Security in Computing

Study Notes by Rahul Prabhudesai

Information

This page is still in progress and new content will be added over time. Estimated completion is August 2020.

Contents


1| The Basics of Security


Cybersecurity and Physical Security


Security is “the state of being free from danger or threat” and is an important aspect in everyday life, whether it be physical such as security in a home or digital security in the form of anti-malware, passwords, and others.

Stages in the Protection of Assets

  • Deterrence deters potential threats from trying to attack the asset being secured. The deterrents will be visible to the threat.
    • Physical Examples: Sign, Security Cameras, Dummy Cameras, Alarms, Magnetic Detectors, Security Guards
    • Digital Examples: Warning, Laws, Policies, Code of Conduct
  • Prevention – prevents threats from being able to break through to the asset, even if they wanted to.
    • Physical Examples: Spikes, Electric Fence, Wall, Locks, Security Bars, 2FA, Guard Dog, Safe
    • Digital Examples: Password, Firewall, UAC/Group Policy, Antivirus, Authentication, Encryption
  • Detection catching the threat which has already infiltrated the system and has attacked the asset. Detection is useful and important as it provides insight into what improvements can be made to the deterrence and prevention systems currently in place as well as to find the culprit.
    • Physical Examples: Hidden Cameras, Activity Logging, Reports, CCTV
    • Digital Examples: Logs, Intrusion Detection Systems, Audits
  • Reaction – responding to the threat and getting rid of them.
    • Physical Examples: Notify the Police, Arrest the Suspect
    • Digital Examples: Block Accounts, Isolation, Security Patches, ACL Changes, Password Change

The Unchanging World

Cyberspace and the physical world are inhabited by the same people and therefore the digital world greatly mirrors the threats present in the physical world. Threats such as invasion of privacy and bank robberies have their digital counterparts, with the real difference with a bank robbery for example, criminals will go for the big banks with highest profits. Digital threats such as a salami attack functions in a way where cyber-criminals can steal small amounts which largely goes unnoticed from a large number of accounts adding up to a large sum and can get by without any real punishment.

The goals for cyber-criminals in the digital world may be similar between those in the physical world, however, the techniques used are quite different.

Automation allows computers to be used in attacks such as a salami attack by automating the dull repetitive tasks it must do. Furthermore, automation can allow for data mining of the population, which can net a large amount of data from a vast population.

Digital attacks have the benefit and security of distance. As the internet has no borders, attackers can access the billions of devices accessible from anywhere without being near their prey. This makes it difficult to trace perpetrations, and prosecution is made more difficult if the perpetrator is found to be in a different jurisdiction.

Cyber-criminals have another benefit, which is they don’t need to learn the tricks of the trade as required in the physical world. Software can easily be downloaded and successful techniques such as worms and viruses can easily propagate.

Security

Security Through Obscurity
Create security through hiding the asset. This may work in some cases, but on the flip side, if it is discovered then it can be easily infiltrated. For these reasons, it is not a worthwhile security technique.

Security Through Legislation
Security through legislation allows for laws to prescribe allowable user activities. This is effective only as an additional method, eg. violators prosecuted or handed over to law enforcement.

Data and Information

Data represents certain aspects of our world, while information is the interpretation of this data. Generally data has a close relationship with information but they are different sometimes.

Covert Channel
The data has a subliminal meaning. Eg. the existence or absence of data carries the information, the actual value is irrelevant. This could take the form of stenography.

Inference
Aggregation of different data can reveal additional information. Eg. the combination of different database queries can lead to identifying a person.

Information Flow

Overt Channels
Openly publicised documented channel for authorised transfer of data

Covert Channels
Covert channels are those which are not intended for the transfer of information, it may transfer at notoriously slow speeds, and are often created resulting from the misuse of overt channels. Some examples of these channels include:

  • Timing Channel – the manipulation of system resources to transmit data.
    • Eg. Hard drive LED’s can be caused to blink due to malware (experiment shown to work at 4 kbits/s).
    • Eg. Using floppy disk drive mechanisms to produce data (information such as music has been created).
  • Storage Channel – communication through modification of a stored object.
    • Eg. File lock (open/close) channel.
  • Data Hiding in the OSI Model – data transmission using packets or other similar measures within the OSI model.
    • Eg. Data transmitted through ICMP error packets.

Information Security

Information security must be reliable, trustworthy and dependable. Information Security has goals and needs, where security is a need and goals such as completion speed and available budget among other goals may override it. It is easier to notice the absence of security than its presence, proved by cases such as system failure.

Data Security

The basic aspect of data security are:

  • Confidentiality – only authorised users can read information.
  • Integrity – information cannot be altered by unauthorised users.
  • Availability – the information is readily accessible by authorised users.

The context dictates the interpretation of these aspects, and are further dictated by the needs of individuals, customs and laws of an organisation.

Availability

Availability can be summed up through three key points; reliability, resilience and performance. Reliability is being able to function without interruption when required. An unreliable system for example would have system failures quite often along with a low system uptime between these failures. If the system is to be deemed resilient, then it will be able to resist system failures and in the event a failure does occur, then how quickly it can recover from it. Performance is the ratio between the amount of useful work done versus the time and resources consumed. Furthermore, performance can be attributed to the ability to cope with excessive loads and resistance to Denial of Service (DoS) attacks.

Threats to Security


Interference with Normal Operations

Malware interferes with normal operations.

  • Viruses – attached to a host program and designed to spread from one computer to another.
  • Worms – self-propogating software which remains active on the host after transmission.
  • Trojans – performs hidden operations and must be executed by the user (Trojan Horse Story).
  • Spyware – collects data in an unauthorised manner and transmits it via a covert channel.
  • Rootkit – hides the presence of malware and enables unauthorised access to a system without detection.

Denial of Service attacks blocks access to a service. A Distributed DoS (DDoS) is a malicious distributed attempt to disrupt access to a specific target. Pursuing acceptable aims in an unacceptable manner, such as nuisance, or more specifically, spam.

Different aspects of security can be targeted such as confidentiality, integrity and availability. Confidentiality could be the disclosure of personal information for example. Integrity for example could be the transfer of funds in a non-legal manner. Availability for example could be a denial of service attack.

Threats and attacks can take the forms of insertion (deletion) of messages (objects) or exclusion of valid users to name a few.

