INFORMATION SECURITY
SSL(Secure Sockets Layer)
"___ provides communications privacy over the Internet. The protocol allows client/server applications to communicate in a way that prevents eavesdropping, tampering, or message forgery." Goals: Confidentiality, integrity and mutual authentication Supported by all browsers, all common servers ___3.0 was the basis for TLS1.0
Stream Cipher Cons
-Two-time pad attacks (reusing a keystream) -Malleable (possible to change the contents of the message m without decrypting)
Chaums Online eCash Protocol Drawbacks
-All transactions must be online -If not online, customer could otherwise spend the same coin multiple times
Popular word construction
-Append all possible one-, two- or three-character strings to common passwords and dictionary words -Prepend all possible one-, two- or three-character strings to common passwords and dictionary words -Combine a + b
Hash Function Uses
-Authenticity -Integrity -Digital signatures -Password databases -Proof-of-work computation (blockchain)
How are passwords cracked?
-Brute force -Common passwords (only passwords that are longer than 6 chars.) -Apply popular word construction rules to common passwords and dictionary words
Overloading Methods
-Consume too much bandwidth -Create too many requests -Create time consuming requests -Make the service hard to reach by overloading a nearby router with bogus requests.
Applications of Block Ciphers
-Encryption schemes -Hash functions -Stream ciphers (CTR mode) -Message Authentication Codes -Pseudorandom bit generators
How to build a botnet
-Find a widespread vulnerability -Exploit it, install your malicious code and turn it into a bot -Let bots make more vulnerable machines into more bots
Popular Hash Functions
-MD5 (now considered broken; 128-bit hash values) -SHA1 (broken too; 160-bit hash values) -SHA2 family (SHA224, SHA256, SHA384, SHA512) -SHA3 family (SHA3-224, SHA3-256, SHA3-384, SHA3-512)
Protecting against Active Data Upload
-Put any uploads outside of the path to the document root to prevent the attacker from directly accessing the file. File should be streamed on request rather than executed. -Create a new, unpredictable filename.
Defences against CSRF
-The server cannot distinguish whether the browser is making a request on the user's or the attacker's behalf -Valid requests for critical state changes (money transfers) must include unpredictable tokens. This can be done with challenge-response mechanisms.
Brute-forcing methods
-Short passwords: go through all possible character strings of length 1 through 6 -Lowercase passwords: of length 7 or 8 -Uppercase passwords: of length 7 or 8
Active Data Upload Attack
-Site allows data to be uploaded, e.g. image files -Attacker discovers site uses PHP, Java, ... -Uploads an active file, e.g. myload.php -Server saves it -Attacker runs mysite.com/uploads/myload.php
SQL Injection uses
-Steal contents of databases (passwords, credit cards, user data): CONFIDENTIALITY BREACH -Modify contents of database (delete all contents): BREACHES INTEGRITY -Get unauthorised access to resources
RC4(Rivest Cipher 4)
-Used in WEP, WPA and SSL/TLS -Very efficient and simple, but has some security flaws
Defenses against XSS
-User input must be securely handled in both client-side and server-side code. -Stored and reflected XSS are countered by the same defence mechanisms.
CSRF (Cross-Site Request Forgery)
-User/victim is authenticated to the server and in a session with it. -User clicks a link or resource provided by an attacker. The browser requests the provided resource and connects to the server. -Server cannot distinguish between a malicious and a genuine request, as both are received from the same browser. -The purpose of ____ is to cause a state change, as the attacker cannot directly observe the outcome.
public key cryptography uses
-secure distribution of keys -forms of authentication and non-repudiation -digital signatures
Validating an X.509 certificate
1) Certificate recipient authentically obtains the public key of the CA that signed the certificate 2) Recipient validates the certificate by computing the hash of the non-signature fields and checking it matches the signed hash 3) Recipient checks the validity period to ensure the certificate has not expired
Certificate Parameters
1) Issuer 2) Expiration Date 3) Purpose of the public key
Chaum's Ecash
1) Not transferable 2) Unforgeable 3) Anonymous (for honest users...) 4) Untraceable 5) Transactions can be made offline 6) Centralised system
Common Hacking Tactics
1) Social engineering 2) Physical access to systems 3) Application vulnerabilities 4) Flawed communication protocols 5) Hardware-level vulnerabilities 6) Broken crypto primitives 7) Mathematical breakthrough
Bitcoin
1) Transferable 2) Unforgeable 3) Anonymous 4) Not traceable 5) Transactions not available offline 6) Distributed system
How does a rainbow table work?
