CMSC 100
Cybersecurity
Professor Marie desJardins
Thursday, November 1, 2012
Adapted from instructor slides for Schneider & Gerstung
Cybersecurity
1
Thu 11/1/12
Outline

Keeping your computer system safe

Hashing functions to store passwords

Types of cyber-attacks

Encryption and types of ciphers
Cybersecurity
2
2
Thu 11/1/12
Introduction


Information security:

Keep information safe

Control access to authorized people only
Physical security:


Lock doors, maintain control of devices
Online security:

Secure operating system

Secure network
Cybersecurity
3
3
Thu 11/1/12
Authentication

Authentication: establishing identity

Password file security: passwords are not stored in plain or clear text


On password creation, encrypt and store in a password file
On log in:

Read username and password

Look up entry for username in password file

Hash input password and compare


Key to security is that the hash function is one-way (not reversible)
More secure mechanism:

Add creation time to password before hashing

Identical passwords (for different users) won’t hash to identical values
Cybersecurity
4
4
Thu 11/1/12
Password Hashing


Secure password file with hash function, one-way encoding
Example: password = 1comp2
1.
2.
3.
4.
5.

Replace letters by numbers: 1 3 15 13 16 2
Add digits: 1+3+15+13+16+2=50
Remainder of sum/7: 50 mod 7 = 1
Add 1 and multiply by 9: (1+1)*9 = 18
Reverse digits and convert to letters: 81 = ha
Questions:





Cybersecurity
How many different hashed passwords are there with this simple encoding?
How many different (6-character) passwords map to the same hashed
password?
What’s the probability of guessing the user’s actual password?
What’s the probability of guessing a password that has the same hash
value?
Would this be a secure way to store
a password?
5h
5
Thu 11/1/12
Password Cracking



Guess password, using brute force or knowledge (heuristics)

Try common passwords (e.g.,123456)

Try personal references (e.g., pet name)

Try all possible passwords (computationally difficult)
Steal password file and use password-cracking software

Tries words and word combinations, millions of password possibilities per
second

Defeating this approach is why many systems shut down or time out after
a certain number of illegal password attempts
Social engineering:

Get the person to tell you their password
Cybersecurity
6
6
Thu 11/1/12
Advanced Authentication

Answer personal information question

Biometric information (fingerprint or retinal scans)

One-time password scheme:

User enters ID and a partial password

System or user device generates last half of password

Last half password good for only a few seconds
Cybersecurity
7
7
Thu 11/1/12
Authorization

Authorization: Set of permitted actions for each authorized person

Operating system maintains access control lists


Read access (read a file)

Write access (modify a file)

Execute access (run a program)

Delete access (remove a file
System administrator or superuser has universal access and sets up
authorization
Cybersecurity
8
8
Thu 11/1/12
Types of Malware

Malware: malicious software arriving from the network

Virus: program embedded within another program or file, replicates itself
and attacks other files

Worm: program that can send copies of itself to other nodes on the
network

Trojan horse: program that seems beneficial, but hides malicious code
within it

keystroke logger: records all keys typed

drive-by exploit/drive-by download: Trojan horse downloaded by
simply visiting a bad web site
Cybersecurity
9
9
Thu 11/1/12
Security Attacks

Denial-of-service (DOS) attack:

Many computers try to access same URL at the same time

Clogs the network, prevents legitimate access, causes server to crash

Distributed DOS uses thousands of computers


Uses a zombie army (botnet), many innocent computers infected with
malware
Phishing: Obtain sensitive information by impersonating legitimate
sources

Many e-mails, just a few “bites” are enough
Cybersecurity
10
10
Thu 11/1/12
Encryption


Cryptography: Science of secret writing
Encryption and decryption (inverse operations)




Symmetric encryption algorithm



Convert from plaintext to ciphertext and back again
Unlike hashing, needs to be invertible...
...but needs to be sufficiently difficult that the code can’t be easily cracked!
Uses a secret key shared by sender and receiver
Same key used to encrypt and decrypt
Asymmetric encryption algorithm (public key)



Uses two keys: public and private
Use public key (generally known) to encrypt
Use private key (known only to receiver) to decrypt
Cybersecurity
11
11
Thu 11/1/12
Simple Ciphers

Caesar cipher (shift cipher)

Map characters to others a fixed distance away in alphabet

Example: A->E, B->F, C->G…U->Y, V->Z, W->A

Stream cipher: encode each character as it comes

Substitution cipher: similar, but any letter can map to any other letter

Pros: easy and fast, can do character by character

Cons: clues like letter frequency and double letters make substitution
ciphers easy to break
Cybersecurity
12
12
Thu 11/1/12
Block Cipher
Block cipher

Block of plaintext encoded into block of ciphertext

Each character contributes to multiple characters

Matrix-based block cipher (Note: you don’t need to know this math or
understand the matrix algebra):

Group characters into blocks n characters long

Find invertible NxN matrix, M, and its inverse, M’, as keys

Map characters to letters A->1, B->2, etc.

Wrap values 26 and above back to zero: 26->0, 27->1, etc.
Cybersecurity
13
13
Thu 11/1/12
Cybersecurity
14
14
Thu 11/1/12
DES/AES


DES (Data Encryption Standard)

Symmetric encryption algorithm – essentially a repeated block cipher

Designed for digital data: plaintext is binary string

Uses 64-bit binary key (56 bits actually used)

Sixteen rounds of same series of manipulations

Decryption uses same algorithm, keys in reverse

Fast and effective, but requires shared key, 56 bits is too small for modern
technology
AES (Advanced Encryption Standard) similar approach, longer keys
Cybersecurity
15
15
Thu 11/1/12
RSA: Public Key Encryption
RSA key creation:

Pick two large prime numbers: p and q

Compute n = p×q and m = (p-1)×(q-1)

Retrieving p and q, given n, would require computing n’s prime factors,
which is an intractable computational problem

Choose large number e at random, so that e and m are relatively prime
(no common factors except 1)

Find unique value d, between 0 and m, such that (e×d) modulo m = 1

Public key = (n, e), Private key = d
Cybersecurity
16
16
Thu 11/1/12
RSA Example
RSA key creation, example:

p = 7, q = 13

n = 7×13 = 91, and m = 6×12 = 72

Choose e = 77 (72 = 2 * 2 * 2 * 3 * 3, 77 = 7 * 11)

Choose d = 29 (29 and 72 are relatively prime)

Public key = (91, 25), Private key = 29
Cybersecurity
17
17
Thu 11/1/12
RSA Encryption (cont.)
RSA encryption:
Given public key (n, e)

Convert message to integer P

Calculate C = Pe modulo n
RSA decryption:
Given private key d

Calculate Cd modulo n
Cybersecurity
18
18
Thu 11/1/12
RSA Encryption (cont.)
RSA encryption, example:
Given public key (91, 25)

Convert message to integer P = 37

Calculate C = 3725 modulo 91 = 46
RSA decryption:
Given private key 29

Calculate 4629 modulo 91 = 37
Cybersecurity
19
19
Thu 11/1/12