Adversaries

The main type of adversary in cybersecurity are hackers. These hackers are highly skilled and educated and therefore have above average computer skills. There are white, black and grey hat hackers. White hat hackers are those who have the permission of the target and are generally experts in security testing to exploit potential threats and inform the target of these vulnerabilities. On the other hand, a black hat hacker uses their expert computer skills for malicious and criminal activities. The third type of hacker is a grey hat, or hacktivist who utilises their technology to infiltrate a system without permission with the intent to inform the target of the vulnerability. Hacktivists are not motivated by a malicious nature and are usually ideological or political in nature. The aim of hackers is to make a point or meet some sort of challenge.

Amateurs are regular people who are usually uneducated individuals or groups who are trying to exploit some vulnerabilities with the aim of getting a thrill. On the other end of the spectrum, career criminals aim for financial gain or espionage and some may even lack computer skills and therefore employ corrupt hackers.

The other types of adversaries include malicious insiders, industrial espionage, political and military espionage, press, terrorists and info-warriors to name a few. The key difference between the many adversaries are the aims they have.

Computer Crime

Computer crime or cybercrime is crime assisted by the internet. Cybercrime can include theft such as theft of information, intellectual property and identities. Criminal conduct is another type of cybercrime which could be fraud (eg. bank fraud, extortion), abuse (eg. harassment, intimidation, defamation), misuse (eg. obscene or offensive content).

Achieving Security

HOMECOMPUTER
Develop a PlanProtect doors and windows from illegal entryProtect both physical and digital access to the device
Have Proper MechanismsMechanisms such as locks, iron bars, gates, etcKeep it in a secured room and have access control (login, resource management)
Be in ControlLock the doors / windows and keep the key in a secure placeLog out or log in, don’t publicise the password

Security measures include policies which describe the goals of protection, for example, resources are only available for authorised users, mechanisms which implement the policies such as login being required before access to the information is provided and evaluation or assurance which judges the quality of protection, for example, can the login authentication be bypassed?

Software Development


Security is extremely important and should be an integral part of software development. Security based objectives have a high importance level and should be treated equal to other business objectives. The effects of poor security can be reduced through early consideration by up to 50% according to a 2016 State of DevOps Report.

  1. Conduct security reviews alongside other reviews.
  2. Security should be intertwined with the entirety of the software lifecycle.
  3. Security requirements testing can and should be automated.
  4. Developers should have unrestricted access to pre-approved libraries, packages, tools and processed and these should be readily available.

Security Policies

The system should be protected through the restriction of certain forms of activities through implementation-independent statements. Furthermore, one should set goals for any work regarding security. The objectives should also be described, ie. Outline the key aspects of a system which needs to be protected, trying to project everything is not possible due to it being too expensive. Another objective should be what the specific threats are which need to be protected against and which operations are granted or denied access to a system. Lastly, this should not refer to details of an actual implementation.

Security Services

  • Confidentiality – restricts read access.
    • A basic concept in security is the secrecy of information, which means only entities who are authorised can know about the existence and acquire certain data.
    • Medical records, student results, and bank details for example, should only be disclosed to the required entities.
  • Integrity – restricts write access.
    • Refers to the data content being able to change or be modified by only by authorised entities. The implicit definition of integrity is the correctness, or accuracy of data and that it originated from a trustworthy source.
    • For example, bank statements should not show incorrect transaction details.
  • Privacy – denies permission to use legally obtained data.
    • Who can share or disclose data legally with third parties. Furthermore, privacy involves a level of accountability (responsibility) of one’s actions, traceability (logs) of these actions and non-repudiation (non-deniability).
    • A company is not allowed to sell or profit from any personal data without the express permission of the user in question.
  • Authenticity – source of origin can be verified.
    • Being able to prove something is authentic, or genuine and come from a trustworthy source.
    • Authenticity is tested by computers in the form of origin (where did this come from) authentication and user (is the user who they say they are) authentication.

Human Aspects

Individual rights such as privacy and free speech vs censorship are a key aspect of humans. Identity protection is another key aspect, with identity theft is the fastest growing crime it is becoming more and more important. Intellectual property involves copyright and its violation. Personal agenda such as hate crime, e.g. racist attacks and insider attacks from disgruntled (former) employees.

Summary

The main difference between cybersecurity and physical real world security are the tools used, with the involvement of humans being the common aspect. To ensure working and effective security operations, mechanisms must be in place with policies to ensure these are used. For example, a house can have the most advanced security systems and mechanisms in place, but without this being activated, or a door being left open for example, the system is largely redundant or useless. Therefore policies must be utilised to ensure this is not the case.

2| Vulnerabilities, Threats and Attacks


Vulnerabilities and Threats


Know The Enemy

It is essential to know the terminology of the threat, what their attack motives are and the methods they utilise to fulfil these motives. Attack motives include the entity attacking the computer systems and their intention. On the other hand, attack methods revolve around the techniques employed to infiltrate computer systems along with the consequences faced.

Vulnerabilities & Attacks

  • Vulnerability – weakness such as a design flaw, bug, mis-configuration or back door. This allows an attacker to gain access into the system to cause harm.
  • Exploit – the methods or techniques employed by the attacker to successfully infiltrate a system through discovered vulnerabilities.
  • Attack – the use of an exploit.
  • Threat – the outcome of the attack.
  • Threat Agent – the person who is using their capabilities combined with their intentions and past activities to attack a system.

Common Vulnerability Scoring System (CVSS)

The Common Vulnerability Scoring System or CVSS for short is a standardised method to assess vulnerabilities in security and is scored based on a number of metrics. These metrics fall into three main categories, base, temporal and environmental.

The base metric cannot change, and is determined by the damage a vulnerability can cause, level of difficulty to exploit, etc. The temporal metric refers to the way a vulnerability changes over time, ie. patches. The environmental metric is how the vulnerability changes based on environmental factors such as a change in system, change in hardware, network access, etc.

CVSS Base Score

The base score indicates the severity of the vulnerability in a general sense and the natural characteristics which are not expected to change. The main metrics included in the base score exploitability which is the access vector (eg. local or remote) and access complexity (high to low), and impact which is whether there is a complete, partial or no loss of confidentiality, integrity and availability.

