Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                

Unit V

Download as docx, pdf, or txt
Download as docx, pdf, or txt
You are on page 1of 49

CB3491– Cryptography and cyber security (Regulation2021)

III Year / V Semester - CSE

CYBER CRIMES AND CYBER SECURITY UNIT-5

Cyber Crime and Information Security – classifications of Cyber Crimes – Tools


and Methods – Password Cracking, Keyloggers, Spywares, SQL Injection –
Network Access Control – Cloud Security – Web Security – Wireless Security
Cyber Crime and Information Security
Crime committed using a computer and the internet to steal data or information, Illegal imports,
Malicious programs.
Origin of the word
Origin of the word Cyber Crime Cyber came from cybernetics. Cybernetics influences game,
system, and organizational theory. Cybernetics derived from the Greek kubernētēs which refers to a
pilot or steersman. Related is the Greek word kubernēsis which means “the gift of governance” and
applies to leadership.

Define Cyber Crime


 Cybercrime is defined as a crime in which a computer is the object of the crime (hacking,
phishing, spamming) or is used as a tool to commit an offense (child pornography, hate crimes).
Cybercriminals may use computer technology to access personal information, business trade
secrets or use the internet for exploitative or malicious purposes. Criminals can also use
computers for communication and document or data storage. Criminals who perform these
illegal activities are often referred to as hackers. Cybercrime may also be referred to as
computer crime.
 A crime committed using a computer and the internet to steal a person’s identity (identity theft)
or sell contraband or stalk victims or disrupt operations with malevolent programs.
 Any illegal activity through the Internet or on the computer.
 All criminal activities done using the medium of computers, the Internet, cyber space and the
WWW.

1
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE

 Cyber crime refers to the act of performing a criminal act using cyber space as communication
vehicle.

Information Security
Information system means to consider available countermeasures or controls stimulated through
uncovered vulnerabilities and identify an area where more work is needed. The purpose of data security
management is to make sure business continuity and scale back business injury by preventing and
minimising the impact of security incidents.

The basic principle of Information Security is:


 Confidentially
 Authentication
 Non-Repudiation
 Integrity

The need for Information security:


1. Protecting the functionality of the organisation: The decision maker in organisations must set
policy and operates their organisation in compliance with the complex, shifting legislation, efficient
and capable applications.

2. Enabling the safe operation of applications: The organisation is under immense pressure to acquire
and operates integrated, efficient and capable applications. The modern organisation needs to create
an environment that safeguards application using the organisations IT systems, particularly those
application that serves as important elements of the infrastructure of the organisation.

3. Protecting the data that the organisation collects and use: Data in the organisation can be in two
forms that are either in rest or in motion, the motion of data signifies that data is currently used or
processed by the system. The values of the data motivated the attackers to seal or corrupts the data.
This is essential for the integrity and the values of the organisation’s data. Information security
ensures protection od both data in motion as well as data in rest.

4. Safeguarding technology assets in organisations: The organisation must add intrastate services
based on the size and scope of the organisation. Organisational growth could lead to the need for
public key infrastructure, PKI an integrated system of the software, encryption methodologies. The

2
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE
information security mechanism used by the large organisation is complex in comparison to a small
organisation. The small organisation generally prefers symmetric key encryption of data.

Threats to Information Systems

 In Information Security threats can be many like Software attacks, theft of intellectual property,
identity theft, theft of equipment or information, sabotage, and information extortion.
 Threat can be anything that can take advantage of a vulnerability to breach security and
negatively alter, erase, harm object or objects of interest.
 Software attacks means attack by Viruses, Worms, Trojan Horses etc. Many users believe that
malware, virus, worms, bots are all same things. But they are not same, only similarity is that
they all are malicious software that behave differently.
 Malware is a combination of 2 terms- Malicious and Software. So Malware basically means
malicious software that can be an intrusive program code or a anything that is designed to
perform malicious operations on system.

Malware can be divided in 2 categories:

1. Infection Methods

2. Malware Actions

Malware on the basis of Infection Method are following:

1. Virus – They have the ability to replicate themselves by hooking them to the program on the host
computer like songs, videos etc and then they travel all over the Internet. Ther Creeper Virus was
first detected on ARPANET. Examples include File Virus, Macro Virus, Boot Sector Virus, Stealth
Virus etc.

2. Worms – Worms are also self replicating in nature but they don’t hook themselves to the program
on host computer. Biggest difference between virus and worms is that worms are network aware.
They can easily travel from one computer to another if network is available and on the target
machine they will not do much harm, they will for example consume hard disk space thus slowing
down the computer.

3
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE
3. Trojan – The Concept of Trojan is completely different from the viruses and worms. The name
Trojan derived from the ‘Trojan Horse’ tale in Greek mythology, which explains how the Greeks
were able to enter the fortified city of Troy by hiding their soldiers in a big wooden horse given to
the Trojans as a gift. The Trojans were very fond of horses and trusted the gift blindly. In the night,
the soldiers emerged and attacked the city from the inside. Their purpose is to conceal themselves
inside the software that seem legitimate and when that software is executed they will do their task of
either stealing information or any other purpose for which they are designed. They often provide
backdoor gateway for malicious programs or malevolent users to enter your system and steal your
valuable data without your knowledge and permission. Examples include FTP Trojans, Proxy
Trojans, Remote Access Trojans etc.

4. Bots –: can be seen as advanced form of worms. They are automated processes that are designed to
interact over the internet without the need of human interaction. They can be good or bad. Malicious
bot can infect one host and after infecting will create connection to the central server which will
provide commands to all infected hosts attached to that network called Botnet. Malware on the basis
of Actions:

1. Adware – Adware is not exactly malicious but they do breach privacy of the users. They display
ads on computer’s desktop or inside individual programs. They come attached with free to use
software, thus main source of revenue for such developers. They monitor your interests and display
relevant ads. An attacker can embed malicious code inside the software and adware can monitor your
system activities and can even compromise your machine.

2. Spyware – It is a program or we can say a software that monitors your activities on computer and
reveal collected information to interested party. Spyware are generally dropped by Trojans, viruses
orworms. Once dropped they installs themselves and sits silently to avoid detection. One of the most
common examples of spyware is KEYLOGGER. The basic job of keylogger is to record user
keystrokes with timestamp. Thus, capturing interesting information like username, passwords, credit
card details etc.

3. Ransomware – It is type of malware that will either encrypt your files or will lock your computer
making it inaccessible either partially or wholly. Then a screen will be displayed asking for money
i.e., ransom in exchange.
4
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE
4. Scareware – It masquerades as a tool to help fix your system but when the software is executed it
will infect your system or completely destroy it. The software will display a message to frighten you
and force to take some action like pay them to fix your system.

5. Rootkits – are designed to gain root access or we can say administrative privileges in the user
system. Once gained the root access, the exploiter can do anything from stealing private files to
private data.

6. Zombies – They work similar to Spyware. Infection mechanism is same but they don’t spy and
steal information rather they wait for the command from hackers.

 Theft of intellectual property means violation of intellectual property rights like copyrights,
patents etc.

 Identity theft means to act someone else to obtain person’s personal information or to access vital

Information they have like accessing the computer or social media account of a person by login into

the account by using their login credentials.

 Theft of equipment and information is increasing these days due to the mobile nature of devices
and increasing information capacity.
 Sabotage means destroying company’s website to cause loss of confidence on part of its customer.
 Information extortion means theft of company’s property or information to receive payment in
exchange. For example, ransom ware may lock victims file making them inaccessible thus forcing
victim to make payment in exchange. Only after payment victim’s files will be unlocked.

