UNIT-4

SECURITY PRACTICE & SYSTEM SECURITY

Authentication applications – Kerberos – X.509 Authentication services - Internet

Firewalls for Trusted System: Roles of Firewalls – Firewall related terminology-
Types of Firewalls - Firewall designs – SET for E-Commerce Transactions.
Intruder – Intrusion detection system – Virus and related threats –
Countermeasures – Firewalls design principles – Trusted systems – Practical
implementation of cryptography and security.
KERBEROS
• Kerberos is an authentication service developed by MIT and is one of the
best known and most widely implemented trusted third party key
distribution systems.
• Provides a centralized authentication server whose function is to authenticate
users to servers and servers to users.
• Kerberos relies exclusively on symmetric encryption, making no use of
public-key encryption.

Kerberos Requirements
• Secure: A network eavesdropper should not be able to obtain the necessary
information to impersonate a user.
• Reliable: Kerberos should be highly reliable and should employ a distributed
server architecture, with one system able to back up another.
• Transparent: The user should not be aware that authentication is taking
place, beyond the requirement to enter a password.
• Scalable: The system should be capable of supporting large numbers of
clients and servers. This suggests a modular, distributed architecture.
• Kerberos is a basic third-party authentication scheme.
Authentication Server (AS)
 Knows the passwords of all users and stores these in a centralized database.
 AS shares a unique secret key with each server.
 These keys have been distributed physically or in some other secure manner
 Users initially negotiate with AS to identify self
 AS provides a non-corruptible authentication credential (ticket granting ticket
TGT)

Ticket Granting server (TGS)

 Issues tickets to users who have been authenticated to AS
 Users subsequently request access to other services from TGS on basis of
users’ TGT

Simple Authentication Dialogue

(1) C →AS: IDC || PC || IDV
(2) AS →C: Ticket
(3) C →V : IDC || Ticket
Ticket = E(Kv , [IDC || ADC || IDV])
Where
C = client, IDV = identifier of V, AS = authentication server, PC = password of
user on C, V =server, ADC = network address of C, IDC = identifier of user on
C, Kv = secret encryption key shared by AS and V.

Drawback of simple authentication dialogue

• The password Pc is transmitted as a simple plain text. So, there is a
possibility of capturing by the attacker.

More Secure Authentication Dialogue:

Table: Kerberos Version 4 Message Exchanges

(1) C →AS IDc || IDtgs || TS1

(2) AS →C E(Kc,[Kc,tgs || IDtgs || TS2 || Lifetime2 || Tickettgs])

Tickettgs = E(Ktgs, [Kc,tgs || IDc || ADc || IDtgs || TS2 || Lifetime2])

Authentication Service Exchange to obtain ticket-granting ticket
(3) C→TGS IDv || Tickettgs || Authenticatorc
(4) TGS →C E(Kc,tgs , [Kc,v || IDv || TS4 || Ticketv])

Tickettgs = E(Ktgs, [Kc,tgs || IDC || ADC || IDtgs || TS2 || Lifetime2])

Ticketv = E(Kv, [Kc,v || IDC || ADC || IDv || TS4 || Lifetime4])

Authenticatorc = E(Kc,tgs , [IDC || ADC || TS3])

Ticket-Granting Service Exchange to obtain service-granting ticket

(5) C →V Ticketv || Authenticatorc
(6) V→C E(Kc,v , [TS5 + 1]) (for mutual authentication)

Ticketv = E(Kv , [Kc,v || IDc || ADc || IDv || TS4 || Lifetime4])

Authenticatorc = E(Kc,v ,[IDc || ADc || TS5])
Overview of Kerberos
Overall Steps
• Client sends a message to the AS requesting access to the TGS.

• AS responds with a message, encrypted with a key derived from the user's
password (Kc) that contains the ticket.

• Encrypted message also contains a copy of the session key, Kc,tgs, where the
subscripts indicate that this is a session key for C and TGS.

• Session key is inside the message encrypted with Kc, only the user's client can
read it.

• Same session key is included in the ticket, which can be read only by the TGS.

• Thus, the session key has been securely delivered to both C and the TGS.

• Message (1) includes a timestamp, so that the AS knows that the message is
timely.

• Message (2) includes several elements of the ticket in a form accessible to C.

This enables C to confirm that this ticket is for the T
Kerberos Realms
• Kerberos environment consisting of a Kerberos server, a number of clients,
and a number of application servers requires the following:

1. The Kerberos server must have the user ID and hashed passwords of all
participating users in its database. All users are registered with the Kerberos
server.

2. The Kerberos server must share a secret key with each application server. All
application servers are registered with the Kerberos server.

3. The Kerberos server in each interoperating realm shares a secret key with the
Kerberos server in the other realm. The two Kerberos servers are registered
with each other.
• Such an environment is referred to as a Kerberos realm. The concept of
realm can be explained as follows. A Kerberos realm is a set of managed
nodes that share the same Kerberos database.

