Internet Security Lectures by Prabhaker MatetiPrabhaker Mateti
Abstract:Data integrity and privacy on the Internet primarily rests on usingcryptography well. Unfortunately, it is easily compromised by errorsin (operating) system configuration. This lecture is a quick overviewof cryptography as relevant in Internet security and passwords.
Data integrity and privacy on the Internet primarily rests on usingcryptography well. The design and implementation of cryptographyrequires deep understanding of discrete mathematics and number theory.Unfortunately, when cryptography is deployed carelessly, it is easilycompromised by errors in (operating) system configuration. Thislecture is a quick overview of cryptography as relevant in Internetsecurity and passwords.
A cryptographic encryption algorithm, also known as cipher,transforms a "plain text" (e.g., humanreadable) pt and outputs cipher textct as the output,
so that it is possible to re-generate the pt fromthe ct through a companion decryption algorithm. Notethat we said "for example, human readable" and not"that is, human readable" as an explanation for the phrase"plain text". Often, the so-called "plain text"is human un-readable binary data that is ready-to-be-used by acomputer.
Ciphers use keys together with plain text as the input to produce cipher text. It is in the key that the security of a modern cipher lies, not in the details of the algorithm.
Roughly speaking, computationally infeasible means that a certaincomputation that we are talking about takes way too long (hundreds ofyears) to compute using the fastest of (super)computers.
Suppose our key is a 128-bit number. There are
128-bit numbers starting from zero (i.e., 128 bits of 0). Torecover a particular key by brute force, one must, on average, searchhalf the key space:
If we use 1,000,000,000 machines that could try 1,000,000,000keys/sec, it would take all these machines longer than the universe aswe know it has existed to find the key.
This is not the same thing as saying that computationalinfeasibility is the same idea as Turing-incomputable. Nor is it thesame thing as saying that you cannot make a lucky guess, orheuristically arrive at a possible answer, and then systematicallyverify that the guessed answer is indeed the correct answer, all donewithin a matter of seconds on a lowly PC. Here is an example:Microsoft Windows NT uses the DES encryption algorithm in storing thepasswords. Brute-forcing such a scrambled password to compute theplain text password can take, according to Microsoft, "about abillion years." But the L0pht team( http://www.l0pht.com) claims thatL0phtCrack breaks Windows passwords in about one week, running in thebackground on an old Pentium PC.
In the context of cryptography, the factorization of an arbitrarilylarge number N, into its constituent primes, determining the powersn2, n3, n5, n7, etc. of the primes, is computationally infeasible --as far as we know.
N = 2n2 * 3 n3* 5 n5 * 7 n7* ...
Based on this, the decryption is computationally infeasible. Note thatthis is assuming that we are using known methods, including brute force.
Is it possible that some one or some country has actuallydiscovered fast algorithms, but chose to keep them secret, for these tasksthat we believe to be computationally infeasible?
A hash function maps input sequences of bytes into a fixed-lengthsequence. The fixed length is considerably shorter than thetypical length (thousands of bytes) of the input, and hence thefunction is a hash function.
The nature of all hash functions is that there must exist multipleinput sequences that map to the same hash. The inverse is amathematical relation, not a mathematical function. But, good hashfunctions have the following properties: It is hard to find twostrings, from the expected set of typically used strings, that wouldproduce the same hash value. A slight change in an input stringcauses the hash value to change drastically.
A "one way" hash function is designed to be computationallyinfeasible to reverse the process, that is, to algorithmicallydiscover a string that hashes to a given value.
One-way hashfunctions are also known as message digests (MD), fingerprints, orcompression functions. The most popular one-way hash algorithms areMD4 and MD5 (both producing a 128-bit hash value), and SHA, also knownas SHA1 (producing a 160-bit hash value).
As of 2006, both MD5 and SHA1 are considered separately broken. Thatis, given plain text p, it is possible to modify p to a desired p' sothat md5(p) == md5(p'); similarly, for SHA1. What is not known is ifwe can modify p to a p' so that md5(p) == md5(p') and sha1(p)== sha1(p').