Information Assurance

Information Assurance concerns implementation of methods that focused on protecting and


safeguarding critical information and relevant information systems by assuring confidentiality,
integrity, availability, and non-repudiation. It is strategic approach focused which focuses more on
deployment of policies rather than building infrastructures.

Information Assurance Model:

The security model is multidimensional model based on four dimensions :

5
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE
1. Information States – Information is referred to as interpretation of data which can be found in
three states stored, processed, or transmitted.

2. Security Services – It is fundamental pillar of the model which provides security to system and
consists of five services namely availability, integrity, confidentiality, authentication, and non-
repudiation.

3. Security Countermeasures – This dimension has functionalities to save system from immediate
vulnerability by accounting for technology, policy & practice, and people.

4. Time – This dimension can be viewed in many ways. At any given time, data may be available
offline or online, information and system might be in flux thus, introducing risk of unauthorized
access. Therefore, in every phase of System Development Cycle, every aspect of Information
Assurance model must be well defined and well implemented in order to minimize risk of
unauthorized access.

Classifications of Cyber Crimes


1. Email spoofing
Email spoofing is a form of cyber attack in which a hacker sends an email that has been
manipulated to seem as if it originated from a trusted source. For example, a spoofed email may
pretend to be from a well-known shopping website, asking the recipient to provide sensitive data,
such as a password or credit card number. Alternatively, a spoofed email may include a link that
installs malware on the user's device if clicked. An example of spoofing is when an email is sent
from a false sender address that asks the recipient to provide sensitive data. This email could also
contain a link to a malicious website that contains malware.
2. Spamming

Spamming is the use of electronic messaging systems like e-mails and other digital delivery
systems and broadcast media to send unwanted bulk messages indiscriminately. The term spamming
is also applied to other media like in internet forums, instant messaging, and mobile text messaging,
social networking spam, junk fax transmissions, television advertising and sharing network spam.
Spam is any kind of unwanted, unsolicited digital communication that gets sent out in bulk. Often
spam is sent via email, but it can also be distributed via text messages, phone calls, or social media.

6
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE
3. Cyber defamation
 The tort of cyber defamation is an act of intentionally insulting, defaming or  offending
another individual or a party through a virtual medium. It can be both written and oral. 
Defamation means giving an “injury to the reputation of a person” resulting  from a
statement which is false. The term defamation is used in the section 499 of Indian Penal
Code, 1860. Cyber defamation is also known as internet defamation or online defamation
in the world of internet and its users. Cyber defamation is also known as internet
defamation or online defamation in the world of internet and its users.
 Cyber defamation is a new concept but it virtually defames a person through new medium.
The medium of defaming the individual's identity is through the help of computers via
internet.
4. Internet time theft

It refers to the theft in a manner where the unauthorized person uses internet hours paid
by another person. The authorized person gets access to another person's ISP user ID and
password, either by hacking or by illegal means without that person's knowledge. Basically,
Internet time theft comes under hacking. It is the use by an unauthorized person, of the Internet
hours paid for by another person.
5. Salami Attack

A salami attack is a small attack that can be repeated many times very efficiently. Thus
the combined output of the attack is great. In the example above, it refers to stealing the round-
off from interest in bank accounts. Even though it is less than 1 cent per account, when
multiplied by millions of accounts over many months, the adversary can retrieve quite a large
amount. It is also less likely to be noticeable since your average customer would assume that the
amount was rounded down to the nearest cent.
6. Data Diddling

Data diddling is a type of cybercrime in which data is altered as it is entered into a


computer system, most often by a data entry clerk or a computer virus. Data diddling is an illegal
or unauthorized data alteration. Changing data before or as it is input into a computer or output.
Example: Account executives can change the employee time sheet information of employees
before entering to the HR payroll application.
7. Forgery
Forger" redirects here. When a perpetrator alters documents stored in computerized form,
the crime committed may be forgery. In this instance, computer systems are the target of criminal
activity. The term forgery usually describes a message related attack against a cryptographic

7
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE
digital signature scheme. That is an attack trying to fabricate a digital signature for a message
without having access to the respective signer's private signing key. Among the many examples
of this crime, taking another's work, whether it be written or visual, such as a artwork, and
attempting to distribute it as either your own or as an original is an example of forgery. Likewise,
either creating fake documents or producing counterfeit items is considered to be forgery as
well.
8. Web Jacking
Illegally seeking control of a website by taking over a domain is know as Web Jacking. Web
jacking attack method is one kind of trap which is spread by the attacker to steal the sensitive
data of any people, and those people got trapped who are not aware about cyber security. Web
jacking attack method is another type of social engineering phishing attack where an attacker
create a fake web page of victim website An attacker send it to the victim and when a victim
click on that link, a message display on the browser “the site abc.com has move on another
address, click here to go to the new location” If a victim does click on the link, he/she will
redirect on the fake website page where an attacker can ask for any sensitive data such as credit
card number, username, password etc.
9. Emanating from UseNet
Usenet is a kind of discussion group where people can share views on topic of their interest. The
article posted to a newsgroup becomes available to all readers of the newsgroup. By its very
nature, Usenet groups may carry very offensive, harmful, inaccurate or otherwise inappropriate
material, or in some cases, postings that have been mislabeled or are deceptive in another way.
Therefore, it is expected that you will use caution and common sense and exercise proper
judgment when using Usenet, as well as use the service at your own risk.
10. Industrial Espionage
Industrial espionage describes a series of covert activities in the corporate world such as the theft
of trade secrets by the removal, copying, or recording of confidential or valuable information in a
company. The information obtained is meant for use by a competitor. Economic or industrial
espionage commonly occurs in one of two ways.
i) a dissatisfied employee appropriates information to advance interests or to damage the
company.
ii) Secondly, a competitor or foreign government seeks information to advance its own
technological or financial interest. Industrial espionage and spying can occur in any industry --
from food and beverage to fashion and entertainment. However, technology is one of the most
targeted industries. Key technology industries that are often targeted include computer,

8
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE
semiconductor, electronics, automotive, aerospace, biotechnology, energy, pharmaceutical and
high-tech manufacturing.

Tools and Methods


Tools and methods used in Cyber Crime Network attack incidents reveal that attackers are often very
systematic in launching their attacks. The basic stages of an attack are described here to understand
how an attacker can compromise a network here

1. Initial Uncovering
2. Network probe
3. Crossing the line toward electronic crime (E-crime)
4. Capturing the network
5. Grab the data
6. Covering tracks
1. Initial Uncovering

Two steps are involved here. In the first step called as reconnaissance, the attacker gathers
information, as much as possible, about the target by legitimate means – searching the information
about the target on the Internet by Googling social networking websites and people finder websites.

2. Network probe

At the network probe stage, the attacker uses more invasive techniques to scan the
information. Usually, a “ping sweep” of the network IP addresses is performed to seek out potential
targets, and then a “port scanning” tool.

3. Crossing the line toward electronic crime(E-crime)

Now the attacker is toward committing what is technically a “computer crime.” He/she
does this by exploiting possible holes on the target system.

4. Capturing the network At this stage, the attacker attempts to “own”the network. The attacker
gains a foothold in the internal network quickly and easily, by compromising low-priority target
systems. The next step is to remove any evidence of the attack.

9
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE
5. Grab the data:

Now that the attacker has “captured the network” he/she takes advantage of his/her position
to steal confidential data, customer credit card information, deface webpages, alter processes and even
launch attacks at other sites from your network, causing a potentially expensive and embarrassing
situation for an individual and/or for an organization.

