Q1: Different Types of Security Attacks Along With Prevention Techniques?
Passive Attacks: A passive attack attempts to learn or make use of information from
the system but doesn’t affect system resources. Passive attacks are in the nature of
eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain
information that is being transmitted. Following are the two types of passive attacks:
o Release of message contents (eavesdropping): A telephone conversation, an
electronic mail message, and a transferred file may contain sensitive or
confidential information. We would like to prevent an opponent from learning
the contents of these transmissions.
Prevention Techniques
1. Use equipment with no or limited signal leakage ('tempest') or put the equipment in a
shielded room. Although effective, those methods are expensive and are only to be
recommended when there is an extremely high risk. Optical fibers can be used to
prevent emission leakage from the lines running between peripherals and the Local
Area Network (LAN).
2. Encryption of the Wide Area Network (WAN) will not stop electromagnetic emissions
but the eavesdropper will not be able to use the information without the encryption
key.
1. Install an 'Identification and Authorization' system. Adopt a 'two-man rule' for granting
privileges.
2. Regularly check logs.
3. Regularly check that configuration is correct. Install a firewall.
1. Firewalls: Firewalls have simple rules, such as allowing or denying protocols, ports or IP
addresses. Firewalls can effectively prevent users from launching simple flooding type attacks
from machines behind the firewall.
2. Switches: Most switches have rate-limiting capability. Some switches provide automatic
rate limiting, deep packet inspection and delayed binding to detect and remediate DoS
attacks.
1. Principle: Make the adversary spend time and energy to detect and jam.
2. Frequency Hopping: Modulate frequency according to keys.
3. Spread Spectrum: Transform the signal to high band and low power, so that it is difficult
to detect under the noise floor.
A WAN is a data communications network that covers a relatively broad geographic area
and often uses transmission facilities provided by common carriers, such as telephone
companies. WAN technologies function at the lower three layers of the OSI reference model:
the physical layer, the data link layer, and the network layer. Figure below illustrates the
relationship between the common WAN technologies and the OSI model.
A virtual circuit is a logical circuit created to ensure reliable communication between two
network devices. Two types of virtual circuits exist: switched virtual circuits (SVCs) and
permanent virtual circuits (PVCs).
SVCs are virtual circuits that are dynamically established on demand and terminated when
transmission is complete. Communication over an SVC consists of three phases: circuit
establishment, data transfer, and circuit termination. The establishment phase involves creating
the virtual circuit between the source and destination devices. Data transfer involves
transmitting data between the devices over the virtual circuit, and the circuit-termination
phase involves tearing down the virtual circuit between the source and destination devices.
SVCs are used in situations in which data transmission between devices is sporadic, largely
because SVCs increase bandwidth used due to the circuit establishment and termination
phases, but decrease the cost associated with constant virtual circuit availability.
PVCs are permanently established virtual circuits that consist of one mode: data transfer. PVCs
are used in situations in which data transfer between devices is constant. PVCs decrease the
bandwidth use associated with the establishment and termination of virtual circuits, but
increase costs due to constant virtual circuit availability.
PVCs are also permanent circuits dedicated to a single subscriber. The connection is always
active. However, because multiple virtual circuits share a physical circuit, there is no guarantee
that any specific amount of bandwidth will be available at any specific time. Sometimes there
may not be any bandwidth available on the physical circuit because the physical circuit is
saturated.
When the physical circuit is saturated, the traffic is temporarily stored at a switching point until
bandwidth becomes available. When bandwidth becomes available, the stored traffic is
forwarded to its destination. This process is referred to as store-and-forward processing, or
packet switching, which is the same processing method used on LANs.
PVCs provide an average bandwidth guarantee. The average bandwidth guarantee is
accomplished through statistical multiplexing (STM), which underlies packet switching
technology. Because PVCs are more cost effective for the public carrier, PVCs are usually less
expensive for the subscriber than dedicated circuits. PVCs are commonly used for Frame
Relay.
Frame Relay
Frame Relay is a layer-2 protocol used in wide area networking. It uses the telecommunication
provider's packet-switching infrastructure to move data. Frame Relay can provide speeds from
56kbps DS0 up to 43Mbps DS3 connections depending on the capability of the service
provider's network.
The WAN is typically built up of many point to point connections, at both layers 1 and 2. This
can make it difficult for the designer to consider connectivity. To make the routing most
efficient the layer 2 network must often be fully meshed, to reduce the number of hops
between sites. (A full mesh is one where all sites are completely connected to every other site.)
If all traffic goes back and forth from central site to remote, there is little problem. When all
sites have to share information equally the number of interfaces required per site, physical or
virtual, will be N-1, where N equals the number of sites.
Virtual circuits, such as created with Frame Relay, will add another layer of complexity to this
and will add connection points if you want a “full mesh” as described with the physical layer
example. Notice the example with Frame Relay. Even though there is only one physical
connection there are two arrow points at each physical connection. In essence the same
formula applies. It is just that you will need to consider both the “raw” physical bandwidth
available on a physical single link and then the committed information rate for the two virtual
links.
Packet Switching
Packet switching is a WAN switching method in which network devices share a single point-to-
point link to transport packets from a source to a destination across a carrier network.
Statistical multiplexing is used to enable devices to share these circuits. Asynchronous Transfer
Mode (ATM), Frame Relay, Switched Multimegabit Data Service (SMDS), and X.25 are examples
of packet-switched WAN technologies.
Point-to-Point Links
A point-to-point link provides a single, pre-established WAN communications path from the
customer premises through a carrier network, such as a telephone company, to a remote
network. A point-to-point link is also known as a leased line because its established path is
permanent and fixed for each remote network reached through the carrier facilities. The carrier
company reserves point-to-point links for the private use of the customer. These links
accommodate two types of transmissions: datagram transmissions, which are composed of
individually addressed frames, and data-stream transmissions, which are composed of a stream
of data for which address checking occurs only once.
Q 3: Difference between Kerberos and RADIUS authentication along with 4
advantages and disadvantages of each?
RADIUS - Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol and
software that enables remote access servers to communicate with a central server to
authenticate dial-in users and authorize their access to the requested system or service. It
provides centralized Authentication, Authorization, and Accounting (AAA) management for
computers to connect and use a network service. RADIUS allows a company to maintain user
profiles in a central database that all remote servers can share. It provides better security,
allowing a company to set up a policy that can be applied at a single administered network
point. Having a central service also means that it's easier to track usage for billing and for
keeping network statistics.
3. PORT
   Kerberos: One feature that all Kerberos tools have in common is that, by default, Kerberos
   uses port 88. This means that when tools are designed and developed, the logon ids, user ids
   and passwords need to first communicate through port 88.
   RADIUS: RADIUS has officially assigned UDP ports 1812 for RADIUS authentication and 1813
   for RADIUS accounting.
4. SUITABILITY
   Kerberos: It is well suited for PC and workstation network.
   RADIUS: It is well suited for PC and workstation.
5. SIGN-ON
   Kerberos: Has single sign-on capability.
   RADIUS: Does not have single sign-on capability.
6. MUTUAL AUTHENTICATION
   Kerberos: It does mutual authentication between client and server, i.e. both sides prove
   their identity to the other party, not just the user to the server.
   RADIUS: Does not provide mutual authentication.
Advantages of Kerberos
Tight Security - User's passwords are never sent across the network, encrypted or in
plain text. Secret keys are only passed across the network in encrypted form. Hence, a
miscreant snooping and logging conversations on a possibly insecure network cannot
deduce from the contents of network conversations enough information to impersonate
an authenticated user or an authenticated target service.
Time Stamping of the Tickets - The tickets passed between clients and servers in the
Kerberos authentication model include timestamp and lifetime information. This allows
Kerberos clients and Kerberized servers to limit the duration of their users'
authentication. While the specific length of time for which a user's authentication
remains valid after his initial ticket is issued is implementation dependent, Kerberos
systems typically use small enough ticket lifetimes to prevent brute-force and replay
attacks.
Reusability and Durability - Authentications are reusable and durable. A user need only
authenticate to the Kerberos system once (using his principal and password). For the
lifetime of his authentication ticket, he may then authenticate to Kerberized services
across the network without re-entering his personal information.
Multi User Security Issue - Kerberos was designed for use with single-user client
systems. In the more general case, where a client system may itself be a multi-user
system, the Kerberos authentication scheme can fall prey to a variety of ticket-stealing
and replay attacks. The overall security of multi-user Kerberos client systems (filesystem
security, memory protection, etc.) is therefore a limiting factor in the security of
Kerberos authentication. No amount of cleverness in the implementation of a Kerberos
authentication system can replace good system administration practices on Kerberos
client and server machines.
The Kerberos authentication model is vulnerable to brute-force attacks against the KDC
(the initial ticketing service and the ticket-granting service). The entire authentication
system depends on the trustworthiness of the KDC(s), so anyone who can compromise
system security on a KDC system can theoretically compromise the authentication of all
users of systems depending on the KDC.
Advantages of RADIUS
Tight Security - In large networks, security information may be scattered throughout the
network on different devices. RADIUS allows user information to be stored on one host,
minimizing the risk of security loopholes. All authentication and access to network
services is managed by the host functioning as the RADIUS server.
Flexibility - RADIUS can be adapted to work with existing security systems and
protocols. The RADIUS server may be adapted to your network, rather than adjusting
your network to work with RADIUS. RADIUS may be used with any communications
server that supports the RADIUS protocol. When new security technology becomes
available or security needs increase, RADIUS may be expanded to offer new services.
Disadvantages of RADIUS
The RADIUS protocol does not transmit passwords in cleartext between the NAS and
RADIUS server (not even with PAP protocol). Rather, a shared secret is used along with
the MD5 hashing algorithm to obfuscate passwords. Because this particular
implementation is not considered to be a very strong protection of the user's
credentials, additional protection - such as IPsec tunnels or physically-secured data-
center networks - should be used to further protect the RADIUS traffic between the NAS
device and the RADIUS server.
The user's security credentials are the only part protected by RADIUS itself, yet other
user-specific attributes such as tunnel-group IDs or vlan memberships passed over
RADIUS may be considered sensitive (helpful to an attacker) or private (sufficient to
identify the individual client) information as well.
Conventional RADIUS uses the unreliable User Datagram Protocol (UDP) for transport.
UDP does not guarantee to deliver messages. The RADIUS protocol permits a limited
number of retransmissions, but it does not guarantee to deliver requests, and therefore
conventional RADIUS requests can sometimes be lost or dropped, especially on a
congested network. This can cause inconvenience for users trying to log in, and lost
accounting messages can mean lost income for operators.
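The MD5-based password hiding described above under Disadvantages of RADIUS, written out as an added example (not part of the original notes) following the User-Password scheme of RFC 2865. The shared secret, password and authenticator values are constructed; the checks show that the protection rests entirely on the shared secret and on a fresh Request Authenticator, which is why the extra IPsec protection is recommended.

```python
import hashlib
import secrets

BLOCK = 16  # MD5 digest size; the password is processed in 16-byte blocks


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide a User-Password value the way a NAS does for an Access-Request."""
    if len(request_auth) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)  # null padding
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), BLOCK):
        pad = hashlib.md5(secret + prev).digest()  # MD5(secret + previous block)
        prev = _xor(padded[i:i + BLOCK], pad)
        hidden += prev
    return hidden


def recover_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Reverse the hiding, as the RADIUS server does with the same secret."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden value must be a multiple of 16 bytes")
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        plain += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return plain.rstrip(b"\x00")


def audit_hiding() -> dict:
    """Run the scheme on constructed values and report what it guarantees."""
    secret = b"constructed-shared-secret"   # constructed sample value
    password = b"correct horse battery"     # constructed, 21 bytes -> 2 blocks
    ra1, ra2 = secrets.token_bytes(BLOCK), secrets.token_bytes(BLOCK)
    h1 = hide_password(password, secret, ra1)
    h2 = hide_password(password, secret, ra2)
    return {
        "round_trip": recover_password(h1, secret, ra1) == password,
        "hidden_len": len(h1),  # only the padded length is visible on the wire
        "fresh_authenticator_changes_output": h1 != h2,
        "reused_authenticator_repeats_output":
            hide_password(password, secret, ra1) == h1,
        "wrong_secret_fails":
            recover_password(h1, b"other-secret", ra1) != password,
    }


if __name__ == "__main__":
    for name, value in audit_hiding().items():
        print(f"{name}: {value}")
```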
Q 4: List down and make a table for WAP devices only with respect to following:
Name of Manufacturer
Name of device
Operating Layer
Speed/Bandwidth supported
Minimum 4 technical specifications and minimum 3 manufacturers?
• Unified Messaging applications, access to voice mail, e-mail and fax mail
• Information services like stock quotes, restaurants, cinemas etc.
• Reservation services
• News services
• E-commerce and bank applications (e.g. Commonwealth Bank/Telstra in Australia)
Q 5: What do you mean by Public Key and Private Key? Along with creating
private and public keys with PGP steps?
Data that can be read and understood without any special measures is called plaintext or clear
text. The method of disguising plaintext in such a way as to hide its substance is called
encryption. Encrypting plaintext results in unreadable gibberish called cipher text. You use
encryption to ensure that information is hidden from anyone for whom it is not intended, even
those who can see the encrypted data. The process of reverting cipher text to its original
plaintext is called decryption.
The secret piece of using a well-known encryption algorithm is the key. The key can be any
value that is made up of a large sequence of random bits. Is it just any random number of bits
crammed together? Not really. An algorithm contains a key space, which is a range of values
that can be used to construct a key. The key is made up of random values within the key space
range. The larger the key space, the more available values can be used to represent different
keys, and the more random the keys are, the harder it is for intruders to figure them out.
Some things you can tell the public, but some things you just want to keep private. In symmetric
key cryptography, a single secret key is used between entities, whereas in public key systems,
each entity has different keys, or asymmetric keys. The two different asymmetric keys are
mathematically related. If a message is encrypted by one key, the other key is required to
decrypt the message.
In a public key system, the pair of keys is made up of one public key and one private key. The
public key can be known to everyone, and the private key must only be known to the owner.
Many times, public keys are listed in directories and databases of e-mail addresses so they are
available to anyone who wants to use these keys to encrypt or decrypt data when
communicating with a particular person. Figure illustrates an asymmetric cryptosystem. The
public and private keys are mathematically related, but cannot be derived from each other. This
means that if an evildoer gets a copy of Bob’s public key, it does not mean he can now use
some mathematical magic and find out Bob’s private key.
If Bob encrypts a message with his private key, the receiver must have a copy of Bob’s public
key to decrypt it. The receiver can decrypt Bob’s message and decide to reply back to Bob in an
encrypted form. All she needs to do is encrypt her reply with Bob’s public key, and then Bob can
decrypt the message with his private key. It is not possible to encrypt and decrypt using the
exact same key when using an asymmetric key encryption technology.
Bob can encrypt a message with his private key and the receiver can then decrypt it with Bob’s
public key. By decrypting the message with Bob’s public key, the receiver can be sure that the
message really came from Bob. A message can only be decrypted with a public key if the
message was encrypted with the corresponding private key. This provides authentication,
because Bob is the only one who is supposed to have his private key. When the receiver wants
to make sure Bob is the only one that can read her reply, she will encrypt the response with his
public key. Only Bob will be able to decrypt the message because he is the only one who has
the necessary private key. Now the receiver can also encrypt her response with her private key
instead of using Bob’s public key. Why would she do that? She wants Bob to know that the
message came from her and no one else. If she encrypted the response with Bob’s public key, it
does not provide authenticity because anyone can get a hold of Bob’s public key. If she uses her
private key to encrypt the message, then Bob can be sure that the message came from her and
no one else. Symmetric keys do not provide authenticity because the same key is used on both
ends. Using one of the secret keys does not ensure that the message originated from a specific
entity.
• Weaknesses
• RSA
• Diffie-Hellman
• El Gamal
Encryption Algorithms
There are several types of asymmetric algorithms used in the computing world today. They may
have different internal mechanisms and methods, but the one thing they do have in common is
that they are all asymmetric. This means that a different key is used to encrypt a message than
the key that is used to decrypt a message.
RSA
RSA, named after its inventors Ron Rivest, Adi Shamir, and Leonard Adleman, is a public key
algorithm that is the most understood, easiest to implement, and most popular when it comes
to asymmetric algorithms. RSA is a worldwide de facto standard and can be used for digital
signatures and encryption. It was developed in 1978 at MIT and provides authentication as well
as encryption. The security of this algorithm comes from the difficulty of factoring large
numbers. The public and private keys are functions of a pair of large prime numbers, and the
work required to decrypt a message from cipher text to plaintext using a public
key is comparable to factoring the product of two prime numbers. (A prime number is a
positive whole number with no proper divisors, meaning the only numbers that can divide a
prime number are one and the number itself.) One advantage of using RSA is that it can be used
for encryption and digital signatures. Using its one-way function, RSA provides encryption and
signature verification and the inverse direction performs decryption and signature generation.
RSA is used in many Web browsers with the Secure Sockets Layer (SSL) protocol. PGP and
government systems that use public key cryptosystems (encryption systems that use
asymmetric algorithms) also use RSA.
El Gamal
El Gamal is a public key algorithm that can be used for digital signatures and key exchange. It is
not based on the difficulty of factoring large numbers, but is based on calculating discrete
logarithms in a finite field.
Elliptic curves are rich mathematical structures that have shown usefulness in many different
types of applications. An Elliptic Curve Cryptosystem (ECC) provides much of the same
functionality that RSA provides: digital signatures, secure key distribution, and encryption. One
differing factor is ECC’s efficiency. Some devices have limited processing capacity, storage,
power supply, and bandwidth like the newer wireless devices and cellular telephones. With
these types of devices, efficiency of resource use is very important. ECC provides encryption
functionality requiring a smaller percentage of the resources required by RSA and other
algorithms, so it is used in these types of devices. In most cases, the longer the key length, the
more protection that is provided, but ECC can provide the same level of protection with a key
size that is smaller than what RSA requires. Because longer keys require more resources to
perform mathematical tasks, the smaller keys used in ECC require fewer resources of the
device.
ECC cryptosystems use the properties of elliptic curves in their public key systems. The elliptic
curves provide ways of constructing groups of elements and specific rules of how the elements
within these groups combine. The properties between the groups are used to build
cryptographic algorithms.
Diffie-Hellman
DH is a method for securely exchanging a shared secret between two parties, in real-time, over
an untrusted network. A shared secret is important between two parties who may not have
ever communicated previously, so that they can encrypt their communications. As such, it is
used by several protocols, including Secure Sockets Layer (SSL), Secure Shell (SSH), and Internet
Protocol Security (IPSec).
Digital signatures
A major benefit of public key cryptography is that it provides a method for employing digital
signatures. Digital signatures enable the recipient of information to verify the authenticity of
the information’s origin, and also verify that the information is intact. Thus, public key digital
signatures provide authentication and data integrity. A digital signature serves the same
purpose as a handwritten signature. However, a handwritten signature is easy to counterfeit. A
digital signature is superior to a handwritten signature in that it is nearly impossible to
counterfeit, plus it attests to the contents of the information as well as to the identity of the
signer.
PGP is the most widely recognized public key encryption program in the world. It can be used to
protect the privacy of email, data files, drives and instant messaging.
PGP combines some of the best features of both conventional and public key cryptography.
PGP is a hybrid cryptosystem. When a user encrypts plaintext with PGP, PGP first compresses
the plaintext. Data compression saves modem transmission time and disk space and, more
importantly, strengthens cryptographic security. Compression reduces patterns in the
plaintext, thereby greatly enhancing resistance to cryptanalysis. (Files that are too short to
compress or which don’t compress well aren’t compressed.) PGP then creates a session key,
which is a one-time-only secret key. This key is a random number generated from the random
movements of your mouse and the keystrokes you type. This session key works with a very
secure, fast conventional encryption algorithm to encrypt the plaintext; the result is cipher text.
Once the data is encrypted, the session key is then encrypted to the recipient’s public key. This
public key-encrypted session key is transmitted along with the cipher text to the recipient.
[Figure: Encryption]
Decryption works in the reverse. The recipient’s copy of PGP uses his or her private key to
recover the temporary session key, which PGP then uses to decrypt the conventionally-
encrypted cipher text. The combination of the two encryption methods combines the
convenience of public key encryption with the speed of conventional encryption. Conventional
encryption is about 1,000 times faster than public key encryption. Public key encryption in turn
provides a solution to key distribution and data transmission issues. Used together,
performance and key distribution are improved without any sacrifice in security.
[Figure: Decryption]
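The hybrid flow described above (compress, one-time session key, conventional encryption, session key encrypted to the recipient's public key), together with the earlier point that a private-key operation proves origin, as an added Python example that is not PGP's own code. It assumes a constructed toy RSA key (textbook RSA, no padding) and substitutes a SHA-256 keystream for the conventional cipher, so it shows the data flow only and is not a secure implementation.

```python
import hashlib
import secrets
import zlib

# Constructed toy RSA key built from two Mersenne primes. Textbook RSA without
# padding is used only to show the data flow; it is not secure.
P, Q, E = 2**89 - 1, 2**107 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
PUBLIC, PRIVATE = (N, E), (N, D)   # Bob's public and private keys


def _stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the conventional cipher: XOR with a SHA-256 keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt_for(plaintext: bytes, recipient_public) -> tuple:
    """Compress, encrypt with a fresh session key, wrap that key for the recipient."""
    n, e = recipient_public
    session_key = secrets.token_bytes(16)              # one-time session key
    body = _stream_xor(session_key, zlib.compress(plaintext))
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return wrapped, body


def decrypt_with(wrapped: int, body: bytes, recipient_private) -> bytes:
    """Recover the session key with the private key, then decrypt and decompress."""
    n, d = recipient_private
    session_key = pow(wrapped, d, n).to_bytes(16, "big")
    return zlib.decompress(_stream_xor(session_key, body))


def _digest_int(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, signer_private) -> int:
    """Private-key operation on the message digest: only the key owner can do it."""
    n, d = signer_private
    return pow(_digest_int(message, n), d, n)


def verify(message: bytes, signature: int, signer_public) -> bool:
    """Anyone holding the public key can check the signature."""
    n, e = signer_public
    return pow(signature, e, n) == _digest_int(message, n)


def demo() -> dict:
    message = b"Meet at noon. " * 20                   # constructed sample plaintext
    wrapped, body = encrypt_for(message, PUBLIC)       # a reply encrypted to Bob
    signature = sign(message, PRIVATE)                 # a message signed by Bob
    return {
        "decrypted_ok": decrypt_with(wrapped, body, PRIVATE) == message,
        "body_shorter_than_plaintext": len(body) < len(message),
        "signature_valid": verify(message, signature, PUBLIC),
        "tampered_rejected": not verify(message + b"!", signature, PUBLIC),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```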
Steps:
The command gpg --gen-key will make a new key for you. You will be prompted for the
following:
• Kind of key: this asks which key generation algorithm to use. Choose "DSA and
ElGamal", RSA, etc.
• Key length: choose the size you want from the options offered.
• Expiry: when your key should expire. 0 is the default, which means the key does not
expire; you have to confirm this.
• Name: just enter your name as you would normally write it. Ex: user ID "Marty McFly".
You need a user ID for your public key. The desired form for this user ID is your name,
followed by your e-mail address enclosed in angle brackets, if you have an e-mail
address.
• Email address: the email address that you would like to use. Ex: John Q. Smith
<[email protected]>
• Passphrase (twice): this is the password you must enter for certain actions. Choose a
password with a mix of numbers, letters and punctuation. A bad password will
significantly reduce the security value of your key. Enter the password two times.
• Some random information, in the form of keyed-in data or mouse movements, that PGP
will use to generate a strong key.