CMPE132 Midterm 2


Permanent Session ID

Change cookie file

Hidden Form

Change in a local copy of HTML page

HTTP Status Code 2XX

Success (200 OK)

Certificates

- Signed messages that specify an identity and the corresponding public key
- Signed with the well-known public key of a CA

Client Attacks

Adversary attempts to achieve user authentication without access to the remote host or the intervening communications path

Eavesdropping

Adversary attempts to learn the password by some sort of attack that involves the physical proximity of user and adversary

Replay

Adversary repeats a previously captured user response

Authentication Handshakes

- Secure communication almost always includes an initial authentication handshake (authenticate each other, establish session keys; the process is not trivial, and flaws in this process undermine secure communication)

Password Salt

- 12-bit number between 0 and 4095
- Derived from the system clock and the process identifier

Electronic User Authentication Principles

- A model for electronic user authentication
- Means of authentication
- Risk assessment for user authentication

Nonce

- A number that is used only once
- Deals with replay attacks

Cryptographic Authentication Protocols

- A prover proves some information by performing a cryptographic operation on a quantity that the verifier supplies
- Usually reduced to the knowledge of a secret value (a symmetric key, the private key of a public/private key pair)

Object

- A resource to which access is controlled
- Entity used to contain and/or receive information
- Anything on which a subject can perform operations (mediated by rights)
- Usually passive, i.e. File, Directory (or Folder), Memory Segment

Trojan Horses

- A rogue software installed, perhaps unwittingly, by duly authorized users
- Does what a user expects it to do, but in addition exploits the user's legitimate privileges to cause a security breach

Certification Authorities (CA)

- A trusted intermediary
- Uses public key cryptography
Advantages:
- Doesn't have to be online
- Lower risk compared with KDCs
- Allows the network to operate even if CAs crash
- Certificates can be public
- A compromised CA can't decrypt previously secured traffic

UNIX Files

- Administered using inodes (index nodes)
- Control structures with key information needed for a particular file
- Several file names may be associated with a single inode
- An active inode is associated with exactly one file
- File attributes, permissions and control information are stored in the inode
- On the disk there is an inode table, or inode list, that contains the inodes of all the files in the file system
- When a file is opened its inode is brought into main memory and stored in a memory resident inode table

Ideal Two-Way Public Key Based Authentication

- Alice and Bob establish the session key with Diffie-Hellman Key Exchange
- Alice and Bob sign the quantity they send
- Trudy won't be able to learn anything about the session key even if she compromises both Alice and Bob

Cross-Site Request Forgery (CSRF)

- An attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated
- Specifically targets state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request

Subject

- An entity capable of accessing objects
- Three classes: Owner, Group

XSS Flaw DOM-based

- Arbitrary parameters used by client-side code

Biometric Authentication

- Attempts to authenticate an individual based on unique physical characteristics
- Based on pattern recognition
- More complex and expensive in comparison to passwords and tokens

Remote User Authentication

- Authentication over a network, the Internet, or a communications link is more complex
- Additional security threats (i.e. eavesdropping, capturing a password, replaying an authentication sequence that has been observed)
- Generally rely on some form of a challenge-response protocol to counter threats

Expanded Needham-Schroeder Protocol

- Classic protocol for authentication with KDC (i.e. Kerberos)
- The additional two messages assure Bob that the initiator has talked to KDC since Bob generates Nb

Mandatory Access Control (MAC)

- Controls access based on comparing security labels with security clearances
- Restricts the access of subjects to objects on the basis of security labels
- Label both the subjects and the objects
- Allow a subject to access an object only when certain constraints are satisfied

Communication post mutual authentication

- Should be cryptographically protected as well
- Require a session key established during mutual authentication

Discretionary Access Control (DAC)

- Controls access based on the identity of the requestor and on access rules (authorization) stating what requestors are (or are not) allowed to do
- Scheme in which an entity may enable another entity to access some resource
- Often provided using an access matrix
- One dimension: identified subjects that may attempt data access to the resources
- Other dimension: lists objects that may be accessed
- Each entry in the matrix indicates the access rights of a particular subject for a particular object
- Allow access rights to be propagated from one subject to another
- Possession of an access right by a subject is sufficient to allow access to the object

Dictionary Attack 1

- Create a dictionary of common words and names and their simple transformations
- Use these to guess the password

Access Right

- Describes the way in which a subject may access an object
- Could include: Read, Write, Execute, Delete, Create, Search

Crypt Algorithm (Unix)

- Designers: Bob Morris and Ken Thompson
- Uses DES encryption algorithm
- User password and salt are used as the encryption key to encrypt a 64-bit block of zeros
- 12-bit salt, password takes 8 characters
- Process is repeated 25 times

Dictionary Attacks

- Develop a large dictionary of possible passwords and try each against the password file
- Each password must be hashed using each salt value and then compared to stored hash values

What are the Different Access Control Policies?