6. Covering tracks

This is the last step in any cyber-attack, which refers to the activities undertaken by the
attacker to extend misuse of the system without being detected.

Password Cracking
 While checking electronic mail (E-Mail) one day a user finds a message from the bank threatening
him/her to close the bank account if he/she does not reply immediately. Although the message seems
to be suspicious from the contents of the message, it is difficult to conclude that it is a fake/false
EMail.
 It is believed that Phishing is an alternative spelling of “fishing,” as in “to fish for information.” The
first documented use of the word “Phishing” was in 1996.
 Password is like a key to get an entry into computerized systems like a lock. Password cracking is a
process of recovering passwords from data that have been stored in or transmitted by a computer
system. The purpose of password cracking is as follows:

1. To recover a forgotten password.


2. As a preventive measure by system administrators to check for easily crack able passwords.
3. To gain unauthorized access to a system.
Manual password cracking is to attempt to logon with different passwords. The attacker follows the
following steps
1. Find a valid user account such as an administrator or guest;
2. Create a list of possible passwords;
3. Rank the passwords from high to low probability;
4. Key-in each password;

10
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE
5. Try again until a successful password is found.

Passwords can be guessed sometimes with knowledge of the user’s personal information:
1. Blank (none);
2. The words like “password,” “passcode” and “admin”;
3. Series of letters from the “qwerty” keyboard, for example, qwerty, asdf or qwertyuiop.
4. User’s name or login name;
5. Name of user’s friend/relative/pet;
6. User’s birthplace or date of birth, or a relative’s or a friend’s;
7. User’s vehicle number, office number, residence number or mobile number;
8. Name of a celebrity who is considered to be an idol bythe user;
9. Simple modification of one of the preceding, such as suffixing a digit, particularly1, or reversing
the order of letters.
Online Attacks
An attacker can create a script file (i.e., automated program) that will be executed to try each
password in a list and when matches, an attacker can gain the access to the system. The most popular
online attack is man-in-the middle (MITM) attack, also termed as “bucket-brigade attack” or
sometimes “Janus attack.”
Offline Attacks
Mostly offline attacks are performed from a location other than the target (i.e., either a computer
system or while on the network) where these passwords reside or are used.
Strong, Weak and Random Passwords
A weak password is one, which could be easily guessed, short, common and a system default
password that could be easily found by executing a brute force attack and by using a subset of all
possible passwords. Here are some of the examples of “weak passwords”:
1. Susan: Common personal name;
2. aaaa: repeated letters, can be guessed;
3. rover: common name for a pet, also a dictionary word;
4. abc123: can be easily guessed;
5. admin: can be easily guessed;
11
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE
6. 1234: can be easily guessed;
7. QWERTY: a sequence of adjacent letters on many keyboards;
8. 12/3/75: date, possibly of personal importance;
9. nbusr123: probably a username, and if so, can be very easily guessed;
10. p@$$\/\/0rd: simple letter substitutions are preprogrammed into password cracking tools;
11. password: used very often – trivially guessed;
12. December12: using the date of a forced password change is very common.
Here are some examples of strong passwords:
1. Convert_£100 to Euros!: Such phrases are long, memorable and contain an extended symbol to
increase the strength of the password.
2. 382465304H: It is mix of numbers and a letter at the end, usually used on mass user accounts and
such passwords can be generated randomly.
3. 4pRte!ai@3: It is not a dictionary word; however it has cases of alpha along with numeric and
punctuation characters.
4. MoOoOfIn245679: It is long with both alphabets and numerals.
5. t3wahSetyeT4: It is not a dictionary word; however, it has both alphabets and numerals.
Random Passwords
We have explained in the previous section how most secure passwords are long with
random strings of characters and how such passwords are generally most difficult to remember.
Password is stronger if it includes a mix of upper and lower case letters, numbers and other symbols,
when allowed, for the same number of characters. The general guidelines applicable to the password
policies, which can be implemented organization-wide, are as follows:
1. Passwords and user logon identities (IDs) should be unique to each authorized user.
2. Passwords should consist of a minimum of eight alphanumeric characters.
3. There should be computer-controlled lists of prescribed password rules and periodic testing to
identify any password weaknesses.
4. Passwords should be kept private, that is, not shared with friends, colleagues.
5. Passwords shall be changed every 30/45 days or less.
6. User accounts should be frozen after five failed logon attempts.

12
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE
7. Sessions should be suspended after 15 minutes (or other specified period) of inactivity and require
the passwords to be re-entered.
8. Successful logons should display the date and time of the last logon and logoff .
9. Logon IDs and passwords should be suspended after a specified period of non-use.
10. For high-risk systems, after excessive violations, the system should generate an alarm and be able
to simulate a continuing session (with dummy data) for the failed user.

Key loggers
Keystroke logging, often called keylogging, is the practice of noting (or logging) the keys struck on a
keyboard, typically in a covert manner so that the person using the keyboard is unaware that such
actions are being monitored.

1. Software Keyloggers

Software keyloggers are software programs installed on the computer systems which usually
are located between the OS and the keyboard hardware, and every key stroke is recorded.

SC-KeyLog PRO

It allows to secretly record computer user activities such as E-Mails, chat conversations, visited
websites, clipboard usage, etc. in a protected log file.

Spytech SpyAgent Stealth

It provides a large variety of essential computer monitoring features as well as website and
application filtering, chat blocking and remote delivery of logs via E-Mail or FTP.

All in one Keylogger

It is an invisible keystrokes recorder and a spy software tool that registers every activity on the
PC to encrypted logs. Stealth Keylogger, Perfect Keylogger, KGB Spy ,Spy Buddy, Elite Keylogger ,
CyberSpy ,Powered Keylogger.

13
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE
2. Hardware Keyloggers

To install these keyloggers, physical access to the computer system is required. Hardware keyloggers
are small hardware devices. Listed are few websites where more information about hardware
keyloggers can be found:
1. http://www.keyghost.com
2. http://www.keelog.com
3. http://www.keydevil.com 4
. http://www.keykatcher.com
3. Antikeylogger

Antikeylogger is a tool that can detect the keylogger installed on the computer system and also can
remove the tool. Visit http://www.anti-keyloggers.com for more information. Advantages of using
Antikeylogger are as follows:

1. Firewalls cannot detect the installations of keyloggers on the systems; hence, Antikeylogger can
detect installations of keylogger.

2. Thissoftwaredoesnotrequireregularupdatesofsignaturebasestoworkeff ectivelysuchas other antivirus


and antispyprograms..

3. Prevents Internet banking frauds. Passwords can be easily gained with the help of installing
keyloggers.

4. It prevents ID theft.

5. It secures E-Mail and instant messaging/chatting.

Spywares

Spyware is a type of malware that is installed on computers which collects information about users
without their knowledge.

The features and functions of such Spywares are beyond simple monitoring.

1. 007 Spy: It has following key features:

14
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE
• Capability of overriding “antispy” programs like “ad-aware”;

• Record all websites url visited in internet;

• Powerful keylogger engine to capture all passwords;

• View logs remotely from anywhere at any time;

• Export log report in html format to view it in the browser;

• Automatically clean-up on outdated logs;

• Password protection.

2. Spector Pro:

It has following key features:

• Captures and reviews all chats and instant messages;

• captures E-Mails (read, sent and received);

• captures websites visited;

• captures activities performed on social networking sites such as MySpace and Facebook;

• enables to block any particular website and/or chatting with anyone;

• acts as a keylogger to capture every single keystroke (including usernames and passwords).

