Security In Computing
Dept of Computer Science & Engg, VJCET
1.0 INTRODUCTION TO SECURITY

Security refers to any measures taken to protect something. Examples of security in the real world include locks on doors, alarms in our cars, and police officers. Computer security is a field of computer science concerned with the control of risks related to computer use. It describes the methods of protecting the integrity of data stored on a computer. In computer security the measures taken are focused on securing individual computer hosts.

Network security consists of the provisions made in an underlying computer network infrastructure, the policies adopted by the network administrator to protect the network and the network-accessible resources from unauthorized access, and the effectiveness (or lack) of these measures combined together. It starts from authenticating any user. Once authenticated, a firewall enforces access policies such as what services are allowed to be accessed by the network users. Even though it prevents unauthorized access, it may not stop harmful content such as computer worms being transmitted over the network. An intrusion prevention system (IPS) helps detect and prevent such malware.

1.1 Threats in Network Security

The following describe the general threats to the security of distributed systems.

Disclosure of information: Organizations maintain valuable information on their computer systems. This information may be used by other parties in such a way as to damage the interest of the organization owning the information. Therefore information stored on or processed by computer systems must be protected against disclosure both internal and external to the user organization.
Contamination of information: Valuable information may become worthless if unauthorized information is mixed with it. The damage may be as great as the damage through information disclosure.

Unauthorized use of resources: Unauthorized use of resources may lead to destruction, modification, loss of integrity etc. of resources, and thus the authorization of individual users will be limited.

Misuse of resources: Authorized use of resources may give authorized individuals the opportunity to perform activities that are harmful to the organization. Misuse of resources, intentional or accidental, may be harmful to the organization through corruption, destruction, disclosure, loss or removal of resources. Such misuse may affect the liability of an organization for information entrusted to it or for transactions and information exchanged with other organizations.

Unauthorized information flow: In a distributed system, information flow must be controlled not only between users of end-systems but also between end-systems. Depending on the prevailing security policy, information flow restrictions may be applied on the basis of classification of data objects and end-systems, user clearances, etc.

Repudiation of information flow: Repudiation of information flow involves denial of transmission or receipt of messages. Since such messages may carry purchasing agreements, instructions for payment etc., the scope for criminal repudiation of such messages is considerable.

Denial of service: Because of the wide range of services performed with the aid of computer systems, denial of service may significantly affect the capability of a user organisation to perform its functions and to fulfill its obligations. Detection and prevention of denial of service must be considered as part of any security policy.

1.2 SECURITY SERVICES

In order to protect against perceived threats, various security services need to be provided. The main security services are:

Authentication: Authentication is the process of proving the identity of a user of a system by means of a set of credentials. Credentials are the required proof needed by the system to validate the identity of the user. The user can be the actual customer, a process, or even another system. A person is validated through a credential. The identity is who the person is. If a person has been validated through a credential, such as attaching a name to a face, the name becomes a principal. An authentication service is concerned with assuring that a communication is authentic. In the case of a single message, such as a warning or alarm signal, the function of the authentication service is to assure the recipient that the message is from the source that it claims to be from. In the case of an ongoing interaction, such as the connection of a terminal to a host, two aspects are involved. First, at the time of connection initiation, the service assures that the two entities are authentic, that is, that each is the entity that it claims to be. Second, the service must assure that the connection is not interfered with in such a way that a third party can masquerade as one of the two legitimate parties for the purpose of unauthorized transmission or reception.

Authorization: The process by which a user is given access to a system resource is known as authorization. The authorization process is the check by the organization's system to see whether the user should be granted access to the user's record. The user has logged in to the system, but he still may not have the permission necessary from the system to access the records.
When deploying a system, access to system resources should also be mapped out. Security documents that detail the rights of individuals to specific resources must be developed. These documents must distinguish between the owners and the users of resources, as well as read, write, delete, and execute privileges.

Confidentiality: Confidentiality is the protection of transmitted data from passive attack. With respect to the release of message contents, several levels of protection can be identified. The broadest service protects all user data transmitted between two users over a period of time. Narrower forms of this service can also be defined, including the protection of a single message or even specific fields within a message. The other aspect of confidentiality is the protection of traffic flow from analysis. This requires the prevention of the attacker from observing the destination, frequency, length, or other characteristics of the traffic on a communications facility. When the information is in a protected form, it is called cipher text. Cipher text uses a cipher, which changes the plaintext into cipher text. The cipher requires keys to change the information from one form to the other.

Integrity: During the transmission or storage of data, information can be corrupted or changed, maliciously or otherwise, by a user. When data has integrity, it means that the data has not been modified or corrupted. Validation is the process of ensuring data integrity. One technique for ensuring data integrity is called data hashing. Integrity can apply to a stream of messages, a single message, or selected fields within a message. Again the most useful and straightforward approach is total stream protection. A connection-oriented integrity service, one that deals with a stream of messages, assures that messages are received as sent, with no duplication, insertion, modification, reordering or replay. The destruction of data is also covered under this service. Thus, the connection-oriented integrity service addresses both message stream modification and denial of service. On the other hand, a connectionless integrity service, one that deals with individual messages only without regard to any larger context, generally provides protection against message modification only.

Access Control: Access control is the ability to limit and control the access to host systems and application links. To achieve this control, each entity trying to gain access must first be identified, or authenticated. Access control is implemented according to a policy that defines methods for both authentication and authorization, and applies to a security domain. The goal of access control is to be able to specify and restrict access to subjects and resources to those users and processes which have the appropriate permission.

Availability: A variety of attacks can result in a form of reduction in availability. Some of these attacks are amenable to automated countermeasures, such as authentication and encryption, whereas others require some sort of physical action to prevent or recover from loss of availability of elements of a distributed system.

Non-repudiation: Non-repudiation prevents either sender or receiver from denying a transmitted message. Thus, when a message is sent, the receiver can prove that the message was in fact sent by the alleged sender. Similarly, when a message is received, the sender can prove that the message was in fact received by the alleged receiver. In other words, non-repudiation of origin proves that data has been sent, and non-repudiation of delivery proves that it has been received.
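The difference between the connectionless and the connection-oriented integrity service described above can be made concrete. The following Python example is added here and is not part of the notes; the frame layout (4-byte sequence number, payload, HMAC-SHA256 tag), the shared key and the function names are assumptions made for the illustration.

```python
import hashlib
import hmac

# Constructed shared key for the example only (an assumption, not from the notes).
KEY = b"example-shared-key"
TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def protect(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Sender side: frame = 4-byte sequence number || payload || HMAC-SHA256 tag.
    The tag covers the sequence number too, so it cannot be edited undetected."""
    header = seq.to_bytes(4, "big")
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_connectionless(frame: bytes, key: bytes = KEY):
    """Connectionless integrity service: each frame is checked on its own, so it
    detects modification (and forged insertions) only. A replayed or reordered
    frame still verifies, because there is no larger context to compare against."""
    if len(frame) < 4 + TAG_LEN:
        return (False, "truncated")
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return (False, "modified")
    return (True, body[4:])  # payload without the sequence header


class StreamVerifier:
    """Connection-oriented integrity service: frames must arrive as sent, with no
    duplication, insertion, modification, reordering or replay."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.expected_seq = 0  # the only sequence number accepted next

    def verify(self, frame: bytes):
        ok, result = verify_connectionless(frame, self.key)
        if not ok:
            return (False, result)        # truncated, modified or forged
        seq = int.from_bytes(frame[:4], "big")
        if seq < self.expected_seq:
            return (False, "replayed")    # duplicate of a frame already accepted
        if seq > self.expected_seq:
            return (False, "reordered")   # gap: a frame was delayed, reordered or suppressed
        self.expected_seq += 1
        return (True, result)


if __name__ == "__main__":
    # Constructed message stream for the demonstration.
    frames = [protect(i, m) for i, m in enumerate([b"pay 10", b"pay 20", b"pay 30"])]
    rx = StreamVerifier()
    print(rx.verify(frames[0]))                                  # (True, b'pay 10')
    print(rx.verify(frames[0]))                                  # (False, 'replayed')
    print(rx.verify(frames[2]))                                  # (False, 'reordered')
    print(rx.verify(frames[1][:4] + b"pay 99" + frames[1][-TAG_LEN:]))  # (False, 'modified')
    print(verify_connectionless(frames[0]))                      # (True, b'pay 10') even on replay
```

A shared-key MAC like this gives integrity but not non-repudiation, since either holder of the key could have produced the tag.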
1.3 SECURITY MECHANISM

A security mechanism is a mechanism that is designed to detect, prevent, or recover from a security attack. No single mechanism will support all required functions. Cryptography is one of the security mechanisms. Some of the common security mechanisms are:
• Encryption
• Digital padding
• Traffic padding
• Routing control
• Trusted functionality
• Security labels
• Access controls
• Event detection
• Audit trails

1.4 SECURITY ATTACKS

Any action that compromises the security of information is called a security attack. Some of the common security attacks are given below.
Ref: http://www.cse.ohio-state.edu/~anish/694KNotes/694Lecture0.ppt#473,9,Security Attacks

Attacks can be active or passive.

Passive Attacks
• Learn or make use of information from the system, but do not affect system resources.
• Intercept or read data without changing it.
• The goal of the opponent is to obtain information that is being transmitted.
• Two types of passive attacks are release of message contents and traffic analysis (countered by masking the content of a message, e.g. by encryption).
• Difficult to detect, because there is no alteration of data. Prevention is normally done using encryption.
• This type of attack has been perpetrated against communication systems ever since the invention of the electric telegraph.

Active Attacks
• Involve modification of the data stream or the creation of a false stream.
• The active threat is potentially far more serious.
• Use of encryption can protect against alteration of the data by arranging that the encrypted data is structured in such a way that meaningful alteration cannot take place without cryptanalysis.
• Subdivided into four categories: masquerade, replay, modification of messages, and denial of service.

Masquerade: One entity pretends to be a different entity. Authentication sequences can be captured and replayed after a valid authentication sequence takes place.

Replay: Passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.

Modification of messages: Some portion of a message is altered, or messages are delayed or reordered.

Denial of Service: Prevents normal use or management of communication facilities, e.g. suppressing all messages directed to a particular destination.

Other active attacks include:
• Flooding
• Jamming
• Routing attacks: false routes, configuration changes
• Trap doors, logic bombs etc.
• Remote arbitrary code execution via, e.g., worms and viruses

1.5 HACKERS AND CRACKERS

A hacker (also called a White Hat) is often someone who creates and modifies computer software and computer hardware, including computer programming, administration, and security-related items. A hacker obtains advanced knowledge of operating systems and programming languages. They may know the holes within systems and the reasons for such holes. Hackers constantly seek further knowledge, freely share what they have discovered, and never, ever intentionally damage data. A hacker is also someone who modifies electronics, e.g. ham radio transceivers, printers or even home sprinkler systems, to get extra functionality or performance.

For further reading:
http://en.wikipedia.org/wiki/Hacker
http://catb.org/~esr/faqs/hacker-howto.html

A cracker (also called a Black Hat) is a person who uses their skills with computers and other technological items in a malicious or criminal manner. Usually a Black Hat is a person who uses their knowledge of vulnerabilities and exploits for private gain, rather than revealing them either to the general public or the manufacturer for correction. He breaks into or otherwise violates the system integrity of remote machines, with malicious intent. Crackers, having gained unauthorized access, destroy vital data, deny legitimate users service, or basically cause problems for their targets, inviting further attacks.

For further reading:
http://en.wikipedia.org/wiki/Cracker_%28computing%29

1.6 COMMON INTRUSION TECHNIQUES

Virus

In computer security technology, a virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents. A computer virus behaves in a way similar to a biological virus, which spreads by inserting itself into living cells. Extending the analogy, the insertion of the virus into a program is termed infection, and the infected file (or executable code that is not part of a file) is called a host. Viruses are one of the several types of malware or malicious software.

A virus is a program that can copy itself and infect various parts of your computer, such as documents, programs, and parts of your operating system. Most viruses attach themselves to a file or part of your hard disk and then copy themselves to other places within the operating system. Usually, to avoid detection, a virus disguises itself as a legitimate program that a user would not normally suspect to be a virus. Viruses are designed to corrupt or delete data on the hard disk, i.e. on the FAT (File Allocation Table). Some viruses contain code that inflicts extra damage by deleting files or lowering your security settings. Computer viruses cannot directly damage hardware; only software is damaged directly. The software in the hardware, however, may be damaged. While some can be destructive, most just do annoying things, such as changing your word processing documents into templates or randomly placing a word such as "Wazoo" throughout a document. While these actions may not permanently damage data, they can hurt productivity.

TYPES OF VIRUSES

System or Boot Sector Virus: System sectors are special areas on the disk containing programs that are executed when we boot (start) the PC. Every disk (even if it only contains data) has a system sector of some sort. System sector viruses infect executable code found in certain system areas on a disk. There are boot-sector viruses, which infect only the DOS boot sector. All common boot sector and MBR viruses are memory resident. System sector viruses spread easily via floppy disk infections and, in some cases, by cross infecting files which then drop system sector viruses when run on clean computers. This kind of virus can prevent us from being able to boot the hard disk.

File or Program Virus: These viruses infect applications. These viruses usually infect COM and/or EXE programs, though some can infect any program for which execution or interpretation is requested, such as SYS, OVL, PRG, OBJ, MNU and BAT files. The simplest file viruses work by locating a type of file they know how to infect (usually a file name ending in .COM or .EXE) and overwriting part of the program they are infecting. When this program is executed, the virus code executes and infects more files. The more sophisticated file viruses save (rather than overwrite) the original instructions when they insert their code into the program. This allows them to execute the original program after the virus finishes so that everything appears normal. File viruses have a wide variety of infection techniques and infect a large number of file types, but are not the most widely found in the wild.

Macro Virus: These are the most common viruses striking computers today. A macro virus is a program or code segment written in the internal macro language of an application and attached to a document file (such as Word or Excel). It infects files you might think of as data files. But, because they contain macro programs, they can be infected. When a document or template containing the macro virus is opened in the target application, the virus runs, does its damage and copies itself into other documents. Continual use of the program results in the spread of the virus. Some macros replicate, while others infect documents. The reasons these viruses have become so widespread, and the reasons they are so troublesome, are twofold: they are easy to write, and they exist in programs created for sharing.

Stealth Viruses: These viruses are stealthy in nature and use various methods to hide themselves to avoid detection. They sometimes remove themselves from memory temporarily to avoid detection and hide from virus scanners. Some can also redirect the disk head to read another sector instead of the sector in which they reside. Some stealth viruses conceal the increase in the length of the infected file and display the original length by reducing the size by the same amount as that of the increase, so as to avoid detection by scanners.

Polymorphic Viruses: They are the most difficult viruses to detect. They have the ability to mutate, meaning that they change the viral code known as the signature (a signature is a characteristic byte-pattern that is part of a certain virus or family of viruses) each time they spread or infect. Thus, anti-viruses which look for specific virus codes are not able to detect such viruses. Just like regular encrypted viruses, a polymorphic virus infects files with an encrypted copy of itself, which is decoded by a decryption module. In the case of polymorphic viruses, however, this decryption module is also modified on each infection. A well-written polymorphic virus therefore has no parts that stay the same on each infection, making it impossible to detect directly using signatures.
Examples

Brain virus: The first computer virus for Microsoft DOS was apparently written in 1986 and contains unencrypted text with the name, address, and telephone number of Brain Computer Services, a store in Lahore, Pakistan. This virus infected the boot sector of 5¼ inch floppy diskettes with a 360 kbyte capacity.

Pathogen virus: In April 1994, the Pathogen computer virus was released in the United Kingdom, by uploading an infected file to a computer bulletin board, where victims could download a copy of the file. The Pathogen virus counted the number of executable (*.EXE and *.COM) files that it infected. When the virus had infected 32 files, and an infected file was executed between 17:00 and 18:00 on a Monday:

For further reading:
http://en.wikipedia.org/wiki/Computer_virus
http://www.webopedia.com/TERM/v/virus.html

Worm

A worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computer terminals on the network) and it may do so without any user intervention. A worm is self-contained and, unlike a virus, it does not need to be part of another program to propagate itself. Worms are often designed to exploit the file transmission capabilities found on many computers. In addition to replication, a worm may be designed to do any number of things, such as delete files on a host system or send documents via email. More recent worms may be multi-headed and carry other executables as a payload. However, even in the absence of such a payload, a worm can wreak havoc just with the network traffic generated by its reproduction. Worms always harm the network (if only by consuming bandwidth), whereas viruses always infect or corrupt files on a targeted computer.

For further reading:
http://en.wikipedia.org/wiki/Computer_worm
http://www.webopedia.com/TERM/w/worm.html

Trojan horse

A Trojan horse is a program that masquerades as another common program in an attempt to receive information. It is a harmless-looking program designed to trick you into thinking it is something you want, but which performs harmful acts when it runs. It is typically received through downloads from the Internet. Examples include various implementations of weather alerting programs, computer clock setting software, and peer to peer file sharing utilities. The basic difference from computer viruses is: a Trojan horse is technically a normal computer program and does not possess the means to spread itself. Originally Trojan horses were not designed to spread themselves. They relied on fooling people to allow the program to perform actions that they would otherwise not have voluntarily performed. Trojans of recent times also contain functions and strategies that enable their spreading. This moves them closer to the definition of computer viruses, and it becomes difficult to clearly distinguish such mixed programs between Trojan horses and viruses.

There are two common types of Trojan horses. One is otherwise useful software that has been corrupted by a cracker inserting malicious code that executes while the program is used. The other type is a standalone program that masquerades as something else, like a game or image file, in order to trick the user into some misdirected complicity that is needed to carry out the program's objectives. In practice, Trojan horses in the wild often contain spying functions or backdoor functions that allow a computer to be remotely controlled from the network, creating a zombie computer. Trojan horses do not spread by themselves like viruses and worms. Probably the most famous Trojan horse is a program called "Back Orifice", which is an unsubtle play on words on Microsoft's Back Office suite of programs for NT server. This program will allow anybody to have complete control over the computer or server it occupies.

For further reading:
http://www.webopedia.com/TERM/T/Trojan_horse.html

Logic Bomb

A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. A logic bomb occurs when the user of a computer takes an action that triggers the bomb. They are viruses having a delayed payload, which is sometimes called a bomb. For example, a virus might display a message on a specific day or wait until it has infected a certain number of hosts.

For further reading:
http://en.wikipedia.org/wiki/Logic_bomb
2.1 OS SECURITY

File systems often contain information that is highly valuable to their users. Protecting this information against unauthorized usage is therefore a major concern of all file systems. Various issues concerned with security and protection are given below:

2.1.1 The Security Environment

The terms Security and Protection are often used interchangeably. Security refers to the overall problem involved in preventing unauthorized reads or modifications, which includes technical, managerial, legal, and political issues. Protection refers to the specific operating system mechanisms used to safeguard information in the computer. The two important facets of security are Data Loss and Intruders.

Data loss is mainly caused by:
1. Acts of God (fires, floods, earthquakes)
2. Hardware or software errors (CPU malfunctions, unreadable disks or tapes, telecommunication errors, program bugs)
3. Human errors (incorrect data entry, wrong tape or disk mounted, wrong program run, lost disk or tape)

Intruders come in 2 varieties:
1. Passive intruders, who read files they are not authorized to read.
2. Active intruders, who make unauthorized changes to data.

Another aspect of the security problem is privacy: protecting individuals from misuse of information about them.

2.1.2 The Internet Worm

The greatest computer security violation began in the form of a worm program. A WORM is a self-replicating program that replicates itself in seconds on every machine it can gain access to.

2.1.3 Generic Security Attacks

Viruses: A VIRUS is a program fragment that is attached to a legitimate program with the intention of infecting other programs. It differs from a worm only in that a virus piggybacks on an existing program, whereas a worm is a complete program in itself. Viruses and worms both attempt to spread themselves and both can do severe damage. In addition to just infecting other programs, a virus can erase, modify, or encrypt files. It is also possible for a virus to infect the hard disk's boot sector, making it impossible to boot the computer. Viruses mostly occur on desktop systems. On larger systems other problems occur and other methods are needed for dealing with them. Virus problems are easier to prevent than to cure. The safest course is only to buy shrink-wrapped software from respectable stores and to avoid uploading free software from bulletin boards or getting pirated copies on floppy disk.

2.1.4 Design Principles for Security

Some general principles that can be used as a guide to designing secure systems have been identified by Saltzer and Schroeder. They are:
i. The system design should be public: Assuming that the intruder will not know how the system works serves only to delude the designers.
ii. The default should be no access: Errors in which legitimate access is refused will be reported much faster than errors in which unauthorized access is allowed.
iii. Check for current authority: Many systems check for permission when a file is opened, and not afterward. This means that a user who opens a file, and keeps it open for weeks, will continue to have access, even if the owner has long since changed the file protection.
iv. Give each process the least privilege possible: If an editor has only the access to the file to be edited, editors with Trojan horses will not be able to do much damage.
v. The protection mechanism should be simple, uniform and built in to the lowest layers of the system: Trying to retrofit security to an existing insecure system is nearly impossible. Security is not an add-on feature.
vi. The scheme chosen must be psychologically acceptable: If users feel that protecting their files is too much work, they just will not do it.

2.1.5 User Authentication

The problem of identifying users when they log in is called user authentication. Most authentication methods are based on identifying something the user knows, something the user has, or something the user is.

Passwords: The most widely used form of authentication is to require the user to type a password. Password protection is easy to implement and easy to understand. Password protection is also easy to defeat. Guessing a valid user name and password combination is how virtually all break-ins happen. Some computers require users to change their passwords regularly, to limit the damage done if a password leaks out. The most extreme form of this approach is the One-Time Password. When one-time passwords are used, the user gets a book containing a list of passwords. Each login uses the next password in the list. If an intruder ever discovers a password, it won't be of any good, since next time a different password must be used. It is suggested that the user try to avoid losing the password book. Another variation is Challenge-Response. When this is used, the user picks an algorithm when signing up as a user, for example 2x. When the user logs in, the computer types an argument, say 7, in which case the user types 14. The algorithm can be different on different days of the week, at different times, from different terminals, and so on.

Physical Identification: This approach checks whether the user has some item, normally a plastic card with a magnetic stripe on it. The card is inserted into the terminal, which then checks to see whose card it is. This method can be combined with a password, so a user can only log in if he has the card and knows the password. Automated cash-dispensing machines usually work this way. Measuring physical characteristics that are hard to forge is another method. For example, a fingerprint or a voiceprint reader in the terminal could establish the user's identity. Another technique is Signature Analysis, where the user signs his name with a special pen connected to the terminal, and the computer compares it to a known specimen stored on line. A good forger may be able to copy the signature, but will not have a clue as to the exact order in which the strokes were made. Even better is not to compare the signature, but to compare the pen motions while writing it. In Finger Length Analysis, each terminal has a palm-shaped device. The user inserts his hand into it, and the length of all his fingers is measured and checked against the database.

2.2 PROTECTION MECHANISMS

Some of the detailed technical ways that are used in operating systems to protect files and other things are discussed here. All these techniques clearly distinguish between policy and mechanism. POLICY involves whose data are to be protected from whom, and MECHANISM involves how the system enforces the policy.
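The one-time password book and the challenge-response login described above, as an added Python example (not from the notes); the server-side classes, the hashing of the stored book and the use of a random argument per login are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets


def _digest(secret: str) -> bytes:
    """Hash a password so the server never stores the password book in clear."""
    return hashlib.sha256(secret.encode("utf-8")).digest()


class OneTimePasswordBook:
    """Server side of the one-time password scheme: the user holds a printed list,
    the server holds only hashes, and each entry is valid exactly once, in order.
    (Assumed design for illustration, not from the notes.)"""

    def __init__(self, passwords):
        self._hashes = [_digest(p) for p in passwords]
        self._next = 0  # index of the entry expected at the next login

    def remaining(self) -> int:
        return len(self._hashes) - self._next

    def login(self, attempt: str) -> bool:
        if self._next >= len(self._hashes):
            return False  # book exhausted: a new book must be issued
        if not hmac.compare_digest(_digest(attempt), self._hashes[self._next]):
            return False  # wrong password: the current entry stays valid
        self._next += 1   # consumed: a captured copy of it is now useless
        return True


class ChallengeResponse:
    """Server side of the challenge-response scheme: the user chose an algorithm at
    sign-up (e.g. f(x) = 2x as in the notes); the server issues a fresh random
    argument for every login and accepts only f(argument)."""

    def __init__(self, algorithm):
        self._f = algorithm
        self._pending = None  # the argument issued for the login in progress

    def challenge(self) -> int:
        self._pending = secrets.randbelow(10_000)
        return self._pending

    def respond(self, answer: int) -> bool:
        if self._pending is None:
            return False  # no login in progress
        expected = self._f(self._pending)
        self._pending = None  # each argument is single-use, so a replayed answer fails
        return answer == expected


if __name__ == "__main__":
    # Constructed password book for the demonstration.
    book = OneTimePasswordBook(["ember-42", "glade-17", "quartz-9"])
    print(book.login("ember-42"), book.login("ember-42"))  # True False
    cr = ChallengeResponse(lambda x: 2 * x)
    arg = cr.challenge()
    print(cr.respond(2 * arg), cr.respond(2 * arg))        # True False
```

The 2x algorithm from the notes is only illustrative: one observed (argument, answer) pair reveals it, so a real deployment uses a keyed function instead.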
2.2.1 Protection Domains

A computer system contains many OBJECTS that need to be protected. These objects can be hardware, such as CPUs, memory segments, terminals, disk drives or printers, or they can be software, such as processes, files, data bases, or semaphores. Each object has a unique name by which it is referenced and a set of operations that can be carried out on it. READ and WRITE are operations appropriate to a file; UP and DOWN make sense on a semaphore. A protection mechanism is a way used to prohibit processes from accessing objects that they are not authorized to access. This mechanism should also restrict processes to a subset of the legal operations when that is needed. For example, process A may be entitled to read, but not write, file F.

A DOMAIN is a set of (object, rights) pairs. Each pair specifies an object and some subset of the operations that can be performed on it. A RIGHT here means permission to perform one of the operations.

Fig 2.1: Three Protection Domains.
Domain 1: File1[R], File2[RW]
Domain 2: File3[R], File4[RWX], File5[RW], Printer1[W]
Domain 3: File6[RWX], Printer1[W], Plotter2[W]

The above figure depicts 3 domains, showing the objects in each domain and the rights [Read, Write, eXecute] available on each object. It is also possible for the same object to be in multiple domains, with different rights in each domain. Printer1 is in 2 domains at the same time. At every instant of time, each process runs in some protection domain. In other words, there is some collection of objects it can access, and for each object it has some set of rights. Processes can also switch from domain to domain during execution. The rules for domain switching are highly system dependent.

Example: In UNIX, the domain of a process is defined by its uid and gid. Given any (uid, gid) combination, it is possible to make a complete list of objects (files, including I/O devices represented by special files, etc.) that can be accessed, and whether they can be accessed for reading, writing, or executing. 2 processes with the same (uid, gid) combination will have access to exactly the same set of objects. Processes with different (uid, gid) values will have access to a different set of files, although there will be considerable overlap in most cases. Each process in UNIX has 2 halves: the USER part and the KERNEL part. When the process does a system call, it switches from the user part to the kernel part. The kernel part has access to a different set of objects from the user part. For example, the kernel can access all the pages in physical memory, the entire disk, and all the other protected resources. Thus, a system call causes a domain switch.

Protection Matrix: This is used to know how the system keeps track of which object belongs to which domain. Imagine a large matrix, with the rows being the domains and the columns being the objects. Each box lists the rights, if any, that the domain contains for the object. The matrix for the first figure (3 protection domains) is shown below:
Domain switching itself can be easily included in the matrix model by realizing that a domain is itself an object. Given this matrix and the current domain number.2: A Protection Matrix. Write Write Write
. The figure below shows the matrix of the above figure again. the system can tell if an access to given object in a particular way from a specified domain is allowed. Processes in domain 1 can switch to domain 2. but once there. they cannot go back. VJCET
File 1 1 Read
File 2 Read Write
Printer 1 Plotter 2
Read 2 Read Write Execute 3 Read Write Read Write Execut e Fig 2. with the operation ENTERS. only now with the three domains as objects themselves.Security In Computing
Dept of Computer Science & Engg.
have the files open). W W W
.Security In Computing
Dept of Computer Science & Engg. The only problem is that changing the ACL will probably not affect any users who are currently using the object (e. This list is called the Access Control List or ACL..3: A protection matrix with domains as objects. As only the nonempty entries of the matrix are stored. and then storing only the nonempty elements. 2 methods used practically are storing the matrix by rows or by columns. empty matrix is a waste of disk space. Storing very large and sparse matrices are rarely done in practice. Most domains have no access at all to most objects. thus making it easy to prohibit accesses that were previously allowed. The owner of an object can change its ACL at any time. so storing a big.g. the total storage required for all the ACLs combined is much less than would be needed for the whole matrix. VJCET
Printe r 1
Enter 1 R R W R 2 R W X 3 R W R W X Fig 2. Storing by columns: It consists of associating with each object an (ordered) list containing all the domains that may access the object.
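The matrix of Fig 2.3, with the domains as objects and the Enter right for domain switching, is small enough to work through in code. The following is an added example written for these notes, not code from the notes or from any operating system: it stores only the nonempty boxes, answers the kernel's "is this access allowed from this domain" question, lets a process ENTER another domain exactly where the matrix permits it, and derives both sparse storings, ACLs (by column) and capability lists (by row), from the same data. Domain, file and printer names follow the figures; the Process class and the helper names are this example's own.

```python
from collections import defaultdict

# Fig 2.3 as a sparse mapping (domain, object) -> set of rights. Empty boxes
# are simply absent, which is what "storing only the nonempty elements" means.
# Names follow the figures above; the row for Domain3 is the Domain 3 row of
# Fig 2.2.
MATRIX = {
    ("Domain1", "File1"):    {"Read"},
    ("Domain1", "File2"):    {"Read", "Write"},
    ("Domain1", "Domain2"):  {"Enter"},   # the domain-switch right of Fig 2.3
    ("Domain2", "File3"):    {"Read"},
    ("Domain2", "File4"):    {"Read", "Write", "Execute"},
    ("Domain2", "File5"):    {"Read", "Write"},
    ("Domain2", "Printer1"): {"Write"},
    ("Domain3", "File6"):    {"Read", "Write", "Execute"},
    ("Domain3", "Plotter2"): {"Write"},
    ("Domain3", "Printer1"): {"Write"},
}


def allowed(matrix, domain, obj, right):
    """The kernel's check: is `right` on `obj` in the current domain's row?"""
    return right in matrix.get((domain, obj), set())


def by_columns(matrix):
    """Store by columns: one ACL per object, listing domains and their rights."""
    acls = defaultdict(dict)
    for (domain, obj), rights in matrix.items():
        acls[obj][domain] = set(rights)
    return dict(acls)


def by_rows(matrix):
    """Store by rows: one capability list per domain."""
    clists = defaultdict(dict)
    for (domain, obj), rights in matrix.items():
        clists[domain][obj] = set(rights)
    return dict(clists)


def storage_ratio(matrix):
    """Boxes actually stored vs. boxes a full matrix would need.
    Domains count as objects too, as in Fig 2.3."""
    domains = {d for d, _ in matrix}
    objects = {o for _, o in matrix} | domains
    return len(matrix), len(domains) * len(objects)


class Process:
    """A process runs in one domain at a time; ENTER moves it to another."""

    def __init__(self, matrix, domain):
        self.matrix = matrix
        self.domain = domain

    def access(self, obj, right):
        return allowed(self.matrix, self.domain, obj, right)

    def enter(self, target):
        if not self.access(target, "Enter"):
            raise PermissionError(f"{self.domain} may not enter {target}")
        self.domain = target
        return self.domain


if __name__ == "__main__":
    p = Process(MATRIX, "Domain1")
    print(p.access("File2", "Write"))       # True
    print(p.access("Printer1", "Write"))    # False: not in domain 1's row
    p.enter("Domain2")                      # the Enter right of Fig 2.3
    print(p.access("Printer1", "Write"))    # True once in domain 2
    print(p.access("Domain1", "Enter"))     # False: no way back
    print(by_columns(MATRIX)["Printer1"])   # the ACL of Printer1
    print(storage_ratio(MATRIX))            # (10, 33)
```

Note that `by_columns` and `by_rows` are two views of one matrix: Printer1's ACL lists Domain2 and Domain3 with Write, and Domain1's capability list holds File1, File2 and the Enter capability for Domain2. The ratio 10 stored boxes against 33 in the full 3 by 11 matrix is the point made above about sparse storage.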
Storing by rows: It is the slicing up of the matrix by rows. Here, associated with each process is a list of objects that may be accessed, along with an indication of which operations are permitted on each (its domain). This list is called a Capability List or C-list, and the individual items on it are called Capabilities. A typical capability list (the one for domain 2 of Fig 2.1) is shown below:

    Slot  Type     Rights  Object
    0     File     R--     Pointer to File3
    1     File     RWX     Pointer to File4
    2     File     RW-     Pointer to File5
    3     Printer  --W     Pointer to Printer1

Each capability has a:
Type field ------> specifies what kind of object it is.
Rights field-----> which is a bit map indicating which of the legal operations on this type of object are permitted.
Object field-----> which is a pointer to the object itself.
Capabilities are often referred to by their position in the capability list. C-lists are themselves objects, and may be pointed to from other C-lists, thus facilitating sharing of subdomains.

C-lists must be protected from user tampering. 3 methods have been proposed to protect them:
1. The first way requires a tagged architecture, a hardware design in which each memory word has an extra (or tag) bit that tells whether the word contains a capability or not. The tag bit is not used by arithmetic, comparison, or similar ordinary instructions, and it can be modified only by programs running in kernel mode (i.e. the operating system).
2. The second way is to keep the C-list inside the operating system; processes refer to capabilities by their slot number.
3. The third way is to keep the C-list in user space, but encrypt each capability with a secret key unknown to the user. This approach is particularly suited to distributed systems.

In addition to the specific object-dependent rights, such as read and execute, capabilities usually have generic rights which are applicable to all objects. Examples of generic rights are:
a. COPY CAPABILITY: create a new capability for the same object.
b. COPY OBJECT: create a duplicate object with a new capability.
c. REMOVE CAPABILITY: delete an entry from the C-list, object unaffected.
d. DESTROY OBJECT: permanently remove an object and a capability.

Many capability systems are organized as a collection of modules, with type manager modules for each type of object. Requests to perform operations on a file are sent to the file manager, whereas requests to do something with a mailbox go to the mailbox manager. These requests are accompanied by the relevant capability. A problem arises here, because the type manager module is, after all, just an ordinary program. The owner of a file capability can perform only some of the operations on the file, such as read and execute, but cannot get at its internal representation. It is necessary that the type manager module be able to do more with the capability than an ordinary process. Hydra solved this problem by a technique called rights amplification, in which type managers were given a rights template that gave them more rights to an object than the capability itself allowed.

In capability systems, revoking access to an object is quite difficult. It is hard for the system to find all the outstanding capabilities for any object to take them back, since they may be stored in C-lists all over the disk. One approach is to have each capability point to an indirect object, rather than to the object itself. By having the indirect object point to the real object, the system can always break that connection, thus invalidating the capabilities. (When a capability to the indirect object is later presented to the system, the user will discover that the indirect object is now pointing to a null object.)

Amoeba uses another scheme to achieve revocation. Each object contains a long random number, which is also present in the capability. When a capability is presented for use, the two are compared. Only if they agree is the operation allowed. The owner of an object can request that the random number in the object be changed, thus invalidating existing capabilities. Neither scheme allows selective revocation, that is, taking back only one user's permission, but nobody else's.

2.2.2 Protection Models
Protection matrices are not static. They frequently change as new objects are created, old objects are destroyed, and owners decide to increase or restrict the set of users for their objects. There are 6 primitive operations on the protection matrix that can be used as a base to model any protection system. These operations are: CREATE OBJECT, DELETE OBJECT, CREATE DOMAIN, DELETE DOMAIN, INSERT RIGHT, and REMOVE RIGHT. The 2 latter primitives insert and remove rights from specific matrix elements. These 6 primitives can be combined into protection commands. User programs execute these protection commands to change the matrix. They may not execute the primitives directly.

At any instant, the matrix determines what a process in any domain can do, not what it is authorized to do. The matrix is what is enforced by the system; authorization has to do with management policy.
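The two revocation schemes just described, and the generic rights listed before them, are easiest to compare side by side. What follows is an added example written for these notes, not code from the notes, from Hydra or from Amoeba: a capability carries the Type, Rights and Object fields, the Object field points to an indirect object rather than the real one, and each object also carries an Amoeba-style random check number that is copied into every capability. Revoking through either scheme invalidates every outstanding capability at once, which is the "no selective revocation" point made above. The class and function names are this example's own.

```python
import secrets


class Indirect:
    """Indirect object: capabilities point here, never at the real object."""

    def __init__(self, target):
        self.target = target


class Obj:
    """A protected object carrying an Amoeba-style random check number."""

    def __init__(self, kind, data=""):
        self.kind, self.data, self.alive = kind, data, True
        self.check = secrets.randbits(64)
        self.indirect = Indirect(self)   # shared by every capability to it


class Capability:
    def __init__(self, kind, rights, ref, check):
        self.kind = kind                  # Type field
        self.rights = frozenset(rights)   # Rights field
        self.ref = ref                    # Object field: the Indirect
        self.check = check                # copy of the object's random number


def resolve(cap):
    """Kernel-side validation each time a capability is presented."""
    obj = cap.ref.target
    if obj is None or not obj.alive:
        raise PermissionError("null object: capability has been revoked")
    if obj.check != cap.check:
        raise PermissionError("check number mismatch: capability revoked")
    return obj


def grant(clist, obj, rights):
    """Owner hands out a capability; returns its slot number."""
    clist.append(Capability(obj.kind, rights, obj.indirect, obj.check))
    return len(clist) - 1


def read(clist, slot):
    cap = clist[slot]
    obj = resolve(cap)
    if "Read" not in cap.rights:
        raise PermissionError("Read not permitted by this capability")
    return obj.data


def try_read(clist, slot):
    """read(), with failure reported as None instead of an exception."""
    try:
        return read(clist, slot)
    except PermissionError:
        return None


# The generic rights.
def copy_capability(src, slot, dst, rights=None):
    """COPY CAPABILITY: same object, same link; rights can only be narrowed."""
    cap = src[slot]
    keep = cap.rights if rights is None else cap.rights & frozenset(rights)
    dst.append(Capability(cap.kind, keep, cap.ref, cap.check))
    return len(dst) - 1


def copy_object(clist, slot):
    """COPY OBJECT: a duplicate object reached through a new capability."""
    cap = clist[slot]
    obj = resolve(cap)
    return grant(clist, Obj(obj.kind, obj.data), cap.rights)


def remove_capability(clist, slot):
    """REMOVE CAPABILITY: drop the entry; the object itself is unaffected."""
    clist[slot] = None


def destroy_object(clist, slot):
    """DESTROY OBJECT: the object and this capability both go away."""
    resolve(clist[slot]).alive = False
    clist[slot] = None


# Revocation: both schemes hit every outstanding capability at once.
def revoke_via_indirect(obj):
    """Break the indirect link, then start a fresh one for later grants."""
    obj.indirect.target = None
    obj.indirect = Indirect(obj)


def revoke_amoeba(obj):
    """Replace the random number so no old capability matches any more."""
    new = secrets.randbits(64)
    while new == obj.check:
        new = secrets.randbits(64)
    obj.check = new
```

A run of the scheme: grant Alice a Read/Write capability, copy it to Bob's C-list narrowed to Read, and both can read; after `revoke_amoeba` (or `revoke_via_indirect`) neither can, and the owner has to grant fresh capabilities to whoever should keep access. `copy_object` followed by `destroy_object` on the original shows the other half of the story from the generic rights: the duplicate is a separate object and survives.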
The set of all possible matrices can be partitioned into 2 disjoint sets: a. the set of all authorized states, and b. the set of all unauthorized states. Consider the simple system below, where domains correspond to users.

Fig: (a) An authorized state.
    Objects   Compiler      Mailbox7    Secret
    Eric      Read Execute
    Henry     Read Execute  Read Write
    Robert    Read Execute              Read Write

Fig: (b) An unauthorized state.
    Objects   Compiler      Mailbox7    Secret
    Eric      Read Execute
    Henry     Read Execute  Read Write
    Robert    Read Execute  Read        Read Write

In figure (a) the intended protection policy is seen: Henry can read and write mailbox7, Robert can read and write secret, and all 3 can read and execute compiler. If Robert found a way to issue commands and have the matrix changed to figure (b), then he can access mailbox7, something he is not authorized to have. If he tries to read it, the operating system will carry out his request because it does not know that the state is an unauthorized one.

As an example of such a policy, consider objects and processes that carry classification levels (confidential, secret, top secret). The security policy enforced by the protection commands has 2 rules:
1. No process may read any object whose level is higher than its own, but it may freely read objects at a lower level or at its own level.
2. No process may write information into any object whose level is lower than its own.
A secret process may read confidential objects, but not top secret ones. A secret process may write in a top secret file but not in a confidential one.
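The six primitives, the protection commands built on them, and the two level rules above fit together in a short model. The following is an added example written for these notes, not code from the notes or from any real system: the matrix class exposes the six primitives, user-level protection commands are the only thing that calls them, and a separate policy predicate decides whether the resulting state is authorized under rule 1 (no read up) and rule 2 (no write down). As the text says, the matrix itself happily carries out a command that leads into an unauthorized state; only the policy check notices. Domain and object names in `demo()` are constructed for the example.

```python
# Classification levels from the two rules above.
LEVELS = {"confidential": 0, "secret": 1, "top secret": 2}


class ProtectionMatrix:
    """Sparse protection matrix: rights[(domain, obj)] -> set of rights."""

    def __init__(self):
        self.domains = set()
        self.objects = set()
        self.rights = {}

    # The six primitives. Only protection commands (below) call them.
    def create_object(self, obj):
        self.objects.add(obj)

    def delete_object(self, obj):
        self.objects.discard(obj)
        for key in [k for k in self.rights if k[1] == obj]:
            del self.rights[key]

    def create_domain(self, dom):
        self.domains.add(dom)

    def delete_domain(self, dom):
        self.domains.discard(dom)
        for key in [k for k in self.rights if k[0] == dom]:
            del self.rights[key]

    def insert_right(self, dom, obj, right):
        if dom not in self.domains or obj not in self.objects:
            raise KeyError((dom, obj))
        self.rights.setdefault((dom, obj), set()).add(right)

    def remove_right(self, dom, obj, right):
        self.rights.get((dom, obj), set()).discard(right)

    def has(self, dom, obj, right):
        return right in self.rights.get((dom, obj), set())


# Protection commands: what user programs may actually execute. Each is a
# fixed combination of primitives guarded by its own precondition.
def cmd_create_file(m, caller, name):
    """Create an object owned by the caller, who gets Read, Write and Owner."""
    m.create_object(name)
    for right in ("Read", "Write", "Owner"):
        m.insert_right(caller, name, right)


def cmd_confer(m, caller, target, name, right):
    """Only the owner may hand a right on `name` to another domain."""
    if not m.has(caller, name, "Owner"):
        raise PermissionError(f"{caller} does not own {name}")
    m.insert_right(target, name, right)


def cmd_withdraw(m, caller, target, name, right):
    if not m.has(caller, name, "Owner"):
        raise PermissionError(f"{caller} does not own {name}")
    m.remove_right(target, name, right)


# Policy: the two multilevel rules. The matrix does not know them; the
# kernel executes commands that lead into an unauthorized state regardless.
def violations(m, level):
    """Every (domain, obj, right) box that breaks rule 1 or rule 2."""
    bad = []
    for (dom, obj), rights in sorted(m.rights.items()):
        if "Read" in rights and LEVELS[level[obj]] > LEVELS[level[dom]]:
            bad.append((dom, obj, "Read"))      # rule 1: no read up
        if "Write" in rights and LEVELS[level[obj]] < LEVELS[level[dom]]:
            bad.append((dom, obj, "Write"))     # rule 2: no write down
    return bad


def is_authorized(m, level):
    return not violations(m, level)


def demo():
    """Constructed scenario: two domains, one file at each domain's level."""
    m = ProtectionMatrix()
    level = {"alice": "top secret", "bob": "secret",
             "plans": "top secret", "notes": "confidential"}
    m.create_domain("alice")
    m.create_domain("bob")
    cmd_create_file(m, "alice", "plans")   # alice: R/W at her own level
    cmd_create_file(m, "bob", "notes")     # bob writes down: rule 2 broken
    cmd_confer(m, "alice", "bob", "plans", "Write")   # writing up is fine
    cmd_confer(m, "alice", "bob", "plans", "Read")    # bob reads up: rule 1
    return m, level


if __name__ == "__main__":
    matrix, level = demo()
    print(is_authorized(matrix, level))   # False
    print(violations(matrix, level))      # [('bob', 'notes', 'Write'), ('bob', 'plans', 'Read')]
```

Withdrawing bob's Read on plans removes the rule 1 violation; the rule 2 violation on notes stays until that object is deleted or bob's Write on it is removed, which is the kind of state-by-state reasoning the authorized/unauthorized partition is about.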
2.2.3 Covert Channels
Building formal models for protection systems is largely futile. Even in a system that has been rigorously proven to be absolutely secure, leaking information between processes that in theory cannot communicate at all is relatively straightforward. Lampson proposed a model which involves 3 processes, and is primarily applicable to large time sharing systems. The first process is a Client, which wants some work performed by the second one, the Server. The client and the server do not entirely trust each other. The third process is the Collaborator, which is conspiring with the server to indeed steal the client's confidential data. The collaborator and server are typically owned by the same person. These 3 processes are shown in the figure below:

[Figure: the client, server and collaborator processes running above the kernel, and the encapsulated server, which can still reach the collaborator through a covert channel.]

The object here is to design a system in which it is impossible for the server to leak to the collaborator the information that it has legitimately received from the client. Lampson called this the confinement problem. From the system designer's point of view, the goal is to encapsulate or confine the server in such a way that it cannot communicate with the collaborator by writing into a file to which the collaborator has read access. It is also necessary to ensure that the server cannot communicate with the collaborator by using the system's inter-process communication mechanism. But more subtle communication channels may be available. For example, the server can try to communicate a binary bit stream as follows. To send a 1 bit, it computes as hard as it can for a fixed interval of time. To send a 0 bit, it goes to sleep for the same length of time. The collaborator can try to detect the bit stream by carefully monitoring its response time. In general, it will get better response time when the server is sending a 1. This communication channel is known as a covert channel.

The covert channel is a noisy channel, containing a lot of extraneous information. But information can be reliably sent over a noisy channel by using an error-correcting code (e.g. a Hamming code). The use of an error-correcting code reduces the already low bandwidth of the covert channel even more, but it still may be enough to leak substantial information.

Modulating the CPU usage is not the only covert channel. The paging rate can also be modulated (many page faults for a 1, no page faults for a 0). Almost any way of degrading system performance in a clocked way is a candidate. If the system provides a way of locking files, then the server can lock some file to indicate a 1, and unlock it to indicate a 0. It may be possible to detect the status of a lock even on a file that cannot be accessed. Acquiring and releasing dedicated resources (tape drives, plotters, etc.) can also be used for signaling. The server acquires the resource to send a 1 and releases it to send a 0. No protection model based on a matrix of objects and domains can prevent this kind of leakage. In general, even finding all the covert channels, let alone blocking them, is extremely difficult.

2.3 DAC (Discretionary Access Control)
One of the features of the Criteria that are required of a secure system is the enforcement of discretionary access control (DAC). DAC is a means of restricting access to objects based on the identity of subjects and/or groups to which they belong.

Discretionary security differs from mandatory security in that it implements the access control decisions of the user. Mandatory controls are driven by the results of a comparison between the user's trust level or clearance and the sensitivity designation of the information. Discretionary controls are not a replacement for mandatory controls. In any environment in which information is protected, discretionary security provides for a finer granularity of control within the overall constraints of the mandatory policy. Both discretionary and mandatory controls can be used to implement an access control policy to handle multiple categories or types of information, such as proprietary, financial, personnel or classified information. Such information can be assigned different sensitivity designations and those designations enforced by the mandatory controls. Discretionary controls can give a user the discretion to specify the types of access other users may have to information under the user's control, consistent with the overriding mandatory policy restrictions.

The discretionary security control objective is: Security policies defined for systems that are used to process classified or other sensitive information must include provisions for the enforcement of discretionary access control rules. That is, they must include a consistent set of rules for controlling and limiting access based on identified users who have been determined to have need-to-know for the information. In a classified environment, no person may have access to classified information unless: (a) that person has been determined to be trustworthy, i.e. granted a personnel security clearance (MANDATORY), and (b) access is necessary for the performance of official duties, i.e. determined to have need-to-know (DISCRETIONARY).

Discretionary control is the most common type of access control mechanism implemented in computer systems today. The basis of this kind of security is that an individual user, or program operating on the user's behalf, is allowed to specify explicitly the types of access other users (or programs executing on their behalf) may have to information under the user's control. The controls are discretionary in the sense that a user or process given discretionary access to information is capable of passing that information along to another subject.

DEFINITIONS
Discretionary Access Control (DAC) - The Criteria defines discretionary access control as: "A means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject." DAC controls are used to restrict a user's access to protected objects on the system. The user may also be restricted to a subset of the possible access types available for those protected objects. Access types are the operations a user may perform on a particular object (e.g. read, write, execute). On most systems, for each object, a particular user or set of users has the authority to distribute and revoke access to that object. Users may grant or rescind access to the objects they control based on "need to know" or "whom do I like" or other rules.

DAC mechanisms control access based entirely on the identities of users and objects. This concept is relatively straightforward in that the access control matrix contains the names of users on the rows and the names of objects on the columns. Regardless of how the matrix is represented in memory, whether by rows or by columns, the names of the users and objects must be used in the representation. For example, in a row-based representation an entry might read the equivalent of "KIM can access KIMSFILE and DONSFILE". In a column-based representation, one might find the equivalent of "DONSFILE can be accessed by DON, JOE and KIM". The identity of the users and objects is the key to discretionary access control.

AN INHERENT DEFICIENCY IN DISCRETIONARY ACCESS CONTROL
A FUNDAMENTAL FLAW IN DISCRETIONARY ACCESS CONTROL
Discretionary access control mechanisms restrict access to objects based solely on the identity of subjects who are trying to access them. This basic principle of discretionary access control contains a fundamental flaw that makes it vulnerable to Trojan horses. On most systems, any program which runs on behalf of a user inherits the DAC access rights of that user.
AN EXAMPLE OF A TROJAN HORSE
An example of the workings of a Trojan horse will illustrate how most DAC mechanisms are vulnerable. Consider a system where an access control list mechanism is used to implement discretionary access control. There are two users on this particular system: an honest user, DOE, and a dishonest user, DRAKE. Doe has a data file which contains highly sensitive data; this file is known as DOESFILE. He has diligently set the ACL to allow only himself to read the file. No other users are authorized to access the file. Doe is confident that no one but himself will be able to access his data file.

Drake is determined to gain access to DOESFILE. He has legitimate access to the system which allows him to implement a useful utility program. In this utility Drake embeds a covert function to read DOESFILE and copy the contents into a file in Drake's address space called DRAKESFILE. DRAKESFILE has an ACL associated with it that allows processes executing on Doe's behalf to write to it, while allowing Drake's processes to read it. Drake induces Doe to execute his utility program by telling him how useful and efficient it is. Drake is careful not to tell Doe about the covert function (Trojan horse) that is resident in the utility program. Doe executes the corrupted program and it appears to perform perfectly. However, while it is operating on Doe's behalf, it assumes his identity and thus his access rights to DOESFILE. At this time it copies the contents of DOESFILE to DRAKESFILE. This copying takes place completely within the constraints of the DAC mechanism, and Doe is unaware of what is happening.

This example should make clear the danger of Trojan horse attacks and the inadequacy of most DAC mechanisms to protect against such attacks. It should be noted that an elaborate DAC mechanism may provide illusory security to users who are unaware of its vulnerability to Trojan horse attacks, especially if the system has a high EPL rating. Configuration management, testing, and trusted distribution should ensure that software produced by the computer system manufacturer does not contain Trojan horses. However, software from other sources does not come with these assurances. In very high threat environments, it is wise to assume that unevaluated software does contain Trojan horses. This assumption dictates that discretionary access control not be used as the sole protection mechanism in high threat environments.

A reference monitor which implements a mandatory security policy which includes the *-property would provide robust protection against Trojan horse attacks. The mandatory access control implementation would prevent the Trojan horse from disclosing the information to a user who is not permitted access to the information under the mandatory access rules. As before, Drake's Trojan horse program is executed by DOE. The computer system implements a mandatory security policy with two hierarchical sensitivity levels. For the sake of simplicity, the levels are called sensitive and non-sensitive. DOE operates at the sensitive level, and DOESFILE is sensitive. DRAKE is not authorized to access sensitive data, so he operates at the non-sensitive level. DRAKE is only allowed to read non-sensitive files, so DRAKESFILE is non-sensitive. The program takes on the sensitivity level and the identity of DOE. The program reads DOESFILE. However, when the Trojan horse tries to write the sensitive data to DRAKESFILE, the reference monitor disallows the operation. Since the Trojan horse is now executing at the sensitive level, the program cannot be allowed to write to a non-sensitive file. That would be a violation of the *-property.

The Trojan horse threat can be reduced in systems that implement many domains or dynamic small domains for each process. In most systems today, with only user and supervisor domains, all of the user's objects are available to a process running on that user's behalf. If domains were created dynamically for each process, with only the necessary objects available in that domain (implementing the least privilege principle), then a Trojan horse would be limited to accessing only those objects within the domain.

AN OVERVIEW OF DAC MECHANISMS
Implementing a complete DAC system requires retaining the information that is represented by the access control matrix model in some form. An access control matrix has users represented on the rows and protected objects on the columns. The entries in the matrix describe what type of access each user has to each object. Current operating systems have attempted to represent that information using five basic mechanisms:
1. Capabilities
2. Profiles
3. Access Control Lists (ACLs)
4. Protection Bits
5. Passwords
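The DOE/DRAKE story above can be run twice, once under a pure ACL reference monitor and once with the mandatory policy layered on top, to see exactly where the *-property stops the copy. The following is an added example written for this section, not code from the guide: `DACMonitor` consults only the ACL, `MACMonitor` adds "no read up" for reads and the *-property ("no write down") for writes, and `drakes_utility` is the utility program with its covert function, which runs with the identity and level of whoever invokes it. File names and ACLs are those of the example; the file content string is constructed.

```python
LEVEL = {"non-sensitive": 0, "sensitive": 1}


class File:
    def __init__(self, name, acl, level, content=""):
        self.name = name
        self.acl = dict(acl)        # user -> access modes, e.g. {"DOE": "rw"}
        self.level = level
        self.content = content


class Process:
    """A running program: it carries the identity (and level) of its invoker."""

    def __init__(self, user, level):
        self.user = user
        self.level = level


class DACMonitor:
    """Pure discretionary reference monitor: the ACL is all that is consulted."""

    def check(self, proc, f, mode):
        return mode in f.acl.get(proc.user, "")


class MACMonitor(DACMonitor):
    """DAC plus a mandatory policy: no read up, and the *-property for writes."""

    def check(self, proc, f, mode):
        if not super().check(proc, f, mode):
            return False
        if mode == "r":
            return LEVEL[proc.level] >= LEVEL[f.level]
        if mode == "w":
            return LEVEL[f.level] >= LEVEL[proc.level]
        return False


def read(monitor, proc, f):
    if not monitor.check(proc, f, "r"):
        raise PermissionError(f"{proc.user} may not read {f.name}")
    return f.content


def write(monitor, proc, f, data):
    if not monitor.check(proc, f, "w"):
        raise PermissionError(f"{proc.user} may not write {f.name}")
    f.content = data


def drakes_utility(monitor, proc, doesfile, drakesfile):
    """The 'useful' program with the covert function embedded in it.
    It runs as whoever invoked it, so `proc` is DOE's process."""
    data = read(monitor, proc, doesfile)     # fine: DOE may read DOESFILE
    write(monitor, proc, drakesfile, data)   # DAC: allowed; MAC: write down


def scenario(monitor_cls):
    """Run the DOE/DRAKE story under a given reference monitor.
    Returns (did the copy succeed?, what DRAKE can then read)."""
    doesfile = File("DOESFILE", {"DOE": "rw"}, "sensitive", "highly sensitive data")
    drakesfile = File("DRAKESFILE", {"DOE": "w", "DRAKE": "r"}, "non-sensitive")
    doe = Process("DOE", "sensitive")
    drake = Process("DRAKE", "non-sensitive")
    try:
        drakes_utility(monitor_cls(), doe, doesfile, drakesfile)
        copied = True
    except PermissionError:
        copied = False
    return copied, read(monitor_cls(), drake, drakesfile)


if __name__ == "__main__":
    print(scenario(DACMonitor))   # (True, 'highly sensitive data')
    print(scenario(MACMonitor))   # (False, '')
```

Under `DACMonitor` every individual check passes, which is the point: nothing in the ACLs was misconfigured. Under `MACMonitor` the read still succeeds, and it is the write of sensitive data into the non-sensitive DRAKESFILE that the monitor refuses.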
CAPABILITIES
In a capability-based system, access to protected objects such as files is granted if the would-be accessor possesses a capability for the object. The capability is a protected identifier that both identifies the object and specifies the access rights to be allowed to the accessor who possesses the capability. Two fundamental properties of capabilities are that they may be passed from one accessor (subject) to another and that the accessor who possesses capabilities may not alter or fabricate capabilities without the mediation of the operating system TCB. The capability also contains allowable access modes (e.g. read, write, execute). In some implementations, programs can contain capabilities or capabilities can be stored in files. They are protected by hardware and software mechanisms or by encryption.

Capability-based systems provide dynamically changeable domains (name spaces) for processes to run in. Ability to access an object is demonstrated when a process has a capability or "ticket" to the object. Capabilities can usually be passed along to other processes and can sometimes be increased or decreased in scope. A pure capability system includes the ability for users to pass the capability to other users. Because this ability is not controlled and capabilities can be stored, determining all the users who have access for a particular object generally is not possible. This makes a complete DAC implementation, including revocation, very difficult. (Revocation may not be an issue, however, since a user who has access to an object can make a copy of the information in another object. Revoking the user's access on the original object does not revoke access to the information contained in the user's copy. After revocation, however, changes can be made to the original object without the knowledge of revoked users.)
Since capabilities implement dynamic domains they can ideally limit the objects accessible to any program. This would limit a Trojan horse's access to only the protected objects handed to it, making discretionary access controls less vulnerable to Trojan horse attacks. Capabilities could be useful in enforcing the least privilege principle and providing dynamically changeable domains. At this time, few systems have been implemented with capabilities and very few, if any, have attempted to implement a complete DAC mechanism.

PROFILES
Profiles, which have been implemented in some form on several systems, use a list of protected objects associated with each user. Since object names are not consistent or amenable to grouping, all protected object names must be unique, so full pathnames must be used. If a user has access to many protected objects, the profile can get very large and difficult to manage. Also, with profiles as with capabilities, answering the question of who has access to a protected object is very difficult. Creating, deleting and changing access to protected objects requires many operations since multiple users' profiles must be updated. Deleting an object may require some method of determining every user who has the object in his profile. Timely revocation of access to an object is very difficult unless the user's profile is automatically checked each time the object is accessed. Since this is usually an important question in a secure system and more efficient mechanisms exist, profiles are not a recommended implementation of DAC.

ACCESS CONTROL LISTS (ACLs)
ACLs allow any particular user to be allowed or disallowed access to a particular protected object. They implement the access control matrix by representing the columns as lists of users attached to the protected objects. The lists do not have to be excessively long if groups and wild cards (see below) are used. In general, though, their size and number are difficult to reduce.

The use of groups raises the possibility of conflicts between group and individual user. As an example, the ACL entries "PAYROL rw" and "Jones.PAYROL r" appear to conflict, but can be resolved in the design of the DAC mechanism. The Apollo system has a multiple, hierarchical group mechanism. The ACL entry has the form "userid.group.organization.node". As in Multics, if the ACL specifies access rights for the user by user-id then group access rights are ignored. This allows a particular user to be excluded or restricted in access rights. In the Apollo, if a user is not on the ACL by user-id, but is a member of a group, those rights are used and organization and node memberships are not examined. Multiple group mechanisms add more complexity and may facilitate administrative control of a system, but do not affect the utility of a DAC mechanism. In many systems, a user must be a member of at least one group.

The creation of groups must be controlled, since becoming a member of a group can change the objects accessible to any member. Problems could result from allowing any user to create a group and then be "owner" of that group. If users were prohibited from listing the members of groups they are not in because of covert channels and privacy, it would be difficult to determine if a group was the correct one to use. In any case, System or Project Administrator control is a preferred mechanism. Allocation of groups could be a Systems Administrator function only, or it could be distributed to a Project Administrator type function. One detriment of the group mechanism is that changing the members of a group results in changes to an unknown set of ACLs for protected objects. Access to ACLs should be protected just as other objects are protected.

Wild Cards
A wild card mechanism allows a string replacement where the wild card is specified. For example, in the Multics system "PAYROL rw" gives read and write access to any user in the PAYROL group. "Smith.* r" gives Smith read access, no matter what group the user Smith belongs to. "*.*" gives any user access. The use of wild cards raises the possibility of conflicts if a user has multiple ACL entries for an object. In the above example, Smith has a possible conflict: as a member of any group he can read, and as a member of the PAYROL group he can read and write. The system must make a decision as to which one of the ACL entries it will apply when granting Smith access to the object. Various systems have different rules for resolving conflicts. One approach might be to have the system enforce an ordering of the ACLs. Another approach might be to allow ordering of the ACLs by the users. In any case, the users must understand the rules in order to create effective ACL entries. A wild card mechanism adds more complexity, but does not affect the utility of a DAC mechanism. The group and wild card mechanisms allow the ACL list to be kept to a reasonable size.
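The Smith/PAYROL conflict above comes down to which matching entry the system applies, so a small evaluator that makes the ordering rule explicit is a useful companion to the text. The following is an added example written for this section, not code from the guide, from Multics or from Apollo. It uses the four-field Apollo entry form "userid.group.organization.node" with "*" wild cards and a "-" mode meaning no access, and implements the system-enforced ordering the guide mentions: an explicit user-id outranks an explicit group, which outranks organization, which outranks node, so a user-id entry overrides group rights exactly as described. The tie rule (intersect the modes of equally specific entries) is this example's own choice, made to err on the conservative side; the ACL and subjects are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    user: str
    groups: frozenset     # multiple group membership, as in Apollo
    org: str
    node: str


def parse_entry(entry):
    """'Smith.*.*.* r' -> (['Smith','*','*','*'], {'r'}); '-' means no access."""
    pattern, modes = entry.split()
    fields = pattern.split(".")
    if len(fields) != 4:
        raise ValueError(f"expected userid.group.organization.node: {entry!r}")
    return fields, (set() if modes == "-" else set(modes))


def matches(fields, s):
    user, group, org, node = fields
    return (user in ("*", s.user)
            and (group == "*" or group in s.groups)
            and org in ("*", s.org)
            and node in ("*", s.node))


def specificity(fields):
    """Ordering key: an explicit user-id outranks an explicit group, which
    outranks organization, which outranks node (True sorts above False)."""
    return tuple(f != "*" for f in fields)


def decide(acl, subject):
    """System-enforced ordering: the most specific matching entry decides.
    If several entries tie, their modes are intersected (err conservative)."""
    matched = [(specificity(f), modes)
               for f, modes in map(parse_entry, acl) if matches(f, subject)]
    if not matched:
        return set()
    best = max(spec for spec, _ in matched)
    modes = [m for spec, m in matched if spec == best]
    result = set(modes[0])
    for m in modes[1:]:
        result &= m
    return result


# Constructed ACL for one object, in the guide's notation.
PAYROLL_ACL = [
    "*.PAYROL.*.* rw",      # any PAYROL member may read and write
    "Smith.*.*.* r",        # Smith only reads, whatever groups he is in
    "Brown.*.*.* -",        # Brown is excluded outright
    "*.*.*.* r",            # everyone else may read
]

if __name__ == "__main__":
    smith = Subject("Smith", frozenset({"PAYROL"}), "ACME", "node1")
    jones = Subject("Jones", frozenset({"PAYROL"}), "ACME", "node1")
    lee = Subject("Lee", frozenset(), "ACME", "node2")
    brown = Subject("Brown", frozenset({"PAYROL"}), "ACME", "node1")
    for s in (smith, jones, lee, brown):
        print(s.user, sorted(decide(PAYROLL_ACL, s)))
    # Smith ['r'] / Jones ['r', 'w'] / Lee ['r'] / Brown []
```

Smith is in PAYROL, so three entries match him; the user-id entry is the most specific and wins, giving read only. Brown shows the exclusion case the text mentions: a user-id entry with no modes overrides the group grant.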
Default ACLs
There are many side issues in the implementation of access control lists. Default ACLs are usually necessary for the user friendliness of the DAC mechanism. At the very least, when an object is created by a user, the user should be placed on its ACL by default, and the ability to change the defaults is very useful. Some of the other possible default mechanisms include a system-wide default, a user-associated default or, if the file structure is a tree, a default associated with the directory. A system-wide default might give access only to the creating user. A user-associated default might work well on a system with a flat file structure. When a user is first entered on the system, his default ACL would have to be specified. For file structures that are trees, a default (or defaults) associated with the directory could be most efficient. If the user organizes the directory structure to represent project work or areas of interest, then the ACLs for all objects in a sub-tree would be similar. One default ACL in the directory would be for children that are files. For children that are directories either a separate sub-directory default ACL should be specified or the default ACLs should have to be stated explicitly by the user. A system-wide default could be used as the default in cases where no other default had been specified.

The overriding principle of least privilege implies that the use of defaults should not inadvertently give away more access than the user intended. Otherwise, unless care is taken, those with access to the root sections of the storage hierarchy could by automatic default get access to all of the storage hierarchy. In other words, to err on the conservative side is preferred. In all implementations some user(s) must have permission to change the ACLs after they have been set by default. Defaults can be implemented in two ways: they can be copied to the ACL or they can be pointed to by the ACL. If they are copied, then changes to the default will not affect the ACL; otherwise, changes in the default may cause changes in many ACLs.

Named ACLs
Another possible user friendly feature is "named" ACLs. One implementation of this feature uses a named ACL as a template. If a user often sets ACLs to the same list of users, the setting user may want to create a named ACL as a template which, when used, copies that list into the ACL. When the named ACL is changed, there is no effect on the ACLs already in existence. This use of named ACLs has no particular detriments and is of limited usefulness. The other implementation of named ACLs places a pointer in the real ACL to the named ACL. Now when the named ACL gets changed, all of the real ACLs that use it also get changed. This is very convenient for the user, but when a named ACL is changed the user has no way of determining all of the protected objects affected by the change. The named ACLs also have to be protected in the same way as the real ACLs. Most of the features of named ACLs can be replaced by some group and default mechanisms.

In summary, access control lists are the most desirable implementation of discretionary access control. ACLs conveniently lend themselves to specifying a list of named users who are allowed to access each object. Also, providing access to defined groups of users is easily done with ACL-based mechanisms.

PROTECTION BITS
Protection bits are an incomplete attempt to represent the access control matrix by column. Implementation of protection bits includes systems such as UNIX which use protection bits associated with objects instead of a list of users who may access an object. In the UNIX case the protection bits indicate whether everyone, the object's group or only the owner has any of the access modes to the protected object. The user who created the object is the owner, and that can only be changed through superuser privileges. The owner is the only one (besides a superuser) who can change protection bits. The problem with protection bits is that they are an incomplete implementation of the access control matrix model. The system cannot conveniently allow or disallow access to a protected object on any single user basis. It has been suggested that groups be set up so that any needed combination of users can be specified. But, for more than a few users, the combinatorics of such a solution are unrealistic. Also, groups are controlled by the system administrator, and such a scheme would require full-time attention.
The sharing of passwords takes place outside the system.Security In Computing
Dept of Computer Science & Engg. If all objects are protected with different passwords. 2. In most implementations of password protection. with no dynamic domains). then the password is a ticket to the object. they do have one positive aspect. Trojan horses can be restricted to only the objects that are handed to them. because there is no way to determine who has access to an object. which is very difficult to do in such password protected DAC systems. but in most systems that use passwords. The use of passwords prevents the TCB from controlling distribution of access permissions. only one password per object or one password per object per access mode exists. If passwords are used as in the CDC NOS system to supplement another DAC mechanism. For a user to remember a password for each protected object is virtually impossible and if the passwords are stored in programs they are vulnerable. In systems such as MVS the default access to a file is unrestricted access. similar to a capability system (except. and because managing such a system properly is very difficult. If each user possessed his own password to each object. VJCET
Password protection of objects attempts to represent the access control matrix by row. In such implementations. This becomes almost impossible when passwords are stored in programs.4. of course. Many problems are associated with using a password protected DAC system. MANDATORY ACCESS CONTROL
. passwords should be changed periodically. To restrict access to certain access modes requires a password for each combination of access modes. access to a protected object is all or none. Passwords on protected objects have been used in IBM's MVS and with other mechanisms in CDC's NOS to implement DAC. Thus a new file in MVS is not protected until the password protection mechanism is invoked. A file is protected only when the password protection is initiated for that file. To be secure. revoking a user's access requires revoking access from all other users with similar access and then distributing a new password to those who are to retain access. The use of passwords for a complete DAC is strongly discouraged.
Mandatory access control (MAC) involves aspects that the user cannot control (or is not usually allowed to control). An example is that of a hardware address that cannot be changed by a user. Under MAC, objects are tagged with labels representing the sensitivity of the information contained within. MAC restricts access to objects based on their sensitivity. Subjects need formal clearance (authorization) to access objects. The user is denied access unless certain MAC checks are passed.

As an example, on Trusted Solaris, MAC relies on sensitivity labels attached to objects. The MAC policy compares a user's current sensitivity label to that of the object being accessed. It's mandatory as the labeling of information happens automatically, and ordinary users cannot change labels. In contrast, DAC uses file permissions and optional access control lists (ACLs) to restrict information based on the user's ID (uid) or his group ID (gid). It's discretionary as a file's owner can change its permissions at his discretion.

2.5 WINDOWS 2000 AUTHENTICATION

Authentication is performed by the system to be sure the user is really who they claim to be. Authentication may be done at and for a local computer or at a global level for a domain using domain controllers across the network. Authentication uses the X.509 standard and Kerberos.

Process of Logging On
1. CTRL+ALT+DEL is pressed, user name and password are entered, and local or domain logon is indicated.
2. If the logon is local, the name and password are checked against the local database.
3. If the logon is a domain logon, the name and password are encrypted into a key, and timestamp information is encrypted. This information is sent to the Windows 2000 domain controller with an authentication request.
4. The domain controller decrypts the information and checks for a valid timestamp. If the timestamp is valid, two Kerberos tickets are made and encrypted with the password. The tickets are:
   User session key - Used to log on.
   User ticket - Used to get other Kerberos tickets for accessing other domain resources.
5. The tickets are sent back to the client computer. The client decrypts the tickets and uses the session key to log on.

Authentication when Accessing an Object
1. The user tries to access the network object.
2. The user ticket, user name, name of the object to access, and timestamp are sent with a Kerberos ticket granting service request to the domain controller.
3. The domain controller decrypts the information, checks the timestamp, makes an encrypted session key (with user account and group information) and returns the key to the local client.
4. The client sends a request for the resource with the session key to the server that has the resource.
5. The receiving server decrypts the session key, and checks the information against its ACL for the object being requested.

2.6 UNIX AUTHENTICATION

In the UNIX operating system environment, files and directories are organized in a tree structure with specific access modes. The setting of these modes, through permission bits (as octal digits), is the basis of UNIX system security. Permission bits determine how users can access files and the type of access they are allowed. There are three user access modes for all UNIX system files and directories: the owner, the group, and others. Access to read, write and execute within each of the user types is also controlled by permission bits.
r = read
w = write
x = execute

-rw--w-r-x 1 bob csc532 70 Apr 23 20:10 file
drwx------ 2 sam A1 2 May 01 12:01 directory

Each file (and directory) has associated access rights, which may be found by typing ls -l. Also, ls -lg gives additional information as to which group owns the file (beng95 in the following example):

-rwxrw-r-- 1 ee51ab beng95 2450 Sept29 11:52 file1

In the left-hand column is a 10 symbol string consisting of the symbols d, r, w, x, -, and, occasionally, s or S. If d is present, it will be at the left hand end of the string, and indicates a directory; otherwise - will be the starting symbol of the string.

The 9 remaining symbols indicate the permissions, or access rights, and are taken as three groups of 3. The left group of 3 gives the file permissions for the user that owns the file (or directory) (ee51ab in the above example). The middle group gives the permissions for the group of people to whom the file (or directory) belongs (beng95 in the above example). The rightmost group gives the permissions for all others.

The symbols r, w, etc., have slightly different meanings depending on whether they refer to a simple file or to a directory.

Access rights on files.
• r (or -), indicates read permission (or otherwise), that is, the presence or absence of permission to read and copy the file
• w (or -), indicates write permission (or otherwise), that is, the permission (or otherwise) to change a file
• x (or -), indicates execution permission (or otherwise), that is, the permission to execute a file, where appropriate

Access rights on directories.
• r allows users to list files in the directory.
• w means that users may delete files from the directory or move files into it.
• x means the right to access files in the directory. This implies that you may read files in the directory provided you have read permission on the individual files.

So, in order to read a file, you must have execute permission on the directory containing that file, and hence on any directory containing those directories as a subdirectory, and so on, up the tree.

Some examples
-rwxrwxrwx a file that everyone can read, write and execute (and delete).
-rw------- a file that only the owner can read and write - no-one else can read or write and no-one has execution rights (e.g. your mailbox file).

Chmod (changing a file mode)

Only the owner of a file can use chmod to change the permissions of a file. The options of chmod are as follows:

Symbol  Meaning
u       user
g       group
o       other
a       all
r       read
w       write (and delete)
x       execute (and access directory)
+       add permission
-       take away permission

For example, to remove read, write and execute permissions on the file biglist for the group and others, type
% chmod go-rwx biglist
This will leave the other permissions unaffected. To give read and write permissions on the file biglist to all, type
% chmod a+rw biglist
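The mode string, its three permission groups and the symbolic chmod arguments described above, as an added example (not code from the notes). The sample listings are constructed from the ones shown above; the setuid/sticky symbols s and S are not handled, and the directory/file rule for reading follows the notes' description.

```python
"""Parse an ls -l mode string into its three r/w/x groups, apply chmod-style
symbolic changes such as go-rwx or a+rw, and check the read rule from the notes
(r on the file plus x on the containing directory). Added example, not from the
notes; mode strings are constructed from the listings above."""

BITS = {"r": 4, "w": 2, "x": 1}        # value of each symbol inside one 3-bit group
WHO = {"u": 0, "g": 1, "o": 2}         # index of the group each chmod symbol names


def parse_mode(mode_string):
    """Return (is_directory, [owner, group, others]) for a 10-symbol ls -l string.
    Each entry is an int 0-7, i.e. one octal digit of the numeric mode."""
    if len(mode_string) != 10 or mode_string[0] not in "-d":
        raise ValueError("expected a 10-symbol mode string such as -rwxrw-r--")
    groups = []
    for start in (1, 4, 7):
        value = 0
        for symbol, bit in zip(mode_string[start:start + 3], "rwx"):
            if symbol == bit:
                value |= BITS[bit]
            elif symbol != "-":                       # s/S (setuid etc.) not handled here
                raise ValueError("unexpected symbol %r in mode string" % symbol)
        groups.append(value)
    return mode_string[0] == "d", groups


def to_octal(groups):
    """The three groups as the octal digits numeric chmod uses, e.g. [6, 2, 5] -> '625'."""
    return "".join(str(g) for g in groups)


def to_mode_string(is_directory, groups):
    text = "d" if is_directory else "-"
    for g in groups:
        text += "".join(bit if g & BITS[bit] else "-" for bit in "rwx")
    return text


def chmod_symbolic(mode_string, change):
    """Apply one symbolic argument (who letters, then + or -, then r/w/x letters),
    e.g. 'go-rwx' or 'a+rw', and return the resulting mode string."""
    op_index = next(i for i, c in enumerate(change) if c in "+-")
    who, op, perms = change[:op_index], change[op_index], change[op_index + 1:]
    if who == "a":
        targets = {0, 1, 2}
    else:
        targets = {WHO[c] for c in who}               # KeyError for anything but u, g, o
    if not targets:
        raise ValueError("give u, g, o or a before the + or -")
    mask = 0
    for p in perms:
        mask |= BITS[p]
    is_directory, groups = parse_mode(mode_string)
    for i in targets:
        groups[i] = (groups[i] | mask) if op == "+" else (groups[i] & ~mask)
    return to_mode_string(is_directory, groups)


def can_read_file(dir_mode_string, file_mode_string, who):
    """True if a user in class who ('u', 'g' or 'o') has x on the directory and
    r on the file, which is what reading the file requires."""
    _, dir_groups = parse_mode(dir_mode_string)
    _, file_groups = parse_mode(file_mode_string)
    has_x_on_dir = bool(dir_groups[WHO[who]] & BITS["x"])
    has_r_on_file = bool(file_groups[WHO[who]] & BITS["r"])
    return has_x_on_dir and has_r_on_file
```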
3.1 CRYPTOGRAPHY INTRODUCTION

Definitions
Plaintext: "The original message before it is encoded."
Encoding/Encryption: "The process of disguising the plaintext."
Ciphertext: "The enciphered version of the plaintext."
Decoding/Decryption: "The process of reverting the cipher text back to the plain text."
Cryptography: "The science of keeping messages secret and of ensuring authentication."
Cryptanalysis: "The science (and art) of deciphering encoded messages without the knowledge of the used key."
Cryptology: "The combination of cryptography and cryptanalysis." "The science of hidden, disguised information." Greek: kryptós = hidden, lógos = science.

Every Cipher is made up of two ingredients: an encryption method (the "algorithm") and the set of all possible keys (the "key space"). The sender may now choose from the number of possible keys to encode his secret message. If a Cipher only offers a small number of keys (i.e. the Caesar Cipher) it can be broken by simply testing the possible keys. A huge number of keys assures the security of a cipher. The security of the cryptosystem shall not be based on keeping the algorithm secret, but solely on keeping the key secret.

3.2 TYPES OF CRYPTOGRAPHY

3.2.1 Conventional Encryption/Private-key Cryptography
In a "One-Key-Encryption" or "Conventional Encryption", the sender and the recipient share the same key as their common secret (source: www.PGPi.com): At some earlier point in time the two correspondents, the sender and the recipient, must have agreed on that key. If they are in different locations, they must trust a courier or a phone system to transmit the secret key in a secure manner. Private Key Cryptography means that the knowledge of the encoding key yields the decoding key. Such Ciphers are therefore also called "Symmetric Ciphers". Private Key Cryptography provides "high-security" ciphers; however, their usage is not practical because of the key distribution problem. Surely, this is not very practical, particularly when many (new) parties are involved. And each key must be stored in a secure manner. However, the major problem is the total number of keys involved: 2 correspondents use 1 key, 3 use 3 keys, 4 use 6 keys, 5 use 10 keys, 100 use 4950 keys, 1000 use 499500 keys, etc. The number of keys increases with the square of the number of correspondents; i.e. 1000 correspondents have to handle a total of 499500 keys. Key management is enough of a difficult task that a name was invented for it: The Key Distribution Problem. It describes the difficulty of exchanging and handling a large number of keys. It is the reason why One-Key-Cryptography is not appropriate for today's secure electronic data transfers between many parties involved.

3.2.2 Two-key/Public-key Cryptography
The "Two-Key Cryptography" or "Public-Key Cryptography" was a major breakthrough in 1976. It makes the inconceivable reality: A Public Key is used to encode the plain text, and its corresponding Private Key is used to decode the cipher text. The clue: Although the encoding key is available to the whole world, nobody is capable of figuring out the decoding key. The figure below shows how "Two-Key Cryptography" is performed (source: www.PGPi.com). The primary benefit of public key cryptography is that it allows people who have no preexisting security arrangement to exchange messages securely. The need for sender and receiver to share secret keys via some secure channel is eliminated; all communications involve only public keys, and no private key is ever transmitted or shared.

3.2.3 Transposition and Substitution Ciphers
Substitution and Transposition Ciphers are two categories of ciphers used in classical cryptography. Substitution and Transposition differ in how chunks of the message are handled by the encryption process. Substitution ciphers encrypt plaintext by changing the plaintext one piece at a time. The Caesar Cipher was an early substitution cipher. In the Caesar Cipher, each character is shifted three places up. Therefore, A becomes D and B becomes E, etc. This table shows "VOYAGER" being encrypted with the Caesar substitution cipher:

Plaintext:   V  O  Y  A  G  E  R
Key:        +3 +3 +3 +3 +3 +3 +3
Ciphertext:  Y  R  B  D  J  H  U

Transposition ciphers encrypt plaintext by moving small pieces of the message around. This table shows "VOYAGER" being encrypted with a primitive transposition cipher where every two letters are switched with each other:

Plaintext:   V  O  Y  A  G  E  R
Ciphertext:  O  V  A  Y  E  G  R
3.2.4 Stream and Block Ciphers
Block and Stream Ciphers are two categories of ciphers used in classical cryptography. Block and Stream Ciphers differ in how large a piece of the message is processed in each encryption operation. Block ciphers encrypt plaintext in chunks. Common block sizes are 64 and 128 bits. Stream ciphers encrypt plaintext one byte or one bit at a time. A stream cipher can be thought of as a block cipher with a really small block size. Generally speaking, block ciphers are more efficient for computers and stream ciphers are easier for humans to do by hand.

3.3 CAESAR SUBSTITUTION
The simplest of all substitution ciphers is the one in which the cipher letters result from shifting plain letters by the same distance. Among those, the best known is called the "Caesar Cipher", used by Julius Caesar, in which each A is encrypted as D, B as E, C as F, etc. Here the key is 3. Mathematically, the encryption and decryption functions can be described as follows. The sender encodes each plain text letter P using the key b as follows:
C = (P + b) mod 26
The recipient decodes each cipher text letter C using the key b as follows:
P = (C - b) mod 26

3.4 PLAYFAIR CIPHER
The best known substitution cipher that encrypts pairs of letters is the Playfair Cipher, invented by Sir Charles Wheatstone but championed at the British Foreign Office by Lyon Playfair, the first Baron Playfair of St. Andrews, whose name the cipher bears. Here, a 5 x 5 square matrix containing the 26 letters of the alphabet (I and J are treated as the same letter) is used to carry out the encryption. A key word, MONARCHY in this example, is filled in first, and the remaining unused letters of the alphabet are entered in their lexicographic order.
Pairs of plaintext letters are encrypted with the matrix by first locating the two plaintext letters in the matrix. They are (1) in different rows and columns or (2) in the same row or (3) in the same column or (4) alike. The corresponding encryption (replacement) rules are the following:
1. If the pair of letters are in different rows and columns, each letter is replaced by the letter that is in the same row but in the other column; i.e., to encrypt WE, W is replaced by U and E by G.
2. If two letters are in the same row simply shift both one position to the right. I.e. A and R are in the same row. A is encrypted as R and R (reading the row cyclically) as M.
3. Similarly, if two letters are in the same column shift both one position down. I.e. I and S are in the same column. I is encrypted as S and S as X.
4. If a double letter occurs, a spurious symbol, say Q, is introduced so that the MM in SUMMER would encrypt into NL for MQ and CL for ME.
5. An X is appended to the end of the plaintext if necessary to cause the plaintext to have an even number of letters.

3.5 MONOALPHABETIC SUBSTITUTION
The Caesar Cipher, the Multiplication Cipher and the Linear Cipher have one property in common. They all fall in the category of Monoalphabetic Ciphers: "Same plain letters are encoded to the same cipher letter." I.e. in the Caesar Cipher each "a" turned into "d", each "b" turned into "e", etc. The reason why such Ciphers can be broken is the following: Although letters are changed the underlying letter frequencies are not! If the plain letter "a" occurs 10 times its cipher letter will do so 10 times. Therefore, any monoalphabetic Cipher can be broken with the aid of letter frequency analysis.

3.6 POLYALPHABETIC SUBSTITUTION
A polyalphabetic substitution cipher is simply a substitution cipher with an alphabet that changes. For example one could have two alphabets:

Plain Alphabet:     A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Cipher Alphabet #1: B D F H J L N P R T V X Z A C E G I K M O Q S U W Y
Cipher Alphabet #2: Z Y X W V U T S R Q P O N M L K J I H G F E D C B A

Now to encrypt the message "The quick brown fox jumped over the lazy dog" we would alternate between the two cipher alphabets, using #1 for every first letter and #2 for every second, to get: "Msj joxfp dicda ucu tfzkjw ceji msj xzyb hln". Polyalphabetic substitution ciphers are useful because they cannot be broken using frequency analysis. The polyalphabetic substitution cipher involves the use of two or more cipher alphabets. Instead of there being a one-to-one relationship between each letter and its substitute, there is a one-to-many relationship between each letter and its substitutes. The number of letters encrypted before a polyalphabetic substitution cipher returns to its first cipher alphabet is called its period. The larger the period, the stronger the cipher.

The Vigenere Cipher
The Vigenere Cipher, proposed by Blaise de Vigenere, is a polyalphabetic substitution based on the following tableau:

    ABCDEFGHIJKLMNOPQRSTUVWXYZ
A   ABCDEFGHIJKLMNOPQRSTUVWXYZ
B   BCDEFGHIJKLMNOPQRSTUVWXYZA
C   CDEFGHIJKLMNOPQRSTUVWXYZAB
D   DEFGHIJKLMNOPQRSTUVWXYZABC
E   EFGHIJKLMNOPQRSTUVWXYZABCD
F   FGHIJKLMNOPQRSTUVWXYZABCDE
G   GHIJKLMNOPQRSTUVWXYZABCDEF
H   HIJKLMNOPQRSTUVWXYZABCDEFG
I   IJKLMNOPQRSTUVWXYZABCDEFGH
J   JKLMNOPQRSTUVWXYZABCDEFGHI
K   KLMNOPQRSTUVWXYZABCDEFGHIJ
L   LMNOPQRSTUVWXYZABCDEFGHIJK
M   MNOPQRSTUVWXYZABCDEFGHIJKL
N   NOPQRSTUVWXYZABCDEFGHIJKLM
O   OPQRSTUVWXYZABCDEFGHIJKLMN
P   PQRSTUVWXYZABCDEFGHIJKLMNO
Q   QRSTUVWXYZABCDEFGHIJKLMNOP
R   RSTUVWXYZABCDEFGHIJKLMNOPQ
S   STUVWXYZABCDEFGHIJKLMNOPQR
T   TUVWXYZABCDEFGHIJKLMNOPQRS
U   UVWXYZABCDEFGHIJKLMNOPQRST
V   VWXYZABCDEFGHIJKLMNOPQRSTU
W   WXYZABCDEFGHIJKLMNOPQRSTUV
X   XYZABCDEFGHIJKLMNOPQRSTUVW
Y   YZABCDEFGHIJKLMNOPQRSTUVWX
Z   ZABCDEFGHIJKLMNOPQRSTUVWXY

Note that each row of the table corresponds to a Caesar Cipher. The first row is a shift of 0, the second is a shift of 1, and the last is a shift of 25. The Vigenere cipher uses this table together with a keyword to encipher a message. For example, consider enciphering the plaintext message TO BE OR NOT TO BE THAT IS THE QUESTION using the keyword RELATIONS. We begin by writing the keyword, repeated as many times as necessary, above the plaintext message. To derive the ciphertext using the tableau, for each letter in the plaintext, one finds the intersection of the row given by the corresponding keyword letter and the column given by the plaintext letter itself to pick out the ciphertext letter.

Keyword:    RELAT IONSR ELATI ONSRE LATIO NSREL
Plaintext:  TOBEO RNOTT OBETH ATIST HEQUE STION
Ciphertext: KSMEH ZBBLK SMEMP OGAJX SEJCS FLZSY

Decipherment of an encrypted message is equally straightforward. One writes the keyword repeatedly above the message:

Keyword:    RELAT IONSR ELATI ONSRE LATIO NSREL
Ciphertext: KSMEH ZBBLK SMEMP OGAJX SEJCS FLZSY
Plaintext:  TOBEO RNOTT OBETH ATIST HEQUE STION

This time one uses the keyword letter to pick a column of the table and then traces down the column to the row containing the ciphertext letter. The index of that row is the plaintext letter.

The strength of the Vigenere cipher against frequency analysis can be seen by examining the above ciphertext. Note that there are 7 'T's in the plaintext message and that they have been encrypted by 'H,' 'L,' 'K,' 'M,' 'G,' 'X,' and 'L' respectively. This successfully masks the frequency characteristics of the English 'T.' One way of looking at this is to notice that each letter of our keyword RELATIONS picks out 1 of the 26 possible substitution alphabets given in the Vigenere tableau. Thus, any message encrypted by a Vigenere cipher is a collection of as many simple substitution ciphers as there are letters in the keyword.
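The Playfair rules above, implemented as an added example (not code from the notes): the square is built from the keyword with I and J merged, and the notes' variants are kept, a spurious Q between doubled letters and a trailing X for odd length. The SUMMER case shows the MQ / ME split the notes describe.

```python
"""Playfair encryption and decryption with the rules from the notes: 5x5 square from
the keyword (J folded into I), rectangle / same-row / same-column rules, filler Q
between doubled letters, X appended when the length is odd. Added example, not the
notes' own code."""

ALPHABET = "ABCDEFGHIKLMNOPQRSTUVWXYZ"   # 25 letters, no J


def build_square(keyword):
    """Keyword letters first (duplicates dropped), then the unused letters in order."""
    seen = []
    for ch in (keyword + ALPHABET).upper().replace("J", "I"):
        if ch in ALPHABET and ch not in seen:
            seen.append(ch)
    return [seen[i:i + 5] for i in range(0, 25, 5)]


def locate(square, letter):
    for r, row in enumerate(square):
        if letter in row:
            return r, row.index(letter)
    raise ValueError("letter %r is not in the square" % letter)


def prepare(plaintext, filler="Q"):
    """Split into digraphs: J->I, non-letters dropped, filler inserted when a pair
    would be a doubled letter, X appended if a single letter is left over."""
    letters = [c for c in plaintext.upper().replace("J", "I") if c in ALPHABET]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else "X"
        if a == b:
            pairs.append(a + filler)          # MM in SUMMER becomes MQ, then ME follows
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs


def encrypt_pair(square, pair):
    (r1, c1), (r2, c2) = locate(square, pair[0]), locate(square, pair[1])
    if r1 == r2:                                   # same row: shift right, cyclically
        return square[r1][(c1 + 1) % 5] + square[r2][(c2 + 1) % 5]
    if c1 == c2:                                   # same column: shift down, cyclically
        return square[(r1 + 1) % 5][c1] + square[(r2 + 1) % 5][c2]
    return square[r1][c2] + square[r2][c1]         # rectangle: same row, other column


def decrypt_pair(square, pair):
    (r1, c1), (r2, c2) = locate(square, pair[0]), locate(square, pair[1])
    if r1 == r2:
        return square[r1][(c1 - 1) % 5] + square[r2][(c2 - 1) % 5]
    if c1 == c2:
        return square[(r1 - 1) % 5][c1] + square[(r2 - 1) % 5][c2]
    return square[r1][c2] + square[r2][c1]         # the rectangle rule is its own inverse


def playfair_encrypt(keyword, plaintext):
    square = build_square(keyword)
    return "".join(encrypt_pair(square, p) for p in prepare(plaintext))


def playfair_decrypt(keyword, ciphertext):
    """Returns the prepared text, so fillers (Q, trailing X) remain in the output."""
    square = build_square(keyword)
    pairs = [ciphertext[i:i + 2] for i in range(0, len(ciphertext), 2)]
    return "".join(decrypt_pair(square, p) for p in pairs)
```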
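The Caesar formula of 3.3 and the Vigenere tableau above as shift ciphers, together with the frequency check that sections 3.5 and 3.6 argue about, as an added example (not code from the notes). It shows that under Caesar every plaintext T maps to one letter, while under RELATIONS the same T is spread over several, and it reproduces the KSMEH... ciphertext from the worked example.

```python
"""Caesar and Vigenere over A-Z, plus helpers that expose the letter statistics
frequency analysis relies on. Added example, not the notes' own code; the message
and keyword are the ones used in the notes."""

from collections import Counter


def shift_letter(letter, shift):
    """C = (P + b) mod 26 for one upper-case letter; a negative shift decrypts."""
    return chr((ord(letter) - 65 + shift) % 26 + 65)


def caesar(text, key, decrypt=False):
    """Monoalphabetic: every letter uses the same tableau row (shift key)."""
    shift = -key if decrypt else key
    return "".join(shift_letter(c, shift) for c in text.upper() if c.isalpha())


def vigenere(text, keyword, decrypt=False):
    """Polyalphabetic: keyword letter i selects the tableau row (shift) for letter i;
    the keyword repeats, so its length is the period."""
    letters = [c for c in text.upper() if c.isalpha()]
    out = []
    for i, c in enumerate(letters):
        shift = ord(keyword[i % len(keyword)].upper()) - 65
        out.append(shift_letter(c, -shift if decrypt else shift))
    return "".join(out)


def images_of(plain_letter, plaintext, ciphertext):
    """Sorted set of ciphertext letters that one plaintext letter was turned into."""
    letters = [c for c in plaintext.upper() if c.isalpha()]
    return sorted({ct for pt, ct in zip(letters, ciphertext) if pt == plain_letter})


def frequency_profile(text, top=3):
    """Most common letters with counts, what an analyst compares to English frequencies."""
    return Counter(c for c in text.upper() if c.isalpha()).most_common(top)


PLAINTEXT = "TO BE OR NOT TO BE THAT IS THE QUESTION"   # message from the notes
KEYWORD = "RELATIONS"
```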
3.7 CRYPTANALYSIS
Cryptanalysis (from the Greek kryptós, "hidden", and analýein, "to loosen" or "to untie") is the study of methods for obtaining the meaning of encrypted information, without access to the secret information which is normally required to do so. Typically, this involves finding the secret key. In non-technical language, this is the practice of code breaking or cracking the code, although these phrases also have a specialized technical meaning.

Types of Cryptanalytic attacks
1. Brute force Attacks: It is a method of defeating a cryptographic scheme by trying a large number of possibilities; for example, exhaustively working through all possible keys in order to decrypt a message. In most schemes, the theoretical possibility of a brute force attack is recognized, but it is set up in such a way that it would be computationally infeasible to carry out.
2. Ciphertext-only: the cryptanalyst has access only to a collection of ciphertexts or codetexts.
3. Known-plaintext: the attacker has a set of ciphertexts to which he knows the corresponding plaintext.
4. Chosen-plaintext (chosen-ciphertext): the attacker can obtain the ciphertexts (plaintexts) corresponding to an arbitrary set of plaintexts (ciphertexts) of his own choosing.
5. Adaptive chosen-plaintext: like a chosen-plaintext attack, except the attacker can choose subsequent plaintexts based on information learned from previous encryptions. Similarly, an adaptive chosen-ciphertext attack.
6. Related-key attack: Like a chosen-plaintext attack, except the attacker can obtain ciphertexts encrypted under two different keys. The keys are unknown, but the relationship between them is known; for example, two keys that differ in one bit.

3.8 FEISTEL NETWORKS
In cryptography, a Feistel cipher is a block cipher with a particular structure, named after IBM cryptographer Horst Feistel; it is also commonly known as a Feistel network. A large proportion of block ciphers use the scheme, including the Data Encryption Standard (DES). The Feistel structure has the advantage that encryption and decryption operations are very similar, even identical in some cases, requiring only a reversal of the key schedule. Therefore the size of the code or circuitry required to implement such a cipher is nearly halved.

Feistel networks and similar constructions are product ciphers, and so combine multiple rounds of repeated operations, such as:
Bit-shuffling (often called permutation boxes or P-boxes)
Simple non-linear functions (often called substitution boxes or S-boxes)
Linear mixing (in the sense of modular algebra) using XOR
to produce a function with large amounts of what Claude Shannon described as "confusion and diffusion". Bit shuffling creates the diffusion effect, while substitution is used for confusion. In Shannon's original definitions, confusion refers to making the relationship between the key and the ciphertext as complex and involved as possible; diffusion refers to the property that redundancy in the statistics of the plaintext is "dissipated" in the statistics of the ciphertext.

The basic operation is as follows: Split the plaintext block into two equal pieces, (L0, R0). For each round i = 1, ..., n compute
Li = Ri-1
Ri = Li-1 XOR f(Ri-1, Ki)
where f is the round function and Ki is the sub-key. Then the ciphertext is (Ln, Rn). Regardless of the function f, decryption is accomplished via
Ri-1 = Li
Li-1 = Ri XOR f(Li, Ki)
This diagram illustrates both encryption and decryption. Note the reversal of the subkey order for decryption; this is the only difference between encryption and decryption. One advantage of this model is that the function used does not have to be invertible, and can be very complex.

It has been found that the number of rounds is exponentially proportional to the amount of time required to find a key using a brute-force attack. So as the number of rounds increases, the security of the algorithm increases exponentially.

3.9 DATA ENCRYPTION STANDARD
DES encrypts and decrypts data in 64-bit blocks, using a 64-bit key (although the effective key strength is only 56 bits, as explained below). It takes a 64-bit block of plaintext as input and outputs a 64-bit block of ciphertext. Since it always operates on blocks of equal size and it uses both permutations and substitutions in the algorithm, DES is both a block cipher and a product cipher. DES has 16 rounds, meaning the main algorithm is repeated 16 times to produce the ciphertext. The block diagram of DES is depicted below.

3.9.1 Key Scheduling
Although the input key for DES is 64 bits long, the actual key used by DES is only 56 bits in length. The bits at positions of multiples of eight are ignored, thus resulting in a key length of 56 bits. The first step is to pass the 64-bit key through a permutation called Permuted Choice 1, or PC-1 for short. The table for this is given below. Note that in all subsequent descriptions of bit numbers, 1 is the left-most bit in the number, and n is the rightmost bit. In each table, the entry in the row labeled r and the column labeled c gives the input bit that becomes output bit r + c.

PC-1: Permuted Choice 1
Bit    0   1   2   3   4   5   6
 1    57  49  41  33  25  17   9
 8     1  58  50  42  34  26  18
15    10   2  59  51  43  35  27
22    19  11   3  60  52  44  36
29    63  55  47  39  31  23  15
36     7  62  54  46  38  30  22
43    14   6  61  53  45  37  29
50    21  13   5  28  20  12   4

Now that we have the 56-bit key, the next step is to use this key to generate 16 48-bit subkeys, called K[1]-K[16], which are used in the 16 rounds of DES for encryption and decryption. The procedure for generating the subkeys, known as key scheduling, is fairly simple:
1. Set the round number R to 1.
2. Split the current 56-bit key, K, up into two 28-bit blocks, L (the left-hand half) and R (the right-hand half).
3. Rotate L left by the number of bits specified in the table below, and rotate R left by the same number of bits as well.
4. Join L and R together to get the new K.
5. Apply Permuted Choice 2 (PC-2) to K to get the final K[R], where R is the round number we are on.
6. Increment R by 1 and repeat the procedure until we have all 16 subkeys K[1]-K[16].

Here are the tables involved in these operations:

Subkey Rotation Table
Round Number              1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
Number of bits to rotate  1  1  2  2  2  2  2  2  1  2  2  2  2  2  2  1

PC-2: Permuted Choice 2
Bit    0   1   2   3   4   5
 1    14  17  11  24   1   5
 7     3  28  15   6  21  10
13    23  19  12   4  26   8
19    16   7  27  20  13   2
25    41  52  31  37  47  55
31    30  40  51  45  33  48
37    44  49  39  56  34  53
43    46  42  50  36  29  32

3.9.2 Plaintext Preparation
Once the key scheduling has been performed, the next step is to prepare the plaintext for the actual encryption. This is done by passing the plaintext through a permutation called the Initial Permutation, or IP for short. This table also has an inverse, called the Inverse Initial Permutation, or IP^(-1). Sometimes IP^(-1) is also called the Final Permutation. Both of these tables are shown below.

IP: Initial Permutation
Bit    0   1   2   3   4   5   6   7
 1    58  50  42  34  26  18  10   2
 9    60  52  44  36  28  20  12   4
17    62  54  46  38  30  22  14   6
25    64  56  48  40  32  24  16   8
33    57  49  41  33  25  17   9   1
41    59  51  43  35  27  19  11   3
49    61  53  45  37  29  21  13   5
57    63  55  47  39  31  23  15   7

IP^(-1): Inverse Initial Permutation
Bit    0   1   2   3   4   5   6   7
 1    40   8  48  16  56  24  64  32
 9    39   7  47  15  55  23  63  31
17    38   6  46  14  54  22  62  30
25    37   5  45  13  53  21  61  29
33    36   4  44  12  52  20  60  28
41    35   3  43  11  51  19  59  27
49    34   2  42  10  50  18  58  26
57    33   1  41   9  49  17  57  25

These tables are used just like PC-1 and PC-2 were for the key scheduling. By looking at the table it becomes apparent why one permutation is called the inverse of the other. For example, let's examine how bit 32 is transformed under IP. In the table, bit 32 is located at the intersection of the column labeled 4 and the row labeled 25. So this bit becomes bit 29 of the 64-bit block after the permutation. Now let's apply IP^(-1). In IP^(-1), bit 29 is located at the intersection of the column labeled 7 and the row labeled 25. So this bit becomes bit 32 after the permutation. And this is the bit position that we started with before the first permutation. So IP^(-1) really is the inverse of IP. It does the exact opposite of IP. If you run a block of plaintext through IP and then pass the resulting block through IP^(-1), you'll end up with the original block.

3.9.3 DES Core Function
Once the key scheduling and plaintext preparation have been completed, the actual encryption or decryption is performed by the main DES algorithm. The 64-bit block of input data is first split into two halves, L and R. L is the left-most 32 bits, and R is the right-most 32 bits. The following process is repeated 16 times, making up the 16 rounds of standard DES. We call the 16 sets of halves L[0]-L[15] and R[0]-R[15].
1. R[I-1], where I is the round number, starting at 1, is taken and fed into the E-Bit Selection Table, which is like a permutation, except that some of the bits are used more than once. This expands the number R[I-1] from 32 to 48 bits to prepare for the next step.
2. The 48-bit R[I-1] is XORed with K[I] and stored in a temporary buffer so that R[I-1] is not modified.
3. The result from the previous step is now split into 8 segments of 6 bits each. The left-most 6 bits are B[1], and the right-most 6 bits are B[8]. These blocks form the index into the S-boxes, which are used in the next step. The Substitution boxes, known as S-boxes, are a set of 8 two-dimensional arrays, each with 4 rows and 16 columns. The numbers in the boxes are always 4 bits in length, so their values range from 0-15. The S-boxes are numbered S[1]-S[8].
4. Starting with B[1], the first and last bits of the 6-bit block are taken and used as an index into the row number of S[1], which can range from 0 to 3, and the middle four bits are used as an index into the column number, which can range from 0 to 15. The number from this position in the S-box is retrieved and stored away. This is repeated with B[2] and S[2], and the others up to B[8] and S[8]. At this point, we now have 8 4-bit numbers, which when strung together one after the other in the order of retrieval, give a 32-bit result.
5. The result from the previous stage is now passed into the P Permutation.
6. This number is now XORed with L[I-1], and moved into R[I]. R[I-1] is moved into L[I].
7. At this point we have a new L[I] and R[I]. Here, we increment I and repeat the core function until I = 17, which means that 16 rounds have been executed and keys K[1]-K[16] have all been used.

When L[16] and R[16] have been obtained, they are joined back together in the same fashion they were split apart (L is the left-hand half, R is the right-hand half), then the two halves are swapped. R becomes the left-most 32 bits and L becomes the right-most 32 bits of the pre-output block and the resultant 64-bit number is called the pre-output.
Tables used in the DES Core Function E-Bit Selection Table Bit 0 1 2 3 1 32 1 2 3 7 4 5 6 7 13 8 9 10 11 19 12 13 14 15 25 16 17 18 19 31 20 21 22 23 37 24 25 26 27 43 28 29 30 31 P Permutation Bit 0 1 2 1 16 7 20 5 29 12 28 9 1 15 23 13 5 18 31 17 2 8 24 21 32 27 3 25 19 13 30 29 22 11 4 4 4 8 12 16 20 24 28 32 3 21 17 26 10 14 9 6 25 5 5 9 13 17 21 25 29 1
. Here. and moved into R[I]. 7. VJCET
5. The result from the previous stage is now passed into the P Permutation. R becomes the left-most 32 bits and L becomes the right-most 32 bits of the pre-output block and the resultant 64-bit number is called the pre-output. 6. then the two halves are swapped. we increment I and repeat the core function until I = 17. which means that 16 rounds have been executed and keys KK have all been used. At this point we have a new L[I] and R[I].Security In Computing
Dept of Computer Science & Engg.
Security In Computing
Dept of Computer Science & Engg. VJCET
The S-boxes. In each table the row index (0-3) comes from the outer two bits of the 6-bit input and the column index (0-15) from the middle four bits.

S-Box 1: Substitution Box 1
Row/Col  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  0     14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
  1      0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
  2      4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
  3     15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13

S-Box 2: Substitution Box 2
Row/Col  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  0     15  1  8 14  6 11  3  4  9  7  2 13 12  0  5 10
  1      3 13  4  7 15  2  8 14 12  0  1 10  6  9 11  5
  2      0 14  7 11 10  4 13  1  5  8 12  6  9  3  2 15
  3     13  8 10  1  3 15  4  2 11  6  7 12  0  5 14  9

S-Box 3: Substitution Box 3
Row/Col  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  0     10  0  9 14  6  3 15  5  1 13 12  7 11  4  2  8
  1     13  7  0  9  3  4  6 10  2  8  5 14 12 11 15  1
  2     13  6  4  9  8 15  3  0 11  1  2 12  5 10 14  7
  3      1 10 13  0  6  9  8  7  4 15 14  3 11  5  2 12

S-Box 4: Substitution Box 4
Row/Col  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  0      7 13 14  3  0  6  9 10  1  2  8  5 11 12  4 15
  1     13  8 11  5  6 15  0  3  4  7  2 12  1 10 14  9
  2     10  6  9  0 12 11  7 13 15  1  3 14  5  2  8  4
  3      3 15  0  6 10  1 13  8  9  4  5 11 12  7  2 14

S-Box 5: Substitution Box 5
Row/Col  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  0      2 12  4  1  7 10 11  6  8  5  3 15 13  0 14  9
  1     14 11  2 12  4  7 13  1  5  0 15 10  3  9  8  6
  2      4  2  1 11 10 13  7  8 15  9 12  5  6  3  0 14
  3     11  8 12  7  1 14  2 13  6 15  0  9 10  4  5  3

S-Box 6: Substitution Box 6
Row/Col  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  0     12  1 10 15  9  2  6  8  0 13  3  4 14  7  5 11
  1     10 15  4  2  7 12  9  5  6  1 13 14  0 11  3  8
  2      9 14 15  5  2  8 12  3  7  0  4 10  1 13 11  6
  3      4  3  2 12  9  5 15 10 11 14  1  7  6  0  8 13

S-Box 7: Substitution Box 7
Row/Col  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  0      4 11  2 14 15  0  8 13  3 12  9  7  5 10  6  1
  1     13  0 11  7  4  9  1 10 14  3  5 12  2 15  8  6
  2      1  4 11 13 12  3  7 14 10 15  6  8  0  5  9  2
  3      6 11 13  8  1  4 10  7  9  5  0 15 14  2  3 12

S-Box 8: Substitution Box 8
Row/Col  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  0     13  2  8  4  6 15 11  1 10  9  3 14  5  0 12  7
  1      1 15 13  8 10  3  7  4 12  5  6 11  0 14  9  2
  2      7 11  4  1  9 12 14  2  0  6 10 13 15  3  5  8
  3      2  1 14  7  4 10  8 13 15 12  9  0  3  5  6 11

3.9.4 How to use the S-Boxes

The purpose of this example is to clarify how the S-boxes work. Suppose we have the following 48-bit binary number (the output of step 2 of the Core Function):

011101000101110101000111101000011100101101011101

In order to pass this through steps 3 and 4 of the Core Function as outlined above, the number is split up into 8 6-bit blocks, labeled B[1] to B[8] from left to right:

011101 000101 110101 000111 101000 011100 101101 011101

Now eight numbers are extracted from the S-boxes, one from each box. In each case of S[n](row, column), the first and last bits of the current B[n] are used as the row index, and the middle four bits as the column index:

B[1] = S[1](01, 1110) = S[1][1][14] = 3  = 0011
B[2] = S[2](01, 0010) = S[2][1][2]  = 4  = 0100
B[3] = S[3](11, 1010) = S[3][3][10] = 14 = 1110
B[4] = S[4](01, 0011) = S[4][1][3]  = 5  = 0101
B[5] = S[5](10, 0100) = S[5][2][4]  = 10 = 1010
B[6] = S[6](00, 1110) = S[6][0][14] = 5  = 0101
B[7] = S[7](11, 0110) = S[7][3][6]  = 10 = 1010
B[8] = S[8](01, 1110) = S[8][1][14] = 9  = 1001

The results are now joined together to form a 32-bit number which serves as the input to stage 5 of the Core Function (the P Permutation):

00110100111001011010010110101001
3.9.5 Ciphertext Preparation

The final step is to apply the permutation IP^(-1) to the pre-output. The result is the completely encrypted ciphertext. The method described above will encrypt a block of plaintext and return a block of ciphertext.

3.9.6 Encryption and Decryption

The same algorithm can be used for encryption or decryption. In order to decrypt the ciphertext and get the original plaintext again, the procedure is simply repeated but the subkeys are applied in reverse order, from K[16] to K[1]. That is, stage 2 of the Core Function as outlined above changes from R[I-1] XOR K[I] to R[I-1] XOR K[17-I]. Other than that, decryption is performed exactly the same as encryption.

3.9.7 Strength of DES

1. With a key length of 56 bits, a brute force attack was impractical when DES was designed in the 1970s. That is no longer true: the 2^56 key space was searched by purpose-built hardware in 1998 in under three days, and DES has since been replaced by 3DES and AES.
2. The design criteria of the S-boxes were kept secret. (They were published later and turned out to have been chosen to resist differential cryptanalysis.)
3. DES is also resistant to timing attacks in straightforward implementations, because the amount of work done does not depend on the key bits (software table lookups can still leak through cache timing).

3.10 COMPARISON OF MODERN SYMMETRIC KEY ALGORITHMS

Algorithm | Plaintext      | Ciphertext     | Key size         | Rounds         | Advantages
DES       | 64 bits        | 64 bits        | 56 bits          | 16             | Simple and fast; less mathematical calculation; cryptanalysis is difficult
3DES      | 64 bits        | 64 bits        | 168 bits         | 48 DES rounds  | More reliable; easy to upgrade software from DES to 3DES; longer key length
AES       | 128 bits       | 128 bits       | 128/192/256 bits | 10/12/14 resp. | Difficult to cryptanalyse; longer key lengths supported
Blowfish  | 64 bits        | 64 bits        | 32-448 bits      | 16             | More flexible; fast and secure; compact
RC5       | 32/64/128 bits | 32/64/128 bits | 0-2040 bits      | 0-255          | Simple and fast; adaptable to processors of different word length; data-dependent rotations

(The last two rows are Blowfish and RC5, identified from their key and block sizes. A 56-bit key is no longer adequate; see 3.9.7.)

3.11 MODES OF OPERATION OF DES

3.11.1 ECB (Electronic Code Book)

This is the regular DES algorithm. Data is divided into 64-bit blocks and each block is encrypted one at a time. Separate encryptions with different blocks are totally independent of each other. This means that if data is transmitted over a network or phone line, transmission errors will only affect the block containing the error. It also means, however, that the blocks can be rearranged, thus scrambling a file beyond recognition, and this action would go undetected; and because the same plaintext block always produces the same ciphertext block under a given key, repeated blocks in the plaintext are visible in the ciphertext. ECB is the weakest of the various modes because no additional security measures are implemented besides the basic DES algorithm. However, ECB is the fastest and easiest to implement, making it the most commonly seen mode of DES, even though it should not be used for anything longer than a single block.

3.11.2 CBC (Cipher Block Chaining)

In this mode of operation, each ciphertext block is XORed with the next plaintext block before that block is encrypted, thus making every ciphertext block dependent on all the previous plaintext blocks. This means that in order to find the plaintext of a particular block, you need to know the key, the ciphertext of that block, and the ciphertext of the previous block. The first block to be encrypted has no previous ciphertext, so the plaintext is XORed with a 64-bit number called the Initialization Vector, or IV for short. The IV need not be secret, but it must be unpredictable to the attacker and fresh for every message encrypted under the same key; with a fixed IV, two messages that begin the same way produce the same first ciphertext block. If data is transmitted over a network or phone line and there is a transmission error in one ciphertext block, the error affects the decryption of that block (which becomes garbage) and of the next block (in which the same bits are flipped); blocks after that decrypt correctly, because each depends only on its own ciphertext and the one before it. This mode of operation is more secure than ECB because the chaining hides repeated plaintext blocks, at the cost of one extra XOR per block and of having to encrypt the blocks of a message in sequence.

3.11.3 CFB (Cipher Feed Back)

In this mode, blocks of plaintext that are less than 64 bits long can be encrypted. Normally, special processing has to be used to handle files whose size is not a perfect multiple of 8 bytes, but this mode removes that necessity (Stealth handles this case by adding several dummy bytes to the end of a file before encrypting it). The plaintext itself is not actually passed through the DES algorithm, but merely XORed with an output block from it, in the following manner: A 64-bit block called the Shift Register is used as the input plaintext to DES. This is initially set to some arbitrary value, and encrypted with the DES algorithm. The ciphertext is then passed through an extra component called the M-box, which simply selects the left-most M bits of the ciphertext, where M is the number of bits in the block we wish to encrypt. This value is XORed with the real plaintext, and the output of that is the final ciphertext. Finally, the ciphertext is fed back into the Shift Register (the register is shifted left by M bits and the M ciphertext bits are placed at its right-hand end) and used as the plaintext seed for the next block to be encrypted. Decryption uses exactly the same process, since only the forward direction of DES is ever applied. A transmission error in one M-bit block garbles that block and, because the bad ciphertext is shifted into the register, the following 64/M blocks as well; once the erroneous bits have shifted out of the register, decryption resynchronises, so as with CBC the damage is bounded rather than carried to the end of the message. This mode of operation is similar to CBC and is very secure, but it is slower than ECB due to the added complexity (one DES operation per M bits of plaintext).

3.11.4 OFB (Output Feed Back)

This is similar to CFB mode, except that the ciphertext output of DES is fed back into the Shift Register, rather than the actual final ciphertext. The Shift Register is set to an arbitrary initial value and passed through the DES algorithm. The output from DES is passed through the M-box and then fed back into the Shift Register to prepare for the next block. This value is then XORed with the real plaintext (which may be less than 64 bits in length, as in CFB mode), and the result is the final ciphertext. Note that unlike CFB and CBC, a transmission error in one block will not affect subsequent blocks, because once the recipient has the initial Shift Register value it will continue to generate new Shift Register inputs without any further data input: the keystream depends only on the key and the initial value. That is also the mode's weakness. If the same key and initial value are ever used for two messages, the XOR of the two ciphertexts is the XOR of the two plaintexts, and an attacker who knows one plaintext recovers the other (and can flip chosen bits of it) without knowing the key. In this respect OFB is less secure than CFB, where the ciphertext feeds back and the keystream therefore differs for every message. In standard practice the full 64-bit DES output is fed back rather than only M bits, since feeding back fewer bits shortens the expected period of the keystream.

3.11.5 CTR (Counter)

A counter equal to the plaintext block size is used. The counter is initialized to some value and then incremented by 1 for each block. For encryption, the counter is encrypted and then XORed with the plaintext block to produce the ciphertext block; decryption is the same operation. The counter value must be different for each plaintext block that is encrypted, and a counter value must never be reused under the same key, for the same reason as in OFB. Because each block's keystream depends only on the counter, blocks can be encrypted or decrypted in parallel and in any order, and a transmission error affects only the corresponding bits of one block.
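The five modes of section 3.11 written over a generic 64-bit block cipher, as an added example (not code from the notes). DES is not in the Python standard library, so `block_encrypt`/`block_decrypt` is a stand-in: a 4-round Feistel network whose round function is HMAC-SHA256 of the half block. It has the 64-bit block size and the invertibility the modes need but is not DES and carries no security claim; replacing those two functions with a real cipher's single-block operations leaves the mode code unchanged. The `cfb_crypt` function implements the general M-bit segment version described in 3.11.3 (M = 8 × `seg`), and `corrupted_blocks` exercises the error-propagation behaviour discussed for each mode. Keys, IV and plaintexts in `demo()` are constructed for the example.

```python
"""ECB, CBC, CFB, OFB and CTR over a 64-bit block cipher (added example).

block_encrypt/block_decrypt is a toy Feistel cipher standing in for DES.
"""
import hashlib
import hmac

BLOCK = 8  # bytes


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]


def block_encrypt(key, block):
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return r + l                      # final swap, as in DES


def block_decrypt(key, block):
    l, r = block[:4], block[4:]       # the swap means we start from (R, L)
    for i in reversed(range(4)):
        l, r = r, _xor(l, _round(key, i, r))
    return r + l


def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, data):
    return b"".join(block_encrypt(key, b) for b in _blocks(data))


def ecb_decrypt(key, data):
    return b"".join(block_decrypt(key, b) for b in _blocks(data))


def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for p in _blocks(data):
        prev = block_encrypt(key, _xor(p, prev))          # C[i] = E(P[i] xor C[i-1])
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for c in _blocks(data):
        out.append(_xor(block_decrypt(key, c), prev))      # P[i] = D(C[i]) xor C[i-1]
        prev = c
    return b"".join(out)


def cfb_crypt(key, iv, data, seg=BLOCK, decrypt=False):
    """CFB with M = 8*seg bit segments: encrypt the shift register, keep its
    left-most M bits (the M-box), XOR with the segment, shift the ciphertext
    segment into the register. Same function for both directions."""
    out, sr = [], iv
    for i in range(0, len(data), seg):
        chunk = data[i:i + seg]
        res = _xor(chunk, block_encrypt(key, sr)[:len(chunk)])
        out.append(res)
        sr = (sr + (chunk if decrypt else res))[-BLOCK:]
    return b"".join(out)


def ofb_crypt(key, iv, data):
    """OFB with full 64-bit feedback: the keystream E(IV), E(E(IV)), ... is
    independent of the data, so the same function encrypts and decrypts."""
    out, sr = [], iv
    for p in _blocks(data):
        sr = block_encrypt(key, sr)
        out.append(_xor(p, sr))
    return b"".join(out)


def ctr_crypt(key, counter0, data):
    """CTR: XOR each block with E(counter0 + i); blocks are independent."""
    start = int.from_bytes(counter0, "big")
    out = []
    for n, p in enumerate(_blocks(data)):
        ctr = ((start + n) % (1 << 64)).to_bytes(BLOCK, "big")
        out.append(_xor(p, block_encrypt(key, ctr)))
    return b"".join(out)


def corrupted_blocks(decrypt, ciphertext, plaintext, byte_index):
    """Flip one ciphertext bit and report which plaintext blocks decrypt wrongly."""
    bad = bytearray(ciphertext)
    bad[byte_index] ^= 0x01
    got = decrypt(bytes(bad))
    return [i for i, (a, b) in enumerate(zip(_blocks(got), _blocks(plaintext))) if a != b]


def demo():
    key, iv = b"demo-key-not-DES", bytes(range(8))   # constructed; use os.urandom in practice
    pt = b"REPEATEDmiddle!!REPEATED"                 # blocks 0 and 2 are identical
    ecb, cbc = ecb_encrypt(key, pt), cbc_encrypt(key, iv, pt)
    return {
        "ecb_shows_repeat": _blocks(ecb)[0] == _blocks(ecb)[2],
        "cbc_shows_repeat": _blocks(cbc)[0] == _blocks(cbc)[2],
        "cbc_error_blocks": corrupted_blocks(lambda c: cbc_decrypt(key, iv, c), cbc, pt, 0),
        "ofb_error_blocks": corrupted_blocks(lambda c: ofb_crypt(key, iv, c), ofb_crypt(key, iv, pt), pt, 0),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the ECB repeat leak (block 0 equals block 2), that CBC hides it, that a one-bit error in CBC damages exactly the affected block and the next one, and that the same error in OFB damages only one block. XORing two OFB ciphertexts produced with the same key and IV gives the XOR of the plaintexts, which is the keystream-reuse failure the text warns about.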
3.12 PUBLIC KEY CRYPTOGRAPHY

3.12.1 Comparison of Symmetric Key and Public Key Cryptography

With symmetric-key encryption, the same key is used for both encryption and decryption. In general, with most symmetric algorithms, the encryption key can be calculated from the decryption key and vice versa. Implementations of symmetric-key encryption can be highly efficient, so that users do not experience any significant time delay as a result of the encryption and decryption. Symmetric-key encryption is effective only if the symmetric key is kept secret by the two parties involved. If anyone else discovers the key, it affects both confidentiality and authentication: a person with an unauthorized symmetric key not only can decrypt messages sent with that key, but can encrypt new messages and send them as if they came from one of the two parties who were originally using the key.

Public-key encryption (also called asymmetric encryption) involves a pair of keys, a public key and a private key, associated with an entity that needs to authenticate its identity electronically or to sign or encrypt data. Each public key is published, and the corresponding private key is kept secret. Data encrypted with the public key can be decrypted only with the private key. The figure shows a simplified view of the way public-key encryption works: to send encrypted data to someone, we encrypt the data with that person's public key, and the person receiving the encrypted data decrypts it with the corresponding private key.

The scheme lets us freely distribute a public key, and only you will be able to read data encrypted using this key. Compared with symmetric-key encryption, public-key encryption requires more computation and is therefore not always appropriate for large amounts of data. However, it is possible to use public-key encryption to send a symmetric key, which can then be used to encrypt additional data; this hybrid arrangement is how public-key cryptography is normally used in practice. The reverse of the scheme shown in the figure also works: data encrypted with your private key can be decrypted only with your public key. This would not be a desirable way to encrypt sensitive data, because it means that anyone with your public key, which is by definition published, could decrypt the data. Nevertheless, private-key encryption is useful, because it means you can use your private key to sign data with your digital signature, an important requirement for electronic commerce and other commercial applications of cryptography.

3.13 RSA ALGORITHM

The algorithm was described in 1977 by Ron Rivest, Adi Shamir and Len Adleman at MIT; the letters RSA are the initials of their surnames. This is the most commonly used algorithm in public key cryptography.

3.13.1 Key Generation

Suppose a user X wishes to allow Y to send a private message over an insecure transmission medium. X takes the following steps to generate a public key and a private key:

1. Choose two large prime numbers p and q randomly and independently of each other.
2. Compute n = pq.
3. Compute the totient φ(n) = (p-1)(q-1).
4. Choose an integer e with 1 < e < φ(n) which is coprime to φ(n).
5. Compute d such that d·e ≡ 1 (mod φ(n)).

The public key consists of n, the modulus, and e, the public exponent (sometimes encryption exponent). The private key consists of n, the modulus, and d, the private exponent (sometimes decryption exponent), which must be kept secret. In summary:

p    first prime number (to be kept secret or deleted securely)
q    second prime number (to be kept secret or deleted securely)
n    modulus (to be made public)
e    public exponent (to be made public)
d    private exponent (to be kept secret)

The public key is (e, n). The private key is d.

3.13.2 Encrypting messages

Suppose Bob wishes to send a message M to Alice. He turns M into a number m < n, using some previously agreed-upon reversible protocol known as a padding scheme. He knows n and e, which Alice has announced. He then computes the ciphertext c corresponding to m:

c = m^e mod n

Bob then transmits c to Alice.

3.13.3 Decrypting messages

Alice receives c from Bob, and knows her private key d. She can recover m from c by the following procedure:

m = c^d mod n

The proof is given in the Appendix.

3.13.4 A working example

Here is an example of RSA encryption and decryption. The parameters used here are artificially small. We let

p = 61
q = 53
n = pq = 3233
e = 17
d = 2753

The encryption function is:

encrypt(m) = m^e mod n = m^17 mod 3233

where m is the plaintext. The decryption function is:

decrypt(c) = c^d mod n = c^2753 mod 3233

where c is the ciphertext. To encrypt the plaintext value 123, we calculate

encrypt(123) = 123^17 mod 3233 = 855

To decrypt the ciphertext value 855, we calculate

decrypt(855) = 855^2753 mod 3233 = 123

3.13.5 Security of RSA

The security of the RSA cryptosystem is based on two mathematical problems: the problem of factoring very large numbers, and the RSA problem. Full decryption of an RSA ciphertext is thought to be infeasible on the assumption that both of these problems are hard, i.e. no efficient algorithm exists for solving them. The RSA problem is defined as the task of taking e-th roots modulo a composite n: recovering a value m such that m^e ≡ c (mod n), where (e, n) is an RSA public key and c is an RSA ciphertext. Currently the most promising approach to solving the RSA problem is to factor the modulus n. With the ability to recover prime factors, an attacker can compute the secret exponent d from a public key (e, n), then decrypt c using the standard procedure. To accomplish this, an attacker factors n into p and q, and computes (p-1)(q-1), which allows the determination of d from e. No polynomial-time method for factoring large integers on a classical computer has yet been found, but it has not been proven that none exists.

3.13.6 Practical Considerations

RSA is much slower than DES and other symmetric cryptosystems, so in practice it is used to protect a symmetric key rather than to encrypt bulk data. As with all ciphers, how RSA public keys are distributed is important to security. Key distribution must be secured against a man-in-the-middle attack: if an attacker can substitute their own public key for the intended recipient's, neither sender nor receiver would be able to detect the outsider's presence. Defenses against such attacks are often based on digital certificates. Note also that the textbook operation described above must not be used directly on data: without a proper padding scheme it is deterministic (the same m always gives the same c) and multiplicative (encrypt(m1)·encrypt(m2) mod n = encrypt(m1·m2)), both of which an attacker can exploit.
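Key generation, encryption and decryption with the parameters of section 3.13.4, as an added example (not code from the notes). It also exercises the two points made in 3.12 and 3.13.6: the private-key direction used for signing, and the multiplicative malleability that makes a padding scheme mandatory. The primes are the notes' own (p = 61, q = 53); `math.gcd` and `pow(e, -1, phi)` (Python 3.8 or later) perform steps 4 and 5 of the key-generation procedure.

```python
"""Textbook RSA with the notes' small parameters (added example)."""
import math


def generate_keys(p, q, e=17):
    """Steps 1-5 of section 3.13.1 for given primes; returns ((e, n), (d, n))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)            # d * e = 1 (mod phi(n))
    return (e, n), (d, n)


def encrypt(m, public_key):
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("plaintext must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(c, private_key):
    d, n = private_key
    return pow(c, d, n)


def sign(m, private_key):
    """The 'reverse' direction of 3.12: apply the private exponent..."""
    return decrypt(m, private_key)


def verify(m, s, public_key):
    """...and anyone holding the public exponent can check it."""
    return encrypt(s, public_key) == m


def forge_product(c1, c2, public_key):
    """Malleability of unpadded RSA: from c1 = E(m1) and c2 = E(m2) anyone can
    build E(m1 * m2 mod n) without the private key. Padding (e.g. OAEP) removes this."""
    _, n = public_key
    return (c1 * c2) % n


def demo():
    pub, priv = generate_keys(61, 53)
    c = encrypt(123, pub)
    forged = forge_product(c, encrypt(2, pub), pub)
    return {
        "d": priv[0],                                   # 2753, as in the notes
        "c": c,                                         # 855
        "m": decrypt(c, priv),                          # 123
        "forged_decrypts_to": decrypt(forged, priv),    # 246 = 123 * 2, never encrypted by anyone
        "signature_ok": verify(123, sign(123, priv), pub),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `forged_decrypts_to` entry is the point to take away: an attacker who sees `c` can submit a related ciphertext the receiver will happily decrypt, which is why every real RSA deployment wraps the integer in a padding scheme before this arithmetic.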
3.13.7 Comparison of RSA and DES

Feature                                   | DES                   | RSA
speed                                     | high                  | low
data block length                         | 64 bits (8 bytes)     | minimum 512 bits
key length                                | 56 bits               | minimum 512 bits (2048 bits or more is required today)
use of data space                         | full, 64 bits (2^64)  | variable, limited, not defined
ciphering and deciphering key             | same                  | different
ciphering and deciphering algorithm       | different             | same
algorithm contains only XOR and branching | no                    | no
cryptanalysis method                      | differential method   | product factorization; timing attacks

3.14 DIFFIE HELLMAN KEY EXCHANGE

Diffie-Hellman key agreement was invented in 1976 during a collaboration between Whitfield Diffie and Martin Hellman and was the first practical method for establishing a shared secret over an unprotected communications channel.
In principle, implementation of the protocol uses the multiplicative group of integers modulo p, where p is prime and g is primitive mod p. Modulo (or mod) simply means that the integers between 1 and p - 1 are used with normal multiplication, exponentiation and division, except that after each operation the result keeps only the remainder after dividing by p. Here is an example of the protocol:

1. Alice and Bob agree to use a prime number p = 23 and base g = 5.
2. Alice chooses a secret integer a = 6, then sends Bob (g^a mod p): 5^6 mod 23 = 8.
3. Bob chooses a secret integer b = 15, then sends Alice (g^b mod p): 5^15 mod 23 = 19.
4. Alice computes (g^b mod p)^a mod p: 19^6 mod 23 = 2.
5. Bob computes (g^a mod p)^b mod p: 8^15 mod 23 = 2.

Both Alice and Bob have arrived at the same value, because g^ab and g^ba are equal. Note that only a, b, g^ab and g^ba are kept secret. All the other values are sent in the clear. Once Alice and Bob compute the shared secret they can use it as an encryption key, known only to them, for sending messages across the same open communications channel. Of course, much larger values of a, b and p would be needed to make this example secure, since it is easy to try all the possible values of g^ab mod 23 (there will be, at most, 22 such values, even if a and b are large). If p was a prime of more than 300 digits, and a and b were at least 100 digits long, then even the best known algorithms for finding a given only g, p and g^a mod p (known as the discrete logarithm problem) would take longer than the lifetime of the universe to run. g need not be large at all, and in practice is usually either 2 or 5.

Here's a more general description of the protocol:

1. Alice and Bob agree on a finite cyclic group G and a generating element g in G. (This is usually done long before the rest of the protocol; g is assumed to be known by all attackers.) We will write the group G multiplicatively.
2. Alice picks a random natural number a and sends g^a to Bob.
3. Bob picks a random natural number b and sends g^b to Alice.
4. Alice computes (g^b)^a.
5. Bob computes (g^a)^b.

Both Alice and Bob are now in possession of the group element g^ab, which can serve as the shared secret key.

3.14.2 Security

The protocol is considered secure against eavesdroppers if G and g are chosen properly. The eavesdropper must solve the Diffie-Hellman problem to obtain g^ab. This is currently considered difficult. An efficient algorithm to solve the discrete logarithm problem would make it easy to compute a or b and solve the Diffie-Hellman problem, making this protocol insecure. The order of G should be prime or have a large prime factor to prevent obtaining a or b; if the order has only small factors, the discrete logarithm can be recovered piecewise in the small subgroups (the Pohlig-Hellman attack). The secret integers a and b are discarded at the end of the session. Therefore, Diffie-Hellman key exchange by itself trivially achieves perfect forward secrecy, because no long-term private keying material exists to be disclosed.

3.14.3 Authentication

In the original description, the Diffie-Hellman exchange by itself does not provide authentication of the parties, and is thus vulnerable to a man-in-the-middle attack. The man-in-the-middle may establish two distinct Diffie-Hellman keys, one with Alice and the other with Bob, and then try to masquerade as Alice to Bob and/or vice versa, perhaps by decrypting and re-encrypting messages passed between them. Some method to authenticate these parties to each other is generally needed, for example signing the exchanged values g^a and g^b with long-term keys whose public halves are certified.
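The exchange with the notes' toy numbers (p = 23, g = 5, a = 6, b = 15), followed by the man-in-the-middle attack of section 3.14.3 and the order check of 3.14.2, as an added example (not code from the notes). Mallory's secret exponent (7) is a constructed value, and the toy modulus is for illustration only; a real exchange uses a prime of at least 2048 bits or an elliptic-curve group.

```python
"""Diffie-Hellman over Z_p^*, honest run and man-in-the-middle run (added example)."""


def public_value(g, secret, p):
    return pow(g, secret, p)


def shared_secret(peer_public, secret, p):
    return pow(peer_public, secret, p)


def honest_exchange(p, g, a, b):
    """Both sides send g^x mod p in the clear and derive the same key."""
    A = public_value(g, a, p)          # Alice -> Bob
    B = public_value(g, b, p)          # Bob -> Alice
    return {"A": A, "B": B,
            "alice_key": shared_secret(B, a, p),
            "bob_key": shared_secret(A, b, p)}


def mitm_exchange(p, g, a, b, m):
    """Mallory intercepts both public values and replaces each with g^m.
    She ends up sharing one key with Alice and another with Bob, and can
    decrypt and re-encrypt everything that passes between them."""
    A = public_value(g, a, p)          # sent by Alice, intercepted
    B = public_value(g, b, p)          # sent by Bob, intercepted
    M = public_value(g, m, p)          # what each victim actually receives
    return {
        "alice_key": shared_secret(M, a, p),           # Alice thinks this is shared with Bob
        "mallory_alice_key": shared_secret(A, m, p),
        "bob_key": shared_secret(M, b, p),             # Bob thinks this is shared with Alice
        "mallory_bob_key": shared_secret(B, m, p),
    }


def element_order(g, p):
    """Order of g in Z_p^* by brute force (fine for a toy p). Section 3.14.2
    asks for this to be prime or to have a large prime factor."""
    x, order = g, 1
    while x != 1:
        x = (x * g) % p
        order += 1
    return order


def largest_prime_factor(n):
    f, largest = 2, 1
    while f * f <= n:
        while n % f == 0:
            largest, n = f, n // f
        f += 1
    return max(largest, n) if n > 1 else largest


if __name__ == "__main__":
    print("honest:", honest_exchange(23, 5, 6, 15))
    print("mitm:  ", mitm_exchange(23, 5, 6, 15, 7))
    order = element_order(5, 23)
    print(f"order of 5 mod 23 = {order}, largest prime factor {largest_prime_factor(order)}")
```

In the honest run both parties obtain 2, as in the notes. In the man-in-the-middle run each victim's key matches one of Mallory's two keys and the victims' keys differ from each other, yet nothing in the exchange itself lets Alice or Bob notice, which is the reason an authenticated variant is needed in practice.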
3.15 MESSAGE AUTHENTICATION CODE (MAC) AND HASH FUNCTIONS

Message authentication is concerned with
a) protecting the integrity of the message,
b) validating the identity of the originator, and
c) non-repudiation of origin.

There are three different ways to achieve message authentication: message encryption, a MAC, and hash functions.

Message encryption can be either symmetric key encryption or public key encryption. If symmetric key encryption is used, receiver and sender must first share the secret key, which is a hazardous task; and encryption alone gives the receiver no way to tell a genuine message from a corrupted or forged one, so the content still needs a check. If public key encryption is used and the receiver's public key is used for encryption, there is no confidence about the sender, since anyone can encrypt with a public key. However, if the sender uses their private key for encryption, authentication is provided (and confidentiality too, if the result is additionally encrypted with the receiver's public key). But still we need to recognise corrupted messages.

3.15.1 MAC

A cryptographic message authentication code (MAC) is a short piece of information used to authenticate a message. A MAC algorithm accepts as input a secret key and an arbitrary-length message to be authenticated, and outputs a MAC (sometimes known as a tag). The MAC value protects both a message's integrity and its authenticity, by allowing verifiers (who also possess the secret key) to detect any changes to the message content. A MAC is a cryptographic checksum:

MAC = C_K(M)

A MAC is a many-to-one function: potentially many messages have the same MAC, but finding them needs to be very difficult.

Requirements for a MAC:
1. Knowing a message and its MAC, it is infeasible to find another message with the same MAC.
2. MACs should be uniformly distributed.
3. The MAC should depend equally on all bits of the message.

Because sender and receiver share the same key, a MAC proves origin only to the other key holder; it cannot provide non-repudiation, since either party could have produced it.

3.15.2 Hash Functions

A hash function H is a transformation that takes a variable-size input m and returns a fixed-size string, which is called the hash value h (that is, h = H(m)). Hash functions with just this property have a variety of general computational uses, but when employed in cryptography the hash functions are usually chosen to have some additional properties. The basic requirements for a cryptographic hash function are:

o the input can be of any length,
o the output has a fixed length,
o H(x) is relatively easy to compute for any given x,
o H(x) is one-way,
o H(x) is collision-free.

A hash function H is said to be one-way if it is hard to invert, where "hard to invert" means that given a hash value h, it is computationally infeasible to find some input x such that H(x) = h. If, given a message x, it is computationally infeasible to find a message y not equal to x such that H(x) = H(y), then H is said to be a weakly collision-free hash function. A strongly collision-free hash function H is one for which it is computationally infeasible to find any two messages x and y such that H(x) = H(y).

3.16 DIGITAL SIGNATURE

A digital signature (or public-key digital signature) is a type of method for authenticating digital information analogous to ordinary physical signatures on paper, but implemented using techniques from the field of public-key cryptography. A digital signature method generally defines two complementary algorithms, one for signing and the other for verification, and the output of the signing process is also called a digital signature. Digital signature has also been used as a broader term encompassing both public-key digital signature techniques and message authentication codes.

Instead of encrypting the data itself, the signing software creates a one-way hash of the data, then uses the private key to encrypt the hash. (Describing signing as "encrypting with the private key" is accurate for RSA; other signature schemes apply the private key differently, but the hash-then-sign structure is the same.) The encrypted hash, along with other information such as the hashing algorithm, is known as a digital signature. The figure shows a simplified view of the way a digital signature can be used to validate the integrity of signed data.

Using a digital signature to validate data integrity

The figure shows two items transferred to the recipient of some signed data: the original data and the digital signature, which is basically a one-way hash (of the original data) that has been encrypted with the signer's private key. To validate the integrity of the data, the receiving software first uses the signer's public key to decrypt the hash. It then uses the same hashing algorithm that generated the original hash to generate a new one-way hash of the same data. (Information about the hashing algorithm used is sent with the digital signature, although this isn't shown in the figure.) Finally, the receiving software compares the new hash against the original hash. If the two hashes match, the data has not changed since it was signed. If they don't match, the data may have been tampered with since it was signed, or the signature may have been created with a private key that doesn't correspond to the public key presented by the signer.

If the two hashes match, the recipient can be certain that the public key used to decrypt the digital signature corresponds to the private key used to create the digital signature. Confirming the identity of the signer, however, also requires some way of confirming that the public key really belongs to a particular person or other entity. The significance of a digital signature is comparable to the significance of a handwritten signature. Once you have signed some data, it is difficult to deny doing so later, assuming that the private key has not been compromised or out of the owner's control. This quality of digital signatures provides a high degree of non-repudiation; that is, digital signatures make it difficult for the signer to deny having signed the data. In some situations, a digital signature may be as legally binding as a handwritten signature.
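Message authentication both ways described in sections 3.15 and 3.16, as an added example (not code from the notes): a MAC (HMAC-SHA256 under a shared key) and a hash-then-sign digital signature (SHA-256 digest, then the private RSA exponent, verified with the public one). The RSA key generation uses a Miller-Rabin primality test with 256-bit primes so the example runs in about a second; that key size is for demonstration only (2048 bits or more in practice), and the unpadded signature mirrors the notes' "encrypt the hash with the private key" description rather than a production scheme such as RSA-PSS. The messages and the MAC key are constructed samples.

```python
"""MAC versus digital signature (added example)."""
import hashlib
import hmac
import random

# ---- MAC: integrity and origin, for whoever holds the shared key ----


def mac(key, message):
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(key, message, tag):
    # compare_digest avoids the timing leak of an early-exit == comparison
    return hmac.compare_digest(mac(key, message), tag)


# ---- Digital signature: hash, then apply the private exponent ----


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # full width, odd
        if _is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits=512, e=65537):
    """Returns ((e, n), (d, n)) with n of about `bits` bits (demo size only)."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (e, p * q), (pow(e, -1, phi), p * q)


def _digest_as_int(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private_key, message):
    d, n = private_key
    return pow(_digest_as_int(message), d, n)     # the 256-bit digest is < n


def verify(public_key, message, signature):
    e, n = public_key
    return pow(signature, e, n) == _digest_as_int(message)


def demo():
    msg = b"transfer 100 to account 42"          # constructed sample message
    tampered = b"transfer 900 to account 42"
    key = b"shared-secret-for-demo"
    tag = mac(key, msg)
    pub, priv = rsa_keygen()
    other_pub, _ = rsa_keygen()
    sig = sign(priv, msg)
    return {
        "mac_ok": mac_verify(key, msg, tag),
        "mac_detects_tamper": not mac_verify(key, tampered, tag),
        "sig_ok": verify(pub, msg, sig),
        "sig_detects_tamper": not verify(pub, tampered, sig),
        "sig_rejects_wrong_key": not verify(other_pub, msg, sig),
    }


if __name__ == "__main__":
    print(demo())
```

The difference between the two halves is who can produce a valid tag: anyone holding the MAC key (so the receiver could have forged it, hence no non-repudiation), versus only the holder of the private exponent, which anyone with the public key can check.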
QUESTIONS

1. What is cryptography?
2. What is a block cipher?
3. What is a Feistel cipher?
4. What are weak keys?
5. What is DES?
6. What is triple DES?
7. What are ECB and CBC modes?
8. What is Blowfish?
9. What is multiple encryption?
10. What is a stream cipher?
11. What is public key cryptography?
12. What are the key management issues involved in public key cryptography?
13. What are certificates?
14. What are the advantages of public key cryptography over symmetric key cryptography?
15. What is a one-way function?
16. What is the significance of one-way functions in cryptography?
17. What is RSA?
18. What are the different types of attacks on RSA?
19. What is the RSA factoring challenge?
20. How is RSA used for authentication in practice?
21. What is Diffie-Hellman key exchange?
22. What is the significance of factoring in cryptography?
23. What is the discrete logarithm problem?
24. What are MACs?
25. What is a hash function?
4.1 KERBEROS

Kerberos is a secure method for authenticating a request for a service in a computer network. Kerberos was developed in the Athena Project at the Massachusetts Institute of Technology (MIT). The name is taken from Greek mythology: Kerberos was a three-headed dog who guarded the gates of Hades. Kerberos lets a user request an encrypted "ticket" from an authentication process that can then be used to request a particular service from a server. The user's password does not have to pass through the network.

The three heads of Kerberos comprise the Key Distribution Center (KDC), the client user and the server with the desired service to access. The KDC is installed as part of the domain controller and performs two service functions: the Authentication Service (AS) and the Ticket-Granting Service (TGS). As exemplified in Figure 1, three exchanges are involved when the client initially accesses a server resource:

1. AS Exchange
2. TGS Exchange
3. Client/Server (CS) Exchange

Source: www.microsoft.com

4.1.1 AS Exchange

When initially logging on to a network, users must negotiate access by providing a log-in name and password in order to be verified by the AS portion of a KDC within their domain. The KDC has access to Active Directory user account information. Once successfully authenticated, the user is granted a Ticket to Get Tickets (TGT) that is valid for the local domain. The TGT has a default lifetime of 10 hours and may be renewed throughout the user's log-on session without requiring the user to re-enter his password. The TGT is cached on the local machine in volatile memory space and used to request sessions with services throughout the network. The password itself never leaves the client: the AS reply is encrypted under a key derived from the password, so only a client that knows the password can read the session key inside it.

4.1.2 TGS Exchange

The user presents the TGT to the TGS portion of the KDC when desiring access to a server service. The TGS receives the client's TGT and reads it using its own key; the TGS on the KDC authenticates the user's TGT and, if it approves of the client's request, creates a ticket and session key for both the client and the remote server. This information, known as the service ticket, is then cached locally on the client machine. The client reads its portion using the TGS session key retrieved earlier from the AS reply. The client presents the server portion of the TGS reply to the target server in the client/server exchange coming next.

4.1.3 Client/Server Exchange

Once the client user has the client/server service ticket, he can establish the session with the server service. The server can decrypt the information coming indirectly from the TGS using its own long-term key with the KDC. The service ticket is then used to authenticate the client user and establish a service session between the server and client. After the ticket's lifetime is exceeded, the service ticket must be renewed to use the service.
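A simulation of the three exchanges of section 4.1, as an added example (not code from the notes and not a real Kerberos implementation). It shows which long-term or session key protects each message, that the password itself never crosses the wire, and that the service's long-term key is all the server needs. The principal names, the KDC database, lifetimes and the `seal`/`open_sealed` symmetric scheme (a SHA-256 keystream plus an HMAC tag) are constructed for the demo; real Kerberos uses AES-based encryption types and a salted string-to-key function.

```python
"""Kerberos AS / TGS / client-server exchanges in miniature (added example)."""
import hashlib
import hmac
import json
import os
import time


def _keystream(key, nonce, length):
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]


def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable dict under a 32-byte key (demo scheme)."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()


def open_sealed(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + body, hashlib.sha256).digest(), tag):
        raise ValueError("bad tag: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))


def password_key(password):
    """Long-term user key derived from the password (demo derivation, fixed salt)."""
    return hashlib.sha256(b"demo-salt|" + password.encode()).digest()


class KDC:
    """Holds every long-term key: users' password-derived keys, service keys, the TGS key."""

    def __init__(self, users, services):
        self.user_keys = {u: password_key(pw) for u, pw in users.items()}
        self.service_keys = {s: os.urandom(32) for s in services}
        self.tgs_key = os.urandom(32)

    def as_exchange(self, user):
        """AS reply: a TGT readable only by the TGS, plus the TGS session key
        sealed under the user's key. The password is never sent or checked here;
        a client with the wrong password simply cannot open the reply."""
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"user": user, "key": session,
                                  "expires": time.time() + 10 * 3600})
        return tgt, seal(self.user_keys[user], {"tgs_session_key": session})

    def tgs_exchange(self, tgt, authenticator, service):
        """TGS opens the TGT with its own key, checks the authenticator, issues a service ticket."""
        t = open_sealed(self.tgs_key, tgt)
        if t["expires"] < time.time():
            raise ValueError("TGT expired")
        if open_sealed(bytes.fromhex(t["key"]), authenticator)["user"] != t["user"]:
            raise ValueError("authenticator does not match TGT")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.service_keys[service], {"user": t["user"], "key": svc_session})
        return ticket, seal(bytes.fromhex(t["key"]), {"service_session_key": svc_session})


def client_login(kdc, user, password):
    """AS exchange, client side: only the user name goes over the wire."""
    tgt, enc = kdc.as_exchange(user)
    reply = open_sealed(password_key(password), enc)
    return tgt, bytes.fromhex(reply["tgs_session_key"])


def client_get_service_ticket(kdc, user, tgt, tgs_session, service):
    """TGS exchange, client side: present the TGT plus a fresh authenticator."""
    authenticator = seal(tgs_session, {"user": user, "time": time.time()})
    ticket, enc = kdc.tgs_exchange(tgt, authenticator, service)
    return ticket, bytes.fromhex(open_sealed(tgs_session, enc)["service_session_key"])


def server_accept(service_key, ticket, authenticator):
    """Client/server exchange: the server opens the ticket with its own long-term
    key and checks that the client knows the session key inside it."""
    t = open_sealed(service_key, ticket)
    return open_sealed(bytes.fromhex(t["key"]), authenticator)["user"] == t["user"]


def demo(password="correct horse"):
    kdc = KDC({"alice": "correct horse"}, ["fileserver"])
    tgt, tgs_session = client_login(kdc, "alice", password)
    ticket, svc_session = client_get_service_ticket(kdc, "alice", tgt, tgs_session, "fileserver")
    authenticator = seal(svc_session, {"user": "alice", "time": time.time()})
    return server_accept(kdc.service_keys["fileserver"], ticket, authenticator)


if __name__ == "__main__":
    print("service access granted:", demo())
```

Calling `demo()` with the wrong password raises from `open_sealed` on the AS reply: the KDC never saw the password, the client simply cannot extract the TGS session key, and so can never build a valid authenticator. Tampering with a TGT or a ticket fails the tag check in the same way.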
4.2 X.509

A public-key certificate is a digitally signed statement from one entity, saying that the public key (and some other information) of another entity has some specific value. The main inputs to the certificate creation process are:

• Matched public and private keys, generated using some special tools. Only the public key is ever shown to anyone else. The private key is used to sign data.
• Information about the entity being certified. This normally includes information such as name and organizational address.

Now a Certification Authority (CA) can act as a Trusted Third Party. CAs are entities that are trusted to sign (issue) certificates for other entities. It is assumed that CAs will only create valid and reliable certificates as they are bound by legal agreements. There are many public Certification Authorities, such as VeriSign, Thawte, Entrust, and so on. Using this certificate implies trusting the entity that signed this certificate.

The X.509 standard defines what information can go into a certificate, and describes how to write it down (the data format). All X.509 certificates have the following data, in addition to the signature:

Version
This identifies which version of the X.509 standard applies to this certificate, which affects what information can be specified in it. Thus far, three versions are defined.

Serial Number
The entity that created the certificate is responsible for assigning it a serial number to distinguish it from other certificates it issues. This information is used in numerous ways, for example when a certificate is revoked its serial number is placed in a Certificate Revocation List (CRL).

Signature Algorithm Identifier
This identifies the algorithm used by the CA to sign the certificate.

Issuer Name
The X.500 name of the entity that signed the certificate. This is normally a CA.

Validity Period
Each certificate is valid only for a limited amount of time. This period is described by a start date and time and an end date and time, and can be as short as a few seconds or almost as long as a century. The validity period chosen depends on a number of factors, such as the strength of the private key used to sign the certificate or the amount one is willing to pay for a certificate. This is the expected period that entities can rely on the public value, if the associated private key has not been compromised.

Subject Name
The name of the entity whose public key the certificate identifies. This name uses the X.500 standard, so it is intended to be unique across the Internet. This is the Distinguished Name (DN) of the entity, for example:

CN=Java Duke, OU=Java Software Division, O=Sun Microsystems Inc, C=US

(These refer to the subject's Common Name, Organizational Unit, Organization, and Country.)

Subject Public Key Information
This is the public key of the entity being named, together with an algorithm identifier which specifies which public key crypto system this key belongs to and any associated key parameters.

X.509 Version 1 has been available since 1988, is widely deployed, and is the most generic. X.509 Version 2 introduced the concept of subject and issuer unique identifiers to handle the possibility of reuse of subject and/or issuer names over time. Most certificate profile documents strongly recommend that names not be reused, and that certificates should not make use of unique identifiers. Version 2 certificates are not widely used. X.509 Version 3 is the most recent and supports the notion of extensions, whereby anyone can define an extension and include it in the certificate
4.3. E-MAIL SECURITY ENHANCEMENTS
Following are the security enhancements for email:
• confidentiality – protection from disclosure
• authentication – of sender of message
• message integrity – protection from modification
• non-repudiation of origin – protection from denial by sender

(For diagrams refer text book, William Stallings)

PGP is an official email security system. It was developed by Phil Zimmermann. It was originally free; commercial versions are now available also. PGP is available on Unix, PC, Macintosh and Amiga systems.

4.3.1 How PGP works

Authentication
1. The sender creates a message.
2. SHA-1 is used to generate a 160-bit hash code of the message.
3. The hash code is encrypted with RSA using the sender's private key, and the result is attached to the message.
4. The receiver uses RSA or DSS with the sender's public key to decrypt and recover the hash code.
5. The receiver generates a new hash code for the message and compares it with the decrypted hash code. If they match, the message is accepted as authentic.

Confidentiality
1. The sender generates a message and a random 128-bit number to be used as a session key for this message only.
2. The message is encrypted, using CAST-128 / IDEA / 3DES with the session key.
3. The session key is encrypted using RSA with the recipient's public key, then attached to the message.
4. The receiver uses RSA with its private key to decrypt and recover the session key.
5. The session key is used to decrypt the message.

Authentication & Confidentiality
1. Create signature & attach to message
2. Encrypt both message & signature
3. Attach RSA encrypted session key

Compression
By default PGP compresses the message after signing but before encrypting, and can store the uncompressed message & signature for later verification. It uses the ZIP compression algorithm.

Compatibility
When using PGP we will have binary data to send (encrypted message etc.). However, email was designed only for text. Hence PGP must encode raw binary data into printable ASCII characters. For this it uses the radix-64 algorithm, which maps 3 bytes to 4 printable characters and also appends a CRC.
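The PGP compatibility step above (radix-64 with an appended CRC), together with the SHA-1 hashing and compression steps, as an added Python example that is not part of the lecture notes. The CRC-24 constants are those of RFC 4880; the RSA signing and session-key encryption steps are left out because the standard library has no asymmetric primitives, and the sample message is constructed.

```python
"""Radix-64 armoring with the OpenPGP CRC-24, plus the hash and
compression stages that PGP applies before armoring.

Sender pipeline modelled here: SHA-1 digest of the message (the value
PGP would sign with RSA), ZIP-style compression, radix-64 encoding with a
CRC-24 trailer.  Receiver: check the CRC, decompress, re-hash and compare.
"""
import base64
import hashlib
import zlib

# Constants from RFC 4880 section 6.1 (OpenPGP radix-64 CRC).
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """Compute the 24-bit CRC that PGP appends to radix-64 armor."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(raw: bytes, line_len: int = 76) -> str:
    """Radix-64 encode: 3 raw bytes -> 4 printable characters, wrapped into
    lines, followed by a '=' line carrying the CRC-24 of the raw bytes."""
    encoded = base64.b64encode(raw).decode("ascii")
    lines = [encoded[i:i + line_len] for i in range(0, len(encoded), line_len)]
    crc_line = "=" + base64.b64encode(crc24(raw).to_bytes(3, "big")).decode("ascii")
    return "\n".join(lines + [crc_line])


def dearmor(text: str) -> bytes:
    """Reverse of armor(). Raises ValueError when the CRC-24 does not match,
    which is how the receiver detects corruption in transit."""
    lines = text.strip().split("\n")
    if not lines[-1].startswith("="):
        raise ValueError("missing CRC-24 line")
    expected = int.from_bytes(base64.b64decode(lines[-1][1:]), "big")
    raw = base64.b64decode("".join(lines[:-1]))
    if crc24(raw) != expected:
        raise ValueError("CRC-24 mismatch: armored data was corrupted")
    return raw


def pgp_prepare(message: bytes) -> tuple:
    """Sender side: SHA-1 digest (the value that would be RSA-signed),
    compress, then armor.  Returns (armored_text, hex_digest)."""
    digest = hashlib.sha1(message).hexdigest()
    compressed = zlib.compress(message)
    return armor(compressed), digest


def pgp_receive(armored: str, claimed_digest: str) -> bytes:
    """Receiver side: verify the armor CRC, decompress, and compare the
    SHA-1 of the recovered message with the digest the sender attached."""
    message = zlib.decompress(dearmor(armored))
    if hashlib.sha1(message).hexdigest() != claimed_digest:
        raise ValueError("hash mismatch: message is not authentic")
    return message


def tamper_is_detected(armored: str) -> bool:
    """Alter one armored character (a constructed transit error) and
    confirm that dearmor() rejects the result."""
    chars = list(armored)
    chars[0] = "B" if chars[0] != "B" else "C"
    try:
        dearmor("".join(chars))
    except ValueError:
        return True
    return False
```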
S/MIME
S/MIME is the name given to Secure MIME, or secure encryption of attachments when they are added to email messages. S/MIME requires both a private and a public key. The public key is stored and made available to those who wish to send users an encrypted message. So to send a message via S/MIME the sender must look up the public key in a global directory or already have it available. Once the key has been found, the sender must encrypt the message/attachment and forward it to the destination server. In order for the message to be read, the encrypted message must be decoded by the mail client or by the mail server. There are issues with either of these solutions:

Decryption by the mail client. At the current time, not many mail clients support S/MIME decryption. Further, there is the issue of configuring the mail client with the correct private key so that decryption works OK. Since messages are stored encrypted, if the key becomes compromised at any point in the future and must be changed, there is the risk that the messages will become unavailable in the future.

Decryption by the mail server. This requires the server to hold both the encryption and decryption key for each user. Clearly there will be additional load on the server as it manages each message, and messages are likely to be stored unencrypted on the server itself (there is no point in them being encrypted since the key is available on the server).

4.4. SECURE SOCKET LAYER
The Secure Sockets Layer protocol is a protocol layer which may be placed between a reliable connection-oriented network layer protocol (e.g. TCP/IP) and the application protocol layer (e.g. HTTP). SSL provides secure communication between client and server by allowing mutual authentication, the use of digital signatures for integrity, and encryption for privacy. The protocol is designed to support a range of choices for specific algorithms used for cryptography, digests, and signatures. Choices are negotiated between client and server at the start of establishing a protocol session.

There are a number of versions of the SSL protocol, as shown:

Version  | Status                                        | Description
SSL v2.0 | Vendor Standard (from Netscape Corp.)         | First SSL protocol for which implementations exist
SSL v3.0 | Expired Internet Draft (from Netscape Corp.)  | Revisions to prevent specific security attacks, add non-RSA ciphers, and support for certificate chains
TLS v1.0 | Proposed Internet Standard (from IETF)        | Revision of SSL 3.0 to update the MAC layer to HMAC, add block padding for block ciphers, message order standardization and more alert messages

SSL v3.0 is the basis for the Transport Layer Security protocol standard, currently in development by the Internet Engineering Task Force (IETF).

4.4.1 Session Establishment
The SSL session is established by following a handshake sequence between client and server. This sequence may vary, depending on whether the server is configured to provide a server certificate or request a client certificate. Though cases exist where additional handshake steps are required for management of cipher information, this article summarizes one common scenario; see the SSL specification for the full range of possibilities.

Once an SSL session has been established it may be reused, thus avoiding the performance penalty of repeating the many steps needed to start a session. For this the server assigns each SSL session a unique session identifier which is cached in the server and which the client can use on forthcoming connections to reduce the handshake.

The elements of the handshake sequence, as used by the client and server, are listed below:
1. Negotiate the Cipher Suite to be used during data transfer
2. Establish and share a session key between client and server
3. Optionally authenticate the server to the client
4. Optionally authenticate the client to the server

The first step, Cipher Suite Negotiation, allows the client and server to choose a Cipher Suite supportable by both of them. The SSL 3.0 protocol specification defines 31 Cipher Suites. A Cipher Suite is defined by the following components:
• Key Exchange Method
• Cipher for Data Transfer
• Message Digest for creating the Message Authentication Code (MAC)
These three elements are described in the sections that follow.

4.4.2 Key Exchange Method
The key exchange method defines how the shared secret symmetric cryptography key used for application data transfer will be agreed upon by client and server. SSL 2.0 uses RSA key exchange only, while SSL 3.0 supports a choice of key exchange algorithms including the RSA key exchange when certificates are used, and Diffie-Hellman key exchange for exchanging keys without certificates and without prior communication between client and server. One variable in the choice of key exchange methods is digital signatures: whether or not to use them, and if so, what kind of signatures to use.

4.4.3 Cipher for Data Transfer
SSL uses the conventional cryptography algorithm (symmetric cryptography) described earlier for encrypting messages in a session. There are nine choices, including the choice to perform no encryption:
• No encryption
• Stream Ciphers
  o RC4 with 40-bit keys
  o RC4 with 128-bit keys
• CBC Block Ciphers
  o RC2 with 40 bit key
  o DES with 40 bit key
  o DES with 54 bit key
  o Triple-DES with 168 bit key
  o Idea (128 bit key)

(Figure: SSL protocol stack. Application protocols such as FTP and SMTP, together with the SSL change cipher spec protocol and the SSL alert protocol, sit on the SSL Record Protocol, which runs over TCP/IP.)
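Handshake step 1 (Cipher Suite negotiation) and the session-identifier reuse described in 4.4.1, as an added Python example that is not part of the lecture notes. The suite names, preference lists and the 32-byte session ID are constructed for illustration; the policy of refusing export-grade and null-cipher suites is a practitioner's addition, not something the notes prescribe.

```python
"""Cipher Suite negotiation and session-ID caching, modelled on the SSL
handshake: a suite is a (key exchange, cipher, MAC digest) triple, the
server picks the first suite in its own preference order that the client
also offered, and a cached session ID lets a returning client skip the
full handshake.
"""
from dataclasses import dataclass
import secrets
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CipherSuite:
    key_exchange: str   # e.g. "RSA", "DHE"
    cipher: str         # e.g. "3DES_168", "RC4_40", "NULL"
    mac: str            # e.g. "SHA", "MD5"

    def is_weak(self) -> bool:
        """Export-grade (40-bit) keys and 'no encryption' are refused by
        default even when both sides could support them."""
        return self.cipher == "NULL" or self.cipher.endswith("_40")


# Constructed server preference list, strongest first.
SERVER_SUITES = [
    CipherSuite("DHE", "3DES_168", "SHA"),
    CipherSuite("RSA", "3DES_168", "SHA"),
    CipherSuite("RSA", "RC4_128", "MD5"),
    CipherSuite("RSA", "RC4_40", "MD5"),
    CipherSuite("RSA", "NULL", "SHA"),
]


def negotiate(client_offer: List[CipherSuite],
              server_prefs: List[CipherSuite] = SERVER_SUITES,
              allow_weak: bool = False) -> Optional[CipherSuite]:
    """Handshake step 1: choose a suite supportable by both sides, walking
    the server's preference order.  None means no acceptable overlap (the
    real protocol would send a handshake_failure alert)."""
    offered = set(client_offer)
    for suite in server_prefs:
        if suite in offered and (allow_weak or not suite.is_weak()):
            return suite
    return None


class SessionCache:
    """Server-side cache keyed by session identifier, enabling reuse."""

    def __init__(self) -> None:
        self._sessions: Dict[bytes, Tuple[CipherSuite, bytes]] = {}

    def new_session(self, suite: CipherSuite) -> bytes:
        """Full handshake done: store the agreed suite and a fresh master
        secret under a random 32-byte session ID."""
        session_id = secrets.token_bytes(32)
        master_secret = secrets.token_bytes(48)
        self._sessions[session_id] = (suite, master_secret)
        return session_id

    def resume(self, session_id: bytes) -> Optional[Tuple[CipherSuite, bytes]]:
        """A known ID yields the cached parameters; an unknown or guessed
        ID yields None and forces a full handshake."""
        return self._sessions.get(session_id)


def handshake(cache: SessionCache, client_offer: List[CipherSuite],
              session_id: Optional[bytes] = None):
    """Drive one connection: try resumption first, otherwise negotiate.
    Returns (status, suite, session_id) with status in
    {"resumed", "full", "failed"}."""
    if session_id is not None:
        cached = cache.resume(session_id)
        if cached is not None:
            return "resumed", cached[0], session_id
    suite = negotiate(client_offer)
    if suite is None:
        return "failed", None, None
    return "full", suite, cache.new_session(suite)
```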
4.4.4 SSL Record Protocol
The SSL Record Protocol takes care of the data transmission. SSL is used to transfer application and SSL control data between the client and server. It possibly fragments the data into smaller units, compresses the data, attaches signatures and encrypts these units before transmitting them. The SSL Record Protocol provides two services, confidentiality and integrity. Confidentiality uses symmetric encryption with a shared secret key defined by the Handshake Protocol, and integrity uses a MAC with a shared secret key.

4.5. IPSec
IPSec is a group of protocols developed by the IETF. The group includes the Authentication Header (AH), which addresses authentication for IP traffic, and the Encapsulating Security Payload (ESP), which defines encryption for IP data. AH ensures that the packet has not been altered during transmission. The AH also allows the receiver to verify the identity of the sender. It can be used in combination with ESP, or simply by itself to verify the authenticity of a regular IP packet. IPSec provides these services at the IP layer, and nowadays it is often built into the network card from the beginning. IPSec can be used to protect one or more data flows between a pair of hosts, between gateways, and between gateways and hosts.

IPSec uses symmetric, or secret key, cryptographic algorithms like the Data Encryption Standard (DES), MD5, AH and SHA. Some of these are DES, SHA and MD5. DES (the Data Encryption Standard) is used to encrypt the packet data. DES uses cipher block chaining with an initialization vector to start the encryption. The default method is 56-bit DES, and triple DES to encrypt the payload. SHA (Secure Hash Algorithm) and MD5 (Message Digest 5) are hash algorithms, and these are used to authenticate the data.

Key management for IPsec: ISAKMP and IKE
ISAKMP (Internet Security Association and Key Management Protocol) is designed to negotiate, establish, modify and delete security associations and their attributes. ISAKMP is a generic framework which does not depend on the mechanisms in favor of which the negotiation takes place. IKE handles the negotiation of protocols and algorithms, based on local policy, and generates the encryption and authentication keys. IKE provides authentication of the IPSec peers and establishes the IPSec keys.

4.5.1 Encapsulating Security Payload
ESP (Encapsulating Security Payload) is the protocol that handles encryption of IP data. ESP includes several parts, the first of which is the control header that contains the SPI and the sequence number field. The SPI and sequence number serve the same purpose as in the AH: the SPI indicates which security algorithms and keys were used for a particular connection, and the sequence number keeps track of the order in which packets are transmitted. The payload data can be of any size because it is the actual data being carried by the packet. Along with the payload data, the ESP also contains 0 to 255 bytes of padding, which ensures the data will be of the correct length for particular types of encryption algorithms. This area of the ESP also includes the pad length, which tells how much padding is in the payload, and the next header field, which gives information about the data and the protocol used. Authentication data is the field that contains a digital signature that has been applied to everything in the ESP except the authentication data itself.

4.5.2 Authentication Header
Authentication Header is a security protocol that provides authentication and optional replay-detection services. AH is embedded in the data to be protected. AH can be used either by itself or with the Encapsulating Security Payload (ESP). The first field in the AH is the next header field; this is an 8-bit field that tells which higher-level protocol (such as UDP, TCP, or ESP) follows the AH. The payload length is an 8-bit value that indicates the length of the authentication data field in 32-bit words. The Security Parameters Index is a 32-bit number that tells the packet recipient which security protocols the sender is using. This information includes which algorithms and keys are being applied by the sending device. The sequence number tells how many packets with the same parameters have been sent. This number acts as a counter and is incremented each time a packet with the same SPI is bound for the same address. Authentication data is a digital signature for the packet. To authenticate users, the AH can use either the Message Digest 5 algorithm or the Secure Hash Algorithm.

4.5.3 Operating modes
There are two different modes in IPsec, transport mode and tunnel mode. In transport mode, only the data from the upper-layer protocol and the data transported by the IP datagrams are protected. This mode is usable only on final equipment. In tunnel mode, the IP header is also protected (authentication, integrity and/or confidentiality) and is replaced by a new header. This new header is used to transport the packet to the end of the tunnel, where the original header is restored. This mode makes it possible to ensure a more significant protection against traffic analysis. Tunnel mode is usable either on final equipment or on security gateways.
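The AH fields described in 4.5.2 (next header, payload length, SPI, sequence number, authentication data) and the optional replay-detection service, as an added Python example that is not part of the lecture notes. The field layout follows RFC 4302; the key, the protected payload and the 32-entry window size are constructed for the demo, and HMAC-SHA1-96 stands in for whichever integrity algorithm an SA would negotiate.

```python
"""Authentication Header construction, parsing, integrity check and
anti-replay window.

AH layout per RFC 4302: Next Header (8 bits), Payload Length (8 bits),
Reserved (16 bits), SPI (32 bits), Sequence Number (32 bits), then the
Integrity Check Value (ICV).  RFC 4302 defines Payload Length as the
length of the whole AH in 32-bit words minus 2, so with a 12-byte ICV
(HMAC-SHA1-96) the field carries the value 4.
"""
import hashlib
import hmac
import struct
from typing import Optional

AH_FIXED = struct.Struct("!BBHII")   # next, payload_len, reserved, spi, seq
ICV_LEN = 12                         # HMAC-SHA1 truncated to 96 bits


def compute_icv(key: bytes, ah_fixed: bytes, protected: bytes) -> bytes:
    """ICV over the AH (ICV field zeroed) plus the data it protects."""
    mac = hmac.new(key, ah_fixed + b"\x00" * ICV_LEN + protected, hashlib.sha1)
    return mac.digest()[:ICV_LEN]


def build_ah(key: bytes, next_header: int, spi: int, seq: int, protected: bytes) -> bytes:
    """Sender side: produce the AH that precedes `protected`."""
    payload_len = (AH_FIXED.size + ICV_LEN) // 4 - 2
    fixed = AH_FIXED.pack(next_header, payload_len, 0, spi, seq)
    return fixed + compute_icv(key, fixed, protected)


def parse_ah(data: bytes) -> dict:
    """Split an AH into its fields; raises ValueError if malformed."""
    if len(data) < AH_FIXED.size:
        raise ValueError("AH shorter than the fixed header")
    next_header, payload_len, _reserved, spi, seq = AH_FIXED.unpack_from(data)
    total_len = (payload_len + 2) * 4
    if len(data) < total_len:
        raise ValueError("AH truncated: payload length exceeds available data")
    return {"next_header": next_header, "payload_len": payload_len,
            "spi": spi, "seq": seq,
            "icv": data[AH_FIXED.size:total_len], "ah_len": total_len}


class ReplayWindow:
    """Per-SA sliding window: each sequence number is accepted once;
    duplicates and numbers older than the window are rejected."""

    def __init__(self, size: int = 32) -> None:
        self.size = size
        self.highest = 0
        self.bitmap = 0   # bit i set  =>  sequence (highest - i) already seen

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False  # sequence numbers start at 1
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False  # too old to be tracked
        if self.bitmap & (1 << offset):
            return False  # replay of a packet already accepted
        self.bitmap |= 1 << offset
        return True


def verify_packet(key: bytes, packet: bytes, window: ReplayWindow,
                  expected_spi: int) -> Optional[dict]:
    """Receiver side: parse the AH, check SPI, ICV, then the replay window.
    Returns the parsed header when accepted, None when rejected."""
    hdr = parse_ah(packet)
    if hdr["spi"] != expected_spi:
        return None   # not our security association
    fixed = packet[:AH_FIXED.size]
    protected = packet[hdr["ah_len"]:]
    if not hmac.compare_digest(compute_icv(key, fixed, protected), hdr["icv"]):
        return None   # altered in transit or wrong key
    if not window.check_and_update(hdr["seq"]):
        return None   # replayed or stale sequence number
    return hdr
```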
4.6. FIREWALLS
A firewall is simply a group of components that collectively form a barrier between two networks. A firewall is a piece of hardware and/or software which functions in a networked environment to prevent some communications forbidden by the security policy.

4.6.1 Terminologies
Bastion host. A general-purpose computer used to control access between the internal (private) network (intranet) and the Internet (or any other untrusted network).

Router. A special purpose computer for connecting networks together. Routers also handle certain functions, such as routing, or managing the traffic on the networks they connect.

Access Control List (ACL). Many routers now have the ability to selectively perform their duties, based on a number of facts about a packet that comes to it. This includes things like origination address, destination address, destination service port, and so on. These can be employed to limit the sorts of packets that are allowed to come in and go out of a given network.

Demilitarized Zone (DMZ). The DMZ is a critical part of a firewall: it is a network that is neither part of the untrusted network, nor part of the trusted network. But, this is a network that connects the untrusted to the trusted. The importance of a DMZ is tremendous: someone who breaks into your network from the Internet should have to get through several layers in order to successfully do so. Those layers are provided by various components within the DMZ.

Proxy. This is the process of having one host act on behalf of another. A host that has the ability to fetch documents from the Internet might be configured as a proxy server, and hosts on the intranet might be configured to be proxy clients. All hosts on the intranet are then able to access resources on the Internet without having the ability to talk directly to the Internet.

4.6.2 Types of Firewalls
Application Gateways
The first firewalls were application gateways, and are sometimes known as proxy gateways. These are made up of bastion hosts that run special software to act as a proxy server. This software runs at the Application Layer of the ISO/OSI Reference Model, hence the name. Clients behind the firewall must be proxitized (that is, must know how to use the proxy, and be configured to do so) in order to use Internet services. Traditionally, these have been the most secure, because they don't allow anything to pass by default, but need to have the programs written and turned on in order to begin passing traffic.

Packet Filtering
Packet filtering is a technique whereby routers have ACLs (Access Control Lists) turned on. By default, a router will pass all traffic sent to it, and will do so without any sort of restrictions. Employing ACLs is a method for enforcing security policy with regard to what sorts of access you allow the outside world to have to your internal network, and vice versa. There is less overhead in packet filtering than with an application gateway, because the feature of access control is performed at a lower ISO/OSI layer (typically, the transport or session layer). Due to the lower overhead and the fact that packet filtering is done with routers, which are specialized computers optimized for tasks related to networking, a packet filtering gateway is often much faster than an application gateway.

4.7. SECURITY MECHANISMS IN JAVA PLATFORM
Java applets are far more powerful than the usual HTML code served up on the Web. When not restricted by applet-security measures, Java is a complete and powerful programming language capable of sending information over the network, reading, altering, or deleting files, using system resources, and so on. This is powerful stuff; in the hands of a malicious programmer it could be misused, so Java should restrict itself such that the full power and potential of the Java language is not misused. Java applets we retrieve from the Web have been written by someone else; we cannot trust them to perform with integrity. Java downloaded from the Net is automatically considered untrusted code. In order to ensure that untrusted code does nothing mischievous, it is important to limit what that untrusted code can do.

Following are the basic categories of potential attacks Java applets could facilitate:

ATTACK CLASS | EXPLANATION AND CONSEQUENCES | JAVA DEFENSE
System Modification | The most severe class of attacks. Applets that implement such attacks are attack applets. Consequences of these attacks: severe. | Strong
Invasion of Privacy | If you value your privacy, this attack class may be particularly odious. They are implemented by malicious applets. Include mail forging. Consequences of these attacks: moderate. | Strong
Denial of Service | Also serious but not severely so, these attacks can bring a machine to a standstill. May require reboot. Implemented by malicious applets. Consequences of these attacks: moderate. | Weak
Antagonism | Merely annoying, this attack class is the most commonly encountered. May require restart of browser. Also implemented by malicious applets. Consequences of these attacks: light to moderate. | Weak

4.7.1 Java Sandbox Architecture
The default sandbox is made of three interrelated parts: the Verifier, the Class Loader, and the Security Manager. If any of the three parts breaks, the entire security system breaks. The verification process, in concert with the security features built into the language and checked at runtime, helps to establish a base set of security guarantees. The Verifier is built in to the VM and cannot be accessed by Java programmers or Java users. In most Java implementations, when Java code arrives at the VM and is formed into a Class by the Class Loader, the Verifier automatically examines it. If the Verifier discovers a problem with a class file, it throws an exception, loading ceases, and the class file never executes. The Verifier checks byte code at a number of different levels. The simplest test makes sure that the format of a code fragment is correct. The Verifier also ensures that class files that refer to each other preserve binary compatibility. There are rules of compatibility that govern the ability to change the use of classes and methods without breaking binary compatibility. The Verifier enforces these compatibility rules. For example, it is okay to add a method to a class that is used by other classes, but not okay to delete methods from a class used by other classes. Once byte code passes through verification, the following things are guaranteed:
• The class file has the correct format
• Stacks will not be overflowed or underflowed
• Byte code instructions all have parameters of the correct type
• No illegal data conversions (casts) occur
• Private, public, protected, and default accesses are legal

The Verifier acts as the primary gatekeeper in the Java security model. It ensures that each piece of byte code downloaded from the outside plays by the rules. That way, the Java VM can safely execute byte code that may not have been created by a Java compiler. When the Verifier finds a problem in a class, it rejects the malformed class and throws an exception. This is obviously a much more reasonable behavior than running buggy or malicious code that crashes the VM.

All Java objects belong to classes. Class loaders determine when and how classes can be added to a running Java environment. Part of their job is to make sure that important parts of the Java runtime environment are not replaced by impostor code. Class loaders perform two functions. First, under normal operation, when the VM needs to load the byte code for a particular class, it asks a class loader to find the byte code. Each class loader can use its own method for finding requested byte code files: it can load them from the local disk, fetch them across the Net using any protocol, or it can just create the byte code on the spot. This flexibility is not a security problem as long as the party who wrote the code that is being loaded trusts the class loader. Second, class loaders define the namespaces seen by different classes and how those namespaces relate to each other. A namespace is a set of unique names of classes loaded by a particular Class Loader and a binding of each name to a specific class object. Applet Class Loaders, which are typically supplied by the browser vendor, load all applets and the classes they reference, usually getting the classes from HTTP servers. When an applet loads across the network, its Applet Class Loader receives the binary data and instantiates it as a new class. Applets are forbidden to install a new Class Loader.

Summary
Each Java class begins as source code. This is then compiled into byte code and distributed to machines anywhere on the Net. A Java-enabled browser automatically downloads a class when it encounters the <APPLET> tag in an HTML document. The Verifier examines the byte code of a class file to ensure that it follows Java's strict safety rules. The Java VM interprets byte code declared safe by the Verifier. The Java specification allows classes to be unloaded when they are no longer needed, but few current Java implementations unload classes. Java's ability to dynamically load classes into a running Java environment is fraught with security risks. The class-loading mechanisms mitigate these risks by providing separate namespaces set up according to where mobile code originates. This capability ensures that essential Java classes cannot be spoofed (replaced) by external, untrusted code. The Applet Class Loader in particular is a key piece of the Java security model.

4.7.2 Security Manager
The third part of the base Java security model is the Security Manager. This part of the security model restricts the ways an applet uses visible interfaces (Java API calls). The Security Manager implements a good portion of the entire security model and is the part of the security model most often encountered (in terms of a SecurityException) by Java applet developers. The job of the Security Manager is to keep track of who is allowed to do which dangerous operations. A standard Security Manager will disallow most operations when they are requested by untrusted code, and will allow trusted code to do whatever it wants. Decisions made by the Security Manager take into account the origin of the requesting class. Obviously, built-in classes are usually given more privilege than classes loaded across the Net. The Security Manager is a single Java object that performs runtime checks on dangerous methods. Code in the Java library consults the Security Manager whenever a potentially dangerous operation is attempted. The Security Manager can veto the operation by generating a SecurityException. The Security Manager makes the final decision as to whether a particular operation is permitted or rejected.

The Java API provides all calls necessary to interface to the operating system, thus making isolation of all required security checks possible within the API. When a dangerous call is made to the Java library, the library queries the Security Manager. These queries use a set of methods that check access. Each VM can have only one Security Manager installed at a time, and once a Security Manager has been installed it cannot be uninstalled (except by restarting the VM). Java-enabled applications such as Web browsers install a Security Manager as part of their initialization, thus locking in the Security Manager before any potentially untrusted code has a chance to run.

4.7.3 What the Security Manager Is Set Up to Do for Untrusted Applets
The Security Manager has the following duties:
• Prevent installation of new class loaders. The job of class loaders is to keep the namespaces properly organized. Because security checks are requested by classes in the Java library, applets must be prevented from spoofing the library classes.
• Protect threads and thread groups from each other.
• Control the execution of other application programs.
• Control the ability to shut down the VM.
• Control access to other application processes.
• Control access to system resources such as print queues, clipboards, event queues, system properties, and windows.
• Control file system operations such as read, write, and delete. Access to local files is strictly controlled.
• Control network socket operations such as connect and accept.
• Control access to Java packages (or groups of classes), including access to security enforcement classes.

Source: www.securingjava.com
Policy issues at the governmental. TYPES OF SECURITY Database security is a very broad area that addresses many issues like: 1. Access control – The security mechanism of a DBMS must include provisions for restricting access to the database system as a whole. income level and other criteria. This function is called access control and is handled by creating user accounts and passwords to control the login process by the DBMS.Security In Computing
Dept of Computer Science & Engg. 3. Loss of availability is a serious threat to database security. For e. Loss of integrity – Database security refers to the requirement that information be protected from improper modification. THREATS TO DATABASES Important security goals are integrity. The need in some organizations to identify multiple security levels and to categorize the data and users based on these classifications. Integrity is lost if unauthorized changes are made to data by either intentional or accidental acts. Threats to databases result in the loss of degradation of some or all of the security goals. Legal and ethical issues regarding the right to access information. deletion. To protect databases against these types of threats four kinds of countermeasures can be implemented: 1. a database for population statistics based on age groups. availability and confidentiality. 1. Loss of availability – Database availability refers to making objects available to a human user or a program to which they have a legitimate right. 2. 4. 3. Inference control – Statistical database is used to provide statistical information or summaries of values based on various criteria.g. VJCET
5. Modification of data includes insertion. 5. updation etc. It is sometimes possible to deduce or infer certain facts concerning 102
Database security issues
Database security addresses a number of issues, among them:
1. Policy issues at the institutional or corporate level as to what kinds of information should not be made publicly available.
2. System-related issues such as the system levels at which various security functions should be enforced.

Loss of confidentiality – Database confidentiality refers to the protection of data from unauthorized disclosure. Unauthorized access to data can lead to loss of database security.

Database security mechanisms
A DBMS includes a database security and authorization subsystem that is responsible for ensuring the security of portions of a database against unauthorized access. In a multiuser database system, the DBMS must provide techniques to enable certain users or user groups to access selected portions of a database without gaining access to the rest of the database. There are two types of database security mechanisms:
1. Discretionary security mechanisms – These are used to grant privileges to users, including the capability to access specific data files, records or fields in a specified mode.
2. Mandatory security mechanisms – These are used to enforce multilevel security by classifying the data and users into various security classes (or levels) and then implementing the appropriate security policy of the organization.

Three further problems a DBMS has to deal with are:
1. Statistical database security – Users must be prevented from inferring information about individuals from queries that involve only summary statistics on groups; such inference must not be permitted. The corresponding countermeasures are called inference control measures.
2. Flow control – It prevents information from flowing in such a way that it reaches unauthorized users. Channels that are pathways for information to flow implicitly in ways that violate the security policy of an organization are called covert channels.
3. Data encryption – It is used to protect sensitive data that is being transmitted via some type of communications network. Encryption is also used for providing additional protection for sensitive portions of a database. The data is encoded using some coding algorithm.

5.3. DATABASE ADMINISTRATOR (DBA)
The DBA is the central authority for managing a database system. The DBA has a DBA account, also called a system or superuser account, which provides powerful capabilities that are not made available to regular database accounts and users. The DBA has privileged commands for performing actions like:
1. Account creation – This action creates a new account and password for a user or a group of users to enable access to the DBMS.
2. Privilege granting – This action permits the DBA to grant certain privileges to certain accounts.
3. Privilege revocation – This action permits the DBA to revoke (cancel) certain privileges that were previously given to certain accounts.
4. Security level assignment – This action consists of assigning user accounts to the appropriate security classification level.

5.4. ACCESS PROTECTION, USER ACCOUNTS & DATABASE AUDITS
Whenever a person or group of persons needs to access a DBMS, the individual or group must apply for a user account. The DBA will then create a new account number and password for the user if there is a legitimate need to access the database. The user must log into the DBMS by entering the account number and password whenever database access is needed. The DBMS checks that the account number and password are valid; if they are, the user is permitted to use the DBMS. To keep track of database users and their accounts and passwords, there is an encrypted table or file with two fields, account number and password. Whenever a new account is created, a new record is inserted into the table; when an account is cancelled, the corresponding record is deleted from the table. (In practice the password field should hold a salted, slow password hash rather than a recoverable encrypted value, so that a copy of the table does not yield the passwords themselves.) The database system must also keep track of all operations on the database that are applied by a certain user throughout each login session, which consists of the sequence of database interactions that a user performs from the time of logging in to the time of logging off. When a user logs in, the DBMS can record the user's account number and associate it with the terminal from which the user logged in. All operations applied from that terminal are attributed to the user's account until the user logs off. To keep track of all updates applied to the database, a system log is maintained. It includes an entry for each operation applied to the database that may be required for recovery from a transaction failure or system crash.
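As an added example (not part of the notes) of how such a session log is reviewed, the following Python attributes every logged operation to the account that was logged in at that terminal, in the way the section describes, and then checks a time window for operations that no authorized account should have made. The line format, terminal names and account numbers are assumptions made for the example.

```python
"""Database audit over an audit trail: attribute each logged operation to the
account logged in at that terminal, then review a time window for operations
that no authorized account should have performed.  Added example, not from
the notes; the line format and the account numbers are assumptions."""
from collections import namedtuple
from datetime import datetime

# Constructed sample audit trail, one entry per line: timestamp|terminal|event|detail.
# For LOGIN the detail is the account number; for LOGOFF it is empty; for any
# other event it is the relation operated on.
SAMPLE_LOG = """\
2024-03-01T09:00:00|T1|LOGIN|A2
2024-03-01T09:01:10|T1|SELECT|EMPLOYEE
2024-03-01T09:05:00|T2|LOGIN|A3
2024-03-01T09:06:30|T2|SELECT|DEPT
2024-03-01T09:07:00|T1|DELETE|EMPLOYEE
2024-03-01T09:08:00|T1|LOGOFF|
2024-03-01T09:10:00|T1|LOGIN|A5
2024-03-01T09:11:00|T1|DELETE|EMPLOYEE
2024-03-01T09:12:00|T2|UPDATE|EMPLOYEE
2024-03-01T09:13:00|T2|LOGOFF|
2024-03-01T09:14:00|T1|LOGOFF|
"""

Entry = namedtuple("Entry", "ts terminal event detail account")


def parse_log(text):
    """Parse the trail.  The DBMS records the account at LOGIN and attributes
    every later operation from that terminal to it until LOGOFF, so the account
    is carried along per terminal here in the same way."""
    logged_in = {}                      # terminal -> account currently logged in
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, terminal, event, detail = line.split("|", 3)
        if event == "LOGIN":
            logged_in[terminal] = detail
            account = detail
        elif event == "LOGOFF":
            account = logged_in.pop(terminal, None)
        else:
            # None here means an operation with no open session on the
            # terminal, which is itself worth flagging.
            account = logged_in.get(terminal)
        entries.append(Entry(datetime.fromisoformat(ts), terminal, event, detail, account))
    return entries


def audit(entries, start, end, operations, relation, allowed):
    """Return (account, terminal, timestamp) for every `operations` event on
    `relation` between the ISO timestamps `start` and `end` that was made by an
    account outside `allowed` (or with no session at all)."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [
        (e.account, e.terminal, e.ts.isoformat())
        for e in entries
        if lo <= e.ts <= hi
        and e.event in operations
        and e.detail == relation
        and e.account not in allowed
    ]


if __name__ == "__main__":
    trail = parse_log(SAMPLE_LOG)
    for account, terminal, ts in audit(trail, "2024-03-01T09:00:00", "2024-03-01T10:00:00",
                                       {"DELETE"}, "EMPLOYEE", allowed={"A2"}):
        print(f"{ts}: DELETE on EMPLOYEE by account {account} from terminal {terminal}")
```

The attribution depends entirely on the LOGIN/LOGOFF entries being complete and on the trail itself being tamper-proof; an attacker who can edit the trail can move their operations onto someone else's session.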
If any tampering with the database is suspected, a database audit is performed, which consists of reviewing the log to examine all accesses and operations applied to the database during a certain time period. When an illegal or unauthorized operation is found, the DBA can determine the account number used to perform the operation. A database log that is used mainly for security purposes is called an audit trail. For the audit trail to be worth anything it must be protected from the accounts whose actions it records, for example by copying it to append-only storage outside the database, since an intruder who obtains a privileged account could otherwise erase the evidence of their own operations.

5.5. TYPES OF DISCRETIONARY PRIVILEGES
There are two levels of assigning privileges to use the database system:
1. The account level – At this level, the DBA specifies the particular privileges that each account holds independently of the relations in the database. The privileges at the account level are:
a) Create schema or Create table – to create a schema or base relation.
b) Create view – to create virtual relations.
c) Alter – to apply schema changes such as adding or removing attributes from relations.
d) Drop – to delete relations or views.
e) Modify – to insert, delete or update tuples.
f) Select – to retrieve information from the database by using a SELECT query.
2. The relation (or table) level – At this level, the DBA can control the privilege to access each individual relation or view in the database. The relation-level privileges are applied to base relations or virtual relations (views). Privileges at the relation level specify, for each user, the individual relations on which each type of command can be applied.

Access Matrix Model
The granting and revoking of privileges generally follows an authorization model for discretionary privileges known as the access matrix model. In this model the rows of a matrix M represent subjects (users, accounts and programs) and the columns represent objects (relations, records, columns, views, operations). Each position M(i, j) in the matrix represents the types of privileges (read, write, update) that subject i holds on object j. To control the granting and revoking of privileges, each relation R in a database is assigned an owner account. The owner is given all privileges. The owner account holder can pass privileges to other users by granting privileges to their accounts. In SQL, the following types of privileges can be granted on a relation R:
1. SELECT – This gives the account the privilege to use the SELECT statement on R.
2. MODIFY – This gives the account the privilege to use INSERT, UPDATE and DELETE statements on R.
3. REFERENCES – This gives the account the capability to reference relation R when specifying integrity constraints. It is kept separate from SELECT because a foreign key pointing into R lets the referencing account test which key values exist in R even without reading R.
Specifying Privileges using views
If the owner A of a relation R wants another account B to be able to retrieve only some fields of R, then A can create a view V of R that includes only those attributes and then grant SELECT on V to B. The same technique restricts B to selected tuples, by defining V with a WHERE condition.

Revoking Privileges
The owner of a relation may want to grant certain privileges to a user for a specific task and then revoke those privileges once the task is completed. In SQL, the REVOKE command is used for cancelling privileges.

Propagation of privileges using the GRANT OPTION
Whenever the owner A of a relation R grants a privilege on R to another account B, the privilege can be given to B with or without the GRANT OPTION. If the GRANT OPTION is given, B can also grant the privilege on R to other accounts. Suppose that B is given the GRANT OPTION by A and that B then grants the privilege on R to a third account C, also with the GRANT OPTION. In this way, privileges on R can propagate to other accounts without the knowledge of the owner of R. If the owner account A now revokes the privilege granted to B, all the privileges that B propagated based on that privilege should automatically be revoked by the system (a cascading revoke).

It is possible for a user to receive a certain privilege from two or more sources. For example, A4 may receive a certain 'update R' privilege from both A2 and A3. In such a case, if A2 revokes this privilege from A4, A4 will still continue to have the privilege by virtue of having been granted it by A3. If A3 later revokes the privilege from A4, A4 totally loses the privilege.

Examples:
1. GRANT CREATETAB TO A1 – gives A1 the privilege to create tables.
2. GRANT INSERT, DELETE ON EMPLOYEE, DEPT TO A2 – gives A2 the privilege to perform insert and delete operations on the EMPLOYEE and DEPT tables.
3. GRANT SELECT ON EMPLOYEE TO A3 WITH GRANT OPTION – gives A3 the privilege to perform select operations on EMPLOYEE and to pass that privilege on to other accounts.
4. REVOKE SELECT ON EMPLOYEE FROM A3 – revokes the privilege to perform SELECT operations on EMPLOYEE from A3.
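The propagation, cascading revoke and two-sources behaviour described above, as an added Python model that is not part of the notes. A grant is an edge from grantor to grantee; an account holds a privilege only while a chain of grants connects it to the owner, which is what makes revocation cascade. Each grant also carries a vertical propagation limit (0 means no GRANT OPTION, j > 0 means the grantee may re-grant only with a smaller limit). The accounts A1..A5 and the relation EMPLOYEE are illustrative, and horizontal limits are not modelled.

```python
"""Discretionary privileges with the GRANT OPTION: propagation through a chain
of grants, cascading revoke, the case of a privilege received from two sources,
and a vertical-propagation limit on how far a grant may travel.  Added example,
not from the notes; the accounts A1..A5 and relation EMPLOYEE are illustrative,
and horizontal propagation limits are not modelled."""


class PrivilegeStore:
    """Every grant is stored as an edge (grantor, grantee, limit) under the key
    (privilege, relation).  limit is the vertical propagation given with the
    grant: 0 means no GRANT OPTION, j > 0 means the grantee may re-grant, but
    only with a limit below j, so chains of grants are bounded."""

    def __init__(self, owners):
        self.owners = dict(owners)        # relation -> owner account, holds everything
        self.grants = {}                  # (privilege, relation) -> [(grantor, grantee, limit)]

    def _edges(self, priv, rel):
        return self.grants.setdefault((priv, rel), [])

    def _holders(self, priv, rel):
        """Accounts reachable from the owner through an unbroken chain of grants.
        Grants made by someone who is no longer a holder do not count, which is
        what makes revocation cascade (and stops two accounts from propping
        each other up with mutual grants once the owner has revoked)."""
        holders = {self.owners[rel]}
        grew = True
        while grew:
            grew = False
            for grantor, grantee, _ in self._edges(priv, rel):
                if grantor in holders and grantee not in holders:
                    holders.add(grantee)
                    grew = True
        return holders

    def has(self, account, priv, rel):
        return account in self._holders(priv, rel)

    def limit_of(self, account, priv, rel):
        """Largest vertical limit the account currently holds; the owner is
        unlimited, a non-holder has None."""
        if self.owners[rel] == account:
            return float("inf")
        holders = self._holders(priv, rel)
        if account not in holders:
            return None
        return max(lim for g, e, lim in self._edges(priv, rel) if e == account and g in holders)

    def grant(self, grantor, grantee, priv, rel, limit=0):
        """grantor gives priv on rel to grantee.  Requires grantor to hold the
        privilege with GRANT OPTION (limit > 0) and to pass on a smaller limit."""
        have = self.limit_of(grantor, priv, rel)
        if have is None or have == 0:
            raise PermissionError(f"{grantor} has no GRANT OPTION for {priv} on {rel}")
        if limit >= have:
            raise PermissionError(f"{grantor} may grant with a limit below {have} only")
        self._edges(priv, rel).append((grantor, grantee, limit))

    def revoke(self, grantor, grantee, priv, rel):
        """Drop grantor's grant to grantee, then drop every grant whose grantor
        thereby stopped being a holder (the cascade)."""
        edges = self._edges(priv, rel)
        edges[:] = [e for e in edges if (e[0], e[1]) != (grantor, grantee)]
        holders = self._holders(priv, rel)
        edges[:] = [e for e in edges if e[0] in holders]


def scenario():
    """A4 receives SELECT on EMPLOYEE from both A2 and A3; revoking A2's grant
    leaves A4 with the privilege, revoking A3's as well removes it."""
    store = PrivilegeStore({"EMPLOYEE": "A1"})
    store.grant("A1", "A2", "SELECT", "EMPLOYEE", limit=2)   # A2 may re-grant with limit < 2
    store.grant("A1", "A3", "SELECT", "EMPLOYEE", limit=2)
    store.grant("A2", "A4", "SELECT", "EMPLOYEE")            # no GRANT OPTION for A4
    store.grant("A3", "A4", "SELECT", "EMPLOYEE")
    try:
        store.grant("A2", "A5", "SELECT", "EMPLOYEE", limit=2)  # does not shrink the limit
        limit_enforced = False
    except PermissionError:
        limit_enforced = True
    store.revoke("A1", "A2", "SELECT", "EMPLOYEE")
    after_first = (store.has("A2", "SELECT", "EMPLOYEE"), store.has("A4", "SELECT", "EMPLOYEE"))
    store.revoke("A1", "A3", "SELECT", "EMPLOYEE")
    after_second = (store.has("A3", "SELECT", "EMPLOYEE"), store.has("A4", "SELECT", "EMPLOYEE"))
    return limit_enforced, after_first, after_second


if __name__ == "__main__":
    print(scenario())   # (True, (False, True), (False, False))
```

Computing holders by reachability from the owner, rather than by counting incoming grants, is the detail that matters: with a plain count, two accounts that granted to each other with GRANT OPTION would keep the privilege forever after the owner revoked it.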
Specifying limits on propagation of privileges
1. Horizontal propagation – Limiting horizontal propagation to an integer number i means that an account B given the GRANT OPTION can grant the privilege to at most i other accounts.
2. Vertical propagation – Granting a privilege with a vertical propagation of zero is equivalent to granting the privilege with no GRANT OPTION. If account A grants a privilege to account B with the vertical propagation set to an integer number j > 0, this means that the account B has the GRANT OPTION on that privilege, but B can grant the privilege to other accounts only with a vertical propagation less than j.

5.6. MANDATORY ACCESS CONTROL FOR MULTILEVEL SECURITY
MAC requires the classification of users and data values into security classes and enforces rules that prohibit the flow of information from higher to lower security levels. Typical security classes are top secret (TS), secret (S), confidential (C) and unclassified (U), where TS is the highest level and U is the lowest: TS > S > C > U. The commonly used model for multilevel security, known as the Bell-LaPadula model, classifies each subject (user, account, program) and object (relation, tuple, column, view, operation) into one of the security classifications TS, S, C or U. The clearance (classification) of a subject S is referred to as class(S) and the classification of an object O as class(O). Two restrictions are enforced on data access based on the subject/object classifications:
1. A subject S is not allowed read access to an object O unless class(S) ≥ class(O). This is known as the simple security property (no read up).
2. A subject S is not allowed to write an object O unless class(S) ≤ class(O). This is known as the star property (no write down).
The first rule enforces that no subject can read an object whose security classification is higher than the subject's security clearance. The second rule prohibits a subject from writing an object at a lower security classification than the subject's security clearance. Violation of this rule would allow information to flow from higher to lower classifications: for example, a user (subject) with TS clearance could make a copy of an object with classification TS and then write it back as a new object with classification U, thus making it visible throughout the system. Note that the star property still permits writing up (a U subject may write into an S object); it protects confidentiality only, so practical systems add an integrity rule or restrict writes to objects at exactly the subject's level.
To incorporate multilevel security notions into the relational database model, it is common to consider attribute values and tuples as data objects. Hence each attribute A is associated with a classification attribute C in the schema, and each attribute value in a tuple is associated with a corresponding security classification. In addition, in some models, a tuple classification attribute TC is added to the relation attributes to provide a classification for each tuple as a whole. Hence a multilevel relation schema R with n attributes can be represented as
R(A1, C1, A2, C2, ..., An, Cn, TC)
where each Ci represents the classification attribute associated with the attribute Ai.

Apparent key – The apparent key of a multilevel relation is the set of attributes that would have formed the primary key in a regular (single-level) relation.
Filtering – The process of producing tuples at a lower classification level from a single tuple of a relation stored at a higher classification level.
Polyinstantiation – The state in which several tuples can have the same apparent key value but have different attribute values for users at different classification levels.

The entity integrity rule for multilevel relations states that all attributes that are members of the apparent key must not be null and must have the same security classification within each individual tuple. In addition, all other attribute values in the tuple must have a security classification greater than or equal to that of the apparent key.

Consider as an example the relation Employee of Fig (1), where each attribute value is followed by its classification:

Fig (1) Employee
Name      Salary     JobPerformance   TC
Smith U   40000 C    Fair S           S
Brown C   80000 S    Good C           S

Assume that the Name attribute is the apparent key. Now consider the query 'select * from employee'.
Case 1: A user with security clearance S would see the original relation as it is (Fig (2)).
Case 2: A user with security clearance C would see the relation as:

Fig (3)
Name      Salary     JobPerformance   TC
Smith U   40000 C    null C           C
Brown C   null C     Good C           C

Case 3: A user with security clearance U would see the relation as:

Fig (4)
Name      Salary     JobPerformance   TC
Smith U   null U     null U           U

Thus we can see that filtering introduces null values for attribute values whose security classification is higher than the user's security clearance, and drops tuples whose apparent key the user is not cleared to see.

Suppose that a user with security clearance C tries to update the value of JobPerformance of Smith to 'Excellent'. The SQL statement would be:
Update employee Set JobPerformance = 'Excellent' Where Name = 'Smith'
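The Bell-LaPadula checks, the filtering of Fig (1) into Fig (3) and Fig (4), and the handling of the C user's update, as an added Python example that is not part of the notes. Each attribute value carries its classification, and an update by a user who sees null for a higher-classified value produces a second, polyinstantiated tuple at that user's level instead of being rejected; the function names and the string return codes are this example's own.

```python
"""Multilevel relation with a classification on every attribute value and on
the tuple (TC): Bell-LaPadula read/write checks, filtering of the relation for a
user's clearance, and polyinstantiation when a lower-cleared user updates a
value that is hidden from them.  Added example, not from the notes; the data
is the Employee relation of Fig (1)."""

LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}       # U < C < S < TS


def can_read(subject, obj):
    """Simple security property: no read up."""
    return LEVELS[subject] >= LEVELS[obj]


def can_write(subject, obj):
    """Star property: no write down."""
    return LEVELS[subject] <= LEVELS[obj]


# Each attribute value is stored as (value, classification); TC classifies the tuple.
EMPLOYEE = [
    {"Name": ("Smith", "U"), "Salary": (40000, "C"), "JobPerformance": ("Fair", "S"), "TC": "S"},
    {"Name": ("Brown", "C"), "Salary": (80000, "S"), "JobPerformance": ("Good", "C"), "TC": "S"},
]
APPARENT_KEY = ("Name",)


def filter_relation(relation, clearance):
    """The view a user with `clearance` gets from 'select * from employee':
    tuples whose apparent key the user may read, with every higher-classified
    value replaced by null (None) at the user's own level, and TC lowered to the
    clearance.  Tuples whose key is above the clearance are dropped entirely."""
    view = []
    for t in relation:
        if not all(can_read(clearance, t[a][1]) for a in APPARENT_KEY):
            continue
        row = {}
        for attr, (value, cls) in ((a, t[a]) for a in t if a != "TC"):
            row[attr] = (value, cls) if can_read(clearance, cls) else (None, clearance)
        row["TC"] = t["TC"] if can_read(clearance, t["TC"]) else clearance
        view.append(row)
    return view


def update(relation, clearance, name, attr, new_value):
    """UPDATE employee SET attr = new_value WHERE Name = name, issued by a user
    at `clearance`.  Returns what the DBMS did:
      'updated'          the value was at the user's level and is overwritten;
      'polyinstantiated' the value is classified above the user, so the user saw
                         null; rejecting would reveal that a hidden value exists,
                         so a second tuple at the user's level is inserted;
      'rejected'         the value is classified below the user (write down)."""
    visible = [t for t in relation
               if t["Name"][0] == name and can_read(clearance, t["Name"][1])]
    if not visible:
        return "no such tuple"
    for t in visible:
        if t[attr][1] == clearance:
            t[attr] = (new_value, clearance)
            return "updated"
    t = visible[0]
    if not can_write(clearance, t[attr][1]):
        return "rejected"
    new_t = {}
    for a, (value, cls) in ((a, t[a]) for a in t if a != "TC"):
        new_t[a] = (value, cls) if can_read(clearance, cls) else (None, clearance)
    new_t[attr] = (new_value, clearance)
    new_t["TC"] = clearance
    relation.append(new_t)
    return "polyinstantiated"


def scenario():
    """The worked case from the notes: a C user sets Smith's JobPerformance,
    which is Secret and therefore shows as null to them, to 'Excellent'."""
    rel = [dict(t) for t in EMPLOYEE]
    result = update(rel, "C", "Smith", "JobPerformance", "Excellent")
    return result, rel


if __name__ == "__main__":
    for level in ("S", "C", "U"):
        print(level, filter_relation(EMPLOYEE, level))
    print(scenario())
```

After the scenario an S user filtering the relation sees both Smith tuples, Fair at S and Excellent at C, which is the polyinstantiation the next paragraph introduces; a C user sees only the Excellent one.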
Since the view provided to users with security clearance C (Fig (3)) permits such an update, the system should not reject it; otherwise the user could infer that some non-null value exists for the JobPerformance attribute of Smith rather than the null value that appears. This type of inference should not be permitted in highly secure systems. The solution is to create a polyinstantiation for the Smith tuple at the lower classification level C, as shown below:

Name      Salary     JobPerformance   TC
Smith U   40000 C    Fair S           S
Smith U   40000 C    Excellent C      C
Brown C   80000 S    Good C           S

This is necessary since the new tuple cannot be filtered from the existing tuple of classification S.

5.7. INTRODUCTION TO STATISTICAL DATABASE SECURITY
Statistical databases are used mainly to produce statistics on various populations. The database may contain confidential data, which should be protected from user access. However, users are permitted to retrieve statistical information on populations, such as sum, average, maximum, minimum and standard deviation; i.e. statistical database users are not allowed to retrieve individual data but are allowed to access statistical data as a whole. (A population is a set of tuples of a relation that satisfy some selection condition.) Statistical database security techniques must prohibit the retrieval of individual data. This can be controlled by prohibiting queries that retrieve attribute values and by allowing only queries that involve statistical aggregate functions such as COUNT, SUM, MIN, MAX, AVERAGE and STANDARD DEVIATION. Such queries are called statistical queries. In some cases it is possible to infer the values of individual tuples from a sequence of statistical queries. As an example, consider the two statistical queries:
Q1: select count(*) from person where <condition>
Q2: select avg(income) from person where <condition>

Suppose that we are trying to find the salary of 'Jane Smith' and we know that she has a Ph.D. degree and lives in the city of Bellaire, Texas. We issue query Q1 with the following condition: (Last_degree = 'PH.D.' and Sex = 'F' and City = 'Bellaire' and State = 'Texas'). If we get a result of 1 for this query, we can issue Q2 with the same condition and find the income of 'Jane Smith'. Even if the result of Q1 on the preceding condition is not 1 but a small number, say 2 or 3, we can issue statistical queries using the functions MAX, MIN and AVERAGE to identify the possible range of values for the income of 'Jane Smith'. The possibility of inferring individual information from statistical queries is reduced if no statistical queries are permitted whenever the number of tuples in the population specified by the selection condition falls below some threshold. A threshold alone is not sufficient, however: a query on a population large enough to pass it, followed by a query on the same population minus Jane Smith's tuple, both pass the check, yet the difference of their sums is her income. Another technique for prohibiting retrieval of individual information is therefore to prohibit sequences of queries that refer repeatedly to the same population of tuples.
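The Q1/Q2 inference and the two controls discussed above, as an added Python example that is not part of the notes, run against a constructed person table in SQLite. The statistical interface accepts aggregate queries only and applies a query-set-size threshold and, optionally, a limit on how many tuples a query's population may share with an earlier query's; the threshold alone stops the direct Q1/Q2 attack but not the differencing attack, the overlap limit stops both. The table contents, the interface class and the attack functions are this example's own.

```python
"""Inference from statistical queries (the Q1/Q2 attack) and two inference
controls: a query-set-size threshold and a limit on the overlap between the
populations of successive queries.  Added example, not from the notes; the
person table is constructed and the interface class is illustrative."""
import sqlite3

ROWS = [  # (name, last_degree, sex, city, state, income) -- constructed data
    ("Jane Smith", "PH.D.", "F", "Bellaire", "Texas", 98000),
    ("Ann Lee",    "M.S.",  "F", "Bellaire", "Texas", 61000),
    ("Bob Cole",   "PH.D.", "M", "Bellaire", "Texas", 72000),
    ("Dan Hill",   "B.S.",  "M", "Bellaire", "Texas", 45000),
    ("Eve Park",   "PH.D.", "F", "Houston",  "Texas", 83000),
    ("Fay Quinn",  "M.S.",  "F", "Houston",  "Texas", 57000),
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE person(name, last_degree, sex, city, state, income)")
    db.executemany("INSERT INTO person VALUES (?, ?, ?, ?, ?, ?)", ROWS)
    return db


class StatisticalInterface:
    """Accepts aggregate queries only.  Before answering, the population (rowids
    matching the condition) is checked against a minimum size, and optionally
    against the populations of earlier queries in the same session, rejecting a
    query that shares more than `max_overlap` tuples with any of them.  The
    condition is a parameterised SQL predicate; a real system would accept a
    restricted query language rather than raw SQL from the user."""
    AGGREGATES = {"count": "COUNT(*)", "sum": "SUM(income)", "avg": "AVG(income)",
                  "max": "MAX(income)", "min": "MIN(income)"}

    def __init__(self, db, min_size=3, max_overlap=None):
        self.db, self.min_size, self.max_overlap = db, min_size, max_overlap
        self.history = []                        # populations already answered

    def query(self, agg, condition, params=()):
        pop = {r[0] for r in self.db.execute(
            f"SELECT rowid FROM person WHERE {condition}", params)}
        if len(pop) < self.min_size:
            raise PermissionError("population below the query-set-size threshold")
        if self.max_overlap is not None:
            for earlier in self.history:
                if len(pop & earlier) > self.max_overlap:
                    raise PermissionError("population overlaps an earlier query too much")
        self.history.append(pop)
        sql = f"SELECT {self.AGGREGATES[agg]} FROM person WHERE {condition}"
        return self.db.execute(sql, params).fetchone()[0]


JANE = "last_degree = ? AND sex = ? AND city = ? AND state = ?"
JANE_ARGS = ("PH.D.", "F", "Bellaire", "Texas")
BELLAIRE = "city = ? AND state = ?"
BELLAIRE_ARGS = ("Bellaire", "Texas")


def direct_inference(db, min_size=1):
    """Q1 then Q2 with the same condition: if COUNT is 1, AVG is the individual's income."""
    s = StatisticalInterface(db, min_size=min_size)
    if s.query("count", JANE, JANE_ARGS) == 1:
        return s.query("avg", JANE, JANE_ARGS)
    return None


def differencing_attack(db, max_overlap=None):
    """Two populations that both pass a threshold of 3 but differ only in Jane's
    tuple; the difference of their sums is her income.  With an overlap limit
    below the size of the smaller population the second query is refused."""
    s = StatisticalInterface(db, min_size=3, max_overlap=max_overlap)
    everyone = s.query("sum", BELLAIRE, BELLAIRE_ARGS)
    all_but_jane = s.query("sum", f"{BELLAIRE} AND NOT ({JANE})", BELLAIRE_ARGS + JANE_ARGS)
    return everyone - all_but_jane


if __name__ == "__main__":
    print(direct_inference(make_db()))            # no controls: 98000.0
    print(differencing_attack(make_db()))         # threshold alone: still 98000
    for attack, kwargs in ((direct_inference, {"min_size": 3}),
                           (differencing_attack, {"max_overlap": 2})):
        try:
            attack(make_db(), **kwargs)
        except PermissionError as e:
            print(f"{attack.__name__} blocked: {e}")
```

The overlap limit is kept per session, so an attacker who can open many sessions, or who spreads the two queries across colluding accounts, is not stopped by it; that is why the threshold and overlap checks are combined with auditing of query sequences in practice.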