Unit-2 CSDF
Unit-2 CSDF
• As a common non-technical person point of view security attacks can be classified into three types.
• 1. Criminal Attack
• The main aim of attacker in criminal attack is to maximize financial gain or harm to other or the systems. Some of the
examples of criminal attacks are: fraud, scams, identity theft, intelligent property t brand theft etc...
2. Publicity Attack
The sole aim of an attacker in publicity attack is to get publicity instead of
financial gain. Generally, this type of attackers are not usually hardcore
criminals. They are people like students or employees who tries to get
publicity through applying new approach of attack. Example of such attack
is damage or hijacking web page of popular web site.
3. Legal Attack
The aim of the attacker is to exploit the weakness of the judge and the jury
in technological matters. This form of attack is quite new and unique in
which the attacker tries to convince the judge and the jury that there is
inherent weakness in the computer system and he is not responsible for any
wrongful activity.
Ex. Attacker excuse that he has just clicked as the system asked. He done
nothing.
2.1.2 Technical point of view
As a technical point of view, attacks can be grouped into two types:
passive attacks and active attacks
1. Active Attacks
Active attacks are the attacks in which attacker not only observes traffic
but also tries to modify the original message or creates false message.
These kinds of attacks cannot be easily prevented. Such kind of attacks
can be detected with some effort, and attempts can be made to recover
from it.
Further classification of passive attacks into two sub-categories. These categories are, namely
release of message contents and traffic analysis.
Release of message Content
Release of message contents attack is very simple to understand. Suppose sender wants to
send confidential message to recipient without being released to any else. But an attacker
accesses this message by somehow. We can prevent release of message attack with
encryption like security mechanism.
Traffic Analysis
Sometime passive attacker collects large number of messages passing through network and
figure out similarities between and sort out some pattern. Such attempt of analyzing
encrypted messages to find out original messages is called traffic analysis.
2.1.3 Implementation point of view
All the discussed attacks above can be further can be classified with implementation
point of view as Application-level attacks and Network level attacks.
1. Application-level Attacks.
These are the attacks in which an attacker attempts to access, modify, or prevent access
to information of a particular application, or the application itself.
2. Network-level Attacks
Network level attacks are usually applied to the networks with the aim to reduce the
capabilities of a network by different ways. These attacks may slow down, or
completely halt the computer system network. Once an attacker gets control over
network, he may apply application-level attacks also.
2.2 DIGITAL SIGNATURE
Confidentiality is achieved by using cryptographic techniques.
Integrity can be achieved by using hashing functions and algorithms like SHA Algorithm and MD5
Message Digest. With the use of various activities by network administrator availability can be maintain.
But how can authenticate that a particular message, data, software or document is specific sender. That
is the case where digital signature plays an important role.
2.2.1 What is Digital Signature?
A digital signature is a mathematical technique used to validate the authenticity and integrity of a digital
document, message or software.
It is the digital equivalent of a handwritten signature or stamped seal, but it offers far more inherent
security. A digital signature is intended to solve the problem of tampering and impersonation in digital
communications.
Digital signatures can provide evidence of origin, identity and status of electronic documents,
transactions or digital messages. Signers can also use them to acknowledge informed consent. In many
countries, digital signatures are considered legally in the same way as traditional handwritten document
signatures.
2.2.2 Properties of Digital Signature?
Message Authentication is the mechanism used to protect sender and receiver of digital da transmission from the third
party. But it does not protect two communicating parties from each other. Several disputes between them arise like
below.
Receiver may forge an original message and claim that it was sent by sender.
E. g. Electronic fund transfer takes place, receiver may increase the amount and claims that larger amount had
arrived from the sender.
Sender may deny about sent message
E.g. A stockholder sends an instruction to his stockbroker, and then pretends that he never sent such instruction.
In such situations where there is not complete trust between sender and receiver, something more man authentication
is needed. The most attractive solution to this problem is the digital signature.
• SSL Architecture
• SSL is designed to make use of TCP to provide a reliable end-to-end
secure service.
SSL Architecture
Layer-
1
Layer-
2
SSL Protocol Stack
• SSL is not a single protocol but rather two layers of
protocols.
• The SSL Record Protocol provides basic security services to
various higher layer protocols.
