CMPE132 Midterm 2
Permanent Session ID
Change cookie file
Hidden Form
Change in a local copy of HTML page
HTTP Status Code 2XX
Success (200 OK)
Certificates
- Signed messages that specify an identity and the corresponding public key - Signed with the well-known public key of a CA
Client Attacks
Adversary attempts to achieve user authentication without access to the remote host or the intervening communications path
Eavesdropping
Adversary attempts to learn the password by some sort of attack that involves the physical proximity of user and adversary
Replay
Adversary repeats a previously captured user response
Authentication Handshakes
- Secure communication almost always includes an initial authentication handshake (authenticate each other, establish session keys, process is not trivial; flaws in this process undermines secure communication)
Password Salt
- 12-bit number between 0 and 4095 - Derived from the system clock and the process identifier
Electronic User Authentication Principles
- A model for electronic user authentication - Means of authentication - Risk assessment for user authentication
Nonce
- A number that is used only once - Deals with replay attacks
Cryptographic Authentication Protocols
- A prover proves some information by performing a cryptographic operation on a quantity that the verifier supplies - Usually reduced to the knowledge of a secret value (a symmetric key, the private key of a public/private key pair)
Object
- A resource to which access is controlled - Entity used to contain and/or receive information - Anything on which a subject can perform operations (mediated by rights) - Usually passive, i.e. File, Directory (or Folder), Memory Segment
Trojan Horses
- A rogue software installed, perhaps unwittingly, by duly authorized users - Does what a user expects it to do, but in addition exploits the user's legitimate privileges to cause a security breach
Certification Authorities (CA)
- A trusted intermediary - Uses public key cryptography Advantages: - Doesn't have to be online - Lower risk compared with KDCs - Allow the network to operate even if CAs crash - Certificates can be public - A compromised CA can't decrypt prev secured traffic
UNIX Files
- Administered using inodes (index nodes) - Control structures with key information needed for a particular file - Several file names may be associated with a single inode - An active inode is associated with exactly one file - File attributes, permissions and control information are sorted in the inode - On the disk there is an inode table, or inode list, that contains the inodes of all the files in the file system - When a file is opened its inode is brought into main memory and stored in a memory resident inode table
Ideal Two-Way Public Key Based Authentication
- Alice and Bob establish the session key with Diffie-Hellman Key Exchange - Alice and Bob sign the quantity they send - Trudy won't be able to learn anything about the session key even if she compromises both Alice and Bob
Cross-Site Request Forgery (CSRF)
- An attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated - Specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request
Subject
- An entity capable of accessing objects - Three classes: Owner, Group
XSS Flaw DOM-based
- Arbitrary parameters used by client-side code
Biometric Authentication
- Attempts to authenticate an individual based on unique physical characteristics - Based on pattern recognition - More complex and expensive in comparison to passwords and tokens
Remote User Authentication
- Authentication over a network, the Internet, or a communications link is more complex - Additional security threats (i.e. eavesdropping, capturing a password, replaying an authentication sequence that has been observed) - Generally rely on some form of a challenge-response protocol to counter threats
Expanded Needham-Schroeder Protocol
- Classic protocol for authentication with KDC (i.e. Kerberos) - The additional two messages assure Bob that the initiator has talked to KDC since Bob generates Nb
Mandatory Access Control (MAC)
- Controls access based on comparing security labels with security clearances - Restricts the access of subjects to objects on the basis of security labels - Label both the subjects and the objects - Allow a subject to access an object only when certain constraints are satisfied
Communication post mutual authentication
- Should be cryptographically protected as well - Require a session key established during mutual authentication
Discretionary Access Control (DAC)
- Controls access based on the identity of the requestor and on access rules (authorization) stating what requestors are (or are not) allowed to do - Scheme in which an entity may enable another entity to access some resource - Often provided using an access matrix - One dimension: identified subjects that may attempt data access to the resources - Other dimension: lists objects that may be accessed - Each entry in the matrix indicates the access rights of a particular subject for a particular object - Allow access rights to be propagated from one subject to another - Possession of an access right by a subject is sufficient to allow access to the object
Dictionary Attack 1
- Create a dictionary of common words and names and their simple transformations - Use these to guess the password
Access Right
- Describes the way in which a subject may access an object - Could include: Read, Write, Execute, Delete, Create, Search
Crypt Algorithm (Unix)
- Designers: Bob Morris and Ken Thompson - Uses DES encryption algorithm - User password and salt is used as the encryption key to encrypt a 64-bit block of zeros - 12 bit salt, password takes 8 characters - Process is repeated 25 times
Dictionary Attacks
- Develop a large dictionary of possible passwords and try each against the password file - Each password must be hashed using each salt value and then compared to stored hash values
What are the Different Access Control Policies?
