Internet Security Lectures by Prabhaker MatetiPrabhaker Mateti
Abstract:Data integrity and privacy on the Internet primarily rests on usingcryptography well. Unfortunately, it is easily compromised by errorsin (operating) system configuration. This lecture is a quick overviewof cryptography as relevant in Internet security and passwords.
Data integrity and privacy on the Internet primarily rests on usingcryptography well. The design and implementation of cryptographyrequires deep understanding of discrete mathematics and number theory.Unfortunately, when cryptography is deployed carelessly, it is easilycompromised by errors in (operating) system configuration. Thislecture is a quick overview of cryptography as relevant in Internetsecurity and passwords.
A cryptographic encryption algorithm, also known as cipher,transforms a "plain text" (e.g., humanreadable) pt and outputs cipher textct as the output,
so that it is possible to re-generate the pt fromthe ct through a companion decryption algorithm. Notethat we said "for example, human readable" and not"that is, human readable" as an explanation for the phrase"plain text". Often, the so-called "plain text"is human un-readable binary data that is ready-to-be-used by acomputer.
Ciphers use keys together with plain text as the input to produce cipher text. It is in the key that the security of a modern cipher lies, not in the details of the algorithm.
Roughly speaking, computationally infeasible means that a certaincomputation that we are talking about takes way too long (hundreds ofyears) to compute using the fastest of (super)computers.
Suppose our key is a 128-bit number. There are
128-bit numbers starting from zero (i.e., 128 bits of 0). Torecover a particular key by brute force, one must, on average, searchhalf the key space:
If we use 1,000,000,000 machines that could try 1,000,000,000keys/sec, it would take all these machines longer than the universe aswe know it has existed to find the key.
This is not the same thing as saying that computationalinfeasibility is the same idea as Turing-incomputable. Nor is it thesame thing as saying that you cannot make a lucky guess, orheuristically arrive at a possible answer, and then systematicallyverify that the guessed answer is indeed the correct answer, all donewithin a matter of seconds on a lowly PC. Here is an example:Microsoft Windows NT uses the DES encryption algorithm in storing thepasswords. Brute-forcing such a scrambled password to compute theplain text password can take, according to Microsoft, "about abillion years." But the L0pht team( http://www.l0pht.com) claims thatL0phtCrack breaks Windows passwords in about one week, running in thebackground on an old Pentium PC.
In the context of cryptography, the factorization of an arbitrarilylarge number N, into its constituent primes, determining the powersn2, n3, n5, n7, etc. of the primes, is computationally infeasible --as far as we know.
N = 2n2 * 3 n3* 5 n5 * 7 n7* ...
Based on this, the decryption is computationally infeasible. Note thatthis is assuming that we are using known methods, including brute force.
Is it possible that some one or some country has actuallydiscovered fast algorithms, but chose to keep them secret, for these tasksthat we believe to be computationally infeasible?
A hash function maps input sequences of bytes into a fixed-lengthsequence. The fixed length is considerably shorter than thetypical length (thousands of bytes) of the input, and hence thefunction is a hash function.
The nature of all hash functions is that there must exist multipleinput sequences that map to the same hash. The inverse is amathematical relation, not a mathematical function. But, good hashfunctions have the following properties: It is hard to find twostrings, from the expected set of typically used strings, that wouldproduce the same hash value. A slight change in an input stringcauses the hash value to change drastically.
A "one way" hash function is designed to be computationallyinfeasible to reverse the process, that is, to algorithmicallydiscover a string that hashes to a given value.
One-way hashfunctions are also known as message digests (MD), fingerprints, orcompression functions. The most popular one-way hash algorithms areMD4 and MD5 (both producing a 128-bit hash value), and SHA, also knownas SHA1 (producing a 160-bit hash value).
As of 2006, both MD5 and SHA1 are considered separately broken. Thatis, given plain text p, it is possible to modify p to a desired p' sothat md5(p) == md5(p'); similarly, for SHA1. What is not known is ifwe can modify p to a p' so that md5(p) == md5(p') and sha1(p)== sha1(p').
Symmetric-key cryptography is an encryption system in which thesender and receiver of a message share a single, common key to encryptand decrypt the message. Symmetric-key systems are simpler andfaster, but their main drawback is that the two parties must somehowexchange the key in a secure way. Symmetric-key cryptography issometimes also called secret-key cryptography.
If ct = encryption (pt, key), then pt = decryption (ct, key).
The most popular symmetric-key system is the DES, short for DataEncryption Standard. DES was developed in 1975 andstandardized by ANSI in 1981 as ANSI X.3.92. DES encrypts data in64-bit blocks using a 56-bit key. The algorithm transforms theinput in a series of steps into a 64-bit output.
