Professional Documents
Culture Documents
Unit 1
1.0 INTRODUCTION TO SECURITY
Computer security is a field of computer science concerned with the control of risks
related to computer use. It describes the methods of protecting the integrity of data
stored on a computer.In computer security the measures taken are focused on securing
individual computer hosts.
The following describe the general threats to the security of the distributed systems
Disclosure of information
1
Security In Computing
Contamination of information
Misuse of resources
In a distributed system, information flow must be controlled not only between users of
end-systems but also between end-systems. Depending on the prevailing security
policy information flow restrictions may be applied to the basis of classification of
data objects and end-systems, user clearances, etc.
Denial of service
Because of the wide range of services performed with the aid of computer systems,
denial of service may significantly affect the capability of a user organization to
2
Security In Computing
perform its functions and to fulfill its obligations. Detection and prevention of denial
of service must be considered as part of any security policy.
Authentication
Authentication is the process of proving the identity of a user of a system by
means of a set of credentials. Credentials are the required proof needed by the system
to validate the identity of the user. The user can be the actual customer, a process, or
even another system. A person is a validated through a credential. The identity is who
the person is. If a person has been validated through a credential, such as attaching a
name to a face, the name becomes a principal.
An authentication service is concerned with assuring that the communication
is authentic. In the case of a single message, such as warning or alarm signal, the
function of the authentication service is to assure the recipient that the message is
from the source that it claims to be from. In the case of an ongoing interaction, such
as the connection of a terminal to a host, two aspects are involved. First, at the time of
connection initiation, the service assures that the two entities are authentic, that is, that
each is the entity that it claims to be. Second, the service must assure that the
connection is not interfered with in such a way that a third party can masquerade as
one of the two legitimate parties for the purpose of unauthorized transmission or
reception.
Authorization
The process by which a user is given access to a system resource is known as
authorization. The authorization process is the check by the organization’s system to
see whether the user should be granted access to the user’s record. The user has
logged in to the system, but he still may not have the permission necessary from the
system to access the records.
When deploying a system, access to system resources should also be
mapped out. Security documents that detail the rights of individuals to specific
3
Security In Computing
resources must be developed. These documents must distinguish between the owners
and the users of resources as well as read, write, delete, and execute privileges.
Confidentiality
Integrity
During the transmission or storage of data, information can be corrupted or
changed, maliciously or otherwise, by a user. Validation is the process of ensuring
data integrity. When data has integrity, it means that the data has not been modified or
corrupted. One technique for ensuring data integrity is called data hashing.
4
Security In Computing
Non-repudiation
Access Control
Access control is the ability to limit and control the access to host systems and
applications links. To achieve this control, each entity trying to gain access must first
be identified, or authenticated. The goal of access control is to be able to specify and
restrict access to subjects and resources to those users and processes which have the
appropriate permission. Access control is implemented according to a policy that
defines methods for both authentication and authorization, and applies to a security
domain.
Availability
5
Security In Computing
6
Security In Computing
• Learn or make use of information from system, but does not affect system
resources.
• Intercept or read data without changing it.
• Goal of opponent is to obtain information that is being transmitted.
• This type of attack has been perpetrated against communication systems ever
since the invention of the electric telegraph.
• Two types of passive attacks are release of message contents and traffic
analysis (masking the content of message. e.g. Encryption).
• Difficult to detect, because no alteration of data. Normally done using
encryption.
Active Attacks
7
Security In Computing
Replay: Passive capture of data unit and its subsequence retransmission to produce
an unauthorized effect.
A hacker (also called a White Hat) is often someone who creates and modifies
computer software and computer hardware, including computer programming,
administration, and security-related items. A hacker is also someone who modifies
electronics, for example, ham radio transceivers, printers or even home sprinkler
systems to get extra functionality or performance. A hacker obtains advanced
knowledge of operating systems and programming languages. They may know the
holes within systems and the reasons for such holes. Hackers constantly seek further
8
Security In Computing
knowledge, freely share what they have discovered, and never, ever intentionally
damage data.
A cracker (also called a Black Hat) is a person who uses their skills with computers
and other technological items in a malicious or criminal manner. He breaks into or
otherwise violates the system integrity of remote machines, with malicious intent.
Crackers, having gained unauthorized access, destroy vital data, deny legitimate users
service, or basically cause problems for their targets. Usually a Black Hat is a person
who uses their knowledge of vulnerabilities and exploits for private gain, rather than
revealing them either to the general public or the manufacturer for correction.
Virus
In computer security technology, a virus is a self-replicating program that
spreads by inserting copies of itself into other executable code or documents. A virus
is a program that can copy itself and infect various parts of your computer, such as
documents, programs, and parts of your operating system. Most viruses attach
themselves to a file or part of your hard disk and then copy themselves to other places
within the operating system. Some viruses contain code that inflicts extra damage by
deleting files or lowering your security settings, inviting further attacks. Usually to
avoid detection, a virus disguises itself as a legitimate program that a user would not
normally suspect to be a virus. Viruses are designed to corrupt or delete date on the
hard disk, i.e. on the FAT (File Allocation Table).
9
Security In Computing
TYPES OF VIRUSES
System or Boot Sector Virus
System sectors are special areas on the disk containing programs that
are executed when we boot (start) the PC. Every disk (even if it only contains data)
has a system sector of some sort. System sector viruses infect executable code found
in certain system areas on a disk. There are boot-sector viruses, which infect only the
DOS boot sector, this kind of virus can prevent us from being able to boot the hard
disk. All common boot sector and MBR viruses are memory resident. System sector
viruses spread easily via floppy disk infections and, in some cases, by cross infecting
files which then drop system sector viruses when run on clean computers.
Macro Virus
These are the most common viruses striking computers today. While some can
be destructive, most just do annoying things, such as changing your word processing
documents into templates or randomly placing a word such as "Wazoo" throughout a
document. While these actions may not permanently damage data, they can hurt
10
Security In Computing
productivity. The reasons these viruses have become so widespread, and the reasons
they are so troublesome, are twofold: They are easy to write, and they exist in
programs created for sharing.
It is a program or code segment written in the internal macro language of an
application and attached to a document file (such as Word or Excel). It infects files
you might think of as data files. But, because they contain macro programs they can
be infected.
When a document or template containing the macro virus is opened in the
target application, the virus runs, does its damage and copies itself into other
documents. Continual use of the program results in the spread of the virus. Some
macros replicate, while others infect documents.
Stealth Viruses
These viruses are stealthy in nature and use various methods to hide
themselves to avoid detection. They sometimes remove themselves from the memory
temporarily to avoid detection and hide from virus scanners. Some can also redirect
the disk head to read another sector instead of the sector in which they reside. Some
stealth viruses conceal the increase in the length of the infected file and display the
original length by reducing the size by the same amount as that of that of the increase,
so as to avoid detection from scanners, making them difficult to detect.
Polymorphic Viruses
They are the most difficult viruses to detect. They have the ability to
mutate implying that they change the viral code known as the signature (A signature
is a characteristic byte-pattern that is part of a certain virus or family of viruses) each
time they spread or infect. Thus, anti-viruses which look for specific virus codes are
not able to detect such viruses. Just like regular encrypted viruses, a polymorphic
virus infects files with an encrypted copy of itself, which is decoded by a decryption
module. In the case of polymorphic viruses however, this decryption module is also
modified on each infection. A well-written polymorphic virus therefore has no parts
that stay the same on each infection, making it impossible to detect directly using
signatures.
11
Security In Computing
Examples
Brain virus
The first computer virus for Microsoft DOS was apparently written in 1986
and contains unencrypted text with the name, address, and telephone number of Brain
Computer Services, a store in Lahore, Pakistan. This virus infected the boot sector of
5¼ inch floppy diskettes with a 360 Kbyte capacity.
Pathogen Virus
The Pathogen virus counted the number of executable (e.g., *.EXE and *.COM)
files that it infected. When the virus had infected 32 files and an infected file was
executed between 17:00 and 18:00 on a Monday:
Worm
A worm is a self-replicating computer program. It uses a network to
send copies of itself to other nodes (computer terminals on the network) and it may do
so without any user intervention. A worm is self-contained and unlike a virus, it does
not need to be part of another program to propagate itself. They are often designed to
exploit the file transmission capabilities found on many computers.Worms always
harm the network (if only by consuming bandwidth), whereas viruses always infect or
corrupt files on a targeted computer.
12
Security In Computing
Trojan horse
A Trojan horse is a program that masquerades as another common
program in an attempt to receive information. It is a harmless-looking program
designed to trick you into thinking it is something you want, but which performs
harmful acts when it runs. It is typically received through downloads from the
Internet. Trojan horses do not spread by themselves like viruses and worms. In
practice, Trojan Horses in the wild often contain spying functions or backdoor
functions that allow a computer, to be remotely controlled from the network, creating
a zombie computer.
There are two common types of Trojan horses. One, is otherwise
useful software that has been corrupted by a cracker inserting malicious code that
executes while the program is used. Examples include various implementations of
weather alerting programs, computer clock setting software, and peer to peer file
sharing utilities. The other type is a standalone program that masquerades as
something else, like a game or image file, in order to trick the user into some
misdirected complicity that is needed to carry out the program's objectives.
The basic difference from computer viruses is: a Trojan horse is technically a
normal computer program and does not possess the means to spread itself. Originally
Trojan horses were not designed to spread themselves. They relied on fooling people
to allow the program to perform actions that they would otherwise not have
voluntarily performed. Trojans of recent times also contain functions and strategies
that enable their spreading. This moves them closer to the definition of computer
viruses, and it becomes difficult to clearly distinguish such mixed programs between
Trojan horses and viruses.
13
Security In Computing
Probably the most famous Trojan horse is a program called "back orifice"
which is an unsubtle play on words on Microsoft's Back Office suite of programs for
NT server. This program will allow anybody to have complete control over the
computer or server it occupies.
Logic Bomb
A logic bomb is a piece of code intentionally inserted into a software
system that will set off a malicious function when specified conditions are met. They
are viruses having a delayed payload, which is sometimes called a bomb. For
example, a virus might display a message on a specific day or wait until it has
infected a certain number of hosts. A logic bomb occurs when the user of a computer
takes an action that triggers the bomb.
