Software Security. Encryption. Encryption. Encryption. Encryption. Encryption. Week 5 Part 1. Masking Data from Unwelcome eyes

Transcription

1 Software Security Encryption Week 5 Part 1 Masking Data from Unwelcome eyes Encryption Encryption Encryption is the process of transforming data into another form Designed to make it readable only by those with special knowledge The original data (without encryption) is called plaintext Even though it can be anything from text to an image 6/25/2018 CSC Cook - Sacramento State - Summer /25/2018 CSC Cook - Sacramento State - Summer Encryption Encryption The mathematical function / algorithm used to encrypt the plaintext is called a cipher The result of the process is encrypted data called ciphertext (even though it can contain anything) Plaintext Cipher Ciphertext 6/25/2018 CSC Cook - Sacramento State - Summer /25/2018 CSC Cook - Sacramento State - Summer

2 Friends & enemies: Alice, Bob, Trudy Friends & enemies: Alice, Bob, Trudy Plaintext Plaintext Ciphertext Plaintext Alice All your data are belong to us! Bob Alice Curses! Bob Trudy Trudy 6/25/2018 CSC Cook - Sacramento State - Summer /25/2018 CSC Cook - Sacramento State - Summer Importance of Cryptology Terminology The Internet was not designed with much security in mind As a result, all the data being sent over the network can be copied by anyone If they are malicious, they can intercept passwords, and other information Cryptography allows the data to be hidden so only the recipient can read it Cryptology is the umbrella study of cryptography and cryptanalysis Cryptosystems disguise messages, allowing only selected people to see through it Cryptography is the science (or art) of designing, building, and using cryptosystems Cryptanalysis is the science (or art) of breaking a cryptosystem 6/25/2018 CSC Cook - Sacramento State - Summer /25/2018 CSC Cook - Sacramento State - Summer Basic Methods Two Basic Methods Relies on two basic methods: transposition: letters (data) are rearranged into a different order substitution: letters (data) are replaced by other letters and/or symbols Frequency of letters in a typical sample of text has a distinctive & predictable shape Transposition letters (data) are rearranged into a different order e.g. cat tca Substitution letters (data) are replaced by other letters and/or symbols e.g. cat dbu 6/25/2018 CSC Cook - Sacramento State - Summer /25/2018 CSC Cook - Sacramento State - Summer

3 Letter Frequency Example: Caesar Cipher Caesar cipher was named after Julius Caesar who used it to communicate with his generals Uses substitution based on a shifting letters 6/25/2018 CSC Cook - Sacramento State - Summer /25/2018 CSC Cook - Sacramento State - Summer Caesar Cipher: How to Use Example ROT13 Letters are replaced with letters a fixed number of positions up/down the alphabet So, if the shift is 1, A B, B C, etc ROT13 is a substitution cipher that replaces each letter with the another by shifting 13 positionsso conversion is quite easy! It is the Caesar Cipher using 13 Can you decode this? T b d s b n f o u p T u b u f Decrypt this: Z b e r u b z r j b e x c y r n f r 6/25/2018 CSC Cook - Sacramento State - Summer /25/2018 CSC Cook - Sacramento State - Summer Example ROT13 Main types of cryptography Decrypt this: Z b e r u b z r j b e x c y r n f r A B C D E F G H I J K L M N O P Q R S T U V W X Y Z Most major ciphers use a complex mathematical algorithm to encrypt data It can only be decrypted using a large unique value called a key 6/25/2018 CSC Cook - Sacramento State - Summer /25/2018 CSC Cook - Sacramento State - Summer

4 Main types of cryptography Symmetric: Private Key Encryption The more of bits in the key, typically the better the security Two approaches to keys: symmetric private keys asymmetric public and private keys It uses the same key to both encrypt and decrypt a message This is a shared secret! Most significant challenge: sharing keys prior to needing them and keeping others from learning them 6/25/2018 CSC Cook - Sacramento State - Summer /25/2018 CSC Cook - Sacramento State - Summer Common Ciphers Commonly Ciphers (low to high) Commonly used symmetric key encryptions: DES, 3DES, IDEA, AES, and Blowfish Data Encryption Standard (DES) was selected by the U.S. in 1976 It was broken in Jan 1999 and is no longer considered to be secure This is true of all ciphers, as computers become faster and more powerful, the size of the key must increase Cipher Bit Size Data Encryption Standard (DES) 56 Advanced Encryption Standard (AES) 64 Triple DES (3DES) 168, 112, 56 International Data Encryption Algorithm (IDEA) 128 Blowfish 32 to 448 6/25/2018 CSC Cook - Sacramento State - Summer /25/2018 CSC Cook - Sacramento State - Summer Asymmetric Encryption Asymmetric Encryption Enables you to communicate over any open channel with a high degree of confidence It uses two keys: one public and one private Two Keys! Too Cool! 6/25/2018 CSC Cook - Sacramento State - Summer

