Basic Security Techniques - PowerPoint PPT Presentation

Slides: 78
Provided by: tinaas1

Transcript and Presenter's Notes

Title: Basic Security Techniques


1
Basic Security Techniques
2
Steps of Attacks
  • Discovering the key elements of the network
  • Scanning for vulnerabilities
  • Hacking the system to gain root or administrator
    privileges.
  • Disabling auditing and removing traces from log
    files
  • Stealing files, modifying data, and stealing
    source code or other valuable information
  • Installing back doors and Trojan horses that
    permit undetectable reentry
  • Returning at will to inflict more damage

3
Types of attack
  • Denial of Service (DoS) attack
  • Input validation attack
  • Intercepted transmissions
  • Malicious code: viruses, worms, and Trojan horses
  • Malicious mobile code

4
Denial of Service (DoS) attack
  • Overwhelm a victim's site with seemingly
    legitimate communications
  • Disrupting service is easier than gaining illegal access
  • Bandwidth consumption attacks
  • Resource consumption attacks

5
DoS attacks
  • IP fragmentation
  • Sends packets with incorrect header information
    that causes computers to hang, crash or perform
    slowly
  • DNS spoofing
  • Modify DNS table and reroute the traffic from the
    actual Web site to fraudulent site

6
DoS attacks
  • Ping of death
  • Send large ping messages to online computers
  • Smurf attack
  • Send broadcast ping messages to cause a mass
    response
  • SYN flood
  • Leave the victim waiting for the response to its SYN/ACK
  • Buffer overflows
  • Overwrite the buffer and cause the execution of the
    hacker's code.

7
Ping Flooding
Attacking System(s)
Victim System
SOURCE PETER SHIPLEY
8
Three-Way Handshake
1. Send SYN, seq = x
2. Send SYN, seq = y, ACK x+1
3. Send ACK y+1
SOURCE: PETER SHIPLEY
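
Added example (not part of the original slides): a defender-side check for the SYN flood condition described above, counting handshakes that saw step 1 (SYN) but never step 3 (final ACK). The packet tuple layout, the timeout and threshold values, and the sample capture are assumptions constructed for illustration.

```python
from collections import Counter

def half_open_by_target(packets, now, timeout=3.0):
    """Count handshakes per (dst, dport) that saw a client SYN but no final
    ACK within `timeout` seconds. packets: (ts, src, sport, dst, dport, flags)."""
    pending = {}
    for ts, src, sport, dst, dport, flags in packets:
        key = (src, sport, dst, dport)
        if flags == "S":
            pending.setdefault(key, ts)   # step 1; a retransmit keeps the first time
        elif flags == "A" and key in pending:
            del pending[key]              # step 3: handshake completed
        elif flags == "R":
            pending.pop(key, None)        # reset: no longer half-open
        # "SA" (step 2) travels server -> client, so its key never matches
    stale = Counter()
    for (_src, _sport, dst, dport), ts in pending.items():
        if now - ts >= timeout:
            stale[(dst, dport)] += 1
    return stale

def syn_flood_alerts(packets, now, timeout=3.0, threshold=5):
    """Targets whose count of stale half-open handshakes reaches the threshold."""
    counts = half_open_by_target(packets, now, timeout)
    return sorted(t for t, c in counts.items() if c >= threshold)

def sample_packets():
    """Constructed capture using documentation address ranges."""
    web = ("192.0.2.10", 80)
    pkts = [
        (0.0, "198.51.100.7", 40001, *web, "S"),    # normal client, step 1
        (0.1, *web, "198.51.100.7", 40001, "SA"),   # server, step 2
        (0.2, "198.51.100.7", 40001, *web, "A"),    # normal client, step 3
    ]
    # Eight SYNs from spoofed sources that never send the final ACK
    pkts += [(1.0 + i / 10, "203.0.113.%d" % (i + 1), 50000 + i, *web, "S")
             for i in range(8)]
    pkts.append((1.5, "198.51.100.9", 40002, "192.0.2.20", 443, "S"))  # one slow client
    return pkts

if __name__ == "__main__":
    print(syn_flood_alerts(sample_packets(), now=10.0))
```
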
9
SYN FLOOD
ICMP echo (spoofed source address of victim), sent to IP broadcast address
ICMP echo reply
ICMP = Internet Control Message Protocol
[Figure labels: INTERNET, PERPETRATOR, VICTIM, INNOCENT REFLECTOR SITES]
BANDWIDTH MULTIPLICATION: A T1 (1.54 Mbps) can easily yield 100 Mbps of attack
SOURCE: CISCO
10
Exploiting System Bugs
  • Buffer overflows
  • Program allocates 255 bytes for input.
  • Hacker sends 500 bytes.

11
Input validation attack
  • Types invalid data directly into the browser's
    address line
  • Get a password file (cat /etc/password) by typing
  • abc.com/cgi-bin/catalog.cgi?product=%0Acat%20/etc/password
  • View an ASP script by typing abc.com/catalog.asp.
    or abc.com/catalog.asp%2easp
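
Added example (not part of the original slides): server-side allow-list validation of the `product` parameter from the request above, with a common weak check beside the corrected one. The ID format, function names and sample queries are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

PRODUCT_ID = re.compile(r"[A-Za-z0-9_-]{1,32}")   # assumed product ID format

def naive_check(value):
    """Weak: "$" also matches just before a trailing newline."""
    return re.match(r"^[A-Za-z0-9_-]{1,32}$", value) is not None

def product_from_query(query):
    """Return the validated product ID or raise ValueError."""
    params = parse_qs(query, keep_blank_values=True, strict_parsing=True)
    values = params.get("product", [])
    if len(values) != 1:
        raise ValueError("expected exactly one product parameter")
    value = values[0]          # already percent-decoded: %0A -> "\n", %20 -> " "
    if not PRODUCT_ID.fullmatch(value):   # whole string must match the allow-list
        raise ValueError("rejected product value %r" % value)
    return value

# Constructed sample queries; the second is the request from the slide.
SAMPLE_QUERIES = [
    "product=widget-42",
    "product=%0Acat%20/etc/password",
    "product=widget%0A",
    "product=a&product=b",
    "product=",
]

def classify(queries):
    """Map each raw query string to 'accepted' or 'rejected'."""
    result = {}
    for q in queries:
        try:
            product_from_query(q)
            result[q] = "accepted"
        except ValueError:
            result[q] = "rejected"
    return result

if __name__ == "__main__":
    for query, verdict in classify(SAMPLE_QUERIES).items():
        print(verdict, query)
```
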

12
Intercepted transmissions
  • A computer can run in promiscuous mode to monitor
    all the packets on their networks
  • Use Sniffer Pro from Network Associates (nai.com)
    to record the network traffic in a log file

13
Malicious code: viruses, worms, and Trojan horses
  • Viruses: a piece of code that inserts itself into
    a host to propagate. Propagation mechanism and
    payload
  • Worms: a worm propagates between systems through
    a network
  • Macro viruses and macro worms
  • Triggered when opening and/or saving a file containing
    virus code written as a macro
  • Trojan horses: a program that contains a hidden
    function. NetBus, hidden in the game Whack-A-Mole,
    remotely controls the victim's computer

14
Viral Phenomena
  • Invented 1985
  • More than 36,500 known viruses (NY Times,
    6/10/99)
  • More than in nature
  • 10-15 new viruses per day
  • 35 are destructive (up from 10 in 1993)
  • Virus attacks per computer doubles every two
    years
  • Written mostly by men 14-24
  • India, New Zealand, Australia, U.S.
  • Symantec employs 45 people full-time, spread over
    24 hours, to detect and neutralize viruses

15
Malicious mobile code
  • Mobile code downloaded from server and executed
    at user's machine
  • ActiveX controls
  • Java applets

16
Basic Security Techniques
  • Antivirus
  • Firewalls
  • Intrusion detection system
  • Cryptography
  • Identification techniques

17
Antivirus software
  • DR Solomon's
  • http://www.drsolomon.com/home/home.cfm
  • Network Associates (McAfee) Online
  • http://www.mcafee.com
  • Norton's antivirus
  • http://www.symantec.com/product/
  • Windows antivirus Shareware Utilities
  • http://winfiles.cnet.com/apps/98/antivirus.html

18
Firewalls
  • http://csrc.nist.gov/publications/nistpubs/800-10/node30.html
  • Control access to or from a protected network
  • implements a network access policy by forcing
    connections to pass through the firewall, where
    they can be examined and evaluated.
  • usually located at a higher-level gateway, such
    as a site's connection to the Internet.

19
Benefits
  • Protection from Vulnerable Services
  • Controlled Access to Site Systems
  • Concentrated Security
  • Enhanced Privacy
  • Logging and Statistics on Network Use, Misuse
  • Policy Enforcement

20
Problems
  • Restricted Access to Desirable Services
  • Large Potential for Back Doors
  • Little Protection from Insider Attacks
  • No virus protection
  • Bottleneck of throughput
  • All eggs in a single basket

21
Intrusion Detection System (IDS)
  • The goal of intrusion detection is to monitor
    network assets to detect anomalous behavior and
    misuse.
  • Network Intrusion Detection (NID)
  • Host-based Intrusion Detection (HID)
  • Hybrid Intrusion Detection
  • Network-Node Intrusion Detection (NNID)
  • http://www.securityfocus.com/infocus/1514

22
Network Intrusion Detection (NID)
  • Act as "packet-sniffers," network intrusion
    detection devices intercept packets traveling
    along TCP/IP.
  • Compare the packet to a signature database
    consisting of known attacks and malicious packet
    "fingerprints"
  • Look for anomalous packet activity that might
    indicate malicious behavior

23
Host-based Intrusion Detection (HID)
  • Designed to monitor, detect, and respond to user
    and system activity and attacks on a given host.
  • Offer audit policy management and centralization
  • Supply data forensics, statistical analysis and
    evidentiary support
  • Best suited to combat internal threats

24
Network-Node Intrusion Detection (NNID)
  • With NNID, the "packet-sniffer" is positioned in
    such a way that it captures packets after they
    reach their final target, the destination host.
    The packet is then analyzed just as if it were
    traveling along the network through a
    conventional "packet-sniffer."

25
IDS Players
  • Cisco
  • Internet Security Systems (ISS)
  • Symantec
  • Enterasys

26
Cryptography
  • Symmetric cryptosystems
  • Public-key cryptosystems
  • Integrity check-values (message digest)
  • Digital Certificate
  • Digital Signature

27
Symmetric Cryptography
28
Symmetric Cryptography
  • The same key is used for encryption and
    decryption
  • Operates as block cipher (fixed size) or stream
    cipher (arbitrary size, byte by byte)
  • Fast encryption and decryption
  • Require secure key distribution

29
Role of the Key in Cryptography
  • The key is a parameter to an encryption procedure
  • Procedure stays the same, but produces different
    results based on a given key

NOTE: THIS METHOD IS NOT USED IN ANY REAL
CRYPTOGRAPHY SYSTEM. IT IS AN EXAMPLE INTENDED
ONLY TO ILLUSTRATE THE USE OF KEYS.
30
Symmetric key algorithms
  • DES (Data Encryption Standard): 64-bit block
    cipher with 56-bit key
  • Triple-DES: used by the financial industry
  • AES (Advanced Encryption Standard)
  • SKIPJACK: used in the Clipper chip (Gov.)
  • IDEA (International Data Encryption Algorithm):
    Ascom-Tech, Switzerland; used by PGP
  • RC2, RC4, RC5: by RSA

31
Data Encryption Standard (DES)
  • Symmetric, key-based encryption-decryption
    standard. No public keys
  • Block cipher operates on 64-bit blocks
  • Uses 56-bit key
  • 16 rounds -- key for each round is a 48-bit
    function of the original 56-bit key. Each key
    bit participates in an average of 14 rounds
  • Completely symmetric. Same algorithm decrypts.
  • Fast implementation in hardware: 1 gigabit/second

32
(No Transcript)
33
(No Transcript)
34
Information Loss with Exclusive-OR
  • $x \oplus y = 1$ if either x or y is 1 but not both
  • If $x \oplus y = 1$ we can't tell which one is a 1
  • Can't trace backwards to determine values

35
Cryptographic strength
  • The secrecy of the key
  • The difficulty of guessing the key
  • The difficulty of inverting the encryption
    algorithm without knowing the key
  • The existence of back doors
  • The ability to decrypt an entire message if a
    portion of it is known.
  • Cryptographic strength can almost never be
    proven; it can only be disproved
  • Most encryption algorithms have fundamental flaws
    that make them unsuitable for serious use

36
Attacks on Symmetric Encryption
  • Key search (brute force attacks)
  • Cryptanalysis
  • Systems-based attacks

37
Key Search Attack
  • There is no way to defend against key search
    attack
  • Brute force key search attacks are not efficient
  • 40-bit key: 3.5 hours; 128-bit key: $10^{13}$ years
    with the use of 1 billion computers
  • May be simpler because most users pick keys based
    on small passwords with printable characters

38
Cracking Symmetric Encryption
ESTIMATED TIME TO CRACK KNOWN SYMMETRIC
ENCRYPTION ALGORITHMS
(40-bit symmetric key 384-bit PKE key)
39
Cryptanalysis
  • Most encryption algorithms can be defeated by the
    combination of math and computer power

40
Integrity check value
41
System-based Attacks
  • Attack the system not the algorithm
  • Monitor the random number generator used by
    Netscape Navigator for SSL.

42
Message Authentication Code
43
Public Key Cryptosystems
  • A pair of related keys: private key (kept secret)
    and public key (publicly known). They are related, but
    it is not feasible to determine the private key
    by knowing the public key
  • Two ways of use: encryption mode (make sure the
    right person receives the message) and authentication
    mode (make sure the message is from the right person)
  • Solves the key distribution problem

44
Public-Key (Asymmetric) Encryption
1. USERS WANT TO SEND PLAINTEXT TO
RECIPIENT WEBSITE
2. SENDERS USE SITE'S PUBLIC KEY FOR
ENCRYPTION
3. SITE USES ITS PRIVATE KEY FOR DECRYPTION
4. ONLY WEBSITE CAN DECRYPT THE
CIPHERTEXT. NO ONE ELSE KNOWS HOW
SOURCE: STEIN, WEB SECURITY
45
(No Transcript)
46
(No Transcript)
47
RSA
  • RSA is a public-key cryptosystem for both
    encryption and authentication
  • Invented in 1977 by Ron Rivest, Adi Shamir, and
    Leonard Adleman (RSA)
  • RSA is the most widely used public-key
    cryptosystem today and has often been called a de
    facto standard.

48
The key pair of RSA
  • Take two large primes, $p$ and $q$, and find their
    product $n = pq$. Choose a number, $e$, less than $n$
    and relatively prime to $(p-1)(q-1)$, and find its
    inverse, $d$, mod $(p-1)(q-1)$, which means that
    $ed \bmod (p-1)(q-1) = 1$; $e$ and $d$ are called the
    public and private exponents, respectively.
  • The public key is the pair $(n, e)$; the private key
    is $(n, d)$. The factors $p$ and $q$ must be kept
    secret, or destroyed.
  • $p = 29$, $q = 37$, $n = 1073$, $(p-1)(q-1) = 1008$
  • $e = 25$, $d = 121$, $(25 \times 121) \bmod 1008 = 1$

49
Multiplicative Inverses Over Finite Fields
  • The inverse $e^{-1}$ of a number $e$ satisfies
    $e^{-1} \cdot e = 1$
  • The inverse of 5 is 1/5
  • If we only allow numbers from 0 to n-1 (mod n),
    then for special values of n, each e has a unique
    inverse

50
Rivest-Shamir-Adleman (RSA)
  • It is easy to multiply two numbers but apparently
    hard to factor a number into a product of two
    others.
  • Given $p$, $q$, it is easy to compute $n = p \times q$
  • Example: $p = 5453089$, $q = 3918067$
  • Easy to find $n = 21365568058963$
  • Given $n$, hard to find two numbers $p$, $q$ with
    $p \times q = n$
  • Now suppose $n = 7859112349338149$. What are $p$
    and $q$ such that $p \times q = n$?
  • Multiplication is a one-way function
  • RSA exploits this fact in public-key encryption

51
The Encryption and Decryption with RSA
  • Message M
  • Encryption with public key $(n, e)$: $M' = M^e \bmod n$
  • Decryption with private key $(n, d)$:
  • $M'^d \bmod n = (M^e)^d \bmod n = M \bmod n$
  • It is difficult to find an integer $x$ so that
  • $A^x \bmod B = C$
  • http://www.princeton.edu/matalive/VirtualClassroom/v0.1/html/lab1/lab1_8.html
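
Added example (not part of the original slides): textbook RSA carried through with the toy key from the key-pair slide (p = 29, q = 37, e = 25), including a trial-division step showing why the factors of n must stay secret. Function names are assumptions; the numbers are far too small for real use and no padding is applied.

```python
def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def private_exponent(e, p, q):
    """d = e^-1 mod (p-1)(q-1); exists only if e is relatively prime to it."""
    phi = (p - 1) * (q - 1)
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    return x % phi

def encrypt(m, n, e):
    """M' = M^e mod n, using the public key (n, e)."""
    if not 0 <= m < n:
        raise ValueError("message must be in the range [0, n)")
    return pow(m, e, n)

def decrypt(c, n, d):
    """M = M'^d mod n, using the private key (n, d)."""
    return pow(c, d, n)

def factor(n):
    """Trial division; feasible here only because n is tiny."""
    f = 3 if n % 2 else 2
    while n % f:
        f += 2
    return f, n // f

def recover_private_key(n, e):
    """Anyone who can factor n can recompute d from the public key alone."""
    p, q = factor(n)
    return private_exponent(e, p, q)

if __name__ == "__main__":
    n, e = 29 * 37, 25
    d = private_exponent(e, 29, 37)
    c = encrypt(42, n, e)
    print("d =", d, "ciphertext =", c, "decrypted =", decrypt(c, n, d))
    print("d recovered from (n, e) by factoring:", recover_private_key(n, e))
```
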

52
(No Transcript)
53
Digital Signatures
  • A digital signature must support non-repudiation

54
(No Transcript)
55
(No Transcript)
56
Hash Functions
  • One-way hash function $f$
  • hash $x$ to $y = f(x)$
  • Infeasible to calculate $x = f^{-1}(y)$
  • Infeasible to construct $x'$ so that $f(x') = y
    = f(x)$
  • U.S. Government's Secure Hash Algorithm (SHA-1):
    the best so far
  • RSA MD5 has some known weaknesses

57
Key management
  • All cryptographic techniques depend upon keys
  • The key management is complex and crucial for
    providing security

58
Key Life Cycle Management
  • Key generation and registration
  • Key distribution
  • Key backup/recovery and/or escrow
  • Key replacement or update
  • Key revocation
  • Key termination (destruction and/or archival)

59
Transferring DES key via RSA
60
Diffie-Hellman Key Agreement
61
Virtual Private Networks
  • Important for B2B application
  • A VPN uses the public Internet to carry
    information but remains private by using a
    combination of encryption, authentication and
    access control
  • Protocol tunneling: data packets are first
    encrypted and then encapsulated into IP packets
    for transmission. They are decrypted at the
    destination by a special host or router. It also
    supports multiprotocol networking.

62
Virtual Private Networks
  • Protocol standards
  • Point-to-point tunneling (PTP) protocol
  • Layer 2 tunneling protocol (L2TP)
  • VPN Services (http://www.vpnc.org/)
  • AT&T (http://www.att.com/emea/vpn/)
  • Cable & Wireless (http://www.cwusa.net/internet_ipvpn.htm)
  • MCI WorldCom (http://www.worldcom.com/)
  • PSINet (http://www.psinet.com/security/datasheets/managedservicessecurity.html)

63
Identification Techniques
64
Access Security
65
Identification Techniques
  • The ability to identify people or organization
    creates accountability and helps to promote trust
  • Identification is not enough. It should work
    with legal system to create a stable business
    environment

66
Computerized Identification Techniques
  • Password-based systems: something that you know
  • Physical tokens: something that you have
  • Biometrics: something that you are
  • Location: someplace you are
  • Reference: third-party authentication

67
Password problem
  • Has to be stored in file
  • May be intercepted
  • May be forgotten
  • May be easy to guess
  • May be told to other people

68
Major threats to password
  • External disclosure
  • Guessing
  • Communication eavesdropping
  • Replay
  • Host compromise

69
Authentication Protocols
  • Transformed password
  • Challenge-response
  • Time stamp
  • One-time password
  • Digital signature
  • Zero-knowledge techniques: possession of
    information can be verified without any part of
    the information being revealed

70
Physical Tokens
  • Access card, storage token, synchronous one-time
    password generator, challenge-response, digital
    signature token
  • Human-interface token, smart card, PCMCIA card
  • The token does not prove who you are
  • Token may be copied or forged
  • Token may be used with password

71
Biometrics
  • An image of a person's face
  • Fingerprints
  • Footprints and walking style
  • Hand shape and size
  • Pattern of blood vessels in the retina
  • DNA patterns
  • Voice prints
  • Handwriting techniques
  • Typing characteristics

72
Fingerprints
MAIN SHAPES
MINUTIAE
EACH PERSON HAS A UNIQUE ARRANGEMENT OF MINUTIAE
SOURCE C3i
73
Fingerprint Capture
ST-Micro TOUCHCHIP (Capacitative)
Thompson-CSF FingerChip (Thermal-sensed
swipe) DEMO1, DEMO2
American Biometric Company BioMouse (Optical)
Biometric Partners Touchless Sensor
74
Iris Scan
  • Human iris patterns encode 3.4 bits per sq. mm
  • Can be stored in 512 bytes
  • Patterns do not change after 1 year of life
  • Patterns of identical twins are uncorrelated
  • Chance of duplication < 1 in $10^{78}$
  • Identification speed 2 sec. per 100,000 people

PERSONAL IRIS IMAGER
Companies: British Telecom, Iriscan, Sensar
SOURCE: IRISCAN
75
Signature Dynamics
  • Examines formation of signature, not final
    appearance
  • DSV (Dynamic signature verification)
  • Parameters
  • Total time
  • Sign changes in x-y velocities and
    accelerations
  • Pen-up time
  • Total path length
  • Sampling 100 times/second

Companies: CyberSIgn, Quintet, PenOp, SoftPro
SignPlus
76
Error in Biometric Systems
VERY BAD
BAD
SOURCE IDEX
77
Problems with biometrics
  • A person's biometric print must be on file
    before that person can be identified
  • Require expensive, special purpose equipment
  • Unprotected biometrics equipment is vulnerable to
    sabotage and fraud
  • Possibility of false match