14
Security In Computing
Unit 2
2.1 OS SECURITY
File systems often contain information that is highly valuable to their users. Protecting
this information against unauthorized usage is therefore a major concern of all file
systems. Various issues concerned with security and protection are given below:
The terms Security and Protection are often used interchangeably. Security refers to
the overall problem involved in preventing unauthorized reads or modifications,
which include technical, managerial, legal, and political issues. Protection refers to
the specific operating system mechanisms used to safeguard information in the
computer.
The two important facets of Security are Data Loss and Intruders.
1. Passive Intruders who read files they are not authorized to read.
2. Active Intruders who make unauthorized changes to data.
15
Security In Computing
The greatest computer security violation began in the form of a worm program. A
WORM is a self replicating program that replicates itself in seconds on every machine
it could gain access to.
Viruses:
In addition to just infecting other programs, a virus can erase, modify, or encrypt files.
It is also possible for a virus to infect the hard disk’s boot sector, making it impossible
to boot the computer.
Virus problems are easier to prevent than to cure. The safest course is only to buy
shrink-wrapped software from respectable stores and to avoid uploading free software
from bulletin boards or getting pirated copies on floppy disk.
Viruses mostly occur on desktop systems. On larger systems other problems occur
and other methods are needed for dealing with them.
Some general principles that can be used as a guide to designing secure systems have
been identified by Saltzer and Schroeder. They are:
16
Security In Computing
i. The system design should be public - Assuming that the intruder will not
know how the system works serves only to delude the designers.
ii. The default should be no access - Errors in which legitimate access is refused
will be reported much faster than errors in which unauthorized access is
allowed.
iii. Check for current authority - Many systems check for permission when a file
is opened, and not afterward. This means that a user who opens the file, and
keeps it open for weeks, will continue to have access, even if the owner has long
since changed the file protection.
iv. Give each process the least privilege possible - If an editor has only the access
the file to be edited, editors with Trojan horses will not be able to do much
damage.
vi. The Scheme chosen must be psychologically acceptable - If users feel that
protecting their files is too much work, they just will not do it.
The problem of identifying users when they log in is called user authentication.
Most authentication methods are based on identifying something the user knows,
something the user has, or something the user is.
Passwords:
The most widely used form of authentication is to require the user to type a password.
Password protection is easy to implement and easy to understand. Password
17
Security In Computing
protection is also easy to defeat. Guessing a user name and password combination
constitutes the break-in all the time virtually.
Some computers require users to change their passwords regularly, to limit the
damage done if a password leaks out. The most extreme form of this approach is the
One-Time Password. When one-time passwords are used, the user gets a book
containing a list of passwords. Each login uses the next password in the list. If an
intruder ever discovers a password, it won’t be of any good, since next time a
different password must be used. It is suggested that the user try to avoid losing the
password book.
Another variation is Challenge-Response. When this is used, the user
picks an algorithm when signing up as a user, for example 2x. When the user logs in,
the computer types an argument, say 7, in which case the user types 14. The algorithm
can be different on different days of the weeks, at different times, from different
terminals, and so on.
Physical Identification:
This approach checks whether the user has some item, normally a plastic card
with a magnetic stripe on it. The card is inserted into the terminal, which then checks
to see whose card is it. This method can be combined with a password, so a user can
only log in if he has the card and knows the password. Automated cash-dispensing
machines usually work this way. To measure physical characteristics that are hard to
forge is another method. For example, a fingerprint or a voiceprint reader in the
terminal could identify the user’s identity.
Another technique is Signature Analysis, where the user signs his name
with a special pen connected to the terminal, and the computer compares it to a known
specimen stored on line. Even better is not to compare the signature, but compare the
pen motions while writing it. A good forger may be able to copy the signature, but
will not have a clue as to the exact order in which the strokes were made.
In Finger Length Analysis, each terminal has a device similar to the palm.
The user inserts his hands into it, and the length of all his fingers is measured and
checked against the database.
2.2 PROTECTION MECHANISMS
Some of the detailed technical ways that are used in operating systems to protect files
and other things are discussed here. All these techniques clearly distinguish between
18
Security In Computing
policy and mechanism. POLICY involves whose data are to be protected from whom
and MECHANISM involves how the system enforces the policy.
A computer system contains many OBJECTS that need to be protected. These objects
can be hardware such as CPUs, memory segments, terminals, disk drives or printers
or they can be Software such as processes, files, data bases, or semaphores. Each
object has a unique name by which it is referenced and a set of operations that can be
carried out on it. READ and WRITE operations appropriate to a file; UP and DOWN
make sense on semaphore.
Protection mechanism is a way used to prohibit processes from
accessing objects that they are not authorized to access. This mechanism should also
restrict processes to a subset of the legal operations when that is needed. For example
process A may be entitled to read, but not write, file F.
A DOMAIN is a set of (object, rights) pairs. Each pair specifies an object and
some subset of the operations that can be performed on it. A RIGHT here means
permission to perform one of the operations.
File3[R]
File1[R] File4[RWX]
File2 [RW] File6[RWX]
Printer1[W]
Plotter2[W]
File5[RW]
The above figure depicts 3 domains, showing the objects in each domain and the
rights [Read, Write, execute] available on each object. Printer1 is in 2 domains at
the same time.
It is also possible for the same object to be in multiple domains, with different
rights in each domain. At every instant of time, each process runs in some
19
Security In Computing
Example:
In UNIX, the domain of a process is defined by its uid and gid. Given any (uid,
gid) combination, it is possible to make a complete list of objects (files, including
I/O devices represented by special files, etc) that can be accessed, and whether
they can be accessed for reading, writing, or executing. 2 processes with same
(uid, gid) combination will have access to exactly the same set of objects.
Processes with different (uid, gid) values will have access to a different set of
files, although there will be considerable overlap in most cases.
Each process in UNIX has 2 halves: the USER part and the
KERNEL part. When the process does a system call, it switches from the user part
to the kernel part. The kernel part has access to a different set of objects from the
user part. For example, the kernel can access all the pages in physical memory, the
entire disk, and all the other protected resources. Thus, a system call causes a
domain switch.
Protection Matrix:
This is used to know how the system keeps track of which object belongs to which
domain. Imagine a large matrix, with the rows being the domains and the columns
being the objects. Each box lists the rights, if any, that the domain contains for the
object.
The matrix for the first figure (3 protection domains) is shown below:
20
Security In Computing
Domai Object
n
1 Read Read
Write
Read
2 Read Write Read Write
Execute Write
Read
3 Write Write Write
Execut
e
Given this matrix and the current domain number, the system can tell if
an access to given object in a particular way from a specified domain is allowed.
Domain switching itself can be easily included in the matrix model by realizing that a
domain is itself an object, with the operation ENTERS. The figure below shows the
matrix of the above figure again, only now with the three domains as objects
themselves. Processes in domain 1 can switch to domain 2, but once there, they
cannot go back.
21
Security In Computing
Domai Object
n
Storing very large and sparse matrices are rarely done in practice. Most domains have
no access at all to most objects, so storing a big, empty matrix is a waste of disk
space. 2 methods used practically are storing the matrix by rows or by columns, and
then storing only the nonempty elements.
Storing by columns:
It consists of associating with each object an (ordered) list containing all the domains
that may access the object. This list is called the Access Control List or ACL. As
only the nonempty entries of the matrix are stored, the total storage required for all the
ACLs combined is much less than would be needed for the whole matrix.
The owner of an object can change its ACL at any time, thus making it easy
to prohibit accesses that were previously allowed. The only problem is that changing
the ACL will probably not affect any users who are currently using the object (e.g.,
have the files open).
22
Security In Computing
Storing by rows:
It is the slicing up the matrix by rows. Here, associated with each process is a list of
object that may be accessed, along with an indication of which operations are
permitted on each (its domain). This list is called a Capability List or C-lists, and the
individual items on it are called Capabilities.
Type RightsObject
O File R-- Pointer to File3
1 File RWX Pointer to File4
2 File RW- Pointer to File5
3 Printer -W- Pointer to Printer1
C-lists are themselves objects, and may be pointed from other C-lists, thus facilitating
sharing of sub domains. Capabilities are often referred to by their position in the
capability list. C-lists must be protected from user tampering. 3 methods have been
proposed to protect them:
1. The first way requires a tagged architecture, a hardware design in which each
memory word has an extra (or tag) bit that tells whether the word contains a capability
or not. The tag bit is not used by arithmetic, comparison, or similar ordinary
instructions and it can be modified only by programs running in the kernel mode (i.e.,
the operating system).
23
Security In Computing
2. The second way is to keep the C-list inside the operating system, and just have
processes refer to capabilities by their slot number.
3. The third way is to keep the C-list in user space, but encrypt each capability with a
secret key unknown to the user. This approach is particularly suited to distributed
systems.
In addition to the specific object-dependent rights, such as read and execute,
capabilities usually have generic rights which are applicable to all objects. Examples
of generic rights are:
24
Security In Computing
Protection matrices are not static. They frequently change as new objects are created,
old objects are destroyed, and owners decide to increase or restrict the set of users for
their objects.
There are 6 primitive operations on the protection matrix that can be
used as a base to model any protection system. These operations are: CREATE
OBJECT, DELETE OBJECT, CREATE DOMAIN, DELETE DOMAIN, INSERT
RIGHT, and REMOVE RIGHT. The 2 latter primitives insert and remove rights from
specific matrix elements. These 6 primitives can be combined into protection
commands. User programs execute these protection commands to change the matrix.
They may not execute the primitives directly. At any instant, the matrix determines
what a process in any domain can do, not what it is authorized to do. The matrix is
what is enforced by the system; authorization has to do with management policy.
Example:
25
Security In Computing
Objects Objects
In the figure (a) the intended protection policy is seen: Henry can read and write
mailbox7, Robert can read and write secret, and all the 3 can read and execute
compiler.
If Robert found a way to issue commands and have the matrix changed to
figure (b); then he can access mailbox7, something he is not authorized to have. If he
tries to read it, the operating system will carry out his request because it does not
know that the state is an unauthorized one.
The set of all possible matrices can be partitioned into 2 disjoint sets:
a. The set of all authorized states, and
b. The set of all unauthorized states.
1. No process may read any object whose level is higher that its own, but it may
freely read objects at a lower level or at its own level. A secret process may
read confidential objects, but not top secret ones.
2. No process may write information into any object whose level is lower than its
own. A secret process may write in a top secret file but not in a confidential
one.
26
Security In Computing
To make formal models for protection systems is much futile. Even in a system that
has been rigorously proven to be absolutely secure, leaking information between
processes that in theory cannot communicate at all is relatively straightforward.
