Add to collection(s) Add to saved
  1. No category
Uploaded by Joseph George

Cyber Security Module 1 ans

advertisement 
Introduction to Cyber Security / Information Security
Module 1: Pre-requisites in Information and Network Security
Chapter 1: Overview of Networking Concepts
1.
2.
3.
4.
5.
6.
Basics of Communication Systems
Transmission Media
Topology and Types of Networks
TCP/IP Protocol Stacks
Wireless Networks
The Internet
Chapter 2: Information Security Concepts
1. Information Security Overview: Background and Current Scenario
2. Types of Attacks
3. Goals for Security
4. E-commerce Security
5. Computer Forensics
6. Steganography
Chapter 3: Security Threats and Vulnerabilities
1. Overview of Security threats
2. Weak / Strong Passwords and Password Cracking
3. Insecure Network connections
4. Malicious Code
5. Programming Bugs
6. Cyber crime and Cyber terrorism
7. Information Warfare and Surveillance
Chapter 4: Cryptography / Encryption
1. Introduction to Cryptography / Encryption
2. Digital Signatures
3. Public Key infrastructure
4. Applications of Cryptography
DES’s Fergusson College (Autonomous), Pune
Page 1
Chapter 1: Overview of Networking Concepts
Basics of Communication Systems:
Communication is simply the act of transferring information from one place, person or group to
another. This sharing of information can be local, i.e. face to face or remote communication.
The information which is exchanged among the users is called as data. Data Communication is
an exchange of data between two devices via some transmission medium such as wired cable.
Effectiveness of data communication depends upon three fundamental characteristics:
a. Delivery: The system must deliver data to the right destination. Data must be received by
the intended device and only by that device.
b. Accuracy: The data must be delivered accurately.
c. Timeliness: The data must be delivered in timely manner.
Every communication involves (at least) one sender, a message and a recipient. There are five
major components which are involved in communication, such as:
a. Message is the information to be communicated. It can consist of text, number, picture,
audio, video etc.
b. The Sender is the device that sends the data message. It can be computer, telephone
handset, cell phone and so on.
c. The Receiver is the device that receives the data message. It can be computer, telephone
handset, television and so on.
d. The Transmission Media is the physical path by which a message travels from sender to
receiver. It could be a twisted-pair wire, coaxial cable, fiber optic cable, radio waves.
e. A Protocol is a set of rules that governs data communication. It represents an agreement
between the communicating devices.
DES’s Fergusson College (Autonomous), Pune
Page 2
Data Communication System
During this communication, message which user wants to transmit, it has to be first converted
to bit format. i.e. sequence of bits. These bits will then transmit to the destination. Then
destination again converts it to the readable format.
Data Transmission:
Data transmission refers to the process of transferring data between two or more digital devices.
Data is transmitted from one device to another in analog or digital format. There are two types of
transmission:
a. Serial Transmission: In Serial Transmission, data-bit flows from one computer to another
computer in bi-direction. In this transmission one bit flows at one clock pulse. For e.g. USB,
modem
Serial Transmission
DES’s Fergusson College (Autonomous), Pune
Page 3
Serial communication can take many forms depending on the type of transmission mode and
data transfer. The transmission modes are classified as Simplex, Half Duplex, and Full
Duplex.
•
Simple Mode:
In simplex mode, the communication is unidirectional, as on one
way street. E.g.: Keyboards and traditional monitors.
•
Half-Duplex mode: In half-duplex mode each station can transmit and receive but
not at the same time. E.g.: walkie-talkies
•
Full-Duplex Mode: In full-duplex mode, both stations can transmit and receive
simultaneously. E.g.: telephone network, Video Calling
b. Parallel Transmission: In Parallel Transmission, many bits are flow together
simultaneously from one computer to another computer. Parallel Transmission is faster than
serial transmission to transmit the bits. For e.g. Printer, billing machines
Parallel Transmission
DES’s Fergusson College (Autonomous), Pune
Page 4
Computer Network:
Computer Network is a set of devices (often referred to as nodes) connected by communication
media. A node can be a computer or printer or any other device capable of sending and
receiving data. Most network use distributed processing, in which a task is divided among
multiple computers
Computer Network
To be considered effective and efficient, a network must meet a number of criteria. The most
important of these are performance, reliability, and security.
a. Performance: Can be measured by transit time and response time. Transit time is the
amount of time required for a message to travel from one device to another. Response
time is the elapsed time between an inquiry and a response.
b. Reliability: Is measured by the frequency of failures, the time it takes a link to recover
from failure and the network robustness in a catastrophe.
c. Security: This refers to the ability to protect data from unauthorized access.
There are different types of network connection, which helps the user to communicate over a
link.
a. Point to point link: Provides a dedicated links between two devices.
-
The entire capacity of the link is reserved.
-
Use an actual length of the wire or cable to connect the two ends.
DES’s Fergusson College (Autonomous), Pune
Page 5
b. Multipoint: More than two specific devices share the link or network
-
The channel capacity is shared
-
If several devices can use the link simultaneously, it is a specially shared connection.
-
If users must takes turns, it a timeshared connection.
Computer Network Topologies:
Geometric representation of how the computers are connected to each other is known as
topology.
There are four types of topology – Mesh, Star, Bus and Ring.
Network Topologies
a. Mesh Topology - The mesh topology incorporates a unique network design in which
each computer on the network connects to every other. This creates a point-to-point
connection between every device on the network
Mesh Topology
b. Star topology – all computers and devices are connected to a main hub or switch. The
hub or switch amasses and disburses the flow of data within the network. Star topology is
the most common type of network and follows the Ethernet standard.
DES’s Fergusson College (Autonomous), Pune
Page 6
Star Topology
c. Bus topology – In this arrangement computers and devices are connected to a single
linear cable called a trunk. The trunk is also referred to as the backbone or a segment.
Each end of the trunk must be discharged to prevent the signal from rebounding back up
the cable.
d. Ring topology – computers and devices are connected to a closed loop cable. Here there
are no terminating ends so if one system crashes the entire network goes down. Each
computer functions as a repeater and charges the signal before sending it to the next
station.
Ring Topology
DES’s Fergusson College (Autonomous), Pune
Page 7
Types of Networks:
A network is consist of group of computer systems, servers, networking devices are linked
together to share resources, including a printer or a file server. The connections are established
by using either cable media or wireless media.
a. LAN (Local Area Network)
-
A Local Area Network is a privately owned computer network covering a small
Networks geographical area, like a home, office, or groups of buildings e.g. a school
Network.
-
A LAN is used to connect the computers and other network devices so that the
devices can communicate with each other to share the resources.
-
For example, a library will have a wired or wireless LAN Network for users to
interconnect local networking devices e.g., printers and servers to connect to the
internet.
b. MAN (Metropolitan Area Networks)
-
MAN stands for Metropolitan Area Networks is one of a number of types of
networks. A MAN is a relatively new class of network.
-
MAN is larger than a local area network and as its name implies, covers the area of a
single city.
c. WAN (Wide Area Networks)
-
A wide area network (WAN) is a telecommunication network. A wide area network is
simply a LAN of LANs or Network of Networks.
-
WANs connect LANs that may be on opposite sides of a building, across the country
or around the world.
DES’s Fergusson College (Autonomous), Pune
Page 8
Internet
➢ Internet is a communication system which has brought wealth of information to our
fingertips.
➢ Internet has brought revolution in the many aspects of our daily lives.
➢ Most of our day to day work is now handed over to internet. For e.g.
▪
Sending a mail.
▪
Reading a news paper.
▪
Payment of utility bills.
▪
Making the reservation.
▪
Chatting.
▪
Getting information about specific topic.
