-Use forged source addresses, usually via the raw socket interface on operating systems. Makes attacking systems harder to identify.
-Attacker generates large volumes of packets that have the target system as the destination address.
-Congestion results at the router connected to the final, lower-capacity link.
-Tracing the attack requires network engineers to specifically query flow information from their routers.
-Backscatter traffic: advertise routes to unused IP addresses to monitor attack traffic (responses to spoofed packets land on the unused addresses).
**Distributed Denial of Service DDoS Attacks
-Use of multiple systems to generate attacks. -Attacker uses a flaw in operating system or in a common application to gain access and installs their program on it (zombie). -Large collections of such systems under the control of one attacker's control can be created, forming a botnet.
**DNS Amplification Attacks
-Use packets directed at a legitimate DNS server as the intermediary system. -Attacker creates a series of DNS requests containing the spoofed source address of the target system. -Exploit DNS behavior to convert a small request to a much larger response (amplification). -Target is flooded with responses. -Basic defense against this attack is to prevent the use of spoofed source addresses.
Reasons for popularity of passwords
1. Techniques that utilize client-side hardware, such as fingerprint scanners and smart card readers, require the implementation of the appropriate user authentication software to exploit this hardware on both the client and server systems. Until there is widespread acceptance on one side, there is reluctance to implement on the other side, so we end up with a who-goes-first stalemate.
2. Physical tokens, such as smart cards, are expensive and/or inconvenient to carry around, especially if multiple tokens are needed.
3. Schemes that rely on a single sign-on to multiple services, using one of the non-password techniques described in this chapter, create a single point of security risk.
4. Automated password managers that relieve users of the burden of knowing and entering passwords have poor support for roaming and synchronization across multiple client platforms, and their usability has not been adequately researched.
**cloud computing
A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.
**Bloom Filter
A technique [SPAF92a, SPAF92b] for developing an effective and efficient proactive password checker that is based on rejecting words on a list has been implemented on a number of systems, including Linux. It is based on the use of a Bloom filter [BLOO70]. A Bloom filter of order k consists of a set of k independent hash functions H1(x), H2(x), ..., Hk(x), where each function maps a password into a hash value in the range 0 to N - 1. That is,
Hi(Xj) = y, for 1 ≤ i ≤ k; 1 ≤ j ≤ D; 0 ≤ y ≤ N - 1
where Xj = jth word in the password dictionary and D = number of words in the password dictionary. The filter itself is an N-bit array, initially all zeros; for each dictionary word the k bits at positions H1(Xj), ..., Hk(Xj) are set to 1. A candidate password is rejected if all k of its bit positions are set. A false positive (rejecting a password that is not in the dictionary) is possible; a false negative (accepting a dictionary word) is not.
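Worked example added to these notes (not the [SPAF92] implementation): a Bloom filter of order k over N bits and the proactive password check built on it. The k hash functions are derived from SHA-256 keyed by the function index, which is an assumption made for this illustration; false_positive_rate is the standard estimate (1 - e^(-kD/N))^k used to choose N and k. The dictionary in the usage below is a constructed five-word list.

```python
import hashlib
import math


class BloomFilter:
    """Bloom filter of order k over N bits.

    A word is in the filter only if all k of its bit positions are set, so a
    dictionary word is always rejected (no false negatives) while an unrelated
    password is wrongly rejected only if all k positions happen to be set.
    """

    def __init__(self, n_bits, k):
        self.n = n_bits
        self.k = k
        self.bits = bytearray((n_bits + 7) // 8)

    def _indexes(self, word):
        # H_i(x): SHA-256 over (i || word), truncated into 0..N-1. Assumption for
        # this example; any k independent hash functions serve the same role.
        for i in range(self.k):
            digest = hashlib.sha256(bytes([i]) + word.encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.n

    def add(self, word):
        for idx in self._indexes(word):
            self.bits[idx >> 3] |= 1 << (idx & 7)

    def __contains__(self, word):
        return all(self.bits[idx >> 3] & (1 << (idx & 7)) for idx in self._indexes(word))


def build_checker(dictionary, n_bits=1 << 20, k=4):
    """Insert every dictionary word (lower-cased) into a fresh filter."""
    bf = BloomFilter(n_bits, k)
    for w in dictionary:
        bf.add(w.lower())
    return bf


def password_acceptable(bf, password):
    """Proactive check: reject anything whose k positions are all set."""
    return password.lower() not in bf


def false_positive_rate(n_bits, k, dictionary_size):
    """P(false positive) ~ (1 - e^{-kD/N})^k for D words in an N-bit filter."""
    return (1 - math.exp(-k * dictionary_size / n_bits)) ** k


if __name__ == "__main__":
    # Constructed dictionary; a real checker would load a wordlist of ~10^5+ words.
    words = ["password", "letmein", "qwerty", "dragon", "monkey"]
    bf = build_checker(words)
    for candidate in ["Password", "c0rrect-h0rse-battery"]:
        print(candidate, "->", "accepted" if password_acceptable(bf, candidate) else "rejected")
    print("false-positive rate for 10^5 words in 8*10^5 bits, k=6:",
          round(false_positive_rate(8 * 10**5, 6, 10**5), 3))
```

Sizing matters: with k = 6 hash functions and 8 bits per dictionary word the filter rejects about 2% of legitimate passwords, and it does so without storing the dictionary in readable form.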
**The use of hashed passwords
A widely used password security technique is the use of hashed passwords and a salt value. This scheme is found on virtually all UNIX variants as well as on a number of other operating systems. The following procedure is employed (Figure 3.2a). To load a new password into the system, the user selects or is assigned a password. This password is combined with a fixed-length salt value [MORR79]. In older implementations, this value is related to the time at which the password is assigned to the user. Newer implementations use a pseudorandom or random number. The password and salt serve as inputs to a hashing algorithm to produce a fixed-length hash code. The hash algorithm is designed to be slow to execute in order to thwart attacks. The hashed password is then stored, together with a plaintext copy of the salt, in the password file for the corresponding user ID. The hashed password method has been shown to be secure against a variety of cryptanalytic attacks [WAGN00].
Backdoor (form of stealthing)
Also known as a trapdoor. Secret entry point into a program allowing the attacker to gain access and bypass the security access procedures. -Maintenance hook is a backdoor used by programmers to debug and test programs. It is difficult to implement operating system controls for backdoors in applications.
**Clickjacking
Also known as a user-interface (UI) redress attack. A typical attack uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they intended to click on the top-level page: the attacker hijacks clicks meant for one page and routes them to another. Using a similar technique, keystrokes can also be hijacked: a user can be led to believe they are typing the password to their e-mail or bank account, but are instead typing into an invisible frame controlled by the attacker. The vulnerability is used by an attacker to collect a victim's clicks: the attacker can force the user to do a variety of things, from adjusting the user's computer settings to unwittingly sending the user to Web sites that might have malicious code. By taking advantage of Adobe Flash or JavaScript an attacker can even place a button under or over a legitimate button, making it difficult for users to detect.
Access Control Policies
An access control policy, which can be embodied in an authorization database, dictates what types of access are permitted, under what circumstances, and by whom. Access control policies are generally grouped into the following categories:
-Discretionary access control (DAC): controls access based on the identity of the requestor and on access rules (authorizations) stating what requestors are (or are not) allowed to do. This policy is termed discretionary because an entity might have access rights that permit the entity, by its own volition, to enable another entity to access some resource.
-Mandatory access control (MAC): controls access based on comparing security labels (which indicate how sensitive or critical system resources are) with security clearances (which indicate which system entities are eligible to access certain resources). This policy is termed mandatory because an entity that has clearance to access a resource may not, just by its own volition, enable another entity to access that resource.
-Role-based access control (RBAC): controls access based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles.
-Attribute-based access control (ABAC): controls access based on attributes of the user, the resource to be accessed, and current environmental conditions.
Stream cipher
An algorithm that takes one character and replaces it with one character. It typically encrypts data one byte at a time. Processes the input elements continuously, producing output one element at a time, as it goes along. Although block ciphers are far more common, there are certain applications in which a stream cipher is more appropriate.
Rainbow Table
An alternative is to trade off space for time by precomputing potential hash values. In this approach the attacker generates a large dictionary of possible passwords. For each password, the attacker generates the hash values associated with each possible salt value. The result is a mammoth table of hash values known as a rainbow table. This approach can be countered using a sufficiently large salt value (so that the table would need one entry per password per salt) and a sufficiently large hash length.
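Worked example added to these notes (not from the course text), covering both the hashed-password procedure above and the rainbow-table countermeasure: hash_password stores iteration count, plaintext salt and digest for a user, verify_password recomputes from the stored salt, and precomputed_table shows the attacker's one-time precomputation against an unsalted scheme. PBKDF2-HMAC-SHA256 stands in for the "designed to be slow" hash algorithm, the 600,000-iteration work factor and the storage format are assumptions for this example, and the dictionary in the usage is constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor; assumption, tune per deployment
SALT_BYTES = 16        # 128-bit random salt


def hash_password(password, iterations=ITERATIONS):
    """Return 'iterations$salt_hex$hash_hex' with a fresh random salt per password.

    The slow KDF is the 'designed to be slow to execute' hash from the notes; the
    salt is stored in plaintext beside the digest because it only needs to be unique.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def fast_hash(word):
    """Unsalted single SHA-256, as a naive scheme would store it."""
    return hashlib.sha256(word.encode()).hexdigest()


def precomputed_table(dictionary):
    """Attacker's precomputation against the unsalted scheme: hash -> password, built once
    and reused against every stolen password file."""
    return {fast_hash(w): w for w in dictionary}


def lookup(table, stored_hash):
    """Cracking an unsalted hash is a single dictionary lookup."""
    return table.get(stored_hash)


def salted_table_entries(dictionary_size, salt_bits=8 * SALT_BYTES):
    """Entries a precomputed table would need once every salt value must be covered."""
    return dictionary_size * 2 ** salt_bits


if __name__ == "__main__":
    stored = hash_password("correct horse")
    print(stored)
    print(verify_password(stored, "correct horse"), verify_password(stored, "wrong horse"))
    table = precomputed_table(["password", "letmein", "qwerty"])  # constructed dictionary
    print(lookup(table, fast_hash("letmein")))
    print(f"salted table for 10^6 words: {salted_table_entries(10**6):.2e} entries")
```

Two users with the same password get different stored digests, so a precomputed table would need a separate entry for every salt value; with a 128-bit salt that multiplies the table by 2^128, which is what makes the countermeasure work.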
One-Way Hash Function
An alternative to the message authentication code is the one-way hash function. As with the message authentication code, a hash function accepts a variable-size message M as input and produces a fixed-size message digest H(M) as output (Figure 2.4). Typically, the message is padded out to an integer multiple of some fixed length (e.g., 1024 bits) and the padding includes the value of the length of the original message in bits. The length field is a security measure to increase the difficulty for an attacker to produce an alternative message with the same hash value. Unlike the MAC, a hash function does not take a secret key as input. Figure 2.5 illustrates three ways in which the message can be authenticated using a hash function. The message digest can be encrypted using symmetric encryption (Figure 2.5a); if it is assumed that only the sender and receiver share the encryption key, then authenticity is assured. The message digest can also be encrypted using public-key encryption (Figure 2.5b); this is explained in Section 2.3. The public-key approach has two advantages: it provides a digital signature as well as message authentication, and it does not require the distribution of keys to communicating parties.
Security of hash functions
As with symmetric encryption, there are two approaches to attacking a secure hash function: cryptanalysis and brute-force attack. As with symmetric encryption algorithms, cryptanalysis of a hash function involves exploiting logical weaknesses in the algorithm. The strength of a hash function against brute-force attacks depends solely on the length of the hash code produced by the algorithm. For a hash code of length n bits, the level of effort required is proportional to 2^n for preimage resistance, 2^n for second preimage resistance, and 2^(n/2) for collision resistance (the birthday bound). If collision resistance is required (and this is desirable for a general-purpose secure hash code), then the value 2^(n/2) determines the strength of the hash code against brute-force attacks. Van Oorschot and Wiener [VANO94] presented a design for a $10 million collision search machine for MD5, which has a 128-bit hash length, that could find a collision in 24 days. Thus a 128-bit code may be viewed as inadequate. The next step up, if a hash code is treated as a sequence of 32-bit words, is a 160-bit hash length. With a hash length of 160 bits, the same search machine would require over four thousand years to find a collision. With today's technology, the time would be much shorter, so 160 bits now appears suspect.
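Worked example added to these notes (not from the course text): the 2^(n/2) versus 2^n gap made observable by truncating SHA-256 to n bits, which is an assumption for the demonstration and not a property of any real hash. find_collision is a birthday search over counter inputs and finds a 32-bit collision in on the order of 2^16 trials; preimage_trials searches for a fixed target and, for the same 32 bits, would need on the order of 2^32 trials, which is why it is only run with a small limit here.

```python
import hashlib


def truncated_hash(data, n_bits):
    """Toy n-bit hash: SHA-256 truncated to its top n_bits bits (illustration only)."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - n_bits)


def find_collision(n_bits, limit=None):
    """Birthday attack: hash distinct inputs until two share a value.

    Expected cost is about 1.25 * 2^(n/2) trials. Inputs are 8-byte counters, so
    the result is deterministic. Returns (m1, m2, trials) or None if limit is hit.
    """
    limit = limit or 1 << (n_bits // 2 + 6)
    seen = {}
    for i in range(limit):
        m = i.to_bytes(8, "big")
        h = truncated_hash(m, n_bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
    return None


def preimage_trials(n_bits, target, limit):
    """Preimage search: try inputs until one hashes to target (expected 2^n trials).

    Returns the trial count, or None if limit is exhausted first.
    """
    for i in range(limit):
        if truncated_hash(i.to_bytes(8, "big"), n_bits) == target:
            return i + 1
    return None


if __name__ == "__main__":
    n = 32
    m1, m2, trials = find_collision(n)
    print(f"{n}-bit collision after {trials} trials (~2^{trials.bit_length() - 1}): "
          f"{m1.hex()} {m2.hex()} -> {truncated_hash(m1, n):08x}")
    # A preimage of an arbitrary 32-bit target would take ~2^32 trials; cap the search.
    print(preimage_trials(n, 0xDEADBEEF, limit=1 << 16))
```

Doubling n quadruples the preimage cost but only doubles the collision cost, which is why collision resistance fixes the required digest length at twice the security level.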
Baby-Step Giant-Step (discrete logarithm; not a cipher)
-Solves a^x ≡ b (mod n) for x. Better than exhaustive search in that it does not cycle through all exponents: about 2·sqrt(n) multiplications and a table of sqrt(n) entries instead of up to n multiplications.
-For m the smallest integer no less than the square root of n, write x = im + j with 0 ≤ i, j < m. Then a^x = a^(im) · a^j, so the equation becomes
b · ((a^m)^(-1))^i ≡ a^j (mod n)
-Baby steps: tabulate a^j (mod n) for j = 0, ..., m-1. Giant steps: compute b · (a^(-m))^i for i = 0, 1, ..., m-1 until a value appears in the table; then x = im + j.
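Worked example added to these notes (not from the course text): the algorithm exactly as written above, with the baby-step table keyed on a^j and the giant-step sequence b·(a^(-m))^i. The modular inverse uses pow(a, -m, n), available in Python 3.8+; the test values (3^x ≡ 13 mod 17, 5^x ≡ 8 mod 23) are chosen for the demonstration.

```python
import math


def baby_step_giant_step(a, b, n, order=None):
    """Solve a^x = b (mod n) for 0 <= x < order, with ~2*sqrt(order) multiplications.

    order defaults to n - 1 (a prime modulus n). Returns None when b is not in
    the subgroup generated by a.
    """
    order = order or n - 1
    m = math.isqrt(order - 1) + 1          # smallest m with m*m >= order

    # Baby steps: a^j for 0 <= j < m, keeping the smallest j for each value.
    baby = {}
    aj = 1
    for j in range(m):
        baby.setdefault(aj, j)
        aj = aj * a % n

    # Giant steps: gamma_i = b * (a^-m)^i; when gamma_i == a^j, x = i*m + j.
    a_inv_m = pow(a, -m, n)               # (a^m)^-1 mod n; requires gcd(a, n) == 1
    gamma = b % n
    for i in range(m):
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * a_inv_m % n
    return None


def brute_force_log(a, b, n, order=None):
    """Exhaustive search for comparison: up to `order` multiplications."""
    order = order or n - 1
    val = 1
    for x in range(order):
        if val == b % n:
            return x
        val = val * a % n
    return None


if __name__ == "__main__":
    for a, b, n in [(3, 13, 17), (5, 8, 23), (2, 3, 7)]:
        x = baby_step_giant_step(a, b, n)
        print(f"{a}^x = {b} (mod {n}) -> x = {x}", "" if x is None else f"(check: {pow(a, x, n)})")
```

For 2^x ≡ 3 (mod 7) both searches return None: 2 has order 3 mod 7 and 3 is not a power of it. Discrete logs in cryptographic groups are chosen large enough that even sqrt(n) work is out of reach.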
Threats
Capable of exploiting vulnerabilities Represent potential security harm to an asset.
**Keyloggers (form of payload - information theft)
Captures keystrokes to allow attacker to monitor sensitive information. Typically uses some form of filtering mechanism that only returns information close to keywords ("login", "password").
**Cipher Block Chaining
Cipher block chaining fixes the weakness of ECB mode, where identical plaintext blocks always encrypt to identical ciphertext blocks, by XORing each plaintext block with the previous ciphertext block before encryption (the first block is XORed with an initialization vector, IV). Identical ciphertext blocks still start to appear after about 2^(n/2) blocks under one key for an n-bit block cipher (the "square root" or birthday bound), so keys must be changed before that point.
In the following, "E" stands for "Encipher":
C1 = E(P1 XOR IV)
C2 = E(P2 XOR C1)
C3 = E(P3 XOR C2)
...
Cn = E(Pn XOR Cn-1)
Since XOR is reversible, you can decipher by reversing the steps: Pi = D(Ci) XOR Ci-1 with C0 = IV, where D is the decipher operation.
Cipher Block Chaining will work with any block cipher.
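Worked example added to these notes (not from the course text): CBC written generically over a block cipher, as the last line above says it can be. Since the notes name no cipher, block_encrypt here is a 4-round Feistel network with an HMAC-SHA256 round function on 64-bit blocks, an assumption made so the example runs with the standard library only; it is a toy and must not be used for real data. ecb_encrypt is included so repeated_blocks can show the leak CBC removes; the plaintext and key in the usage are constructed.

```python
import hashlib
import hmac
import os

BLOCK = 8          # bytes; a 64-bit toy block, chosen so the example is self-contained
HALF = BLOCK // 2
ROUNDS = 4


def _f(key, half, r):
    """Feistel round function: keyed hash of the half-block, tagged with the round number."""
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:HALF]


def _xor(x, y):
    return bytes(a ^ b for a, b in zip(x, y))


def block_encrypt(key, block):
    """E: one block in, one block out (toy Feistel cipher, assumption for this example)."""
    L, R = block[:HALF], block[HALF:]
    for r in range(ROUNDS):
        L, R = R, _xor(L, _f(key, R, r))
    return L + R


def block_decrypt(key, block):
    """D: inverse of block_encrypt, same round functions in reverse order."""
    L, R = block[:HALF], block[HALF:]
    for r in reversed(range(ROUNDS)):
        L, R = _xor(R, _f(key, L, r)), L
    return L + R


def pad(data):
    """PKCS#7: always add 1..BLOCK bytes so unpad is unambiguous."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def ecb_encrypt(key, plaintext):
    """Each block independently: equal plaintext blocks give equal ciphertext blocks."""
    data = pad(plaintext)
    return b"".join(block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def cbc_encrypt(key, plaintext, iv=None):
    """C_i = E(P_i XOR C_{i-1}) with C_0 = IV; the IV is prepended to the output."""
    iv = iv or os.urandom(BLOCK)
    data = pad(plaintext)
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        c = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(c)
        prev = c
    return iv + b"".join(out)


def cbc_decrypt(key, ciphertext):
    """P_i = D(C_i) XOR C_{i-1}, reading the IV from the front of the ciphertext."""
    iv, body = ciphertext[:BLOCK], ciphertext[BLOCK:]
    out, prev = [], iv
    for i in range(0, len(body), BLOCK):
        c = body[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return unpad(b"".join(out))


def repeated_blocks(ciphertext):
    """Number of ciphertext blocks that duplicate an earlier one."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))


if __name__ == "__main__":
    key = b"k" * 16                       # constructed key
    pt = b"ATTACK AT DAWN! " * 4          # constructed plaintext with repeated blocks
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(key, pt)))
    ct = cbc_encrypt(key, pt)
    print("CBC repeated blocks:", repeated_blocks(ct[BLOCK:]))
    print(cbc_decrypt(key, ct))
```

With a fixed IV the same plaintext encrypts identically every time, so the IV must be fresh per message; the random IV in cbc_encrypt is what makes two encryptions of the same text differ.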
**Flooding Attacks
Classified based on the network protocol used. Intent is to overload the network capacity on some link to a server. Virtually any type of network packet can be used:
-ICMP flood: ping flood using ICMP echo request packets. Traditionally network administrators allow such packets into their networks because ping is a useful network diagnostic tool.
-UDP flood: uses UDP packets directed to some port number on the target system.
-TCP SYN flood: sends TCP SYN packets to the target system. Here the total volume of packets is the aim of the attack, rather than exhausting the system's connection-handling code as in SYN spoofing.
**SYN Spoofing
Common DoS attack. Attacks the ability of a server to respond to future connection requests by overflowing the tables used to manage them. Thus legitimate users are denied access to the server. Hence an attack on system resources, specifically the network handling code in the operating system.
Key Security Concepts
Confidentiality - Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information Integrity - Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity Availability - Ensuring timely and reliable access to and use of information
**Low interaction honeypot
Consists of a software package that emulates particular IT services or systems well enough to provide a realistic initial interaction, but does not execute a full version of those services or systems.
Mandatory access control (MAC)
Controls access based on comparing security labels with security clearances
Discretionary access control (DAC)
Controls access based on the identity of the requestor and on access rules (authorizations) stating what requestors are (or are not) allowed to do. Scheme in which an entity may enable another entity to access some resource.
-Often provided using an access matrix: one dimension consists of identified subjects that may attempt data access to the resources; the other dimension lists the objects that may be accessed.
-Each entry in the matrix indicates the access rights of a particular subject for a particular object.
Categories of vulnerabilities
Corrupted (loss of integrity) Leaky (loss of confidentiality) Unavailable or very slow (loss of availability)
**Out-of-Band Attack
Data are retrieved using a different channel This can be used when there are limitations on information retrieval, but outbound connectivity from the database server is lax.
**SQLi Countermeasures
-Defensive coding
-Detection
-Run-time prevention
**Morris Worm
-Earliest significant worm infection; released by Robert Morris in 1988.
-Designed to spread on UNIX systems.
-Attempted to crack the local password file to use login/password pairs to log on to other systems.
-Exploited a bug in the finger protocol, which reports the whereabouts of a remote user.
-Exploited a trapdoor in the debug option of the remote process that receives and sends mail.
-Successful attacks achieved communication with the operating system command interpreter, and sent the interpreter a bootstrap program to copy the worm over.
**Credential Management
Examples of credentials are smart cards, private/public cryptographic keys, and digital certificates. Credential management is the management of the life cycle of the credential. Credential management encompasses the following five logical components:
1. An authorized individual sponsors an individual or entity for a credential to establish the need for the credential. For example, a department supervisor sponsors a department employee.
2. The sponsored individual enrolls for the credential, a process which typically consists of identity proofing and the capture of biographic and biometric data. This step may also involve incorporating authoritative attribute data, maintained by the identity management component.
3. A credential is produced. Depending on the credential type, production may involve encryption, the use of a digital signature, the production of a smart card, or other functions.
4. The credential is issued to the individual or NPE (non-person entity).
5. Finally, a credential must be maintained over its lifecycle, which might include revocation, reissuance/replacement, reenrollment, expiration, personal identification number (PIN) reset, suspension, or reinstatement.
**Drive-By-Downloads
-Exploits browser vulnerabilities to download and install malware on the system when the user views a Web page controlled by the attacker.
-In most cases does not actively propagate; spreads when users visit the malicious Web page.
**Phishing (form of payload - information theft)
Exploits social engineering to leverage the user's trust by masquerading as communication from a trusted source:
-Includes a URL in a spam e-mail that links to a fake Web site that mimics the login page of a banking, gaming, or similar site.
-Suggests that urgent action is required by the user to authenticate their account.
-Attacker exploits the account using the captured credentials.
Spear-phishing:
-Recipients are carefully researched by the attacker.
-E-mail is crafted to specifically suit its recipient, often quoting a range of information to convince them of its authenticity.
**Mobile Phone Worms
-First discovery was the Cabir worm in 2004, then Lasco and CommWarrior in 2005.
-Communicate through Bluetooth wireless connections or MMS.
-Target is the smartphone.
-Can completely disable the phone, delete data on the phone, or force the device to send costly messages.
-CommWarrior replicates by means of Bluetooth to other phones, sends itself as an MMS file to contacts, and as an auto-reply to incoming text messages.
**Classic DoS Attacks
Flooding ping command: -Aim of this attack is to overwhelm the capacity of the network connection to the target organization -Traffic can be handled by higher capacity links on the path, but packets are discarded as capacity decreases -Source of the attack is clearly identified unless a spoofed address is used -Network performance is noticeably affected
Access Control Lists in Unix
FreeBSD allows the administrator to assign a list of UNIX user IDs and groups to a file by using the setfacl command. Any number of users and groups can be associated with a file, each with three protection bits (read, write, execute), offering a flexible mechanism for assigning access rights. A file need not have an ACL but may be protected solely by the traditional UNIX file access mechanism. FreeBSD files include an additional protection bit that indicates whether the file has an extended ACL. FreeBSD and most UNIX implementations that support extended ACLs use the following strategy (e.g., Figure 4.5b): 1. The owner class and other class entries in the 9-bit permission field have the same meaning as in the minimal ACL case. 2. The group class entry specifies the permissions for the owner group for this file. These permissions represent the maximum permissions that can be assigned to named users or named groups, other than the owning user. In this latter role, the group class entry functions as a mask. 3. Additional named users and named groups may be associated with the file, each with a 3-bit permission field. The permissions listed for a named user or named group are compared to the mask field. Any permission for the named user or named group that is not present in the mask field is disallowed.
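Worked example added to these notes (not FreeBSD's code): the three-step resolution above as a function. The ACL is an in-memory dict rather than output parsed from getfacl, which is an assumption for the illustration; the entries (owner alice, named user bob with rwx, named group audit with rw-, mask r--) are constructed to show the mask cutting named entries down while leaving the owner and other entries untouched.

```python
PERM_BITS = {"r": 4, "w": 2, "x": 1}


def parse_perms(s):
    """'rw-' -> 6, mirroring the 3-bit rwx field."""
    return sum(PERM_BITS[c] for c in s if c != "-")


def fmt_perms(bits):
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


def effective_permissions(acl, uid, groups):
    """Resolve an extended ACL the way the three steps in the notes describe.

    acl keys: owner_uid, owner_gid, owner, group, other, mask (group class entry),
    users {name: perms}, groups {name: perms}. Matching order is owner, then a
    named user, then the owning group and any named groups (their rights are
    unioned), then other. The mask caps every entry except owner and other.
    """
    mask = parse_perms(acl.get("mask", "rwx"))
    if uid == acl["owner_uid"]:
        return fmt_perms(parse_perms(acl["owner"]))          # step 1: owner class as usual
    if uid in acl.get("users", {}):
        return fmt_perms(parse_perms(acl["users"][uid]) & mask)   # step 3: named user, masked
    matched, bits = False, 0
    if acl["owner_gid"] in groups:
        matched, bits = True, bits | parse_perms(acl["group"])   # step 2: owning group, masked
    for g, p in acl.get("groups", {}).items():
        if g in groups:
            matched, bits = True, bits | parse_perms(p)          # step 3: named group, masked
    if matched:
        return fmt_perms(bits & mask)
    return fmt_perms(parse_perms(acl["other"]))                 # step 1: other class as usual


if __name__ == "__main__":
    # Constructed ACL: what "setfacl -m u:bob:rwx,g:audit:rw-,m::r-- report.txt" could leave.
    acl = {
        "owner_uid": "alice", "owner_gid": "staff",
        "owner": "rw-", "group": "r--", "other": "---", "mask": "r--",
        "users": {"bob": "rwx"}, "groups": {"audit": "rw-"},
    }
    for who, grps in [("alice", ["staff"]), ("bob", []), ("carol", ["audit"]), ("dave", ["guests"])]:
        print(f"{who:6} {effective_permissions(acl, who, grps)}")
```

Because the mask is what ls -l shows in the group field once an extended ACL exists, a file that appears to grant the group only r-- can still carry named entries requesting rwx; those entries only take effect after the mask is widened.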
**Hypertext Transfer Protocol (HTTP) Based Attacks
HTTP Flood: -Attack that bombards Web servers with HTTP requests. -Consumes considerable resources -Spidering: Bots starting from a given HTTP link and following all links on the provided Web site in a recursive way. Slowloris: -Attempts to monopolize by sending HTTP requests that never complete. -Eventually consumes Web server's connection capacity. -Utilizes legitimate HTTP traffic. -Existing intrusion detection and prevention solutions that rely on signatures to detect attacks will generally not recognize Slowloris.
Secure hash function algorithms
In recent years, the most widely used hash function has been the Secure Hash Algorithm (SHA). SHA was developed by the National Institute of Standards and Technology (NIST) and published as a federal information processing standard (FIPS 180) in 1993. When weaknesses were discovered in SHA, a revised version was issued as FIPS 180-1 in 1995 and is generally referred to as SHA-1. SHA-1 produces a hash value of 160 bits. In 2002, NIST produced a revised version of the standard, FIPS 180-2, that defined three new versions of SHA, with hash value lengths of 256, 384, and 512 bits, known as SHA-256, SHA-384, and SHA-512. These new versions, collectively known as SHA-2, have the same underlying structure and use the same types of modular arithmetic and logical binary operations as SHA-1. SHA-2, particularly the 512-bit version, would appear to provide unassailable security. However, because of the structural similarity of SHA-2 to SHA-1, NIST decided to standardize a new hash function that is very different from SHA-2 and SHA-1. This new hash function, known as SHA-3 (Keccak), was selected in 2012, published as FIPS 202 in 2015, and is now available as an alternative to SHA-2.
**Attack Kits
-Initially the development and deployment of malware required considerable technical skill by software authors.
-The development of virus-creation toolkits in the early 1990s and then more general attack kits in the 2000s greatly assisted in the development and deployment of malware.
-Toolkits are often known as "crimeware". They include a variety of propagation mechanisms and payload modules that even novices can deploy.
-The variants that attackers can generate using these toolkits create a significant problem for those defending systems against them.
-Widely used toolkits include: Zeus, Blackhole, Sakura, Phoenix.
**Host-Based Behavior-Blocking Software
Integrates with the operating system of a host computer and monitors program behavior in real time for malicious action: -Blocks potentially malicious actions before they have a chance to affect the system -Blocks software in real time so it has an advantage over anti-virus detection techniques such as fingerprinting or heuristics. Limitations: Because malicious code must run on the target machine before all its behaviors can be identified, it can cause harm before it has been detected and blocked.
**High interaction honeypot
Is a real system, with a full operating system, services and applications, which are instrumented and deployed where they can be accessed by attackers.
**SQL Injection Attacks (SQLi)
One of the most prevalent and dangerous network-based security threats.
-Designed to exploit the nature of Web application pages.
-Sends malicious SQL commands to the database server.
-Most common attack goal is bulk extraction of data.
-Depending on the environment, SQL injection can also be exploited to: modify or delete data; execute arbitrary operating system commands; launch denial-of-service (DoS) attacks.
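Worked example added to these notes (not from the course text), covering this section and the "defensive coding" countermeasure listed earlier: a login query built by string formatting beside the same query parameterized. Against the vulnerable version a tautology payload logs in as any user and a UNION payload performs the bulk extraction described above; the parameterized version treats the same strings as plain values. The in-memory SQLite table and its two rows are constructed for the demonstration.

```python
import sqlite3


def setup_db():
    """Constructed sample database: two users with plaintext passwords (for the demo only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def query_vulnerable(conn, name, password):
    """String-built query: user input is spliced into the SQL text and can change its structure."""
    query = (f"SELECT name FROM users WHERE name = '{name}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchall()


def query_safe(conn, name, password):
    """Parameterized query: the driver binds values separately, so quotes and keywords stay data."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchall()


# Constructed payloads of the two classic shapes.
TAUTOLOGY = "' OR '1'='1"                            # makes the WHERE clause always true
UNION_DUMP = "x' UNION SELECT password FROM users --"  # appends a query of the attacker's choice


if __name__ == "__main__":
    conn = setup_db()
    print("legit     :", query_vulnerable(conn, "alice", "s3cret"))
    print("tautology :", query_vulnerable(conn, "alice", TAUTOLOGY))
    print("union dump:", query_vulnerable(conn, UNION_DUMP, ""))
    print("safe, same payloads:", query_safe(conn, "alice", TAUTOLOGY),
          query_safe(conn, UNION_DUMP, ""))
```

The tautology works because AND binds tighter than OR, so the condition becomes (name = 'alice' AND password = '') OR '1'='1'; the UNION payload closes the original query and comments out its tail with --, which is why bulk extraction is the most common goal.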
Password File Access Control
One way to thwart a password attack is to deny the opponent access to the password file. If the hashed password portion of the file is accessible only by a privileged user, then the opponent cannot read it without already knowing the password of a privileged user. Often, the hashed passwords are kept in a separate file from the user IDs, referred to as a shadow password file. Special attention is paid to making the shadow password file protected from unauthorized access. Although password file protection is certainly worthwhile, there remain vulnerabilities:
-Many systems, including most UNIX systems, are susceptible to unanticipated break-ins. A hacker may be able to exploit a software vulnerability in the operating system to bypass the access control system long enough to extract the password file. Alternatively, the hacker may find a weakness in the file system or database management system that allows access to the file.
-An accident of protection might render the password file readable, thus compromising all the accounts.
-Some of the users have accounts on other machines in other protection domains, and they use the same password. Thus, if the passwords could be read by anyone on one machine, a machine in another location might be compromised.
-A lack of or weakness in physical security may provide opportunities for a hacker. Sometimes there is a backup of the password file on an emergency repair disk or archival disk. Access to this backup enables the attacker to read the password file. Alternatively, a user may boot from a disk running another operating system such as Linux and access the file from this OS.
-Instead of capturing the system password file, another approach to collecting user IDs and passwords is through sniffing network traffic.
**Attacks (threats carried out)
Passive - attempt to learn or make use of information from the system that does not affect system resources
Active - attempt to alter system resources or affect their operation
Insider - initiated by an entity inside the security perimeter
Outsider - initiated from outside the perimeter
**Hashing
• Passwords: Chapter 3 explains a scheme in which a hash of a password is stored by an operating system rather than the password itself. Thus, the actual password is not retrievable by a hacker who gains access to the password file. In simple terms, when a user enters a password, the hash of that password is compared to the stored hash value for verification. This application requires preimage resistance and perhaps second preimage resistance.
• Intrusion detection: Store the hash value for a file, H(F), for each file on a system and secure the hash values (e.g., on a CD-R that is kept secure). One can later determine if a file has been modified by recomputing H(F). An intruder would need to change F without changing H(F). This application requires weak second preimage resistance.
**Viruses
• Piece of software that infects programs
• Modifies them to include a copy of the virus
• Replicates and goes on to infect other content
• Easily spread through network environments
• When attached to an executable program, a virus can do anything that the program is permitted to do
• Executes secretly when the host program is run
• Specific to operating system and hardware; takes advantage of their details and weaknesses
**Worms
• Program that actively seeks out more machines to infect; each infected machine serves as an automated launching pad for attacks on other machines
• Exploits software vulnerabilities in client or server programs
• Can use network connections to spread from system to system
• Spreads through shared media (USB drives, CD, DVD data disks)
• E-mail worms spread in macro or script code included in attachments and instant messenger file transfers
• Upon activation the worm may replicate and propagate again
• Usually carries some form of payload
• First known implementation was done in Xerox Palo Alto Labs in the early 1980s
**Mobile Code
• Programs that can be shipped unchanged to a variety of platforms
• Transmitted from a remote system to a local system and then executed on the local system
• Often acts as a mechanism for a virus, worm, or Trojan horse
• Takes advantage of vulnerabilities to perform its own exploits
• Popular vehicles include Java applets, ActiveX, JavaScript and VBScript
Role Based Access Control (RBAC)
RBAC is based on the roles that users assume in a system rather than the user's identity. Typically, RBAC models define a role as a job function within an organization. RBAC systems assign access rights to roles instead of individual users. In turn, users are assigned to different roles, either statically or dynamically, according to their responsibilities.
Exponential Ciphers
RSA Cipher:
-Public key cipher
-First patented public key cipher
Encipher: C ≡ P^e (mod n), 0 ≤ C < n
Decipher: P ≡ C^d (mod n), where e·d ≡ 1 (mod (p-1)(q-1)) [NOTE: True since d is an inverse of e]
e < n such that gcd(e, (p-1)(q-1)) = 1 (relatively prime). e is public, n is public, n = pq
Weaknesses:
e-th Root Attack: Subject to the e-th root attack (similar to the square root attack on the Rabin cipher, but with an e-th root instead. Dependent on the same message being sent to multiple entities). Dangerous normally only when a small e is chosen (but small e's are sometimes chosen to speed up enciphering time).
Common Modulus Attack: If all entities in a system use the same modulus (but different e's and d's), then the private keys of all using the same modulus can be determined (2 congruences in two unknowns).
**Target Discovery
Scanning (or fingerprinting): First function in the propagation phase for a network worm. Searches for other systems to infect. Scanning strategies that a worm can use:
Random:
-Each compromised host probes random addresses in the IP address space using a different seed
-This produces a high volume of Internet traffic, which may cause generalized disruption even before the actual attack is launched
Hit-list:
-The attacker first compiles a long list of potentially vulnerable machines
-Once the list is compiled, the attacker begins infecting machines on the list
-Each infected machine is provided with a portion of the list to scan
-This results in a very short scanning period, which may make it difficult to detect that infection is taking place
Topological:
-This method uses information contained on an infected victim machine to find more hosts to scan
Local subnet:
-If a host can be infected behind a firewall, that host then looks for targets in its own local network
-The host uses the subnet address structure to find other hosts that would otherwise be protected by the firewall
**Cloud Security As A Service
SecaaS is a segment of the SaaS offering of a CP (cloud provider). Defined by the Cloud Security Alliance as the provision of security applications and services via the cloud, either to cloud-based infrastructure and software or from the cloud to the customers' on-premise systems.
Affine Transformation Ciphers
Secret key cipher. Multiply each character by a number and add a shift.
Encipher: C ≡ mP + b (mod n), where n is the size of the alphabet
m and n must be relatively prime, or decryption is not possible. In order to decrypt, one must solve for P. A unique solution exists only if an inverse m' of m (mod n) exists.
Decipher: P ≡ m'(C - b) (mod n)
•Weaknesses: Can be broken by a frequency analysis. Can be broken by an exhaustive key search: only 12 choices for the multiplier and 25 choices for the shift.
Structured Query Language (SQL)
Standardized language to define schema, manipulate, and query data in a relational database
•Several similar versions of ANSI/ISO standard
•All follow the same basic syntax and semantics
SQL statements can be used to:
•Create tables
•Insert and delete data in tables
•Create views
•Retrieve data with query statements
Databases
Structured collection of data stored for use by one or more applications
•Contains the relationships between data items and groups of data items
•Can sometimes contain sensitive data that needs to be secured
**Spyware (form of payload - information theft)
Subverts the compromised machine to allow monitoring of a wide range of activity on the system: Monitoring history and content of browsing activity, Redirecting certain Web page requests to fake sites, and Dynamically modifying data exchanged between the browser and certain Web sites of interest.
Database Management System (DBMS)
Suite of programs for constructing and maintaining the database. Offers ad hoc query facilities to multiple users and applications.
Relational Databases
Table of data consisting of rows and columns
•Each column holds a particular type of data
•Each row contains a specific value for each column
•Ideally has one column where all values are unique, forming an identifier/key for that row
•Enables the creation of multiple tables linked together by a unique identifier that is present in all tables
•Use a relational query language to access the database
•Allows the user to request data that fit a given set of criteria
Elements:
•Relation/table/file
•Tuple/row/record
•Attribute/column/field
Primary key - uniquely identifies a row. Consists of one or more column names.
Foreign key - links one table to attributes in another.
View/virtual table - result of a query that returns selected rows and columns from one or more tables.
**Bots/Zombies/Drones (form of Payload - Attack Agents)
Takes over another Internet-attached computer and uses that computer to launch or manage attacks. Botnet - collection of bots capable of acting in a coordinated manner.
Uses:
•Distributed denial-of-service (DDoS) attacks
•Spamming
•Sniffing traffic
•Keylogging
•Spreading new malware
•Installing advertisement add-ons and browser helper objects (BHOs)
•Attacking IRC chat networks
•Manipulating online polls/games
**Denial-of-Service (DoS) Attack
The NIST Computer Security Incident Handling Guide defines a DoS attack as: "An action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space." A form of attack on the availability of some service. Categories of resources that could be attacked are:
Network bandwidth:
-Relates to the capacity of the network links connecting a server to the Internet
-For most organizations this is their connection to their Internet Service Provider (ISP)
System resources: Aims to overload or crash the network handling software.
Application resources:
-Typically involves a number of valid requests, each of which consumes significant resources, thus limiting the ability of the server to respond to requests from other users
**Cloud Computing Reference Architecture
The NIST cloud computing reference architecture focuses on the requirements of 'what' cloud services provide, not a 'how to' design solution and implementation. The reference architecture is intended to facilitate the understanding of the operational intricacies in cloud computing. It does not represent the system architecture of a specific cloud computing system; instead it is a tool for describing, discussing, and developing a system-specific architecture using a common framework of reference.
Objectives: NIST developed the reference architecture with the following objectives in mind:
•To illustrate and understand the various cloud services in the context of an overall cloud computing conceptual model
•To provide a technical reference for consumers to understand, discuss, categorize, and compare cloud services
•To facilitate the analysis of candidate standards for security, interoperability, and portability and reference implementations
**Injection Technique
The SQLi attack typically works by prematurely terminating a text string and appending a new command. Because the inserted command may have additional strings appended to it before it is executed, the attacker terminates the injected string with a comment mark "--"; subsequent text is ignored at execution time.
Access Management
The access management component deals with the management and control of the ways entities are granted access to resources. It covers both logical and physical access, and may be internal to a system or an external element. The purpose of access management is to ensure that the proper identity verification is made when an individual attempts to access security sensitive buildings, computer systems, or data. The access control function makes use of credentials presented by those requesting access and the digital identity of the requestor. Three support elements are needed for an enterprise-wide access control facility:
• Resource management: This element is concerned with defining rules for a resource that requires access control. The rules would include credential requirements and what user attributes, resource attributes, and environmental conditions are required for access of a given resource for a given function.
• Privilege management: This element is concerned with establishing and maintaining the entitlement or privilege attributes that comprise an individual's access profile. These attributes represent features of an individual that can be used as the basis for determining access decisions to both physical and logical resources. Privileges are considered attributes that can be linked to a digital identity.
• Policy management: This element governs what is allowable and unallowable in an access transaction. That is, given the identity and attributes of the requestor, the attributes of the resource or object, and environmental conditions, a policy specifies what actions this user can perform on this object.
**Database Encryption
The database is typically the most valuable information resource for any organization. Protected by multiple layers of security: firewalls, authentication, general access control systems, DB access control systems, database encryption. Encryption becomes the last line of defense in database security. Can be applied to the entire database, at the record level, the attribute level, or the level of the individual field.
Disadvantages to encryption:
-Key management: Authorized users must have access to the decryption key for the data for which they have access.
-Inflexibility: When part or all of the database is encrypted, it becomes more difficult to perform record searching.
Hash function requirements
The purpose of a hash function is to produce a "fingerprint" of a file, message, or other block of data. To be useful for message authentication, a hash function H must have the following properties:
1. H can be applied to a block of data of any size.
2. H produces a fixed-length output.
3. H(x) is relatively easy to compute for any given x, making both hardware and software implementations practical.
4. For any given code h, it is computationally infeasible to find x such that H(x) = h. A hash function with this property is referred to as one-way or preimage resistant.
5. For any given block x, it is computationally infeasible to find y ≠ x with H(y) = H(x). A hash function with this property is referred to as second preimage resistant. This is sometimes referred to as weak collision resistant.
6. It is computationally infeasible to find any pair (x, y) such that H(x) = H(y). A hash function with this property is referred to as collision resistant. This is sometimes referred to as strong collision resistant.
An access control model
This section introduces a general model for DAC developed by Lampson, Graham, and Denning [LAMP71, GRAH72, DENN71]. The model assumes a set of subjects, a set of objects, and a set of rules that govern the access of subjects to objects. Let us define the protection state of a system to be the set of information, at a given point in time, that specifies the access rights for each subject with respect to each object. We can identify three requirements: representing the protection state, enforcing access rights, and allowing subjects to alter the protection state in certain ways. The model addresses all three requirements, giving a general, logical description of a DAC system. To represent the protection state, we extend the universe of objects in the access control matrix to include the following:
• Processes: Access rights include the ability to delete a process, stop (block), and wake up a process.
• Devices: Access rights include the ability to read/write the device, to control its operation (e.g., a disk seek), and to block/unblock the device for use.
• Memory locations or regions: Access rights include the ability to read/write certain regions of memory that are protected such that the default is to disallow access.
• Subjects: Access rights with respect to a subject have to do with the ability to grant or delete access rights of that subject to other objects, as explained subsequently.
SQL Access Controls
Two commands for managing access rights:
• Grant: Used to grant one or more access rights, or can be used to assign a user to a role
• Revoke: Revokes the access rights
Typical access rights are: Select, Insert, Update, Delete, References
The Vulnerability of Passwords
Typically, a system that uses password-based authentication maintains a password file indexed by user ID. One technique that is typically used is to store not the user's password but a one-way hash function of the password, as described subsequently. We can identify the following attack strategies and countermeasures:
• Offline dictionary attack: Typically, strong access controls are used to protect the system's password file. However, experience shows that determined hackers can frequently bypass such controls and gain access to the file. The attacker obtains the system password file and compares the password hashes against hashes of commonly used passwords. If a match is found, the attacker can gain access by that ID/password combination. Countermeasures include controls to prevent unauthorized access to the password file, intrusion detection measures to identify a compromise, and rapid reissuance of passwords should the password file be compromised.
• Specific account attack: The attacker targets a specific account and submits password guesses until the correct password is discovered. The standard countermeasure is an account lockout mechanism, which locks out access to the account after a number of failed login attempts. Typical practice is no more than five access attempts.
• Popular password attack: A variation of the preceding attack is to use a popular password and try it against a wide range of user IDs. A user's tendency is to choose a password that is easily remembered; this unfortunately makes the password easy to guess. Countermeasures include policies to inhibit the selection by users of common passwords and scanning the IP addresses of authentication requests and client cookies for submission patterns.
• Password guessing against single user: The attacker attempts to gain knowledge about the account holder and system password policies and uses that knowledge to guess the password. Countermeasures include training in and enforcement of password policies that make passwords difficult to guess. Such policies address the secrecy, minimum length of the password, character set, prohibition against using well-known user identifiers, and length of time before the password must be changed.
• Workstation hijacking: The attacker waits until a logged-in workstation is unattended. The standard countermeasure is automatically logging the workstation out after a period of inactivity. Intrusion detection schemes can be used to detect changes in user behavior.
• Exploiting user mistakes: If the system assigns a password, then the user is more likely to write it down because it is difficult to remember. This situation creates the potential for an adversary to read the written password. A user may intentionally share a password, to enable a colleague to share files, for example. Also, attackers are frequently successful in obtaining passwords by using social engineering tactics that trick the user or an account manager into revealing a password. Many computer systems are shipped with preconfigured passwords for system administrators. Unless these preconfigured passwords are changed, they are easily guessed. Countermeasures include user training, intrusion detection, and simpler passwords combined with another authentication mechanism.
• Exploiting multiple password use: Attacks can also become much more effective or damaging if different network devices share the same or a similar password for a given user. Countermeasures include a policy that forbids the same or similar password on particular network devices.
• Electronic monitoring: If a password is communicated across a network to log on to a remote system, it is vulnerable to eavesdropping. Simple encryption will not fix this problem, because the encrypted password is, in effect, the password and can be observed and reused by an adversary.
**SQLi Attack Avenues
• User input - Attackers inject SQL commands by providing suitably crafted user input.
• Server variables - Attackers can forge the values that are placed in HTTP and network headers and exploit this vulnerability by placing data directly into the headers.
• Second-order injection - A malicious user could rely on data already present in the system or database to trigger an SQL injection attack, so when the attack occurs, the input that modifies the query to cause an attack does not come from the user, but from within the system itself.
• Cookies - An attacker could alter cookies such that when the application server builds an SQL query based on the cookie's content, the structure and function of the query is modified.
• Physical user input - Applying user input that constructs an attack outside the realm of web requests.
**Inband Attacks
Uses the same communication channel for injecting SQL code and retrieving results. The retrieved data are presented directly in the application Web page. Include:
• Tautology - this form of attack injects code in one or more conditional statements so that they always evaluate to true.
• End-of-line comment - after injecting code into a particular field, legitimate code that follows is nullified through usage of end-of-line comments.
• Piggybacked queries - the attacker adds additional queries beyond the intended query, piggybacking the attack on top of a legitimate request.
**Macro and Scripting Viruses
Very common in mid-1990s
-Platform independent
-Infect documents (not executable portions of code)
-Easily spread
-Exploit macro capability of MS Office applications
-More recent releases of products include protection
-Various anti-virus programs have been developed, so these are no longer the predominant virus threat
**Advanced Persistent Threats (APTs)
Well-resourced, persistent application of a wide variety of intrusion technologies and malware to selected targets (usually business or political). Typically attributed to state-sponsored organizations and criminal enterprises. Differ from other types of attack by their careful target selection and stealthy intrusion efforts over extended periods. High profile attacks include Aurora, RSA, APT1, and Stuxnet.
APT Attacks:
-Aim: Varies from theft of intellectual property or security and infrastructure related data to the physical disruption of infrastructure
-Techniques used: Social engineering; spear-phishing email; drive-by-downloads from selected compromised websites likely to be visited by personnel in the target organization
-Intent: To infect the target with sophisticated malware with multiple propagation mechanisms and payloads. Once they have gained initial access to systems in the target organization, a further range of attack tools are used to maintain and extend their access
Vigenere Cipher
a method of encrypting text by applying a series of Caesar ciphers based on the letters of a keyword. Use a key which represents a series of shifts. Example in Chapter 1 used different shift values for letters depending on their position in the text.
A key of length n represents a series of shifts s_0, s_1, ..., s_{n-1}. p_i is the plaintext character. t is the number of characters in the plaintext message.
Encipher: c_i ≡ p_i + s_r (mod m), 0 ≤ c_i < m, 0 ≤ i < t, where r ≡ i (mod n), 0 ≤ r < n
Decipher: p_i ≡ c_i - s_r (mod m), 0 ≤ p_i < m, 0 ≤ i < t, where r ≡ i (mod n), 0 ≤ r < n
Weaknesses: Can be broken by a frequency analysis
**Malware
a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system or otherwise annoying or disrupting the victim.
**Honeypot
a resource that has no production value. There is no legitimate reason for anyone outside the network to interact with a honeypot. Thus, any attempt to communicate with the system is most likely a probe, scan, or attack. Conversely, if a honeypot initiates outbound communication, the system has probably been compromised. Honeypots are typically classified as being either low or high interaction.
Identity Federation
addresses two questions:
1. How do you trust identities of individuals from external organizations who need access to your systems?
2. How do you vouch for identities of individuals in your organization when they need to collaborate with external organizations?
Identity federation is a term used to describe the technology, standards, policies, and processes that allow an organization to trust digital identities, identity attributes, and credentials created and issued by another organization. We discuss identity federation in the following section.
Attribute based access control (ABAC)
can define authorizations that express conditions on properties of both the resource and the subject. For example, consider a configuration in which each resource has an attribute that identifies the subject that created the resource. Then, a single access rule can specify the ownership privilege for all the creators of every resource. The strength of the ABAC approach is its flexibility and expressive power. [PLAT13] points out that the main obstacle to its adoption in real systems has been concern about the performance impact of evaluating predicates on both resource and user properties for each access. However, for applications such as cooperating Web services and cloud computing, this increased performance cost is less noticeable because there is already a relatively high performance cost for each access. Thus, Web services have been pioneering technologies for implementing ABAC models, especially through the introduction of the eXtensible Access Control Markup Language (XACML) [BEUC13], and there is considerable interest in applying the ABAC model to cloud services [IQBA12, YANG12]. There are three key elements to an ABAC model: attributes, which are defined for entities in a configuration; a policy model, which defines the ABAC policies; and the architecture model, which applies to policies that enforce access control. We examine these elements in turn.
Attributes
characteristics that define specific aspects of the subject, object, environment conditions, and/or requested operations that are predefined and preassigned by an authority. Attributes contain information that indicates the class of information given by the attribute, a name, and a value (e.g., Class=HospitalRecordsAccess, Name=PatientInformationAccess, Value=MFBusinessHoursOnly). The following are the three types of attributes in the ABAC model:
• Subject attributes: A subject is an active entity (e.g., a user, an application, a process, or a device) that causes information to flow among objects or changes the system state. Each subject has associated attributes that define the identity and characteristics of the subject. Such attributes may include the subject's identifier, name, organization, job title, and so on. A subject's role can also be viewed as an attribute.
• Object attributes: An object, also referred to as a resource, is a passive (in the context of the given request) information system-related entity (e.g., devices, files, records, tables, processes, programs, networks, domains) containing or receiving information. As with subjects, objects have attributes that can be leveraged to make access control decisions. A Microsoft Word document, for example, may have attributes such as title, subject, date, and author. Object attributes can often be extracted from the metadata of the object. In particular, a variety of Web service metadata attributes may be relevant for access control purposes, such as ownership, service taxonomy, or even Quality of Service (QoS) attributes.
• Environment attributes: These attributes have so far been largely ignored in most access control policies. They describe the operational, technical, and even situational environment or context in which the information access occurs. For example, attributes such as current date and time, the current virus/hacker activities, and the network's security level (e.g., Internet vs. intranet) are not associated with a particular subject nor a resource, but may nonetheless be relevant in applying an access control policy.
**Identity Management
concerned with assigning attributes to a digital identity and connecting that digital identity to an individual or NPE. The goal is to establish a trustworthy digital identity that is independent of a specific application or context. The traditional, and still most common, approach to access control for applications and programs is to create a digital representation of an identity for the specific use of the application or program. As a result, maintenance and protection of the identity itself is treated as secondary to the mission associated with the application. Further, there is considerable overlap in effort in establishing these application-specific identities.
Access right
describes the way in which a subject may access an object. Access rights could include the following:
• Read: User may view information in a system resource (e.g., a file, selected records in a file, selected fields within a record, or some combination). Read access includes the ability to copy or print.
• Write: User may add, modify, or delete data in a system resource (e.g., files, records, programs). Write access includes read access.
• Execute: User may execute specified programs.
• Delete: User may delete certain system resources, such as files or records.
• Create: User may create new files, records, or fields.
• Search: User may list the files in a directory or otherwise search the directory.
A symmetric encryption scheme
five ingredients (Figure 2.1):
• Plaintext: This is the original message or data that is fed into the algorithm as input.
• Encryption algorithm: The encryption algorithm performs various substitutions and transformations on the plaintext.
• Secret key: The secret key is also input to the encryption algorithm. The exact substitutions and transformations performed by the algorithm depend on the key.
• Ciphertext: This is the scrambled message produced as output. It depends on the plaintext and the secret key. For a given message, two different keys will produce two different ciphertexts.
• Decryption algorithm: This is essentially the encryption algorithm run in reverse. It takes the ciphertext and the secret key and produces the original plaintext.
There are two requirements for secure use of symmetric encryption:
1. We need a strong encryption algorithm. At a minimum, we would like the algorithm to be such that an opponent who knows the algorithm and has access to one or more ciphertexts would be unable to decipher the ciphertext or figure out the key. This requirement is usually stated in a stronger form: The opponent should be unable to decrypt ciphertext or discover the key even if he or she is in possession of a number of ciphertexts together with the plaintext that produced each ciphertext.
2. Sender and receiver must have obtained copies of the secret key in a secure fashion and must keep the key secure. If someone can discover the key and knows the algorithm, all communication using this key is readable.
**Lifecycle Management
includes the following:
• Mechanisms, policies, and procedures for protecting personal identity information
• Controlling access to identity data
• Techniques for sharing authoritative identity data with applications that need it
• Revocation of an enterprise identity
Block Affine Cipher
processes the input one block of elements at a time, producing an output block for each input block.
•Construct an affine transformation that maps 4-letter blocks to other 4-letter blocks. HOWDY DOO becomes HOWD YDOO; replace A=00, B=01, etc., so HOWD YDOO becomes 07142203 24031414. The largest value that can appear in a block of 4 is ZZZZ = 25252525, so use modulo 25252526.
Encipher: C ≡ mP + b (mod 25252526)
Decipher: P ≡ m'(C - b) (mod 25252526)
So the shift b is such that 1 ≤ b ≤ 25252525. The multiplier m is any number that is relatively prime to 25252526.
•When the size of the message is not a multiple of the block size, padding is necessary. However, it can sometimes be difficult for the receiving end to distinguish between padding and real message. A proposed standard padding method is PKCS#45: pad with a byte value equal to the number of missing values in the block. If the block is complete, pad with an entire block where each value is equal to the block size. NOTE: PKCS#45 cannot be used where the ciphertext block is greater than 255 bytes (can't represent that number in one byte for padding).
•Weaknesses: On the positive side, this is NOT subject to frequency attacks. With the non-block affine cipher, figuring out which plaintext characters corresponded to E and T resulted in being able to determine the multiplier and the shift. Here, multiplier and shift correspond to blocks of characters instead of single characters. It is vulnerable to a known plaintext attack: if the attacker has only two messages with both plaintext and corresponding ciphertext, the attacker can decipher every other ciphertext message by solving a system of two congruences to find m and b. Here you require two congruences in two unknowns, with the unknowns m and b.
**Access Control Context
This context involves the following entities and functions:
• Authentication: Verification that the credentials of a user or other system entity are valid.
• Authorization: The granting of a right or permission to a system entity to access a system resource. This function determines who is trusted for a given purpose.
• Audit: An independent review and examination of system records and activities in order to test for adequacy of system controls, to ensure compliance with established policy and operational procedures, to detect breaches in security, and to recommend any indicated changes in control, policy and procedures.
**Matrix Ciphers
• In matrix ciphers, you use C ≡ AP + B (mod n). However:
  A (the multiplier) is an m x m matrix
  P is a column vector of plaintext values of length m
  B (the shift) is a column vector of length m
  When B is the zero vector, this is called a Hill cipher.
• Encipher: C ≡ AP + B (mod n)
• Decipher: P ≡ A'(C - B) (mod n)
  NOTE: A must be chosen such that the inverse A' (mod n) exists
• The block size can be as large as desired by choosing a large m. For m ≥ 10, cryptanalysis is difficult.
• Weaknesses:
  On the positive side, this is NOT subject to frequency attacks. With the non-block affine cipher, figuring out which plaintext characters corresponded to E and T made it possible to determine the multiplier and the shift. Here, the multiplier and shift apply to blocks of characters instead of single characters. When using the ordinary alphabet with blocks of size n, there are 26^n different ways to map an n-block of text to another block. Maintaining a frequency table of these blocks when n is large becomes infeasible.
  It is vulnerable to a known-plaintext attack: if the attacker acquires m messages with both plaintext and corresponding ciphertext, the attacker can solve a system of m congruences (where the multiplier matrix is an m by m matrix) to determine the multiplier matrix and the shift vector. Here you require m congruences in m unknowns, with the unknowns the A matrix and the B vector of length m.
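Added example (not part of the original notes): a Python implementation of C ≡ AP + B (mod 26) for any block size m, computing A' from the determinant and adjugate so the Hill case (B = 0) and the shifted case share one decrypt routine. The 3 x 3 multiplier and the shift vector below are assumed sample values, not from the notes.

```python
import math

def minor(M, i, j):
    """M with row i and column j removed."""
    return [row[:j] + row[j + 1:] for k, row in enumerate(M) if k != i]

def det(M, n):
    """Determinant mod n by cofactor expansion along the first row."""
    if len(M) == 1:
        return M[0][0] % n
    return sum((-1) ** j * M[0][j] * det(minor(M, 0, j), n)
               for j in range(len(M))) % n

def inverse_mod(A, n):
    """A' with A*A' ≡ I (mod n); exists only if gcd(det A, n) = 1."""
    d = det(A, n)
    if math.gcd(d, n) != 1:
        raise ValueError("A has no inverse mod n; choose another key")
    d_inv, m = pow(d, -1, n), len(A)
    # inverse = det^-1 * adjugate, adjugate = transpose of the cofactor matrix
    return [[(d_inv * (-1) ** (i + j) * det(minor(A, j, i), n)) % n
             for j in range(m)] for i in range(m)]

def mat_vec(A, v, n):
    return [sum(a * x for a, x in zip(row, v)) % n for row in A]

def encrypt(text, A, B, n=26):
    m = len(A)
    vals = [ord(c) - 65 for c in text.upper()]
    vals += [23] * (-len(vals) % m)            # pad with X to a full block
    out = []
    for i in range(0, len(vals), m):
        c = mat_vec(A, vals[i:i + m], n)        # C = AP + B per block
        out += [(x + b) % n for x, b in zip(c, B)]
    return "".join(chr(65 + x) for x in out)

def decrypt(cipher, A, B, n=26):
    A_inv, m = inverse_mod(A, n), len(A)
    vals, out = [ord(c) - 65 for c in cipher], []
    for i in range(0, len(vals), m):
        shifted = [(x - b) % n for x, b in zip(vals[i:i + m], B)]
        out += mat_vec(A_inv, shifted, n)       # P = A'(C - B) per block
    return "".join(chr(65 + x) for x in out)

# Assumed sample key (not from the notes): 3x3 multiplier and shift vector
A_KEY = [[6, 24, 1], [13, 16, 10], [20, 17, 15]]
B_KEY = [1, 2, 3]
```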
**Rabin Cipher
• Rabin Cipher
  - Public key cipher
  - A static (memoryless) cipher: always maps the same plaintext to the same ciphertext
  Encipher: C ≡ P^2 (mod n) (0 ≤ P < n, 0 ≤ C < n)
  Decipher: P ≡ ±(z·q·q' ± w·p·p') (mod n), where z ≡ C^((p+1)/4) (mod p), w ≡ C^((q+1)/4) (mod q), q' = q^-1 (mod p) and p' = p^-1 (mod q)
  Solving produces 4 distinct roots. For text, it is easy to tell which is correct. For binary, some kind of tag is needed to tell which is correct.
  Weaknesses:
  - Anyone who can factor n into p and q can decrypt this (however, for large n, a few hundred digits, this is very difficult!)
  - Subject to chosen ciphertext attack
  - Subject to adaptive chosen ciphertext attack
  - Subject to square root problem
  - Subject to forward search attack
  NOTE: strong primes must be used
• A chosen ciphertext attack occurs when an attacker can pass one chosen message through the decryption machine (call the message z):
  Receive 4 values. One is congruent to z (mod n), another to -z (mod n). The other two roots (r and r') are not congruent to either z (mod n) or -z (mod n).
  Thus, n ∤ (z - r) (by definition of congruence). Therefore, gcd(z - r, n) ≠ n.
  Since z^2 ≡ r^2 (mod n), n divides (z - r)(z + r), so (z - r) and n are not relatively prime; gcd(z - r, n) is then a non-trivial divisor of n, either p or q.
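Added example (not part of the original notes): Rabin encryption and the four-root decryption above in Python, followed by the gcd step of the chosen-ciphertext argument, which shows why a decryptor must never hand all four roots back for a caller-chosen C. The toy primes p = 7, q = 11 (both ≡ 3 mod 4, so the (p+1)/4 root shortcut applies) are assumed sample values, far from the strong primes the notes call for.

```python
import math

def sqrt_mod_prime(c, p):
    """Square root of c mod p via c^((p+1)/4); valid only for p ≡ 3 (mod 4)."""
    if p % 4 != 3:
        raise ValueError("the (p+1)/4 shortcut needs p ≡ 3 (mod 4)")
    return pow(c, (p + 1) // 4, p)

def encrypt(P, n):
    """C ≡ P^2 (mod n); the same P always gives the same C (memoryless)."""
    if not 0 <= P < n:
        raise ValueError("plaintext must satisfy 0 <= P < n")
    return (P * P) % n

def decrypt(C, p, q):
    """All four candidates ±(z·q·q' ± w·p·p') mod n, sorted."""
    n = p * q
    z = sqrt_mod_prime(C % p, p)       # z ≡ C^((p+1)/4) (mod p)
    w = sqrt_mod_prime(C % q, q)       # w ≡ C^((q+1)/4) (mod q)
    q_inv = pow(q, -1, p)              # q' = q^-1 mod p
    p_inv = pow(p, -1, q)              # p' = p^-1 mod q
    r1 = (z * q * q_inv + w * p * p_inv) % n
    r2 = (z * q * q_inv - w * p * p_inv) % n
    return sorted({r1, (-r1) % n, r2, (-r2) % n})

def nontrivial_factor(z, roots, n):
    """The gcd step from the notes: a root r with r ≢ ±z (mod n) gives
    gcd(z - r, n) ∈ {p, q}. A decryption oracle that returns every root
    therefore leaks the factorisation; real deployments add a redundancy
    tag and return only the one root that carries it."""
    for r in roots:
        if r % n not in (z % n, (-z) % n):
            return math.gcd(z - r, n)
    return None                        # only when C ≡ 0 mod p or mod q

if __name__ == "__main__":
    p, q = 7, 11                       # toy primes, both ≡ 3 (mod 4)
    C = encrypt(20, p * q)             # 15
    print(decrypt(C, p, q))            # [13, 20, 57, 64]
    print(nontrivial_factor(20, decrypt(C, p, q), p * q))   # 7
```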
**Inferential Attack
• There is no actual transfer of data, but the attacker is able to reconstruct the information by sending particular requests and observing the resulting behavior of the website/database server.
• Includes:
  o Illegal/logically incorrect queries
    • This attack lets an attacker gather important information about the type and structure of the backend database of a web application.
    • The attack is considered a preliminary, information-gathering step for other attacks.
  o Blind SQL injection
    • Allows attackers to infer the data present in a database system even when the system is sufficiently secure to not display any erroneous information back to the attacker.
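Added example (not part of the original notes): a small Python detector for the information-gathering step above, counting database-error responses per client over constructed application log lines, plus a response handler that returns a generic error so the error text itself is not an inference channel. The log format and the RFC 5737 test addresses are constructed for this example.

```python
import re
from collections import Counter

# Constructed log lines; db_error=1 marks a request whose query failed
# inside the database layer (the signal behind "logically incorrect queries").
SAMPLE_LOG = """\
2024-05-01T10:00:01Z client=203.0.113.5 path=/item status=200 db_error=0
2024-05-01T10:00:02Z client=203.0.113.9 path=/item status=500 db_error=1
2024-05-01T10:00:03Z client=203.0.113.9 path=/item status=500 db_error=1
2024-05-01T10:00:04Z client=203.0.113.9 path=/search status=500 db_error=1
2024-05-01T10:00:05Z client=203.0.113.9 path=/item status=200 db_error=0
2024-05-01T10:00:06Z client=203.0.113.5 path=/item status=500 db_error=1
"""

LINE_RE = re.compile(r"client=(?P<client>\S+) .*?db_error=(?P<err>[01])")

def parse(line):
    """(client, had_db_error) for one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    return (m["client"], m["err"] == "1") if m else None

def flag_probing(lines, threshold=3):
    """Clients whose requests triggered at least `threshold` DB errors.
    A normal user rarely produces more than the odd one; a run of them is
    the recon pattern the notes describe."""
    errors = Counter()
    for line in lines:
        parsed = parse(line)
        if parsed and parsed[1]:
            errors[parsed[0]] += 1
    return sorted(c for c, k in errors.items() if k >= threshold)

def error_response(exc, client):
    """Hardened handler: the client gets a generic message, the exception
    detail goes only to the log (which also feeds flag_probing), so the
    error text reveals nothing about the schema or the query."""
    log_line = (f"client={client} status=500 db_error=1 "
                f"detail={type(exc).__name__}")
    return {"status": 500, "body": "request could not be processed"}, log_line
```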