1. Check the table for hash 0x1135 2. Apply the reduce function: R(0x1135) = h4x0rz (R maps hash values back to strings of characters that are likely to occur in actual passwords) 3. Apply the hash function: H(h4x0rz) = 0xDEAD 4. Check the table for 0xDEAD. Find possibilities and try both hash chains. 5. Apply R and H to find the password. Save space by computing hash chains and storing only the first and last elements of each chain.
Password Authentication
1. Find Alice in DB 2. Read password hash 3. Compute supplied hash 4. Compare hash values
Threat agent
1. Identify relevant threat agents: e.g., External attacker vs inside attacker, Script kiddies vs organised criminals, Competitors vs nation-states, Accidental vs Intentional actors. 2. Identify threat agents' skills and motives 3. Identify threat agents' opportunity and group size
Problems with RC4
1. It was discovered that some bytes of the output are biased. 2. The first few bytes of output sometimes leak some information about the key. TL;DR: don't use RC4.
Constructing a MAC
1. Some ___ are secure even if the adversary is not computationally bounded. These constructions are not practical, in the same way as the OTP. 2. ___ can also be constructed from hash functions, e.g. NMAC, HMAC 3. ___ can be constructed from block ciphers, e.g. CBC-MAC
One Time Pad disadvantages
1. The key has to be as long as the message. |C| == |M| 2. It is very difficult to generate truly random strings. 3. The key cannot be reused.
Formal Definition of MAC Scheme
A ___ scheme is a pair of algorithms (tag, vrfy) where tag: K × M → T and vrfy: K × M × T → {true, false}. tag is called the tagging algorithm, vrfy the verification algorithm; K is the set of keys, M the set of plaintexts, T the set of tags.
Hash Functions
A ____ ________ maps a string of arbitrary length (message) to a string of fixed length (message digest/hash).
Block Cipher Notation
A _____ _____ with key length k and block size n consists of two sets of efficiently computable bijections, E_K: {0,1}^n → {0,1}^n and D_K: {0,1}^n → {0,1}^n, such that D_K is the inverse of E_K for any K in {0,1}^k.
Rainbow Tables
A _______ _____ is a database that is used to gain authentication by cracking a password hash. It is a precomputed dictionary of plaintext passwords and their corresponding hash values that can be used to find out which plaintext password produces a particular hash.
Certificates
A _________ is a data structure that binds an identity and a purpose to a key.
one-time pad (OTP)
A ________________ involves combining plaintext with a random key to create ciphertext that cannot be broken mathematically.
Pre-Image Resistance
A characteristic of a strong hash function in which it is infeasible to generate a plaintext value based on its hash.
Vulnerability
A characteristic of a system that can be exploited by a threat.
Public Key Infrastructure (PKI)
A digital certificate binds an identity and purpose to a public key. A ___ is a set of policies and procedures to manage digital signatures. Can be based on: 1) Certificate Authorities 2) Web of Trust 3) Blockchain
Digital Signatures
A digital signature is a mathematical technique used to validate the authenticity and integrity of a message, software or digital document.
Risk
A function of the loss associated with an event and the probability that the event occurs. Working definition for risk associated with vulnerabilities: risk = (impact to asset from exploit of vulnerability) × (probability of occurrence).
Collision resistance
A hash function H is ________ _________ if it is hard to find two inputs that hash to the same output.
Hybrid Encryption
A method of encryption that makes use of both symmetric and asymmetric encryption by encrypting a symmetric key with public key encryption.
Prime Numbers
A natural number p ≠ 1 is a prime number, or simply a prime, if 1 and p are the only divisors of p.
pseudorandom number generator
A program element that performs calculations to produce a series of numbers in seemingly random order.
Establishing Secure Channels
A secure channel provides confidentiality and authenticity, so we need both encryption and authentication.
Certificate Authority (CA)
A trusted third-party agency that is responsible for issuing digital certificates.