➢ It is a collaboration of more than hundreds of thousands of wide and local area networks
and switching stations.
➢ Private individuals as well as various organizations use the Internet.
➢ Users who want Internet Connection use the services of ISPs. Internet Service Providers.
➢ There are,
▪
International Internet Service Providers
▪
National Internet Service Providers
▪
Regional Internet Service Providers
▪
Local Internet Service Providers
▪
World Wide Web (WWW)
DES’s Fergusson College (Autonomous), Pune
Page 9
Network Protocols
It is a set of rules that governs data communications. It defines,
- What is communicated?
- How it is communicated?
- When it is communicated
Key elements of the network protocol are,
- Syntax : Structure/ format of data –order in which it is presented
-
Semantics : meaning of each section of bits- how pattern to be interpreted – What
action to be taken
-
Timing: When data to be sent and how fast they can be sent
Network Standard
-
It is essential in creating and maintaining an open and competitive market for
equipment manufacturers and in guaranteeing national and international
interoperability of data and telecommunications technology and processes.
-
It provides guidelines to manufacturers, vendors, government agencies.
-
For e.g. : ISO - International Organization Of Standardization
Network OSI Model
➢ OSI stands for Open System Interconnection is a reference model that describes how
information from a software application in one computer moves through a physical
medium to the software application in another computer.
➢ OSI consists of seven layers, and each layer performs a particular network function.
1. Physical Layer
2. Data-Link Layer
3. Network Layer
4. Transport Layer
5. Session Layer
6. Presentation Layer
7. Application Layer
DES’s Fergusson College (Autonomous), Pune
Page 10
➢ OSI model divides the whole task into seven smaller and manageable tasks. Each layer is
assigned a particular task.
➢ Each layer is self-contained, so that task assigned to each layer can be performed
independently.
Functions of the OSI Layers
Network TCP/IP model:
The TCP/IP model was developed prior to the OSI model. The TCP/IP model is exactly similar
to the OSI model. The three topmost layers in the OSI model, however, are represented in
TCP/IP by a single layer called the application layer & their functionalities are performed by that
single layer only. The TCP/IP model consists of five layers: the application layer, transport layer,
network layer, data link layer and physical layer.
5
DES’s Fergusson College (Autonomous), Pune
Page 11
5
DES’s Fergusson College (Autonomous), Pune
Application
Page 12
Chapter 2: Information Security Concepts
Information Security Overview
Information system means to consider available countermeasures or controls stimulated through
uncovered vulnerabilities and identify an area where more work is needed.
Information security in today’s enterprise is a “well-informed sense of assurance that the information
risks and controls are in balance.”
Security is:
-
Freedom from risk or danger; safety.
Freedom from doubt, anxiety, or fear; confidence.
Something that gives or assures safety
The need for Information security:
1.
Protecting the functionality of the organization:
The decision maker in organizations must set policy and operates their organization in compliance
with the complex, shifting legislation, efficient and capable applications.
2.
Enabling the safe operation of applications:
The organization is under immense pressure to acquire and operates integrated, efficient and capable
applications. The modern organization needs to create an environment that safeguards application
using the organizations IT systems, particularly those application that serves as important elements
of the infrastructure of the organization.
3. Protecting the data that the organization collect and use:
Data in the organization can be in two forms that are either in rest or in motion, the motion of data
signifies that data is currently used or processed by the system. The values of the data motivated the
attackers to seal or corrupt the data. This is essential for the integrity and the values of the
organization’s data.
4.
Safeguarding technology assets in organizations:
The organization must add intrastate services based on the size and scope of the organization.
Organizational growth could lead to the need for public key infrastructure; the information security
mechanism used by the large organization is complex in comparison to a small organization. The
small organization generally prefers symmetric key encryption of data.
DES’s Fergusson College (Autonomous), Pune
Page 13
Goals for Information Security
The following are the key security goals
1. Prevention - Designed security should prevent attacker for violating the security policy.
2. Detection – Security should allow the detection of attacker’s violation of security policy and
information.
3. Recovery – Designed security should stop the attack, assess it and repairs the damage caused by
it if any. It also specifies that, providing security policy will allows the functionality of the system
even if the attack is succeeded.
Different Security Approaches:
Organization can take several approaches to implement its security model:
•
No security - Implement no security at all.
•
Security through obscurity - Nobody knows about its existence and contents.
•
Host security- Security is enforced individually for each host.
•
Network Security- focus is to control network access to various hosts & their services rather than
individual host.
Security Policies –
Security Policy defines what is, and what is not, allowed in the organization in terms of accessing the
information. Defined policies should have following characteristics:
•
Affordable - In the terms of cost & effort in security system, define policies should be affordable/
•
Functional – Policies should provide expected security mechanism of functionality.
•
Legal – Defined Policy should meet the legal requirements.
•
Cultural Issues – Policies should be according to people’s expectations, working style and belief.
DES’s Fergusson College (Autonomous), Pune
Page 14
Security Principles
There are basically 6 principles of security which needs to be followed.
1. Confidentiality
- It specifies that only the sender and the intended recipients should be able to access the
contents of a message.
-
Confidentiality gets compromised if an unauthorized person is able to access the message.
-
For example, in the Figure below user A sends a confidential message to user B, and if user C
gets access to this message, which is not, desired and defeats the confidentiality.
Figure: Loss of confidentiality
2. Authentication –
- It helps to establish the proof of identities.
-
This process ensures that the origin of message or document is correctly identified.
-
For example, in the figure below User C posed as user A, and transfers the message to B. And
B does not know about the same, this type of attack is known as Fabrication.
Figure: Absence of authentication
DES’s Fergusson College (Autonomous), Pune
Page 15
3. Integrity –
- When the contents of the message are changed after the sender sends it, but before it reaches
the intended recipient, we say that the integrity of the message is lost.
-
For example, in the figure below user C modifies the message of user A and makes changes
in it and then transfers it to user B. So modification of message leads to loss of integrity.
Figure: Loss of Integrity
4. Non- repudiation –
- There are situations when user sends a message and later on refuses that she had he/she had
sent that message.
-
In the figure below, user A repudiates or denies that the message is not sent from him.
-
Non- repudiation does not allow the sender of a message to refuse the claim of not sending
that message.
Figure: Establishing non-repudiation
DES’s Fergusson College (Autonomous), Pune
Page 16
5. Access Control –
- It determines who should be able to access what?
-
An access control mechanisms allows user to impose the restrictions on who can access what
content.
6. Availability –
• It states that resources should be available to all authorized users.
- For example, in figure below due to the intentional actions of an unauthorized user C, an
authorized user A may not be able to contact a server computer B.
- This would defeat the principle of availability. Such an attack is called as interruption.
Figure: Attack on availability
Attacks on Security
An attack tends to be an undesirable act which is in process that may cause cracking of a
message. It can also be termed as an action that compromises the security of information owned
by an organization.
Threat tends to be a promise of an attack to come or something that might make an attempt to
attack a system.
Information security is about how to prevent attacks, or to detect attacks on information-based
systems
Types of Attacks: A General View
From common user’s point of view, attacks can be classified into three categories.
1. Criminal Attack
2. Publicity Attack
3. Legal Attack
DES’s Fergusson College (Autonomous), Pune
Page 17
1. Criminal Attack: In such attacks, sole aim of the attacker is to maximize financial gain by
attacking computer system.
Type of criminal attacks
• Fraud – manipulation of e-money, credit cards, checks etc.
• Scams – People are enticed to send money in return of great profit.
• Destruction – Some sort of grudge is the motive behind such attack.
• Identity theft – attacker does not steal anything from the user, he becomes the
user.
• Intellectual property theft – stealing companies trade secrets , databases etc
• Brand theft - Fake website.
