Knowledge in Computer Security & Cryptography

Secure Sockets Layer (SSL)

SSL functions around a cryptographic system which uses three keys to set up the SSL connection: public, private, and session keys. Anything encrypted by using the public key can only be decrypted with the private key, and vice versa. An SSL Certificate contains the company name, address, city, state, country, domain name, expiration date of the Certificate and details of the Certification Authority responsible for issuing the Certificate. When a browser connects to a secure site, it retrieves the website's SSL Certificate and checks that it has not expired and that it has been issued by a Certification Authority the browser trusts. If it fails on any of these checks, the browser displays a warning message to the end user, letting them know that the site is not secured by SSL. Many websites use the protocol to collect confidential user information, including credit card numbers. Most web browsers support SSL. The URL of an SSL connection starts with 'https:' instead of 'http:'. The complexities of the SSL protocol remain invisible to the customers. The lock icon in the lower right-hand corner of the browser indicates the SSL Certificate, and when the icon is clicked, it displays the whole description of the Certificate.

Path Traversal

Path Traversal is one of the many critical web application security vulnerabilities. It allows an attacker to get access to files on the web server that are normally inaccessible to him/her. It works by tricking the web application, or directly the web server on which the application is running, into returning files that exist outside of the web root folder. Any application that exposes an HTTP-based interface is potentially vulnerable to Path Traversal.

Let's take a website running on http://www.example123.com. Let us say that the web server we are running makes adding pages to the website very easy. All we have to do is add pages to the web root folder, /var/www, on the server file system and it is done. If we add the file /var/www/articles/latest.html, this page becomes accessible to anyone who visits http://example123.com/articles/latest.html.

Now, special character sequences like ../ can be used to traverse the directory chain and access files outside of the root folder /var/www, like this: http://www.example123.com/../../protected/configuration.xml. The web server, on receiving this request, appends the user-specified relative path ../../protected/configuration.xml to the directory holding web pages, /var/www, to obtain the full path /var/www/../../protected/configuration.xml, which resolves to /protected/configuration.xml. As a result, the attacker successfully obtains confidential information, probably even the database credentials, which can be used to steal other users' information or simply wipe it out.

A similar situation arises when the web server is up-to-date and non-vulnerable, yet this vulnerability is introduced in the application itself. Consider a slightly more advanced application in which every page has a link for downloading a PDF for information. A sample PDF link looks like this: http://www.example123.com/download?file=latest.pdf. Using the same ../ technique, the attacker will be able to escape the PDF directory and access anything on the system: http://www.example123.com/download?file=../../protected/configuration.yml.

Some easy ways to prevent Path Traversal vulnerabilities are keeping the web server and application up-to-date, not relying on user input for any calls to the file system, and judiciously applying file system permissions.
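The following added example (not code from the original page) contrasts the vulnerable "append the request to the web root" pattern described above with a resolver that canonicalizes the path and rejects anything outside the root. It assumes a case where user input cannot be kept out of the file system call; the function names and the temporary directory layout are constructed for illustration.

```python
import os
import tempfile

def naive_resolve(web_root, requested):
    """Vulnerable pattern from the text: append user input to the root."""
    return os.path.normpath(os.path.join(web_root, requested.lstrip("/")))

def safe_resolve(web_root, requested):
    """Resolve the request and refuse anything that leaves web_root."""
    root = os.path.realpath(web_root)
    # realpath collapses ".." and follows symlinks before the check is made
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError("path escapes web root: %r" % requested)
    return candidate

def build_sample_tree():
    """Constructed layout mirroring the article: <base>/var/www and <base>/protected."""
    base = tempfile.mkdtemp()
    web_root = os.path.join(base, "var", "www")
    os.makedirs(os.path.join(web_root, "articles"))
    os.makedirs(os.path.join(base, "protected"))
    with open(os.path.join(web_root, "articles", "latest.html"), "w") as f:
        f.write("<h1>Latest</h1>")
    with open(os.path.join(base, "protected", "configuration.xml"), "w") as f:
        f.write("<db password='constructed-sample'/>")
    return web_root

if __name__ == "__main__":
    root = build_sample_tree()
    bad = "../../protected/configuration.xml"
    # The naive join lands on the file outside the web root
    print("naive:", naive_resolve(root, bad))
    try:
        safe_resolve(root, bad)
    except PermissionError as exc:
        print("safe :", exc)
    # A legitimate page still resolves normally
    print("safe :", safe_resolve(root, "articles/latest.html"))
```

The check is made on the canonical path after joining, so it also covers symlinks inside the web root that point elsewhere.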

Memory Corruption

Memory corruption bugs mostly occur in low-level programming languages like C or C++. It is one of the problems that has existed for more than 30 years in the field of computer security. The lack of memory safety (or type safety) in such languages allows attackers to exploit memory bugs by altering the program's behavior or even by taking full control. Memory is used in blocks, and functions such as malloc()/calloc() are used in C/C++ for memory allocation and deallocation. Sometimes, array elements accessed beyond the array limit can create many problems. For instance, such an access can set unpredictable values in the adjacent memory elements or set invalid pointer values. It can even corrupt the dynamic memory allocator, which can cause the application process to crash. Exploitation can be stopped by preventing stack, heap and integer overflows. Stack overflows are by far the most commonly exploited class of memory corruption flaws. Programming languages like Java, Ada, SML etc. are much safer than C/C++ with respect to buffer overflows. There are several ways to defeat security attacks. Type-safe programming languages, formal methods and compiler analyses have been adopted to stop programmers from writing insecure software. This doesn't solve all security problems, but does help solve most of them.

DNS Spoofing

DNS Spoofing is a type of computer attack wherein a user is forced to navigate to a fake website disguised to look like a real one, with the intention of diverting traffic or stealing the credentials of the users. Spoofing attacks can go on for a long period of time without being detected and can cause serious security issues. Domain Name Server (DNS) resolves alphabetical domain names like www.example.com into the respective IP addresses that are used for locating and communicating between nodes on the Internet. DNS spoofing is done by replacing the IP addresses stored in the DNS server with ones under the control of the attacker. Once this is done, whenever users try to go to a particular website, they get directed to the false websites placed by the attacker in the spoofed DNS server.

There are mainly two methods by which DNS spoofing is carried out: DNS cache poisoning and DNS ID spoofing. In DNS cache poisoning, the local DNS server is replaced with a compromised DNS server containing customized entries that map genuine website names to the attacker's own IP addresses. Hence, when a request is sent to the local DNS server for IP resolution, it communicates with the compromised DNS server, resulting in the user being redirected to a false website planted by the attacker. In DNS ID spoofing, the packet ID and IP information generated for the resolve request sent by the client is duplicated in a response with false information inside it. As the response ID matches the request ID, the client accepts the response even though it contains information that is not expected.

Common tips to prevent DNS Spoofing include keeping the DNS software up-to-date, maintaining separate servers for public and internal services, and using secure keys to sign updates received from other DNS servers to avoid updates from non-trusted sources.

Cross-site Scripting

Cross-site scripting (XSS) is a type of computer security vulnerability. It accounts for almost 85% of all website security vulnerabilities. Cross-site scripting (XSS) exploits the 'same-origin-policy' concept of web applications to allow hackers to extract information from the system. Attackers conduct script injection that runs at the client side and is sometimes parsed at the server side. There are several ways to do this. The most common way is by putting some malicious data (script) in an HTTP query. This data is immediately parsed at the server side. It is a script in itself. When users surf these websites, this malicious script data is also served from the server and is displayed to users in the guise of some link. Users perceive this as simply a link. Once the user clicks on this link, the underlying malicious script gets executed.

How can it access the private data of the user? The injected script is now part of the same domain that the user is surfing. This script can read user information from cookies, since the injected script unfortunately happens to be in the same domain. So after getting information from the cookie, the script can send it to the attacker's server domain.

Another example of XSS is e-mail content. An XSS attacker sends us an e-mail which contains malicious script in the form of some clickable HTML element. Whenever we open that e-mail and click on that HTML element, the script gets executed.

Adiantum: Encryption for everyone!

“Everyone should have privacy and security, regardless of their phone’s price tag,” as said by Eugene Liderman, Director of Mobile Security Strategy at Android Security and Privacy Team. In today’s era, where all that matters is ‘data’, this quote seems pretty logical. This Safer Internet Day, on 5th Feb, Google surprised us with a bunch of announcements and its valuable #SecurityCheckKiya campaign throughout India. But the biggest announcement, which grabbed everyone’s attention, was the introduction of ‘Adiantum’: a new form of encryption exclusively for those low-end devices which do not have specialized hardware to use the currently prevailing methods for storage encryption. Storage encryption protects your data if your phone falls into someone else’s hands. The main motive for this innovation was to ensure that ‘all devices can be encrypted’.

Being the dignified and loyal owner of Android, Google apprehended the primary concern of data security (storage encryption) on low-end devices. Here, encryption consumes a lot of resources, making the device slow and in other cases slowing it to the point of being unusable (hung). Thus, to resolve this issue, the idea of Adiantum came into being. It is an innovation in cryptography designed to make storage encryption efficient without cryptographic acceleration. The name comes from the genus of ferns, which represents sincerity & discretion.

Nowadays, Android offers storage encryption using the Advanced Encryption Standard (AES), i.e., it supports AES-128-CBC-ESSIV for full-disk encryption and AES-256-XTS for file-based encryption. Most new devices have support for AES using the ARMv8 cryptographic extensions. Moreover, Google has made it mandatory for device manufacturers to include AES encryption on all Android devices running 6.0 or later, exempting the devices with poor performance (50 MiB/s and below).

It should be considered here that Android not only includes the latest premium, flagship and mid-range devices; a major portion is made up of entry-level devices, including smartwatches and Android TVs, designed mainly with low-end processors like the ARM Cortex-A7 to attract a large pool of consumers with a minimum budget. But these devices do not provide hardware support for AES with such low-end processors. Hence, AES implementation on these devices resulted in poor user experience and long app launch times, and the device generally feels too slow. To change this scenario and to empower all devices with encryption abilities, the need for a new form of encryption was soon felt, which took shape as Adiantum. Adiantum has been designed to provide efficient storage encryption without hardware acceleration, empowering the devices with much more security than their predecessors. It will also guarantee data security to the next billion people coming online for the first time.

Now, let’s get to know how this concept solves our issues. In HTTPS (Hypertext Transfer Protocol Secure) encryption, the ChaCha20 stream cipher is used, since it executes much faster than AES when hardware acceleration is unavailable, without compromising on security. The main reason for such fast execution is its reliance on operations that CPUs support natively: addition, rotation, and XOR. Hence, in 2014 Google selected ChaCha20 along with the Poly1305 authenticator, which is also fast in software, for a new TLS cipher suite to secure HTTPS connections. ChaCha20-Poly1305 has been standardized as RFC 7539, and it greatly improves performance on the devices that lack AES instructions.

But the main challenge is faced with disk and file encryption, where the data is organized in sectors on storage devices. With every request by the filesystem to read/write a sector on the device, the encryption layer intercepts the request, which involves the conversion of 4096-byte plaintext to 4096-byte ciphertext and vice-versa. However, implementing RFC 7539, i.e., ChaCha20-Poly1305, requires an additional amount of space for the cryptographic nonce (an arbitrary number that can be used just once in a cryptographic communication) and message integrity information. There are software techniques for finding places to store this extra information, but they reduce efficiency and can impose significant complexity on filesystem design.

According to Google, Adiantum allows us to use the ChaCha stream cipher in a length-preserving mode, by adapting ideas from AES-based proposals for length-preserving encryption such as HCTR and HCH. On an ARM Cortex-A7 processor, Adiantum decrypts 4096-byte messages at 10.6 cycles per byte, over five times faster than AES-256-XTS, with a constant-time implementation. This is evident from the graph given below.

Adiantum will be part of the Android platform in Android Q, the successor to Android Pie that’s due later this year. Moreover, Google says AES is still the faster encryption standard when hardware support exists and will continue to be a requirement for phones that support it, which means AES must still be used where its performance is above 50 MiB/s. “Our hope is that Adiantum will democratize encryption for all devices,” says Eugene Liderman, Director of Mobile Security Strategy at Android Security and Privacy Team. “Just like you would not buy a phone without text messaging, there will be no excuse for compromising security for the sake of device performance.”

Information Security and Cryptography Notes

Notes from the 6th semester (2019), REVA University, for the subject Information Security and Cryptography. Contains references on: OSI Model, DES, Cryptography, Cyber attacks, Encryption, Encryption algorithms, Cipher text, types of cyber attacks, firewall, network security, virus, types of virus, cloud security.

cryptography

Introduction to cryptography

Electronic Commerce (E-Commerce)

E-commerce is the activity of buying or selling products on online services or over the Internet. Topics provided: Overview, B2B, B2C, Advantages, Disadvantages, Security, EDI. The content will cover all the topics related to E-Commerce.