CVSS Temporal Score

The temporal score is calculated based on the change over time, the introduction of mitigation factors (usually lowers the final score) and an indication of urgency. This metric should be re-evaluated periodically as it changes over time based on the main metrics such as exploitability, which is whether the vulnerability is theoretical, functional or there is a proof of concept and the ease of exploitation, and remediation which is whether there is an official or provisional patch or workaround available or not.

CVSS Environmental Score

The environmental score represents environments factors such as the number of users on the vulnerable platform and the overall priority. The key metrics of this incorporate the level of collateral damage which can be cause and the number of vulnerable systems in a particular environment.

Threat Assessment

Identification of system vulnerabilities, the level of risk posed by the threats and an effective mitigation plan can be developed though undertaking a threat assessment. Tools which can assist in threat assessment and analysis:

Attacks


Attack Vectors & Attack Surface

Attack Vectors
A method or path in which a vulnerability could be triggered or reached. For example, this could be a malicious email, attachments, worms, web pages, downloads, and deception / social engineering. These are different to malicious payloads such as viruses, trojans and malicious scripts. Analysis of attack vectors can produce an understanding of the severity of a vulnerability and defences such as blocking certain inputs.

Attack Surface
A sum of the variety of attack vectors which are threatening a software environment. A reduction of the attack surface equates to an improvement in security.

Attack Methods
A zero-day attack is an attack which exploits a new vulnerability with no known defence, solution or fix for it. This can be defined as an unknown unknown.

Attack Motives

Motives for an attack could include a criminal intent which could be for financial gain for example, industrial, political or military espionage, to prove a point such as disclosing a vulnerability, to get revenge or act upon a vendetta, terrorism, and hate.

Common Attack Methods

Passive Attacks
Passive attacks aim to collect information without authorisation. This is an attack on privacy, that could be targeted towards a certain entity, or data harvesting, which is the complete opposite of targeted. It could also be a publicity attack, an attack with the intention to gain publicity from the press, media, etc. Passive attacks do not interfere with normal operation.

Active Attacks
Active attacks manipulate objects, misuse data, etc. These attacks do interfere with normal operation as it changes the behaviour of a system. An example of an active attack could be a browser hijacker as it reroutes internet traffic to infected sites, therefore manipulating and affecting the usual operation.

Criminal Attacks

Examples of criminal attacks include, but not limited to:

  • Fraud – personal gain through deception.
  • Scam – committing fraud after gaining the victim’s trust or confidence.
  • Destructive Attacks – damage a system or the operation of it.
    • For example, erasing a database, or fractions of it.
  • Theft – stealing data, information, or other tangible and intangible things.
    • Intellectual Property – property which is intangible.
      • For example, inventions, trade marks, original designs, ideas, patents.
    • Identity – someone pretending to be or acting as another person.
    • Brand – the use of someone else’s brand and the characteristics which make up said brand.
      • For example, use of a brand name in a forged website.

The law in digital realm moves at a significantly slower pace in comparison to law in the real world.

Most Frequent Attacks

The most frequent types of attacks are information theft, resource theft and interference with operations.Information theft alludes to theft of private data such as bank account numbers, passwords, personal details, etc. which is commonly done through the means of spyware (collects information without knowledge of the user, eg. keyloggers). Resource theft can be explained as computer jacking for example. Computer jacking is generally undertaken through the means of a botnet, a network of computers controlled remotely without the owner’s approval. The most common aims of such attacks is for spamming and DoS attacks. Denial of Service attacks are also used as means for an interference of operations attack as it overwhelms the target with excessive and unwanted requests to prevent legitimate users from accessing the service.

Common Attack Strategies

The aim of the attacker is generally to gain administrator or root privileges to target machines in order to be able to execute programs in kernel mode. The infiltration methods commonly utilised is social engineering, exploitation of root-level flaws and exploitation of lower-level flaws and escalate privileges via other exploits. Distribution of malware such as viruses (requires a host to disseminate) and worms (disseminates on its own) is another common attack strategy.

Other Malware

  • Trojan Horse – malicious code or tasks run in the background alongside normal operation of a program.
  • Trapdoor – utilisation of non-standard to gain access to services.
  • Logic Bomb – malicious code which remains dormant while awaiting a certain action or condition to be true to trigger the event.
  • Easter Egg – ‘cute’ but harmless behaviour triggered by special input (ie. cheat codes).
  • Rootkit – a piece of code with the purpose of hiding the existence / presence of itself and other malware from the user in a system.

Authentication (Password) Attacks

  • Dictionary Attack – using a list or ‘dictionary’ of words to test for potential password matches.
  • Replay Attack – using data collected from a prior valid session to infiltrate a system.
  • Password Guessing – using intuition to ‘guess’ the password.
  • Password Sniffing – gaining access to and monitoring a valid session to find the password.

Other Prevalent Attacks

  • Spoofing – modification of data to act as someone else.
    • Spoofing Attacks – commonly used for phishing attacks, which involves obtaining confidential information from a user through identity theft (acting as an authoritative party, eg. ATO).
  • Denial of Service (DoS) Attacks –
    • Direct Attacks – overwhelming the server through direct attacks from the attacker.
    • Reflected Attack – overwhelming responses to the victim through spoofed (victim shown as source) packets sent to many hosts.
    • Distributed DoS (DDoS) Attacks – making use of botnets to deny access to a service.

DDoS Attack Types and Statistics

  • Volume Based Attacks – uses methods such as bandwidth saturation to deny access to a service.
    • For example, UDP / ICMP floods (spoofed packets commonly used).
  • Protocol Attacks – an attack on the server resources to deny access to a service.
    • For example, SYN floods, fragmented packets, smurf.
  • Application Layer Attacks – crashes the application in order to deny access to a service.
    • For example, GET / POST floods.

Attack Type

Attack Length

Botnets and Botnet Platforms

Botnets are a network of computers which are all compromised and therefore controlled from a single command point. Features of botnets include a hierarchy of computers which is neatly presented with workers at the lowest level, infected computers function similar to a zombie in the sense that they are activate by a central command and can execute both attacks and malicious activities using various methods on the same computer, and workers back off randomly to disguise themselves.