2. Publicity Attack: In such attacks, attacker wants to see their names appear on the television
news channels and newspapers. These attackers are not hardcore criminals. They are normal
people working in an organization or students in colleges.
3. Legal Attack: This type of attack is quite novel and unique. The aim of the attacker is to
exploit the weakness of the working of the computer system.
Types of Attacks: A General View
1. Passive Attacks: In passive attack, the attacker only monitors the traffic that attacks the
confidentiality of the data. Passive Attacks are in the nature of eavesdropping on or
monitoring of transmission. The goal of the opponent is to obtain information is being
transmitted. Passive attacks are categorized into two types.
DES’s Fergusson College (Autonomous), Pune
Page 18
•
The release of message content
When the information is released against the wish of the user, then that is considered
as the release of message content attack. In such attacks, attacker will not make any
changes in the contents but he will just publish the information without your
permission. Telephonic conversation, an electronic mail message or a transferred file
may contain sensitive or confidential information. We would like to prevent an
opponent from learning the contents of these transmissions.
•
Traffic analysis –
In such attacks, attacker will not do anything with your information. Even he will not
capture it but he will just keep an eye on the network which you are using for
transferring the information. Attacker will analyze the information which you are
transferring through that network. Such attempt of analyzing message to come up
with likely patterns is the work of the traffic analysis attack.
2. Active Attacks: An Active attack attempts to alter system resources or effect their
operations. Active attack involves some modification of the data stream or creation of false
statement. Types of active attacks are as following:
•
Masquerade –
This attack is also referred as Interruption attack. Masquerade attack takes place when
one entity pretends to be different entity. A Masquerade attack involves one of the
other forms of active attacks.
•
Modification of messages –
It means that some portion of a message is altered or that message is delayed or
reordered to produce an unauthorized effect.
•
Denial of Service –
It prevents legitimate user from accessing some services, which they are eligible for.
For e.g unauthorized user sends too many request to the server in a succession, so as
to flood the network and deny other legitimate users from using the network facilities.
E-Commerce Security
Ecommerce entails buying/selling of products over the internet and has gain popularity in the
recent years. Security is an essential part of any transaction that takes place over the internet.
Customer will lose his/her faith in e-business if its security is compromised.
Following are the essential requirements for safe ecommerce website:
DES’s Fergusson College (Autonomous), Pune
Page 19
1. Choose a secure ecommerce platform: Choose a strongly typed higher level language for
the development. If open source tools/libraries are used then ensure that the frameworks
does not create security holes in your application
2. Use a secure connection for online checkout--and make sure you are PCI compliant:
Always use HTTPs protocol for all important transactions.
3. Don't store sensitive data: As part of the website, there is no need to store sensitive
information like CVV number and other credit card information
4. Set up system alerts for suspicious activity: Build a system that alerts when an undesired
event happens in the system. Multiple requests from the same IP for long periods of time
can indicate malicious intent
5. Layer your security: Defence in depth is absolutely needed in ecommerce domain.
Security features like multiple passwords and OTP helps in reducing the risk of hacking
6. Provide security training to employees: If the employees understand the importance of
security then human error can be avoided
7. Patch your systems: New security loop holes are discovered on a daily basis. If the
system is not up to date then risk of getting hacked increases exponentially
8. Make sure you have a Distributed Denial of Service (DDoS) protection and mitigation
service: Have a mitigation strategy against network denial of service attack and block IPs
that are sending lot of request to the system
9. Disaster recovery plan: Plan for unlikely failure of your system. In case of system failure
ensure that sensitive data is not lost or corrupted by the system
Computer Forensics:
-
-
Computer forensics is a branch of digital forensic science pertaining to evidence found in
computers and digital storage media.
Computer forensic is used in
a. Criminal prosecution
b. Insurance companies
c. Law enforcement
The goal of computer forensics is to examine digital media in a forensically sound manner
with the aim of identifying, preserving, recovering, analyzing and presenting facts and
opinions about the digital information.
At a high level following are the guidelines used to process the evidence in computer forensic:
1. Shut down the computer. Considerations must be given to volatile information. Prevents
remote access to machine and destruction of evidence (manual or ant-forensic software)
2. Document the Hardware Configuration of the System. Note everything about the
computer configuration prior to re-locating
3. Transport the Computer System to A Secure Location. Do not leave the computer
unattended unless it is locked in a secure location
DES’s Fergusson College (Autonomous), Pune
Page 20
4. Make Bit Stream Backups of Hard Disks and Floppy Disks
5. Mathematically Authenticate Data on All Storage Devices. Must be able to prove that
you did not alter any of the evidence after the computer came into your possession
6. Document the System Date and Time
7. Make a List of Key Search Words
8. Evaluate the Windows Swap File
9. Evaluate File Slack. File slack is a data storage area of which most computer users are
unaware; a source of significant security leakage.
10. Evaluate Unallocated Space (Erased Files)
11. Search Files, File Slack and Unallocated Space for Key Words
12. Document File Names, Dates and Times
Steganography:
•
•
•
•
Steganography is the art and science of writing hidden messages in such a way that no
one apart from the intended recipient knows of the existence of the message.
This can be achieving by concealing the existence of information within seemingly
harmless carriers or cover Carrier: text, image, video, audio, etc.
Steganography can be used to conceal almost any type of digital content, including text,
image, video or audio content; the data to be hidden can be hidden inside almost any
other type of digital content.
The content to be concealed through steganography -- called hidden text -- is often
encrypted before being incorporated into the innocuous-seeming cover text file or data
stream.
DES’s Fergusson College (Autonomous), Pune
Page 21
Chapter 3: Security Threats and Vulnerabilities
•
Overview of Security - Now the world is all about Mobiles, laptops, internet. The role we play on
internet is
–
–
–
–
•
➢
o
As user of the system
As a vendor / service provider of any system
Either we perform transactions
Access network resources, data
• Sensitive data
• Business data
• Intellectual property
What all we need to protect?
Our asset - in terms of
People:
▪ Employees or Customers
▪ Secure their personal data
o Property
▪ Computers, infrastructure
o Information
▪ Data, software product, critical company records
➢ Our ability to use our computers (denial of service attacks)
➢ Our reputation with the general public
•
Whom to protect from?
➢ Major sources of danger can be caused by Humans
o By running malicious code
o Carrying infected media (laptops) in from off site
➢ Purpose
o Damage the data
o To disrupt the operation
o Unavailability of service
o Defame someone
DES’s Fergusson College (Autonomous), Pune
Page 22
Some Important Security terms –
1. Vulnerability
• It refers to the security flaws in a system which can be exploited to allow an attack
• These flaws can treated as gaps/ weakness in the security program which can provide
exposure to attack.
• This weakness can be found in hardware, software or process that exposes a system to
compromise
• Hardware: Allowing USB port / wi –fi connection
• Software: Interface given for third party integration
• Process: unsecure gateway for online transactions
2. Threat:
• A threat is what we’re trying to protect against.
• Threat is anything or anyone that can exploit a vulnerability,
– intentionally or accidentally,
– obtain, damage, or destroy an asset.
E.g. data stored on social media sites , Threat : misuse of uploaded photos
• Threat source: Enemy with motivation to defame some one
• Vulnerability: availability of data online
Types of Threat:
➢ Unauthorized Access
o
o
Accessing information or systems, without permission or rights to do so.
How to take care?
o Ensure you have a properly configured firewall, up to date
▪ malware prevention software
▪ All software has the latest security updates.
o Encryption information where appropriate
o Use strong passwords
o Be alert and verify all requests for sensitive information
o Ensure network is secure
o Monitor for unusual network behavior
➢ Malware:
o A collective term for malicious software, such as viruses, worms and trojans.
o Designed to break into the systems or information for criminal, commercial or
destructive purposes.
o How to take care?
o Ensure configured firewall, up to date malware prevention software
o Do not click links or open attachments in emails from unknown senders
o Do not visit un-trusted websites or install dubious software.
