Internet Security Lectures by Prabhaker Mateti
Abstract: Data integrity and privacy on the Internet primarily rest on using cryptography well. Unfortunately, it is easily compromised by errors in (operating) system configuration. This lecture is a quick overview of cryptography as relevant in Internet security and passwords.
Data integrity and privacy on the Internet primarily rest on using cryptography well. The design and implementation of cryptography requires deep understanding of discrete mathematics and number theory. Unfortunately, when cryptography is deployed carelessly, it is easily compromised by errors in (operating) system configuration. This lecture is a quick overview of cryptography as relevant in Internet security and passwords.
A cryptographic encryption algorithm, also known as a cipher, takes a "plain text" (e.g., human readable) pt as input and produces cipher text ct as the output,
so that it is possible to re-generate the pt from the ct through a companion decryption algorithm. Note that we said "for example, human readable" and not "that is, human readable" as an explanation for the phrase "plain text". Often, the so-called "plain text" is human un-readable binary data that is ready-to-be-used by a computer.
Ciphers use keys together with plain text as the input to produce cipher text. It is in the key that the security of a modern cipher lies, not in the details of the algorithm.
Roughly speaking, computationally infeasible means that a certain computation that we are talking about takes way too long (hundreds of years) to compute using the fastest of (super)computers.
Suppose our key is a 128-bit number. There are
128-bit numbers starting from zero (i.e., 128 bits of 0). To recover a particular key by brute force, one must, on average, search half the key space:
If we use 1,000,000,000 machines that could try 1,000,000,000 keys/sec, it would take all these machines longer than the universe as we know it has existed to find the key.
This is not the same thing as saying that computational infeasibility is the same idea as Turing-incomputable. Nor is it the same thing as saying that you cannot make a lucky guess, or heuristically arrive at a possible answer, and then systematically verify that the guessed answer is indeed the correct answer, all done within a matter of seconds on a lowly PC. Here is an example: Microsoft Windows NT uses the DES encryption algorithm in storing the passwords. Brute-forcing such a scrambled password to compute the plain text password can take, according to Microsoft, "about a billion years." But the L0pht team (http://www.l0pht.com) claims that L0phtCrack breaks Windows passwords in about one week, running in the background on an old Pentium PC.
In the context of cryptography, the factorization of an arbitrarily large number N into its constituent primes, determining the powers n2, n3, n5, n7, etc. of the primes, is computationally infeasible -- as far as we know.
N = 2^n2 * 3^n3 * 5^n5 * 7^n7 * ...
Based on this, the decryption is computationally infeasible. Note that this is assuming that we are using known methods, including brute force.
Is it possible that someone or some country has actually discovered fast algorithms, but chose to keep them secret, for these tasks that we believe to be computationally infeasible?
A hash function maps input sequences of bytes into a fixed-length sequence. The fixed length is considerably shorter than the typical length (thousands of bytes) of the input, and hence the function is a hash function.
The nature of all hash functions is that there must exist multiple input sequences that map to the same hash. The inverse is a mathematical relation, not a mathematical function. But, good hash functions have the following properties: It is hard to find two strings, from the expected set of typically used strings, that would produce the same hash value. A slight change in an input string causes the hash value to change drastically.
A "one way" hash function is designed to be computationally infeasible to reverse the process, that is, to algorithmically discover a string that hashes to a given value.
One-way hash functions are also known as message digests (MD), fingerprints, or compression functions. The most popular one-way hash algorithms are MD4 and MD5 (both producing a 128-bit hash value), and SHA, also known as SHA1 (producing a 160-bit hash value).
As of 2006, both MD5 and SHA1 are considered separately broken. That is, given plain text p, it is possible to modify p to a desired p' so that md5(p) == md5(p'); similarly, for SHA1. What is not known is if we can modify p to a p' so that md5(p) == md5(p') and sha1(p) == sha1(p').
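The hash properties described above can be measured directly. The following is an added example, not part of the original lecture: it uses Python's hashlib to count how many digest bits change when one input bit changes, and shows the pigeonhole effect by cutting SHA-256 down to 24 bits. The truncation, the function names and the sample messages are constructed for illustration.

```python
import hashlib
from itertools import count

def digest_bits(data: bytes, algo: str = "sha256") -> int:
    """Digest as an integer so that differing bits can be counted."""
    return int.from_bytes(hashlib.new(algo, data).digest(), "big")

def avalanche(data: bytes, algo: str = "sha256") -> float:
    """Average fraction of digest bits that flip when one input bit flips."""
    width = hashlib.new(algo).digest_size * 8
    base = digest_bits(data, algo)
    flipped_total = 0
    for i in range(len(data) * 8):
        mutated = bytearray(data)
        mutated[i // 8] ^= 1 << (i % 8)        # flip exactly one input bit
        flipped_total += bin(base ^ digest_bits(bytes(mutated), algo)).count("1")
    return flipped_total / (len(data) * 8 * width)

def truncated(data: bytes, bits: int) -> int:
    """Keep only the top `bits` bits of SHA-256: a deliberately tiny hash."""
    return digest_bits(data) >> (256 - bits)

def find_collision(bits: int = 24):
    """Hash distinct strings until two share a truncated digest.

    With 2**bits possible outputs a repeat is certain after 2**bits + 1
    inputs (pigeonhole) and expected after roughly 2**(bits/2) inputs.
    """
    seen = {}
    for n in count():
        msg = b"message-%d" % n                # constructed sample inputs
        h = truncated(msg, bits)
        if h in seen:
            return seen[h], msg, h, n + 1
        seen[h] = msg

if __name__ == "__main__":
    for algo in ("md5", "sha1", "sha256"):
        print(algo, "avalanche:", round(avalanche(b"pay Bob $100", algo), 3))
    a, b, h, tried = find_collision(24)
    print(f"{a!r} and {b!r} share 24-bit hash {h:06x} after {tried} inputs")
```

The avalanche figure sits near 0.5 for each algorithm, and the collision appears after a few thousand inputs rather than millions, which is why the fixed length of a real digest has to be large.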
Symmetric-key cryptography is an encryption system in which the sender and receiver of a message share a single, common key to encrypt and decrypt the message. Symmetric-key systems are simpler and faster, but their main drawback is that the two parties must somehow exchange the key in a secure way. Symmetric-key cryptography is sometimes also called secret-key cryptography.
If ct = encryption (pt, key), then pt = decryption (ct, key).
The most popular symmetric-key system is the DES, short for Data Encryption Standard. DES was developed in 1975 and standardized by ANSI in 1981 as ANSI X.3.92. DES encrypts data in 64-bit blocks using a 56-bit key. The algorithm transforms the input in a series of steps into a 64-bit output.
IDEA (International Data Encryption Algorithm) is a block cipher which uses a 128-bit length key to encrypt successive 64-bit blocks of plain text. The procedure is quite complicated using subkeys generated from the key to carry out a series of modular arithmetic and XOR operations on segments of the 64-bit plaintext block. The encryption scheme uses a total of fifty-two 16-bit subkeys.
Blowfish is a symmetric block cipher that can be used as a drop-in replacement for DES or IDEA. It takes a variable-length key, from 32 bits to 448 bits, making it ideal for both domestic and exportable use. Blowfish is unpatented and license-free, and is available free for all uses.
Public key cryptography uses two keys -- a public key known to everyone, and a private or secret key that is safeguarded. Public key cryptography was invented in 1976 by Whitfield Diffie and Martin Hellman. For this reason, it is sometimes also called Diffie-Hellman encryption. It is also called asymmetric encryption because it uses two keys instead of one key. The two keys are mathematically related, yet it is computationally infeasible to deduce one from the other.
Unfortunately, public-key cryptography is about 1000 times slower than symmetric key cryptography.
The most well-known of the public-key encryption algorithms is RSA, named after its designers Rivest, Shamir, and Adleman. The un-breakability of the algorithm is based on the fact that there is no efficient way to factor very large numbers into their primes.
An example of the above numbers: rsa.txt. Look up the man page: openssl(1).
The e and d are symmetric in that using either ((n,e) or (n,d)) as the encryption key, the other can be used as the decryption key.
The only way known to find d is to know p and q. If the number n is small, p and q are easy to discover by prime factorization. Thus, p and q are chosen to be as large as possible, say, a few hundred digits long. Obviously, p and q should never be revealed, preferably destroyed.
Encryption is done as follows. Consider the entire message to be encrypted as a sequence of bits. Suppose the length of n in bits is b. Split the message into blocks of length b or b-1. A block viewed as a b-bit number should be less than n; if it is not, choose it to be b-1 bits long. Each block is separately encrypted, and the encryption of the entire message is the catenation of the encryption of the blocks. Let m stand for a block viewed as a number. Multiply m with itself e times, and take the modulo n result as c, which is the encryption of m. That is, c = m^e mod n.
Decryption is the "inverse" operation: m = c^d mod n.
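The block-wise encryption and decryption just described, the interchangeability of e and d, and the danger of a small n can all be seen in a few lines. This is an added example, not code from the lecture or from rsa.txt: the primes 61 and 53, the exponent 17, the function names and the sample message are assumptions chosen for the demonstration, and blocks are rounded down to whole bytes that fit in b-1 bits.

```python
from math import gcd, isqrt

def make_keys(p, q, e):
    """Return ((n, e), (n, d)) for primes p, q; d is the inverse of e mod (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return (n, e), (n, pow(e, -1, phi))      # modular inverse needs Python 3.8+

def block_size(n):
    """Whole bytes that fit in b-1 bits (b = bit length of n), so every block < n."""
    size = (n.bit_length() - 1) // 8
    if size == 0:
        raise ValueError("modulus too small to hold a one-byte block")
    return size

def to_blocks(message, n):
    size = block_size(n)
    return [int.from_bytes(message[i:i + size], "big")
            for i in range(0, len(message), size)]

def from_blocks(blocks, n, length):
    """Rebuild the byte string; `length` tells us how short the last block was."""
    if not blocks:
        return b""
    size = block_size(n)
    head = b"".join(m.to_bytes(size, "big") for m in blocks[:-1])
    return head + blocks[-1].to_bytes(length - len(head), "big")

def apply_key(blocks, key):
    """c = m^e mod n with the public key, m = c^d mod n with the private key."""
    n, exponent = key
    return [pow(m, exponent, n) for m in blocks]

def recover_private_key(public):
    """Factor n by trial division and rebuild d; practical only because n is tiny."""
    n, e = public
    p = next(f for f in range(2, isqrt(n) + 1) if n % f == 0)
    return make_keys(p, n // p, e)[1]

if __name__ == "__main__":
    public, private = make_keys(61, 53, 17)  # toy primes, constructed for the demo
    n = public[0]
    msg = b"meet at noon"
    cipher = apply_key(to_blocks(msg, n), public)
    print("n, e, d =", n, public[1], private[1])
    print("cipher blocks:", cipher)
    print("decrypted:", from_blocks(apply_key(cipher, private), n, len(msg)))
    # e and d are interchangeable: "encrypt" with d, undo with e
    swapped = apply_key(apply_key(to_blocks(msg, n), private), public)
    print("swap works:", from_blocks(swapped, n, len(msg)) == msg)
    print("d recovered from public key alone:", recover_private_key(public)[1])
```

Encrypting each block independently with no randomness means equal plaintext blocks always give equal ciphertext blocks; deployed RSA adds randomized padding such as OAEP for that reason.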
The Digital Signature Algorithm (DSA) is a United States Federal Government standard for digital signatures.
An example of the above numbers: dsa.txt. Look up the man page: openssl(1).
Public-key systems, such as Pretty Good Privacy (PGP), are popular for transmitting information via the Internet. They are extremely secure and relatively simple to use. You need to retrieve the recipient's public key from one of several world-wide registries of public keys that now exist to encrypt a message.
When John wants to send a secure message to Jane, he uses Jane's public key to encrypt the message. Jane then uses her private key to decrypt it.
In real-world implementations, public keys are rarely used to encrypt actual messages because public-key cryptography is slow. Instead, public-key cryptography is used to distribute symmetric keys, which are then used to encrypt and decrypt actual messages, as follows:
A digital signature is a way to authenticate to a recipient that a received object is indeed that of the sender.
The public key-based communication between Alice and Bob described above is vulnerable to a man-in-the-middle attack.
Let us assume that Mallory, a cracker, not only can listen to the traffic between Alice and Bob, but also can modify, delete, and substitute Alice's and Bob's messages, as well as introduce new ones. Mallory can impersonate Alice when talking to Bob and impersonate Bob when talking to Alice. Here is how the attack works.
A man-in-the-middle attack works because Alice and Bob have no way to verify they are talking to each other. An independent third party that everyone trusts is needed to foil the attack. This third party could bundle the name "Bob" with Bob's public key and sign the package with its own private key. When Alice receives the signed public key from Bob, she can verify the third party's signature. This way she knows that the public key really belongs to Bob, and not Mallory.
A package containing a person's name (and possibly some other information such as an E-mail address and company name) and his public key and signed by a trusted third party is called a digital certificate (or digital ID). An independent third party that everyone trusts, whose responsibility is to issue certificates, is called a Certification Authority (CA). A digital certificate serves two purposes. First, it provides a cryptographic key that allows another party to encrypt information for the certificate's owner. Second, it provides a measure of proof that the holder of the certificate is who they claim to be, because otherwise, they will not be able to decrypt any information that was encrypted using the key in the certificate.
The recipient of an encrypted message uses the CA's public key to decode the digital certificate attached to the message, verifies it as issued by the CA and then obtains the sender's public key and identification information held within the certificate. With this information, the recipient can send an encrypted reply.
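The check Alice performs on a certificate can be written out with the same m^d mod n arithmetic used for RSA above. This is an added example, not part of the original lecture and not the X.509 format: the dictionary layout, the function names and the toy keys built from Mersenne primes are assumptions made for the demonstration.

```python
import hashlib

def keypair(p, q, e=65537):
    """Toy RSA key from two known primes: returns public (n, e), private (n, d)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def digest(name, subject_key, n):
    """Hash the name together with the public key, reduced to fit the CA modulus."""
    blob = f"{name}|{subject_key[0]}|{subject_key[1]}".encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % n

def issue(ca_private, name, subject_key):
    """The CA bundles name + public key and signs the bundle with its private key."""
    n, d = ca_private
    return {"name": name, "key": subject_key,
            "sig": pow(digest(name, subject_key, n), d, n)}

def verify(ca_public, cert, expected_name):
    """Alice's check: the signature opens with the CA's public key, matches the
    bundle she received, and the bundle names the party she meant to reach."""
    n, e = ca_public
    return (cert["name"] == expected_name and
            pow(cert["sig"], e, n) == digest(cert["name"], cert["key"], n))

def demo():
    # Constructed toy keys; real keys are far larger and randomly generated.
    ca_pub, ca_priv = keypair(2**89 - 1, 2**107 - 1)
    bob_pub, _ = keypair(2**61 - 1, 2**31 - 1)
    mallory_pub, mallory_priv = keypair(2**19 - 1, 2**17 - 1)

    genuine = issue(ca_priv, "Bob", bob_pub)
    key_swapped = dict(genuine, key=mallory_pub)          # Bob's cert, Mallory's key
    self_signed = issue(mallory_priv, "Bob", mallory_pub) # signed by Mallory, not the CA
    own_cert = issue(ca_priv, "Mallory", mallory_pub)     # valid, but for Mallory

    return {
        "genuine": verify(ca_pub, genuine, "Bob"),
        "key_swapped": verify(ca_pub, key_swapped, "Bob"),
        "self_signed": verify(ca_pub, self_signed, "Bob"),
        "wrong_name": verify(ca_pub, own_cert, "Bob"),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:12s} accepted={accepted}")
```

Only the genuine certificate is accepted; each substitution fails either the signature comparison or the name comparison, and both comparisons are needed.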
The most widely used standard for digital certificates is X.509, which defines the following structure for public-key certificates:
You can obtain a personal certificate from companies like verisign.com or comodo.com.