3. eBlaster: Besides keylogger and website watcher, it also records E-Mailssent and received, files
uploaded/downloaded, logging users’ activities, record online searches, recording Myspace and
Facebook activities and anyother program activity.

4. Remotespy: Besides remote computer monitoring, silently and invisibly, it also monitors and
records users’PC without any need for physical access. Moreover, it records
keystrokes(keylogger),screenshots, E-Mail, passwords, chats, instantmessengerconversations and
websites visited.

5. Stealth Recorder Pro: It is a new type of utility that enables to record a variety of sounds and
transfer them automatically through Internet without being notified by original location or source. It
15
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE
has following features: • Real-time mp3 recording via microphone, cd, line-in and stereo mixer as
mp3, wma or wav formatted files;

• Transferring via e-mail or ftp, the recorded files to a user-defined e-mail address or ftp
automatically;

• Controlling from a remote location;

• Voice mail, records and sends the voice messages.

6. Stealth Website Logger: It records all accessed websites and a detailed report can be available on
a specified E-Mail address.

It has following key features:

• Monitor visited websites;

• Reports sent to an E-Mail address;

• Daily log; • Global log for a specified period;

• Log deletion after a specified period;

• Hotkey and password protection;

• Not visible in add/remove programs or task manager.

7. Flexispy: It is a tool that can be installed on a cell/mobile phone. After installation, Flexispy
secretly records coversation that happens on the phone and sends this information to a specified E-
Mail address.

8. Wiretap Professional: It is an application for monitoring and capturing all activities on the
system. It can capture the entire Internet activity. ftis spy software can monitor and record EMail, chat
messages and websites visited. In addition, it helps in monitoring and recording of keystrokes,
passwords entered and all documents, pictures and folders viewed.

9. PC Phone Home: It is a software that tracks and locates lost or stolen laptop and desktop
computers. Every time a computer system on which PC Phone Home has been installed, connected to
the Internet, a stealth E-Mail is sent to a specified E-Mail address of the user’s choice.
16
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE
10. SpyArsenal Print Monitor Pro: It has following features:

• Keep track on a printer/plotter usage;

• record every document printed;

• find out who and when certain paper printed with your hardware

SQL Injection
 Structured Query Language (SQL) is a database computer language designed for managing data
in relational database management systems (RDBMS).
 SQL injection is a code injection technique that exploits a security vulnerability occurring in the
database layer of an application.
 The vulnerability is present when user input is either filtered incorrectly for string literal escape
characters embedded in SQL statements or user input is not strongly typed and thereby
unexpectedly executed.
 It is an instance of a more general class of vulnerabilities that can occur whenever one
programming or scripting language is embedded inside another. SQL injection attacks are also
known as SQL insertion attacks.

1. Steps for SQL Injection Attack.


Following are some steps for SQL injection attack:
1. The attacker looks for the web pages that allow submitting data, that is, login page, search page,
feedback, etc.
2. To check the source code of any website, right click on the webpage and click on “view source”
(if you are using IE – Internet Explorer) – source code is displayed in the notepad. The attacker
checks the source code of the HTML, and look for “FORM” tag in theHTML code.
Everything between the

<FORM> and </FORM> have potential parameters that might be useful to find the vulnerabilities.

<FORM action = Search/search.asp method=post>


<input type=hidden name=A value=C> </FORM>

17
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE

2. Blind SQL Injection


Blind SQL injection is used when a web application is vulnerable to an SQL injection but the
results of the injection are not visible to the attacker. The page with the vulnerability may not be
the one that displays data.
Using SQL injections, attackers can:
1. Obtain some basic information if the purpose of the attack is reconnaissance.
2. May gain access to the database by obtaining username and their password.
3. Add new data to the database.
4. Modify data currently in the database.
3. Tools used for SQL Server penetration
1. AppDetectivePro
2. DbProtect
3. Database Scanner
4. SQLPoke
5. NGSSQLCrack
6. Microsoft SQL Server Fingerprint (MSSQLFP) Tool
4. How to Prevent SQL Injection Attacks
SQL injection attacks occur due to poor website administration and coding. The following steps
can be taken to prevent SQL injection.
1. Input validation
2. Modify error reports
3. Other preventions
3. The attacker inputs a single quote under the text box provided on the webpage to accept the user-
name and password. This checks whether the user-input variable is sanitized or interpreted literally
by the server.
4. The attacker uses SQL commands such as SELECT statement command to retrieve data from the
database or INSERT statement to add information to the database.

18
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE

Network Access Control


Definition
Network access control (NAC) is an umbrella term for managing access to a network. NAC
authenticates users logging into the network and determines what data they can access and actions they
can perform. NAC also examines the health of the user’s computer or mobile device (the endpoints).

Elements of a Network Access Control System


NAC systems deal with three categories of components:

1. Access requestor (AR): The AR is the node that is attempting to access the network and may be any
device that is managed by the NAC system, including workstations, servers, printers, cameras, and other
IP-enabled devices. ARs are also referred to as supplicants, or simply, clients.

2. Policy server: Based on the AR’s posture and an enterprise’s defined policy, the policy server
determines what access should be granted. The policy server often relies on backend systems, including
antivirus, patch management, or a user directory, to help determine the host’s condition.

3. Network access server (NAS): The NAS functions as an access control point for users in remote
locations connecting to an enterprise’s internal network. Also called a media gateway, a remote access
server (RAS), or a policy server, an NAS may include its own authentication services or rely on a
separate authentication service from the policy server.

19
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE

Network Access Control Context


 Figure shows the generic network access diagram. A variety of different ARs seek access to an
enterprise network by applying to some type of NAS. The first step is generally to authenticate the
AR. Authentication typically involves some sort of secure protocol and the use of cryptographic keys.
 Authentication may be performed by the NAS, or the NAS may mediate the authentication process. In
the latter case, authentication takes place between the supplicant and an authentication server that is
part of the policy server or that is accessed by the policy server.
 The authentication process serves a number of purposes. It verifies a supplicant’s claimed identity,
which enables the policy server to determine what access privileges, if any, the AR may have.
 The authentication exchange may result in the establishment of session keys to enable future secure
communication between the supplicant and resources on the enterprise network.
 Typically, the policy server or a supporting server will perform checks on the AR to determine if it
should be permitted interactive remote access connectivity.
 These checks—sometimes called health, suitability, screening, or assessment checks—require
software on the user’s system to verify compliance with certain requirements from the organization’s
secure configuration baseline.

Network Access Enforcement Methods


Enforcement methods are the actions that are applied to ARs to regulate access to the enterprise network.
20
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE
 IEEE 802.1X: enforces authorization before a port is assigned an IP address. IEEE 802.1X makes use
of the Extensible Authentication Protocol for the authentication process.
 Virtual local area networks (VLANs): the enterprise network, consisting of an interconnected set of
LANs, is segmented logically into a number of virtual LANs. The NAC system decides to which of
the network’s VLANs it will direct an AR.
 Firewall: allow or deny network traffic between an enterprise host and an external user.
 DHCP management: DHCP enables dynamic allocation of IP addresses to hosts. A DHCP server
intercepts DHCP requests and assigns IP addresses. Thus, NAC enforcement occurs at the IP layer
based on subnet and IP assignment.

Extensible Authentication Protocol

 The Extensible Authentication Protocol (EAP) acts as a framework for network access and
authentication protocols.
 EAP provides a set of protocol messages, encapsulate various authentication methods to be used
between a client and an authentication server.
 EAP can operate over a variety of network and link level facilities, including pointto-point links,
LANs, and other networks, and can accommodate the authentication needs of the various links and
networks.