• In particular, the Hypertext Transfer Protocol (HTTP),
which provides the transfer service for Web client/server
interaction.
• Three higher-layer protocols are defined as part of SSL:
1. The Handshake Protocol,
2. The Change Cipher Spec Protocol
3. The Alert Protocol.
• These SSL-specific protocols are used in the management
of SSL exchanges.
SSL Record Protocol
• The SSL Record Protocol provides two services for SSL
connections:
• Confidentiality: The Handshake Protocol defines a shared secret
key that is used for conventional encryption of SSL payloads.
• Message Integrity: The Handshake Protocol also defines a
shared secret key that is used to form a message authentication
code (MAC).
SSL Record Protocol
• The Record Protocol takes an application message to be transmitted,
fragments the data into manageable blocks, optionally compresses the
data, applies a MAC, encrypts, adds a header, and transmits the
resulting unit in a TCP segment.
1. The first step is fragmentation. Each upper-layer message is
fragmented into blocks of 214 bytes (16384 bytes) or less.
2. Next, compression is optionally applied. Compression must be
lossless and may not increase the content length by more than 1024
bytes.
3. The next step in processing is to compute a message authentication
code over the compressed data. For this purpose, a shared secret
key is used.
4. The compressed message plus the MAC are encrypted using
symmetric encryption. Encryption may not increase the content
length by more than 1024 bytes, so that the total length may not
exceed 214 + 2048.
Handshake Protocol
• This protocol allows the server and client to authenticate
each other and to negotiate an encryption and MAC
algorithm and cryptographic keys to be used to protect
data sent in an SSL record.
• The Handshake Protocol is used before any application
data is transmitted.
• The Handshake Protocol consists of a series of messages
exchanged by client and server. message has three fields:
• The handshaking is done in four phases.
A. PHASE 1. ESTABLISH SECURITY CAPABILITIES
B. PHASE 2. SERVER AUTHENTICATION AND KEY EXCHANGE
C. PHASE 3. CLIENT AUTHENTICATION AND KEY EXCHANGE
D. PHASE 4. FINALIZING THE HANDSHAKE PROTOCOL
Details of Phases
• This phase is used to initiate a logical connection and to
establish the security capabilities that will be associated
with it. The exchange is initiated by the client.
• After Phase-1, client and server know the version of
SSL, algorithm for exchange of keys, message
authentication code and encryption. Also it knows
compression model and two random numbers for
key generation.
• After Phase-2, server is authenticated to client and
client knows the public key of the server.
• After Phase-3, the client is authenticated to the
server. Both client and the server know the
cryptographic secret of RSA which is used by them.
• After Phase-4, the client and server are connected
and ready to exchange data.
SSL Handshake
Protocol
Change Cipher Spec Protocol
• The Change Cipher Spec Protocol is one of the three SSL-specific
protocols that use the SSL Record Protocol, and it is the simplest.
• This protocol consists of a single message, which consists of a single
byte with the value 1.
• The server and client cannot use parameters for cryptographic
secrets until they send or receive a special message called the
Change Cipher Spec message, which is generated and exchanged
during handshake protocol.
• The sender and receiver need two state: pending and active state.
The pending state keep track record of the parameters and secrets.
• The active state holds the parameters and secrets which are used by
record protocol to sign/verify or encrypt/decrypt messages.
• The sole purpose of this message is to cause the pending state to be
copied into the current state, which updates the cipher suite to be
used on this connection.
Alert Protocol
• The Alert Protocol is used to convey SSL-related alerts to the peer
entity. As with other applications that use SSL, alert messages are
compressed and encrypted, as specified by the current state.
• Each message in this protocol consists of two bytes.
• The first byte takes the value warning (1) or fatal (2) to convey the
severity of the message. If the level is fatal, SSL immediately
terminates the connection.
• The second byte contains a code that indicates the specific alert.
• fatal: unexpected message, bad record MAC, decompression failure,
handshake failure, illegal parameter
• warning: close notify, no certificate, bad certificate, unsupported
certificate, certificate revoked, certificate expired, certificate unknown
2.5 IPSEC
2.5.1 Introduction-- IPsec
IPsec (Internet Protocol Security) is a large set of protocols and algorithms. Internet
Engineering Task Force (IETF), developed the IPsec protocols for the purpose of
providing security at the IP layer through authentication and encryption of IP network
packets.