Botnets are generally used with a malicious intent such as spam mailers and in DDoS attack tools, however, there are rare honest use cases in the forms of distributed computing for example. Programs such as Folding@Home and SETI@Home.

Botnet Platforms
Internet of Things (IoT) devices can be used as bots in a botnet, especially with many IoT devices using embedded Linux with a low security level.

Attack Techniques

  • Injection Attacks – being able to insert instructions into data and sent into a system with a vulnerability and therefore does not sanitise the data properly.
  • Rootkits – malware which hides the presence through the modification of system data.
  • Social Engineering – exaction of confidential information through exploitation of human gullibility.

Injection Attacks

Injection attacks function by ‘injecting’ code which is interpreted by the application.

  • Command – executes system level commands acting as the application while making use of the application’s privileges.
  • SQL Injection – inserting database queries through the input of an application.
  • XML Injection – altering the intended logic of an application for example through the means of adding XML content or structures into a message.
  • Cross-Site Scripting – having malicious scripts run via trusted websites.

Engineering and Incident Response


Rootkits

Rootkits function by hiding the presence of malware and itself. It is generally done through the form of DLL injections (malware loaded as processes) which removes any references to the malware before executing real user code, or in the form of device drivers which are installed on Microsoft Windows. Unix or Linux systems also face the wrath of rootkits, however, it functions by replacing system binaries with the version the rootkit wants.

Social Engineering

Social engineering works by extracting or revealing key information from a human victim through manipulation. This type of attack is common when attackers want to steal data, gain access into systems, extract money or steal an identity, all without raising any suspicion. Social engineering is a very effective method as it exploits the vulnerabilities in humans – the weakest link in the security chain.

Social Engineering Methods
Human based or computer based methods of social engineering exist. Human based methods could be a phone call for example, where the attacker impersonates another figure such as a IT support officer or ATO agent while using information such as names to trick the victim into believing the impersonator is who they say they are. Another human based method could be in person, where attackers could shoulder surf (watch the actions, eg. typing, over the shoulder) or dumper drive to gather information about the victim for example. Computer based attacks could be phishing, or verifying account details with the victim, popup windows faking an error message, spam, hoaxes, or illegitimate / illegal websites claiming the victim could win something or has won something and requires some information to claim the rewards.

Psychology of Social Engineering
Social engineering is relies heavily on psychological techniques such as preying on natural human qualities like desires to assist others, tendency to being trusting and fear of consequences. Furthermore, social engineering employs a variety of conversation styles to psychologically persuade the victim to satisfy the attackers aims, alongside other persuasion techniques which include systematic logical arguments to stimulate favourable responses (eg. “The head of department has asked me to collect…”), and using peripheral cues and misinterpretation of objectives to trigger acceptance without thought (eg. person wearing appropriate apparel such as a safety vest or shirt with logo and branding of the relevant company).

Social Engineering Exploits
Attackers could set up a contrived situation by creating several factors to improve believability along the lines of forgetting a password or having fast upcoming deadlines. Another exploit attackers could use is personal persuasion which involves manipulating and convincing the target into being under the impression of making the decision themselves, and seeking voluntary action rather than forcing compliance. They could also use direct or context-aware request method exploit. A direct request is often challenged and refused, therefore rarely used, on the flip side however, context-aware request could entail a perpetrator inventing a scenario to then take advantage of it, eg. cutting a cable then offering help.

Responding to Incidents

  1. Detection: identify that an attack has occurred.
  2. Containment: prevent further damage and spread though isolation or quarantine for example.
  3. Eradication: removal of the agent.
  4. Recovery: restore normal operation.

Response tools such as antivirus and anti-malware programs can assist or automate steps 1-3 of a response to an incident.

Security Operation Centre (SOC)

Security Operation Centres (SOCs) are information system monitoring, assessment and defence facilities which can provide passive defences like intrusion detection through monitoring, or active defences such as penetration (pen) testing to assess the system’s vulnerability.

Image Source: McAfee Labs Threats Report (December 2016)

Incident Response Organisations
Incident response organisations provide general support to local incident response teams such as the Computer Emergency Response Team (CERT) who analyses and studies software vulnerabilities, were founded after the first internet worm in 1988 and is not a world-wide network of national organisations. One such organisation is AusCERT who publishes security bulletins and advisories. Furthermore, there is a Forum of Incident Response and Security Teams (FIRST) with 289 teams across 64 countries, six of which are in Australia. FIRST was founded in 1990 and their activities include best practices contents, creation of ISO standards and development of the Common Vulnerability Scoring System (CVSS).

Summary

Security awareness is being dragged behind the many billions upon billions of computers which have become a big part of everyday life. Computer security is based on the defence of specific threats. Attacks can and are based on both old deception methods and newer specifically crafted bits of code.

3| Security Mechanisms and Elementary Cryptography


Security Process and Mechanisms


The Security Process

Security changes over time alongside continuously evolving technology. This equates to a constant flow of new vulnerabilities and threats discovered in both new and old system. Furthermore, as people change, so do their practises and humans tend to forget some of these over time.

The security life cycle is an infinite loop comprising of a plan which is subsequently implemented and evaluated before the process is repeated again and again.

Evolution of Technology and The Current Landscape

Technology evolves over time, for example, a modern digital watch has more computing power than the guidance computer on NASA’s Apollo 11 space shuttle. Similarly, the new age of quantum computing and supercomputers are paving the way towards the new future of technology.

The Current Landscape
With the advancement of technology, internet usage has also risen in popularity and usage and it has now become part of everyday infrastructure. This creates insufficient risks / threat awareness.

Causes of Security Problems

One of the biggest factors contributing to security problems are software vulnerabilities. These problems allow criminals to cause damage to a system. Another big factor is human error in the form of maintenance failure and operational problems caused by negligence, lack of expertise, failing to update software, not applying fixes or patches, and hardware maintenance issues.

Computer Accounts – Legal Aspects

An account on a computer provides authorisation to access a computer and provides legally binding rights and responsibilities to users. Computer accounts should only be used for the sole purpose for which it was provided.

Security Mechanisms

Security mechanisms implement security services. These deal with prevention and detection of incidents and recovery from them. Security mechanisms are characterised by their high fault tolerance and ability to operate in unfavourable, hostile environments and are therefore resilient.