Client
Encapsulated
Server server
Collaborator
Covert
Channel
Kernel Kernel
The object here is to design a system in which it is impossible for the server to leak to
the collaborator the information that it has legitimately received from the client.
Lampson called this the confinement problem.
27
Security In Computing
For example, the server can try to communicate a binary bit stream as
follows. To send a 1 bit, it computes as hard as it can for a fixed interval of time. To
send a 0 bit, it goes to sleep for the same length of time. The collaborator can try to
detect the bit stream by carefully monitoring its response time. In general, it will get
better response time when the server is sending a 1. This communication channel is
known as a covert channel.
Modulating the CPU usage is not only the covert channel. The paging
rate can also be modulated (many page faults for a 1, no page faults for a 0). Almost
any way of degrading system performance in a clocked way is a candidate. If the
system provides a way of locking files, then the server can lock some file to indicate a
1, and unlock it to indicate a 0. It may be possible to detect the status of a lock even
on a file that cannot be accessed.
Acquiring and releasing dedicated resources (tape drives, plotters, etc) can
also be used for signaling. The server acquires the resource to send a 1 and releases it
to send a 0. But, even finding all the covert channels, let alone blocking them, is
extremely difficult.
One of the features of the Criteria that are required of a secure system is the
enforcement of discretionary access control (DAC). DAC is a means of restricting
28
Security In Computing
access to objects based on the identity of subjects and/or groups to which they belong.
The controls are discretionary in the sense that a user or process given discretionary
access to information is capable of passing that information along to another subject.
The discretionary security control objective is: Security policies defined for systems
that are used to process classified or other sensitive information must include
provisions for the enforcement of discretionary access control rules. That is, they must
include a consistent set of rules for controlling and limiting access based on identified
users who have been determined to have need-to-know for the information.
DEFINITIONS
29
Security In Computing
DAC controls are used to restrict a user's access to protected objects on the system.
The user may also be restricted to a subset of the possible access types available for
those protected objects. Access types are the operations a user may perform on a
particular object (e.g., read, write, execute). Typically, for each object, a particular
user or set of users has the authority to distribute and revoke access to that object.
Users may grant or rescind access to the objects they control based on "need to know"
or "whom do I like" or other rules. DAC mechanisms control access based entirely on
the identities of users and objects.
The identity of the users and objects is the key to discretionary access control. This
concept is relatively straightforward in that the access control matrix contains the
names of users on the rows and the names of objects on the columns. Regardless of
how the matrix is represented in memory, whether by rows or by columns, the names
of the users and objects must be used in the representation. For example, in a row-
based representation an entry might read the equivalent of “KIM can access
KIMSFILE and DONSFILE". In a column based representation, one might find the
equivalent of "DONSFILE can be accessed by DON, JOE and KIM".
Discretionary access control mechanisms restrict access to objects based solely on the
identity of subjects who are trying to access them. This basic principle of
discretionary access control contains a fundamental flaw that makes it vulnerable to
Trojan horses. On most systems, any program which runs on behalf of a user inherits
30
Security In Computing
the DAC access rights of that user. An example of the workings of a Trojan horse will
illustrate how most DAC mechanisms are vulnerable.
31
Security In Computing
mechanism in high threat environments. The Trojan horse threat can be reduced in
systems that implement many domains or dynamic small domains for each process. In
most systems today, with only user and supervisor domains, all of the user's objects
are available to a process running on that user's behalf. If domains were created
dynamically for each process, with only the necessary objects available, in that
domain (implementing the least privilege principle), then a Trojan horse would be
limited to accessing only those objects within the domain.
32
Security In Computing
2. Profiles
3. Access Control Lists (ACLs)
4. Protection Bits
5. Passwords
CAPABILITIES
A pure capability system includes the ability for users to pass the capability to other
users. Because this ability is not controlled and capabilities can be stored, determining
all the users who have access for a particular object generally is not possible. This
makes a complete DAC implementation, including revocation, very difficult.
(Revocation may not be an issue, however, since a user who has access to an object
can make a copy of the information in another object. Revoking the user's access on
the original object does not revoke access to the information contained in the user's
copy. After revocation, however, changes can be made to the original object without
the knowledge of revoked users.)
33
Security In Computing
Since capabilities implement dynamic domains they can ideally limit the objects
accessible to any program. This would limit a Trojan horse's access to only the
protected objects handed to it. At this time, few systems have been implemented with
capabilities and very few, if any, have attempted to implement a complete DAC
mechanism. Capabilities could be useful in enforcing the least privilege principle and
providing dynamically changeable domains, making discretionary access controls less
vulnerable to Trojan horse attacks.
PROFILES
Profiles which have been implemented in some form on several systems use a list of
protected objects associated with each user. Since object names are not consistent or
amenable to grouping, their size and number are difficult to reduce. If a user has
access to many protected objects, the profile can get very large and difficult to
manage. Also, all protected object names must be unique so full pathnames must be
used. Creating, deleting and changing access to protected objects requires many
operations since multiple users' profiles must be updated. Timely revocation of access
to an object is very difficult unless the user's profile is automatically checked each
time the object is accessed. Deleting an object may require some method of
determining every user who has the object in his profile. In general, with profiles as
with capabilities, answering the question of who has access to a protected object is
very difficult. Since this is usually an important question in a secure system and more
efficient mechanisms exist, profiles are not a recommended implementation of DAC.
ACCESS CONTROL LISTS (ACLs)
34
Security In Computing
be excluded or restricted in access rights. In the Apollo, if a user is not on the ACL by
user-id, but is a member of a group, those rights are used and organization and node
memberships are not examined. Multiple group mechanisms add more complexity
and may facilitate administrative control of a system, but do not affect the utility of a
DAC mechanism.
Access to ACLs should be protected just as other objects are protected. The creation
of groups must be controlled, since becoming a member of a group can change the
objects accessible to any member. In many systems, e.g., Multics, a user must be a
member of at least one group. One detriment of the group mechanism is that changing
the members of a group results in changes to an unknown set of ACLs for protected
objects. Allocation of groups could be a Systems Administrator function only, or it
could be distributed to a Project Administrator type function. Problems could result
from allowing any user to create a group and then be "owner'' of that group. If users
were prohibited from listing the members of groups they are not in because of covert
channels and privacy, it would be difficult to determine if a group was the correct one
to use. System or Project Administrator control is a preferred mechanism.
Wild Cards
A wild card mechanism allows a string replacement where the wild card is specified.
For example, in the Multics system ```PAYROL rw'' gives read and write access to
any user in the PAYROL group. ``Smith.* r'' gives Smith read access, no matter what
group the user Smith belongs to. ``*.*'' gives any user access. The group and wild
card mechanisms allow the ACL list to be kept to a reasonable size. The use of wild
cards raises the possibility of conflicts if a user has multiple ACL entries for an
object. In the above example, Smith has a possible conflict; as a member of any group
he can read and as a member of the PAYROL group he can read and write. The
system must make a decision as to which one of the ACL entries it will apply when
granting Smith access to the object. Various systems have different rules for resolving
conflicts. One approach might be to have the system enforce an ordering of the ACLs.
Another approach might be to allow ordering of the ACLs by the users. In any case,
the users must understand the rules in order to create effective ACL entries. A wild
card mechanism adds more complexity, but does not affect the utility of a DAC
mechanism.
35
Security In Computing
Default ACLs
There are many side issues in the implementation of access control lists. Default
ACLs are usually necessary for the user friendliness of the DAC mechanism. At the
very least, when an object is created by a user, the user should be placed on its ACL
by default. Some of the other possible default mechanisms include a system-wide
default, a user-associated default or if the file structure is a tree, a default associated
with the directory.
A system-wide default could be used as the default in cases where no other default
had been specified. A system-wide default might give access only to the creating user.
A user-associated default might work well on a system with a flat file structure. When
a user is first entered on the system, his default ACL would have to be specified. For
file structures that are trees, a default(s) associated with the directory could be most
efficient. If the user organizes the directory structure to represent project work or
areas of interest, then the ACLs for all objects in a sub -tree would be similar. One
default ACL in the directory would be for children that are files. For children that are
directories either a separate sub-directory default ACL should be specified or the
default ACLs should have to be stated explicitly by the user. Otherwise, unless care is
taken, those with access to the root sections of the storage hierarchy could by
automatic default get access to all of the storage hierarchy.
The overriding principle of least privilege implies that the use of defaults should not
inadvertently give away more access than the user intended. In other words, to err on
the conservative side is preferred. In all implementations some user(s) must have
permission to change the ACLs after they have been set by default, and the ability to
change the defaults is very useful. Defaults can be implemented in two ways: they can
be copied to the ACL or they can be pointed to by the ACL. If they are copied, then
changes to the default will not affect the ACL; otherwise, changes in the default may
cause changes in many ACLs.
Named ACLs
Another possible user friendly feature is "named" ACLs. One implementation of this
feature uses a named ACL as a template. If a user often sets ACLs to the same list of
36
Security In Computing
Users, the setting user may want to create a named ACL as a template which, when
used, copies that list into the ACL. When the named ACL is changed, there is no
effect on the ACLs already in existence. This use of named ACLs has no particular
detriments and is of limited usefulness. The other implementation of named ACLs
places a pointer in the real ACL to the named ACL. Now when the named ACL gets
changed, all of the real ACLs that use it also get changed. This is very convenient for
the user, but when a named ACL is changed the user has no way of determining all of
the protected objects affected by the change. The named ACLs also have to be
protected in the same way as the real ACLs. Most of the features of named ACLs can
be replaced by some group and default mechanisms.
Protection bits are an incomplete attempt to represent the access control matrix by
column. Implementation of protection bits includes systems such as UNIX which use
protection bits associated with objects instead of a list of users who may access an
object. In the UNIX case the protection bits indicate whether everyone, the object's
group or only the owner has any of the access modes to the protected object. The user
who created the object is the owner, and that can only be changed through superuser
privileges. The owner is the only one (besides a superuser) who can change protection
bits.
The problem with protection bits is that they are an incomplete implementation of the
access control matrix model. The system cannot conveniently allow or disallow
access to a protected object on any single user basis. It has been suggested that groups
be set up so that any needed combination of users can be specified. But, for more than
a few users, the combinatory of such a solution are unrealistic. Also, groups are
controlled by the system administrator, and such a scheme would require full-time
attention.