Figure EAP Layered Context

EAP Authentication Method

21
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE
Numerous methods have been defined to work over EAP. The following are commonly supported
EAP methods:

• EAP-TLS (EAP Transport Layer Security): defines how the TLS protocol can be encapsulated in
EAP messages. It uses the handshake protocol in TLS.

• EAP-TTLS (EAP Tunneled TLS): like EAP-TLS, except only the server has a certificate to
authenticate itself to the client first. In EAP-TLS, a secure connection (the “tunnel”) is established with
secret keys.

• EAP-GPSK (EAP Generalized Pre-Shared Key): is an EAP method for mutual authentication and
session key derivation using a pre-shared key (PSK). It specifies an EAP method based on PSKs and
employs secret key based cryptographic algorithms.

• EAP-IKEv2: based on the Internet Key Exchange protocol ver.2 (IKEv2). It supports mutual
authentication and session key establishment using a variety of methods.

EAP Exchanges
The authentication information and authentication protocol information are carried in EAP
messages.

EAP Protocol Exchanges

22
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE
Figure indicates a typical arrangement in which EAP is used. The following components are involved:
 EAP peer: Client computer that is attempting to access a network.
 EAP authenticator: An access point or NAS that requires EAP authentication prior to granting
access to a network.
 Authentication server: A server computer that negotiates the use of a specific EAP method with an
EAP peer, validates the EAP peer’s credentials, and authorizes access to the network. Typically, the
authentication server is a Remote Authentication Dial-In User Service (RADIUS) server.
 The authentication server functions as a backend server that can authenticate peers as a service to a
number of EAP authenticators. The EAP authenticator then makes the decision of whether to grant
access. This is referred to as the EAP pass-through mode. Less commonly, the authenticator takes
over the role of the EAP server; that is, only two parties are involved in the EAP execution.
 As a first step, a lower-level protocol, such as PPP (point-to-point protocol) or IEEE 802.1X, is used
to connect to the EAP authenticator. The software entity in the EAP peer that operates at this level is
referred to as the supplicant. EAP messages containing the appropriate information for a chosen EAP
method are then exchanged between the EAP peer and the authentication server. EAP messages may
include the following fields:
 Code: Identifies the Type of EAP message. The codes are Request (1), Response (2), Success (3),
and Failure (4).
 Identifier: Used to match Responses with Requests.
 Length: Indicates the length, in octets, of the EAP message, including theCode, Identifier,
Length, and Data fields.
 Data: Contains information related to authentication. Typically, the Data field consists of a Type
subfield, indicating the type of data carried, and a Type-Data field.

The Success and Failure messages do not include a Data field. The EAP authentication exchange
proceeds as follows. After a lower-level exchange that established the need for an EAP exchange, the
authenticator sends a Request to the peer to request an identity, and the peer sends a Response with the
identity information. This is followed by a sequence of Requests by the authenticator and Responses by
the peer for the exchange of authentication information. The information exchanged and the number of
Request–Response exchanges needed depend on the authentication method. The conversation continues
until either
23
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE
(1) The authenticator determines that it cannot authenticate the peer and transmits an EAP Failure or

(2) The authenticator determines that successful authentication has occurred and transmits an EAP
Success.

EAP Message Flow in Pass-Through Mode


 Figure shows an example of an EAP exchange. Not shown in the figure is a message or signal sent
from the EAP peer to the authenticator using some protocol other than EAP and requesting an EAP
exchange to grant network access. One protocol used for this purpose is IEEE 802.1X, discussed in
the next section.
 The first pair of EAP Request and Response messages is of Type identity, in which the authenticator
requests the peer’s identity, and the peer returns its claimed identity in the Response message. This
Response is passed through the authenticator to the authentication server. Subsequent EAP messages
are exchanged between the peer and the authentication server.
IEEE 802.1X Port-Based Network Access Control
 IEEE 802.1X Port-Based Network Access Control was designed to provide access control
functions for LANs. Table 16.1 briefly defines key terms used in the IEEE 802.11 standard.
The terms
 Supplicant
 Network access point

24
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE
 Authentication

Table Terminology Related to IEEE 802.1X


 EAPOL (EAP over LAN) protocol operates at the network layers and makes use of an IEEE 802
LAN (Wifi or Ethernet), at the link layer.
 EAPOL enables a supplicant to communicate with an authenticator and support the exchange of
EAP packets for authentication.

Figure Shows 802.1X Access Control


25
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE

802.1X uses the concepts of controlled and uncontrolled ports. Ports are logical entities defined
within the authenticator and refer to physical network connections. Each logical port is mapped to
one of these two types of physical ports.

 An uncontrolled port
 A controlled port

1. An uncontrolled port allows the exchange of protocol data units (PDUs) between the
supplicant and the AS, regardless of the authentication state of the supplicant.

2. A controlled port allows the exchange of PDUs between a supplicant and other systems on the
network only if the current state of the supplicant authorizes such an exchange.

The essential element defined in 802.1X is a protocol known as EAPOL (EAP over LAN).
EAPOL operates at the network layers and makes use of an IEEE 802 LAN, such as Ethernet or
Wi-Fi, at the link level. EAPOL enables a supplicant to communicate with an authenticator and
supports the exchange of EAP packets for authentication.

Table Shows Common EAPOL Frame Types


 By sending an EAPOL-Start packet to a special group-multicast address reserved for IEEE 802.1X
authenticators, a supplicant can determine whether an authenticator is present and let it know that the
supplicant is ready. In many cases, the authenticator will already be notified that a new device has
connected from some hardware notification.
 For example, a hub knows that a cable is plugged in before the device sends any data. In this case the
authenticator may preempt the Start message with its own message. In either case the authenticator
sends an EAP-Request Identity message encapsulated in an EAPOL-EAP packet.
26
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE
 The EAPOL-EAP is the EAPOL frame type used for transporting EAP packets. The authenticator
uses the EAP-Key packet to send cryptographic keys to the supplicant once it has decided to admit it
to the network. The EAP-Logoff packet type indicates that the supplicant wishes to be disconnected
from the network.

The EAPOL packet format includes the following fields:


1. Protocol version: version of EAPOL.
2. Packet type: indicates start, EAP, key, logoff, etc.
3. Packet body length: If the packet includes a body, this field indicates the body length.
4. Packet body: The payload for this EAPOL packet. An example is an EAP packet.

Figure Shows Example Timing Diagram for IEEE 802.1X

Cloud Security

27
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE
 Definition of Cloud Computing
Cloud computing: A model for enabling ubiquitous, convenient, on-demand network access to a
shared pool of configurable computing resources (e.g., networks,servers, storage, applications, and
services) that can be rapidly provisioned and released with minimal management effort or service
provider interaction. This cloud model promotes availability and is composed of five essential
characteristics, three service models, and four deployment models.
 Cloud Computing Elements
Cloud Computing Characteristics
• Resources related to some aspects, such as storage, processing, memory, network bandwidth, and
virtual machine.
• Broad network access - available over the network and accessed through standard mechanisms, use
by client platforms or other cloud-based services.
• Rapid elasticity - ability to expand and reduce resources according to specific requirements.
• Measured service - control and optimize resource suitable to the appropriate type of service.
Resource usage can be monitored, controlled, reported, provide clearly utilized service.
• On-demand self-service - ability to provision resource capabilities automatically, no need human
interaction. The resource is temporary in IT infrastructure.
• Resource pooling - ability to serve multiple consumers using a multi-tenant model, with different
physical and virtual resources, dynamically assigned and reassigned base on consumer demand

28
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE

Cloud Computing Elements


Cloud Computing Service Models
1. Software as a Service (SaaS) - the capability allows consumer to use the provider’s application
running on a cloud infrastructure. The applications are accessible from various client devices by just a
thin client interface (Web browser). SaaS saves the complexity of software installation, maintenance,
upgrades, patches.
2. Platform as a Service (PaaS) - the capability allows consumer to deploy onto the cloud
infrastructure consumer or acquired applications - created. Also, PaaS provides middleware-style
services , such as database and component services use by apps. PaaS is such like an operating system
in the cloud.
3. Infrastructure as a Service (IaaS) - the capability allows consumer to provision processing,
storage, networks, and other computing resources that is used to deploy and run various software. IaaS
enables customers to combine basic computing services to build highly adaptable computer systems.
Cloud Computing Deployment Models
• Public cloud - available to the general public or a large industry group, is owned by an organization
selling cloud services. The cloud provider (CP) is responsible for cloud infrastructure and for control data
and operations within cloud.