- Discretionary Access Control (DAC) - Role-based Access Control (RBAC) - Mandatory Access Control (MAC) - Attribute-Based Access Control (ABAC)
XSS Flaw Reflected (Non-persistent)
- Easiest to test - Place script in URL
Precautions That Should Be Taken When Developing Web Applications
- Ensure the integrity by hashing the variables - Encrypting information in URL, hidden form element, or cookies, in addition to SSL - Generating long enough session IDs to prevent collision - Dynamic session IDs, changing from page to page - Applying timestamp to session IDs
Request Types to Access a Web Server
- GET - POST - HEAD - TRACE - OPTIONS - CONNECT - PUT -DELETE
Stateless HTTP
- HTTP is stateless, thus the application must implement a method for grouping a series of requests together in a session - The application implements a state tracking mechanism - Server-side code has to identify that each request is part of the same session (URI Parameters sand Hidden Form Fields) - Typically a session token is passed to and from the client
What can XSS be used to do?
- Hijack sessions - Gain access to restricted content stored by a website - Execute commands on the target - Record keystrokes
Certificate Revocation
- How to deal with revoked certificates? Certificate Revocation List (CRL), list of revoked certificates. - Timely and reliable distribution of CRLs is a critical and difficult problem.
What are the different types of information leakage flaws?
- Infrastructure information (Web server type, back-end database type, operating system type, version numbers of each of these, etc.) - Path (where are the application components installed on the target machine file system?) - Code Base (Can we download the application code?) - Data Store (Where the backend data store and what is it?) - Usernames and/or passwords
Token-based Authentication
- Memory cards - Smart cards - Electronic identity cards
John the Ripper
- Open-source password cracker first developed in 1996 - Uses a combination of brute-force and dictionary techniques
Easily Guessable Passwords
- Password cracker usually exploit this - Shorter password lengths are easier to crack
Remote User Authentication
- Password protocol - Token protocol - Static biometric protocol - Dynamic biometric protocol
Biometric Authentication
- Physical characteristics used in biometric applications - Operation of a biometric authentication system - Biometric accuracy
Rainbow Table Attacks
- Pre-compute tables of hash values for all salts - A mammoth table of hash values - Can be countered by using a sufficiently large salt value and a sufficiently large hash length
Cookie
- Provides one or more state variables previously set by a server on this client. - A small piece of information that HTTP server sends to the browser connecting the first time. Browser returns a copy of the cookie each time it reconnects. HTTP server uses the cookie to create the impression the "session" spans multiple pages. It can store access control and/or authentication information, thus is susceptible to snooping and sniffing.
What are the three types of XSS flaws?
- Reflected (non-persistent) - Persistent - DOM-based
XSS Flaw Persistent
- Requires attacker to input script - Then view resulting pages
What are the Various Session ID Implementations?
- S session token, session credential - URL session tracking - Hidden form element - Cookies (per-session cookie [lives in memory], permanent cookie [cookie.txt] )
One-Time Passwords
- S/Key - Time synchronized - Challenge response
Uniform Resources Identifier (URI)
- The address of a resource including how to retrieve it - Interchangeably used with URL (Uniform Resource Locator) - Contains: protocol://[user:password@]host.domainname[:port]/resource?param=value
Session Keys
- The more the same symmetric key is used, the more likely to be broken - Generate and use a symmetric key for use during a specific communication for data only - Public Key schemes good for encrypting random data; not good otherwise - especially if possible plain text is from a small set (forward search attack, encrypt all possibilities with public key)
Password-based Authentication
- The vulnerability of passwords - The use of hashed passwords - Password cracking of user-chosen passwords - Password file access control - Password selection strategies
What are the Defense Mechanisms for Cookies?
- To implement expiration time and date - To include the browser IP address - To hash the cookie using MAC (Message Authentication Code)
Dictionary Attack 3
- To speed up a search, pre-compute F(dictionary) - A simple look up gives the password
What are the Various Session ID Vulnerability
- URL session tracking - Hidden Form - Permanent Session ID - Per-session ID
Bloom Filter
- Used to build a table based on dictionary using hashes - Check desired password against this table
Query String
- Used to pass data via a URL - Popular target for attackers because they're trivial to manipulate because they are in the browser's location line - The format of a query parameter is determined by the web application developer or the production environment running the application
Key Distribution Center (KDC)
- Uses secret key cryptography Disadvantages: high risk, single point of failure, performance bottleneck
Dictionary Attack 2
- Usually F is public and so is the password file - Compute F(word) for each word in the dictionary - A match gives the password
XSS Attack
- XSS injects scripts into a web application as it involves tricking the browser into execution code and the browser believes that the code is part of the site and runs it in that context - XSS attacks the browser (client), not the server as the goal is to get the client (browser) to execute the script
What is Involved in a XSS Attack?