PASSWORD DAC MECHANISMS
37
Security In Computing
Password protection of objects attempts to represent the access control matrix by row.
If each user possessed his own password to each object, then the password is a ticket
to the object, similar to a capability system (except, of course, with no dynamic
domains). In most implementations of password protection, only one password per
object or one password per object per access mode exists. Passwords on protected
objects have been used in IBM's MVS and with other mechanisms in CDC's NOS to
implement DAC.
Many problems are associated with using a password protected DAC system. The use
of passwords prevents the TCB from controlling distribution of access permissions.
The sharing of passwords takes place outside the system. For a user to remember a
password for each protected object is virtually impossible and if the passwords are
stored in programs they are vulnerable. To restrict access to certain access modes
requires a password for each combination of access modes, but in most systems that
use passwords, access to a protected object is all or none. In such implementations,
revoking a user's access requires revoking access from all other users with similar
access and then distributing a new password to those who are to retain access. This
becomes almost impossible when passwords are stored in programs. To be secure,
passwords should be changed periodically, which is very difficult to do in such
password protected DAC systems.
In systems such as MVS the default access to a file is unrestricted access. A file is
protected only when the password protection is initiated for that file. Thus a new file
in MVS is not protected until the password protection mechanism is invoked. If
passwords are used as in the CDC NOS system to supplement another DAC
mechanism, they do have one positive aspect. If all objects are protected with
different passwords, Trojan horses can be restricted to only the objects that are handed
to them. The use of passwords for a complete DAC is strongly discouraged, because
there is no way to determine who has access to an object, and because managing such
a system properly is very difficult.
38
Security In Computing
Mandatory access control (MAC) involves aspects that the user cannot control (or is
not usually allowed to control). An example is that of a hardware address that cannot
be changed by a user. Under MAC, objects are tagged with labels representing the
sensitivity of the information contained within. MAC restricts access to objects based
on their sensitivity. Subject needs formal clearance (authorization) to access objects.
Authentication is performed by the system to be sure the user is really who they claim
to be. Authentication may be done at and for a local computer or at a global level for a
domain using domain controllers across the network.
Process of Logging On
39
Security In Computing
o User ticket - Used to get other Kerberos tickets for accessing other
domain resources.
4. The client decrypts the tickets and uses the session key to log on.
In the UNIX operating system environment, files and directories are organized in a
tree structure with specific access modes. The setting of these modes, through
permission bits (as octal digits), is the basis of UNIX system security. Permission bits
determine how users can access files and the type of access they are allowed. There
are three user access modes for all UNIX system files and directories: the owner, the
group, and others. Access to read, write and execute within each of the user types is
also controlled by permission bits.
Permission modes
40
Security In Computing
------------------------------------------------------------------
-------------------------------------------------------------------
r = read
w = write
x = execute
Each file (and directory) has associated access rights, which may be found
by typing ls -l. Also, ls -lg gives additional information as to which group
owns the file (beng95 in the following example):
41
Security In Computing
The 9 remaining symbols indicate the permissions, or access rights, and are taken as
three groups of 3.
• The left group of 3 gives the file permissions for the user that owns the file (or
directory) (ee51ab in the above example);
• The middle group gives the permissions for the group of people to whom the
file (or directory) belongs (eebeng95 in the above example);
• The rightmost group gives the permissions for all others.
• r (or -), indicates read permission (or otherwise), that is, the presence or
absence of permission to read and copy the file
• w (or -), indicates write permission (or otherwise), that is, the permission (or
otherwise) to change a file
• x (or -), indicates execution permission (or otherwise), that is, the permission
to execute a file, where appropriate
So, in order to read a file, you must have executed permission on the directory
containing that file, and hence on any directory containing those directories as a
subdirectory, and so on, up the tree.
Some examples
42
Security In Computing
-rwxrwxrwx a file that everyone can read, write and execute (and delete).
a file that only the owner can read and write - no-one else
-rw------- can read or write and no-one has execution rights (e.g. your
mailbox file).
Only the owner of a file can use chmod to change the permissions of a file. The
options of chmod are as follows
Symbol Meaning
u user
g group
o other
a all
r read
w write (and delete)
x execute (and access directory)
+ add permission
- take away permission
For example, to remove read write and execute permissions on the file biglist for
the group and others, type
43
Security In Computing
Unit 3
Definitions
44
Security In Computing
(source: www.PGPi.com):
At some earlier point in time the two correspondents, the sender and the recipient,
must have agreed on that key. If they are in different locations, they must trust a
courier or a phone system to transmit the secret key in a secure manner. Surely, this is
not very practical, particularly when many (new) parties are involved.
However, the major problem is the total number of keys involved. 2 correspondents
use 1 key, 3 use 3 keys, 4 use 6 keys, 5 use 10 keys, 100 use 4950 keys, 1000 use
499500 keys, etc. And each key must be stored in a secure manner. Key management
is enough of a difficult task that a name was invented for it: The Key Distribution
Problem. It is the reason why One-Key-Cryptography is not appropriate for today's
secure electronic data transfers between many parties involved.
45
Security In Computing
cryptosystem shall not be based on keeping the algorithm secret, but solely keeping
the key secret.
Private Key Cryptography means that the knowledge of the encoding key yields the
decoding key. Such Ciphers are therefore also called "Symmetric Ciphers". If a
Cipher only offers a small number of keys (i.e. the Caesar Cipher) it can be broken by
simply testing the possible keys. A huge number of keys assures the security of a
cipher
Private Key Cryptography provides "high-security" ciphers, however, their usage is
not practical because of the key distribution problem. It describes the difficulty of
exchanging and handling a large number of keys. I.e. 1000 correspondents have to
handle a total of 499500 keys. The number of keys increases with the square of the
number of correspondents.
(source: www.PGPi.com):
The primary benefit of public key cryptography is that it allows people who have no
preexisting security arrangement to exchange messages securely. The need for sender
and receiver to share secret keys via some secure channel is eliminated; all
46
Security In Computing
communications involve only public keys, and no private key is ever transmitted or
shared.
Substitution and Transposition Ciphers are two categories of ciphers used in classical
cryptography. Substitution and Transposition differ in how chunks of the message are
handled by the encryption process. Substitution ciphers encrypt plaintext by changing
the plaintext one piece at a time.
The Ceasar Cipher was an early substitution cipher. In the Caesar Cipher, each
character is shifted three places up. Therefore, A becomes D and B becomes E, etc...
This table shows "VOYAGER" being encrypted with the Caesar substution cipher:
Plaintext V O Y A G E R
Key +3 +3 +3 +3 +3 +3 +3
Ciphertext Y R B D J H U
Transposition ciphers encrypt plaintext by moving small pieces of the message
around.
This table shows "VOYAGER" being encrypted with a primitive transposition cipher
where every two letters are switched with each other:
V OYAGE R
O VAYE GR
Block and Stream Ciphers are two categories of ciphers used in classical
cryptography. Block and Stream Ciphers differ in how large a piece of the message is
processed in each encryption operation. Block ciphers encrypt plaintext in chunks.
Common block sizes are 64 and 128 bits. Stream ciphers encrypt plaintext one byte or
one bit at a time. A stream cipher can be thought of as a block cipher with a really
small block size. Generally speaking, block ciphers are more efficient for computers
and stream ciphers are easier for humans to do by hand.
The simplest of all substitution ciphers is the one in which the cipher letters results
from shifting plain letters by the same distance. Among those, the best known is
47
Security In Computing
The sender encodes each plain text letter P using the key b as follows:
C= (P+b) mod 26
The recipient decodes each cipher text letter C using the key b as follows:
P=(C-b) mod 26
The best known substitution cipher that encrypts pairs of letters is the Playfair Cipher
invented by Sir Charles Wheatstone but championed at the British Foreign Office by
Lyon Playfair, the first Baron Playfair of St. Andrews, whose name the cipher bears.
Here, a 5 x 5-square matrix containing the 26 letters of the alphabet (I and J are
treated as the same letter) is used to carry out the encryption. A key word,
MONARCHY in this example, is filled in first, and the remaining unused letters of
the alphabet are entered in their lexicographic order.
Pairs of plaintext letters are encrypted with the matrix by first locating the two
plaintext letters in the matrix. They are
(1) in different rows and columns or
(2) in the same row or
(3) in the same column or
(4) alike.
48
Security In Computing
letter that is in the same row but in the other column; i.e., to encrypt WE, W is
replaced by U and E by G.
2. If two letters are in the same row simply shift both one position to the right. I.e. A
and R are in the same row. A is encrypted as R and R (reading the row cyclically) as
M.
3. Similarly, if two letters are in the same column shift both one position down. I.e. I
and S are in the same column. I is encrypted as S and S as X.
The Caesar Cipher, the Multiplication Cipher and the Linear Cipher have one
property in common. They all fall in the category of Monoalphabetic Ciphers: "Same
plain letters are encoded to the same cipher letter." i.e. in the Caesar Cipher each "a"
turned into "d", each "b" turned into "e", etc.
The reason why such Ciphers can be broken is the following: Although letters are
changed the underlying letter frequencies are not! If the plain letter "a" occurs 10
times its cipher letter will do so 10 times. Therefore, any monoalphabetic Cipher can
be broken with the aid of letter frequency analysis.
Now to encrypt the message ``The quick brown fox jumped over the lazy dog" we
would alternate between the two cipher alphabets, using #1 for every first letter and
#2 for every second, to get: ``Msj joxfp dicda ucu tfzkjw ceji msj xzyb hln".
Polyalphabetic substitution ciphers are useful because they cannot be broken using
49
Security In Computing
Vigenere Cipher
The polyalphabetic substitution cipher involves the use of two or more cipher
alphabets. Instead of there being a one-to-one relationship between each letter and its
substitute, there is a one-to-many relationship between each letter and its substitutes.