29
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE
• Private cloud - operated solely for an organization, managed by organization or a third party. The CP is
responsible only for the infrastructure.

• Community cloud - shared by several organizations and supports a specific community shared specific
concerns (mission, policy, security …), managed by the organization or a third party.

• Hybrid cloud - is a composition of two or more clouds remain unique entities but are bound together by
standardized or proprietary technology that enables data and application portability (e.g., cloud bursting
for load balancing between clouds).

Figure Shows Cloud Computing Context


Figure illustrates the typical cloud service context. An enterprise maintains workstations within an
enterprise LAN or set of LANs, which are connected by a router through a network or the Internet to the
cloud service provider. The cloud service provider maintains a massive collection of servers, which it
manages with a variety of network management, redundancy, and security tools. In the figure, the cloud
infrastructure is shown as a collection of blade servers, which is a common architecture.

Cloud Computing Reference Architecture


The NIST cloud computing reference architecture focuses on the requirements of “what” cloud services
provide, not a “how to” design solution and implementation. The reference architecture is intended to
facilitate the understanding of the operational intricacies in cloud computing. It does not represent the

30
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE
system architecture of a specific cloud computing system; instead it is a tool for describing, discussing,
and developing a system-specific architecture using a common framework of reference.

Figure NIST Cloud Computing Reference Architecture


NIST developed the reference architecture with the following objectives in mind: to illustrate and
understand the various cloud services in the context of an over all cloud computing conceptual model to
provide a technical reference for consumers to understand, discuss, categorize, and compare cloud
services to facilitate the analysis of candidate standards for security, interoperability and portability and
reference implementations.
The reference architecture, depicted in Figure, defines five major actors in terms of the roles and
responsibilities:

• Cloud consumer - a person or organization maintains a business relationship with, and uses service
from, cloud providers.
• Cloud provider - a person, organization, or entity responsible for making a service available to
interested parties.
• Cloud auditor - a party conducts independent assessment of cloud services, info. system operations,
performance, and security of cloud implementation.
• Cloud broker - an entity manages the use, performance, and delivery of cloud services, and
negotiates relationships between CP and consumers.
• Cloud carrier - an intermediary provides connectivity and transport of cloud services from CPs to
consumers.

Cloud Security Risks and Countermeasures


The following as the top cloud- specific security threats, together with suggested countermeasures:
31
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE
• Abuse and nefarious use of cloud computing - The easy of register and use cloud service leads to
high risks from attackers inside the cloud, such as spamming, malicious code attacks, or DOS attack.

Countermeasures: (1) stricter initial registration and validation processes, (2) enhance credit card fraud
monitoring and coordination, (3) comprehensive introspection of customer network traffic, (4)
monitoring public blacklists for one’s network blocks.

• Insecure interfaces and APIs - CPs expose a set of software interfaces or APIs customers use to
manage and interact with cloud services. From authentication and access control, these interfaces need
to be resisted against accidental and malicious attempts.
Countermeasure: (1) analyzing the security model of CP interfaces, (2) ensuring that strong
authentication and access control are implemented with encrypted transmission, (3) understanding the
dependency chain associated with the API.
• Malicious insiders – risk of malicious insider activity. Cloud architectures necessitate roles that
extremely high risk.
Countermeasures: (1) enforce strict supply chain management and conduct a comprehensive supplier
assessment, (2) specify human resource requirements as part of legal contract, (3) require transparency
into overall infor. security and management practices, and compliance reporting, (4) determine security
breach notification processes.
• Shared technology issues: IaaS vendors deliver services by sharing infrastructure which is not strong
enough in isolation properties for a multi-tenant architecture.
Countermeasures: implement security best practices for installation/ configuration, (2) monitor
environment for unauthorized changes/ activity, (3) promote strong authentication and access control for
administrative access and operation.
• Data loss and leakage - for clients. The most devastating from security breach is the loss or leakage of
data.

Counter measures: (1) implement strong API access control, (2) encrypt, protect integrity of data in
transit, (3) analyze data protection at design and run-time, (4) implement strong keys generation, ,
storage and management, destruction practices.

• Account or service hijacking - usually with stolen credentials, attackers can access critical areas of
cloud services, allowing to compromise the confidentiality, integrity, and availability (CIA).

32
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE
Countermeasures: (1) prohibit the sharing of account credentials between users and services, (2)
leverage strong two-factor authentication techniques, (3) employ proactive monitoring to detect
unauthorized activity, (4) understand CP security policies and SLAs.

Data Protection in the Cloud


Two database service models:

1. Multi-instance model: Each subscriber gets a unique DBMS on a VM. Subscriber has complete
control over role definition, user authorization, and other administrative tasks related to security

2. Multi-tenant model: Subscriber shares a predefined environment with other tenants, typically by
tagging data with a subscriber identifier.CSP needs to establish and maintain a sound secure database
environment.

33
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE

34
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE

 Data owner: An organization that produces data to be made available for controlled release,
either within the organization or to external users.
 User: Human entity that presents requests (queries) to the system. The user could be an employee
of the organization who is granted access to the database via the server, or a user external to the
organization who, after authentication, is granted access.
 Client: Frontend that transforms user queries into queries on the encrypted data stored on the
server.
 Server: An organization that receives the encrypted data from a data owner and makes them
available for distribution to clients. The server could in fact be owned by the data owner but, more
typically, is a facility owned and maintained by an external provider.
For our discussion, the server is a cloud server. In relational database parlance, the basic building
block is a relation, which is a flat table. Rows are referred to as tuples, and columns are referred to as
attributes. A primary key is defined to be a portion of a row used to uniquely identify a row in a
table; the primary key consists of one or more column names.
 A user at the client can retrieve a record from the database with the following sequence:

 The user issues a query for fields from one or more records with a specific value of the primary
key.
 The query processor at the client encrypts the primary key, modifies the query accordingly, and
transmits the query to the server.
 The server processes the query using the encrypted value of the primary key and returns the
appropriate record or records.
 The query processor decrypts the data and returns the results.