DES’s Fergusson College (Autonomous), Pune
Page 23
➢ Cyber Espionage
o The act of spying through the use of computers.
o Involves the covert access (not through proper channel) or ‘hacking’
o Spying on company or government networks to obtain sensitive information.
o How to take care?
o Be alert and verify all requests for sensitive information
o Ensure network is secure
o Monitor for unusual network behavior
➢ Data Leakage:
o The intentional or accidental loss, theft or exposure of sensitive company or
personal information.
o How to take care?
o Ensure all sensitive information stored on removable storage media,
mobile devices or laptops is encrypted
o Be mindful of what you post online e.g. revealing company next
project
o check email recipients before pressing send
o Never email company’s sensitive information to personal email
accounts.
➢ Mobile Devices
o The malicious attack / unauthorized access on mobile devices to get in
information stored on them
o These attacks can be performed wirelessly or through physical possession.
o How to take care?
o Avoid connecting to insecure, un-trusted public wireless networks
o Keep Bluetooth in ‘undiscoverable’ mode.
o Keep devices with you at all times
o Use strong passwords\
➢ Social Engineering:
o Taking out sensitive information by tricking and manipulating others
o either company info or personal info
o This can be done through phone, email, online or in-person
o While casual chat, employee of rival company may take out company’s next
strategies
o E.g. Sometimes helpdesk people may ask username and password
o How to take care?
o Verify all requests for sensitive information, no matter how legitimate
(genuine) they may seem
DES’s Fergusson College (Autonomous), Pune
Page 24
o Never share your passwords with anyone – not even the helpdesk.
o Never share sensitive info, if in doubt, Report if suspected
➢ Insiders:
o An employee or worker with malicious intent to steal sensitive company
information.
o He can commit fraud or cause damage to company systems or information.
o How to take care?
o Ensure access to sensitive information is restricted to only those that
need it
o Revoke access when no longer required.
o Report all suspicious activity or workers immediately.
➢ Phishing:
o
o
o
o
A form of social engineering
It involves sending of legitimate looking emails aimed at fraudulently
extracting sensitive information from recipients usually to gain access to
systems or for identity theft.
e.g. Emails like “You have won lottery”.
How to take care?
o Look out for emails containing unexpected or unsolicited requests
for sensitive information.
o Look out for contextually relevant emails from unknown senders.
o Never reply to such mails.
➢ System Compromise:
o A system that has been attacked earlier is often used for attacking other
systems.
o How to take care?
o Ensure vulnerable holes are tightly closed.
o Ensure systems are hardened and configured securely,
o Regularly scan them for vulnerabilities
➢ Denial of Service:
o An intentional or unintentional attack on a system or on information
o Resulting system unavailable and inaccessible to authorized users.
o E.g. Etoys vs Etoy cyber war
o How to take care?
o Securely configure and harden all networks and network equipment
against known DoS attacks.
o Monitor networks through log reviews
o Use intrusion detection or prevention systems.
DES’s Fergusson College (Autonomous), Pune
Page 25
➢ Identity Theft:
o The theft of an unknowing individual’s personal information.
o This info will be used to commit a crime, usually for financial gain.
o E.g. Filing for online - tax refund on someone else's behalf
o http://www.irs.gov/uac/Examples-of-Identity-Theft-Schemes-Fiscal-Year2013
o How to take care
o Never provide personal information to un-trusted individuals or
websites.
o Ensure personal information is protected when stored and securely
disposed of when no longer needed.
Passwords:
•
•
•
•
•
Usernames and password combinations are the most common means of providing access
to information.
A username identifies you as a unique individual,
Password is then used to prove your identity.
A password is a set of secret characters or words utilized to gain access.
If passwords are not set properly, then there is threat of losing information or misusing it.
Weak password:
• A weak password is easy to detect both by humans and by computer.
• Do NOT use:
– Your username or family members name
– Birthdays or other personal information such as addresses or phone numbers
– A set of characters in alphabetic or numeric order (ex. Abcdef, 123456), in a row
on a keyboard
– Words that can be found in a dictionary
Strong password:
• An effective password that would be difficult to break.
• For a password to be strong and hard to break, it should:
– Contain 8 or more characters
– Contain letters, numerals (0-9), Symbols (@ # $ etc)
– Be significantly different from prior passwords
General Instructions related to Passwords:
• Try to change your password(s) every 6 months.
• Make sure no one is watching you when you type password.
• Ask anyone around you to kindly look away.
DES’s Fergusson College (Autonomous), Pune
Page 26
Password Cracking:
• Attackers use this technique to break into someone account.
• Password cracking software uses one of three approaches
– intelligent guessing (about Personal info)
– dictionary attacks
– automation that tries every possible combination of characters
• Given enough time, the automated method can crack any password.
• However, it still can take months to crack a strong password.
Insecure Network connections:
1. Using Bluetooth & Unsecure Wi-Fi
2. Wi-fi
3. Unsecured web site content
– Digital Certificates associated with web contents
1. Unsecure Wi – fi
• Case1: Leaving your home wireless network unsecured
– Your neighbor will download contents
– They can also download illegal contents like music, movies or child
pornography, anything.
– They can also access your personal data like your tax documents, financial
records, online banking information, credit card numbers, emails, usernames
and passwords
• Case2: Using Public Unsecured Networks or Hotspots e.f. wi-fi in coffee shop, MG
Road
– Everyone know they are available for public use, even criminal too
– Criminals will watch the online traffic looking for valuable information such
as credit card numbers, usernames and passwords, or online banking
information
2. Unsecure Web contents
DES’s Fergusson College (Autonomous), Pune
Page 27
Malicious code /Software:
•
•
•
•
Known as Malware i.e. malicious software
Designed to break into the systems or information for criminal, commercial or
destructive purposes.
Attackers use this software
– to disrupt computer operation
– gather sensitive information,
– gain access to private computer network
– To spy on network traffic
Types of Malicious code
– Viruses
– Worms
– Trojans
– Spyware
– Botnet
– Zombie
What is a computer virus?
•
•
•
•
Virus is a program written to alter the way a computer operates, without the
permission or knowledge of the user.
A virus replicates and executes itself, usually doing damage to your computer in the
process.
It’s estimated that the Conficker virus infected more than 10 million computers in
2009.
Tens of thousands of computer viruses now operate over the Internet, and new
computer viruses are discovered every day.
How does a computer virus find me?
DES’s Fergusson College (Autonomous), Pune
Page 28
•
•
•
•
•
Sharing music, files or photos with other users
(songs.PK)
Visiting an infected Web site
Opening spam email or an email attachment
Downloading free games, toolbars, media players and other system utilities
Installing mainstream software applications without fully reading license agreements
What does a computer virus do?
• Can erase data
• Encrypt files
• Delete directory structures
• Prohibit us from using our own machine , set up
• Send files stored on our machine to contacts in our address book
• replicate themselves or flood a network with traffic
• making it impossible to perform any internet activity
Virus Types - Parasitic Viruses:
– Also called as File Infector Virus
– This attaches itself to a file in order to propagate (to multiply)
– Adds itself to start of the file or end of the file
– COM and EXE files are common targeted file
– Since these get loaded directly into the memory and execution always
starts at the first instruction.
Virus Type - Browser Hijacker:
–
Spread itself in numerous ways
o including voluntary download
– Effectively hijacks certain browser functions and re-directs the user automatically
to particular sites.