ABCDEFGHIJKLMNOPQRSTUVWXYZ
A ABCDEFGHIJKLMNOPQRSTUVWXYZ
B BCDEFGHIJKLMNOPQRSTUVWXYZA
C CDEFGHIJKLMNOPQRSTUVWXYZAB
D DEFGHIJKLMNOPQRSTUVWXYZABC
E EFGHIJKLMNOPQRSTUVWXYZABCD
F FGHIJKLMNOPQRSTUVWXYZABCDE
G GHIJKLMNOPQRSTUVWXYZABCDEF
H HIJKLMNOPQRSTUVWXYZABCDEFG
I IJKLMNOPQRSTUVWXYZABCDEFGH
J JKLMNOPQRSTUVWXYZABCDEFGHI
K KLMNOPQRSTUVWXYZABCDEFGHIJ
L LMNOPQRSTUVWXYZABCDEFGHIJK
M MNOPQRSTUVWXYZABCDEFGHIJKL
N NOPQRSTUVWXYZABCDEFGHIJKLM
O OPQRSTUVWXYZABCDEFGHIJKLMN
P PQRSTUVWXYZABCDEFGHIJKLMNO
Q QRSTUVWXYZABCDEFGHIJKLMNOP
R RSTUVWXYZABCDEFGHIJKLMNOPQ
S STUVWXYZABCDEFGHIJKLMNOPQR
T TUVWXYZABCDEFGHIJKLMNOPQRS
U UVWXYZABCDEFGHIJKLMNOPQRST
50
Security In Computing
V VWXYZABCDEFGHIJKLMNOPQRSTU
W WXYZABCDEFGHIJKLMNOPQRSTUV
X XYZABCDEFGHIJKLMNOPQRSTUVW
Y YZABCDEFGHIJKLMNOPQRSTUVWX
Z ZABCDEFGHIJKLMNOPQRSTUVWXY
Note that each row of the table corresponds to a Caesar Cipher. The first row is a shift
of 0; the second is a shift of 1; and the last is a shift of 25.
The Vigenere cipher uses this table together with a keyword to encipher a message.
For example, enciphering the plaintext message:
The strength of the Vigenere cipher against frequency analysis can be seen by
examining the above ciphertext. Note that there are 7 'T's in the plaintext message and
that they have been encrypted by 'H,' 'L,' 'K,' 'M,' 'G,' 'X,' and 'L' respectively. This
successfully masks the frequency characteristics of the English 'T.' One way of
looking at this is to notice that each letter of our keyword RELATIONS picks out 1 of
the 26 possible substitution alphabets given in the Vigenere tableau. Thus, any
51
Security In Computing
3.7 CRYPTANALYSIS
Cryptanalysis (from the Greek kryptós, "hidden", and analýein, "to loosen" or "to
untie") is the study of methods for obtaining the meaning of encrypted information,
without access to the secret information which is normally required to do so.
Typically, this involves finding the secret key. In non-technical language, this is the
practice of code breaking or cracking the code, although these phrases also have a
specialized technical meaning
52
Security In Computing
Feistel networks and similar constructions are product ciphers, and so combine
multiple rounds of repeated operations, such as:
Split the plaintext block into two equal pieces, (L0, R0)
L i = Ri − 1
R i − 1 = Li
One advantage of this model is that the function used does not have to be invertible,
and can be very complex. This diagram illustrates both encryption and decryption.
53
Security In Computing
Note the reversal of the subkey order for decryption; this is the only difference
between encryption and decryption:
DES encrypts and decrypts data in 64-bit blocks, using a 64-bit key (although the
effective key strength is only 56 bits, as explained below). It takes a 64-bit block of
plaintext as input and outputs a 64-bit block of ciphertext. Since it always operates on
blocks of equal size and it uses both permutations and substitutions in the algorithm,
DES is both a block cipher and a product cipher.
DES has 16 rounds, meaning the main algorithm is repeated 16 times to produce the
ciphertext. It has been found that the number of rounds is exponentially proportional
to the amount of time required to find a key using a brute-force attack. So as the
number of rounds increases, the security of the algorithm increases exponentially.
54
Security In Computing
Although the input key for DES is 64 bits long, the actual key used by DES is only 56
bits in length. The bits at positions of multiples of eight are ignored, thus resulting in
a key length of 56 bits.
The first step is to pass the 64-bit key through a permutation called Permuted Choice
1, or PC-1 for short. The table for this is given below. Note that in all subsequent
descriptions of bit numbers, 1 is the left-most bit in the number, and n is the rightmost
bit.
55
Security In Computing
Now that we have the 56-bit key, the next step is to use this key to generate 16 48-bit
subkeys, called K[1]-K[16], which are used in the 16 rounds of DES for encryption
and decryption. The procedure for generating the subkeys - known as key scheduling -
is fairly simple:
2. Split the current 56-bit key, K, up into two 28-bit blocks, L (the left-hand half) and
R (the right-hand half).
3. Rotate L left by the number of bits specified in the table below, and rotate R left by
the same number of bits as well.
5. Apply Permuted Choice 2 (PC-2) to K to get the final K[R], where R is the round
number we are on.
6. Increment R by 1 and repeat the procedure until we have all 16 subkeys K[1]-
K[16].
56
Security In Computing
rotate
PC-2: Permuted Choice 2
Bit 0 1 2 3 4 5
1 14 17 11 24 1 5
7 3 28 15 6 21 10
13 23 19 12 4 26 8
19 16 7 27 20 13 2
25 41 52 31 37 47 55
31 30 40 51 45 33 48
37 44 49 39 56 34 53
43 46 42 50 36 29 32
Once the key scheduling has been performed, the next step is to prepare the plaintext
for the actual encryption. This is done by passing the plaintext through a permutation
called the Initial Permutation, or IP for short. This table also has an inverse, called the
Inverse Initial Permutation, or IP^(-1). Sometimes IP^(-1) is also called the Final
Permutation. Both of these tables are shown below.
57
Security In Computing
this bit becomes bit 29 of the 64-bit block after the permutation. Now let's apply IP^(-
1). In IP^(-1), bit 29 is located at the intersection of the column labeled 7 and the row
labeled 25. So this bit becomes bit 32 after the permutation. And this is the bit
position that we started with before the first permutation. So IP^(-1) really is the
inverse of IP. It does the exact opposite of IP. If you run a block of plaintext through
IP and then pass the resulting block through IP^(-1), you'll end up with the original
block.
Once the key scheduling and plaintext preparation have been completed, the actual
encryption or decryption is performed by the main DES algorithm. The 64-bit block
of input data is first split into two halves, L and R. L is the left-most 32 bits, and R is
the right-most 32 bits. The following process is repeated 16 times, making up the 16
rounds of standard DES. We call the 16 sets of halves L[0]-L[15] and R[0]-R[15].
1. R[I-1] - where I is the round number, starting at 1 - is taken and fed into the E-Bit
Selection Table, which is like a permutation, except that some of the bits are used
more than once. This expands the number R[I-1] from 32 to 48 bits to prepare for the
next step.
2. The 48-bit R[I-1] is XORed with K[I] and stored in a temporary buffer so that R[I-
1] is not modified.
3. The result from the previous step is now split into 8 segments of 6 bits each. The
left-most 6 bits are B[1], and the right-most 6 bits are B[8]. These blocks form the
index into the S-boxes, which are used in the next step. The Substitution boxes,
known as S-boxes, are a set of 8 two-dimensional arrays, each with 4 rows and 16
columns. The numbers in the boxes are always 4 bits in length, so their values range
from 0-15. The S-boxes are numbered S[1]-S[8].
4. Starting with B[1], the first and last bits of the 6-bit block are taken and used as an
index into the row number of S[1], which can range from 0 to 3, and the middle four
bits are used as an index into the column number, which can range from 0 to 15. The
number from this position in the S-box is retrieved and stored away. This is repeated
with B[2] and S[2], B[3] and S[3], and the others up to B[8] and S[8]. At this point,
we now have 8 4-bit numbers, which when strung together one after the other in the
order of retrieval, give a 32-bit result.
58
Security In Computing
5. The result from the previous stage is now passed into the P Permutation.
6. This number is now XORed with L[I-1], and moved into R[I]. R[I-1] is moved into
L[I].
7. At this point we have a new L[I] and R[I]. Here, we increment I and repeat the core
function until I = 17, which means that 16 rounds have been executed and keys K[1]-
K[16] have all been used.
When L[16] and R[16] have been obtained, they are joined back together in the same
fashion they were split apart (L[16] is the left-hand half, R[16] is the right-hand half),
then the two halves are swapped, R[16] becomes the left-most 32 bits and L[16]
becomes the right-most 32 bits of the pre-output block and the resultant 64-bit number
is called the pre-output.
59
Security In Computing
60
Security In Computing
Column
0 4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1
1 13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6
2 1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2
3 6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12
S-Box 8: Substitution Box 8
Row / 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
Column
0 13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7
1 1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2
2 7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8
3 2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11
The purpose of this example is to clarify how the S-boxes work. Suppose we have the
following 48-bit binary number:
011101000101110101000111101000011100101101011101
In order to pass this through steps 3 and 4 of the Core Function as outlined above, the
number is split up into 8 6-bit blocks, labeled B[1] to B[8] from left to right:
Now, eight numbers are extracted from the S-boxes - one from each box:
In each case of S[n][row][column], the first and last bits of the current B[n] are used
as the row index, and the middle four bits as the column index.
The results are now joined together to form a 32-bit number which serves as the input
to stage 5 of the Core Function (the P Permutation):
00110100111001011010010110101001
61
Security In Computing
The final step is to apply the permutation IP^(-1) to the pre-output. The result is the
completely encrypted ciphertext.
The same algorithm can be used for encryption or decryption. The method described
above will encrypt a block of plaintext and return a block of ciphertext. In order to
decrypt the ciphertext and get the original plaintext again, the procedure is simply
repeated but the subkeys are applied in reverse order, from K[16]-K[1]. That is, stage
2 of the Core Function as outlined above changes from R[I-1] XOR K[I] to R[I-1]
XOR K[17-I]. Other than that, decryption is performed exactly the same as
encryption.
62
Security In Computing
More flexible
Blowfish 64 bits 64 bits 32-448 16 Fast and secure
bits Compact
RC5 32/64/128 32/64/128 0-2040 variable Simple and fast
bits bits bits Adaptable to
processors of different
word length
Data dependent
rotations
This is the regular DES algorithm. Data is divided into 64-bit blocks and each
block is encrypted one at a time. Separate encryptions with different blocks
are totally independent of each other. This means that if data is transmitted
over a network or phone line, transmission errors will only affect the block
containing the error. It also means, however, that the blocks can be rearranged,
thus scrambling a file beyond recognition, and this action would go
undetected. ECB is the weakest of the various modes because no additional
security measures are implemented besides the basic DES algorithm.
However, ECB is the fastest and easiest to implement, making it the most
common mode of DES.