5 Advantages Asymmetric Encryption 1. Authentication: Messages you receive are from their advertised source 2. Privacy: Messages you send can be read only by their intended receiver(s) 3. Message integrity: All messages sent and received arrive intact Typically, the key lengths that are used with strong asymmetric key cryptography are 1024 bits (128 bytes) Messages are encrypted using both keys The two keys that compose a pair are mathematically related, but neither can be derived from the other 6/25/2018 CSC Cook - Sacramento State - Summer /25/2018 CSC Cook - Sacramento State - Summer The Keys Pretty Good Privacy The Public Key shared with everyone you want to communicate with privately it is validated by a separate, independent, source called a certificate authority The Private Key still kept private like before must be shared secretly Pretty Good Privacy (PGP) is distributed key management approach that does not rely on certificate authorities Created in 1991 by Philip Zimmermann 6/25/2018 CSC Cook - Sacramento State - Summer /25/2018 CSC Cook - Sacramento State - Summer PGP: How it Works Battle Over PGP Users sign other s user public keys someone who signs another s public key acts as an introducer for that person to someone so, there is no single authority government enforcement not possible So, if someone trusts the introducer they should also trust the new person adds some confidence to a key s validity His goal was to create the equivalent of a sealed envelope However, PGP started a conflict started between Zimmerman and the U.S. Government 6/25/2018 CSC Cook - Sacramento State - Summer /25/2018 CSC Cook - Sacramento State - Summer

6 Battle Over PGP Battle of PGP The Federal Government was about to pass legislation requested by the FBI prohibiting encryption information that law enforcement could not decode Not possible with PGP FBI started hounding Zimmermann and in 1993 there was formal criminal investigation for munitions export without a license After several years the case was closed without filing criminal charges 6/25/2018 CSC Cook - Sacramento State - Summer /25/2018 CSC Cook - Sacramento State - Summer PGP Goes Public The source code was then published in a book that cost only $60 It was scanned, modified, and spread around the World becoming the most popular cipher Often used to encrypt documents that can be shared via over the open Internet Open sesame! Passwords 6/25/2018 CSC Cook - Sacramento State - Summer How Passwords Work How Passwords Work Passwords are stored on the server Protecting these passwords from hackers is vital Either... passwords are encrypted or a hash is created for each password A "hash" is unique digital value created from a piece of text, file, etc... They are like a digital "fingerprint" and are used throughout computer science 6/25/2018 CSC Cook - Sacramento State - Summer /25/2018 CSC Cook - Sacramento State - Summer

7 When the User Enters a Password Password Weaknesses Hash is created using the user s input This hash value is compared to the hash in the data file If they match, then the password matches and access is granted Note: the hashes are compared, not real passwords They are dependent on human memory humans can only memorize a limited # of items long, complex passwords are most effective but are more difficult to memorize Security policies mandate passwords must expire users must repeatedly memorize passwords 6/25/2018 CSC Cook - Sacramento State - Summer /25/2018 CSC Cook - Sacramento State - Summer Password Weaknesses Attacks on Passwords Users don t like to remember multiple passwords And often take shortcuts weak passwords: common words, personal info reuse the same password for multiple accounts Social engineering trick the user into giving up a password e.g. phishing, shoulder surfing Capturing get the original password from the computer e.g. keylogger, sniffer 6/25/2018 CSC Cook - Sacramento State - Summer /25/2018 CSC Cook - Sacramento State - Summer Attacks on Passwords Password Cracker Resetting gain physical access to computer and reset password Offline cracking method used by most password attacks today steal encrypted password file compare with encrypted passwords they have created A password cracker is software used to break encrypted password files Generally uses brute force and/or a word list 6/25/2018 CSC Cook - Sacramento State - Summer /25/2018 CSC Cook - Sacramento State - Summer