– E.g. CoolWebSearch
Virus Type - Macro Virus:
– Many programs provide support for macros e.g. Microsoft Excel, Outlook
– Macros are special action programs implemented in macro programming language.
– Unfortunately this facility opens door for virus to be hidden in normally genuine
looking documents.
– E.g. Melissa
o a Word document supposedly containing the passwords to pornographic
websites
o The virus also exploited Word’s link to Microsoft Outlook in order
to automatically email copies of itself.
DES’s Fergusson College (Autonomous), Pune
Page 29
Virus Type – E-Mail Viruses:
– It’s a computer code sent to you as an e-mail note attachment
– Opening the attachment will
o destroying certain files on hard disk
o Re-email the attachment to everyone in your address book
– How to protect??
o Don't open messages from unknown senders
o Immediately delete messages you suspect to be spam
o Install antivirus which will scan email attachments
How to know you are infected by Virus?
• Your computer may be infected if you recognize any of these malware symptoms
– Slow computer performance
– Erratic (unreliable) computer behavior
– Unexplained data loss
– Frequent computer crashes
How to protect computer from Virus?
• Install best security software on your computer
• Use antivirus protection and a firewall
• Install antispyware software
• Keep your antivirus protection and antispyware software up-to-date
• Update operating system regularly
• Increase browser security settings
• Avoid questionable Web sites
• Download software from trusted sites.
• Carefully evaluate free software and file-sharing applications before downloading
them.
What is computer Worm?
•
•
A standalone program that replicates itself in order to spread malicious code
Worms normally
– spread across network,
– exploiting vulnerabilities (OS specific, network specific)
– Installs a backdoor to allow creation of Zombie
Virus
DES’s Fergusson College (Autonomous), Pune
Worm
Page 30
Virus are dependent, need existing file to
get attached to.
Worms are separate entity.
It does not need to attach it self to
any existing file
Viruses almost always corrupt or modify
files on a targeted computer
Worms will spread themselves to
consume bandwidth
Worm interfere with the normal use of computer or
network
Difference between Worms and Virus:
Examples:
1. Morris Worm:
• Released via Internet on November 2, 1988
• Intention was not cause damage, but to gauge the size of the Internet.
• Mistake in code
– Code written was checking if there is already running version of the program
• If yes, don’t copy the version
• Else copy program
– Problem was though answer was yes, program was getting copied.
– This level of replication was excessive and resulted into network down. The U.S.
Government Accountability Office put the cost of the damage at $100,000–
10,000,000 for this
2.
Stuxnet :
• Discovered in June 2010, believed to have been created by the United States and Israel
• Purpose: To attack Iran's nuclear facilities
• Worm initially spread via Microsoft Windows and targets Siemens industrial control
systems
• Different variants of Stuxnet targeted five Iranian organizations.
• Worm has not caused any damage to its customers.
• But successfully damaged Siemens equipment procured by Iran.
How they are spread?
•
Most known computer worms are spread in one of the following ways:
•
Files sent as email attachments
Via a link to a web or FTP resource
Via a link sent in an ICQ (I Seek You) or IRC (Internet Relay chat) chat message
Via P2P (peer-to-peer) file sharing networks
Some worms are spread as network packets.
o They enter the computer memory, and then gets activated.
•
•
•
•
3.
Email Worms
DES’s Fergusson College (Autonomous), Pune
Page 31
•
•
•
•
•
•
•
•
Spread thru email attachment, links in the message
Instant Messaging Worms
Spread thru instant messaging application, sending links to infected site
Internet Worms
Nasty ones, will try to get network down
Scan available network resources or internet for vulnerable machines
If found, try to connect and gain full access
Send data packets or requests to install the worm or worm downloader
How to stay safe from computer worms?
• Because worms spread by exploiting vulnerabilities in operating systems, apply regular
OS security updates.
• Install Anti-spyware, Firewall or Anti Virus software.
• Keep virus information up-to-date .
• Be cautious while opening unexpected mail, attachment, visiting web sites.
What is a Trojan?
•
•
•
•
•
•
•
•
•
It is malicious, security-breaking program that is disguised as something benign
(genuine)
Perform actions that have not been authorized by the user.
Trojans are not able to self-replicate.
It can come to your machine in form like movie or music file
Trojan will get activated on clicking the file
Damage it can do
Erases your disk,
sends your credit card numbers and passwords to a stranger
Allows stranger hijack your computer to commit illegal denial of service attacks
Trojan Types
1. Backdoor:
• This program gives malicious user remote access to the infected machine
• User can do any operation like
– Sending, receiving, launching and deleting files, displaying data and rebooting the
computer
• Backdoor Trojans are often used to unite a group of victim computers, which can be used
for Criminal purposes.
2. Rootkit:
• Rootkits are designed to conceal certain objects or activities in your system.
• Main purpose: is to prevent malicious programs being detected.
DES’s Fergusson College (Autonomous), Pune
Page 32
• This helps to extend the period in which programs can run on an infected compute
3. Banker:
• They will steal your account data for online banking systems, e-payment systems and
credit or debit cards.
4. DoS:
• Conduct DoS (Denial of Service) attacks against a targeted web address.
• Will send multiple requests – from your computer and several other infected computers
How to protect yourself against Trojans?
• Install effective anti-malware software
• NEVER download blindly from people or sites which you aren't 100% sure about
• Be sure what the file is before opening it
• Beware of hidden file extensions
• Don't download an executable program just to "check it out"
Programming Bugs:
These are programming related bugs – which open system to vulnerabilities.
• During program execution, certain task needs privileges of “administrator” account,
1. access should be grant only for that task
2. Remove access on task completion.
• Giving access to un-trusted user
1. Create temp user account
2. Give minimum access to perform necessary task
3. Ensure, program doesn’t give any kind of unwanted access to the user, which he
can exploit further.
How to handle Programming Bugs?
• Design system carefully.
• Listing different users and their access rights who will be accessing the system.
• In case of third party integration, ensure the user gets only minimum access which is
enough to perform given tasks.
Cyber Crime:
•
•
Computer crime or Cyber crime refers to any crime that involves a computer and
a network.
– The computer may have been used in the commission of a crime, or it may be the
target.
“ These are offences that are committed against individuals or groups of individuals
– with a criminal motive to intentionally harm the reputation of the victim or
– cause physical or mental harm to the victim directly or indirectly,
DES’s Fergusson College (Autonomous), Pune
Page 33
–
•
using modern telecommunication networks such as Internet (Chat rooms, emails,
notice boards and groups) and mobile phones (SMS/MMS)"
Cybercrime ranges across activities.
– Fundamental breaches of personal or corporate privacy , identity theft.
– transaction-based crimes such as fraud, trafficking in child pornography,
digital piracy, money laundering, and counterfeiting
– Deliberately altering data for either profit or political objectives.
– Attempts to disrupt the actual workings of the Internet - spam, hacking, and denial
of service attacks, cyber terrorism.
Cyber Crime: Spam:
• Spam is the unwanted sending of bulk email for commercial purpose, such as products
and services advertisement.
• It comprises roughly 50 percent of the e-mail.
• Spam is a crime since it wastes both the storage and network capacities.
• Spam is nearly free for perpetrators
– A cost is same for sending 10 messages as well for 10 million.
How does a spam work?
• Spammer gets secret control of numerous infected machines connected to internet.
– Such machines are known as zombie computers.
• This network can be activated to flood the Internet with spam or to institute DoS attacks.
• While Spam will be still ok but DoS can be used to blackmail Web sites by threatening to
shut them down.
Cyber Crime: Fraud:
• Computer fraud is any dishonest misrepresentation of fact intended to let another to do or
refrain from doing something which causes loss.