63
Security In Computing
64
Security In Computing
65
Security In Computing
plaintext, and the output of that is the final ciphertext. Finally, the ciphertext is fed
back into the Shift Register, and used as the plaintext seed for the next block to be
encrypted. As with CBC mode, an error in one block affects all subsequent blocks
during data transmission. This mode of operation is similar to CBC and is very
secure, but it is slower than ECB due to the added complexity.
This is similar to CFB mode, except that the ciphertext output of DES
is fed back into the Shift Register, rather than the actual final ciphertext. The
Shift Register is set to an arbitrary initial value, and passed through the DES
algorithm. The output from DES is passed through the M-box and then fed
back into the Shift Register to prepare for the next block. This value is then
XORed with the real plaintext (which may be less than 64 bits in length, like
66
Security In Computing
CFB mode), and the result is the final ciphertext. Note that unlike CFB and
CBC, a transmission error in one block will not affect subsequent blocks
because once the recipient has the initial Shift Register value, it will continue
to generate new Shift Register plaintext inputs without any further data input.
However, this mode of operation is less secure than CFB mode because only
the real ciphertext and DES ciphertext output is needed to find the plaintext of
the most recent block. Knowledge of the key is not required.
67
Security In Computing
A counter, equal to the plaintext block size is used. The counter value must be
different for each plaintext block that is encrypted. The counter is initialized to some
value and then incremented by 1 for each substitution. For encryption, the counter is
encrypted and then XORed with the plaintext block to produce the ciphertext block.
68
Security In Computing
The scheme lets us freely distribute a public key, and only you will be able to read
data encrypted using this key. In general, to send encrypted data to someone, we
encrypt the data with that person's public key, and the person receiving the encrypted
data decrypts it with the corresponding private key. Compared with symmetric-key
69
Security In Computing
As it happens, the reverse of the scheme shown in Figure also works: data encrypted
with your private key can be decrypted only with your public key. This would not be
a desirable way to encrypt sensitive data, however, because it means that anyone with
your public key, which is by definition published, could decrypt the data.
Nevertheless, private-key encryption is useful, because it means you can use your
private key to sign data with your digital signature--an important requirement for
electronic commerce and other commercial applications of cryptography.
The algorithm was described in 1977 by Ron Rivest, Adi Shamir and Len Adleman at
MIT; the letters RSA are the initials of their surnames. This is the most commonly
used algorithm in public key cryptography
1. Choose two large prime numbers and such that , randomly and
independently of each other.
2. Compute .
70
Security In Computing
n, the modulus, which is public and appears in the public key, and
Suppose Bob wishes to send a message M to Alice. He turns M into a number m < n,
using some previously agreed-upon reversible protocol known as a padding scheme.
Bob now has m, and knows n and e, which Alice has announced. He then computes
the ciphertext c corresponding to m:
Alice receives c from Bob, and knows her private key d. She can recover m from c by
the following procedure:
Here is an example of RSA encryption and decryption. The parameters used here are
artificially smallWe let
71
Security In Computing
The security of the RSA cryptosystem is based on two mathematical problems: the
problem of factoring very large numbers, and the RSA problem. Full decryption of an
RSA ciphertext is thought to be infeasible on the assumption that both of these
problems are hard, i.e., no efficient algorithm exists for solving them.
The RSA problem is defined as the task of taking eth roots modulo a composite n:
recovering a value m such that me=c mod n, where (e, n) is an RSA public key and c
is an RSA ciphertext. Currently the most promising approach to solving the RSA
problem is to factor the modulus n. With the ability to recover prime factors, an
attacker can compute the secret exponent d from a public key (e, n), then decrypt c
using the standard procedure. To accomplish this, an attacker factors n into p and q,
and computes (p-1)(q-1) which allows the determination of d from e. No polynomial-
time method for factoring large integers on a classical computer has yet been found,
but it has not been proven that none exists.
Speed
Key distribution
72
Security In Computing
As with all ciphers, how RSA public keys are distributed is important to security. Key
distribution must be secured against a man-in-the-middle attack. In principle, neither
sender nor receiver would be able to detect an outsider’s presence. Defenses against
such attacks are often based on digital certificates.
Timing attacks
3.14.1 Description
73
Security In Computing
The simplest, and original, implementation of the protocol uses the multiplicative
group of integers modulo p, where p is prime and g is primitive mod p. Modulo (or
mod) simply means that the integers between 1 and p − 1 are used with normal
multiplication, exponentiation and division, except that after each operation the result
keeps only the remainder after dividing by p. Here is an example of the protocol:
1. Alice and Bob agree to use a prime number p=23 and base g=5.
2. Alice chooses a secret integer a=6, then sends Bob (ga mod p)
o 56 mod 23 = 8.
3. Bob chooses a secret integer b=15, then sends Alice (gb mod p)
o 196 mod 23 = 2.
815 mod 23 = 2.
Both Alice and Bob have arrived at the same value, because gab and gba are equal. Note
that only a, b, gab and gba are kept secret. All the other values are sent in the
clear. Once Alice and Bob compute the shared secret they can use it as an
encryption key, known only to them, for sending messages across the same
open communications channel. Of course, much larger values of a,b, and p
would be needed to make this example secure, since it is easy to try all the
possible values of gab mod 23 (there will be, at most, 22 such values, even if a
and b are large). If p was a prime of more than 300 digits, and a and b were at
least 100 digits long, then even the best known algorithms for finding a given
only g, p, and ga mod p (known as the discrete logarithm problem) would take
longer than the lifetime of the universe to run. g need not be large at all, and in
practice is usually either 2 or 5.
74
Security In Computing
1. Alice and Bob agree on a finite cyclic group G and a generating element g in
G. (This is usually done long before the rest of the protocol; g is assumed to be
known by all attackers.) We will write the group G multiplicatively.
5. Bob computes (ga)b. Both Alice and Bob are now in possession of the group
element gab which can serve as the shared secret key.
3.14.2 Security
The order of G should be prime or have a large prime factor to prevent obtaining a or
b. The secret integers a and b are discarded at the end of the session.
Therefore, Diffie-Hellman key exchange by itself trivially achieves perfect
forward secrecy because no long-term private keying material exists to be
disclosed.
3.14.3 Authentication
In the original description, the Diffie-Hellman exchange by itself does not provide
authentication of the parties, and is thus vulnerable to man in the middle
attack. The man-in-the-middle may establish two distinct Diffie-Hellman keys,
one with Alice and the other with Bob, and then try to masquerade as Alice to
Bob and/or vice-versa, perhaps by decrypting and re-encrypting messages
passed between them. Some method to authenticate these parties to each other
is generally needed
75
Security In Computing
c) Non-repudiation of origin
Message Encryption
MAC
Hash functions
3.15.1 MAC
MAC = CK(M)
76
Security In Computing
MAC is a many-to-one function. Potentially many messages have same MAC. But
finding these needs to be very difficult
77
Security In Computing
Instead of encrypting the data itself, the signing software creates a one-way hash of
the data, then uses the private key to encrypt the hash. The encrypted hash, along with
other information, such as the hashing algorithm, is known as a digital signature.
The figure shows a simplified view of the way a digital signature can be used to
validate the integrity of signed data.
78
Security In Computing
The figure shows two items transferred to the recipient of some signed data: the
original data and the digital signature, which is basically a one-way hash (of the
original data) that has been encrypted with the signer's private key. To validate the
integrity of the data, the receiving software first uses the signer's public key to decrypt
the hash. It then uses the same hashing algorithm that generated the original hash to
generate a new one-way hash of the same data. (Information about the hashing
algorithm used is sent with the digital signature, although this isn't shown in the
figure.) Finally, the receiving software compares the new hash against the original
hash. If the two hashes match, the data has not changed since it was signed. If they
don't match, the data may have been tampered with since it was signed, or the
signature may have been created with a private key that doesn't correspond to the
public key presented by the signer. If the two hashes match, the recipient can be
certain that the public key used to decrypt the digital signature corresponds to the
private key used to create the digital signature. Confirming the identity of the signer,
however, also requires some way of confirming that the public key really belongs to a
particular person or other entity
79
Security In Computing
deny having signed the data. In some situations, a digital signature may be as
legally binding as a handwritten signature.
QUESTIONS
1. What is cryptography?
2. What is a block cipher?
3. What is a Fiestel cipher?
4. What are weak keys?
5. What is DES?
6. What is triple DES?
7. What are ECB and CBC modes?
8. What is Blowfish?
9. What is multiple encryption?
10. What is stream cipher?
11. What is public key cryptography?
12. What are the key management issues involved in public key cryptography?
13. What are certificates?
14. What are the advantages of public key cryptography over symmetric key
cryptography?
15. What is a one-way function?
16. What is the significance of one way function in cryptography?
17. What is RSA?
18. What are the different types of attacks on RSA?
19. What is the RSA factoring challenge?
20. How is RSA used for authentication in practice?
21. What is Diffie Hellman key exchange?
22. What is the significance of factoring in cryptography?
23. What is the discrete logarithm problem?
24. What are MACs?
25. What is a hash function?
Unit 4
80
Security In Computing
4.1 KERBEROS
The three heads of Kerberos comprise the Key Distribution Center (KDC), the client
user and the server with the desired service to access. The KDC is installed as part of
the domain controller and performs two service functions: the Authentication Service
(AS) and the Ticket-Granting Service (TGS). As exemplified in Figure 1, three
exchanges are involved when the client initially accesses a server resource:
1. AS Exchange
2. TGS Exchange
3. Client Server(CS) Exchange
Source : www.microsoft.com
4.1.1 AS Exchange
81
Security In Computing
The user presents the TGT to the TGS portion of the KDC when desiring access to a
server service. The TGS on the KDC authenticates the user's TGT and creates a ticket
and session key for both the client and the remote server. This information, known as
the service ticket, is then cached locally on the client machine.
The TGS receives the client's TGT and reads it using its own key. If the TGS
approves of the client's request, a service ticket is generated for both the client and the
target server. The client reads its portion using the TGS session key retrieved earlier
from the AS reply. The client presents the server portion of the TGS reply to the
target server in the client/server exchange coming next.
Once the client user has the client/server service ticket, he can establish the session
with the server service. The server can decrypt the information coming indirectly
from the TGS using its own long-term key with the KDC. The service ticket is then
used to authenticate the client user and establish a service session between the server
and client. After the ticket's lifetime is exceeded, the service ticket must be renewed
to use the service.
4.2. X.509
82
Security In Computing
A public-key certificate is a digitally signed statement from one entity, saying that the
public key (and some other information) of another entity has some specific value.