35
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE

Cloud Security as a Service (SecaaS)

 SecaaS is a segment of the SaaS, meant a package of security services offered by a service
provider that offloads much of the security responsibility from an enterprise to the security
service provider.
 The services: authentication, antivirus, antimalware-spyware, intrusion detection, security
event management.
 SecaaS categories:
1. Identity and access management
2. Data loss prevention
3. Web security
4. E-mail security
5. Security assessments
6. Intrusion management
7. Security information and event management
8. Encryption
9. Business continuity and disaster recovery
10. Network security

36
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE

• Identify and access management - people, processes, and systems. Used to manage access to
enterprise resources, assure the identity is verified, and grants correct level to access. It involves
authentication and access control services.
• Data loss prevention - monitoring, protecting, and verifying the data, implemented by cloud client,
make rules about what functions can be performed on data.
• Web security - real-time protection offered through software/appliance installation or the cloud by
proxying or redirecting web traffic to the CP. Antivirus, antimalware, usage policy enforcement, data
backup, traffic control, web access control within it.
• Email security - provides control over inbound and outbound email, protects from phishing, malicious
attachments, offers corporate policies, spam prevention, digital signatures and email encryption.
• Security assessments - third part audits of cloud services, provides tools and access points to facilitate
assessment activities.
• Intrusion management - intrusion detection, prevention, and response, the core is intrusion detection
systems (IDSs) and intrusion prevention systems (IPSs). IDS detect unauthorized accesses to host
system, while IPS blocks traffic from intruders.
• Security info. and event management - aggregates log and event data from virtual and real networks,
applications, and systems, provides real-time reporting and info./event alarming.

37
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE
• Encryption - provides for data, as email traffic, client-specific network management info, and
identifies info. Involves key management, application encryption, and data content access.
• Business continuity and disaster recovery - measures and mechanisms to ensure operational
resiliency in the events or service interruptions. Includes flexible infrastructure, redundancy of
functions and hardware, monitored operations, geographically distributed data centers, and network
survivability.
• Network security - security services that allocate access, distribute, monitor, and protect resource
services. Includes perimeter, server firewalls, DOS protection, in the network security service.

Web Security
Write short notes about Web security
 The World Wide Web is fundamentally a client/server application running over the Internet and
TCP/IP intranets.
 A number of approaches to providing Web security are possible. The various approaches that have
been considered are similar in the services they provide and, to some extent, in the mechanisms that
they use, but they differ with respect to their scope of applicability and their relative location within
the TCP/ IP protocol stack.
 Secure socket layer (SSL) provides security services between TCP and applications that use TCP.
The Internet standard version is called transport layer service (TLS).
 SSL/TLS provides confidentiality using symmetric encryption and message integrity using a message
authentication code.
 SSL/TLS includes protocol mechanisms to enable two TCP users to determine the security
mechanisms and services they will use.
 Secure electronic transaction (SET) is an open encryption and security specification designed to
protect credit card transactions on the Internet.

Secure Socket Layer and Transport Layer Security

 Two important SSL concepts are the SSL session and the SSL connection, which are defined in the
specification as follows:
 Connection: Transport to provide the service between client and server

38
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE

 A connection is a transport (in the OSI layering model definition) that provides a suitable type of
service. For SSL, such connections are peer-to-peer relationships. The connections are transient.
Every connection is associated with one session.
 Session: Association between client and server.
 An SSL session is an association between a client and a server. Sessions are created by the
Handshake Protocol. Sessions define a set of cryptographic security parameters, which can be
shared among multiple connections. Sessions are used to avoid the expensive negotiation of new
security parameters for each connection.

A session state is defined by the following parameters

Session identifier: An arbitrary byte sequence chosen by the server to identify an active or resumable
session state.

Peer certificate: An X509.v3 certificate of the peer. This element of the state may be null.

Compression method: The algorithm used to compress data prior to encryption.

Cipher spec: Specifies the bulk data encryption algorithm (such as null, AES, etc.) and a hash
algorithm (such as MD5 or SHA-1) used for MAC calculation. It also defines cryptographic attributes
such as the hash size.

Master secret: 48-byte secret key shared between the client and server.

Is resumable: A flag indicating whether the session can be used to initiate new connections. A
connection state is defined by the following parameters:

Server and client random: Byte sequences that are chosen by the server and client for each connection.

Server write MAC secret: The secret key used in MAC operations on data sent by the server.

Client write MAC secret: The secret key used in MAC operations on data sent by the client.

Server write key: The conventional encryption key for data encrypted by the server and decrypted by
the client.

Client write key: The conventional encryption key for data encrypted by the client and decrypted by
the server.
39
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE
Initialization vectors: When a block cipher in CBC mode is used, an initialization vector (IV) is
maintained for each key. This field is first initialized by the SSL Handshake Protocol. Thereafter the
final ciphertext block from each record is preserved for use as the IV with the following record.

Sequence numbers: Each party maintains separate sequence numbers for transmitted and received
messages for each connection.

SSL Architecture

SSL is designed to make use of TCP to provide a reliable end-to-end secure service. SSL is not a single
protocol but rather two layers of protocols.

The SSL Record Protocol provides basic security services to various higher-layer protocols. In
particular, the Hypertext Transfer Protocol (HTTP), which provides the transfer service for Web
client/server interaction, can operate on top of SSL. Three higher-layer protocols are defined as part of
SSL: the Handshake Protocol, The Change Cipher Spec Protocol, and the Alert Protocol. These SSL-
specific protocols are used in the management of SSL exchanges and are examined later in this section.

SSL Record Protocol:The SSL Record Protocol provides two services for SSL connections:
Confidentiality: The Handshake Protocol defines a shared secret key that is used for conventional
encryption of SSL payloads.
Message Integrity: The Handshake Protocol also defines a shared secret key that is used to form a
message authentication code (MAC).
40
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE
Fig. indicates the overall operation of the SSL Record Protocol.

The Record Protocol takes an application message to be transmitted, fragments the data into
manageable blocks, optionally compresses the data, applies a MAC, encrypts, adds a header, and
transmits the resulting unit in a TCP segment.
Received data are decrypted, verified, decompressed, and reassembled and then delivered to higher-level
users.
The final step of SSL Record Protocol processing is to prepend a header, consisting of the following
fields:
● Content Type (8 bits): The higher layer protocol used to process the enclosed fragment.
● Major Version (8 bits): Indicates major version of SSL in use. For SSLv3, the value is 3.
● Minor Version (8 bits): Indicates minor version in use. For SSLv3, the value is 0.
● Compressed Length (16 bits): The length in bytes of the plaintext fragment (or compressed
fragment if compression is used). The maximum value is 2 powers
● Minor Version (8 bits): Indicates minor version in use. For SSLv3, the value is 0.
● Compressed Length (16 bits): The length in bytes of the plaintext fragment (or compressed
fragment if compression is used). The maximum value is 2 power 14 + 2048.

41
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE

 The next step in processing is to compute a message authentication code over the compressed
data.
 For this purpose, a shared secret key is used. The calculation is defined as

Change Cipher Spec Protocol

 The Change Cipher Spec Protocol is one of the three SSL-specific protocols that use the SSL Record
Protocol, and it is the simplest.
 This protocol consists of a single message fig below, which consists of a single byte with the value 1.
The sole purpose of this message is to cause the pending state to be copied into the current state,
which updates the cipher suite to be used on this connection.

Handshake Protocol
The Handshake Protocol consists of a series of messages exchanged by client and server. Each
message has three fields:
Type (1 byte): Indicates one of 10 messages.
Length (3 bytes): The length of the message in bytes.

42
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE
Content (0 bytes): The parameters associated with this message; these are listed in below table.

The initial exchange needed to establish a logical connection between client and server. The exchange
can be viewed as having four phases.

Alert Protocol
 The Alert Protocol is used to convey SSL-related alerts to the peer entity. As with other applications
that use SSL, alert messages are compressed and encrypted, as specified by the current state.
 Each message in this protocol consists of two bytes.
 The first byte takes the value warning (1) or fatal (2) to convey the severity of the message.

