
INTERNET SECURITY HOLES.ppt

Date post: 05-Nov-2014
Upload: sherin-geo-jose
Transcript
Page 1: INTERNET SECURITY HOLES.ppt

INTERNET SECURITY HOLES

Page 2: INTERNET SECURITY HOLES.ppt

Internet security is used to reduce attacks across the internet.

Security-related attacks may be of two types: passive and active.

Passive attack leads to the changing of information but does not affect the system resources.

Passive attacks do not involve the alteration of data.

Active attacks result in false stream messages. They involve masquerade, modification of messages, replay and denial of service.

Page 3: INTERNET SECURITY HOLES.ppt

Masquerade is a technique in which one entity pretends that it is not the original entity but a different entity.

The replay mechanism captures the unauthorized effect of the message.

The modification of messages represents that type of technique in which a little part is altered so that the overall message is not altered.

For example, the message "come to see the confidential file" can be changed to "come to see the ordinary file". Only a little is altered, yet the entire meaning is changed.

Denial of service attacks act on a specific target and can arise from potential physical, software, or virtual networking vulnerabilities.

Page 4: INTERNET SECURITY HOLES.ppt

Active attacks block the data stream of either one or both parties.

The attacker is located between both communicating parties.

Without checking the integrity of the received data, the server does not detect whether the origin of data is from a genuine or an authenticated person.

 

Page 5: INTERNET SECURITY HOLES.ppt

The above figure represents an active attack. Here Alice is the sender of the message and Bob is the receiver of the message. Eve is an active intruder between these two parties who plays the role of the man in the middle. An active attacker plays the man-in-the-middle role by inserting his own data into the data stream.

Data is inserted as playback data from other connections.

This playback data is sent in both directions, that is, in the same and the opposite direction, but with the same connections.

Page 6: INTERNET SECURITY HOLES.ppt

The direction represents both parties who send and receive the message.

The man-in-the-middle attacker sits in the middle to make a communication link, intercepting and substituting the message.

He tries to fool both parties into believing that they are talking directly, when in reality they are talking via an attacker.

Both parties represent the sender and receiver of the message.

Page 7: INTERNET SECURITY HOLES.ppt

Passive attack occurs when an unauthorized attacker monitors the communication between both parties.

[Figure: passive attack. Alice (Telnet Client), Bob (Telnet Client), Eve (Passive Eavesdropper)]

Page 8: INTERNET SECURITY HOLES.ppt

The above figure represents a passive attack. In passive attacks Eve is a passive eavesdropper who monitors all communication between Alice and Bob. After analyzing the complete situation Eve alters the message and in this way, she is able to change the message.

Page 9: INTERNET SECURITY HOLES.ppt

Cryptography

Cryptography is derived from the Greek words kryptos (hidden, secret) and grapho (I write).

It is the practice and study of hiding information.

The lack of data security on the Internet has become a complex issue in e-business. Hence e-security has become a major concern.

Cryptography is considered as a branch of mathematics and computer science.

It is extensively used in information theory, computer security and engineering.

Page 10: INTERNET SECURITY HOLES.ppt

Cryptography is used in applications which require security of data, such as ATM cards, computer passwords and electronic commerce.

The science of writing in a secret code is called cryptography.

With the development of computer communication arose the need for security of communication media.

Cryptography began to be used to provide this security while communicating over any untrusted medium, particularly the internet.

These security requirements include:

Authentication: Giving proof of one’s identity.

Page 11: INTERNET SECURITY HOLES.ppt

Privacy/confidentiality: Making sure that no one other than the intended reader reads the message.

Integrity: Providing assurance to the receiver that the message received by him is no different from the original one.

Non-repudiation: A mechanism which will prove that the message was actually sent by the sender and no one else.

Cryptography serves a dual purpose: data is protected from being stolen or altered, and users are authenticated.

Page 12: INTERNET SECURITY HOLES.ppt

This is done in three ways:

a) Secret key (or symmetric) cryptography
b) Public-key (or asymmetric) cryptography
c) Hash functions.

The unencrypted data is called plaintext. It is encrypted into ciphertext, and then decrypted into usable plaintext.

Page 13: INTERNET SECURITY HOLES.ppt

Encryption as the basis for data and messaging security

Encryption is a cryptography technology to scramble (encrypt) the data with a key so that no one can make sense of it while it is being transmitted.

When data reaches its destination, the information is unscrambled (decrypted) using the same or different key.

Cryptography uses 3 common terms. They are: intruder, plaintext and ciphertext.

Page 14: INTERNET SECURITY HOLES.ppt

Intruder: An intruder is any person who does not have the authorization to access the network or the information.

Plaintext: It is an intelligible message that needs to be converted into an encrypted message.

Ciphertext: A message in an encrypted form.

Page 15: INTERNET SECURITY HOLES.ppt

Plain text   Algorithm             Cipher text (Encrypted Form)   Algorithm              Plain text (Decrypted Form)
Goods        Next two letters      Iqqfu                          Previous two letters   Goods
Sales        Previous one letter   Rzkdr                          Next one letter        Sales

Page 16: INTERNET SECURITY HOLES.ppt

Encryption is a method by which plaintext can be converted into a cipher text.

Decryption is a method by which cipher text can be converted into a plaintext.

Algorithm: a cryptography algorithm is a mathematical function.

Key: It is a string of digits.

Page 17: INTERNET SECURITY HOLES.ppt

Methods of encryption

There are 3 types of cryptography or methods of encryption:

Secret key or private key or symmetric key cryptography.
Public key or asymmetric key cryptography.
Hash function.

Secret key cryptography

In this scheme, both the sender and the recipient possess the same key to encrypt and decrypt the data. Figure shows how secret or private key cryptography works.

Page 18: INTERNET SECURITY HOLES.ppt

[Figure: secret key cryptography. Original Message, Secret Key, Encrypted Message, Internet, Encrypted Message, Secret Key, Decrypt, Original Message]

Page 19: INTERNET SECURITY HOLES.ppt

Data Encryption Standard

Data Encryption Standard (DES) is an example of secret key cryptography. It was developed by IBM. DES is a block cipher-based scheme which encrypts a 64-bit data block using a 56-bit key. The block is transformed in such a way that it involves sixteen iterations. This is done by using the security key.

For example, A encrypts a message with a secret key and e-mails it to B, who on receiving it, checks the header to identify the sender. B then has to take the duplicate of the secret key to decrypt the message.

Page 20: INTERNET SECURITY HOLES.ppt

Drawbacks of secret key cryptography

Both parties must agree upon a shared key.

If there are ‘n’ correspondents, we have to keep track of ‘n’ different secret keys. If the same key is used by more than one correspondent, the common key holders can read each other’s mail.

Symmetric encryption schemes are also subject to authenticity problems.

Since both the sender and the recipient have the same secret key, the identity of originator or recipient cannot be proved. Both can encrypt or decrypt the message.

Page 21: INTERNET SECURITY HOLES.ppt

Public key cryptography

This scheme operates on a double key, called a key pair, one of which is used to encrypt the message and the other is used to decrypt it.

This can be viewed as two parts: one part of the key pair, the private key, is known only by the designated owner.

The other part, the public key, is published widely but is still associated with the owner of the private key.

Figure shows how public key encryption works.

Page 22: INTERNET SECURITY HOLES.ppt

[Figure: public key cryptography. Original Message, Public Key, Encrypted Message, Internet, Encrypted Message, Private Key, Decrypt, Original Message]

Page 23: INTERNET SECURITY HOLES.ppt

Advantages of public key cryptography

Message confidentiality can be proved.
Authenticity of the message originator can be proved.
Easy to distribute public key.

Hash Function

It is a formula that converts a message of a given length into a string of digits called message digest. A mathematical transformation is used by the hash function to encrypt information. The encrypted ciphertext message cannot be decrypted back to plaintext.

Page 24: INTERNET SECURITY HOLES.ppt

The main advantage of using the hash function for encryption is that even if an unauthorized person accesses public key, he will not be able to get to the hash function-generated key, thus making the digital signature authentic and secure.

Page 25: INTERNET SECURITY HOLES.ppt

Codes and Ciphers

Encryption is the process of transforming information by using an algorithm. This is done to make the document (called ciphertext) secure so that only people with special skills would be able to read it.

In some contexts, however, the term encryption is often applied to the reverse process, decryption.

The process of decryption can be used to make unreadable documents readable.

Page 26: INTERNET SECURITY HOLES.ppt

Encryption has been used by military intelligence and governments to help in secret communication.

Military intelligence would often replace numbers for letters, change the order of the letters or scramble voices by inverting band frequencies in a bid to encrypt information.

PGP encryption

A combination of data compression, public-key cryptography, hashing and symmetric-key cryptography is used for encryption in PGP.

It uses a number of complicated pieces of software, a number of algorithms and a public key linked with an e-mail address.

Page 27: INTERNET SECURITY HOLES.ppt

The earliest version of PGP software is called a Web of Trust.

As the software evolves, it supports new algorithms that help in creating new encryption techniques that the older version failed to do despite possessing valid keys.

Thus it is necessary for partners to understand the technology well to communicate effectively.

In order to maintain secrecy of communication, PGP combines public-key and symmetric-key encryption keys. These are used only once and are called session keys.

Page 28: INTERNET SECURITY HOLES.ppt

The session key is secured by encrypting it with the receiver’s public key so that the message can be decrypted only by the receiver.

A digital signature helps in maintaining authenticity of the report.

PGP includes an ‘identity certificate’ which is prepared cryptographically so that no one can tamper with the public key.

PGP has included a process of revoking identity certificates to help users who have lost private keys secure their communication.

PGP encryption has been found to protect data not only during transit, but also when it is stored in a hard disk over a period of time.

Page 29: INTERNET SECURITY HOLES.ppt

Classification of encryption systems

Encryption systems can be classified into two major types: the private key system and the public key system.

Private key encryption: Here, both the server and the client use the same key for encryption and decryption of messages. The key (private key) is used both to encrypt data by the sending party and decrypt it at the receiving end. Since both the sender’s as well as the receiver’s keys are the same, both of them must keep the keys safe from hackers and unauthorized parties to avoid leaking of sensitive data.

Page 30: INTERNET SECURITY HOLES.ppt

Public key encryption: This type of encryption system is more prevalent than private key encryption. In this type of encryption system, there are two separate keys: the sending party uses a private key for encoding information/data, and the receiving party uses a public key for decoding information.

Page 31: INTERNET SECURITY HOLES.ppt

RSA (Rivest-Shamir-Adleman)

In cryptography, RSA (which stands for Rivest, Shamir and Adleman who first publicly described it) is an algorithm for public-key cryptography.

It is the first algorithm known to be suitable for signing as well as encryption, and was one of the first great advances in public key cryptography.

RSA is widely used in electronic commerce protocols. RSA is an Internet encryption and authentication system that uses an algorithm developed in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman.

Page 32: INTERNET SECURITY HOLES.ppt

The RSA algorithm is the most commonly used encryption and authentication algorithm and is included as part of the Web browsers from Microsoft and Netscape.

Page 33: INTERNET SECURITY HOLES.ppt

Breaking Encryption Scheme

The Secure Socket Layer (SSL) was developed by Netscape Communication Corporation.

It is a protocol for providing privacy and security on the net.

The various web security layers are represented here:

E-COMMERCE APPLICATION

SECURE HYPERTEXT TRANSFER PROTOCOL (SHTTP)

TCP BASED APPLICATION PROTOCOL- HTTP, SMTP

SECURE SOCKETS LAYERS

INTERNET PROTOCOLS (IP)

Page 34: INTERNET SECURITY HOLES.ppt

Suppose someone was sending mail in the post in a transparent envelope.

Anyone who has access to this envelope can see what is inside and take it or change it, if it is valuable.

An SSL Certificate establishes a private communication channel making it possible to encrypt the data transmission.

Every SSL Certificate has a public key and a private key which are used to encrypt and decipher respectively.

A Secure Socket Layer authenticates the server and the client at the time a Web browser points to a secured domain.

Secure transmission begins once an encryption method is established using a unique session.

Page 35: INTERNET SECURITY HOLES.ppt

Cryptographic Application

The cryptography application block supports symmetric algorithms only. Symmetric algorithms use the same key for both encryption and decryption. It does not support asymmetric (public key) encryption, which uses one key to encrypt a message and another key to decrypt the message.

The various application areas of cryptography are:

Digital signatures provide authentication for online transactions.
SSL protocol of internet security.

Page 36: INTERNET SECURITY HOLES.ppt

PGP security standard for e-mail.
Provide network security.
Covert communication through steganography (a method of hiding messages in innocent artifacts).
Issuing digital certificate.
Biometric System: These replace password based authentication system.

Page 37: INTERNET SECURITY HOLES.ppt

Digital Signature

A digital signature or digital signature scheme is a mathematical scheme for demonstrating the authenticity of a digital message or document.

A valid digital signature gives a recipient reason to believe that the message was created by a known sender, and that it was not altered in transit.

Digital signatures are commonly used for software distribution, financial transactions, and in other cases where it is important to detect forgery or tampering.

A digital signature consists of 2 parts:

Signature in the document:
Signer Authentication
Document authentication

Page 38: INTERNET SECURITY HOLES.ppt

Signer Authentication:
A signature should indicate who signed a document, message or record and should be difficult for another person to produce without authorization.

Document Authentication:
A signature should identify what is signed so that:
The sender cannot remove the content of messages after signing it.
The receiver cannot make any changes in the message.

A digital signature scheme typically consists of three algorithms:

Page 39: INTERNET SECURITY HOLES.ppt

A key generation algorithm that selects a private key uniformly at random from a set of possible private keys.

The algorithm outputs the private key and a corresponding public key.

A signing algorithm that, given a message and a private key, produces a signature.

A signature verifying algorithm that, given a message, public key and a signature, either accepts or rejects the message's claim to authenticity.

Page 40: INTERNET SECURITY HOLES.ppt

Two main properties are required.

First, a signature generated from a fixed message and fixed private key should verify the authenticity of that message by using the corresponding public key.

Secondly, it should be computationally infeasible to generate a valid signature for a party who does not possess the private key.

Page 41: INTERNET SECURITY HOLES.ppt

Uses of digital signatures

As organizations move away from paper documents with ink signatures or authenticity stamps, digital signatures can provide added assurances of the evidence to provenance, identity, and status of an electronic document as well as acknowledging informed consent and approval by a signatory.

Below are some common reasons for applying a digital signature to communications:

Authentication
Integrity
Non-repudiation

Page 42: INTERNET SECURITY HOLES.ppt

Authentication

Although messages may often include information about the entity sending a message, that information may not be accurate.

Digital signatures can be used to authenticate the source of messages.

When ownership of a digital signature secret key is bound to a specific user, a valid signature shows that the message was sent by that user.

The importance of high confidence in sender authenticity is especially obvious in a financial context.

For example, suppose a bank's branch office sends instructions to the central office requesting a change in the balance of an account.

Page 43: INTERNET SECURITY HOLES.ppt

If the central office is not convinced that such a message is truly sent from an authorized source, acting on such a request could be a grave mistake.

Integrity

In many scenarios, the sender and receiver of a message may have a need for confidence that the message has not been altered during transmission.

Although encryption hides the contents of a message, it may be possible to change an encrypted message without understanding it.

However, if a message is digitally signed, any change in the message after signature will invalidate the signature.

Page 44: INTERNET SECURITY HOLES.ppt

Furthermore, there is no efficient way to modify a message and its signature to produce a new message with a valid signature, because this is still considered to be computationally infeasible by most cryptographic hash functions.
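The point made above, that encryption hides a message without protecting it from change, shown as an added example (not part of the original slides) using the slides' own "confidential file" sentence. It assumes a toy XOR stream cipher built from SHAKE-256, constructed keys, and an HMAC-SHA256 tag standing in for a public-key signature as the integrity check; the change in transit also assumes the position and wording of the altered word are known.

```python
import hashlib
import hmac

# Constructed sample values, for illustration only.
ENC_KEY = bytes(range(32))
MAC_KEY = bytes(range(32, 64))
NONCE = b"constructed-nonce"
MESSAGE = b"come to see the confidential file"

def keystream_xor(key, nonce, data):
    """Toy stream cipher: XOR with a SHAKE-256 keystream (same call decrypts)."""
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(plaintext):
    """Sender: encrypt, then tag nonce + ciphertext with HMAC-SHA256."""
    ct = keystream_xor(ENC_KEY, NONCE, plaintext)
    return ct, hmac.new(MAC_KEY, NONCE + ct, hashlib.sha256).digest()

def alter_in_transit(ct, offset, old, new):
    """Modification of messages on a stream ciphertext: XOR in the
    difference of two equal-length strings. No key is involved."""
    patch = bytes(a ^ b for a, b in zip(old, new))
    changed = bytes(c ^ p for c, p in zip(ct[offset:], patch))
    return ct[:offset] + changed + ct[offset + len(patch):]

def open_unchecked(ct):
    """Receiver that only decrypts."""
    return keystream_xor(ENC_KEY, NONCE, ct)

def open_checked(ct, tag):
    """Receiver that verifies the tag first; returns None if it does not match."""
    expected = hmac.new(MAC_KEY, NONCE + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return keystream_xor(ENC_KEY, NONCE, ct)

def demo():
    ct, tag = seal(MESSAGE)
    old, new = b"confidential", b"ordinary    "      # padded to equal length
    forged = alter_in_transit(ct, MESSAGE.index(old), old, new)
    return open_unchecked(forged), open_checked(forged, tag), open_checked(ct, tag)

if __name__ == "__main__":
    print(demo())
```

The receiver that only decrypts accepts the altered sentence as genuine, while the receiver that checks the tag rejects it and still accepts the untouched ciphertext.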

Non-repudiation

Non-repudiation is an important aspect of digital signatures. By this property an entity that has signed some information cannot at a later time deny having signed it.

The contents are protected as confidential, which means that only authorized individuals or groups can access the contents of a message or transaction.

Page 45: INTERNET SECURITY HOLES.ppt

The term is often seen in a legal setting wherein the authenticity of a signature is being challenged.

Non-repudiation in digital security

The most common method of asserting the digital origin of data is through digital certificates, a form of public key infrastructure, to which digital signatures belong.

They can also be used for encryption.

The digital origin only means that the certified/signed data can be, with reasonable certainty, trusted to be from somebody who possesses the private key corresponding to the signing certificate.