• Kerberos principal, which is a service or user that is known to the Kerberos

system. Each Kerberos principal is identified by its principal name. Principal
names consist of three parts: a service or user name, an instance name, and a
realm name.

• A user wishing service on a server in another realm needs a ticket for that
server. The user's client follows the usual procedures to gain access to the
local TGS and then requests a ticket-granting ticket for a remote TGS (TGS
in another realm). The client can then apply to the remote TGS for a service-
granting ticket for the desired server in the realm of the remote TGS.
X.509 AUTHENTICATION SERVICE
ITU-T recommendation X.509 is part of the X.500 series of recommendations
that define a directory service. X.509 defines a framework for the provision of
authentication services by the X.500 directory to its users. The directory may
serve as a repository of public-key certificates.
• Each certificate contains the public key of a user and is signed with the
private key of a trusted certification authority. X.509 certificate format is
used in S/MIME, IP Security, and SSL/TLS and SET. X.509 is based on the
use of public-key cryptography and digital signature algorithms. Figure
illustrates the generation of public key.

Certificates
Figure shows the general format of a certificate, which includes the following
elements:
 Version: Differentiates among successive versions of the certificate format;
the default is version 1.
 Serial number: An integer value, unique within the issuing CA, that is
unambiguously associated with this certificate.
 Signature algorithm identifier: The algorithm used to sign the certificate,
together with any associated parameters .
 Issuer name: X.500 name of the CA that created and signed this certificate.
 Period of validity: Consists of two dates: the first and last on which the
certificate is valid.
 Subject name: The name of the user to whom this certificate refers. That is,
this certificate certifies the public key of the subject who holds the
corresponding private key.
 Subject's public-key information: The public key of the subject, plus an
identifier of the algorithm for which this key is to be used, together with any
associated parameters.
 Issuer unique identifier: An optional bit string field used to identify
uniquely the issuing CA in the event the X.500 name has been reused for
different entities.
 Subject unique identifier: An optional bit string field used to identify
uniquely the subject in the event the X.500 name has been reused for
different entities.
 Extensions: A set of one or more extension fields.
 Signature: It covers all other fields of the certificate. It contains hash code of
other fields encrypted with CA’s private key. This field includes the signature
algorithm identifier.
• The standard uses the following notation to define a certificate:
CA<<A>> = CA {V, SN, AI, CA, TA, A, Ap}

• The CA signs the certificate with its private key. If the corresponding public
key is known to a user, then that user can verify that a certificate signed by
the CA is valid.

Obtaining a Certificate
• User certificates generated by a CA have the following characteristics:
 Any user with access to the public key of the CA can verify the user public
key that was certified.
 No party other than the certification authority can modify the certificate
without this being detected.

• Because certificates are unforgeable, they can be placed in a directory

without the need for the directory to make special efforts to protect them.
Certificate Revocation
Certificates have a period of validity.
• May need to revoke before expiry, because:
 User's private key is compromised
 User is no longer certified by this CA
 CA's certificate is compromised

• CA maintains a list consisting of all revoked but not expired certificates

issued by that CA, including both those issued to users and to other CAs.
Each certificate revocation list (CRL) posted to the directory is signed by the
issuer.

• When a user receives a certificate in a message, the user must determine

whether the certificate has been revoked. The user could check the directory
each time a certificate is received.
Authentication Procedures
• All these procedures make use of public-key signatures. It is assumed that the
two parties know each other's public key, either by obtaining each other's
certificates from the directory or because the certificate is included in the
initial message from each side.

1. One-Way Authentication
• One way authentication involves a single transfer of information from one
user (A) to another (B), and establishes the following:
1. The identity of A and that the message was generated by A
2. That the message was intended for B
3. The integrity and originality (it has not been sent multiple times) of the
message

• Only the identity of the initiating entity is verified in this process, not that of
the responding entity.
2. Two-Way Authentication
• In addition to the three elements just listed, two-way authentication
establishes the following elements:
1. The identity of B and that the reply message was generated by B
2. That the message was intended for A
3. The integrity and originality of the reply

• Two-way authentication thus permits both parties in a communication to

verify the identity of the other.

3. Three-Way Authentication
• In three-way authentication, a final message from A to B is included, which
contains a signed copy of the nonce rB.

• The intent of this design is that timestamps need not be checked: Because
both nonces are echoed back by the other side, each side can check the
returned nonce to detect replay attacks. This approach is needed when
synchronized clocks are not available.
FIREWALL
• A firewall is a device or group of devices that controls access between
networks. A firewall generally consists of filters and gateway(s), varying
from firewall to firewall.

• It is a security gateway that controls access between the public Internet and
an intranet and is a secure computer system placed between a trusted network
and an untrusted Internet.

• A firewall is an agent that screens network traffic in some way, blocking

traffic it believes to be inappropriate, dangerous, or both. Firewalls act as an
intermediate server in handling SMTP and HTTP connections in either
direction.