IDEA (International Data Encryption Algorithm) is a block cipherwhich uses a 128-bit length key to encrypt successive 64-bit blocks ofplain text. The procedure is quite complicated using subkeys generatedfrom the key to carry out a series of modular arithmetic and XORoperations on segments of the 64-bit plaintext block. The encryptionscheme uses a total of fifty-two 16-bit subkeys.
Blowfish is a symmetric block cipher that can be used as a drop-inreplacement for DES or IDEA. It takes a variable-length key, from 32bits to 448 bits, making it ideal for both domestic and exportableuse. Blowfish is unpatented and license-free, and is availablefree for all uses.
Public key cryptography uses two keys -- a public key knownto everyone, and a private or secret key that is safeguarded. Public key cryptography was invented in 1976 by WhitfieldDiffie and Martin Hellman. For this reason, it is sometimes alsocalled Diffie-Hellman encryption. It is also calledasymmetric encryption because it uses two keys instead of one key. The two keys are mathematically related, yet it is computationally infeasible to deduce one from the other.
Unfortunately, public-key cryptography is about 1000 times slowerthan symmetric key cryptography.
The most well-known of the public-key encryption algorithms is RSA, named after its designers Rivest, Shamir, and Adelman. The un-breakability of the algorithm is based on the fact that there is no efficient way to factor very large numbers into their primes.
An example of the above numbers: rsa.txt. Look up the man page: openssl(1).
The e and d are symmetric in that using either ((n,e) or (n,d)) as the encryption key, the other can be used as the decryption key.
The only way known to find d is to know p and q. If the number n is small, p and q are easy todiscover by prime factorization. Thus, p and q are chosen to be as large as possible,say, a few hundred digits long. Obviously, p and qshould never be revealed, preferably destroyed.
Encryption isdone as follows. Consider the entire message to be encrypted asa sequence of bits. Suppose the length of n in bits is b. Split the message into blocks of length b or b-1. A block viewedas a b-bit number should be less than n; if it is not, choose it to beb-1 bits long. Each block is separately encrypted, and theencryption of the entire message is the catenation of the encryptionof the blocks. Let m stand for a block viewed as a number. Multiply m with itself e times, and take the modulo n result as c,which is the encryption of m. That is, c = m^emod n.
Decryption is the "inverse" operation: m = c^dmod n.
The Digital Signature Algorithm (DSA) is a United States Federal Government standard for digital signatures.
An example of the above numbers: dsa.txt.Look up the man page: openssl(1).
Public-key systems, such as Pretty Good Privacy (PGP), are popular for transmitting information via the Internet. They are extremely secure and relatively simple to use. You need to retrieve the recipient's public key from one of several world-wide registries of public keys that now exist to encrypt a message.
When John wants to send a secure message to Jane, he uses Jane's public key to encrypt the message. Jane then uses her private key to decrypt it.
In real-world implementations, public keys are rarely used to encrypt actual messages because public-key cryptography is slow. Instead, public-key cryptography is used to distribute symmetric keys, which are then used to encrypt and decrypt actual messages, as follows:
A digital signature is a way to authenticate to a recipient that a received object is indeed that of the sender.
The public key-based communication between Alice and Bob described above is vulnerable to a man-in-the-middle attack.
Let us assume that Mallory, a cracker, not only can listen to thetraffic between Alice and Bob, but also can modify, delete, andsubstitute Alice's and Bob's messages, as well as introduce newones. Mallory can impersonate Alice when talking to Bob andimpersonate Bob when talking to Alice. Here is how the attackworks.
A man-in-the-middle attack works because Alice and Bob have no wayto verify they are talking to each other. An independent third partythat everyone trusts is needed to foil the attack. This third partycould bundle the name "Bob" with Bob's public key and signthe package with its own private key. When Alice receives the signedpublic key from Bob, she can verify the third party's signature. Thisway she knows that the public key really belongs to Bob, and notMallory.
A package containing a person's name (and possibly some otherinformation such as an E-mail address and company name) and his publickey and signed by a trusted third party is called a digital certificate (ordigital ID). An independent third party that everyone trusts, whoseresponsibility is to issue certificates, is called a CertificationAuthority (CA). A digital certificate serves two purposes. First, itprovides a cryptographic key that allows another party to encryptinformation for the certificate's owner. Second, it provides a measureof proof that the holder of the certificate is who they claim to be -because otherwise, they will not be able to decrypt any informationthat was encrypted using the key in the certificate.
The recipient of an encrypted message uses the CA's public key todecode the digital certificate attached to the message, verifies it asissued by the CA and then obtains the sender's public key andidentification information held within the certificate. With thisinformation, the recipient can send an encrypted reply.
The most widely used standard for digital certificates is X.509,which defines the following structure for public-key certificates:
You can obtain a personal certificate from companies likeverisign.com or comodo.com.