• Altering in an unauthorized way.
• Altering, destroying, suppressing, or stealing output, usually to conceal unauthorized
transactions: this is difficult to detect;
• Altering or deleting stored data;
• Altering or misusing existing system tools or software packages, or altering or writing
code for fraudulent purposes. E.g. Malware code
• Crimes coming under fraud are bank fraud, identity theft, extortion, and theft of classified
information.
Cyber Crime: Identity Theft:
• Major problem for people using the Internet for cash transactions and banking services.
• A criminal accesses data about a person’s bank account, credit cards, Social Security,
debit card and other sensitive information to siphon money or to buy things online in the
victim’s name.
DES’s Fergusson College (Autonomous), Pune
Page 34
•
•
•
•
•
It can result in major financial losses for the victim and even spoil the victim’s credit
history.
Theft is anything which is taken without permission.
This crime occurs when a person violates copyrights and downloads music, movies,
games and software.
There are even peer sharing websites which encourage software piracy and many of these
websites are now being targeted by the FBI.
Today, the justice system is addressing this cyber crime and there are laws that prevent
people from illegal downloading.
Cyber Crime: Hacking:
• This is a crime wherein a person’s computer is broken into so that his personal or
sensitive information can be accessed.
– In the US, hacking is classified as a felony and punishable as such.
• This is different from ethical hacking
• In hacking, the criminal uses a variety of software to enter a person’s computer and the
person may not be aware that his computer is being accessed from a remote location.
• Most hackers have not been criminals but young people driven by intellectual curiosity.
• Hacking costs the world economy billions of dollars annually.
• Hacking is not always an outside job.
• Hacking is old-fashioned industrial espionage by other means.
• The largest known case of computer hacking was a spyware called GostNet discovered in
late March 2009 by University of Toronto.
– (Dalai Lama case)
– compromised systems embassies and foreign affairs bureaus
Cyber Crime: Cyber Stalking
• Cyberstalking is the use of the Internet or other electronic means to stalk or harass an
individual, a group of individuals, or an organization.
• It may include the making of false accusations or statements of fact (as in defamation),
monitoring, making threats, identity theft, damage to data or equipment, the solicitation
of minors for sex, or gathering information that may be used to harass.
• False accusations
• Attempts to gather information about the victim.
• Monitoring their target's online activities and attempting to trace their IP address in an
effort to gather more information about their victims.
• Encouraging others to harass the victim.
• False victimization.
• Attacks on data and equipment.
• Ordering goods and services.
• Arranging to meet.
DES’s Fergusson College (Autonomous), Pune
Page 35
•
Cyberstalking is a form of cyberbullying
Cyber Crime: Cyber bullying
• Cyberbullying is being cruel to others by sending or posting harmful material using a cell
phone or the internet
• Cyberbullying is referred as cyberstalking or cyberharassment when perpetrated by adults
toward adults.
Cyber Terrorism:
• Cyber terrorism focuses upon the use of the Internet by non-state actors to affect a
nation’s economic and technological infrastructure.
• Cyber terrorist attack is designed to cause physical violence or extreme financial harm.
• Possible cyber terrorist targets include the banking industry, military installations, power
plants, air traffic control centers, and water systems.
• How dangerous could these cyber attacks be?
• There can be three levels of cyber terror capability :
• Simple-Unstructured
• Advanced-Structured
• Complex-Coordinated
• Cyber terrorism is possibly one of the top 10 events to "end the human race“.
Cyber Terrorism: Methods of Protection
• The only way to completely secure a system is to fully isolated from any outside
connection.
OR
• Create unique passwords that are difficult to guess for all accounts that you use.
• Use security software.
• Check with vendors for upgrades and patches for your security software.
• If you’re unsure about a website/email, don’t access it. Better safe than sorry.
• Use sandboxing software. A free option is Sandboxie.
Information Warfare:
• Information Warfare is about WEALTH.
• Information Warfare is about POWER.
• Information Warfare is about FEAR.
• Information Warfare is about POLITICS.
• Information Warfare is about SURVIVAL.
• Information – Data and Knowledge.
• Information Infrastructures – Display, Store, Process, Transmit
• Information-based Processes – Obtain, Exchange
DES’s Fergusson College (Autonomous), Pune
Page 36
Surveillance:
• Computer and network surveillance is the monitoring of computer activity, of data stored
on a hard drive, or being transferred over computer networks such as the Internet.
• It is very useful to governments and law enforcement to maintain social control,
recognize and monitor threats, and prevent/investigate criminal activity.
DES’s Fergusson College (Autonomous), Pune
Page 37
Chapter 4: Cryptography
Modern Nature of attack:
• Automating attacks: the speed and concurrent working of computer attacks makes a
serious issue.
• Privacy concern: for different applications various companies collect loads of data
which could be easily misused.
• Distance does not matter: money is in digital form and can be moved from any place to
other.
Plain text:
• Any communication language that we speak takes the form of plain text.
Plain text can be understood by anyone knowing the language.
Cipher text:
• If you don’t want anyone to read your plain text simply code it to some other form.
When a plain text message is codified using any suitable scheme, the resulting message
is called cipher text.
Encryption:
• Encryption is the process of encoding plain text messages into cipher text is called as
encryption.
Decryption:
• It is the reverse process of transforming cipher text messages back to plain text
message is called decryption.
DES’s Fergusson College (Autonomous), Pune
Page 38
Process:
•
To encrypt the plain text, sender performs encryption i.e. it applies the encryption
algorithm.
•
To decrypt the encrypted message the receiver performs decryption i.e. applies
decryption algorithm.
•
Both the encryption and decryption algorithms must be same otherwise it could not
retrieve the original message.
•
Every encryption and decryption process has two aspects : a) algorithm b) key used for
the process.
•
Example:
o If we had a combinational lock, we would need to remember the key, that is the
combination, to open the lock
▪
say a number 871.
o The fact that it is combination lock and how to open it (algorithm) is known to
everyone. However the actual value of the key required to open the specific lock
(871) is a secret.
DES’s Fergusson College (Autonomous), Pune
Page 39
Cryptography: It is the art and science of achieving security by encoding messages to
make them non readable.
Cryptanalysis: It is the technique of decoding message from non-readable format to
readable format without knowing how they initially converted from readable to non readable
format.
Cryptology: It is the combination of cryptography and cryptanalysis.
DES’s Fergusson College (Autonomous), Pune
Page 40
Types of Cryptography Algorithm
Cryptography algorithms are divided into two types,
1. Symmetric key Cryptography:
o Same key for encryption as well as decryption.
o Separate lock and key pairs should be used for each of the recipient.
▪ That is if A sends message to B as well as C, then A must have two different
locks and their keys.
o It means that if there are n no of persons involved, then the number of key lock pairs
would be pairs = n * (n-1) /2
o So when no. of persons involved go on increasing the keeping track of each key lock
pair becomes difficult.
▪
o The problem of key exchange is important issue.
▪ How will the sender convey the key to the receiver?
▪ If the key is not conveyed receiver can’t open (decrypt) the message.
▪
DES’s Fergusson College (Autonomous), Pune
Page 41
2. Asymmetric key Cryptography:
•
•
Asymmetric key cryptography involves the usage of one key for encryption and another
different key for decryption.
Here for each lock there are two different but related keys are used,
o one for locking and other for unlocking.
o Since 2 separate keys are required, the name is asymmetric key cryptography.
Example : A want to send message to B
•
•
•
•
•
First thing A will do is ask B for the key to lock the message. Both the keys
are with B currently.
Then B hands over the key (k1) to A. A will use this key to lock the message
and then send message to B.
Since message is locked no one can read it. (apart from B)
If somebody tries to steal the key k1, they can only lock another message.
