Tuesday, October 27, 2009

.:: || Intrusion Detection System || ::.

Intruders


  • a significant issue: hostile or unwanted trespass

  • User trespass - unauthorized logon, privilege abuse

  • Software trespass - virus, worm, or trojan horse

  • Classes of intruders: masquerader, misfeasor, clandestine user



Security Intrusion & Detection

  • Security Intrusion - a security event, or combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.


  • Intrusion Detection - a security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of attempts to access system resources in an unauthorized manner.


Hackers

  • 1. motivated by thrill of access and status

  • 2. benign intruders might be tolerable

  • 3. IDS / IPS / VPNs can help counter


Intrusion Detection Systems

Classify intrusion detection systems (IDSs) as:

  • 1. Host-based IDS: monitor single host activity

  • 2. Network-based IDS: monitor network traffic


Logical components:

  • 1. sensors - collect data

  • 2. analyzers - determine if intrusion has occurred

  • 3. user interface - manage / direct / view IDS


IDS Principles

  • assume intruder behavior differs from that of legitimate users

  • from past history


Types of IDS

  • 1. Host IDS

  • 2. Network IDS

  • 3. Distributed IDS


Intrusion Detection Techniques

  • signature detection

  • anomaly detection

  • when potential violation detected sensor sends an alert and logs information


Anomaly Detection
- threshold detection

  • checks excessive event occurrences over time

  • alone a crude and ineffective intruder detector

  • must determine both thresholds and time intervals
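The sketch below is an added example, not part of the original notes: a sliding-window threshold detector run over constructed login events. The log format, addresses and parameter values are assumptions; it shows why both the threshold and the time interval have to be chosen, and why threshold detection alone is crude.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (timestamp, source address, event); not real logs.
SAMPLE_LOG = """\
2009-10-27T09:00:00 10.0.0.9 login_failed
2009-10-27T09:00:01 10.0.0.5 login_failed
2009-10-27T09:00:04 10.0.0.5 login_failed
2009-10-27T09:00:08 10.0.0.5 login_failed
2009-10-27T09:00:12 10.0.0.5 login_failed
2009-10-27T09:00:19 10.0.0.5 login_failed
2009-10-27T09:05:00 10.0.0.9 login_failed
2009-10-27T09:10:00 10.0.0.7 login_failed
2009-10-27T09:10:00 10.0.0.9 login_failed
2009-10-27T09:10:12 10.0.0.7 login_failed
2009-10-27T09:10:25 10.0.0.7 login_failed
2009-10-27T09:10:40 10.0.0.7 login_ok
2009-10-27T09:15:00 10.0.0.9 login_failed
2009-10-27T09:20:00 10.0.0.9 login_failed
2009-10-27T09:25:00 10.0.0.9 login_failed
"""


def parse_log(text):
    """Turn 'timestamp source event' lines into (datetime, source, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, source, event = line.split()
        events.append((datetime.fromisoformat(stamp), source, event))
    return events


def threshold_alerts(events, threshold, window_seconds):
    """Alert when one source reaches `threshold` failed logins inside any
    sliding window of `window_seconds`. Returns (time, source, count) tuples."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)          # source -> timestamps still in the window
    alerts = []
    for stamp, source, event in sorted(events):
        if event != "login_failed":
            continue
        queue = recent[source]
        queue.append(stamp)
        while stamp - queue[0] > window:  # expire events older than the interval
            queue.popleft()
        if len(queue) >= threshold:
            alerts.append((stamp, source, len(queue)))
            queue.clear()                 # re-arm so one burst raises one alert
    return alerts


def alerted_sources(text, threshold, window_seconds):
    """Sorted list of sources that raised at least one alert."""
    alerts = threshold_alerts(parse_log(text), threshold, window_seconds)
    return sorted({source for _, source, _ in alerts})


if __name__ == "__main__":
    # 10.0.0.5: fast burst, 10.0.0.9: one failure every 5 minutes,
    # 10.0.0.7: a user who mistypes three times and then logs in.
    for threshold, seconds in [(5, 60), (3, 60), (5, 3600)]:
        print(threshold, seconds, alerted_sources(SAMPLE_LOG, threshold, seconds))
```

With 5 events per 60 seconds only the burst is flagged and the slow source is missed; lowering the threshold to 3 also flags the user who mistyped; widening the interval to an hour catches the slow source instead.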



Signature Detection - observes events on the system and applies a set of rules to decide whether the activity is that of an intruder

Honeypot

  • are decoy systems

  • filled with fabricated info

  • instrumented with monitors / event loggers

  • divert and hold attacker to collect activity info

  • without exposing production systems

  • initially were single systems

  • more recently are/emulate entire networks

.:: || Firewall || ::.

Types of firewall


  • 1. Packet filtering firewall

  • 2. Stateful inspection firewall

  • 3. Application level gateway (application proxy)

  • 4. circuit level gateway



Type 1: Packet filtering firewall


Packet filters act by inspecting the "packets" which represent the basic unit of data transfer between computers on the Internet. If a packet matches the packet filter's set of rules, the packet filter will drop (silently discard) the packet, or reject it (discard it, and send "error responses" to the source).

This type of packet filtering pays no attention to whether a packet is part of an existing stream of traffic (it stores no information on connection "state"). Instead, it filters each packet based only on information contained in the packet itself (most commonly using a combination of the packet's source and destination address, its protocol, and, for TCP and UDP traffic, the port number).



Type 2: Stateful Inspection Firewall


Third generation firewalls in addition regard placement of each individual packet within the packet series. This technology is generally referred to as a stateful packet inspection as it maintains records of all connections passing through the firewall and is able to determine whether a packet is either the start of a new connection, a part of an existing connection, or is an invalid packet. Though there is still a set of static rules in such a firewall, the state of a connection can in itself be one of the criteria which trigger specific rules.

This type of firewall can help prevent attacks which exploit existing connections, or certain Denial-of-service attacks.
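To make the difference between Type 1 and Type 2 concrete, here is an added example (not from the original notes) that runs the same constructed packet trace through a stateless rule set and through a filter that keeps a connection table. The addresses, the "internal clients may reach outside web servers on TCP 80" policy and the simplified TCP states are assumptions.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "src sport dst dport flags")
INTERNAL = ip_network("192.168.1.0/24")   # assumed protected network


def is_internal(addr):
    return ip_address(addr) in INTERNAL


def stateless_filter(pkt):
    """Decide from the packet alone: addresses, ports and TCP flags."""
    outbound = is_internal(pkt.src) and not is_internal(pkt.dst)
    inbound = is_internal(pkt.dst) and not is_internal(pkt.src)
    if outbound and pkt.dport == 80:
        return "allow"
    # Common stateless approximation of "reply traffic": source port 80 + ACK.
    if inbound and pkt.sport == 80 and "ACK" in pkt.flags:
        return "allow"
    return "drop"


class StatefulFilter:
    """Same policy, but every packet is also matched against a connection table."""

    def __init__(self):
        self.connections = {}   # (client, cport, server, sport) -> state

    def check(self, pkt):
        outbound = is_internal(pkt.src) and not is_internal(pkt.dst)
        inbound = is_internal(pkt.dst) and not is_internal(pkt.src)
        if outbound and pkt.dport == 80:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key in self.connections:
                return ("allow", "existing")
            if pkt.flags == {"SYN"}:            # start of a new connection
                self.connections[key] = "syn_sent"
                return ("allow", "new")
            return ("drop", "invalid")
        if inbound:
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            state = self.connections.get(key)
            if state == "syn_sent" and pkt.flags == {"SYN", "ACK"}:
                self.connections[key] = "established"
                return ("allow", "existing")
            if state == "established":
                return ("allow", "existing")
        return ("drop", "invalid")              # belongs to no known connection


def pkt(src, sport, dst, dport, *flags):
    return Packet(src, sport, dst, dport, frozenset(flags))


# Constructed trace: a normal web connection plus one unsolicited inbound packet.
TRACE = [
    pkt("192.168.1.10", 40000, "203.0.113.5", 80, "SYN"),
    pkt("203.0.113.5", 80, "192.168.1.10", 40000, "SYN", "ACK"),
    pkt("192.168.1.10", 40000, "203.0.113.5", 80, "ACK"),
    pkt("198.51.100.9", 80, "192.168.1.20", 5555, "ACK"),   # no connection exists
    pkt("203.0.113.5", 80, "192.168.1.10", 40000, "ACK"),
]


def run_stateless(trace):
    return [stateless_filter(p) for p in trace]


def run_stateful(trace):
    fw = StatefulFilter()
    return [fw.check(p) for p in trace]


if __name__ == "__main__":
    for p, a, b in zip(TRACE, run_stateless(TRACE), run_stateful(TRACE)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {sorted(p.flags)} "
              f"stateless={a} stateful={b}")
```

The fourth packet passes the stateless rules because its header looks like reply traffic, while the stateful filter classifies it as invalid because no internal host opened that connection.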

Type 3: Application Proxy Firewall & Type 4: Circuit-level Proxy Firewall


Firewall hosting

  • 1. Bastion host = a single firewall that covers a network territory

  • 2. Host-based = a single firewall that protects a single workstation/server



VPN

  • Creates a secure LAN connection through the Internet.

  • An outsider will think that we are on a LAN, but we are actually using the Internet.



Distributed firewall

  • A firewall installed per subnet in a network



A feature of distributed firewalls:

  • The ability to populate servers and end-users machines, to configure and "push out" consistent security policies helps to maximize limited resources.

  • secure critical servers on the network preventing intrusion by malicious code and "jailing" other such code by not letting the protected server be used as a launch pad for expanded attacks.

.:: || Wireless Security || ::.

There are three principal ways to secure a wireless network.


  • For closed networks (like home users and organizations) the most common way is to configure access restrictions in the access points. Those restrictions may include encryption and checks on MAC address. Another option is to disable ESSID broadcasting, making the access point difficult for outsiders to detect. Wireless Intrusion Prevention Systems can be used to provide wireless LAN security in this network model.

  • For commercial providers, hotspots, and large organizations, the preferred solution is often to have an open and unencrypted, but completely isolated wireless network. The users will at first have no access to the Internet nor to any local network resources. Commercial providers usually forward all web traffic to a captive portal which provides for payment and/or authorization. Another solution is to require the users to connect securely to a privileged network using VPN.

  • Wireless networks are less secure than wired ones; in many offices intruders can easily visit and hook up their own computer to the wired network without problems, gaining access to the network, and it's also often possible for remote intruders to gain access to the network through backdoors like Back Orifice. One general solution may be end-to-end encryption, with independent authentication on all resources that shouldn't be available to the public.



Joining BBS




Roaming & channel

  • roaming = moving away from the initial AP's network to another AP's network



802.11a

  • 54Mbps in 5GHz range

  • not compatible


802.11g

  • 54Mbps in 2.4GHz range

  • compatible


802.11b

  • 11Mbps in 2.4GHz range

  • compatible


Open system authentication

  • Service Set Identifier (SSID)

  • Station must specify SSID to connect to the AP


Interception

  • signal is weakened by 3 factors:



  • 1. Wall

  • 2. floor

  • 3. interference


802.11

  • 3 basic security service:


  • 1. Authentication

  • 2. Integrity - data will be encrypted using the WEP & WPA techniques.

  • 3. Confidentiality

  • * Some say WPA is much more secure than WEP, but it actually depends on the type of shared key, which is based on its library. If it uses a simple library, it would be easy to crack and hack the network.

    Passive attack

    • Attacker collects all traffic

    • Attacker collects two messages


  • 1. encrypted with the same key and IV

  • 2. Statistical attack to reveal plaintext

  • 3. Plaintext XOR ciphertext = keystream


  • Tool to crack the wireless AP

    • Backtrack


    .:: || Security Application || ::.

    Email


    • has 2 parts

    • header

    • body

    • sent in text file format

    • Uses MIME, which allows us to send an email that contains an image file, an attachment or anything else.

    • Not encrypted, because it is just plain text



    S/MIME

    • Encrypted content

    • We can choose whether to send the email as plaintext or encrypted.



    Web Security

    • To secure our web/http

    • Use SSL/TLS, SSH, SET





    Email Transported

    Monday, October 26, 2009

    .:: || Security In Network || ::.

    Computer Networks

    Definition

    A computer network is a computing environment with more than one independent processor.

    Network Resources :


    • Computers

    • Operating Systems

    • Programs

    • Process

    • People



    Network Architecture


    Network architecture is the design of a communications network. It is a framework for the specification of a network's physical components and their functional organization and configuration, its operational principles and procedures, as well as data formats used in its operation.

    In computing, the network architecture is a characteristic of a computer network. The most prominent architecture today is evident in the framework of the Internet, which is based on the Internet Protocol Suite.

    Basic Terminology

    • Node

    • Host

    • Link

    • Topology



    Type of Network



    Network Topology

    Bus Topology


    A bus network topology is a network architecture in which a set of clients are connected via a shared communications line, called a bus. There are several common instances of the bus architecture, including one in the motherboard of most computers, and those in some versions of Ethernet networks.

    Bus networks are the simplest way to connect multiple clients, but may have problems when two clients want to transmit at the same time on the same bus. Thus systems which use bus network architectures normally have some scheme of collision handling or collision avoidance for communication on the bus, quite often using Carrier Sense Multiple Access or the presence of a bus master which controls access to the shared bus resource.

    Star Topology


    Star networks are one of the most common computer network topologies. In its simplest form, a star network consists of one central switch, hub or computer, which acts as a conduit to transmit messages. Thus, the hub and leaf nodes, and the transmission lines between them, form a graph with the topology of a star. If the central node is passive, the originating node must be able to tolerate the reception of an echo of its own transmission, delayed by the two-way transmission time (i.e. to and from the central node) plus any delay generated in the central node. An active star network has an active central node that usually has the means to prevent echo-related problems.

    Ring Topology


    A ring network is a network topology in which each node connects to exactly two other nodes, forming a single continuous pathway for signals through each node - a ring. Data travels from node to node, with each node along the way handling every packet.

    Because a ring topology provides only one pathway between any two nodes, ring networks may be disrupted by the failure of a single link. A node failure or cable break might isolate every node attached to the ring. FDDI networks overcome this vulnerability by sending data on a clockwise and a counterclockwise ring: in the event of a break data is wrapped back onto the complementary ring before it reaches the end of the cable, maintaining a path to every node along the resulting "C-Ring". 802.5 networks -- also known as IBM Token Ring networks -- avoid the weakness of a ring topology altogether: they actually use a star topology at the physical layer and a Multistation Access Unit to imitate a ring at the datalink layer.

    Many ring networks add a "counter-rotating ring" to form a redundant topology. Such "dual ring" networks include Spatial Reuse Protocol, Fiber Distributed Data Interface (FDDI), and Resilient Packet Ring.

    Mesh Topology


    Mesh networking is a type of networking where each node in the network may act as an independent router, regardless of whether it is connected to another network or not. It allows for continuous connections and reconfiguration around broken or blocked paths by “hopping” from node to node until the destination is reached. A mesh network whose nodes are all connected to each other is a fully connected network. Mesh networks differ from other networks in that the component parts can all connect to each other via multiple hops, and they generally are not mobile. Mesh networks can be seen as one type of ad hoc network.

    Layer Responsibilities




    Advantages of Computer Networks


    • Resource sharing

    • Increased reliability

    • Distributing the workload

    • Expandability



    Disadvantages of Computer Networks

    • Sharing

    • Complexity

    • Unknown parameter

    • Many points of attack

    • Unknown path

    • Label format difference



    People who cause security problems:

    • Hacker

    • Spy

    • Student

    • Stockbroker

    • Terrorist

    • Ex-employee



    Network Security Control

    • Encryption

    • Strong Authentication

    • IPSec, VPN, SSH

    • Kerberos

    • Firewall

    • Intrusion Detection System (IDS)

    • Intrusion Prevention System (IPS)

    • Honeypot



    1. Encryption

    It has 2 types:

    • Link to link

    • End to end



    Link to link

    • covers layer 1 and layer 2 of the OSI Model.

    • decryption occurs just as the communication arrives and enters the receiving computer.



    End to end

    • Some assert that the end-to-end principle is one of the central design principles of the Internet and is implemented in the design of the underlying methods and protocols in the Internet Protocol Suite. It is also used in other distributed systems. The principle states that, whenever possible, communications protocol operations should be defined to occur at the end-points of a communications system, or as close as possible to the resource being controlled.



    2. Strong Authentication

    • Strong authentication is a notion with several unofficial definitions; it is not standardized in the security literature.

    • Often, strong authentication is associated with two-factor authentication or more generally multi-factor authentication. It should also be remembered, however, that "strong authentication" and "multi-factor authentication" are fundamentally different processes. Soliciting multiple answers to challenge questions may be considered strong authentication but, unless the process also retrieves 'something you have' or 'something you are', it would not be considered multi-factor.



    3. IPSec, SSH and SSL

    IPSec

    • optional in IPv4

    • defines a standard means for handling encrypted data

    • Implemented at the IP layer, so it affects all layers above it, in particular TCP and UDP.

    • provide authentication (AH) & encryption (ESP)



    SSH

    • secure remote login (encrypts data sent over the network)



    SSL


    • Secure Sockets Layer; encrypts data over the transport layer.

    • SSL interfaces between applications (such as browsers) and the TCP/IP protocols to provide server authentication, optional client authentication, and an encrypted communications channel between client and server.



    4. Kerberos


    • Kerberos is a computer network authentication protocol, which allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

    • Kerberos protocol messages are protected against eavesdropping and replay attacks. Kerberos builds on symmetric key cryptography and requires a trusted third party. Extensions to Kerberos can provide for the use of public-key cryptography during certain phases of authentication.



    A simplified and more detailed description of the protocol follows. The following abbreviations are used:

    • AS = Authentication Server

    • SS = Service Server

    • TGS = Ticket-Granting Server

    • TGT = Ticket-Granting Ticket




    Phase 1: In messages 1 and 2, C and AS authenticate and set up short-term key and ticket granting ticket.


    Phase 2: In messages 3 and 4, C and TGS authenticate and set up session keys and (session) ticket.

    Phase 3: In messages 5 and 6, C and S use session key and ticket to authenticate and set up secure session.

    Phases 2 and 3 will usually be repeated many times for each execution of Phase 1.

    5. Firewall


    • A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It is a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy all (in and out) computer traffic between different security domains based upon a set of rules and other criteria.

    • Firewalls can be implemented in either hardware or software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.



    There are several types of firewall techniques:

    • 1. Packet filter: Packet filtering inspects each packet passing through the network and accepts or rejects it based on user-defined rules. Although difficult to configure, it is fairly effective and mostly transparent to its users. In addition, it is susceptible to IP spoofing.

    • 2. Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.

    • 3. Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.

    • 4. Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.




    Show how a firewall works

    6. Intrusion Prevention System

    • An Intrusion prevention system (IPS) is a network security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real-time, to block or prevent those activities. Network-based IPS, for example, will operate in-line to monitor all network traffic for malicious code or attacks. When an attack is detected, it can drop the offending packets while still allowing all other traffic to pass. Intrusion prevention technology is considered by some to be an extension of intrusion detection (IDS) technology.



    7. Intrusion Detection System

    • An Intrusion detection system (IDS) is software and/or hardware designed to detect unwanted attempts at accessing, manipulating, and/or disabling computer systems, mainly through a network, such as the Internet. These attempts may take the form of attacks, as examples, by crackers, malware and/or disgruntled employees. An IDS cannot directly detect attacks within properly encrypted traffic.


    • An intrusion detection system is used to detect several types of malicious behaviors that can compromise the security and trust of a computer system. This includes network attacks against vulnerable services, data driven attacks on applications, host based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses, trojan horses, and worms).




    Saturday, October 17, 2009

    .:: || Happy Deepavali || ::.



    Happy Deepavali to all Malaysians

    Wednesday, October 7, 2009

    .:: || Authentication & Access Control || ::.

    Authentication?

    Authentication (from Greek: αυθεντικός ; real or genuine, from authentes; author) is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the subject are true ("authentification" is a variant of this word). This might involve confirming the identity of a person, tracing the origins of an artifact, ensuring that a product is what its packaging and labeling claims to be, or assuring that a computer program is a trusted one.

    Requirement of Authentication

    Authentication must be able to verify that:

    1. Message came from apparent source or author.
    2. Contents have not been altered.
    3. Sometimes, it was sent at a certain time or sequence.

    Password

    Protection of passwords
    Don’t reveal your password to anybody
    Don’t write down or enter your password everywhere
    Etc.

    Choosing a good password

    Criteria:
    Hard to guess and easy to remember
    Characteristics of a good password
    Not shorter than six characters
    Not patterns from the keyboard
    Etc.

    Calculations on password

    Password population, N = r^s
    Probability of guessing a password = 1/N
    Probability of success, P = nt/N

    Biometric Identifiers

    Biometrics refers to methods for uniquely recognizing humans based upon one or more intrinsic physical or behavioral traits. In information technology, in particular, biometrics is used as a form of identity access management and access control. It is also used to identify individuals in groups that are under surveillance.

    Biometric characteristics can be divided in 2 main classes:

    * Physiological are related to the shape of the body. Examples include, but are not limited to fingerprint, face recognition, DNA, hand and palm geometry, iris recognition, which has largely replaced retina, and odor/scent.
    * Behavioral are related to the behavior of a person. Examples include, but are not limited to typing rhythm, gait, and voice. Some researchers have coined the term behaviometrics for this class of biometrics.

    It is possible to understand if a human characteristic can be used for biometrics in terms of the following parameters:

    * Universality – each person should have the characteristic.
    * Uniqueness – is how well the biometric separates individuals from another.
    * Permanence – measures how well a biometric resists aging and other variance over time.
    * Collectability – ease of acquisition for measurement.
    * Performance – accuracy, speed, and robustness of technology used.
    * Acceptability – degree of approval of a technology.
    * Circumvention – ease of use of a substitute.

    A biometric system can operate in the following two modes:

    * Verification – A one to one comparison of a captured biometric with a stored template to verify that the individual is who he claims to be. Can be done in conjunction with a smart card, username or ID number.
    * Identification – A one to many comparison of the captured biometric against a biometric database in attempt to identify an unknown individual. The identification only succeeds in identifying the individual if the comparison of the biometric sample to a template in the database falls within a previously set threshold.

    Basic Block Diagram of a Biometric System.


    Biometric Method

    Face recognition



    Of the various biometric identification methods, face recognition is one of the most flexible, working even when the subject is unaware of being scanned. It also shows promise as a way to search through masses of people who spent only seconds in front of a "scanner" - that is, an ordinary digital camera.
    Face recognition systems work by systematically analyzing specific features that are common to everyone's face - the distance between the eyes, width of the nose, position of cheekbones, jaw line, chin and so forth. These numerical quantities are then combined in a single code that uniquely identifies each person.

    Fingerprint identification



    Fingerprints remain constant throughout life. In over 140 years of fingerprint comparison worldwide, no two fingerprints have ever been found to be alike, not even those of identical twins. Good fingerprint scanners have been installed in PDAs like the iPaq Pocket PC; so scanner technology is also easy. Might not work in industrial applications since it requires clean hands.
    Fingerprint identification involves comparing the pattern of ridges and furrows on the fingertips, as well as the minutiae points (ridge characteristics that occur when a ridge splits into two, or ends) of a specimen print with a database of prints on file.

    Hand geometry biometrics



    Hand geometry readers work in harsh environments, do not require clean conditions, and form a very small dataset. It is not regarded as an intrusive kind of test. It is often the authentication method of choice in industrial environments.

    Retina scan



    There is no known way to replicate a retina. As far as anyone knows, the pattern of the blood vessels at the back of the eye is unique and stays the same for a lifetime. However, it requires about 15 seconds of careful concentration to take a good scan. Retina scan remains a standard in military and government installations.

    Access Control

    What do you know about Access Control?

    An access control system is a system which enables an authority to control access to areas and resources in a given physical facility or computer-based information system. An access control system, within the field of physical security, is generally seen as the second layer in the security of a physical structure.

    Access Control Principles



    Access Control Requirements

    ¤ reliable input
    ¤ fine and coarse specifications
    ¤ least privilege
    ¤ separation of duty
    ¤ open and closed policies
    ¤ policy combinations, conflict resolution
    ¤ administrative policies

    Access Control Matrix

    Access Control Matrix or Access Matrix is an abstract, formal security model of protection state in computer systems, that characterizes the rights of each subject with respect to every object in the system.

    Example Access Control Matrix

    Consider system with two files and two processes. Set of rights is - r,w,x,a,o (read, write, execute, append, own).



    Can get very large and hence inefficient in general purpose scenarios – seldom used.

    Access Control List

    An access control list (ACL) is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed to be performed on given objects. In a typical ACL, each entry in the list specifies a subject and an operation (e.g. the entry (Alice, delete) on the ACL for file WXY gives Alice permission to delete file WXY).

    UNIX File Access Control



    ¤ “set user ID” (SetUID) or “set group ID” (SetGID)
      - system temporarily uses rights of the file owner / group in addition to the real user’s rights when making access control decisions
      - enables privileged programs to access files / resources not generally accessible
    ¤ sticky bit
      - on directory limits rename/move/delete to owner
    ¤ superuser
      - is exempt from usual access control restrictions.

    File Permission

    There are three specific permissions on Unix-like systems that apply to each class:

    * The read permission

    which grants the ability to read a file. When set for a directory, this permission grants the ability to read the names of files in the directory (but not to find out any further information about them, including file type, size, ownership, permissions.)

    * The write permission

    which grants the ability to modify a file. When set for a directory, this permission grants the ability to modify entries in the directory. This includes creating files, deleting files, and renaming files.

    * The execute permission

    which grants the ability to execute a file. This permission must be set for executable binaries (for example, a compiled c++ program) or shell scripts (for example, a Perl program) in order to allow the operating system to run them. When set for a directory, this permission grants the ability to traverse its tree in order to access files or subdirectories, but not see files inside the directory (unless read is set).

    .:: || Modern Cryptography || ::.

    Modern Cryptography Algorithm

    Most modern ciphers use a sequence of binary digits (bits), that is, zeros and ones such as ASCII.

    This bit sequence representing the plaintext is then encrypted to give the ciphertext as a bit sequence.

    Stream Ciphers



    A Stream Cipher is a symmetric key cipher where plaintext bits are combined with a pseudorandom cipher bit stream (keystream), typically by an exclusive-or (xor) operation. In a stream cipher the plaintext digits are encrypted one at a time, and the transformation of successive digits varies during the encryption. An alternative name is a state cipher, as the encryption of each digit is dependent on the current state. In practice, the digits are typically single bits or bytes.

    Stream ciphers represent a different approach to symmetric encryption from block ciphers. Block ciphers operate on large blocks of digits with a fixed, unvarying transformation. This distinction is not always clear-cut: in some modes of operation, a block cipher primitive is used in such a way that it acts effectively as a stream cipher. Stream ciphers typically execute at a higher speed than block ciphers and have lower hardware complexity. However, stream ciphers can be susceptible to serious security problems if used incorrectly: see stream cipher attacks — in particular, the same starting state must never be used twice.
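The warning that the same starting state must never be used twice, and the passive-attack list in the wireless notes (two messages encrypted with the same key and IV, plaintext XOR ciphertext = keystream), describe the same property. The added example below is not from the original notes; it uses a hash-based toy keystream generator as a stand-in (an assumption, not RC4 or WEP itself) with constructed keys, IVs and messages, and ends with a check a monitor can run for repeated IVs.

```python
import hashlib
from collections import Counter


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy keystream generator (stand-in for a real stream cipher):
    hash key || IV || counter and concatenate the digests."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Binary additive stream cipher: ciphertext = plaintext XOR keystream."""
    return xor(data, keystream(key, iv, len(data)))


decrypt = encrypt   # XOR with the same keystream undoes the encryption


def recover_with_known_plaintext(known_plain, its_cipher, other_cipher):
    """If both ciphertexts used the same key and IV, one known plaintext
    yields the keystream, and the keystream opens the other message."""
    stream = xor(known_plain, its_cipher)    # plaintext XOR ciphertext = keystream
    return xor(other_cipher, stream)


def find_iv_reuse(frames):
    """Defensive check: return the IVs that occur on more than one frame.
    `frames` is a list of (iv, ciphertext) pairs as a monitor would record them."""
    counts = Counter(iv for iv, _ in frames)
    return sorted(iv for iv, n in counts.items() if n > 1)


# Constructed demo values.
KEY = b"constructed-demo-key"
IV_A, IV_B = b"\x00\x00\x01", b"\x00\x00\x02"
P1 = b"GET /index.html HTTP/1.0"          # message whose content is predictable
P2 = b"user=alice&pin=4821 secret"        # message meant to stay confidential

if __name__ == "__main__":
    c1 = encrypt(KEY, IV_A, P1)
    c2 = encrypt(KEY, IV_A, P2)            # same key and IV: keystream repeats
    c3 = encrypt(KEY, IV_B, P2)            # fresh IV: different keystream
    print("c1 XOR c2 == p1 XOR p2:", xor(c1, c2) == xor(P1, P2))
    print("reused IV :", recover_with_known_plaintext(P1, c1, c2))
    print("fresh IV  :", recover_with_known_plaintext(P1, c1, c3))
    print("IVs reused:", find_iv_reuse([(IV_A, c1), (IV_A, c2), (IV_B, c3)]))
```

With the reused IV the first 24 bytes of the second message come back in the clear without the key; with a fresh IV the same computation yields only noise.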

    Type of Stream Ciphers

    1.Synchronous stream ciphers

    In a synchronous stream cipher a stream of pseudo-random digits is generated independently of the plaintext and ciphertext messages, and then combined with the plaintext (to encrypt) or the ciphertext (to decrypt). In the most common form, binary digits are used (bits), and the keystream is combined with the plaintext using the exclusive or operation (XOR). This is termed a binary additive stream cipher.

    In a synchronous stream cipher, the sender and receiver must be exactly in step for decryption to be successful. If digits are added or removed from the message during transmission, synchronisation is lost. To restore synchronisation, various offsets can be tried systematically to obtain the correct decryption. Another approach is to tag the ciphertext with markers at regular points in the output.

    2.Self-synchronizing stream ciphers

    Another approach uses several of the previous N ciphertext digits to compute the keystream. Such schemes are known as self-synchronizing stream ciphers, asynchronous stream ciphers or ciphertext autokey (CTAK). The idea of self-synchronization was patented in 1946, and has the advantage that the receiver will automatically synchronise with the keystream generator after receiving N ciphertext digits, making it easier to recover if digits are dropped or added to the message stream. Single-digit errors are limited in their effect, affecting only up to N plaintext digits.

    An example of a self-synchronising stream cipher is a block cipher in cipher-feedback mode (CFB).

    Block Ciphers

    A block cipher is a symmetric key cipher operating on fixed-length groups of bits, termed blocks, with an unvarying transformation. A block cipher encryption algorithm might take (for example) a 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext. The exact transformation is controlled using a second input — the secret key. Decryption is similar: the decryption algorithm takes, in this example, a 128-bit block of ciphertext together with the secret key, and yields the original 128-bit block of plaintext.

    To encrypt messages longer than the block size (128 bits in the above example), a mode of operation is used.

    Block ciphers can be contrasted with stream ciphers; a stream cipher operates on individual digits one at a time, and the transformation varies during the encryption. The distinction between the two types is not always clear-cut: a block cipher, when used in certain modes of operation, acts effectively as a stream cipher.

    An early and highly influential block cipher design was the Data Encryption Standard (DES), developed at IBM and published as a standard in 1977. A successor to DES, the Advanced Encryption Standard (AES)

    A block cipher consists of two paired algorithms, one for encryption, E, and another for decryption, E^{-1}. Both algorithms accept two inputs: an input block of size n bits and a key of size k bits, yielding an n-bit output block. For any one fixed key, decryption is the inverse function of encryption, so that

        E_K^{-1}(E_K(M)) = M

    for any block M and key K.

    Data Encryption Standard (DES)



    The Data Encryption Standard (DES) is a block cipher (a form of shared secret encryption) that was selected by the National Bureau of Standards as an official Federal Information Processing Standard (FIPS) for the United States in 1976 and which has subsequently enjoyed widespread use internationally. It is based on a symmetric-key algorithm that uses a 56-bit key. The algorithm was initially controversial with classified design elements, a relatively short key length, and suspicions about a National Security Agency (NSA) backdoor. DES consequently came under intense academic scrutiny which motivated the modern understanding of block ciphers and their cryptanalysis.



    DES is now considered to be insecure for many applications. There are also some analytical results which demonstrate theoretical weaknesses in the cipher, although they are infeasible to mount in practice. The algorithm is believed to be practically secure in the form of Triple DES, although there are theoretical attacks. In recent years, the cipher has been superseded by the Advanced Encryption Standard (AES).

    Advanced Encryption Standard

    The Advanced Encryption Standard (AES) is an encryption standard adopted by the U.S. government. The standard comprises three block ciphers, AES-128, AES-192 and AES-256, adopted from a larger collection originally published as Rijndael. Each AES cipher has a 128-bit block size, with key sizes of 128, 192 and 256 bits, respectively. The AES ciphers have been analyzed extensively and are now used worldwide, as was the case with its predecessor, the Data Encryption Standard (DES).

    AES was announced by the National Institute of Standards and Technology (NIST) as U.S. FIPS PUB 197 (FIPS 197) on November 26, 2001, after a 5-year standardization process in which fifteen competing designs were presented and evaluated before Rijndael was selected as the most suitable. It became effective as a standard on May 26, 2002. As of 2009, AES is one of the most popular algorithms used in symmetric key cryptography. It is available in many different encryption packages. AES is the first publicly accessible and open cipher approved by the NSA for top secret information.

    High-level description of the algorithm

    • KeyExpansion using Rijndael's key schedule

    • Initial Round
        1. AddRoundKey

    • Rounds
        1. SubBytes — a non-linear substitution step where each byte is replaced with another according to a lookup table.
        2. ShiftRows — a transposition step where each row of the state is shifted cyclically a certain number of steps.
        3. MixColumns — a mixing operation which operates on the columns of the state, combining the four bytes in each column.
        4. AddRoundKey — each byte of the state is combined with the round key; each round key is derived from the cipher key using a key schedule.

    • Final Round (no MixColumns)
        1. SubBytes
        2. ShiftRows
        3. AddRoundKey



    The SubBytes step

    In the SubBytes step, each byte in the array is updated using an 8-bit substitution box, the Rijndael S-box. This operation provides the non-linearity in the cipher. The S-box used is derived from the multiplicative inverse over GF(2^8), known to have good non-linearity properties. To avoid attacks based on simple algebraic properties, the S-box is constructed by combining the inverse function with an invertible affine transformation. The S-box is also chosen to avoid any fixed points (and so is a derangement), and also any opposite fixed points.

    The ShiftRows step

    The ShiftRows step operates on the rows of the state; it cyclically shifts the bytes in each row by a certain offset. For AES, the first row is left unchanged. Each byte of the second row is shifted one to the left. Similarly, the third and fourth rows are shifted by offsets of two and three respectively. For the block of size 128 bits and 192 bits the shifting pattern is the same. In this way, each column of the output state of the ShiftRows step is composed of bytes from each column of the input state. (Rijndael variants with a larger block size have slightly different offsets). In the case of the 256-bit block, the first row is unchanged and the shifting for second, third and fourth row is 1 byte, 3 bytes and 4 bytes respectively - this change only applies for the Rijndael cipher when used with a 256-bit block, as AES does not use 256-bit blocks.

    The MixColumns step

    In the MixColumns step, the four bytes of each column of the state are combined using an invertible linear transformation. The MixColumns function takes four bytes as input and outputs four bytes, where each input byte affects all four output bytes. Together with ShiftRows, MixColumns provides diffusion in the cipher. Each column is treated as a polynomial over GF(2^8) and is then multiplied modulo x^4 + 1 with a fixed polynomial c(x) = 3x^3 + x^2 + x + 2. The MixColumns step can also be viewed as a multiplication by a particular MDS matrix in a finite field. This process is described further in the article Rijndael mix columns.

    The AddRoundKey step

    In the AddRoundKey step, the subkey is combined with the state. For each round, a subkey is derived from the main key using Rijndael's key schedule; each subkey is the same size as the state. The subkey is added by combining each byte of the state with the corresponding byte of the subkey using bitwise XOR.
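    The four steps above can be written out directly. The following Python code is an added example, not code from the original post: it derives the S-box from the GF(2^8) inverse and the affine transformation, then runs one full round on the round-1 state and round key printed in FIPS 197 Appendix B. The function names are this example's own, and it is a teaching sketch (no key schedule, not constant-time).

```python
def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse computed as a^254; 0 has no inverse and maps to 0."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


def rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF


def build_sbox() -> list:
    """S-box = affine transformation applied to the GF(2^8) inverse of each byte."""
    box = []
    for x in range(256):
        b = gf_inv(x)
        box.append(b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63)
    return box


SBOX = build_sbox()

# The 16-byte state is stored column by column: index = row + 4 * column.


def sub_bytes(s):
    return [SBOX[b] for b in s]


def shift_rows(s):
    """Row r is rotated left by r positions; row 0 is unchanged."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(s):
    """Multiply each column by c(x) = 3x^3 + x^2 + x + 2 modulo x^4 + 1."""
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        for r in range(4):
            out.append(gf_mul(2, a[r]) ^ gf_mul(3, a[(r + 1) % 4])
                       ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
    return out


def add_round_key(s, round_key):
    return [x ^ k for x, k in zip(s, round_key)]


def aes_round(state, round_key):
    """One middle round: SubBytes, ShiftRows, MixColumns, AddRoundKey."""
    return add_round_key(mix_columns(shift_rows(sub_bytes(state))), round_key)


# Values from the FIPS 197 Appendix B cipher example (round 1).
STATE_R1 = bytes.fromhex("193de3bea0f4e22b9ac68d2ae9f84808")
ROUND_KEY_1 = bytes.fromhex("a0fafe1788542cb123a339392a6c7605")

if __name__ == "__main__":
    print(bytes(aes_round(STATE_R1, ROUND_KEY_1)).hex())
    print("fixed points:", [x for x in range(256) if SBOX[x] == x])
    print("opposite fixed points:", [x for x in range(256) if SBOX[x] == x ^ 0xFF])
```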

    Message Authentication Code

    A message authentication code (often MAC) is a short piece of information used to authenticate a message.

    A MAC algorithm, sometimes called a keyed (cryptographic) hash function, accepts as input a secret key and an arbitrary-length message to be authenticated, and outputs a MAC (sometimes known as a tag). The MAC value protects both a message's data integrity as well as its authenticity, by allowing verifiers (who also possess the secret key) to detect any changes to the message content.

    Message Authentication Code Flow



    The sender of a message runs it through a MAC algorithm to produce a MAC data tag. The message and the MAC tag are then sent to the receiver. The receiver in turn runs the message portion of the transmission through the same MAC algorithm using the same key, producing a second MAC data tag. The receiver then compares the first MAC tag received in the transmission to the second generated MAC tag. If they are identical, the receiver can safely assume that the integrity of the message was not compromised, and the message was not altered or tampered with during transmission.
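    The flow described above, as an added Python example that is not part of the original post. It assumes HMAC-SHA256 as the MAC algorithm and a simple frame layout of message followed by a fixed-length tag; both choices, the function names and the sample key and message are this example's own.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # HMAC-SHA256 tags are 32 bytes


def mac_tag(key: bytes, message: bytes) -> bytes:
    """Compute the MAC tag over the message with the shared secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def sender_frame(key: bytes, message: bytes) -> bytes:
    """Sender side: transmit the message followed by its tag."""
    return message + mac_tag(key, message)


def receiver_accept(key: bytes, frame: bytes):
    """Receiver side: recompute the tag over the message portion and compare.

    Returns the message if the tags match, otherwise None.
    """
    if len(frame) < TAG_LEN:
        return None  # too short to even contain a tag
    message, received_tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected_tag = mac_tag(key, message)
    # compare_digest runs in constant time, so the comparison does not leak
    # how many leading bytes of a forged tag were correct.
    if hmac.compare_digest(received_tag, expected_tag):
        return message
    return None


if __name__ == "__main__":
    key = b"constructed shared secret"          # constructed sample key
    frame = sender_frame(key, b"transfer 100 to account 42")
    print("intact  :", receiver_accept(key, frame))
    tampered = frame.replace(b"100", b"900")    # message altered in transit
    print("tampered:", receiver_accept(key, tampered))
```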

    Hash Function

    A hash function is a deterministic procedure that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that an accidental or intentional change to the data will change the hash value. The data to be encoded is often called the "message", and the hash value is sometimes called the message digest or simply digest.

    The ideal cryptographic hash function has four main properties:

    • it is easy to compute the hash value for any given message,

    • it is infeasible to find a message that has a given hash,

    • it is infeasible to modify a message without changing its hash,

    • it is infeasible to find two different messages with the same hash.



    A cryptographic hash function (specifically, SHA-1) at work. Note that even small changes in the source input drastically change the resulting output, by the so-called avalanche effect.

    RSA (Rivest, Shamir & Adleman)

    RSA (which stands for Rivest, Shamir and Adleman who first publicly described it) is an algorithm for public-key cryptography. It is the first algorithm known to be suitable for signing as well as encryption, and one of the first great advances in public key cryptography. RSA is widely used in electronic commerce protocols, and is believed to be secure given sufficiently long keys and the use of up-to-date implementations.

    RSA Key Setup Example :

    • 1. Select primes: p = 17 & q = 11

    • 2. Compute n = pq = 17 x 11 = 187

    • 3. Compute ø(n) = (p-1)(q-1) = 16 x 10 = 160

    • 4. Select e: gcd(e,160) = 1; choose e = 7

    • 5. Determine d: de = 1 mod 160 and d < 160. Value is d = 23

    • 6. Publish public key PU = {7,187}

    • 7. Keep secret private key PR = {23,187}



    RSA Key Generation

    Users of RSA must:

    • determine two primes at random - p, q
    • select either e or d and compute the other

    The primes p, q must not be easily derived from the modulus n = p*q:

    • this means they must be sufficiently large
    • typically, guess a candidate and use a probabilistic test

    The exponents e, d are inverses, so use the Inverse algorithm to compute the other.
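    The key setup example and the key generation steps above, as an added Python example that is not part of the original post. It assumes Miller-Rabin as the probabilistic test and the extended Euclidean algorithm as the inverse algorithm; function names are this example's own. This is textbook RSA with toy key sizes and no padding, for following the arithmetic only.

```python
import secrets
from math import gcd

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29)


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:            # write n - 1 as d * 2^s with d odd
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)   # random witness in [2, n - 2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False         # a proves n composite
    return True


def ext_gcd(a: int, b: int):
    """Return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = ext_gcd(b, a % b)
    return g, y, x - (a // b) * y


def mod_inverse(e: int, phi: int) -> int:
    """Find d with d*e = 1 mod phi."""
    g, x, _ = ext_gcd(e, phi)
    if g != 1:
        raise ValueError("e and phi(n) are not coprime")
    return x % phi


def keypair_from_primes(p: int, q: int, e: int):
    """Steps 2 to 7 of the setup: returns (public, private) as ((e, n), (d, n))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (mod_inverse(e, phi), n)


def random_prime(bits: int) -> int:
    """Guess odd candidates of the requested size until one passes the test."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 64, e: int = 65537):
    """Toy-sized key generation; real keys use moduli of 2048 bits or more."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p != q and gcd(e, (p - 1) * (q - 1)) == 1:
            return keypair_from_primes(p, q, e)


if __name__ == "__main__":
    public, private = keypair_from_primes(17, 11, 7)
    print("PU =", public, "PR =", private)
    c = pow(88, *public)         # encrypt the constructed message M = 88
    print("C =", c, "M =", pow(c, *private))
```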

    Tuesday, October 6, 2009

    .:: || Basic Cryptography || ::.

    Cryptography Definition

    Cryptography (or cryptology; from Greek κρυπτός, kryptos, "hidden, secret"; and γράφω, gráphō, "I write", or -λογία, -logia, respectively) is the practice and study of hiding information. Modern cryptography intersects the disciplines of mathematics, computer science, and engineering. Applications of cryptography include ATM cards, computer passwords, and electronic commerce (from //en.wikipedia.org/wiki/Cryptography).

    Cryptography Concept


    • scramble data in storage

    • transmit data over the Internet

    • users can get the data but they can't read it



    Art of secret writing



    i) Steganography

    Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message, a form of security through obscurity. The word steganography is of Greek origin and means "concealed writing". The first recorded use of the term was in 1499 by Johannes Trithemius in his Steganographia, a treatise on cryptography and steganography disguised as a book on magic. Generally, messages will appear to be something else: images, articles, shopping lists, or some other covertext and, classically, the hidden message may be in invisible ink between the visible lines of a private letter.

    The advantage of steganography, over cryptography alone, is that messages do not attract attention to themselves. Plainly visible encrypted messages—no matter how unbreakable—will arouse suspicion, and may in themselves be incriminating in countries where encryption is illegal. Therefore, whereas cryptography protects the contents of a message, steganography can be said to protect both messages and communicating parties.

    Steganography includes the concealment of information within computer files. In digital steganography, electronic communications may include steganographic coding inside of a transport layer, such as a document file, image file, program or protocol. Media files are ideal for steganographic transmission because of their large size. As a simple example, a sender might start with an innocuous image file and adjust the color of every 100th pixel to correspond to a letter in the alphabet, a change so subtle that someone not specifically looking for it is unlikely to notice it.

    Within this picture, the letter positions of a hidden message are represented by increasing numbers (1 to 20), and a letter's value is given by its intersection position in the grid. For instance, the first letter of the hidden message is at the intersection of 1 and 4. So, after a few tries, the first letter of the message seems to be the 14th letter of the alphabet; the last one (number 20) is the 5th letter of the alphabet.

    Cryptography Terminology

    Cryptography referred almost exclusively to encryption, which is the process of converting ordinary information (plaintext) into unintelligible gibberish (i.e., ciphertext). Decryption is the reverse, in other words, moving from the unintelligible ciphertext back to plaintext. A cipher (or cypher) is a pair of algorithms which create the encryption and the reversing decryption. The detailed operation of a cipher is controlled both by the algorithm and in each instance by a key. This is a secret parameter (ideally known only to the communicants) for a specific message exchange context. Keys are important, as ciphers without variable keys are trivially breakable and therefore less than useful for most purposes. Historically, ciphers were often used directly for encryption or decryption without additional procedures such as authentication or integrity checks.

    plaintext - original message
    ciphertext - coded message
    cipher - algorithm for transforming plaintext to ciphertext
    key - info used in cipher known only to sender/receiver
    encipher (encrypt) - converting plaintext to ciphertext
    decipher (decrypt) - recovering plaintext from ciphertext
    cryptography - study of encryption principles/methods
    cryptanalysis (codebreaking) - study of principles/ methods of deciphering ciphertext without knowing key
    cryptology - field of both cryptography and cryptanalysis

    CRYPTANALYSIS

    Definition of Cryptanalysis

    Cryptanalysis (from the Greek kryptós, "hidden", and analýein, "to loosen" or "to untie") is the study of methods for obtaining the meaning of encrypted information, without access to the secret information which is normally required to do so. Typically, this involves knowing how the system works and finding a secret key. In non-technical language, this is the practice of codebreaking or cracking the code, although these phrases also have a specialised technical meaning (see code).

    "Cryptanalysis" is also used to refer to any attempt to circumvent the security of other types of cryptographic algorithms and protocols in general, and not just encryption. However, cryptanalysis usually excludes methods of attack that do not primarily target weaknesses in the actual cryptography, such as bribery, physical coercion, burglary, keystroke logging, and social engineering, although these types of attack are an important concern and are often more effective than traditional cryptanalysis.

    Symmetric Algorithm

    Symmetric-key algorithms are a class of algorithms for cryptography that use trivially related, often identical, cryptographic keys for both decryption and encryption.

    The encryption key is trivially related to the decryption key, in that they may be identical or there is a simple transformation to go between the two keys. The keys, in practice, represent a shared secret between two or more parties that can be used to maintain a private information link.

    Other terms for symmetric-key encryption are secret-key, single-key, shared-key, one-key, and private-key encryption. Use of the last and first terms can create ambiguity with similar terminology used in public-key cryptography.

    Example of Symmetric Algorithm

    Asymmetric Algorithm

    Asymmetric algorithm cryptography is a cryptographic approach, employed by many cryptographic algorithms and cryptosystems, whose distinguishing characteristic is the use of asymmetric key algorithms instead of or in addition to symmetric key algorithms. Using the techniques of public key-private key cryptography, many methods of protecting communications or authenticating messages formerly unknown have become practical. They do not require a secure initial exchange of one or more secret keys as is required when using symmetric key algorithms. It can also be used to create digital signatures.

    Example of Asymmetric Algorithm

    Symmetric Algorithm vs Asymmetric Algorithm


    This is a short comparison of these 2 types of algorithm:

    Speed of algorithms

    Symmetric-key algorithms are generally much less computationally intensive than asymmetric key algorithms. In practice, asymmetric key algorithms are typically hundreds to thousands of times slower than symmetric key algorithms.

    Key management

    One disadvantage of symmetric-key algorithms is the requirement of a shared secret key, with one copy at each end. In order to ensure secure communications between everyone in a population of n people, a total of n(n − 1)/2 keys are needed, which is the total number of possible communication channels. To limit the impact of a potential discovery by a cryptographic adversary, the keys should be changed regularly and kept secure during distribution and in service. The process of selecting, distributing and storing keys is known as key management, and is difficult to achieve reliably and securely.

    Hybrid cryptosystem

    In modern cryptosystem designs, both asymmetric (public key) and symmetric algorithms are used to take advantage of the virtues of both. Asymmetric algorithms are used to distribute symmetric keys at the start of a session. Once a symmetric key is known to all parties of the session, faster symmetric-key algorithms using that key can be used to encrypt the remainder of the session. This simplifies the key distribution problem, because asymmetric keys only have to be distributed authentically, whereas symmetric keys need to be distributed in an authentic and confidential manner.

    Systems that use such a hybrid approach include SSL, PGP, GPG etc.

    Caesar Ciphers



    The Caesar cipher, also known as Caesar's cipher, the shift cipher, Caesar's code or Caesar shift, is one of the simplest and most widely known encryption techniques. It is a type of substitution cipher in which each letter in the plaintext is replaced by a letter some fixed number of positions down the alphabet. For example, with a shift of 3, A would be replaced by D, B would become E, and so on. The method is named after Julius Caesar, who used it to communicate with his generals.

    The encryption step performed by a Caesar cipher is often incorporated as part of more complex schemes, such as the Vigenère cipher, and still has modern application in the ROT13 system. As with all single alphabet substitution ciphers, the Caesar cipher is easily broken and in practice offers essentially no communication security.

    Examples :

    Using this system, the keyword "zebras" gives us the following alphabets:

    Plaintext alphabet: abcdefghijklmnopqrstuvwxyz

    Ciphertext alphabet: ZEBRASCDFGHIJKLMNOPQTUVWXY

    A message of :

    flee at once. we are discovered!

    enciphers to

    SIAA ZQ LKBA. VA ZOA RFPBLUAOAR!

    ROT13 is a Caesar cipher, a type of substitution cipher. In ROT13, the alphabet is rotated 13 steps.

    Vigenere Ciphers

    The Vigenère cipher is a method of encrypting alphabetic text by using a series of different Caesar ciphers based on the letters of a keyword. It is a simple form of polyalphabetic substitution.

    The Vigenère (French pronunciation: [viʒnɛːʁ]) cipher has been reinvented many times. The method was originally described by Giovan Battista Bellaso in his 1553 book La cifra del. Sig. Giovan Battista Bellaso; however, the scheme was later misattributed to Blaise de Vigenère in the 19th century, and is now widely known as the "Vigenère cipher".

    This cipher is well known because while it is easy to understand and implement, it often appears to beginners to be unbreakable; this earned it the description le chiffre indéchiffrable (French for 'the unbreakable cipher'). Consequently, many people have tried to implement encryption schemes that are essentially Vigenère ciphers, only to have them broken.

    Vigenère Tableau

    For example, suppose that the plaintext to be encrypted is:

  • ATTACKATDAWN

    The person sending the message chooses a keyword and repeats it until it matches the length of the plaintext, for example, the keyword "LEMON":

  • LEMONLEMONLE

    The first letter of the plaintext, A, is enciphered using the alphabet in row L, which is the first letter of the key. This is done by looking at the letter in row L and column A of the Vigenère square, namely L. Similarly, for the second letter of the plaintext, the second letter of the key is used; the letter at row E and column T is X. The rest of the plaintext is enciphered in a similar fashion:

    • Plaintext : ATTACKATDAWN

    • Key : LEMONLEMONLE

    • Ciphertext: LXFOPVEFRNHR
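    The Caesar, keyword-alphabet and Vigenère examples above, as an added Python example that is not part of the original post. It reproduces the "zebras" and "LEMON" results and shows why a single-alphabet shift gives no security: the whole key space is 26 shifts. Function names are this example's own; the Vigenère key is assumed to contain letters only.

```python
import string

A = string.ascii_uppercase


def caesar(text: str, shift: int) -> str:
    """Replace each letter by the one `shift` positions down the alphabet.
    Output letters are upper case; other characters pass through unchanged."""
    rotated = A[shift % 26:] + A[:shift % 26]
    return text.translate(str.maketrans(A + A.lower(), rotated * 2))


def keyword_alphabet(keyword: str) -> str:
    """Cipher alphabet: keyword letters first (duplicates dropped), then the rest in order."""
    seen = []
    for ch in keyword.upper() + A:
        if ch in A and ch not in seen:
            seen.append(ch)
    return "".join(seen)


def substitute(text: str, cipher_alphabet: str) -> str:
    """Single-alphabet substitution using a 26-letter cipher alphabet."""
    return text.translate(str.maketrans(A + A.lower(), cipher_alphabet * 2))


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Each key letter selects a Caesar shift; the key repeats over the letters of the text."""
    shifts = [A.index(k) for k in key.upper()]
    out, i = [], 0
    for ch in text.upper():
        if ch in A:
            s = shifts[i % len(shifts)]
            out.append(A[(A.index(ch) + (-s if decrypt else s)) % 26])
            i += 1               # the key only advances on letters
        else:
            out.append(ch)
    return "".join(out)


def caesar_key_search(ciphertext: str, known_word: str) -> list:
    """Try all 26 shifts and return those whose decryption contains a known word."""
    return [s for s in range(26) if known_word.upper() in caesar(ciphertext, -s)]


if __name__ == "__main__":
    print(caesar("ABC", 3))                                        # DEF
    print(keyword_alphabet("zebras"))
    print(substitute("flee at once. we are discovered!", keyword_alphabet("zebras")))
    print(vigenere("ATTACKATDAWN", "LEMON"))
    print(vigenere("LXFOPVEFRNHR", "LEMON", decrypt=True))
    print(caesar_key_search(caesar("flee at once", 3), "once"))    # [3]
```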

    Saturday, July 18, 2009

    .:: || Introduction Network Security || ::.

    Greetings, everyone... OK, as usual, since this was the first class, we were given a brief overview of the Network Security module. The lecturer for this module is Mr. Zaki bin Mas'ud (email: zaki.masud@utem.edu.my)

    This module covers 14 topics, which are:

    • Introduction to Information Security
    • Introduction to Cryptography
    • Modern Cryptography
    • Access Control and Authentication
    • Program Security
    • Database Security
    • Security in Networks
    • Security in Applications
    • Firewall
    • Intrusion Detection System
    • Wireless Security
    • Legal and Ethical Issues in Computer Security
    • Cyberlaws
    • Administering Security

    In the first class we were also given our first quiz, in which Mr. Zaki wanted to test the students' level of understanding and what they already knew about Network Security.. haha ..

    A brief review of the first lesson:

    WHAT IS SECURITY ?

    • Security is a quality or state of being secure, that is, to be free from danger.
    • To be protected from adversaries.



    SECURITY PRINCIPLE ?

    There are 3 principles:

    • Confidentiality - prevention of unauthorized disclosure of information

    • Integrity - prevention of unauthorized modification of information

    • Availability - prevention of unauthorized withholding of information or resources


    • SECURITY TRENDS ? (refer picture below)


      THREAT & ATTACK

      • Threat : A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security & cause harm. That is, a threat is a possible danger that might exploit a vulnerability.


      • Attack : An assault on a system that derives from an intelligent threat, that is, an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services & violate the security policy of a system.


      Passive Attack : eavesdropping on, or monitoring of, transmissions.
      The Goal : to obtain information that is being transmitted.
      Types : release of message contents & traffic analysis

      Release of message contents
      Easily understood. A telephone conversation, an electronic mail message, and a transferred file may contain sensitive or confidential information (refer picture below)


      Traffic analysis
      Is subtler. Suppose that we had a way of masking the contents of messages or other information traffic so that opponents, even if they captured the message, could not extract the information from it. The common technique for masking contents is encryption. If we had encryption protection in place, an opponent might still be able to observe the pattern of these messages. The opponent could determine the location & identity of communicating hosts and could observe the frequency and length of messages being exchanged (refer picture below)


      Active Attacks : involve some modification of the data stream or the creation of a false stream & can be subdivided into 4 categories: masquerade, replay, modification of messages, & denial of service.

      Masquerade
      takes place when one entity pretends to be a different entity (refer picture below)


      Replay
      involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect (refer picture below)


      Modification of messages
      some portion of a legitimate message is altered, or messages are delayed or reordered, to produce an unauthorized effect (refer picture below)


      Denial of service
      prevents or inhibits the normal use or management of communication facilities.(refer picture below)




      SECURITY SERVICE

      X.800 defines a security service as a service provided by a protocol layer of communicating open systems, which ensures adequate security of the system or of data transfers.

      RFC 2828 provides the following definition: a processing or communication service that is provided by a system to give a specific kind of protection to system resources.

      5 Categories & 14 Specific Services



      SECURITY MECHANISM

      Any process (or a device incorporating such a process) that is designed to detect, prevent or recover from a security attack.

      Specific Security Mechanism



      Pervasive Security Mechanism





      LAB 1.::Introduction to Virtualization & VMware::.

      Virtual Machines (VMs) allow you to run any operating system in a new window. This is done by using virtualization, which is the general technology used by virtual machines. Imagine what you could do if you had under your control many computers, possibly connected together. Best of all, they are simple to use and have only a small performance hit. We'll see what those applications can do, how they can help you (test any OS or application while keeping your PC clean), and how to use them. Further, VMs make it possible to create testing platforms for your applications, websites, or virtually anything!

      • Task 1 : VMware Workstation Installation

      • Task 2 : 1. Creating Disk Image
                 2. To know how to get the virtual machine console

      • Task 3 : Installing Windows Server 2003 on Virtual Machine



    WP Gadget Review | Design: fahimie Blogger port by Kepit@n Copyright 2009 | Programmed by Muhd Fahimie