- Discretionary Access Control (DAC)
- Role-based Access Control (RBAC)
- Mandatory Access Control (MAC)
- Attribute-Based Access Control (ABAC)

XSS Flaw Reflected (Non-persistent)

- Easiest to test
- Place script in URL

Precautions That Should Be Taken When Developing Web Applications

- Ensure the integrity by hashing the variables
- Encrypting information in URL, hidden form element, or cookies, in addition to SSL
- Generating long enough session IDs to prevent collision
- Dynamic session IDs, changing from page to page
- Applying timestamp to session IDs

Request Types to Access a Web Server

- GET
- POST
- HEAD
- TRACE
- OPTIONS
- CONNECT
- PUT
- DELETE

Stateless HTTP

- HTTP is stateless, thus the application must implement a method for grouping a series of requests together in a session
- The application implements a state tracking mechanism
- Server-side code has to identify that each request is part of the same session (URI Parameters and Hidden Form Fields)
- Typically a session token is passed to and from the client

What can XSS be used to do?

- Hijack sessions
- Gain access to restricted content stored by a website
- Execute commands on the target
- Record keystrokes

Certificate Revocation

- How to deal with revoked certificates? Certificate Revocation List (CRL), list of revoked certificates.
- Timely and reliable distribution of CRLs is a critical and difficult problem.

What are the different types of information leakage flaws?

- Infrastructure information (Web server type, back-end database type, operating system type, version numbers of each of these, etc.)
- Path (Where are the application components installed on the target machine file system?)
- Code Base (Can we download the application code?)
- Data Store (Where is the backend data store and what is it?)
- Usernames and/or passwords

Token-based Authentication

- Memory cards
- Smart cards
- Electronic identity cards

John the Ripper

- Open-source password cracker first developed in 1996
- Uses a combination of brute-force and dictionary techniques

Easily Guessable Passwords

- Password crackers usually exploit this
- Shorter password lengths are easier to crack

Remote User Authentication

- Password protocol
- Token protocol
- Static biometric protocol
- Dynamic biometric protocol

Biometric Authentication

- Physical characteristics used in biometric applications
- Operation of a biometric authentication system
- Biometric accuracy

Rainbow Table Attacks

- Pre-compute tables of hash values for all salts
- A mammoth table of hash values
- Can be countered by using a sufficiently large salt value and a sufficiently large hash length

Cookie

- Provides one or more state variables previously set by a server on this client.
- A small piece of information that the HTTP server sends to the browser when it connects for the first time. The browser returns a copy of the cookie each time it reconnects. The HTTP server uses the cookie to create the impression that the "session" spans multiple pages. It can store access control and/or authentication information, and thus is susceptible to snooping and sniffing.

What are the three types of XSS flaws?

- Reflected (non-persistent)
- Persistent
- DOM-based

XSS Flaw Persistent

- Requires attacker to input script
- Then view resulting pages

What are the Various Session ID Implementations?

- S session token, session credential
- URL session tracking
- Hidden form element
- Cookies (per-session cookie [lives in memory], permanent cookie [cookie.txt])

One-Time Passwords

- S/Key
- Time synchronized
- Challenge response

Uniform Resources Identifier (URI)

- The address of a resource including how to retrieve it
- Interchangeably used with URL (Uniform Resource Locator)
- Contains: protocol://[user:password@]host.domainname[:port]/resource?param=value

Session Keys

- The more the same symmetric key is used, the more likely it is to be broken
- Generate and use a symmetric key for use during a specific communication for data only
- Public key schemes are good for encrypting random data; not good otherwise, especially if the possible plaintext is from a small set (forward search attack: encrypt all possibilities with the public key)

Password-based Authentication

- The vulnerability of passwords
- The use of hashed passwords
- Password cracking of user-chosen passwords
- Password file access control
- Password selection strategies

What are the Defense Mechanisms for Cookies?

- To implement expiration time and date
- To include the browser IP address
- To hash the cookie using MAC (Message Authentication Code)

Dictionary Attack 3

- To speed up a search, pre-compute F(dictionary)
- A simple look up gives the password

What are the Various Session ID Vulnerabilities?