Security Mechanisms in Computing
In computing, data is guarded from unauthorised access and modification though the use of security measures. Security mechanisms in computing utilise encryption, authentication, Access Control Lists (ACLs) as well as other cryptographic methods which help to maintain integrity and hide the content.

Types of Security Mechanisms
Pervasive mechanisms try to protect against a variety of threats and utilise systems such as a network firewall, email filters, antivirus software, etc. and are less accurate, but more economical. On the other hand, specific mechanisms protect against specific threats and individual data or hardware parts and utilise systems such as data integrity protection and access control for individual pieces of data. This is less economical, but on the upside it is more accurate.

Cost of Security

The costs associated with security are both monetary and non-monetary. Monetary, or direct costs include the price to purchase software, equipment and procedures. Indirect costs could be reduced efficiency resulting from additional procedures, and cost savings could include being able to avoid possible expensive damage and potential optimisation of procedures. This is usually not the case and security tends to cost more than the savings it provides.

Security Trade-offs

Security features can sometimes restrict functionality, for example a fixed number of network connections allowed. Additionally, security mechanisms can complicate user interaction, for example, additional procedures such as retina scan to login to a computer can make the process slower and more cumbersome to perform the operation. It is crucial that a proper balance between security, functionality and usability exists. This can be done though risk analysis.

Image Source: Tree Solution: Security-Functionality-Usability Triangle

Risk Analysis

Identification of amount of vulnerability versus the amount of potential loss in case of an accident / threat. A potential loss would be the sum of the value of assets and the probability of an accident.

Encryption / Decryption and Cryptosystem Security


Encryption is a process where information is converted into a form of secret code to obscure the true message. Decryption is the reverse of encryption, where it understands the secret code and converts it back into the same understandable information. Plaintext is understandable information whereas cyphertext is the encrypted form of the message. In historical terms, a cryptosystem is a tool which encodes / encyphers and decodes / decypher information.

Terminology

  • Breakable Encryption – encryption which has a weak or poor algorithm and can easily be reversed.
    • Theoretically Breakable – a method exists to break the encryption.
    • Practically Breakable – able to be broken within a reasonable amount of time.
  • Cryptography – the art of writing or solving codes.
  • Cryptanalysis – the art or process of deciphering coded messaged without the key.
    • An aim of cryptanalysis could be to break a single message, devise methods to break all messages or to find weaknesses in the implementation.

Encryption Methods and Keys

An encryption method is the algorithm used to convert information (plaintext) into secret code (cyphertext). Some popular encryption are Triple DES, RSA and AES. An encryption key functions similar to a physical key, in that it unlocks or decrypts the locked or encrypted information. Cyphertext becomes the function of (plaintext + key). The most popular encryption methods are public knowledge, this is because there is a high reliance on the key rather than the encryption. This facilitates the use of many keys and uses rather than a requirement to develop a new method for each use case. This sort of encryption makes it mandatory to find the key in order to crack the encryption.

Secret and Public Key Encryption

Secret or symmetric key encryption means if either E_Key or D_Key are found, the other can easily be calculated, therefore it is simple and fast to crack. Public or asymmetric key encryption means either E_Key or D_Key cannot be used to calculate the other in a reasonable amount of time. This is therefore more secure, but much slower.

Cryptanalysis Attacks Against Encryption

  • Ciphertext-Only Attack – trying to decipher the cyphertext available to the analyst in the hopes of determining the encryption / decryption key.
  • Known-Plaintext Attack – using both the available cyphertext and plaintext to find out what the key is.
  • Chosen-Plaintext Attack – analyst is able to input or choose plaintext which gets encryped.
  • Adaptive-Chosen-Plaintext Attack – the analyst can choose the plaintext used based on prior encryption.
  • Chosen-Cyphertext Attack – ciphered messages can be chosen with the analyst having access to the decrypted messages.
  • Chosen-Key Attack – the encryption / decryption key is provided, generally for the purpose of evaluation of the algorithm rather than an attack.
  • Brute Force Attack – trying all possible solutions to find the key, however, easier methods may exist.
The enigma example can be considered as a known-plaintext attack as the analysts knew the start of every message on the weather channel was “Hail Hitler”.

Classes of Encryption Strength

  • P (Polynomial) – problems for which the solution growth rate is a polynomial function.
  • NP (Non-Deterministic Polynomial) – accuracy of a guessed solution can be checked in polynomial time.
  • EXP (Exponential) – a deterministic solution exists in exponential time.

Practical Security of Cryptosystems

In security, there is theoretically not breakable, therefore unconditionally secure, and practically not breakable. The work factor or computing time and power required to recover the key is what makes algorithms computationally secure or strong. As time goes on and computing power increases, the work factor will reduce. Confusion is the complexity between plaintext and cyphertext; ensuring that all messages cannot be cracked with just a few cracked messages. Lastly, diffusion is whether the statistical properties of the plaintext and cyphertext related.

Stream & Block Ciphers

Stream Ciphers
This form of ciphers have a low error spread (error correction is easier) and is fast, but is also suspect to malicious attacks and easier to break due to a lowered diffusion. The key characteristic of stream ciphers is the transformation focuses on each character individually rather than basing it upon the previous or following character(s).

Block Ciphers
These ciphers transforms entire ‘blocks’ of characters rather than individually. This allows for higher diffusion, but requires more time to encrypt and has increased error propagation issues as one error affects numerous others characters.

Classical Secret-Key Algorithms

  • Substitution Ciphers – a character replaced or ‘substituted’ with another.
    • Simple Substitution Cipher – changing one character of plaintext to another.
    • Homophonic Cipher – a single character can become a number of other character based upon various characteristics.
      • For example, ‘a’ can shift by either 3, 5 or 7 positions.
    • Polyalphabetic Substitution Cipher – multitude of ciphers where the actual one used transforms the position of each character.
      • For example, the first key encrypts the first letter, second key encrypts the second letter, etc. and the keys get recycled after it is all used.
    • Polygram Substitution Cipher – a group or block of characters are encrypted as a whole.

Caesar Cipher

The caesar cipher is a form of simple substitution cipher which shifts characters based upon an ‘n’ value.

ci = E(pi) = pi + n
n = number pi = letter position

Transposition Ciphers

An old form of cypher used in the era of World War I. This ‘transposes‘, or rearranges the order in which the text is displayed. For example, rather than reading from left to right with the following character on each row, characters could be required to be read top to bottom with corresponding letters within the column. This text could also be displayed in different patters rather than being arranged in columns.