Roles of Firewalls
• The firewall imposes restrictions on packets entering or leaving the private
network.
• All traffic from inside to outside, and vice versa, must pass through the
firewall, out of which only authorized traffic will be allowed to pass.
• Packets are not allowed through unless they conform to a filtering
specification or unless there is negotiation involving some sort of
authentication.
• The firewall itself must be immune to penetration.
• Firewalls create choke points between an internal private network and an
untrusted Internet. Once the choke points are established, the device can
monitor, filter, and verify all inbound and outbound traffic.
• The firewall may filter on the basis of IP source and destination addresses and
TCP port number.
• The firewall also enforces logging and provides alarm capacities as well.
• The firewall provides protection from various kinds of IP spoofing and
routing attacks.
• A firewall can limit network exposure by hiding the internal network systems
and information from the public Internet.
Four general techniques that firewalls use to control access and enforce the
site's security policy
1. Service control: Determines the types of Internet services that can be
accessed, inbound or outbound. The firewall may filter traffic on the basis of
IP address and TCP port number;

2. Direction control: Determines the direction in which particular service

requests may be initiated and allowed to flow through the firewall.

3. User control: Controls access to a service according to which user is

attempting to access it. This feature is typically applied to users inside the
firewall perimeter (local users).

4. Behavior control: Controls how particular services are used. For example,
the firewall may filter e-mail to eliminate spam, or it may enable external
access to only a portion of the information on a local Web server.
FIREWALL-RELATED TERMINOLOGY
1. Bastion Host
• A bastion host is a publicly accessible device for the network's security,
which has a direct connection to a public network such as the Internet.
Bastion hosts must check all incoming and outgoing traffic and enforce the
rules specified in the security policy.
 Single-homed bastion host: This is a device with only one network
interface, normally used for an application-level gateway. The external router
is configured to send all incoming data to the bastion host, and all internal
clients are configured to send all outgoing data to the host.
 Dual-homed bastion host: This is a firewall device with at least two
network interfaces. The advantage of using such hosts is that they create a
complete break between the external network and the internal network.
 Multi-homed bastion host: Used to allow the user to enforce strict security
mechanisms. When the security policy requires all inbound and outbound
traffic to be sent through a proxy server, a new proxy server should be
created for the new streaming application.
2. Proxy Server
• Proxy servers are used to communicate with external servers on behalf of
internal clients. Application proxies forward packets only when a connection
has been established using some known protocol.
• When the connection closes, a firewall using application proxies rejects
individual packets. Each proxy maintains detailed audit information by
logging all traffic, each connection, and the duration of each connection.
Each proxy is independent of other proxies on the bastion host.
• If there is a problem with the operation of any proxy, or if future
vulnerability is discovered, it is easy to replace the proxy without affecting
the operation of the proxy's applications.

3. SOCKS
• The SOCKS protocol version 4 provides for unsecured firewall traversal for
TCP-based client/server applications, including HTTP, TELNET, and FTP.

• SOCKS define how to establish authenticated connections, but currently, it

does not provide a clear-cut solution to the problem of encrypting the data
traffic.
Choke Point
• A choke point is the point at which a public Internet can access the internal
network. The most comprehensive and extensive monitoring tools should be
configured on the choke points.

• All traffic is flowing through the firewalls, security administrators, as a

firewall strategy, need to create choke points to limit external access to their
networks. Once these choke points have been clearly established, the firewall
devices can monitor, filter, and verify all inbound and outbound traffic.

5. Demilitarized Zone (DMZ)

• In terms of a firewall, the DMZ is a network that lies between an internal
private network and the external public network.

• DMZ networks are sometimes called perimeter networks. A DMZ is used as

an additional buffer to further separate the public network from the internal
network.
6. Logging and Alarms
• Logging is usually implemented at every device in the firewall. Since a
choke point is installed at the firewall, a prospective hacker will go through
the choke point.
• If so, the comprehensive logging devices will probably capture all hacker
activities, including all user activities as well. The user can then tell exactly
what a hacker is doing and have such information available for audit. The
audit log is an essential tool for detecting and terminating intruder attacks.

7. VPN
• VPNs are appropriate for any organization requiring secure external access to
internal resources. All data transmitted over a VPN is usually encrypted
because an opponent with access to the Internet could eavesdrop on the data
as it travels over the public network.
• The VPN encapsulates all the encrypted data within an IP packet.
Authentication, message integrity, and encryption are very important
fundamentals for implementing a VPN.
TYPES OF FIREWALLS
Firewalls are classified into three common types:
1. Packet filtering Router
2. Circuit-level gateways
3. Application-level gateways

1. Packet filtering Router

• A packet filtering router applies a set of rules to each incoming IP packet and
then forwards or discards the packet. The router is typically configured to
filter packets going in both directions. Filtering rules are based on the
information contained in a network packet:
 Source IP address – IP address of the system that originated the IP packet.
Destination IP address – IP address of the system, the IP is trying to reach.
 Source and destination transport level address – transport level port
number.
 Interface – for a router with three or more ports, which interface of the router
the packet come from or which interface of the router the packet is destined
for.
• The packet filter is typically set up as a list of rules based on matches to
fields in the IP or TCP header. If there is a match to one of the rules, that rule
is invoked to determine whether to forward or discard the packet. If there is
no match to any rule, then a default action is taken.
• Two default policies are possible:
• Default = discard: That which is not expressly permitted is prohibited.
Default = forward: That which is not expressly prohibited is permitted.