43
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE
 If the level is fatal, SSL immediately terminates the connection. Other connections on the same
session may continue, but no new connections on this session may be established.
 The second byte contains a code that indicates the specific alert. First, we list those alerts that are
always fatal (definitions from the SSL specification):
 Unexpected message: An inappropriate message was received.
 bad_record_mac: An incorrect MAC was received.
 decompression_failure: The decompression function received improper input (e.g.,unable to
decompress or decompress to greater than maximum allowable length).
 handshake_failure: Sender was unable to negotiate an acceptable set of security parameters given
the options available.
 illegal_parameter: A field in a handshake message was out of range or inconsistent with other
fields.
 The remainder of the alerts are the following:

●close notify: Notifies the recipient that the sender will not send any more messages on this connection.
Each party is required to send a close notify alert before closing the write side of a connection.
●no_certificate: May be sent in response to a certificate request if no appropriate certificate is available.
● bad_certificate: A received certificate was corrupt (e.g., contained a signature that did not verify).
● unsupported_certificate: The type of the received certificate is not supported.
● certificate_revoked: A certificate has been revoked by its signer.
● certificate_expired: A certificate has expired.
● certificate_unknown: Some other unspecified issue arose in processing the certificate, rendering it
unacceptable.
Public-Key Infrastructure
 public-key infrastructure (PKI) as the set of hardware, software, people, policies, and procedures
needed to create, manage, store, distribute, and revoke digital certificates basedon asymmetric
cryptography.
 The principal objective for developing a PKI is to enable secure, convenient, and efficient acquisition
of public keys.
 The Elements of PKI Model:

44
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE
End entity: A generic term used to denote end users, devices (e.g., servers, routers), or any other entity
that can be identified in the subject field of a public key certificate. End entities typically consume and/or
support PKI-related services.
Certification authority (CA): The issuer of certificates and (usually) certificate revocation lists (CRLs).
It may also support a variety of administrative functions, although these are often delegated to one or
more Registration Authorities.
Registration authority (RA): An optional component that can assume a number of administrative
functions from the CA. The RA is often associated with the End Entity registration process, but can assist
in a number of other areas as well.
CRL issuer: An optional component that a CA can delegate to publish CRLs.
Repository: A generic term used to denote any method for storing certificates and CRLs so that they can
be retrieved by End Entities.
PKI Architectural Model

 Registration: This is the process whereby a user first makes itself known to a CA (directly, or
through an RA), prior to that CA issuing a certificate or certificates for that user. Registration begins
the process of enrolling in a PKI.
 Initialization: Before a client system can operate securely, it is necessary to install key materials that
have the appropriate relationship with keys stored elsewhere in the infrastructure.
 Certification: This is the process in which a CA issues a certificate for a user's public key, and returns
that certificate to the user's client system and/or posts that certificate in a repository.
 Key pair recovery: Key pairs can be used to support digital signature creation and verification
encryption and decryption, or both.
45
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE
 Key pair update: All key pairs need to be updated regularly (i.e., replaced with a new key pair) and
new certificates issued. Update is required when the certificate lifetime expires and as a result of
certificate revocation.
 Revocation request: An authorized person advises a CA of an abnormal situation requiring
certificate revocation. Reasons for revocation include private key compromise, change in affiliation,
and name change.
 Cross certification: Two CAs exchange information used in establishing a cross-certificate. A cross-
certificate is a certificate issued by one CA to another CA that contains a CA signature key used for
issuing certificates.

Wireless Security
Some of the key factors contributing to the higher security risk of wireless networks compared to
wired networks include the following:

Channel: Wireless networking typically involves broadcast communications, which is far more
susceptible to eavesdropping and jamming than wired networks. Wireless networks are also more
vulnerable to active attacks that exploit vulnerabilities in communications protocols.

Mobility: Wireless devices are, in principal and usually in practice, far more portable and mobile than
wired devices. This mobility results in a number of risks, described subsequently.

Resources: Some wireless devices, such as smartphones and tablets, have sophisticated operating
systems but limited memory and processing resources with which to counter threats, including denial of
service and malware.

Accessibility: Some wireless devices, such as sensors and robots, may be left unattended in remote
and/or hostile locations. This greatly increases their vulnerability to physical attacks.

Wireless Networking Components


46
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE

In simple terms, the wireless environment consists of three components that provide point of attack
(Figure). The wireless client can be a cell phone, a Wi-Fi–enabled laptop or tablet, a wireless sensor, a
Bluetooth device, and so on. The wireless access point provides a connection to the network or service.
Examples of access points are cell towers, Wi-Fi hotspots, and wireless access points to wired local or
wide area networks. The transmission medium, which carries the radio waves for data transfer, is also a
source of vulnerability.

Wireless Network Threats


1. Accidental Association: Overlapping networks ⇒ unintentionally connect to neighbors
2. Malicious Association: Malicious access points (Free public WiFi) can steal passwords
3. Ad-Hoc Networks: Two computers can exchange data
4. Non traditional Networks: Bluetooth can be used to eavesdrop
5. MAC Spoofing: Change MAC address to match a privileged computer
6. Man-In-The-Middle Attacks: Using rogue access point between the user and the real access point
7. Denial of Service (DoS): Keep the media busy
8. Network Injection: Spoof routing/management messages.

Wireless Security Measures


wireless security measures into those dealing with wireless transmissions, wireless access points, and
wireless networks (consisting of wireless routers and endpoints).

SECURING WIRELESS TRANSMISSIONS The principal threats to wireless transmission are


eavesdropping, altering or inserting messages, and disruption. To deal with eavesdropping, two types of
countermeasures are appropriate:

Signal-hiding techniques: Organizations can take a number of measures to make it more difficult for an
attacker to locate their wireless access points, including turning off service set identifier (SSID)
broadcasting by wireless access points; assigning cryptic names to SSIDs;

47
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE
reducing signal strength to the lowest level that still provides requisite coverage; and locating wireless
access points in the interior of the building, away from windows and exterior walls. Greater security can
be achieved by the use of directional antennas and of signal-shielding techniques.

Encryption: Encryption of all wireless transmission is effective against eavesdropping t o t h e


extent that the encryption keys are secured. The use of encryption and
authentication protocols is the standard method of countering attempts to
alter or insert transmissions.

SECURING WIRELESS ACCESS POINTS

 The main threat involving wireless access points is unauthorized access to the network. The principal
approach for preventing such access is the IEEE 802.1X standard for port-based network access
control.
 The standard provides an authentication mechanism for devices wishing to attach to a LAN or
wireless network. The use of 802.1X can prevent rogue access points and other unauthorized devices
from becoming insecure backdoors.

SECURING WIRELESS NETWORKS


It recommends the following techniques for wireless network security:
1. Use encryption. Wireless routers are typically equipped with built-in encryption mechanisms for
router-to-router traffic.

2. Use antivirus and antispyware software, and a firewall. These facilities should be enabled on all
wireless network endpoints.

3. Turn off identifier broadcasting. Wireless routers are typically configured to broadcast an identifying
signal so that any device within range can learn of the router’s existence. If a network is configured so
that authorized devices know the identity of routers, this capability can be disabled, so as to thwart
attackers.

4. Change the identifier on your router from the default. Again, this measure thwarts attackers who will
attempt to gain access to a wireless network using default router identifiers.

5. Change your router’s pre-set password for administration. This is another prudent step.

48
CB3491– Cryptography and cyber security (Regulation2021)
III Year / V Semester - CSE
6. Allow only specific computers to access your wireless network. A router can be configured to only
communicate with approved MAC addresses. Of course, MAC addresses can be spoofed, so this is just
one element of a security strategy.

49

You might also like