- URL session tracking
- Hidden Form
- Permanent Session ID
- Per-session ID

Bloom Filter

- Used to build a table based on dictionary using hashes
- Check desired password against this table

Query String

- Used to pass data via a URL
- Popular target for attackers because query strings are trivial to manipulate, since they are in the browser's location line
- The format of a query parameter is determined by the web application developer or the production environment running the application

Key Distribution Center (KDC)

- Uses secret key cryptography
Disadvantages: high risk, single point of failure, performance bottleneck

Dictionary Attack 2

- Usually F is public and so is the password file
- Compute F(word) for each word in the dictionary
- A match gives the password

XSS Attack

- XSS injects scripts into a web application; it involves tricking the browser into executing code, because the browser believes that the code is part of the site and runs it in that context
- XSS attacks the browser (client), not the server, as the goal is to get the client (browser) to execute the script

What is Involved in a XSS Attack?

1. Application: running a vulnerable application
2. Browser: tricked into running the code
3. Attacker: evil person
4. Code: usually JavaScript

What are the Four Types of Flaws?

1. Information leakage flaws
2. Configuration flaws (miscommunication between app and server is configured)
3. Bypass flaws (authentication bypass/authorization bypass/file control bypass/front-end bypass)
4. Injection flaws (i.e. SQL injection)

What are the 4 methods of authenticating user identity?

1. Something the individual knows (i.e. PW, PIN, Security Questions)
2. Something the individual possesses (token) (i.e. Smartcard, electronic key, physical key)
3. Something the individual is (static biometrics) (i.e. Fingerprint, retina, face)
4. Something the individual does (dynamic biometrics) (i.e. voice pattern, handwriting, typing rhythm)

What are the four password selection strategies?

1. User Education
2. Computer Generated Passwords
3. Reactive Password Checking
4. Complex Password Policy

Unrestricted DAC

Allows information from an object which can be read by a subject to be written to any other object

Trojan Horse

An application or physical device masquerades as an authentic application or device for the purpose of capturing a user password, passcode or biometric

Denial-Of-Service

Attempts to disable a user authentication service by flooding the service with numerous authentication attempts

Multiple CA Domains

CAs issue certificates to each other

HTTP Status Code 4XX

Client Error (401 Unauthorized / 404 File Not Found)

Attribute-based access control (ABAC)

Controls access based on attributes of the user, the resource to be accessed, and current environmental conditions

Role-Based Access Control (RBAC)

Controls access based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles

The User ID

Determines that the user is authorized to access the system, determines the user's privileges and is used in discretionary access control

Host Attacks

Directed at the user file at the host where passwords, token passcodes, or biometric templates are stored

One-Way Hash Function

- F(x) is easy to compute
- From F(x), x is difficult to compute

User Agent String

Identifies the type of client software and summarizes its capabilities

HTTP Status Code 1XX

Information (100 continue / 101 switching protocols)

Injection Flaw

Injecting code into some form of user input, with the goal of an interpreter somewhere processing it, i.e.:
- SQL injection (targets the backend data store)
- XSS (targets the clients of an app)

Computer Security

Measures that implement and assure security services in a computer system, particularly those that assure access control service

Multiple KDC Domains

KDCs share keys between each other

Password Authentication

Widely used line of defense against intruders. (i.e. User provides name / login and password, then system compares password with the one stored for that specified login)

Content Length

Length of the response

HTTP Status Codes

Numeric code to identify the response types. There are five classes: 1XX, 2XX, 3XX, 4XX, and 5XX

How Are Passwords Stored?

Per each user, system stores (username, F(password)) in a password file, where F is a one-way hash function. When a user enters the password, the system computes F(password). A match provides a proof of identity.

Identification Step

Presenting an identifier to the security system

Verification Step

Presenting or generating authentication information that corroborates the binding between the entity and the identifier

URL Session Tracking

Retype URL (session cloning)

HTTP Status Code 3XX

Redirection (302 Redirect / 304 Not Modified)

Status Code

Result from the request, often incorrectly called an error code

HTTP Status Code 5XX

Server Error (500 Server Error / 502 Bad Gateway)

Server Token

String returned by the web server identifying itself. This can be spoofed or changed by the administrator

Web Application Attacks

Targets: misconfigured and vulnerable web server
Techniques:
- Account Harvesting
- Undermining session-tracking mechanisms
- SQL piggybacking
- Cross Site Scripting (XSS)

GET Request

The client is requesting this web page using GET method

Authentication Process

The fundamental building block and primary line of defense and basis for access control and user accountability. Performed in two steps: Identification and Verification

User Authentication

The process of verifying an identity claimed by or for a system entity

Server Time

Time stamp based on the server's time and date

Session ID

Used to maintain state of HTTP connections

Password-based Authentication

Uses a secret quantity (the password) that the verifier states to prove he/she knows it. Posed threat: password guessing / dictionary attack

Multimodal Biometrics: OR

Uses multiple biometrics together, accept as long as at least one is passed

Multimodal Biometrics: AND

Uses multiple biometrics together, accept only when all are passed

Per-session ID

Using Achilles proxy