TELNET packet filtering

• TELNET is a simple remote terminal access that allows a user to log onto a
computer across an Internet. TELNET establishes a TCP connection and then
passes keystrokes from the user's keyboard directly to the remote computer.

• TELNET also carries output from the remote machine back to the user's
screen.
• If a packet is passed through the filter and has a source port of 23, it will
immediately be discarded. If a packet with a destination port of 23 is passed
through this filter, it is discarded only after rule 2 has been applied. All other
packets will be discarded.

FTP packet filtering

• If the FTP service is to apply the same basic rule as applied to TELNET, the
packet filter to allow or block FTP would look like following Table. The FTP
service is typically associated with using TCP ports 20 and 21.
• Advantages of packet filter router – Simple, Transparent to users, Very fast

Weakness of packet filter firewalls

• Because packet filter firewalls do not examine upper-layer data, they cannot
prevent attacks that employ application specific vulnerabilities or functions.
• Because of the limited information available to the firewall, the logging
functionality present in packet filter firewall is limited.
• It does not support advanced user authentication schemes.
• They are generally vulnerable to attacks such as layer address spoofing.

Attacks
• IP address spoofing – The intruders transmit packets from the outside with a
source IP address field containing an address of an internal host. To
overcome this attack, discard the packet with an inside source address if the
packet arrives on an external interface.

• Source routing attacks – The source station specifies the route that a packet
should take as it crosses the internet; i.e., it will bypass the firewall. The
countermeasure is to discard all packets that uses this option.
• Tiny fragment attacks – The intruder create extremely small fragments and
force the TCP header information into a separate packet fragment. The
attacker hopes that only the first fragment is examined and the remaining
fragments are passed through. The countermeasure is to discard all packets
where the protocol type is TCP and the IP fragment offset is equal to 1.

2. Application level gateway

• An Application level gateway, also called a proxy server, acts as a relay of
application level traffic. The user contacts the gateway using a TCP/IP
application, such as Telnet or FTP, and the gateway asks the user for the
name of the remote host to be accessed. When the user responds and provides
a valid user ID and authentication information, the gateway contacts the
application on the remote host and relays TCP segments containing the
application data between the two endpoints.

• Application level gateways tend to be more secure than packet filters. It is

easy to log and audit all incoming traffic at the application level. A prime
disadvantage is the additional processing overhead on each connection.
3. Circuit-Level Gateway
• Circuit level gateway can be a stand-alone system or it can be a specified
function performed by an application level gateway for certain applications.

• A Circuit level gateway does not permit an end-to-end TCP connection;

rather, the gateway sets up two TCP connections, one between itself and a
TCP user on an inner host and one between itself and a TCP user on an outer
host.

• Once the two connections are established, the gateway typically relays TCP
segments from one connection to the other without examining the contents.
The security function consists of determining which connections will be
allowed.
FIREWALL DESIGNS
• The primary step in designing a secure firewall is obviously to prevent the
firewall devices from being compromised by threats. To provide a certain
level of security, the three basic firewall designs are considered:
1. Single-homed bastion host
2. Dual-homed bastion host
3. Screened subnet firewall
1. Screened Host Firewall (Single-Homed Bastion Host)
The first type of firewall is a screened host which uses a single-homed bastion
host plus a packet-filtering router. Single-homed bastion hosts can be configured
as either circuit-level or application-level gateways. When using either of these
two gateways, each of which is called a proxy server, the bastion host can hide
the configuration of the internal network.
• In this configuration, the firewall consists of two systems: a packet filtering
router and a bastion host. Typically, the router is configured so that:
 For traffic from the internet, only IP packets destined for the bastion host
are allowed in.
 For traffic from the internal network, only IP packets from the bastion host
are allowed out.
 The bastion host performs authentication and proxy functions. This
configuration has greater security than simply a packet filtering router or an
application level.

2. Dual-Homed Bastion Host

The configuration of the screened host firewall using a dual-homed bastion
host adds significant security, compared with a single-homed bastion host.
Dual-homed bastion host has two network interfaces. This firewall
implementation is secure due to the fact that it creates a complete break
between the internal network and the external Internet.
3. Screened Subnet Firewall
• The third implementation of a firewall is the screened subnet, which is also
known as a DMZ.
• This firewall is the most secure one among the three implementations,
simply because it uses a bastion host to support both circuit- and
application-level gateways.
• All publicly accessible devices, including modem and server, are placed
inside the DMZ. The screened subnet firewall contains external and internal
screening routers. Each is configured such that its traffic flows only to or
from the bastion host. This router also uses filters to prevent attacks such as
IP spoofing and source routing.
• This configuration offers several advantages:
 There are now three levels of defense to thwart intruders.
 The outside router advertises only the existence of the screened subnet to the
internet; therefore the internal network is invisible to the internet.
 Similarly, the inside router advertises only the existence of the screened
subnet to the internal network; therefore the systems on the internal network
cannot construct direct routes to the internet.
SECURE ELECTRONIC TRANSACTION (SET)
SET is an open encryption and security specification. This is used to protect credit
card transaction on the internet.