No one other than B can read the message.
Asymmetric key Cryptography: Public Key
•
•
•
•
So anybody who wants to have secure message from others will send the lock
and key to that person and will request to use this key only.
The important point is that when the sender changes, no need not create
another pair of lock and key, you can still use the same lock and key for
everyone.
Rather these keys and locks are made available for general public
The key k1 which is used to lock the message is called public key.
DES’s Fergusson College (Autonomous), Pune
Page 42
Asymmetric key Cryptography: (Private Key)
•
•
•
•
So even though 1000 people want to send message to B, they can use the same
lock and the public key distributed by B.
Only B can read the message sent to him as the key to open the lock is not
shared with anybody and it is only with B, this key is called as private key.
Public keys are shared with everybody and used to lock the message while
sending,
Private keys are kept secret and not shared with anybody and used to unlock
the message.
Comparing Symmetric Key with Asymmetric Key
Symmetric Key
Asymmetric Key
Work wise
The same algorithm with the same key is
used for encryption and decryption
Same algorithm is used for encryption and
decryption with a pair of keys , one for
encryption and one for decryption
The sender and receiver must share the
algorithm and the key
Both the sender and receiver must have one of
the matched pair of keys. (not the same)
Speed of encryption/ decryption is very fast
Comparatively slower
Size of cipher is almost equal to plain text
Size of cipher is much more than original text
Exchange of keys is big problem
Key exchange is no problem at all
No of keys required as compared to
participant is moreEg if 1000 participants are
there then the keys to be produced are 499500
No of keys to participant ratio is always 1 i.e for
1000 participant we require 1000 keys pairs
(public-private)
Used for encryption, decryption
Encryption, decryption, digital certificate
(integrity, non repudiation)
DES’s Fergusson College (Autonomous), Pune
Page 43
Symmetric Key
Asymmetric Key
Security wise
The key must be kept secret.
Only One of the two keys must be kept
secret.
Knowledge of the algorithm plus sample of
cipher text are not sufficient to determine the
key
Knowledge of the algorithm plus one
of the key plus sample of cipher text
are not sufficient to determine the
other key.
DES’s Fergusson College (Autonomous), Pune
Page 44
Digital Signature:
•
•
•
A digital signature serves the same purpose as a handwritten signature.
Digital signature is an electronic signature that can be used to authenticate the identity of the
sender of a message possibly to ensure that the original content of the message that has been
sent is unchanged.
Unlike a handwritten signature, a digital signature is nearly impossible to counterfeit.
Requirements of a digital signature
•
•
•
•
•
It must be a bit pattern that depends upon the message being signed.
It must use some information unique to the sender, to prevent forgery and denial.
It must be relatively easy to produce the digital signature.
It must be practical to retain a copy of digital signature in storage.
It must be computationally infeasible to forge a digital signature.
When public key is used for encryption in digital signature?
• Only private key can decrypt the message.
• The private key is only with one intended user.
• So this mechanism is used only for securing the message content ( no one else can reveal the
contents)
When private key is used for encryption in digital signature?
• Only public key can decrypt the message.
• The public key may be shared with multiple users.
• So this mechanism is used neither for security nor for
DES’s Fergusson College (Autonomous), Pune
Page 45
Then what it is used for?
•
•
•
•
•
•
•
•
•
•
•
To let the world view your message.
There are various things, like your resume, your visiting cards, your invitation card, movie
tickets you have purchased online etc. which must be confirmed before using that they are
from Authorised user.
When any one can open (unlock) message by using public key it means it must be locked by
only your private key, that’s the proof. It is original.
If anyone makes an attempt to change the invitation card (which is impossible, since you
only posses the private key), then the user can not open it with your public key.
This is the concept of authentication.
Apart from encryption that is hiding the message details from rest of the world; public key
cryptography is even used for authentication.
Authentication means identifying and proving the sender.
Example:
o A bank manager gets a request to reset the password for Priya’s saving account. How
will the manager verify that the mail was sent by Priya herself?
o So what the manager will do is simply check the digital signature associated with the
mail sent by Priya.
A digital signature enables the creator of a message to attach a code that acts as a signature.
So when a recipient gets such a message, he/she gets the assurance proof that the message is
from the alleged sender.
And this achieves the purpose of non – repudiation (sender can not refuse about sending of
the message)
DES’s Fergusson College (Autonomous), Pune
Page 46
Characteristics of Digital Signature:
•
•
•
•
•
The Signature is authentic
The signature is unforgeable
The signature is not reusable
The signed document is unalterable
The signature cannot be repudiated
Public key infrastructure: (Digital Certificate)
•
•
•
•
•
•
•
•
•
•
In certain situations, for instance when:
- Trust needs to be established in unknown servers, such as an electronic banking
service
- Large organisations need their employees to be able to communicate securely
- Or you are downloading a particular software
How to trust someone (person or entity) whom you have never seen or you do not recognise?
PKI is a model where the establishment of trust is outsourced.
Public Key Infrastructure, (PKI), essential services
o for managing digital certificates
o Providing encryption keys for people, programs and systems.
Public key infrastructure supports security mechanisms such as confidentiality, integrity,
authentication, and non-repudiation.
o However, to successfully implement these security mechanisms, you must carefully
plan an infrastructure to manage them.
A public key infrastructure (PKI) is a foundation on which other applications, system, and
network security components are built.
The PKI service is based on the concept of digital certificate.
A certificate is a digital document (i.e. a formatted computer file) that binds a public key to a
person, application, or service.
Like passport helps in establishing our identity, a digital certificate establishes relationship
between a user and his public key.
It’s a proof that a particular public key belongs to particular user.
Who signs the digital certificate in PKI?
•
•
The digital certificates are signed by trusted third party(TTP) ( often recruited by
government agencies).
These certificates state user’s credentials (e.g. name, e-mail address, etc.) and their public
key and are digitally signed by the TTP.
DES’s Fergusson College (Autonomous), Pune
Page 47
•
TTPs are called Certificate Authority (CA)
Why we trust digital certificate?
•
•
•
As you don’t know the unknown web server, or software, so some trusted third party(TTP)
takes the responsibility to specify that it comes from the authentic site only.
As the third party signs the digital certificate with their private key, it can not be changed by
anybody else.
We have the public key of CA with which we can unlock it.
How to create digital certificate?
• You or your organisation is ready with your web site, so you want a digital certificate for the
user.
• You need to contact a third party entity called RA (registration authority)
• RA will register you, if needed may generate the public and private key for you, and if you
already have the key pair then it will validate it.
• RA will also go through verification process of your credentials.
How to create digital certificate?...
• After this RA passes all the information to the CA
• CA will create a digital certificate after doing his own verification.
• CA sends the digital certificate to the user and retains one copy for record.
• He also maintains a certificate directory.
What are the fields of certificate?
Field
Description
Serial No
Contains a unique no. given to certificate
Algorithm
Identifies the algorithm used by CA
Issuer
Name of CA
Validity
Contains 2 dates (not before and not after)
Subject
Name of user / organisation to whom the certificate is issued
DES’s Fergusson College (Autonomous), Pune
Page 48
Public key
Subject’s public key and related information; This can never be blank
Certificate hierarchy
•
•
•
•
•
•
Now, change of scenario.
Instead of building trust with certificate holder, user should build trust with CA who
authorised the certificate.
How to build trust?
By verify the signature on a certificate against the CA’s public key .
But how could user obtain the CA’s public key? Or what if the certificate is signed by CA
from other country whom user never heard about?
That why a hierarchy of CA is maintained.
Certificate Authority Hierarchy
•
•
•
•
•
Also called chain of trust
Each hierarchy begins with a root CA.