The efficiency of transposition ciphers are lower than the more common substitution ciphers due to an exponential increase in time required to decode and space consumed based on the length of the message.

Rotor Machines and Symmetric Key Systems


Rotor Machines

Image: Enigma Machine of Nazi Germany

Rotor machines have a number of rotors to shift the the character and map it to something else, which is subsequently remapped by the next rotor. This automated the process of encryption as each rotor makes a substitution and immediately after substitution, the previous rotor rotates one step. The combination of rotors make it difficult to break (Period 26n).

Image Source: On Enigma and a Method for its Decryption

One-Time Pads

One-time pads are a pad with non-repeating one-time random keys with each letter being encrypted with a corresponding key on the pad. These pads may only ever be used once and then subsequently destroyed to maintain security. In order to function securely, the numbers must be truly random, and not pseudo-random (computers are not truly random). One of the downfalls of one-time pads are that the length of the key is the equivalent of the plaintext, which can result in higher bandwidth needs.

The most popular use cases for one-time pads are for ultra-secure low-bandwidth channels and for one-time password generation, which are a similar construct.

Secret-Key Encryption Examples

Data Encryption Standard (DES 1977)
Used to be the most widely used and secure algorithm until the late 1990s. It maps a 64-bit plaintext into a 64-bit ciphertext using a 56-bit encryption key. It has 16 key-dependent rounds that have data rotated and transposed (split in half, right half is scrambled and two halves are swapped). Successful attacks against it are possible as the key is small enough to brute force and due to its old age, has been thoroughly analysed. Triple DES was later introduces as it uses DES three times with three different keys, but is not currently considered to be secure any more. Most commonly used as encrypt-decrypt-encrypt (EDE).

Advanced Encryption Standard (AES)
AES was adopted as a standard in 2001. It is a version of the Rijndael block cipher which has a block size of 128-bits (4×4 array of bytes) and key sizes of 128-bit, 192-bit and 256-bit (10, 12 and 14 rounds of calculations). Each of these rounds has four steps:

  1. AddRoundKey – each byte is combined (XOR’d) with the sub-key.
  2. SubBytes – non-linear substitution of each byte using a lookup table.
  3. ShiftRows – cyclically shifts the bytes in each row by a particular offset.
  4. MixColumns – combines the bytes in each column using a linear transformation (replaced with another AddRoundKey in the last round).

A brute force attack was published in 2002 showing it was computationally and time impractical, and expensive to attempt to crack AES encryption.

Cipher Modes

Electronic Code Book (ECB)
A plaintext is always encrypted into the same ciphertext. A ‘code book’ can be created for each key with any plaintext to ciphertext combination can be listed. A suitable use case for ECBs would be for database encryption. This method has a low diffusion value.

Cipher Block Chaining (CBC)
CBC is the improved method which takes plaintext and XORs it with the previous ciphertext block which is subsequently encrypted. During decryption, each block is decrypted and saved as ciphertext for a response until the next block is decryped. A random Initialisation Vector (IV) is used for the beginning block. Due to it functioning as a chain, a small error in the ciphertext can lead to a catastrophic one after decryption.

Problems of Symmetric Key Systems

The key must be kept secure, or changed quite frequently. Furthermore, the key must me distributed via a secure channel. Simple methods can be left open and vulnerable for attack. Another issue with symmetric key systems is the need for an additional key per participant.

Public-Key Systems

Public-key systems require both a public and private key. The private encryption key ensures the message cannot be tampered with and is used for authenticity verification in the form of a digital signature. A private decryption key on the other hand is used to make sure the message cannot be decoded and therefore kept confidential. The principle was first published in the mid 1970s.

Some common methods are RSA which is used for encryption and digital signatures, El Gamal and DSS which is used for digital signatures, and Diffie-Hellman which is used to establish a shared secret key.

The pitfall of public-key algorithms is that they are significantly slower in comparison to symmetric-key systems. They are however used to encrypt a symmetric key (session key) to facilitate faster data exchange thanks to a symmetric key and keep the symmetric key secure through public-key encryption.

Diffie-Hellman Key Agreement

A protocol which allows for a shared secret to be established through an insecure channel. The Diffie-Hellman key agreement resolves this issue by requiring two parties to calculate the share key together via negotiation. It allows for data exchange during negotiation without compromising on security and maintains the integrity of the key. Furthermore, the secret which is established is never sent to the other party regardless of whether or not it is encrypted. It is a common algorithm used regularly in secure communication protocols.

Secure Digest Functions Principle

A secure digest function principle essentially takes some input, applies an algorithm to it and produces a result. This is also called a hash which only works one way and must always produce the same result. Secure digest functions accept any message length but always output a fixed hash length. It is also known as a message digest or digital fingerprint.

h = H(M)
Givem M, it is easy to compute h
Given h, it is hard to compute M

Given M, it is hard to find another message M’ such that: H(M) = H(M’)

This ensures the hash is collision-secure. Hashes are used for digital signatures and to mitigate or identify the tampering of messages.

Image Source: Digital Kites Hashing Guide

Types of Secure Digest Functions

  • Non-Keyed – is dependent solely on the message (AKA. Message Integrity Code (MIC), Modification Detection Code (MDC)).
  • Keyed – is dependent on both the message and respective secret key (AKA. Message Authentication Code (MAC)).

Practical Aspects of Secure Digest Functions

  • Exploiting Collisions – birthday attack.
    • Alice prepares two versions M and M’, M is favourable for Bob, M’ is not.
    • Alice makes several versions of M and M’ that are visually indistinguishable from each other (e.g. by adding spaces at the end of lines) until she finds an M and an M’ so that the calculated h is the same for the two.
    • Alice sends the favourable document M to Bob to sign it.
    • When Bob returns the signed document, Alice replaces M with M’.
  • Common Hash Functions
    • MD5: very efficient method which produces a 128-bit digest, requires a single pass, but is vulnerable.
    • SHA-0, SHA-1: produces a 160-bit digest, but attacks have in fact been found.
    • SHA-2 (SHA-224, SHA-256, SHA-384, and SHA-512): currently still considered to be secure.