Business Requirements for SET

• Confidentiality of information - provide confidentiality of payment and order
information
• Integrity of data - Ensure the integrity of all transmitted data

• Cardholder account authentication - Provide authentication that a cardholder is

a legitimate customer of a branded payment card account

• Merchant authentication - Provide authentication that a merchant can accept

credit card transactions through its relationship with an acquiring financial
institution

• Security techniques - Ensure the use of the best security practices and system
design techniques to protect all legitimate parties in an electronic commerce
transaction.
Creation of brand-new protocol - Create a protocol that neither depends on
transport security mechanisms nor prevents their use)
• Interoperability - Facilitate and encourage interoperability among software.

Set Participants
• Cardholder: A cardholder is an authorized holds of a payment card that has
been issued by an issuer.

• Merchant: A merchant is a person/organization that has goods or services to

sell to the card holder.

• Issuer: The financial institution that provides the card holder with the
payment card. Eg. bank

• Acquirer: The acquirer is a financial institution that establishes an account

with a merchant and process payment card authorization and payments. Eg.
Payment gateway.

• Certification authority: CA is trusted to issue X.509 V3 certificates to the

card holder, merchant and payment gateway.
Sequence of Events Needed for the Transaction
1. The customer opens an account. The customer obtains a credit card account,
such as MasterCard or Visa, with a bank that supports electronic payment and
SET.

2. The customer receives a certificate. After suitable verification of identity, the

customer receives an X.509v3 digital certificate, which is signed by the bank.
The certificate verifies the customer's RSA public key and its expiration date. It
also establishes a relationship, guaranteed by the bank, between the customer's
key pair and his or her credit card.

3. Merchants have their own certificates. A merchant who accepts a certain brand
of card must be in possession of two certificates for two public keys owned by
the merchant: one for signing messages, and one for key exchange. The merchant
also needs a copy of the payment gateway's public-key certificate.

4. The customer places an order. This is a process that may involve the customer
first browsing through the merchant's Web site to select items and determine the
price. The customer then sends a list of the items to be purchased to the
merchant, who returns an order form containing the list of items, their price, a
total price, and an order number.
5. The merchant is verified. In addition to the order form, the merchant sends
a copy of its certificate, so that the customer can verify that he or she is
dealing with a valid store.

6. The order and payment are sent. The customer sends both order and
payment information to the merchant, along with the customer's certificate.
The order confirms the purchase of the items in the order form. The
payment contains credit card details. The payment information is encrypted
in such a way that it cannot be read by the merchant. The customer's
certificate enables the merchant to verify the customer.

7. The merchant requests payment authorization. The merchant sends the

payment information to the payment gateway, requesting authorization that
the customer's available credit is sufficient for this purchase.

8. The merchant confirms the order. The merchant sends confirmation of

the order to the customer.

9. The merchant provides the goods or service. The merchant ships the
goods or provides the service to the customer.
10. The merchant requests payment. This request is sent to the payment
gateway, which handles all of the payment processing.

Dual Signature and Signature Verification

• The purpose of the dual signature is to link two messages that are intended
for two different recipients. In this case, the customer wants to send the order
information (OI) to the merchant and the payment information (PI) to the
bank. The merchant does not need to know the customer's credit card
number, and the bank does not need to know the details of the customer's
order.
DS = E(PRc , [H(H(PI) || H(OI)])

Payment Processing
(i) Purchase request – Merchant
 Verifies cardholder certificates using CA sigs
 Verifies dual signature using customer's public signature key to ensure order
has not been tampered with in transit & that it was signed using cardholder's
private signature key
 Processes order and forwards the payment information to the payment
gateway for authorization (described later)
 Sends a purchase response to cardholder
Purchase request – Merchant
(ii) Purchase Request – Card holder

Cardholder Sends Purchase Request

(iii) Payment authorization
1. Verifies all certificates
2. Decrypts digital envelope of authorization block to obtain symmetric key &
then decrypts authorization block
3. Verifies merchant's signature on authorization block.
4. Decrypts digital envelope of payment block to obtain symmetric key & then
decrypts payment block
5. Verifies dual signature on payment block
6. Verifies that transaction ID received from merchant matches that in PI
received (indirectly) from customer
7. Requests & receives an authorization from issuer
8. Sends authorization response back to merchant.

