SE420 Software Quality Assurance


SE420 Software Quality Assurance Encryption Backgrounder September 5, 2014 Sam Siewert

Encryption - Substitution

- Re-map Alphabet, 1-to-1 and On-to (function)

    A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
    A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

    ssiewert@ssiewert-virtualbox:~/a320/crypto$ ./a.out
    A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
    N A S I J K C M Q R F B D G H E L O P W T Z Y V U X
    TRANSLATE THIS!
    WONGPBNWJ WMQP!
    BETA>INTRODUCTION TO COMPUTERS
    QGWOHITSWQHG WH SHDETWJOP
    INTRODUCTION TO COMPUTERS
    BETA>abcdefghijklmnopqrstuvwxyz
    NASIJKCMQRFBDGHELOPWTZYVUX
    ABCDEFGHIJKLMNOPQRSTUVWXYZ
    BETA>exit
    JVQW
    EXIT

Encryption - Transposition

- Permute Text Block (e.g. up to 10 characters at a time)

    0 1 2 3 4 5 6 7 8 9
    0 1 2 3 4 5 6 7 8 9

    ssiewert@ssiewert-virtualbox:~/a320/crypto$ ./a.out
    0123456789ABCD
    6275134908ABCD
    TRAN>introduction to computers
    utcdnroiitc o ntopomuters
    introduction to computers
    TRAN>abcdefghijklmnopqrstuvwxyz
    gchfbdejaiqmrplnotksuvwxyz
    abcdefghijklmnopqrstuvwxyz
    TRAN>exit
    exit
    exit

Encryption - Automation

- Substitution with transposition
- Enigma Code, U571

    ssiewert@ssiewert-virtualbox:~/a320/crypto$ ./crypt
    A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
    N A S I J K C M Q R F B D G H E L O P W T Z Y V U X
    TRANSLATE THIS!
    WONGPBNWJ WMQP!
    NNWBOGP WJWMQP!
    CRYPT>abcdefghijklmnopqrstuvwxyz
    NASIJKCMQRFBDGHELOPWTZYVUX
    CSMKAIJRNQLDOEBGHWFPTZYVUX
    CRYPT>introduction to computers
    QGWOHITSWQHG WH SHDETWJOP
    TWSIGOHQQWS H GWHEHDTWJOP
    CRYPT>exit
    JVQW
    JVQW

Encryption Keys

- Symmetric Keys: Can I encrypt and decrypt with the same key?

    struct charmap submap[alphabet] = {
        {'A','N'}, {'B','A'}, {'C','S'}, {'D','I'}, {'E','J'}, {'F','K'}, {'G','C'},
        {'H','M'}, {'I','Q'}, {'J','R'}, {'K','F'}, {'L','B'}, {'M','D'}, {'N','G'},
        {'O','H'}, {'P','E'}, {'Q','L'}, {'R','O'}, {'S','P'}, {'T','W'}, {'U','T'},
        {'V','Z'}, {'W','Y'}, {'X','V'}, {'Y','U'}, {'Z','X'}
    };

- With the substitution Key, Yes

    //                           0  1  2  3  4  5  6  7  8  9
    int transmap[block_size]   = {6, 2, 7, 5, 1, 3, 4, 9, 0, 8};
    int detransmap[block_size] = {8, 4, 1, 5, 6, 3, 0, 2, 9, 7};

- With the transposition Key, Yes
- This is a Symmetric Key System
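The two-stage cipher from the preceding slides (substitution, then block transposition), as an added C example that is not the course's own source. It uses the key tables shown on the slides; the function names slide_encrypt and slide_decrypt, and the choice to leave a trailing partial block unpermuted (which matches the session output), are assumptions.

```c
/* Added example (not the course source): substitution then transposition. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 10
/* SUBKEY[i] is the ciphertext letter for 'A'+i, taken from the slide's submap. */
static const char SUBKEY[] = "NASIJKCMQRFBDGHELOPWTZYVUX";
static const int transmap[BLOCK_SIZE]   = {6, 2, 7, 5, 1, 3, 4, 9, 0, 8};
static const int detransmap[BLOCK_SIZE] = {8, 4, 1, 5, 6, 3, 0, 2, 9, 7};

/* Permute each full block in place. Assumption: a trailing partial block
   is left untouched, as the session output suggests. */
static void permute(char *s, const int *map) {
    size_t n = strlen(s);
    char tmp[BLOCK_SIZE];
    for (size_t b = 0; b + BLOCK_SIZE <= n; b += BLOCK_SIZE) {
        for (int i = 0; i < BLOCK_SIZE; i++) tmp[i] = s[b + map[i]];
        memcpy(s + b, tmp, BLOCK_SIZE);
    }
}

/* Encrypt in place: upper-case, substitute letters, then transpose. */
char *slide_encrypt(char *s) {
    for (char *p = s; *p; p++) {
        int c = toupper((unsigned char)*p);
        *p = isalpha(c) ? SUBKEY[c - 'A'] : (char)c;
    }
    permute(s, transmap);
    return s;
}

/* Decrypt in place: undo the transposition, then invert the substitution. */
char *slide_decrypt(char *s) {
    permute(s, detransmap);
    for (char *p = s; *p; p++) {
        const char *hit = isupper((unsigned char)*p) ? strchr(SUBKEY, *p) : NULL;
        if (hit) *p = (char)('A' + (hit - SUBKEY));
    }
    return s;
}

int main(void) {
    char msg[] = "introduction to computers";
    printf("%s\n", slide_encrypt(msg));
    printf("%s\n", slide_decrypt(msg));
    return 0;
}
```

Both directions are driven by the same secret tables: detransmap is just the inverse permutation of transmap, and the substitution is inverted by a reverse lookup in the same key string.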

Better Key Management?

- One Time Stack of Keys Exchanged in Private by Sender and Receiver in Advance
  - Agree to Use Different Symmetric Keys Based on Day of Year or some Universal Coordination
  - Cycle Through 365 Different Keys
  - Attacker Can Still Capture Stack of Keys
- Better Approach is a Public-Private Key System
  - Public Key Shared
  - Public Key Used to Encrypt Only (Digital Signature)
  - Private Key Used to Decrypt Only (Authentication, Plaintext Recovery)
  - Key Exchange Protocol and Key Rings
  - http://en.wikipedia.org/wiki/public-key_encryption

Authorization and Access Control

- By Session Login
- By File (permissions)
- By Directory
- Host to Network (Known host Ethernet address, WWID)
- By Execution Privilege Level (root or user), sudo
- Authorized Users, Computers, and Applications Require Authentication
  - Proving you are who you claim you are
  - Producing a pass phrase, an answer to a challenge question
  - Key or smartcard
  - Providing biometric scan

Cryptanalysis

- Attacks on Security
  - Capture Encrypted Data ("Man in the middle")
  - Capture Encryption code, key, or mechanism
  - Capture Decryption code, key, or mechanism
  - Analyze Examples to Deduce the Substitution and Transposition Cypher Code mappings
  - Inverse Function
- Defense
  - Very Large Cryptographic Hashing Functions
  - 128-bit, 256-bit or larger random number generators
  - Frequent Key Updates
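Why a fixed substitution key stops protecting anything once one plaintext/ciphertext pair has been seen, and why frequent key updates are listed under Defense: an added C example (not from the original slides) that learns the mapping from the session pair shown on the substitution slide and applies it to a second ciphertext. The function names learn_pair and partial_decrypt are hypothetical.

```c
/* Added example (not the course source): known-plaintext recovery of a
   fixed substitution key, using only text printed in the slide sessions. */
#include <stdio.h>
#include <string.h>

/* inv[c - 'A'] is the plaintext letter for ciphertext letter c, or 0 if unknown. */
static char inv[26];

static int is_upper(char c) { return c >= 'A' && c <= 'Z'; }

/* Learn mappings from one aligned, upper-case plaintext/ciphertext pair.
   Returns how many ciphertext letters are resolved so far. */
int learn_pair(const char *plain, const char *cipher) {
    int known = 0;
    for (size_t i = 0; plain[i] && cipher[i]; i++)
        if (is_upper(plain[i]) && is_upper(cipher[i]))
            inv[cipher[i] - 'A'] = plain[i];
    for (int i = 0; i < 26; i++) known += (inv[i] != 0);
    return known;
}

/* Decrypt with the partial key; letters not yet resolved become '?'. */
char *partial_decrypt(const char *cipher, char *out) {
    size_t i;
    for (i = 0; cipher[i]; i++) {
        char c = cipher[i];
        if (is_upper(c)) out[i] = inv[c - 'A'] ? inv[c - 'A'] : '?';
        else out[i] = c;
    }
    out[i] = '\0';
    return out;
}

int main(void) {
    char out[64];
    /* One observed pair from the BETA> session on the substitution slide. */
    int n = learn_pair("INTRODUCTION TO COMPUTERS", "QGWOHITSWQHG WH SHDETWJOP");
    printf("%d of 26 letters recovered\n", n);
    /* A different message encrypted under the same key. */
    printf("%s\n", partial_decrypt("WONGPBNWJ WMQP!", out));
    return 0;
}
```

A single 25-character message fixes 12 of the 26 letters, enough to make the second message readable; rotating the key before much traffic accumulates under it limits what each observed pair reveals.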

Denial of Service

- Rather than Gaining Unauthorized Access, Deny Other Authorized Users Access
  - Bug System with 1000s or Millions of Invalid Requests Per Second
  - Flood Network with Bad Protocol or Packets
  - Cause Routing Loops, Crash Services Remotely on Purpose
- Reason for Maximum Login Attempts
  - Withdraw Prompt for Password to A Particular Network Client or Terminal
  - Invalidate a Username
- Reason for Network Authentication of Clients
  - Block All Traffic for a Specific IP or Ethernet Address
  - Secure Physical Network Switches and Gateway Machines

Malware

- Software Designed to Harm a Client or Exploit a Known Bug
- Trojan Horse
  - Present Free Software, an E-mail Application, Plug-In, or other Method to Deliver an Application with Bad Intent
  - User Agrees to Download without Authentication of Source or Verification of Code Data Digest (Unique Signature for Tested and Authentic Code)
  - Beware of Free Software from Unknown Sources
- Virus
  - Application Code that Installs Itself on a Computer in Key Operating System and Shared Data Locations
    - Boot Code
    - Commonly Used File System Code
  - Transfer Malware via Shared Files, Networks, Disks (e.g. USB stick)
- Exploit
  - Find Buffer Overflow on Widely Used Operating System or Networking Service to Exploit
  - Buffer Overflow Provides Doorway to Modify Code
  - Perfect Exploit in Private Lab, Release as Trojan Horse or Virus
- Rootkit
  - Gain Access and Install Monitoring Software or Create Second Administrator Privilege Password and Account

Phishing

- Write A Program that Asks for a Password
  - Run this on a Public Computing System
  - Spoofing a Well-known and Trusted Server
  - Collect Login Credentials from Users (Produce Error Messages)
- Fake E-mail Requesting Credentials
- Fake Service or Business Front
- Impersonation of a Web Service (Re-direction of Traffic)
- E-mail Indicating You Are Over E-mail Quota Limits, Credit has Been Frozen, Etc., Followed by Request for Credentials

Newer Threats

- Character Defamation
  - Impersonation of Web Presence to Defame a User
- Identity Theft
  - Creation of Accounts Using False Credentials
- Cyber Attacks and Cyber Warfare
  - Malware Designed to Harm or Deny Service to Physical Systems Using Process Control (Water, Power, Traffic Management, etc.)
- Financial Sector Attacks
  - Discrediting a Company, Service
  - Disruption of Exchanges and Banking
- Discrediting Governments, Spoofing, Replay Attacks

Best General Defenses

- Encryption Used for Authentication, Data Exchange (e.g. Secure Sockets), and to Sign and Verify All Updates and Upgrades
- Public Services, Ports, and Terminals Should be Limited
  - Only Necessary Services: SSH, SFTP
  - No Plaintext Services: FTP, Telnet
- Routine Monitoring and Logging
  - Review all Connection Attempts and Login Attempts
  - Review Logs for Services that Crash and Restart
- Installations, Updates, Upgrades
  - Signed Drivers
  - Modifications to Boot Code or CMOS/UEFI (Firmware)
  - Security Patches and Updates from Trusted Sources

Inside Threats

- Insiders with Physical Access to Machines and Networking Equipment
  - Log all Entry / Exit to/from Data center and labs
  - Cross-checks and Need-to-Know
- Limited Distributions of Sensitive Data
  - No Password Sharing, Guest or Anonymous Accounts
  - Delete Access and Accounts for Severed Relationships
- VPN: Virtual Private Network Remote Access (Encrypted and Tunnels for Data from Authenticated Client to Host over SSL)
- Limit Data Removal on Media
- File Permission and ACL (Access Control List) Maintenance

Extreme Protection

- Private Network
- Limited Physical Access (Vault)
- Strong Encryption, Multi-method Authentication (Smartcard, Pass phrase, and Fingerprint)
- Compartmentalization - Limit Knowledge of Why Work is Being Done (Hide Global Purpose)
- Require Multiple Independent User Authentication
  - Combined Key or Pass Phrase
  - Access that Requires Two Logins
- Quotas on Bandwidth, Storage, Download, Session Time

Take Away

- Encryption
  - Substitution
  - Transposition cypher blocks
  - Mathematical Basis (mapping functions, random number generation, large hashing functions)
- Secure Systems
  - Authorization
  - Authentication and Access Control
  - Denial of Service
  - Trojan Horses, Malware, Exploits