- Internet Security Market to Reap Excessive Revenues by 2026 Dagoretti News - Dagoretti News - January 19th, 2020
- How to Secure Your Windows 7 PC in 2020 - How-To Geek - January 19th, 2020
- Security fears saw nearly half of Europe use the internet less during 2018 - The Brussels Times - January 19th, 2020
- Senate Passes Legislation to Help Boost and Secure the Internet of Things - Nextgov - January 19th, 2020
- Internet of Things presents the next frontier of cyberattacks - ITProPortal - January 19th, 2020
- Ooma Improves on Phone and Home Security with New Products for Cord Cutters - Cord Cutters News, LLC - January 19th, 2020
- Windows 7 computers will no longer be patched after today - Naked Security - January 19th, 2020
- How the Trump administration is secretly assisting Iranian protesters - Washington Examiner - January 19th, 2020
- Iowa results will be compiled over the internet, hacking threat aside - The Fulcrum - January 19th, 2020
- Interview with Jordan Blake on the potential of behavioural biometrics - The Paypers - January 19th, 2020
- Cyren (NASDAQ:CYRN) Stock Rating Lowered by Zacks Investment Research - Riverton Roll - January 19th, 2020
- Password Managers: What Are They & How to Use Them? - TechAcute - January 19th, 2020
- EZVIZ C6CN pan-and-tilt security camera review: Motion tracking keeps intruder in this camera's sights - TechHive - January 19th, 2020
- New Year, new gadgets? Five ways to keep your new devices safe from hackers, cyber attacks and malware - ZDNet - January 6th, 2020
- BlackBerry Collaborating with Amazon Web Services to Demonstrate Safe, Secure, and Intelligent Connected Vehicle Software Platform for In-Vehicle... - January 6th, 2020
- Internet of Things security firm Armis in talks to be acquired -media - Nasdaq - January 6th, 2020
- The Internet of Things: how safe are your smart devices? - Spectator.co.uk - January 6th, 2020
- Beset by lawsuits over poor security protections, Ring rolls out 'privacy dashboard' for its creepy surveillance cams, immediately takes heat - The... - January 6th, 2020
- Start the new year, and new decade, by making your slice of the internet more secure - Times Colonist - January 6th, 2020
- Industrial Internet Consortium teams up with blockchain-focused security group - Network World - January 5th, 2020
- Russia Takes a Big Step Toward Internet Isolation - WIRED - January 5th, 2020
- 'This Is the Beginning': Hackers Claiming to Be from Iran Take Over U.S. Government Website - PJ Media - January 5th, 2020
- Virus-Crippled Travelex Was Running Windows 8, RDP Connected to Internet - Computer Business Review - January 5th, 2020
- From the archives: Top ten WSU stories of the decade - - The Wright State Guardian - January 5th, 2020
- Down Over 30% Since August, Is Recent IPO Fastly a Buy for 2020? - The Motley Fool - January 5th, 2020
- North Dakota's building a cybersecurity operations center and everyone's invited - StateScoop - January 5th, 2020
- Quid Pro Quo the truth | Opinion - Kingstree News - January 5th, 2020
- All You Need to Know About Indias First Data Protection Bill - CISO MAG - January 5th, 2020
- Start the new year, and new decade, by making your slice of the internet more secure - SaultOnline.com - January 5th, 2020
- Cheetah Mobile (NYSE:CMCM) Stock Rating Lowered by Zacks Investment Research - Riverton Roll - January 5th, 2020
- The Army Bans TikTok - WIRED - January 5th, 2020
- Acer Introduces New TravelMate P6, a Durable and Thin-and-Light Notebook for Mobile Professionals - PRNewswire - January 5th, 2020
- Know in Depth about Internet Security Software Market Trends, In-Depth Analysis and Forecast To 2026 | Symantec, McAfee, Trend Micro, AVG - AnalyticSP - December 31st, 2019
- Staying Out Of Trouble In 2020 With New Security Practices And Human Firewalls - Forbes - December 31st, 2019
- Expansion of the Internet Security Software Market is Forecasted to Reach at Very High Rate By 2026 - Market Research Sheets - December 31st, 2019
- Bangladesh shuts down internet along India's border 'for the sake of the countrys security in the current cir - Business Insider India - December 31st, 2019
- The year in #StupidSecurity 2019's biggest security and privacy blunders - The Daily Swig - December 31st, 2019
- Together with the community, weve given away more than 100,000 for important causes - Security Boulevard - December 31st, 2019
- The Most Dangerous People on the Internet This Decade - WIRED - December 31st, 2019
- The Top Security Stories of 2019, Part Two - Foreign Policy - December 31st, 2019
- About That IoT Device You Received as a Holiday Gift... - Security Intelligence - December 31st, 2019
