Cryptography Flashcards
Security Attacks-
Weaknesses (vulnerabilities) in a system. Need patches, fixes.
Vulnerability is a threat that can be hacked(stolen, changed, compromised) and needs to be controlled.
Compromises security of data of organization:
Vulnerability- weaknesses in computer system, no updated system.→
Threat- loss or harm to computer→
Control- preventative measure
Classification of attack-
Passive Attacks (Wireshark)- capturing data, copy- illegal in some countries- mostly, if it's thrown in the air and you capture it, not your fault
Active Attacks- illegal
Security threat types?
Interruption- attack on availability- DoS, DDoS attack- interruption of web services
-deliberately unavailable
Interception-attack on confidentiality-decipher with brute force- cipher text to plain text
e.g illegal eavesdropping, wireless packet sniffing.
Modification-an attack on integrity - modify
tampering a resource
Fabrication-an attack on authenticity- e.g imposter sent email- counterfeiting
fake message, record to a file
Passive Attack
protocol analyzer
Nature: eavesdrop, monitoring
Goal: capture data
Two-types of Passive Attack
If readable- Non-encrypted data.Message content
If non-readable(encrypted):
Traffic Analysis- can’t read information, can observe pattern
source IP, destination IP, type of content, frequency and length of communication.
Four Type of active Attacks-
Masquerade- one entity pretending to be another entity.
- extra privileges
- authentication sequences are captured and replayed
Replay- passive capture of data and subsequent transmission
Modification of Message- altered message
Denial of Services- services disturb.
prevents normal use of communication facilities
Three types of cryptography algorithms?
- Symmetric encryption
- Public key cryptography(asymmetric)
- Hash functions for security
-Symmetric Encryption model
Sender(plaintext)→ encrypt algorithm with a shared secret key e.g DES → transmitted ciphertext → decryption algorithm with secret key→ plaintext output
-called symmetric encryption as it is the same secret key.
E.g alphabetic substitution.
- scramble the data.
- Asymmetric has two different beings.
Maintain integrity- encryption
Symmetric Encryption uses which mechanism
Uses substitution & permutation.
- substitution boxes- S-boxes, look up table for the part of the message block.
- can also be expanded e.g 6 bits to 8 bits with S-boxes
Permutation
- reorder the bits itself
- P-box
- e.g- 1st bit→7th bit 2nd bit→12 bit
Advanced Encryption Standard(AES)
Symmetric e.g your email into an array.
keep transforming it in n transformation rounds depending on no of bits.
first→initial permutation
next→keep substitution.
byte substitution
next rows are shifted.
next columns are mixed, XOR operation
add roundkey
last substitution n-1 transformation
AES 128 strongest encryption standard 32 bytes longest key length.
SECURITY PROPERTIES OF SYMMETRIC ENCRYPTION
- AES works on message blocks: 128 bits, 4*4 bytes, and converts them into encrypted blocks
- different types of block chaining
- most common is cipher block chaining
- start with an initialization vector and combine each encrypted block with the next encrypted block. Final block will be the encrypted block.
- CBC-cipher block chaining
- MAC- message authentication
check integrity of message by CBC-MAC
Symmetric Cryptography and disadvantages-
how can asymmetric cryptography help?
single key/secret/private/one key.
shared b/w sender and receiver.
unintentionally or intentionally, compromise the key.
efficient- 128 bits, 192, 256 bits, much faster than asymmetric
Disadvantages-
How to distribute the key?
- key distribution- secure channel such as a VPN or key distribution system e.g. Kerberos.
- scalability- n(n-1)/2 number of keys required.
- non-repudiation- someone else can say they didn't send the message
Public Key Cryptography (helps with deficiencies of symmetric cryptography)
- “Non-secret encryption”
- two keys public key and private key
- public key can be given to anyone, public domain. publish public keys of the parties
- private key- secure.
- pass message through RSA asymmetric encryption
- public key is input→cipher message to Bryan.
- Bryan can decrypt with his private key.
- or if you want everyone to see, you encrypt with private key and can use public key published to decrypt, to ensure it is not tampered with.
- key size is 2048 bit minimum max 4096 bit and more
- secret session key. takes a bit time
- Asymmetric since parties are not equals.
- clever application of number theory
-complements rather than replace symmetric key cryptography helps to exchange
- symmetric key.
- protocols RSA and Diffie-Hellman Key Exchange.
- large random numbers, “hard” mathematical problem. large prime numbers.
- private key can't be derived from public without solving
Asymmetric Encryption
Bob wants to send Alice a message
Plaintext→ Bob uses Alice’s public key to encrypt the plaintext→ciphertext is decrypted with Alice’s private key→plaintext
public key- encrypt
private key- to decrypt
Key Establishment with Public Key Cryptography
- Alice and Bob both replace their public keys and keep their respective private keys.
- key derivation using both keys for each person
- Shared secret (symmetric key)
Diffie-Hellman
Digital signatures/authenticity
Alice has public key and private key
Bob gets Alice’s public key
Alice sends plaintext by signing message with private key.
Digital signature is obtained by finding the hash function and encrypting hash function with Alice’s private key.
message- hash function- hash code- encrypted with RSA encryption with private key- to get signature
If message is authentic, signature will match the message. data integrity is maintained
Bob- gets message and signature- decrypts with public key- receives the hash code.
now Bob takes message and passes it into hash function to get hash code
if both hash code matches, the message is authentic.