Digital Signatures

A digital signatures serves as a verification of origin. It used by the recipient to determine if the original information has been modified. It is calculated through the encryption of the document hash along with the signer’s private key for example.

Image Source: DocuSign Understanding Digital Signatures

A digital signature is them appended to the document, ie. <M, S, { M } KS > is sent.
(M = Message, S = Sender, {M} = Digital Signature)

Image Source: How PGP Works – Secure Digital Signatures

Checking Digital Signatures

Image Source: Hill Associates Wiki on Digital Signature

Summary

Encryption proves as a highly effective and popular method of keeping information secure. The key difference between secret-key and public-key encryption methods are the applicability and speed. Cryptographic methods can be employed to prove data authenticity in the form of digital signatures for example.

4| Authentication


Identification and Authentication


Identification

The main purpose of authentication is to establish the identity of the user, a peer or process. The downfalls of identification is the characteristics and attributes which are associated with a person or entity cannot be observed. Authentication solves these issues.

Authentication

Verification of the user, peer, origin, process, etc. to determine who they are and if that matches who they claim to be. The verification process works by querying a server for an authentication ticket to be used for obtaining services.

There are a multitude of authentication methods which include passwords, biometrics, two factor authentication (2FA) and tokens, such as certificates (usually from a certificate authority).

Authentication Systems
The important functions served by authentication systems are to protect against an impersonator of a user or authentication server, alteration of data sent between the server and user and prevents attackers from using a replay attack to bypass authentication.

Mobile Phone Authentication System

Authentication Factors

There are many authentication factors available and some are used more readily.

  • Proof by Knowledge – information which is known by the user.
    • For example, a username and password, pin.
  • Proof by Possession – something which is physically used by the user for authentication.
    • For example, a bank card, identity card, RFID key, passport.
  • Proof by Property – physical details or attributes of the user.
    • For example, fingerprint, face scan, iris scan, other biometrics.
  • Proof by Location – location of the user used for authentication.
    • For example, geolocation security check.
  • Proof by Activity – authentication through observation of user’s actions or gestures.
    • For example, signature, picture (gesture) password.

Multifactor authentication is when a multitude of authentication factors are used in conjunction with each other to gain access to a system, for example, Banking ATM’s require the user to possess their banking card as well and knowing their pin number. Two-factor authentication or 2FA is like multifactor authentication requiring two factors for authentication.

Special Authentication Methods

Special authentication methods include mutual authentication and single sign-on.

  • Mutual Authentication – requires both ends to be authenticated.
    • For example, by communicating peers, TLS/SSL between the server and user, server and user.
  • Single Sign-On (SSO; cascading authentication) – user is only required to be authenticated once to access a number of systems.
    • Process: User is authenticated once, subsequent authentications are re-using the result without user interaction.
    • Method: Systems share the authentication database or exchange security assertions.
    • The problem with SSO is if the main account is hacked or compromised, all other services are infiltrated. Similarly, if the main account is DDoS attacked, the subsequent services will not be able to be used.

With authentication methods, easier does not necessarily result in higher security, easier generally means less secure as more secure means more steps, more steps creates an increase in overhead.

Proof by Knowledge Challenge-Response Methods and Possession


The server presents a challenge to the user and requests an answer. If the answer is correct, the user is authenticated. The different types of challenges include passwords, cryptographic methods requiring users to encrypt or produce a hash of the challenge using the user’s private key, and challenge questions.

Passwords

Passwords are the most commonly used, but also the most commonly exploited authentication token. The advantage of passwords are the ease of replacement if it is compromised. Passwords are stored in encrypted form or as a hashed value, they can also be salted, which adds a random word to the end of the password for additional security. Once the user enters their password, the system then calculates the hashed or encrypted value and compares this to the stored value. If it is a match, then the user is authenticated, otherwise authentication fails when an error is thrown.

Password Transmission
An insecure, but possible method for transmitting a password is to forward it in plain text form, for example through basic HTTP or telnet. This is insecure to easily being able to be snooped. More reliable methods protect the password by forwarding only the hash through a HTTP digest, encrypts the password and transmits it through Kerberos or by encrypting the entirety of the communication channel through SSL, TLS, HTTPS, and SSH.

HTTP Authentication

Features of Basic AuthenticationFeatures of Digest Authentication
Insecure as passwords are transmitted in plain text and not encrypted.Passwords are hashed and only this hash (digest) is forwarded. This is more secure.
No logout – the browser is required to ‘forget’ the user credentials. There is no automatic logout feature.Most, albeit not all, major browsers support HTTP digest.

HTTP Authentication (Apache)

Basic Authentication

Create a password file
htpasswd -c my_dir/passwords user1

Configuration file: .htaccess
AuthType Basic
AuthName “Display this message”
AuthUserFile my_dir/passwords
Require user user1 user2

Digest Authentication

Create a password file
htdigest -c my_dir/passwords user1

Configuration file: .htaccess
AuthType Digest
AuthName "Private"
AuthDigestFile my_dir/passwords
Require user user2 user3

Password Attacks

Passwords are the easiest authentication method to attack as the attacker does not require physical or local access in order to crack the password. The attacker can use methods such as password spoofing (phishing) which involves a website created to imitate another real website with the intent of capturing authentication information. Key logging can be used along with compromisation of the password file through modification or addition to the file. The most common method is password guessing which can be done intuitively by using information about the user such as date-of-birth, friend’s name, user’s name, etc. or through dictionary attacks (requires the attacker to possess the encryption key or hash. An exhaustive search or brute force is another method of password guessing.

Password Protection Methods

  • Increase password strength.
    • Make it difficult to guess.
    • Create a long password.
    • Use a mix of upper and lower case letters, numbers and non-alphaneumerical symbols.
  • Follow password ageing.
    • Regularly updating passwords.
    • Expire passwords, requiring the user to change the password.
  • Use password generation.
    • Password generation is good, but are difficult to remember.
  • Protective measures against attacks:
    • Exponential Backoff: increase cooling off period after each failed attempt (classic example is Apple devices).
    • Blacklisting: lock the account after a certain number of failed attempts are registered.
    • Reverse Turing Test: require users to perform a task which can only be accomplished by a human, therefore preventing computers from conducting attacks.