Reflected DoS attack
A type of DoS attack that uses a forged source IP address when sending requests to a large number of computers. This causes those systems to send a reply to the target system causing a DoS condition.
XSS(Cross Site Scripting)
A type of injection attack in which malicious scripts are injected into trusted websites and then executed in the victim's browser. Attackers can steal cookies and credentials, spy on the user and modify the web page content to perform phishing attacks.
DDos/IP spoofing
A type of spoofing whereby an intruder uses another site's IP address as if it were that other site
NTP Amplification Attack
A volumetric DDoS attack that takes advantage of a vulnerability in the NTP protocol, with the goal of flooding a server with UDP traffic.
Same Origin Policy
A web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin.
Modular Arithmetic
A/B = Q remainder R, where A is the dividend, B is the divisor, Q is the quotient and R is the remainder. Using the same A, B, Q and R as above, we have A mod B = R. EXAMPLE: 13/5 = 2 remainder 3, so 13 mod 5 = 3.
Best Block Cipher
AES -widely supported -special hardware instructions available on modern CPUs
Security of Hashed Passwords
Against malicious system admins (active adversary)? -No!! E.g. key loggers, modified log-in code... Against curious (eavesdropping) system administrators and leaked password databases? -A hash function is a one-way function, which means it cannot be inverted to recover the password.
RSA Generation
Alice generates her ___ keys by selecting two primes, p = 11 and q = 13. The ___ modulus is n = p*q = 143. The totient is ϕ(n) = (p−1)×(q−1) = 120. She chooses 7 for her ___ public key e and calculates her ___ private key d using the extended Euclidean algorithm, giving her 103.
Injections Attack Conclusion
Allowing any form of user input (SQL queries, forms, GET/POST variables, data uploads) makes your application vulnerable to injection attacks.
chosen plaintext attack
Allows manipulation of a cryptosystem by choosing a block of plaintext, and getting the ciphertext as output to see how things are enciphered.
certificate chain
Also known as the certification path, is a list of certificates used to authenticate an entity. It begins with the certificate of the entity and ends with the root CA certificate.
DDoS (Distributed Denial of Service)
An attack on a computer or network device in which multiple computers send data and requests to the device in an attempt to overwhelm it so that it cannot perform normal operations. Frequently carried out by botnets by instructing bots to request a service from the victim.
SQL Injection
An attack that targets SQL servers by injecting commands to be manipulated by the database.
Efficient Algorithm
An efficient algorithm is an algorithm whose running time is bounded by a polynomial in the size of its input
Perfect Secrecy
An encryption scheme is perfectly secret if the adversary learns no additional information about the plaintext after observing the ciphertext.
Encryption Scheme
An encryption scheme (or cipher) is a pair of algorithms (Enc, Dec) where Enc: K × M → C and Dec: K × C → M. Enc is called the encryption algorithm, Dec the decryption algorithm; K is the set of keys, M the set of plaintexts, C the set of ciphertexts.
DoS(Denial Of Service)
Attack the availability of the service. Two options to attack availability: -Break the service -Overload the service / starve it of a resource
DoS/Overloading the service
Attacker makes services unavailable to legitimate users by overloading the service or starving it of a resource with bogus requests so legitimate ones cannot be serviced.
congruence modulo
A ≡ B (mod C). This says that A is congruent to B modulo C. 1. ≡ is the symbol for congruence, which means the values A and B are in the same equivalence class. 2. (mod C) tells us what operation we applied to A and B. 3. When we have both of these, we call ≡ "congruence modulo C". 26 mod 5 = 1, so 26 is in the equivalence class for 1; 11 mod 5 = 1, so 11 is in the equivalence class for 1 as well.
Chaum's Online eCash: Withdrawal
Bank RSA public key: (e, n). Bank RSA private key: (d, n). User creates a random coin number c and a blinding factor r. User → c*r^e mod n → Bank: debit £1 from account, sign the blinded coin. User ← c^d*r mod n ← Bank. User then unblinds the coin number by dividing by r. This is called a blind signature.