- China nears completion of its GPS competitor, increasing the potential for Internet balkanization - TechCrunch - December 31st, 2019
- Best Android antivirus? The top 11 tools - CIO East Africa - December 31st, 2019
- 4 Ways to Make Security Training A Priority in Your Healthcare Organization - HIT Consultant - December 31st, 2019
- Beware of the Smart Device: Ways to Stay Private and Safe - The New York Times - December 31st, 2019
- A ton of Ruckus wireless routers are vulnerable to hackers - TechCrunch - December 31st, 2019
- The MS-ISAC Helps State and Local Governments Boost Their Cybersecurity - StateTech Magazine - December 31st, 2019
- Discover Lafayette podcast with Rader Solutions' security team: Here are 9 tips to prevent data breaches - The Advocate - December 31st, 2019
- #SocialSec Hot takes on this week's biggest cybersecurity news (Dec 27) - The Daily Swig - December 31st, 2019
- Ookla Adds Free VPN To It's Speedtest App For iOS And Android - Techworm - December 31st, 2019
- How to Keep a Security Breach Out of your Internet-Connected Stocking this Christmas - Forbes - December 13th, 2019
- Internet Security Market: Deep Analysis by Production Overview and Insights 2019-2025 - Drnewsindustry - December 13th, 2019
- The Great $50M African IP Address Heist - Krebs on Security - December 13th, 2019
- Avast announces cybersecurity predictions for 2020, expects rise in mobile scams and IoT Malware - Gadgets Now - December 13th, 2019
- Office and Penetration Testing Software Increasingly Becoming Vectors for Malware - Campus Technology - December 13th, 2019
- Network attacks increased in third quarter, WatchGuard says - TechRepublic - December 13th, 2019
- What is a VPN Used for on Android? - eTurboNews | Trends | Travel News - December 13th, 2019
- Pulse Secure Partners with Nozomi Networks in IT-OT Convergence Play - Channel Futures - December 13th, 2019
- 2 Dead in Protests Over Indias Religion-Based Citizenship Bill - The New York Times - December 13th, 2019
- RIPE NCC and TRA hold roundtable in UAE on government role in Internet - Intelligent CIO ME - December 13th, 2019
- Global and Regional IT Security Market 2019 by Manufacturers, Countries, Type and Application, Forecast to 2025 - Industry PressRelease - December 13th, 2019
- How do Cypriots spend their time on the Internet? - In-Cyprus.com - December 13th, 2019
- CipherCloud and Thales Collaborate to Support Zero Trust Data Access - Business Wire - December 13th, 2019
- Malware variety grows by 13.7 percent in 2019 due to web skimmers - Eagle Online - December 13th, 2019
- Installing a Fake Internet with INetSim and PolarProxy - Security Boulevard - December 10th, 2019
- China to ban all American-made hardware and software in government and public offices - ConsumerAffairs - December 10th, 2019
- TLS 1.3 Is Coming: Here's What You Need To Know To Be Prepared For It - Forbes - December 10th, 2019
- Global Internet Security Market 2019 by Manufacturers, Countries, Type and Application, Forecast to 2025 - Breaking News Updates - December 10th, 2019
- Now, keep your data safe in a private, digital home on the internet, thanks to this tech startup - YourStory - December 10th, 2019
- Red Balloon Security Partners with Siemens to Deliver Cybersecurity to Building Automation Systems - Business Wire - December 10th, 2019
- Internet of Things (IoT) Security Product Market Expected to Deliver Dynamic Progression until 2028| Cisco Systems Inc - Global Market News 24 - December 10th, 2019
- Global IT Security Spending in Government Market 2018 Check Point Software Technologies, Cisco Systems, Fortinet - The Industry Press Releases - December 10th, 2019
- Poor Conducts By Avast Antivirus Review: Is Avast Good? - The Daily Sound - December 10th, 2019
- Global IT Security Spending Market 2018 Check Point Software Technologies, Cisco Systems, EMC, Fortinet, Juniper Networks - The Industry Press... - December 10th, 2019
- Global IT Security Spending in Government Market 2019 by Manufacturers, Countries, Type and Application, Forecast to 2025 - The Industry Press... - December 10th, 2019
- Internet security Market 2019 Business Growth, Size and Comprehensive Research Study Forecast to 2026 - Montana Ledger - December 9th, 2019
- $200,000 Internet Fraud: Will Anyone Investigate? - BankInfoSecurity.com - December 9th, 2019
- Will Your Small Business Withstand A Cyberattack? - Forbes - December 9th, 2019
- Analysis of the Greater China Secure Content Management Market 2018-2019 - Forecast to 2023 - ResearchAndMarkets.com - Business Wire - December 8th, 2019
- TikTok is the best place on the internet. We should all delete it - CNET - December 8th, 2019