This Root CA expresses trust in Intermediate CAs by signing their certificates. In turn, the
intermediate CAs issue certificates to end users.
How the Root CA can be trusted? It is self signed.
Root CA certificates are included in every modern browsers and operating systems.
DES’s Fergusson College (Autonomous), Pune
Page 49
•
So every browser takes care about the digital certificate and if it finds invalid, it will inform
you.
Cross certification
•
•
•
If two users are living in two different countries then their CA ‘s might be different then a
cross-certificate is issued, it extends the trust relationship of a CA.
A relying entity, for example, may desire to validate the public key certificate of an end
entity whose signing CA’s public key it is not aware of. Assuming that the relying entity
trusts its own CA, when it sees a cross-certificate signed by that CA, it will also trust that
other CA, and subsequent certificates signed by it.
The net effect of cross certification is to allow many PKI deployments to be both extensible
and scalable.
Certificate Revocation
•
•
•
•
CA can a revoke a certificate. There might be various issues like :
The holder complains that his private key is stolen
CA finds that there is mistake while issuing it
Holder leaves the organisation so this certificate is not for him.
Services of PKI:
o
o
o
o
o
o
Registration
Certification
Key recovery
Key generation
Cross verification
Revocation
DES’s Fergusson College (Autonomous), Pune
Page 50
Applications of Cryptography:
1. Tamperproof hardware: (Authentication based)
•
•
•
2.
To store the private key of the user, you cannot use hard disk or anything on the network.
In such cases special cryptographic hardware such as smart cards may be used to hold the
user’s private key.
The private key never leaves the cryptographic hardware.
One time password: (Authentication based)
•
•
Password generators use cryptography to generate session passwords (called one-timepassword, or OTP) that can be recognized by the verifying party as valid and cannot be
guessed by an attacker.
Internally such a token has a clock whose value is hashed and encrypted using a key
shared with the verifying party. The verifying party has a clock that is synchronized with
the token’s clock.
3) Device Encryption:
•
•
Device encryption (sometimes also referred to as endpoint encryption) is the practice of
encrypting the data stored on a device.
The intention is to stop unauthorized people accessing the data. Device encryption
applies to all sorts of devices:
o Mobile devices such as PDAs or smart phones
o Laptop hard drives
o USB fl ash drives
o Portable hard drives
o Workstation or server hard drives
4) Security
•
•
•
•
•
•
•
Apart from private and organisational data security cryptography is used for :
Secure file copying
Secure backup of remote servers
Setting up secure network
Non- repudiation
Data Integration
Other Application
o Bank cards and credit cards at automated teller machines
DES’s Fergusson College (Autonomous), Pune
Page 51
•
o Home banking, e-commerce
o Credit card transactions over the internet
o Mobile communication
Electronic purses (smart cards)
DES’s Fergusson College (Autonomous), Pune
Page 52
Assessment Section
Sr. No.
Question
1
Effectiveness of data communication depends upon three fundamental characteristics (Delivery, Accuracy, Timeliness)
2
Every communication involves (at least) one sender, a message and a recipient.
3
A Protocol is a set of rules that governs data communication. It represents an
agreement between the communicating devices.
4
Data transmission
True
refers to the process of transferring data between two or more digital
devices.
5
In Serial Transmission, data-bit flows from one computer to
another computer in bi-direction. True
6
Serial Transmission is faster than Parallel transmission to transmit the bits.
7
Transmission modes are classified as
8
A Network is a set of devices (often referred to as nodes) connected by communication
media True
9
Geometric representation of how the computers are connected to each other is known as
topology .
10
LAN, MAN, WAN
False
Simplex, Half duplex, Full duplex
are different types of networks.
LAN
11
covers the geographical area, like a home, office, or groups of buildings
e.g. a school Network.
12
MAN stands for
13
A wide area network is simply a LAN of LANs or Network of Networks.
14
are the key elements of Protocols Syntax, Semantics, Timing
The Transmission Media is the physical path by which a message travels from sender to
receiver. (T/F) True
15
16
17
Metropolitan Area Network
True
An attack tends to be an undesirable act which is in process that may cause cracking of
a message. (T/F) True
are the principals of Security.
confidentiality, authentication, integrity, non-repudiation, access control, availability
DES’s Fergusson College (Autonomous), Pune
Page 53
18
19
Integrity
Threat
tends to be a promise of an attack to come or something that might make
an attempt to attack a system.
Attack 2. Publicity Attack
are different types of attacks. 1.1. Criminal
Passive 2. Active
20
21
means data cannot be edited in an unauthorized way.
Virus
3. Legal Attack
Piece of program that attaches itself to another legal program.
Steganography
22
is the art and science of writing hidden messages in such a way that no one
apart from the intended recipient knows of the existence of the message.
23
Computer forensics is a branch of digital forensic science pertaining to evidence found
in computers and digital storage media. (T/F) True
Passive
24
attack, the attacker only monitors the traffic that attacks the
confidentiality of the data.
25
An Active attack attempts to alter system resources or effect their operations.
26
Vulnerability
True
refers to the security flaws in a system which can be exploited to
allow an attack
27
Accessing information or systems, without permission or rights is called as
28
The intentional or accidental loss, theft or exposure of sensitive company or personal
information. Data leakage
29
30
Unauthorized access
Phishing
involves sending of legitimate looking emails aimed at fraudulently
extracting sensitive information from recipients
An intentional or unintentional attack on a system or on information which results in
system unavailable and inaccessible to authorized users is called as
Denial of service
31
Malware is designed to break into the systems or information for criminal, commercial
or destructive purposes.
DES’s Fergusson College (Autonomous), Pune
Page 54
33
34
Virus
is a program written to alter the way a computer operates, without the
permission or knowledge of the user.
A standalone program that replicates itself in order to spread malicious code is called as
Computer worm
35
Viruses almost always corrupt or modify files on a targeted computer.
36
Worms will spread themselves to consume bandwidth
37
Worms are separate entity. It need to attach itself to any existing file .
38
Virus are dependent, does not need existing file to get attached to.
39
Encryption
True
True
False
False
is the process of encoding plain text messages into cipher text is
called as encryption
Decryption
40
is the reverse process of transforming cipher text messages back to
plain text message is called decryption.
41
Cryptography
is the art and science of achieving security by encoding messages to
make them non readable.
Cryptanalysis
42
isthe technique of decoding message from non-readable format to
readable format without knowing how they initially converted from readable to non
readable format.
43
Combination of cryptography and cryptanalysis is called as
44
In
data.
45
Asymmetric key
In
decryption of data.
Symmetric key
Cryptology
_.
Cryptography same key is used for encryption and decryption of
Cryptography different keys are used for encryption and
DES’s Fergusson College (Autonomous), Pune
Page 55
46
In Symmetric key cryptography the same algorithm with the same key is used for
encryption and decryption. True
Digital signature
47
is an electronic signature that can be used to authenticate the
identity of the sender of a message
48
Digital Signature is not reusable.
49
Digitally signed document is unalterable
50
Public key infrastructure supports security mechanisms such as confidentiality,
integrity, authentication, and non-repudiation. True
51
Substitution
In
_ crptography technique the characters of a plain text are
replaced by other characters, number or symbols.
52
In Transposition
performed.
True
True
crptography technique some permutations on the characters are
DES’s Fergusson College (Autonomous), Pune
Page 56
Related documents
application1
application1
homework-02
homework-02
1. Which of the following refers to coding and... data protection against unauthorized access where the same key is...
1. Which of the following refers to coding and... data protection against unauthorized access where the same key is...
A
A
CIS 5371 Cryptography Home Assignment 6
CIS 5371 Cryptography Home Assignment 6
2012
2012
Download
advertisement