(iv) Payment Capture

• Merchant sends payment gateway a payment capture request
• Gateway checks request
• Then causes funds to be transferred to merchants account
• Notifies merchant using capture response
INTRUDER
• One of the most publicized attacks to security is the intruder, generally
referred to as hacker or cracker. Three classes of intruders are as follows:
 Masquerader – an individual who is not authorized to use the computer and
who penetrates a system’s access controls to exploit a legitimate user’s
account.
 Misfeasor – a legitimate user who accesses data, programs, or resources for
which such access is not authorized, or who is authorized for such access but
misuse his or her privileges.
 Clandestine user – an individual who seizes supervisory control of the
system and uses this control to evade auditing and access controls or to
suppress audit collection.
• The masquerader is likely to be an outsider; the misfeasor generally is an
insider; and the clandestine user can be either an outsider or an insider.

Intrusion Techniques
The objective of the intruders is to gain access to a system or to increase the
range of privileges accessible on a system. The password files can be protected in
one of the two ways:
• One way encryption – The system stores only an encrypted form of user’s
password.
• Access control – Access to the password file is limited to one or a very few
accounts.
The following techniques are used for learning passwords.
1. Try default passwords used with standard accounts that are shipped with the
system. Many administrators do not bother to change these defaults.
2. Exhaustively try all short passwords.
3. Try words in the system’s online dictionary or a list of likely passwords.
4. Collect information about users such as their full names, the name of their
spouse and children, pictures in their office and books in their office that are
related to hobbies.
5. Try user’s phone number, social security numbers and room numbers.
6. Try all legitimate license plate numbers.
7. Use a trojan horse to bypass restriction on access.
8. Tap the line between a remote user and the host system.
Two principle countermeasures:
1. Detection – concerned with learning of an attack, either before or after its
success.
2. Prevention – challenging security goal

INTRUSION DETECTION
• Intrusion detection is based on the assumption that the behavior of the
intruder differs from that of a legitimate user in ways that can be quantified.

• Although the typical behavior of an intruder differs from the typical behavior
of an authorized user, there is an overlap in these behaviors. Thus, a loose
interpretation of intruder behavior, which will catch more intruders, will also
lead to a number of "false positives," or authorized users identified as
intruder.
Profiles of Behavior of Intruders and Authorized Users
Approaches to intrusion detection
1. Statistical anomaly detection
2. Rule-based detection:
3. Distributed Intrusion Detection
4. Honeypot

1. Statistical anomaly detection:

• Involves the collection of data relating to the behavior of legitimate users
over a period of time. Then statistical tests are applied to observed behavior
to determine with a high level of confidence whether that behavior is not
legitimate user behavior.
 Threshold detection: This approach involves defining thresholds,
independent of user, for the frequency of occurrence of various events.

 Profile based: A profile of the activity of each user is developed and used to
detect changes in the behavior of individual accounts.
2. Rule-based detection:
• Involves an attempt to define a set of rules that can be used to decide that a
given behavior is that of an intruder.
 Anomaly detection: Rules are developed to detect deviation from previous
usage patterns.

 Penetration identification: An expert system approach that searches for

suspicious behaviour.

• A fundamental tool for intrusion detection is the audit record. Some record of
ongoing activity by users must be maintained as input to an intrusion
detection system. Basically, two plans are used:

1. Native audit records: Virtually all multiuser operating systems include

accounting software that collects information on user activity.

The advantage of using this information is that no additional collection

software is needed. The disadvantage is that the native audit records may not
contain the needed information or may not contain it in a convenient form.
2. Detection-specific audit records: A collection facility can be implemented that
generates audit records containing only that information required by the
intrusion detection system.

One advantage of such an approach is that it could be made vendor

independent and ported to a variety of systems. The disadvantage is the
extra overhead involved in having, in effect, two accounting packages
running on a machine.

• Each audit record contains the following fields:

 Subject: Initiators of actions. A subject is typically a terminal user but might also
be a process acting on behalf of users or groups of users.

 Action: Operation performed by the subject on or with an object; for example,

login, read, perform I/O, execute.

 Object: Receptors of actions. Examples include files, programs, messages,

records, terminals, printers, and user- or program-created structures.
 Exception-Condition: Denotes which, if any, exception condition is raised
on return.

 Resource-Usage: A list of quantitative elements in which each element gives

the amount used of some resource.

 Time-Stamp: Unique time-and-date stamp identifying when the action took

place.

3. Distributed Intrusion Detection

• Traditional focus is on single systems. But typically have networked systems.
More effective defense has these working together to detect intrusions.
 Dealing with varying audit record formats.
 Integrity & confidentiality of networked data.
 Centralized or decentralized architecture.
Architecture for Distributed Intrusion
Detection Three main components
1. Host agent module: An audit collection module operating as a background
process on a monitored system. Its purpose is to collect data on security-
related events on the host and transmit these to the central manager.

2. LAN monitor agent module: Operates in the same fashion as a host agent
module except that it analyses LAN traffic and reports the results to the
central manager.

3. Central manager module: Receives reports from LAN monitor and host
agents and processes and correlates these reports to detect intrusion.

Agent Architecture
The agent captures each audit record produced by the native audit collection
system.
1. Filter is applied that retains only those records that are of security interest.

2. These records are then reformatted into a standardized format referred to as

the host audit record (HAR).
3. Next, a template-driven logic module analyzes the records for suspicious
activity.