Now a Certification Authority (CA) can act as a Trusted Third Party. CAs are entities
that are trusted to sign (issue) certificates for other entities. It is assumed that CAs will
only create valid and reliable certificates as they are bound by legal agreements. There
are many public Certification Authorities, such as VeriSign, Thawte, Entrust, and so
on.
The X.509 standard defines what information can go into a certificate, and describes
how to write it down (the data format). All X.509 certificates have the following data,
in addition to the signature:
Version
This identifies which version of the X.509 standard applies to this certificate,
which affects what information can be specified in it. Thus far, three versions
are defined.
Serial Number
The entity that created the certificate is responsible for assigning it a serial
number to distinguish it from other certificates it issues. This information is
used in numerous ways, for example when a certificate is revoked its serial
number is placed in a Certificate Revocation List (CRL).
Signature Algorithm Identifier
This identifies the algorithm used by the CA to sign the certificate.
Issuer Name
The X.500 name of the entity that signed the certificate. This is normally a
CA. Using this certificate implies trusting the entity that signed this certificate.
Validity Period
83
Security In Computing
Each certificate is valid only for a limited amount of time. This period is described
by a start date and time and an end date and time, and can be as short as a few
seconds or almost as long as a century. The validity period chosen depends on a
number of factors, such as the strength of the private key used to sign the
certificate or the amount one is willing to pay for a certificate. This is the expected
period that entities can rely on the public value, if the associated private key has
not been compromised.
Subject Name
The name of the entity whose public key the certificate identifies. This name uses
the X.500 standard, so it is intended to be unique across the Internet. This is the
Distinguished Name (DN) of the entity, for example,
X.509 Version 1 has been available since 1988, is widely deployed, and is the most
generic.
X.509 Version 2 introduced the concept of subject and issuer unique identifiers to
handle the possibility of reuse of subject and/or issuer names over time. Most
certificate profile documents strongly recommend that names not be reused, and that
certificates should not make use of unique identifiers. Version 2 certificates are not
widely used.
X.509 Version 3 is the most recent and supports the notion of extensions, whereby
anyone can define an extension and include it in the certificate
84
Security In Computing
•confidentiality
–protection from disclosure
•authentication
–of sender of message
•message integrity
–protection from modification
•non-repudiation of origin
–protection from denial by sender
4.3.1 PGP
(For diagrams refer text book- William Stallings)
PGP is an official email security system. It was developed by Phil Zimmermann.PGP
is available on Unix, PC, Macintosh and Amiga systems. It is originally free, now
have commercial versions available also
Authentication
1.The sender creates a message
2.SHA-1 used to generate 160-bit hash code of message
3.The hash code is encrypted with RSA using the sender's private key, and result is
attached to message.
4.The receiver uses RSA or DSS with sender's public key to decrypt and recover hash
code
5.The receiver generates new hash code for message and compares with decrypted
hash code, if match, message is accepted as authentic
Confidentiality
85
Security In Computing
1. The sender generates message and random 128-bit number to be used as session
key for this message only.
2.The message is encrypted, using CAST-128 / IDEA/3DES with session key.
3.The session key is encrypted using RSA with recipient's public key, then attached to
message.
4.The receiver uses RSA with its private key to decrypt and recover session key.
5.The session key is used to decrypt message.
Compression
By default PGP compresses message after signing but before encrypting and can store
uncompressed message & signature for later verification. It uses ZIP compression
algorithm.
Email- Compatibility
When using PGP we will have binary data to send (encrypted message etc).However
email was designed only for text. Hence PGP must encode raw binary data into
printable ASCII characters. For this it uses radix-64 algorithm, which maps 3 bytes to
4 printable characters and also appends a CRC
4.3.2 S/MIME
86
Security In Computing
encrypted message. So to send a message via S/MIME the sender must look up the
public key in a global directory or already have it available. Once the key has been
found, the sender must encrypt the message/attachment and forward it to the
destination server.
In order for the message to be read, the encrypted message must be decoded by the
mail client or by the mail server. There are issues with either of these solutions:
• Decryption by the mail client. At the current time, not many mail clients
support S/MIME decryption. Further there is the issue of configuring the mail
client with the correct private key so that decryption works OK. Since
messages are stored encrypted, if the key becomes compromised at any point
in the future and must be changed, there is the risk that the messages will
become unavilable in the future.
• Decryption by the mail server. This requires the server to hold both the
encryption and decryption key for each user. Clearly there will be additional
load on the server as it manages each message and messages are likley to be
stored unencrypted on the server itself (there is no point in them being
encrypted since the key is available on the server).
The Secure Sockets Layer protocol is a protocol layer which may be placed between a
reliable connection-oriented network layer protocol (e.g. TCP/IP) and the application
protocol layer (e.g. HTTP). SSL provides secure communication between client and
server by allowing mutual authentication, the use of digital signatures for integrity,
and encryption for privacy. The protocol is designed to support a range of choices for
specific algorithms used for cryptography, digests, and signatures. Choices are
negotiated between client and server at the start of establishing a protocol session.
87
Security In Computing
SSL v2.0 Vendor Standard First SSL protocol for which implementations exists
(from Netscape
Corp.)
SSL v3.0 Expired Internet Revisions to prevent specific security attacks, add non-
Draft (from RSA ciphers, and support for certificate chains
Netscape Corp.)
TLS v1.0 Proposed Internet Revision of SSL 3.0 to update the MAC layer to
Standard (from HMAC, add block padding for block ciphers, message
IETF) order standardization and more alert messages.
There are a number of versions of the SSL protocol, as shown. SSL 3.0 is the basis for
the Transport Layer Security protocol standard, currently in development by the
Internet Engineering Task Force (IETF).
The SSL session is established by following a handshake sequence between client and
server. This sequence may vary, depending on whether the server is configured to
provide a server certificate or request a client certificate. Though cases exist where
additional handshake steps are required for management of cipher information, this
article summarizes one common scenario: see the SSL specification for the full range
of possibilities. Once an SSL session has been established it may be reused, thus
avoiding the performance penalty of repeating the many steps needed to start a
session. For this the server assigns each SSL session a unique session identifier which
is cached in the server and which the client can use on forthcoming connections to
reduce the handshake.
88
Security In Computing
The elements of the handshake sequence, as used by the client and server, are listed
below:
The first step, Cipher Suite Negotiation, allows the client and server to choose a
Cipher Suite supportable by both of them. The SSL3.0 protocol specification defines
31 Cipher Suites. A Cipher Suite is defined by the following components:
The key exchange method defines how the shared secret symmetric cryptography key
used for application data transfer will be agreed upon by client and server. SSL 2.0
uses RSA key exchange only, while SSL 3.0 supports a choice of key exchange
89
Security In Computing
algorithms including the RSA key exchange when certificates are used, and Diffie-
Hellman key exchange for exchanging keys without certificates and without prior
communication between client and server. One variable in the choice of key exchange
methods is digital signatures -- whether or not to use them, and if so, what kind of
signatures to use.
• No encryption
• Stream Ciphers
o RC4 with 40-bit keys
o RC4 with 128-bit keys
• CBC Block Ciphers
o RC2 with 40 bit key
o DES with 40 bit key
o DES with 54 bit key
o Triple-DES with 168 bit key
o Idea (128 bit key)
90
Security In Computing
TCP
IP
SSL Record Protocol takes care of the data transmission. SSL Record Protocol
provides two services, confidentiality and integrity. Confidentiality uses symmetric
encryption with a shared secret key defined by Handshake Protocol and integrity uses
a MAC with shared secret key.SSL is used to transfer application and SSL Control
data between the client and server. It possibly fragments the data into smaller units,
compress the data, attach signatures and encrypt these units before transmitting them.
4.5. IPSec
91
Security In Computing
the beginning. IPSec can be used to protect one or more data flows between a pair of
hosts, gateways and between both gateways and hosts.
IKE is used to handle negotiation of protocols and algorithms that are based on local
policy that generate the encryption and the authentication. Some of these is DES,
MD5, AH and SHA. IKE provides a authentication of the IPSec peers and establishes
the IPSec key.
DES (The Data Encryption Standard) is used to encrypt the packet data. DES use
cipher block chaining to initialize a vector to start the encryption.
SHA (Secure Hash Algorithm) and MD5 (Message Digest 5) are hash algorithms and
these are used to authenticate the data.
92
Security In Computing
ESP includes several parts, the first of which is the control header that contains the
SPI and the sequence number field. The SPI and sequence number serve the same
purpose as in the AH. The SPI indicates which security algorithms and keys were
used for a particular connection, and the sequence number keeps track of the order in
which packets are transmitted. The payload data can be of any size because it's the
actual data being carried by the packet. Along with the payload data, the ESP also
contains 0 bytes to 255 bytes of padding, which ensures the data, will be of the correct
length for particular types of encryption algorithms. This area of the ESP also
includes the pad length, which tells how much padding is in the payload, and the next
header field, which gives information about the data and the protocol used.
Authentication data is the field that contains a digital signature that has been applied
to everything in the ESP except the authentication data itself.
93
Security In Computing
packet. To authenticate users, the AH can use either Message Digest 5 algorithm or
the Secure Hash Algorithm.
There are two different modes in IPsec, transport mode and tunnel mode.
In Transport mode, only the data from the upper-layer protocol and the data
transported by the IP datagrams are protected. This mode is usable only on final
equipment.
In tunnel mode, the IP header is also protected (authentication, integrity and/or
confidentiality) and is replaced by a new header. This new header is used to transport
the packet to the end of the tunnel, where the original header is restored. Tunnel mode
is usable either on final equipment or on security gateways. This mode makes it
possible to ensure a more significant protection against traffic analysis.
4.6. FIREWALLS
4.6.1 Terminologies
Bastion host.
A general-purpose computer used to control access between the internal
(private) network (intranet) and the Internet (or any other untrusted network).
Router.
A special purpose computer for connecting networks together. Routers also
handle certain functions, such as routing , or managing the traffic on the
networks they connect.
Access Control List (ACL).
Many routers now have the ability to selectively perform their duties, based on
a number of facts about a packet that comes to it. This includes things like
origination address, destination address, destination service port, and so on.
94
Security In Computing
These can be employed to limit the sorts of packets that are allowed to come
in and go out of a given network.
Proxy.
This is the process of having one host act in behalf of another. A host that has
the ability to fetch documents from the Internet might be configured as a
proxy server, and host on the intranet might be configured to be proxy clients.