Security of AES
Best known attack: Biclique attack
RSA decryption
Bob can simply: 1. Compute m as m = c^d (mod n) 2. Convert m into Alice's message
public key cryptography example
Bob has key pair (sk, pk) and Alice wants to encrypt message m for Bob. Like everyone, Alice knows Bob's public key pk. She computes the ciphertext c = E(pk, m) by applying the encryption function E with Bob's public key pk. We write encryption with the fixed key pk as E_pk, i.e. E_pk(m) := E(pk, m). The scheme can only be secure if it is infeasible to compute m from c = E_pk(m).
Configured and Delegated CAs
CAs whose public keys are configured in a system can authorise other CAs to act as delegated CAs. Both kinds of CA are completely trusted to issue certificates and to recommend delegates as trustworthy CAs (certificate chains). Pros: competitive pricing, convenience of local CAs, systems need to be configured with all certificates. Cons: as before, compromise of any CA suffices to forge fraudulent certificates; the system's certificate store can be manipulated by adding the attacker's keys.
MAC-then-Encrypt
Ciphertext integrity is not protected. May be vulnerable to padding oracle attacks. Used in SSL/TLS. t := Tag^k2(m) and c := Enc^k1(m||t); send c.
Stored Server XSS
Classic XSS attack. Malicious user input is stored on the target server. Client receives the stored data from the server without the data being made safe to render in the browser.
CIA properties
Confidentiality, Integrity, Availability
Encrypt-and-MAC
Considered bad design as it may reveal information about the plaintext. Used in SSH. c := Enc^k1(m) and t := Tag^k2(m); send (c, t).
Encrypt-then-MAC
Considered stronger than the two alternative methods, but not foolproof! Used in IPsec and in extensions of TLS and SSH. c := Enc^k1(m) and t := Tag^k2(c); send (c, t).
chosen ciphertext attack
Cryptanalysis attack where the attacker chooses a ciphertext and obtains its decryption under an unknown key.
DNS Amplification Attack
A reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open DNS resolvers in order to overwhelm a target server or network with an amplified amount of traffic.
Multiple CAs
Each system needs a set of CA public keys. Pros: local CAs are more convenient; competition prevents abusive pricing. Cons: less secure than the single-CA model; compromise of any CA suffices to forge fraudulent certificates; the system's certificate store can be manipulated by adding the attacker's keys.
Encryption Scheme: Correctness Condition
Enc and Dec satisfy the following correctness condition: for every k in K and m in M, Dec(k, Enc(k, m)) = m.
Formal Definition of One-Time Pad
Enc_k(m) = k ⊕ m and Dec_k(c) = k ⊕ c, where t is a parameter, K = M = C = {0,1}^t (bit strings of length t) and ⊕ is bitwise XOR.
Encryption Scheme Notation
Enc_k(m) and Dec_k(c) for Enc(k, m) and Dec(k, c), respectively.
Chaum's Online eCash: Payment
Encrypt the vendor ID, the hash of the payment specification and the signed coin number c^d mod n with the bank's public key: {IDuser, h(spec), c^d mod n}_pk(bank). The payment spec contains the payment specification, e.g. date, time, items purchased, and a nonce.
Block Ciphers
Encrypts and decrypts blocks of bits, encryption is done with a key.
RSA Encryption
From Alice to Bob: 1. Look up Bob's public key 2. Convert the message into an integer m 3. Compute the ciphertext c as c = m^e (mod n) 4. Send c to Bob
Diffie-Hellman key exchange
G: a group. g: a generator of G. One party picks a random a, the other picks a random b.
Pre-Image Resistance Notation
Given H(m), it is hard to find m' such that H(m') = H(m).
second preimage resistant
Given m, it is hard to find m' ≠ m such that H(m) = H(m').
Constructing MACs from Hash Functions(HMAC)
HMAC_k(m) = H((k xor opad) || H((k xor ipad) || m)). For example: HMAC-SHA256_k(m) = SHA256((k xor opad) || SHA256((k xor ipad) || m)).
composite number
If a number n ∈ N is not prime, it is called composite: a number with more than two factors.
X.509 Format
Issuer name: CA name. Serial number: unique for each CA. Algorithm: identifier for the algorithm used to sign the certificate. Subject name: user whose public key is certified. Subject public-key info: identifies the algorithm and the user's public key. Signature: hash of the other fields, signed with the CA's signing key.