Symmetric-key cryptography is an encryption system in which thesender and receiver of a message share a single, common key to encryptand decrypt the message. Symmetric-key systems are simpler andfaster, but their main drawback is that the two parties must somehowexchange the key in a secure way. Symmetric-key cryptography issometimes also called secret-key cryptography.
If ct = encryption (pt, key), then pt = decryption (ct, key).
The most popular symmetric-key system is the DES, short for DataEncryption Standard. DES was developed in 1975 andstandardized by ANSI in 1981 as ANSI X.3.92. DES encrypts data in64-bit blocks using a 56-bit key. The algorithm transforms theinput in a series of steps into a 64-bit output.
IDEA (International Data Encryption Algorithm) is a block cipherwhich uses a 128-bit length key to encrypt successive 64-bit blocks ofplain text. The procedure is quite complicated using subkeys generatedfrom the key to carry out a series of modular arithmetic and XORoperations on segments of the 64-bit plaintext block. The encryptionscheme uses a total of fifty-two 16-bit subkeys.
Blowfish is a symmetric block cipher that can be used as a drop-inreplacement for DES or IDEA. It takes a variable-length key, from 32bits to 448 bits, making it ideal for both domestic and exportableuse. Blowfish is unpatented and license-free, and is availablefree for all uses.
Public key cryptography uses two keys -- a public key knownto everyone, and a private or secret key that is safeguarded. Public key cryptography was invented in 1976 by WhitfieldDiffie and Martin Hellman. For this reason, it is sometimes alsocalled Diffie-Hellman encryption. It is also calledasymmetric encryption because it uses two keys instead of one key. The two keys are mathematically related, yet it is computationally infeasible to deduce one from the other.
Unfortunately, public-key cryptography is about 1000 times slowerthan symmetric key cryptography.
The most well-known of the public-key encryption algorithms is RSA, named after its designers Rivest, Shamir, and Adelman. The un-breakability of the algorithm is based on the fact that there is no efficient way to factor very large numbers into their primes.
An example of the above numbers: rsa.txt. Look up the man page: openssl(1).
The e and d are symmetric in that using either ((n,e) or (n,d)) as the encryption key, the other can be used as the decryption key.
The only way known to find d is to know p and q. If the number n is small, p and q are easy todiscover by prime factorization. Thus, p and q are chosen to be as large as possible,say, a few hundred digits long. Obviously, p and qshould never be revealed, preferably destroyed.
Encryption isdone as follows. Consider the entire message to be encrypted asa sequence of bits. Suppose the length of n in bits is b. Split the message into blocks of length b or b-1. A block viewedas a b-bit number should be less than n; if it is not, choose it to beb-1 bits long. Each block is separately encrypted, and theencryption of the entire message is the catenation of the encryptionof the blocks. Let m stand for a block viewed as a number. Multiply m with itself e times, and take the modulo n result as c,which is the encryption of m. That is, c = m^emod n.
Decryption is the "inverse" operation: m = c^dmod n.
The Digital Signature Algorithm (DSA) is a United States Federal Government standard for digital signatures.
An example of the above numbers: dsa.txt.Look up the man page: openssl(1).
Public-key systems, such as Pretty Good Privacy (PGP), are popular for transmitting information via the Internet. They are extremely secure and relatively simple to use. You need to retrieve the recipient's public key from one of several world-wide registries of public keys that now exist to encrypt a message.
When John wants to send a secure message to Jane, he uses Jane's public key to encrypt the message. Jane then uses her private key to decrypt it.
In real-world implementations, public keys are rarely used to encrypt actual messages because public-key cryptography is slow. Instead, public-key cryptography is used to distribute symmetric keys, which are then used to encrypt and decrypt actual messages, as follows:
A digital signature is a way to authenticate to a recipient that a received object is indeed that of the sender.
The public key-based communication between Alice and Bob described above is vulnerable to a man-in-the-middle attack.