Originally, it was defined with two protocols for securing the IP packets which were
Authentication Header (AH) and Encapsulating Security Payload (ESP).
The former protocol i.e. AH provides data integrity and non-replay services, and the
latter protocol i.e. ESP encrypts and authenticates data.
Thus, IPsec provides the basic services as listed below:
Confidentiality
Authentication
Integrity
Non-Replay
2.5.2 IP Security
Architecture
1. Architecture:
Architecture or IP
Security Architecture
covers the general
concepts, definitions,
protocols, algorithms,
and security
requirements of IP
Security technology.
[Fig. 2.: IP Security Architecture)
2. ESP Protocol:
ESP (Encapsulation Security Payload) provides a confidentiality service.
Encapsulation Security Payload is implemented in either two ways:
ESP with optional Authentication.
ESP with Authentication.
7. Key Management:
Key Management contains the document that describes how the keys are
exchanged between sender and receiver.
2.6 HTTPS (CONNECTION INITIATION & CLOSURE)
2.6.1 Introduction - HTTPS
• Hypertext transfer protocol secure (HTTPS) is the
secure version of HTTP, which is the primary protocol
used to send data between a web browser and a
website.
• HTTPS is particularly important when users transmit
sensitive data, such as by logging credentials for a bank
account, email service, or health insurance provider.
• In modern web browsers such as Chrome, websites
that do not use HTTPS are marked differently than
those that are.
Working of HTTPS
• HTTPS uses an encryption protocol to encrypt the communication
data.
• The protocol used for this encryption is called Transport Layer
Protocol (TLS), formerly it was known as Secure Socket Layer (SSL).
• This protocol uses an asymmetric public key infrastructure. It uses
two different keys: the private key and the public key.
• When information is sent over regular HTTP, the information is
broken into packets of data that can be easily "sniffed using free
software. This makes communication over an unsecure medium,
such as public Wi-Fi, highly vulnerable to interception.
• With HTTPS, traffic is encrypted such that even if the packets are
sniffed or otherwise intercepted. they will come across as
nonsensical characters.
[Fig. 2.18: Working with HTTPS]
2.6.3 Difference between HTTP and HTTPS
HTTP HTTPS
The full form of HTTP is Hypertext Transfer The full form of HTTPS is Hypertext Transfer Protocol
Protocol. Secure.
It operates on application layer. It operates at the transport layer.
The data is transferred in plain text form. The data is transferred in encrypted form, i.e.,
ciphertext.
By default, this protocol operates on port number 80. By default, this protocol operates on port number 443.
The URL start with http:// The URL start with https://
This protocol does not need any certificate. But this protocol requires an SSL (Secure Socket
Layer) certificate.
Communication carried out without encryption. Communication carried out with encryption.
Faster than HTTPS. Slower than HTTP.
It is un-secure. It is highly secure.
Examples of HTTP websites are Educational Sites, Examples of HTTPS websites are shopping websites,
Internet Forums, etc. banking websites, etc.
2.6.4 Advantages of HTTPS
• Secure Communication: HTTPS establishes a secure communication
link between the communicating system by providing encryption
during transmission
• Data Integrity: By encrypting the data, HTTPS ensures data integrity.
This implies that even i the data is compromised at any point; the
hackers won't be able to read or modify the data being exchanged
• Privacy and Security: HTTPS prevents attackers from accessing the
data being exchanged passively, thereby protecting the privacy and
security of the users.
• Faster Performance: HTTPS encrypts the data and reduces its size.
Smaller size accounts for faster data transmission in the case of
HTTPS
2.7 MALICIOUS SOFTWARE
2.7.1 What is Malware ?
Malware "A short name of malicious software, is an umbrella term that describes any malicious program or code
that is harmful to systems. It is specifically designed to disrupt, damage, or gain unauthorized access to a computer
system."
How can malware affect your system ?
Your computer slows down.
Your screen is inundated with annoying ads.
Your system crashes
You notice a mysterious loss of disk space.
There's a weird increase in your system's Internet activity.