4. At the lowest level, the agent scans for notable events that are of interest
independent of any past events.

5. At the next higher level, the agent looks for sequences of events, such as
known attack patterns (signatures).

6. Finally, the agent looks for anomalous behaviour of an individual user based
on a historical profile of that user, such as number of programs executed,
number of files accessed, and the like.

7. When suspicious activity is detected, an alert is sent to the central manager.

8. The central manager includes an expert system that can draw inferences
from received data.
9. The manager may also query individual systems for copies of HARs to
correlate with those from other agents.

10. The LAN monitor agent also supplies information to the central manager.

11. The LAN monitor agent audits host-host connections, services used, and
volume of traffic.

12. It searches for significant events, such as sudden changes in network load,
the use of security-related services, and network activities such as rlogin.
4. Honeypots
• Honeypots are decoy systems that are designed to lure a potential attacker
away from critical systems. Honeypots are designed to:
 Divert an attacker from accessing critical systems.
 Collect information about the attacker's activity.
 Encourage the attacker to stay on the system long enough for administrators
to respond.

• These systems are filled with fabricated information designed to appear

valuable but that a legitimate user of the system wouldn't access.

• The system is instrumented with sensitive monitors and event loggers that
detect these accesses and collect information about the attacker's activities.

• Because any attack against the honeypot is made to seem successful,

administrators have time to mobilize and log and track the attacker without
ever exposing productive systems.
Viruses and Malicious Programs
• Computer “Viruses” and related programs have the ability to replicate
themselves on an ever increasing number of computers. They originally
spread by people sharing floppy disks. Now they spread primarily over the
Internet (a “Worm”).

• Other “Malicious Programs” may be installed by hand on a single machine.

They may also be built into widely distributed commercial software
packages. These are very hard to detect before the payload activates (Trojan
Horses, Trap Doors, and Logic Bombs).
Definitions
• A “Bacteria” replicates until it fills all disk space, or CPU cycles.

• Worm - a program that replicates itself across the network (usually riding on
email messages or attached documents (e.g., macro viruses).

• Virus - code that copies itself into other programs.

• Payload - harmful things the malicious program does, after it has had time to
spread.

• Trojan Horse - instructions in an otherwise good program that cause bad things
to happen (sending your data or password to an attacker over the net).

• Logic Bomb - malicious code that activates on an event (e.g., date).

• Trap Door (or Back Door) - undocumented entry point written into code for
debugging that can allow unwanted users.

• Easter Egg - extraneous code that does something “cool.” A way for
programmers to show that they control the product.
Virus Phases
• Dormant phase - the virus is idle, will be activated by some events like date.

• Propagation phase - the virus places an identical copy of itself into other
programs.

• Triggering phase – the virus is activated to perform the function for which it
was intended.

• Execution phase – the function is performed.

Virus Protection
• Have a well-known virus protection program, configured to scan disks and
downloads automatically for known viruses.

• Do not execute programs (or "macro's") from unknown sources (e.g., PS

files, Hypercard files, MS Office documents.

• Avoid the most common operating systems and email programs, if possible.
Virus Structure (Example)
• The above virus program is prepended to the actual program and becomes the
entry point to the program, whenever the actual program is invoked.

• The first line of code is a jump to the main virus program. Second line is a
special marker that is used by the virus to determine whether or not the
current program has been infected already with this virus.

• Upon activation, the virus program seeks out uninfected executable files and
infects them. Then it performs some action usually detrimental to the system.
This action could be performed every time the program is invoked.

Types of Viruses
• Parasitic Virus - attaches itself to executable files as part of their code and
replicates. Runs whenever the host program runs.

• Memory-resident Virus - Lodges in main memory as part of the residual

operating system.
• Boot Sector Virus - infects the boot sector of a disk, and spreads when the
operating system boots up (DOS viruses).

• Stealth Virus - explicitly designed to hide from Virus Scanning programs.

• Polymorphic Virus - mutates with every new host to prevent signature

detection.

• Metamorphic Virus – mutates with every infection. Difference is it rewrites

itself completely.

Macro Viruses
Macro viruses are threatening for a number of reasons:
 Microsoft Office applications allow “macros” to be part of the document.
The macro could run whenever the document is opened, or when a certain
command is selected (Save File).

 Platform independent.
 Infect documents, delete files, generate email and edit letters.

 Easily spread, common method is emails.

• Macro viruses are created by auto executing macros. That is a macro that is
automatically invoked, without explicit user input. Common auto execute
events are opening a file, closing a file and starting an application.

• Microsoft word has three types of such auto executing macros namely Auto
execute, Auto macro, Command macro.

Email Viruses
 Email viruses sends itself to everyone in the mailing list.

 Does local damage

Worms
• A worm actively seeks out more machines to infect and each machine that is
infected serves as automated launching pad for attacks on other machines.

• Network worm programs use network connections to spread from system to

system. Once active within a system, network worm can behave as a
computer virus or bacteria.