Let us assume that Mallory, a cracker, not only can listen to thetraffic between Alice and Bob, but also can modify, delete, andsubstitute Alice's and Bob's messages, as well as introduce newones. Mallory can impersonate Alice when talking to Bob andimpersonate Bob when talking to Alice. Here is how the attackworks.
A man-in-the-middle attack works because Alice and Bob have no wayto verify they are talking to each other. An independent third partythat everyone trusts is needed to foil the attack. This third partycould bundle the name "Bob" with Bob's public key and signthe package with its own private key. When Alice receives the signedpublic key from Bob, she can verify the third party's signature. Thisway she knows that the public key really belongs to Bob, and notMallory.
A package containing a person's name (and possibly some otherinformation such as an E-mail address and company name) and his publickey and signed by a trusted third party is called a digital certificate (ordigital ID). An independent third party that everyone trusts, whoseresponsibility is to issue certificates, is called a CertificationAuthority (CA). A digital certificate serves two purposes. First, itprovides a cryptographic key that allows another party to encryptinformation for the certificate's owner. Second, it provides a measureof proof that the holder of the certificate is who they claim to be -because otherwise, they will not be able to decrypt any informationthat was encrypted using the key in the certificate.
The recipient of an encrypted message uses the CA's public key todecode the digital certificate attached to the message, verifies it asissued by the CA and then obtains the sender's public key andidentification information held within the certificate. With thisinformation, the recipient can send an encrypted reply.
The most widely used standard for digital certificates is X.509,which defines the following structure for public-key certificates:
You can obtain a personal certificate from companies likeverisign.com or comodo.com.
- Common Internet of Things security pitfalls Urgent Comms - Urgent Communications - July 29th, 2020
- US starts work on making virtually unhackable internet a reality; All you need to know about Quantum Internet - The Financial Express - July 29th, 2020
- Internet Of Everything (IoE) Market Growth Analysis By Manufacturers, Regions, Types and Application Forecast - Market Research Posts - July 29th, 2020
- What are you giving away on social media? | IT PRO - IT PRO - July 29th, 2020
- Explained: Why is spyware, stalkerware gaining traction during the pandemic? - The Indian Express - July 29th, 2020
- Are we seeing the beginnings of an Indian internet? - Deccan Herald - July 29th, 2020
- What the Tech? Check Your Internet Security When Working from Home - Alabama News Network - July 27th, 2020
- Security of the internet is improving, but there is work to be done - Security Magazine - July 27th, 2020
- Outlook on the Internet Security Software Market to 2025 by Application, End-user and Geography - CueReport - July 27th, 2020
- U.S. Government Says Its Building A Virtually Unhackable Quantum Internet - Forbes - July 27th, 2020
- Amid 'heightened tensions,' US government issues warning to critical infrastructure providers - Utility Dive - July 27th, 2020
- The global Internet of Things (IoT) security market size is expected to grow from USD 12.5 billion in 2020 to USD 36.6 billion by 2025, at a Compound... - July 27th, 2020
- WISeKey to Showcase its Cybersecurity Solutions for Artificial Intelligence Used in Drones and Robots at SIDO 2020 - GlobeNewswire - July 27th, 2020
- Various Politicians, Companies, And Activists Are Targeted By A Secretive Industry - See How India Has Become A Hire-for-hack Place For Other... - July 27th, 2020
- Internet of Things (IoT) Security Product Market Forecasts and Opportunity Assessment Analysis 2019-2025 - Owned - July 27th, 2020