Password Management

DoDon’t Do
Passwords should be sent to the user via secure channels. Different channels may be used such as phone or text message to activate an account/password.Do not write down difficult passwords or replace with an easy one.
Make use of one-time passwords which require the user to change upon initial login.Avoid common passwords such as 123456, Password1, and abc123.
Identify the user prior to transmission of a password, for example, through call back to an authorised phone number.
Avoid delays when resetting passwords and be careful not to allow attackers time to reset it first in the event one system is compromised.

Bad Example of Password Management

Sony’s Password Lists

Password Reset

People tend to forget passwords, and more prevalent when they are faced with a difficult one. Systems offer challenge questions to counter cumbersome password reset procedures, but these systems generally have a limited set of questions with easily guessable answers. Furthermore, people provide false answers in the hopes of improving security, however, they forget this answer and are locked out of their account.

Password Crackers

Numerous password cracking tools are available such as Cain and Abel for Windows, John the Ripper for Unix, and Airsnort for wireless networks to name a few. There are some free ones, however, others are commercial and labelled as “password recovery tools/services”. The difficulties of using such tools lies in the amount of time requires to crack the passwords resulting from slow speeds, inability to function for cracking one-time passwords and it is difficult to reverse passwords as they are generally encrypted with one-way functions. This requires the cracker to encrypt the guess and compare the result.

One-Time Passwords (OTP)

One-time passwords are valid only for a single session, therefore preventing any replay attacks from working. Multiple delivery methods are used such as a separate device, paper based, email, text message, etc.

Generation Methods
OTP could be time-synchronised with the hardware token generating the password. This method requires the clock to be accurate and synchronised with the server’s clock and the algorithm must be able to tolerate clock drift. Mathematical algorithms are another method of OPT generation. Each OPT is generated through hash calculation of the previous password.

X1 = H (S)
X2 = H (X1) = H (H (S))

Xi = H(Xi-1)

Passwords are used one at a time in a backwards orientation therefore preventing eavesdroppers who have learnt Xi and consequently all subsequent (used) passwords, from being able to guess the following password as a result of one-way hashing.

Proof by Possession

The user is required to prove their authenticity, for example through a banking card, USB memory stick which can be turned into a key through software, Subscriber Identification Module (SIM) card which is an essential part of GSM devices, and specific hardware devices such as SecurID and YubiKey. Authenticating a user becomes more difficult and if the possessed item is lost, it is much more difficult and expensive to reproduce. Another potential issue with proof by possession is it could be forgotten, cloned, damaged or even stolen.

Proof by Property

Based on the attributes rather than possession of the person. This could be biometrics both physiological such as facial scans, fingerprint, hand scan, or eye/retina scan which is commercially available, and behavioural, which could be signature, voice, or keystroke dynamics, which are commonly used as an additional authentication factor. The limitations of this include environmental and other factors such as aging causing authentication to be more difficult. Furthermore, proof of property only works on humans, needs to be easily measured and an acceptable form that is non-intrusive.

Biometrics: Methods and Certificates


Biometrics

Biometrics compare physical attributes or characteristics of a human with the stored initial. This is commonly used for identity verification purposes. The advantage of biometrics is the difficulty of forgetting, but the drawbacks include difficulty in verification, cannot be replaced if data is compromised and requirement for expensive equipment. In terms of reliability, there could be both false positives where an unauthorised user is accepted and false negatives where the legitimate user is denied access.

Methods
The main types of biometrics include:

  • Fingerprints – well developed, widely used and requires clean environment to function.
  • Hand Anatomy – not very common.
  • Iris Pattern – does not change over a lifetime, however, measurement can prove difficult.
  • Face – used for digital passports.

Other forms of biometrics include phrenology which is the observation of a person’s skull, DNA matching, voice recognition, etc. (more types of biometrics).

Fingerprints

Fingerprints have been in use for centuries. It provides forensic, government and civilian applications. Fingerprints are sensed through a live scan and through traces. It is processed either through comparison against existing value or through feature extraction, a three-step process involving macro-details, minutiae, and dimensional attributes (more info). Low-quality images, dirt on fingers, cuts, wet fingers, and skin texture mutilations can make it difficult to accurately read a fingerprint, additionally non-linear distortions are prevalent when pushing a finger against a surface, increasing difficulty. Many people are uncomfortable with using fingerprints due to the connotation with fingerprints more often being used by the police or law enforcement officers when dealing with criminals.

Hand Anatomy & Related Methods

Static Methods
Veins in the hand can be scanned through infra-red (IR) right, which is a non-intrusive method. This tolerates dirty hands. Hand geometry is another static biometric method which measures the length, width, thickness and curvature of hands and fingers. It is less distinctive than fingerprints and there is a possibility that the hand will change through injury, weight change, etc.

Dynamic Methods
Handwriting is a dynamic biometric method which captures the dynamics of writing. It is reliable as it allows those affected by injury, fatigue, temperature and medical conditions to still use a biometric method. Additionally, keystroke analysis checks for speed of typing, and the period of time the keys are pressed for. As this is a new method, the reliability is currently unknown.

Iris Recognition

Irises are highly unique because of its complexity in terms of texture. Pattern matching is used for iris recognition. To match the iris, it captures a scan or photo of the iris (acquisition), isolates it from the surroundings (segmentation), encodes the data (feature extraction) and matches it (matching). The challenges posed by acquisition include unfavourable lightning, variable distances, motion blur and poor contrast. In terms of segmentation, it is difficult to localise the position of the iris due to head rotation, camera angle, etc. Lastly, the challenges faced by matching is there is no effective theoretical model to quantify individuality.

Facial Recognition

A basic method used by humans to identify each other. Facial recognition is becoming increasingly popular nowadays. Static facial recognition include principal component analysis, linear discriminant analysis and elastic graph matching. Video recognition checks for temporal characteristics of facial motion and appearance changes. It often utilises images from multiple cameras. The problems faced by facial recognition is can easily be avoided through disguises. Illumination, facial expressions and natural aging can make it more difficult to recognise faces.

Biometrics Summary

Certificates


Electronic Certificates

5| Access Control


Authorisation


Access Control Structures

6| Operating System Security


Operating System (OS) and Protection Methods


Operating System (OS)

#| References