8 Password Cracker Beowulf Cluster Works by: generating possible passwords creating the hashes for each look in the password file for a match Hacker may use a Beowulf Cluster 6/25/2018 CSC Cook - Sacramento State - Summer /25/2018 CSC Cook - Sacramento State - Summer Attack Program Methods Attack Program Methods Tests password file against 1000 common passwords Combines common passwords with common suffixes Uses 5000 common dictionary words, 10,000 names, 100,000 comprehensive dictionary words Uses lowercase, initial uppercase, all uppercase, and final character uppercase Makes common substitutions for letters in the dictionary words Examples: $ for for a 6/25/2018 CSC Cook - Sacramento State - Summer /25/2018 CSC Cook - Sacramento State - Summer John the Ripper Password Crackers Are Useful John the Ripper is a freely available password cracker Used by both criminals and system administers to find weak passwords Sac State College of Engineering and Computer Science (ECS) uses them Used on password file to identify all weak passwords Students, who passwords are broken, are notified to change it 90% of past break-ins to ECS were caused by weak passwords 6/25/2018 CSC Cook - Sacramento State - Summer /25/2018 CSC Cook - Sacramento State - Summer

9 A Possible Scenario Worst Passwords of 2016 Attacker scans a network and finds a running service that has a security hole They then attack exploit the hole and get "super user" powers download the password file use a nuker to destroy evidence Later, on their computer they run password crackers on the stolen file using found passwords, they login as real users password qwerty football baseball 11. welcome abc qaz2wsx 16. dragon 17. master 18. monkey 19. letmein 20. login 21. princess 22. qwertyuiop 23. solo 24. passw0rd 25. starwars 6/25/2018 CSC Cook - Sacramento State - Summer /25/2018 CSC Cook - Sacramento State - Summer Password Defenses Creating Strong Passwords Creating strong passwords examining attack methods the less a password is formatted how "they" expect to be, the harder it is to break Most passwords consist of: root attachment Prefix or suffix 6/25/2018 CSC Cook - Sacramento State - Summer Do not use dictionary words or phonetic words Do not use birthdays, family names, pet names, addresses or any personal info Do not repeat characters or use sequences Do not use short passwords Optional defense use non-keyboard chars Unicode contains 65,000+ characters access them with the Character Map or holding down the ALT and type a number on the keypad 6/25/2018 CSC Cook - Sacramento State - Summer Character Map Good Password Management Alt keystroke Change passwords frequently Do not reuse old passwords Never write password down Use unique passwords for each account Set up temporary password for another user s access 6/25/2018 CSC Cook - Sacramento State - Summer /25/2018 CSC Cook - Sacramento State - Summer

10 Good Password Management Password Supplements Do not allow computer to automatically sign in to an account Do not enter passwords on public access computers Never enter a password while connected to an unencrypted wireless network Problem: managing numerous strong passwords is burdensome for users One solution: rely on technology to store and manage passwords Disadvantages of password supplements password information specific to one computer passwords vulnerable if another user allowed access to the computer 6/25/2018 CSC Cook - Sacramento State - Summer /25/2018 CSC Cook - Sacramento State - Summer Password Supplements Password Supplements Password management applications passwords stored in single user vault file protected by one strong master password Common features drag and drop capability enhanced encryption encrypted in memory timed clipboard clearing Web browsers web browsers can save user passwords encrypted and stored in Windows registry Problems: if you leave an unintended computer, person can log in as you generally you never log out which is a security risk 6/25/2018 CSC Cook - Sacramento State - Summer /25/2018 CSC Cook - Sacramento State - Summer Various Applications Password Defense Type Installed application Portable application Internet Storage Description Application installed on local computer Stand-alone application carried on USB drive Application and/or vault is stored online Advantages Can access computers with memorizing them Not limited to computer with preinstalled app and vault file Can access from any computer with Internet access Disadvantages Must be installed on each computer and vault file uploaded User must have USB drive present to use application Storing passwords online may expose them to attacks One important defense: prevent attacker from obtaining encrypted password file Defenses against password file theft do not leave computer unattended screensavers should be set to resume with a password password protect the ROM BIOS physically lock the computer case so it cannot be opened 6/25/2018 CSC Cook - Sacramento State - Summer /25/2018 CSC Cook - Sacramento State - Summer