Collision Resistant Notation
It's hard to find any pair(m,m') such that H(m)=H(m')
DES(Data Encryption Standard)
Key length: 56 bits. Block length: 64 bits. Outputs a 64-bit cryptogram.
AES(Advanced Encryption Standard)
Key sizes: 128, 192 or 256 bits. Block size: 128 bits. ___ is the new official standard.
What makes systems insecure?
Limited resources: -Development costs time/money -Must balance the cost of security with the potential loss. Changing environment. Enormous complexity in software.
Injection Attacks
Malicious data is sent to an interpreter as part of a query or command.
Reflected Server XSS
Malicious user input is received by the target server and sent back to the browser (e.g. in an error/confirmation message). The client receives data from the server without that data being made safe to render within the browser.
Stored Client XSS
Malicious user input stored in the client's browser. Data may not be sent to server
Countermeasure
Means to detect, deter or deny attacks to threatened assets
DOS/Permanent DoS
Method of breaking the service. Exploit a security flaw to replace a device's firmware with non-functional firmware.
DOS/Ping of Death
Method of breaking the service. Send a malformed packet to crash the service
Do stream ciphers practice perfect secrecy?
NO!! Why? The keys in K are shorter than the messages in M.
Threat
Potential cause of an unwanted event that may harm assets
Integrity
Property of accuracy and completeness
Availability
Property of being accessible and usable upon demand by an authorised entity.
Confidentiality
Property that information is not made available or disclosed to unauthorised parties.
TLS(Transport Layer Security)
Provides end-to-end communications security over networks and is widely used for internet communications and online transactions. Used to prevent eavesdropping, tampering and message forgery. Common applications that employ TLS include web browsers, IM, email and voice over IP (VoIP).
Examples of Injection Attacks
SQL, OS, LDAP injections. Related: buffer and heap overflow attacks, XSS.
How to defend against SQL injections
Separate code and data. Using prepared statements: -Create a 'template' statement -Insert the data -Then execute the statement. Using stored procedures: -Store a collection of statements in the database -These can be executed and return a result -Language independent -Can result in reduced network traffic
Why is brute forcing feasible?
Short salt values: -Attack: collect all hashes using the same salt and attack the largest collection first with a dictionary attack -Solution: long salt values. Fast hash functions: high-end graphics cards (GPUs) and custom hardware can compute billions of hashes per second, so dictionary attacks are still effective.
Why are rainbow tables effective?
Since more than one text can produce the same hash, it's not important to know what the original password really was, as long as it produces the same hash.
4 types of XSS
Stored Server ___ Stored Client ___ Reflected Server ___ Reflected Client ___
If H is collision resistant
THEN H is second preimage resistant
Does one time pad provide perfect secrecy?
The one-time pad provides perfect secrecy (the ciphertext conveys no information about the content of the plaintext; |M| = |C|). But: • The key must be chosen uniformly at random from the set of keys K. • The key must not be reused.
Kerckhoffs's Principle
The design of a security mechanism should be made public and not rely on obscurity. The system should remain secure even if your adversary knows exactly what kind of encryption system you are employing, as long as your key remains secret.
Security of DES
The main weaknesses are: • the short key (brute-force attacks are possible) • the block length is too small.
X.509
The most widely accepted format for digital certificates and certificate validation as defined by the International Telecommunication Union (ITU). Used in IPSec, SSL/TLS, SSH
public key cryptography
The principal idea of _________ is public keys. In a _________ encryption scheme, the communication partners do not share a secret key. Each person's key is separated into two parts: -public key (pk) for encryption, available to everyone -secret key (sk) for decryption, kept secret by the owner
Stream Cipher
They are called this because their output is an "infinite" stream of bits. _____ _______ generate keystreams from a key seed using a pseudorandom generator. Each plaintext digit is encrypted one at a time with the corresponding digit of the keystream to give a digit of the ciphertext.
Hash functions suitable for password hashing
They use slow, CPU-intensive hashing mechanisms. A password hash should be inefficient, with an adjustable work parameter, and require large amounts of memory to prevent parallelised attacks. Examples: bcrypt, scrypt, PBKDF2, Argon2.
How MACs work?