Your browser settings change.
homepage changed or you have new toolbars, extensions, or plugins installed etc.
Your antivirus product stops working and you cannot turn it back on, leaving you unprotected against the
malware that disabled it.
You lose access to your files or your entire computer.
Adware, Spyware, Virus, Worms, Trojans, Ransomware, Rootkit, keylogger etc. are the
various forms of malware. Each of these have different working method and affects our
system or network very differently,
1. Hardware Keyloggers: Hardware keyloggers are physical devices that are physically attached between the
keyboard and the computer or inserted into the USB port. They record keystrokes directly from the keyboard.
2. Software Keyloggers: Software keyloggers are programs or malicious software installed on a computer or
mobile device. They run in the background and record keystrokes, capturing the information entered by the
user.
3. Memory-Injection Keyloggers: Memory-injection keyloggers inject malicious code into running processes
or the memory of a target system. They intercept and record keystrokes by hooking into the operating system's
keyboard events
4. Form Grabbing Keyloggers: Form grabbing keyloggers target web browsers and capture information
submitted through online forms.
4. Trojan horse
A Trojan, or Trojan horse, is one of the most dangerous malware types. It usually represents
itself as something useful in order to trick you. Once it's on your system, the attackers
behind the Trojan gain unauthorized access to the affected computer. From there, Trojans
can be used to steal financial information or install other forms of malware, often
ransomware
5. Rootkit
Rootkit is a form of malware that provides the attacker with administrator privileges on the
infected system, also known as "root" access. Typically, it is also designed to stay hidden
from the user, other software on the system, and the operating system itself.
6. Adware
Adware is unwanted software designed to throw advertisements up on your screen, most
often within a web browser. Typically, it uses an underhanded method to either disguise
itself as legitimate, or piggyback on another program to trick you into installing it on your
PC, tablet, or mobile device.
7. Spyware
Spyware is malware that secretly observes the computer user's activities without
permission and reports it to the software's author.
8. Backdoors
Backdoor allows someone to enter your house, not from the legal way that is the front
door. In technical terms, the backdoor is any sort of method which allows hacker, or even
government to access your system without your permission. A Backdoor can be installed
on your system by hackers in the form of some malware application or using your
device's software vulnerabilities.
All the malware like rootkits, Trojans, spyware, keyloggers, worms and even
ransomware are considered to be backdoors if installed in user's devices without their
permission or knowledge.
2.8 FIREWALL
2.8.1 Need of Firewall
The unparalleled improvement in the internet technology has opened
the possibilities to connect any computer with any other computer in
the world. It's a great advantage for the individual as well as business
houses or organisations.
But the problems with the large organisations are:
(1) They have large amount of confidential data that must be keep
secret from their business rivals.
(2) They must have mechanism that can protect these valuable and
confidential information from outsider. Firewall is a such mechanism
which protects individual or corporate network from outside attacker.
2.8.2 What is Firewall ?
A firewall is a network security device or software that acts as a barrier
between an internal network and external networks or the internet.
Its primary purpose is to monitor and control incoming and outgoing
network traffic based on predetermined security rules.
Conceptually, a firewall can be compared with a security person standing
outside a house of nation's president. He physically checks person who
enters into or exit from the house. If security person finds a suspicious
person, he stops that person. Firewall also works like security person and
checks every data packet enters or exits from the private network.
Firewalls are designed to prevent unauthorized access to network by
filtering and blocking potentially harmful or malicious traffic while
allowing legitimate communication to pass through. They examine
network packets, which are small units of data, and apply rules to
determine whether the packets should be allowed or blocked.
Fig. 2.20: Firewall working Architecture
1. If the requested data or page exists in the local cache, the proxy
server itself provides the required data or page to the client.
2. If the requested data or page does not exist in the local cache, the
proxy server forwards that request to destination server
3. The proxy servers transfer the replies to the client and also being
cached to them.
Therefore, it can be said that the proxy server acts as a client as well as
the server.
2.9.2 Types of proxy servers
1.Open or Forward Proxy Server:
Forward proxy server refers to those sorts of intermediaries that get demands
from web clients and afterward peruse destinations to gather the mentioned
information. After collecting the data from sites, it forwards the data to the
internet users directly. It bypasses the firewall made by authorities.