- ESET scores high in the Business Security Test 2020 - My Startup World - July 27th, 2020
- Global Internet of Things (IoT) Security Market 2020 Trends Analysis and Coronavirus (COVID-19) Effect Analysis | KEY PLAYERS MARKET WITH COVID-19... - July 27th, 2020
- The 12 Coolest AWS Tools Of 2020 (So Far) - CRN - July 27th, 2020
- Smart Home Market with COVID-19 Impact Analysis by Product, Software & Services, and Region - Global Forecast to 2025 - GlobeNewswire - July 27th, 2020
- MailVault ties up with BD Soft as the National Distributor, for the Indian Markets - CRN.in - July 27th, 2020
- WISeKey Appoints Ben Stump as Chief Revenue Officer to Drive the Next Phase of its Global Growth - GlobeNewswire - July 27th, 2020
- 4G internet not a security concern, no objection restoring it: JK admin tells Centre - The Kashmir Walla - July 27th, 2020
- This Is a Good Time to Buy Fastly Stock on the Dip - InvestorPlace - July 27th, 2020
- How firms are keeping staff and secrets safe from hackers now everyone is working remotely - CNBC - July 27th, 2020
- Cloudflare goes down, and takes the internet's security blanket with it - Mashable - July 23rd, 2020
- Should You Connect Your Brain to the Internet? - Security Boulevard - July 23rd, 2020
- Global Internet Security Market Growth Rate and Opportunities By 2025 With COVID-19 Outbreak, Top Players: HPE, IBM, Intel, Symantec, AlienVault,... - July 23rd, 2020
- Global Internet Security Market 2020 Growth Rate, Gross Margin, Competitive Situation and Trends, Forecast To 2026 - 3rd Watch News - July 23rd, 2020
- How Coronavirus Pandemic Will Impact Internet Security Software Market Size, Growth Opportunitis, Current trends, Forecast By 2026 - 3rd Watch News - July 23rd, 2020
- IT Security Consulting Services Market 2020: Potential Growth, Challenges, and Know the Companies List Could Potentially Benefit or Loose out From the... - July 23rd, 2020
- Scammers prey on Coronavirus fears - The Tomahawk - July 23rd, 2020
- Popular Chinese-Made Drone Is Found to Have Security Weakness - The New York Times - July 23rd, 2020
- Internet of Things (IoT) Security Marketplace 2020-2025 - Google, Cisco, IBM, and Intel Leading the IoT Revolution - WFMZ Allentown - July 23rd, 2020
- Digital culture in the age of COVID-19: Viral 'U' creators and politiktoks - The Michigan Daily - July 23rd, 2020
- Global IT Security Market 2025 To Expect Maximum Benefit and Growth Potential During this COVID 19 Outbreak During this COVID 19 Outbreak: Blue Coat,... - July 23rd, 2020
- Securing Travel and Transportation Operations - Security Intelligence - July 23rd, 2020
- Global Cloud DDoS Mitigation Software Market 2025 Potential Scope for Growth in This Pandamic : Amazon Web Services, Microsoft, Webroot, Google,... - July 23rd, 2020
- Internet of Things (IoT) Security Market Foresees Skyrocketing Growth in the Coming Years - Market Research Posts - July 23rd, 2020
- DDoS Protection Market 2020 | In-Depth Study On The Current State Of The Industry And Key Insights Of The Business Scenario By 2027 - Cole of Duty - July 23rd, 2020
- Exhaustive Study on DDoS Protection and Mitigation Market 2020 | Strategic Assessment by Top Players Akamai Technologies; Imperva; Radware - 3rd Watch... - July 23rd, 2020
- IT spending on Internet connectivity, security to rise in India: Report - Business Insider India - July 6th, 2020
- VPNs are the need-of-the-hour for safe and fast connections as we work-from-home - The Hindu - July 6th, 2020
- What is network security in the cloud computing era? - TechRadar - July 6th, 2020
- Revealed: How home router manufacturers dropped the ball on security - TechHive - July 6th, 2020
- Malaysia Internet of Things (IoT) Security Market Growth By Manufacturers, Type And Application, Forecast To 2026 - 3rd Watch News - July 6th, 2020
- Akamai Is an Overlooked Web Infrastructure Play. Its a Buy, Analyst Says. - Barron's - July 6th, 2020
- According to Latest Report on Internet of Things (IoT) Security Market to Grow with an Impressive CAGR - 3rd Watch News - July 6th, 2020