All hosts on the intranet are able to access resources on the Internet without
having the ability to direct talk to the Internet.
Application Gateways
The first firewalls were application gateways, and are sometimes known as proxy
gateways. These are made up of bastion hosts that run special software to act as a
proxy server. This software runs at the Application Layer of the ISO/OSI Reference
Model, hence the name. Clients behind the firewall must be proxitized (that is, must
know how to use the proxy, and be configured to do so) in order to use Internet
services. Traditionally, these have been the most secure, because they don't allow
anything to pass by default, but need to have the programs written and turned on in
order to begin passing traffic.
Packet Filtering
Packet filtering is a technique whereby routers have ACLs (Access Control Lists)
turned on. By default, a router will pass all traffic sent it, and will do so without any
95
Security In Computing
sort of restrictions. Employing ACLs is a method for enforcing security policy with
regard to what sorts of access you allow the outside world to have to your internal
network, and vice versa. There is less overhead in packet filtering than with an
application gateway, because the feature of access control is performed at a lower
ISO/OSI layer (typically, the transport or session layer). Due to the lower overhead
and the fact that packet filtering is done with routers, which are specialized computers
optimized for tasks related to networking, a packet filtering gateway is often much
faster than its application layer.
Java applets are far more powerful than the usual HTML code served up on the Web.
When not restricted by applet-security measures, Java is a complete and powerful
programming language capable of sending information over the network; reading,
altering, or deleting files; using system resources; and so on. This is powerful stuff,
and in the hands of a malicious programmer. Java should restrict itself such that the
full power and potential of the Java language is not misused. Java applets we retrieve
from the Web have been written by someone else, we cannot trust them to perform
with integrity. Java downloaded from the Net is automatically considered untrusted
code. In order to ensure that untrusted code does nothing mischievous, it is important
to limit what that untrusted code can do.
Following are the basic categories of potential attacks Java applets could facilitate:
96
Security In Computing
The default sandbox is made of three interrelated parts: the Verifier, the Class Loader,
and the Security Manager. If any of the three parts breaks, the entire security system
breaks. The Verifier is built in to the VM and cannot be accessed by Java
programmers or Java users. In most Java implementations, when Java code arrives at
the VM and is formed into a Class by the Class Loader, the Verifier automatically
examines it. The Verifier checks byte code at a number of different levels. The
simplest test makes sure that the format of a code fragment is correct. If the Verifier
discovers a problem with a class file, it throws an exception, loading ceases, and the
class file never executes. The verification process, in concert with the security
features built into the language and checked at runtime, helps to establish a base set of
security guarantees. The Verifier also ensures that class files that refer to each other
preserve binary compatibility. There are rules of compatibility that govern the ability
to change use of classes and methods without breaking binary compatibility. For
example, it is okay to add a method to a class that is used by other classes, but not
okay to delete methods from a class used by other classes. The Verifier enforces
compatibility rules. Once byte code passes through verification, the following things
are guaranteed:
97
Security In Computing
The Verifier acts as the primary gatekeeper in the Java security model. It ensures that
each piece of byte code downloaded from the outside plays by the rules. That way, the
Java VM can safely execute byte code that may not have been created by a Java
compiler. When the Verifier finds a problem in a class, it rejects the malformed class
and throws an exception. This is obviously a much more reasonable behavior than
running buggy or malicious code that crashes the VM.
All Java objects belong to classes. Class loaders determine when and how classes can
be added to a running Java environment. Part of their job is to make sure that
important parts of the Java runtime environment are not replaced by impostor code.
Class loaders perform two functions. First, when the VM needs to load the byte code
for a particular class, it asks a class loader to find the byte code. Each class loader can
use its own method for finding requested byte code files: It can load them from the
local disk, fetch them across the Net using any protocol, or it can just create the byte
code on the spot. This flexibility is not a security problem as long as the party who
wrote the code that is being loaded trusts the class loader. Second, class loaders define
the namespaces seen by different classes and how those namespaces relate to each
other. Namespace is a set of unique names of classes loaded by a particular Class
Loader and a binding of each name to a specific class object. Applet Class Loaders,
which are typically supplied by the browser vendor, load all applets and the classes
they reference, usually getting the classes from HTTP servers. When an applet loads
across the network, its Applet Class Loader receives the binary data and instantiates it
as a new class. Under normal operation, applets are forbidden to install a new Class
Loader
Summary
Each Java class begins as source code. This is then compiled into byte code and
distributed to machines anywhere on the Net. A Java-enabled browser automatically
98
Security In Computing
downloads a class when it encounters the <APPLET> tag in an HTML document. The
Verifier examines the byte code of a class file to ensure that it follows Java's strict
safety rules. The Java VM interprets byte code declared safe by the Verifier. The Java
specification allows classes to be unloaded when they are no longer needed, but few
current Java implementations unload classes.
Java's ability to dynamically load classes into a running Java environment is fraught
with security risks. The class-loading mechanisms mitigate these risks by providing
separate namespaces set up according to where mobile code originates. This
capability ensures that essential Java classes cannot be spoofed (replaced) by external,
untrusted code. The Applet Class Loader in particular is a key piece of the Java
security model.
The third part of the base Java security model is the Security Manager. This part of
the security model restricts the ways an applet uses visible interfaces (Java API calls).
The Security Manager implements a good portion of the entire security model and is
the part of the security model most often encountered (in terms of a
SecurityException) by Java applet developers.
The job of the Security Manager is to keep track of who is allowed to do which
dangerous operations. A standard Security Manager will disallow most operations
when they are requested by untrusted code, and will allow trusted code to do whatever
it wants.
The Security Manager is a single Java object that performs runtime checks on
dangerous methods. Code in the Java library consults the Security Manager whenever
a potentially dangerous operation is attempted. The Security Manager can veto the
operation by generating a SecurityException. Decisions made by the Security
Manager take into account the origin of the requesting class. Obviously, built-in
classes are usually given more privilege than classes loaded across the Net. The
Security Manager makes the final decision as to whether a particular operation is
permitted or rejected. The Java API provides all calls necessary to interface to the
operating system, thus making isolation of all required security checks possible within
99
Security In Computing
the API. When a dangerous call is made to the Java library, the library queries the
Security Manager. These queries use a set of methods that check access.
Each VM can have only one Security Manager installed at a time, and once a Security
Manager has been installed it cannot be uninstalled (except by restarting the VM).
Java-enabled applications such as Web browsers install a Security Manager as part of
their initialization, thus locking in the Security Manager before any potentially
untrusted code has a chance to run.
Source : www.securingjava.com
• Prevent installation of new class loaders. The job of class loaders is to keep
the namespaces properly organized. Because security checks are requested by
classes in the Java library, applets must be prevented from spoofing the library
classes.
• Protect threads and thread groups from each other.
• Control the execution of other application programs.
• Control the ability to shut down the VM.
• Control access to other application processes.
• Control access to system resources such as print queues, clipboards, event
queues, system properties, and windows.
• Control file system operations such as read, write, and delete. Access to local
files is strictly controlled.
• Control network socket operations such as connect and accept.
100
Security In Computing
Unit 5
Database security is a very broad area that addresses many issues like:
101
Security In Computing
102
Security In Computing
103
Security In Computing
104
Security In Computing
1. The account level – At this level, the DBA specifies the particular privileges
that each account holds independently of the relations in the database.
The privileges at the account level are
a) Create schema or Create table - To create a schema or base relation.
b) Create view – To create virtual relations.
c) Alter - To apply schema changes such as adding or removing attributes from
relations.
d) Drop - To delete relations or views.
e) Modify - To insert, delete, or update tuples
f) Select - To retrieve information from the database by using a SELECT query.
2. The relation (or table) level – At this level, the DBA can control the privilege
to access each individual relation or view in the database. The relation level
privileges are applied to base relations or virtual relations (views). Privileges at
the relation level specify for each user the individual relations on which each type
of command can be applied.
105
Security In Computing
Revoking Privileges
The owner of a relation may want to grant certain privileges to a user for a specific
task and then revoke those privileges, once the task is completed. In SQL, REVOKE
command is used for canceling privileges.
106
Security In Computing
107
Security In Computing
Apparent key - The apparent key of a multilevel relation is the set of attributes that
would have formed the primary key in a regular (single-level) relation.
Polyinstantiation – It is the state at which several tuples can have the same apparent
key value but have different attribute values for users at different classification levels.
Consider an e.g.
Employee
Name Salary Job Performance TC
Smith U 40000 Fair S S
C
Brown C Good C S
80000 S
Fig (1)
Assume that the Name attribute is the apparent key. Now consider a select query
‘select * from employee’.
Case 1: A user with security clearance S would see the original relation as it is, i.e.
108
Security In Computing
80000 S
Fig (2)
Case 2: A user with security clearance C would see the relation as:
Fig (4)
Thus we can see that filtering introduces null values for attribute values whose
security classification is higher than the user’s security clearance.
The entity integrity rule for multilevel relations state that all attributes
that are members of the apparent key must not be null and must have the same
security classification within each individual tuple. In addition, all other attribute
values in the tuple must have a security classification greater than or equal to the
apparent key.
Suppose that a user with security clearance C tries to update the value of
‘JobPerformance’ of Smith to ‘Excellent’; the SQL statement would be
Update employee
Set JobPerformance = ‘Excellent’
109
Security In Computing
80000 S
This is necessary since the new tuple cannot be filtered from the existing tuple of
classification S.
5.7. INTRODUCTION TO STATISTICAL DATABASE SECURITY
Statistical databases are used mainly to produce statistics on various populations. (A
population is a set of tuples of a relation that satisfy some selection condition). The
database may contain confidential data, which should be protected from user access.
However, users are permitted to retrieve statistical information on populations, such
as sum, average, maximum, minimum and standard deviation. i.e. statistical database
users are not allowed to retrieve individual data but are allowed to access statistical
data as a whole. Statistical database security techniques must prohibit the retrieval of
individual data. This can be controlled by prohibiting queries that retrieve attribute
values and by allowing only queries that involve statistical aggregate functions such
as COUNT, SUM, MIN, MAX, AVERAGE and STANDARD DEVIATION. Such
queries are called statistical queries.
In some cases it is possible to infer the values of individual tuples from a sequence of
statistical queries. As an e.g. consider the two statistical queries:
110
Security In Computing
REFERENCES
111
Security In Computing
112