Chapter 3
Ge.be09@yahoo.com
Research Thrusts
How do we integrate active components into real-time network defenses?
How do we build scalable detection systems?
How do we develop situational awareness to enhance alert accuracy?
How do we build resilient honeynet deployments?
Active mapping techniques, Data pollution attempts
[Figure: honeynet detection pipeline. Labels: aggregated, reassembled and annotated connection records; Shared Memory Module; Active Responder (Kernel); Sink Inspector (Kernel); Database; dark IP traffic; production traffic; honeynet response; Match? Forward to ALERT; No match? To network]
Minimal UI
Apache web server with PHP/HTML front end
Displays currently active automatons
Displays matched connection count summaries
Displays cluster information along with the generalized PFSA
However, IDS is only useful if contingency plans are in place to curb attacks as they are occurring
A reasonably effective IDS can identify
Internal hacking
External hacking attempts
Allows the system administrator to quantify the level of attack the site is under
May act as a backstop if a firewall or other security measures fail
Digital IDs, Intrusion Detection Systems and PC Card
System Solutions
Paradigm for intrusion detection
Attack Detection
[Figure: IDS placed in the DMZ network. Labels: Internet, Router w/some screening, WWW Server, Firewall, Internal Network, Desktop, IDS]
IDS detects (and counts) attacks against the Web Server and firewall
[Figure: IDS placed inside the internal network. Labels: Internet, Router w/some screening, WWW Server, Firewall, Internal Network, IDS]
IDS detects hacking activity WITHIN the protected network, incoming or outgoing
Placing an IDS within the perimeter will detect instances of clearly improper behavior
Hacks via backdoors
Hacks from staff against other sites
Hacks that got through the firewall
When the IDS alarm goes off, it’s a red alert
PC card system solutions: recording what to throw away
Things that you know aren’t interesting
Consider keeping counts of how many uninteresting events occur
Event frequency of uninteresting events may be interesting!
Build a stop list and forward all remaining output to a human intelligence
Building IDS
Things you need:
Sources of data
Network listeners
Host software (syslog, C2, application data)
Data analysis routines
Artificial ignorance
Counting/thresholding software
Long-term storage
Building statistics
Excel is your friend
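The stop list ("artificial ignorance") and counting/thresholding steps listed above can be combined as in the following Python sketch. It is an added example, not part of the original slides; the patterns, thresholds and log lines are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed stop list: patterns for events already known to be uninteresting.
STOP_LIST = {
    "cron_session": re.compile(r"CRON\[\d+\]: .*session (opened|closed)"),
    "dhcp_renew": re.compile(r"dhclient\[\d+\]: (DHCPREQUEST|DHCPACK)"),
    "ntp_sync": re.compile(r"ntpd\[\d+\]: synchronized to"),
}

# Constructed per-batch ceilings: a burst of "boring" events is itself notable.
THRESHOLDS = {"cron_session": 4, "dhcp_renew": 2, "ntp_sync": 2}


def artificial_ignorance(lines, stop_list=STOP_LIST, thresholds=THRESHOLDS):
    """Return (forwarded, counts, anomalies) for one batch of log lines."""
    counts = Counter()
    forwarded = []
    for line in lines:
        for name, pattern in stop_list.items():
            if pattern.search(line):
                counts[name] += 1       # throw the line away, keep the count
                break
        else:
            forwarded.append(line)      # matched nothing: send it to a human
    anomalies = {n: c for n, c in counts.items()
                 if c > thresholds.get(n, float("inf"))}
    return forwarded, counts, anomalies


# Constructed sample batch (not real log data; addresses are documentation ranges).
SAMPLE = [
    "Mar  3 02:00:01 web1 CRON[811]: pam_unix(cron:session): session opened for user root",
    "Mar  3 02:00:02 web1 CRON[811]: pam_unix(cron:session): session closed for user root",
    "Mar  3 02:01:10 web1 dhclient[402]: DHCPREQUEST on eth0 to 192.0.2.1 port 67",
    "Mar  3 02:01:10 web1 dhclient[402]: DHCPACK from 192.0.2.1",
    "Mar  3 02:01:40 web1 dhclient[402]: DHCPREQUEST on eth0 to 192.0.2.1 port 67",
    "Mar  3 02:02:05 web1 sshd[977]: Failed password for invalid user admin from 198.51.100.7 port 50514 ssh2",
    "Mar  3 02:03:00 web1 ntpd[310]: synchronized to 192.0.2.10, stratum 2",
    "Mar  3 02:04:12 web1 kernel: httpd[1203]: segfault at 0 error 4",
]

if __name__ == "__main__":
    forwarded, counts, anomalies = artificial_ignorance(SAMPLE)
    print("for review:", *forwarded, sep="\n  ")
    print("suppressed counts:", dict(counts))
    print("frequency anomalies:", anomalies)
```

On the sample batch only the sshd and kernel lines reach the reviewer, while the DHCP renewals are suppressed but flagged because their count exceeds the ceiling.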
3 changes
The shift is linear and equidistributed
[Figure: shifted-alphabet lookup table over the characters a to z, 0 to 9, "." (dot) and space]
I agree lcdjuhh
i+3=l
Space=c [+3]
Key Cipher
k.n.gupta 62 mewam3rzjba z
k+2=m
(dot)=e [+6]
n=w [+9]
Network management and security Chapter 3
Encrypted files and biometrics
Encrypted files: Encryption and decryption
ENCRYPTION
Message 1: Central to the growth of e-commerce and e-governance is the issue of trust in electronic environment.
Encrypted Message 1: [hexadecimal ciphertext]
Message 2: The Internet knows no geographical boundaries. It has redefined time and space. Advances in computer and telecommunication technologies have led to the explosive growth of the Internet. This in turn is affecting the methods of communication, work, study, education, interaction, leisure, health, governance, trade and commerce.
Encrypted Message 2: [hexadecimal ciphertext]
DECRYPTION
Encrypted Message 2: [hexadecimal ciphertext]
Message 2: The Internet knows no geographical boundaries. It has redefined time and space. Advances in computer and telecommunication technologies have led to the explosive growth of the Internet. This in turn is affecting the methods of communication, work, study, education, interaction, leisure, health, governance, trade and commerce.
SYMMETRIC: Same Key
ASYMMETRIC [PKI]: Different Keys [Keys of a pair – Public and Private]
General concepts
• A 1024-bit number is a very big number, much bigger than the total number of electrons in the whole world.
• Trillions of trillions of pairs of numbers exist in this range, with each pair having the following property
– A message encrypted with one element of the pair can be decrypted ONLY by the other element of the same pair
• The two numbers of a pair are called keys, the Public Key & the Private Key. The user himself generates his own key pair on his computer
[Figure: biometric enrollment flow. Labels: Acquire and Digitize Biometric Data; Extract High Quality Biometric Features/Representation; Formulate Biometric Feature/Rep Template; Database Template Repository]
Authentication/Verification: Capture and processing of user biometric data in order to render an authentication decision based on the outcome of a matching process of the stored to current template.
Transmission Module
Compress and encrypt sensor digital data, reverse process.
[Figure: biometric system block diagram, repeated across several slides. Labels: Biometric Presentation, Sensor, Data Collection, Transmission, Compression, Encryption, Decryption, Decompress, Expansion, Signal Processing, Feature Extraction, Representation, Quality Control, Generate Template, Database, Templates, Images, Template Match, Decision, Confidence? (Yes/No), Recollect]
Biometric Template: A file holding a mathematical representation of the identifying features extracted from the raw biometric data.
Potential Problems:
Encryption with a 10-bit key?
Are some “corrected” values more likely than others?
What happens when the person changes --- you still need a back door.
Cryptography algorithms
Often grouped into two broad categories, symmetric and asymmetric; today’s popular cryptosystems use a hybrid combination of symmetric and asymmetric algorithms
Symmetric encryption
[Figure: the same key K_A-B appears at both the encrypting and the decrypting side]
Classical substitutions
where letters of plaintext are replaced by other letters or by numbers or
symbols
or if plaintext is viewed as a sequence of bits, then substitution involves
replacing plaintext bit patterns with ciphertext bit patterns
Caesar cipher
earliest known substitution cipher
by Julius Caesar
first attested use in military affairs
replaces each letter by the 3rd letter after it
example:
meet me after the toga party
PHHW PH DIWHU WKH WRJD SDUWB
Caesar cipher
can define transformation as:
abcdefghijklmnopqrstuvwxyz
DEFGHIJKLMNOPQRSTUVWXYZABC
Monoalphabetic ciphers
“Cipher” line can be any permutation of the 26 alphabetic characters
Statistical analysis
Letters “e” and “t” are the most frequently occurring letters
known plaintext
know/suspect plaintext & ciphertext to attack cipher
chosen plaintext
select plaintext and obtain ciphertext to attack cipher
chosen ciphertext
select ciphertext and obtain plaintext to attack cipher
chosen text
select either plaintext or ciphertext to en/decrypt to attack cipher
cipher(key,PIN)
Crook #1 changes his PIN to a number of his choice
Crook #2 eavesdrops on the wire and learns ciphertext corresponding to chosen plaintext PIN
Polyalphabetic ciphers
another approach to improving security is to use multiple cipher
alphabets
called polyalphabetic substitution ciphers
makes cryptanalysis harder with more alphabets to guess and flatter
frequency distribution
use a key to select which alphabet is used for each letter of the message
use each alphabet in turn
repeat from start after end of key is reached
Polyalphabetic encryption
monoalphabetic ciphers + Caesar cipher.
Two Caesar ciphers (k=5, k=19)
Repeating pattern c1, c2, c2, c1, c2
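The two-Caesar scheme above (k=5, k=19, pattern c1, c2, c2, c1, c2) is worked through below next to the plain 3-shift Caesar cipher, to show why the frequency distribution gets flatter. This is an added Python example, not code from the original slides; it assumes the pattern advances only on letters, since the slide does not say how spaces are handled.

```python
import string
from collections import Counter

ALPHABET = string.ascii_lowercase


def caesar_shift(ch, k):
    """Shift one lowercase letter k places (k may be negative); keep other characters."""
    if ch not in ALPHABET:
        return ch
    return ALPHABET[(ALPHABET.index(ch) + k) % 26]


def poly_encrypt(text, shifts=(5, 19), pattern=(0, 1, 1, 0, 1), decrypt=False):
    """Two Caesar ciphers c1 (k=5) and c2 (k=19) applied in the order c1,c2,c2,c1,c2.

    Assumption: the pattern advances only on letters, so spaces pass through.
    """
    out, pos = [], 0
    for ch in text.lower():
        if ch in ALPHABET:
            k = shifts[pattern[pos % len(pattern)]]
            ch = caesar_shift(ch, -k if decrypt else k)
            pos += 1
        out.append(ch)
    return "".join(out)


def cipher_images(plain, cipher, letter):
    """Set of ciphertext letters that one plaintext letter was mapped to."""
    return {c for p, c in zip(plain, cipher) if p == letter}


def top_letter_share(text):
    """Share of all letters taken by the most common one (lower = flatter)."""
    letters = [c for c in text if c in ALPHABET]
    return Counter(letters).most_common(1)[0][1] / len(letters)


PLAINTEXT = "meet me after the toga party"  # plaintext used on the Caesar slide
CAESAR3 = "".join(caesar_shift(c, 3) for c in PLAINTEXT)
POLY = poly_encrypt(PLAINTEXT)

if __name__ == "__main__":
    print(CAESAR3.upper())
    print(POLY)
    print(cipher_images(PLAINTEXT, CAESAR3, "e"), cipher_images(PLAINTEXT, POLY, "e"))
    print(top_letter_share(CAESAR3), top_letter_share(POLY))
```

Under the single Caesar shift every plaintext "e" becomes "h", so letter frequencies carry straight through; with the two-alphabet pattern the same "e" appears as both "x" and "j", which is the flattening the slide refers to.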
Vigenere Cipher
simplest polyalphabetic substitution cipher is the Vigenère Cipher
Example
write the plaintext out
One-time pad
if a truly random key as long as the message is used, the cipher will be secure
since for any plaintext & any ciphertext there exists a key mapping one to
other
As secure as possible
Given a ciphertext, all plaintexts are equally likely, regardless of attacker’s
computational resources
…as long as the key sequence is truly random
True randomness is expensive to obtain in large quantities
…as long as each key is same length as plaintext
But how does the sender communicate the key to receiver?
Transposition ciphers
now consider classical transposition or permutation ciphers
giving ciphertext
MEMATRHTGPRYETEFETEOAAT
Product Ciphers
ciphers using substitutions or transpositions are not secure
because of language characteristics
And all our problems were solved, whose key is this anyway?
Secure, reliable, and scalable method for distributing public
keys for secrecy, correctness, and sender verification
“Binds” the owner to the public key using a digital certificate
Maintains and distributes status information for the life of that
binding
Public key infrastructure
One key locks or encrypts the plaintext, and the other unlocks or decrypts
the ciphertext. Neither key can perform both functions by itself.
The public key may be published without compromising security, while
the private key must not be revealed to anyone not authorized to read the
messages.
Public-key cryptography uses asymmetric key algorithms, and can also
be referred to as asymmetric key cryptography.
Public-key cryptographic algorithms have three primary uses: encryption, key distribution and digital signatures.
thereby proving that the sender had access to the private key and, therefore, is
likely to be the person associated with the public key used.
Key distribution: This is a technique for the distribution of the public key and the
private keys among the users.
Digital signature
A Digital Signature is the result of encrypting the Hash of the data
to be exchanged.
A Hash (or Message Digest) is the process of mathematically
reducing a data stream down to a fixed length field.
The Hash uniquely represents the original data.
The probability of producing the same Hash with two sets of
different data is <.001%.
Signature Process is opposite to Encryption Process
Private Key is used to Sign (encrypt) Data
Public Key is used to verify (decrypt) Signature
[Figure: digital signature verification. Labels: Step 2, Step 3, Decrypt, Hash, Digital Signature, Public Key]
PKI layers
Registration Authority (RA) to identity proof users
Certificate authority
Registration authority
Enrolling, de-enrolling, and approving or rejecting requested
changes to the certificate attributes of subscribers.
Validating certificate applications.
Authorizing requests for key-pair or certificate generation and
requests for the recovery of backed-up keys.
Accepting and authorizing requests for certificate revocation or
suspension.
Physically distributing personal tokens to and recovering obsolete
tokens from people authorized to hold and use them.
Certificate policy is …
the basis for trust between unrelated entities
not a formal “contract” (but implied)
a framework that both informs and constrains a PKI
implementation
a statement of what a certificate means
a set of rules for certificate holders
a way of giving advice to Relying Parties