OTHER uses of public key crypto
electronic cash
non-repudiation protocols(email)
electronic voting
multi-party key agreement
Calculations
Mathematical background: Prime Numbers
divisible with 1 and itself
Factorization - time consuming
multiplying is easier rather than factorization.
RSA Algorithm
Steps-
- select two large random prime numbers, p, q
- N= p*q
- calculate Euler’s Totient-
Euler’s totient- number of primes in range of p*q.
→Select public key an integer e
such that 1
Symmetric Cryptography - RSA properties
developed by Rivest, Shamir, Adleman, 1977
Private key d, public key e
- good selection random numbers
- pseudo random key numbers
- cryptography attacks happen when numbers aren’t random enough
Cryptographic hash functions-
check for integrity of data
hash function maps input arbitrary length to a fixed length output.
pass message(variable length) →through a hash function →(fixed length )output
cryptographic hash functions are infeasible to invert, like a fingerprint. Use a key and hash function for fixed output→ can't be recreated.
used in digital signatures, storing and comparing password, authentication codes.
Ideal cryptographic hash functions-
- hash value for message- fast and low resources.
- every hash is unique(no collision)
- message integrity is checked.
- hash for similar messages should not be correlated(small change in messages→ large change in hash)
- infeasible to find collision
Examples of Hash function-
MD5- was widely used, not secure. Sometimes used for integrity protection
SHA1 is better- but attacking it is much easier than brute force. not recommended for digital signatures.
Recommendations- SHA-256, SHA-384 and SHA-512
What is Access Control -
who has access to which resources?- what access
after authentication.
How to authenticate user- who has access
Password Problems→
Stolen through phishing/malware
Reused password
Stored password
Weak
Difficult to remember/ reset processes
Check who has logged in: system calls, i.e. checked user id to authenticate at kernel level. Next, access control will be applied for files/data needed
How NOT to store a pass:
- Clear text
- As a HASH value- can brute force attack, rainbow
Better way to store a pass:
-Use a SALTED hash.
if User enters id and pass, password →hash→ encrypt with salted value(random key)→ salted hash.
UNIX does it 23 times
→pass commonly used to authenticate
→multi-factor authentication popular
Type of biometrics
Biometrics→
fingerprint / iris- strong authentication.
fingerprint
retina scan
iris scan recognition
face recognition
signature- insufficient
hand geometry- if hand is “bad” not reliable
voice analysis- may not work sometimes
- high usability
- not a secret but cant be revoked/replaced
Hardware Token:
separate way of authentication
device/additional security.
even with authentication, can still be vulnerable for an attack
Authentication for Transactions-
TAN(transaction authentication number)
SMS TAN can show info on transaction.
TAN generator reads barcode and generates TAN linked to transaction.
Like OTP(one time password)
E.g my.monash has Okta
Access Control on O.S Level
Once authenticated, goes to access control
→ distinguish users, groups and users.(read,write,etc)
Controls access to files, ports, devices,etc
User authentication(pass, MFA,biometrics,etc)
Allocate processes to users.
Basic File Permission(Linux)
- Read,Write,Execute
- Can be defined for owner,group,all users.
Chmod oga(command)
4 read, 2 write, 1 execute
o(owner) - 7
group - 4
others- 0
ownership takes precedence and can restore and permission.
group- sales,marketing
all users-
Access Control on Application Level→
object-level access control.
User can see this and configure
Often complex security policies (organisation)
Can fine-grain access too
Social networks- rules on who can see, copy,forward,search what data.
Access Control in Enterprise Applications→
(Cloud-based all users) - E.g.→Database server
can enforce protection properties
can be role-based (not just user-based)
Authentication for Access Control on Applications
ticket or token-based(for user) access control
central server (Microsoft Active Directory) checks authenticity, issues tickets.
ticket has identity info and can also restrict capabilities.
e.g. Kerberos, AD.
Kerberos client requests a ticket for a Kerberos service → will go to Kerberos authentication server 1. Authentication Service (AS) 2. Ticket Granting Service (TGT) → get ticket → goes to client and client produces the ticket to identify which service he wants access to → sent to TGT, which looks at previous ticket, authenticates and sees service → client gets TGT → presented to Kerberos service and implements TGT
SSO? Adv, Disadv?
SSO-
single sign-on (SSO)
AD, Kerberos.
instead authenticate multiple apps with only one set of login credentials e.g. Google, my.monash.
Adv-
eliminates re-authentication
streamlines local and remote application and desktop workflow
- improves productivity
- minimizes phishing- tells you authentication has failed, etc.
- provides detailed user access reporting
- SSO ideal for okta OTP usually used with MFA, smartcards.
- log in once and access many services
- convenient high usability
Disadv-
- not suitable for guaranteed access
- single point of failure, needs secure implementation and high level of control
Goal of Access Control
- Limit damage by users
- privilege escalation- objective of hacker
- how can access control go wrong
What can go wrong in access control?
weaknesses in software, interface, protocols
physical attacks
connect devices (USB), can't communicate w/ external devices
social engineering- manipulating people for log in information.
Additional security mechanisms-
Hard disk encryption
Virus protection - only half protected even with anti-virus software
Backups
Security updates
Trusted computing