- Enterprise Firewall Market Overview and Regional Outlook with Research Study 2019 2026 - 3rd Watch News - July 6th, 2020
- How Have I Been Pwned became the keeper of the internets biggest data breaches - TechCrunch - July 6th, 2020
- Global Internet of Things (IoT) Security Market Trends, Opportunities, Key Players, Growth, Analysis, Outlook & Forecasts To 2026 - Daily Research... - July 6th, 2020
- WISeKey develops WIShelter Covid-19 secured smartphone app, using digital IDs and blockchain protocols, to certify users that are not infected with... - July 6th, 2020
- Cryptocurrencies Adding to the Safety and Security in the UK Gambling Industry - London Post - July 6th, 2020
- Voice recordings from domestic violence alerting app exposed on the internet - Security Boulevard - June 30th, 2020
- The lack of women in cybersecurity puts us all at greater risk - The Next Web - June 30th, 2020
- Cascading Security Through the Internet of Things Supply Chain - Lawfare - June 30th, 2020
- How to Build the Right Security Assessment - Security Boulevard - June 30th, 2020
- Apple may have just changed a key part of how the internet works - TechRadar - June 30th, 2020
- Indians most concerned about identity theft - Fortune India - June 30th, 2020
- Deeper Connect Mini: Decentralized, Private and Secure Internet for the People, launching June 30th on Indiegogo. - Yahoo Finance - June 30th, 2020
- Internet of Things (IoT) Security: Technologies and Global Markets - Yahoo Finance - June 30th, 2020
- Could Donald Trump claim a national security threat to shut down the internet? - Brookings Institution - June 30th, 2020
- Internet of Things Security Market Strategic Insights 2020 with analysis of Leading players: Check Point Security Software Technologies, Cisco... - June 30th, 2020
- Global IT Security Market is accounted for xx USD million in 2019 and is expected to reach xx USD million by 2025 growing at a CAGR of xx% : Blue... - June 30th, 2020
- Internet of Things (IoT) Security Market Size, Share, Growth, Revenue, Global Industry Analysis and Future Demand |Globalmarketers.biz - Cole of Duty - June 30th, 2020
- Surge in encrypted malware prompts warning about detection strategies - SecurityBrief Europe - June 30th, 2020
- NexTech AR to supply its video conferencing and virtual events platform to Dallas Independent School District - Proactive Investors UK - June 30th, 2020
- Dutch people are least concerned about safety, survey reveals - IamExpat in the Netherlands - June 30th, 2020
- Only 31% of Americans concerned with data security, despite 400% rise in cyberattacks - TechRepublic - June 24th, 2020
- WatchGuard Technologies Report Finds Two-Thirds of Malware is Encrypted, Invisible Without HTTPS Inspection - GlobeNewswire - June 24th, 2020
- How To Turn Off Firewall In Windows And Mac - Ubergizmo - June 24th, 2020
- OTF's Work Is Vital for a Free and Open Internet - EFF - June 24th, 2020
- Microsoft acquires CyberX to bolster Azure IoT security - Internet of Things News - IoT Tech News - June 24th, 2020
- Partner Content: ESET and Spire Technology on why you need a Password Manager - PCR-online.biz - June 24th, 2020
- Internet of Things (IoT) Security Market to Witness Robust Expansion Throughout the Forecast Period 2020 2025 - 3rd Watch News - June 24th, 2020
- Google is on a mission to stop you from reusing passwords - The Verge - June 24th, 2020
- Marking the 30th Anniversary of the Internet and Cybersecurity Treaty - CircleID - June 24th, 2020
- The Cyberlaw Podcast: Using the Internet to Cause Emotional Distress is a Felony? - Lawfare - June 24th, 2020
- DDoS Protection Market 2020 | How The Industry Will Witness Substantial Growth In The Upcoming Years | Exclusive Report By MRE - Cole of Duty - June 24th, 2020
- Julian Assange Extradition and the Freedom of Bitcoin Bitcoin... - Bitcoin Magazine - June 24th, 2020
- How to become a web developer? - The Tribune - June 24th, 2020