To establish the ___ process, the sender and receiver share a symmetric key K. The sender uses some publicly known ___ algorithm, inputs the message and the secret key K, and produces a ___ value. Similar to a hash, a ___ function also compresses an arbitrarily long input into a fixed-length output. The major difference between a hash and a ___ is that a ___ uses a secret key during the compression. The sender forwards the message along with the ___. We assume that the message is sent in the clear, as we are concerned with providing message origin authentication, not confidentiality. If confidentiality is required, then the message needs encryption. On receipt of the message and the ___, the receiver feeds the received message and the shared secret key K into the ___ algorithm and recomputes the ___ value. The receiver then checks the equality of the freshly computed ___ with the ___ received from the sender. If they match, the receiver accepts the message and assures himself that the message has been sent by the intended sender. If the computed ___ does not match the ___ sent by the sender, the receiver cannot determine whether it is the message that has been altered or the origin that has been falsified. As a bottom line, the receiver safely assumes that the message is not genuine.
MAC(Message Authentication Code)
Used to preserve message integrity and provide authentication. Essentially an encrypted checksum generated on the underlying message that is sent along with the message to ensure message authentication.
Symmetric Cryptography
Uses the same secret key k to encrypt and decrypt a message
Risk Assessment
What are we protecting? (asset) Who is the attacker? (threat agent) What are the threats? What are the vulnerabilities? What are effective defence mechanisms?
known plaintext attack
When an attacker has both a known plaintext and the ciphertext, they can sometimes derive the key itself.
MAC Correctness Condition
tag and vrfy satisfy the following correctness condition: for every k in K and m in M, vrfy(k, m, tag(k, m)) = true. tag is called the tagging algorithm, vrfy the verification algorithm; K is the set of keys, M the set of plaintexts, T the set of tags.
RSA Security
___ derives its security from the difficulty of factoring large integers that are the product of two large prime numbers. Multiplying these two numbers is easy, but determining the original prime numbers from the product (factoring) is considered infeasible due to the time it would take.
RSA(Rivest, Shamir, and Adleman)
___ is the most common internet encryption and authentication system. The system uses an algorithm that involves multiplying two large prime integers to generate a public key, used to encrypt data and decrypt an authentication, and a private key, used to decrypt the data and encrypt an authentication.
XSS vs CSRF
___: The browser executes malicious injected code. ____: The server receives a malicious request from the browser and acts on it.
Single CA
_____ CA for the entire world. All systems are configured with the CA's public key. All certificates are obtained from the CA directory. Pros: simple setup, no need for trust recommendations. Cons: no organisation is universally trusted; debatable where the CA should be located; inconvenient and insecure for distant organisations to obtain certification; the CA has a monopoly and can charge excessive prices.
Chaum's eCash Offline Protocol
_______ keeps customers anonymous as long as the customer is honest and spends each coin only once. If a customer spends a coin more than once, the bank will be able to identify the customer. This is achieved by splitting the coin into several parts and embedding the customer's ID in these parts.
ElGamal Encryption Scheme
_______ uses asymmetric key encryption, based on the Diffie-Hellman key exchange, for communicating between two parties and encrypting the message. Its security is based on the difficulty of finding the discrete logarithm in a cyclic group.
Properties of digital signatures
________ are: 1) Publicly verifiable 2) Transferable 3) Provide non-repudiation. MACs have none of these properties.
A hash function used to protect passwords must be...
collision resistant and preimage resistant.
|n|
The size |n| of n ∈ N is equal to ⌊log_2(n)⌋ + 1, where n is an element of N.
Popular Stream Ciphers
• RC4, used e.g. to encrypt WiFi communication (WEP, WPA) and SSL/TLS communication. Based on linear feedback shift registers: • A5/1 and A5/2, used to encrypt mobile phone (GSM) communication. • Content Scramble System (CSS) encryption, used to encrypt movies on DVDs.
Chaum's Online eCash: Redemption
→ IDuser, h(spec) → and → {IDuser, h(spec), c^d mod n}_pk(Bank) →. The bank verifies that IDuser and h(spec) are recorded in the encryption, that the signature on c is correct, and that c has not been spent. It records c in a database as spent. ← OK / NOT OK ←