11 Identification Systems Identification Systems Systems that Tell Who is Who Different software/network systems exist that are used to identify users Uses a single authentication credential shared across multiple networks 6/25/2018 CSC Cook - Sacramento State - Summer Identification Systems Windows Live ID Called Federated Identity Management (FIM) when networks are owned by different organizations Single sign-on (SSO) promises to reduce burden of passwords to just one Introduced in 1999 as.net passport Name changed to Microsoft Passport Network, then Windows Live ID Designed as an SSO for Web commerce 6/25/2018 CSC Cook - Sacramento State - Summer /25/2018 CSC Cook - Sacramento State - Summer Windows Live ID: Authentication Process User logs into system Given time limited global cookie stored on computer with encrypted ID tag ID tag sent to web site Site uses tag for authentication Site stores encrypted, timelimited, local cookie on user s computer Windows Live ID (cont d.) Windows Live ID was not widely supported Currently used for authentication on: Windows Live Office Live Xbox Live MSN and other Microsoft online services 6/25/2018 CSC Cook - Sacramento State - Summer /25/2018 CSC Cook - Sacramento State - Summer

12 OpenID OpenID: Authentication Process Decentralized open source FIM Does not require specific software to be installed on the desktop URL-based identity system OpenID provides a means to prove a user owns the URL User goes to free site and given OpenID account of Me.myopenID.com User visits Web commerce or other site and signs in using his Open ID Site redirects user to MyOpenID.com where he enters password to authenticate MyOpenID.com sends him back to Web site, now authenticated 6/25/2018 CSC Cook - Sacramento State - Summer /25/2018 CSC Cook - Sacramento State - Summer OpenID: Security Weaknesses Relies on DNS which may have own weaknesses Not considered strong enough for most banking and e-commerce Web sites Securing the Operating System Protect the Master Software 6/25/2018 CSC Cook - Sacramento State - Summer Securing the Operating System 5 Steps to Securing the Operating System The operating system is the master control software of a system If it is compromised, all the data and applications are compromised Sadly, operating systems are quite complex allow for multiple exploits 1. Develop the security policy 2. Perform host software baselining 3. Configure operating system security and settings 4. Deploy the settings 5. Implement patch management 6/25/2018 CSC Cook - Sacramento State - Summer /25/2018 CSC Cook - Sacramento State - Summer

13 Develop the security policy Perform Host Software Baselining Clearly defines the defense mechanisms Policy should be "written in stone" Baseline: standard or checklist against which systems can be evaluated Configuration settings that are used for each computer in the organization 6/25/2018 CSC Cook - Sacramento State - Summer /25/2018 CSC Cook - Sacramento State - Summer Configure Security and Settings Deploy the Settings Hundreds of different security settings can be manipulated Typical configuration baseline changing insecure default settings eliminating unnecessary software, services, protocols enabling security features such as a firewall 6/25/2018 CSC Cook - Sacramento State - Summer Security template: collections of security settings Process can be automated Group policy windows feature providing centralized computer management a single configuration may be deployed to many users 6/25/2018 CSC Cook - Sacramento State - Summer Implement Patch Management Estimated Size of Some Operating Systems Operating systems have increased in size and complexity New attack tools have made secure functions vulnerable Operating System Linux Kernel 2.6 FreeBSD Red Hat Linux 7 Microsoft Windows 7 Mac OS X 10.4 Debian 5.0 Lines of Code (Approximate) 5 million 9 million 30 million 50 million 86 million 324 million 6/25/2018 CSC Cook - Sacramento State - Summer /25/2018 CSC Cook - Sacramento State - Summer

14 Implement Patch Management Automated Patch Updates Security patch is a general software update to cover discovered vulnerabilities Service pack accumulates security updates and additional features However patches can sometimes create new problems vendor should thoroughly test before deploying 6/25/2018 CSC Cook - Sacramento State - Summer Modern operating systems can download and install updates However, many administrators manage updates manually Advantages don't rely on vendor s online update service can force updates to install by specific date computers not on the Internet can receive updates users cannot disable or circumvent update 6/25/2018 CSC Cook - Sacramento State - Summer