1. Application: running a vulnerable application 2. Browser: tricked into running the code 3. Attacker: evil person 4. Code: usually Javascript
What are the Four Types of Flaws?
1. Information leakage flaws 2. Configuration flaws (miscommunication between app and server is configured) 3. Bypass flaws (authentication bypass/authorization bypass/file control bypass/front-end bypass) 4. Injection flaws (i.e. SQL injection)
What are the 4 methods to authenticating user identity?
1. Something the individual knows (i.e. PW, Pin, Security Questions) 2. Something the individual possesses (token) (i.e. Smartcard, electronic key, physical key) 3. Something the individual is (static biometrics) (i.e. Fingerprint, retina, face) 4. Something the individual does (dynamic biometrics) (i.e. voice pattern, handwriting, typing rhythm)
What are the four password selection strategies?
1. User Education 2. Computer Generated Passwords 3. Reactive Password Checking 4. Complex Password Policy
Unrestricted DAC
Allows information from an object which can be read by a subject to be written to any other object
Trojan Horse
An application or physical device masquerades as an authentic application or device for the purpose of capturing a user password, passcode or biometric
Denial-Of-Service
Attempts to disable a user authentication service by flooding the service with numerous authentication attempts
Multiple CA Domains
CAs issue certificates to each other
HTTP Status Code 4XX
Client Error (401 Unauthorized / 404 File Not Found)
Attribute-based access control (ABAC)
Controls access based on attributes of the user, the resource to be accessed, and current environmental conditions
Role-Based Access Control (RBAC)
Controls access based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles
The User ID
Determines that the user is authorized to access the system, determines the user's privileges and is used in discretionary access control
Host Attacks
Directed at the user file at the host where passwords, token passcodes, or biometric templates are stored
One-Way Hash Function
F(x) is easy to compute From F(x), x is difficult to compute
User Agent String
Identifies the type of client software and summarizes its capabilities
HTTP Status Code 1XX
Information (100 continue / 101 switching protocols)
Injection Flaw
Injection code into some form of user input, with the goal of an interpreter somewhere processing it i.e. SQL injection (targets the backend data store) XSS (targets the clients of an app)
Computer Security
Measures that implement and assure security services in a computer system, particularly those that assure access control service
Multiple KDC Domains
KDCs share keys between each other
Password Authentication
Widely used line of defense against intruders. (i.e. User provides name / login and password, then system compares password with the one stored for that specified login)
Content Length
Length of the response
HTTP Status Codes
Numeric code to identify the response types. There are five classes: 1XX, 2XX, 3XX, 4XX, and 5XX
How Are Passwords Stored?
Per each user, system stores (username, F(password)) in a password file, where F is a one-way hash function. When a user enters the password, the system computes F(password). A match provides a proof of identity.
Identification Step
Presenting an identifier to the security system
Verification Step
Presenting or generating authentication information that corroborates the binding between the entity and the identifier
URL Session Tracking
Retype URL (session cloning)
HTTP Status Code 3XX
Redirection (302 Redirect / 304 Not Modified)
Status Code
Result from the request, often incorrectly called an error code
HTTP Status Code 5XX
Server Error (500 Server Error / 502 Bad Gateway)
Server Token
String returned by the web server identifying itself. This can be spoofed or changed by the administrator
Web Application Attacks
Targets: misconfigured and vulnerable web server Techniques - Account Harvesting - Undermining session-tracking mechanisms - SQL piggybacking - Cross Site Scripting (XSS)
GET Request
The client is requesting this web page using GET method
Authentication Process
The fundamental building block and primary line of defense and basis for access control and user accountability. Performed in two steps: Identification and Verification
User Authentication
The process of verifying an identity claimed by or for a system entity
Server Time
Time stamp based on the server's time and date
Session ID
Used to maintain state of HTTP connections
Password-based Authentication
Uses a secret quantity (the password) that the verifier states to prove he/she knows it. Posed threat: password guessing / dictionary attack
Multimodal Biometrics: OR
Uses multiple biometrics together, accept as long as atleast one is passed
Multimodal Biometrics: AND
Uses multiple biometrics together, accept only when all are passed
Per-session ID
Using Achilles proxy