• To replicate itself, a network worm uses some sort of network vehicle.

Examples include electronic mail facility, remote execution capability,
remote login capability.
•
• The network worm may attempt to determine whether a system has
previously been infected before copying itself to the system. In a
multiprogramming environment, it may disguise as a system process or
system name to escape from detection.

• By employing proper network security and single system security measures,

the threat of worms can be minimized.
Anti virus Approaches
• Detection: Once infection has occurred, determine that it has occurred and
locate the virus.
• Identification: Once detected successfully, identify the type of virus that
has caused the infection.
• Removal: Once identified, remove all traces of the virus from the infected
program and restore it to original state.

Four generations of antivirus softwares have been identified:

• 1st Generation, Scanners: searched files for any of a library of known virus
“signatures.” Checked executable files for length changes.
• 2nd Generation, Heuristic Scanners: looks for more general signs than
specific signatures (code segments common to many viruses). Checked files
for checksum or hash changes.
• 3rd Generation, Activity Traps: stay resident in memory and look for certain
patterns of software behavior (e.g., scanning files).
• 4th Generation, Full Featured: combine the best of the techniques above.
Advanced Antivirus Techniques
1. Generic Decryption – Enables the antivirus program to detect easily even
the most complex polymorphic viruses, while maintaining fast scanning
speeds. The executable files are made to run through a GD scanner that
contains the following elements:

• CPU Emulator - A s/w based virtual computer. Instructions in an exe file are
interpreted rather than executed in the processor.

• Virus Signature Scanner - Module that scans the target code looking for
known signatures.

• Emulation Control Module - controls the execution of the target code.

2. Digital Immune System – It was introduced by IBM to counter the internet

based threats. The typical steps of operation of the system have been listed
below:
1. A Monitoring program on each PC uses different techniques to infer the
presence of virus. It forwards a copy of any program thought to be infected
to an administrative machine within the organization.
2. The admin machine encrypts the sample and sends it to a central virus
analysis machine.

3. This machine creates a safe environment for the infected program for
analyzing it. It then produces a prescription for identifying and removing the
virus.

4. The resulting prescription is sent back to the administrative machine.

5. The admin forwards the prescription to the infected client.

6. The prescription is also forwarded to other clients in the organization.

7. Subscribers around the world receive regular antivirus updates for protection
from new viruses.
3. Behaviour Blocking Software – It integrates with the operating system of the
host computer and monitors program behaviour in real time for malicious
activities. It then blocks potentially malicious actions before they have a chance
to affect the system.

Trusted Systems
• Implementation of trusted system technology offers defense against intruders
and malicious programs.

• Data Access Control: After successful logon, user is permitted to access host
resources. Such screening is not sufficient for systems with sensitive
information. Through user access control procedure, a user can be identified
to the system. Each user’s profile specifies the permissible operations and file
accesses.

• The DBMS should control access to specific records or even portions of a

record. A general model of access control exercised by an file or DBMS is
that of an access control matrix that contains the following basic elements:
i. Subject: Entity accessing objects. It could be an user or a process.
ii. Object: Any thing to which access is controlled. It could be file, program or
memory segments.

iii. Access Right: Way in which an object is accessed by a subject. It could be

read, write, execute.

One axis of matrix depicts the users or subjects attempting for data access. The
other axis lists the objects that can be accessed. An access matrix can be
decomposed in 2 ways:
1. Column Decomposition: This yields an access control list. For each subject,
an access control list lists users and their permitted access rights.

2. Row Decomposition: This yields capability ticket that specifies authorized

objects and operations for a user.

• Such techniques protect data in a particular system. In general, data or

resources should be protected on the basis of levels of security. When multiple
categories or levels of data are defined, the requirement is defined as
multilevel security.
Multi-Level Systems
They validate the handling of subjects and objects with different rights and levels
of security simultaneously.
Major features of such systems include:
• user identification and authentication
• resource access control and object labeling
• audit trails of all security relevant events
• external validation of the systems security

A multilevel secure system must enforce:

No read up: A subject can only read an object of less or equal security level.
This is referred as simple security property.

No write down: A subject can only write into an object of greater or equal
security level.
• For a data processing system, trusted system concept can be enforced thru
Reference Monitor Concept. The reference monitor is a controlling element
in the hardware and OS of a computer that regulates access of subjects to
objects on the basis of security parameters of the subject and object.

• The reference monitor has access to a file known as Security Kernel

Database, that lists the access privileges of each subject and the protection
attributes of each object. It enforces the security rules and has the following
properties:
 Complete Mediation: Security rules are enforced on every access.
 Isolation: Reference monitor and database are protected from
unauthorized modification.
 Verifiability: The reference monitor’s correctness must be provable.

• The Audit File component records important security events like security
violations, authorized changes made to security kernel database.
• Complete mediation imposes performance penalty and hence solution should
be partly provided thru hardware. Isolation offers protection to reference
monitor and kernel database from security attacks. Verification must be
carried out thru mathematical proof. A system that implements such
verification is referred to as trusted system.