Data Security & Integrity IN COMPUTER Networks Professor: Elise de Doncker BY: Lina Hussein
Security .. • Protection of information from theft or corruption, or the preservation of availability.. • Information Transfers Freely through the air. • How to secure transmission ?? • Unauthorized OR Authorized reception ! • Solution => Use Message Encryption& Decryption techniques. • ex: Cable T.V
Integrity Confidentiality S Availability Pillars of Security: Confidentiality: Who is authorized?Integrity: Is data „good?”Availability: Can one access data whenever needed? S = secure
Threats.. • Threats to data in transit: • Eavesdropping = overhearing without anyextraeffort E.g., admin anyway uses s/w to monitor network traffic to manage the network - in this way she effortlessly eavesdrops on the traffic • Wiretapping = overhearing with someextraeffort • Wiretapping technique depends on the communication medium • Solution = Cryptography ( Encryption & Decryption)
Benefits of Cryptography • Remember: There is no solution! • Improvement not a Solution • Minimizes problems • Doesn’t solve them • Adds an envelope (encoding)to an open postcard(cleartext)
original plaintext ENCRYPTION ENCODING ENCIPHERING E DECRYPTION DECODING DECIPHERING D plaintext ciphertext P C P Formal Notation • C = E(P) E – encryption rule/algorithm • P = D(C) D – decryption rule/algorithm • We need a cryptosystem, where: • P = D(C)= D(E(P)) • i.e., able to get the original message back
ENCRYPTION ENCODING ENCIPHERING E plaintext ciphertext hostile environment P C original plaintext DECRYPTION DECODING DECIPHERING D ciphertext C P Cryptography in Practice • Sending a secure message • Receiving a secure message hostile environment
Encryption Key DecryptionKey KE KD E D P C P Keyed Crypto System • C = E(KE, P) • E = set of encryption algorithms / KE selects Ei E • P = D(KD, C) • D = set of decryption algorithms / KD selects Dj D • Crypto algorithms and keys like door locks and keys • We need: P = D(KD, E(KE, P))
Ciphers • Substitution ciphers: • Letters of P replacedwithother letters by E • Outline: a. The Caesar Cipher b. Other Substitution Ciphers
The Caesar Cipher • Example [cf. B. Endicott-Popovsky] • P(plaintext): HELLO WORLD • C(ciphertext): khoor zruog • Caesar Cipher is a monoalphabetic substitution cipher (= simple substitution cipher)
Other Substitution Ciphers n-char key • Polyalphabetic substitution ciphers • Vigenere Tableaux cipher
Polyalphabetic Substitution • Flatten (difuse) somewhat the frequency distribution of letters by combining high and low distributions • Example – 2-key substitution: A B C D E F G H I J K L M Key1: a d g j m p s v y b e h k Key2: n s x c h m r w b g l q v N O P Q R S T U V W X Y Z Key1: n q t w z c f i l o r u x Key2: a f k p u z e j o t y d i • Examples • Question: How Key1 and Key2 were defined?
... • Example: A B C D E F G H I J K L M Key1: a d g j m p s v y b e h k Key2: n s x c h m r w b g l q v N O P Q R S T U V W X Y Z Key1: n q t w z c f i l o r u x Key2: a f k p u z e j o t y d i • Answer: Key1 – start with ‘a’, skip 2, take next, skip 2, take next letter, ... (circular) Key2 - start with ‘n’ (2nd half of alphabet), skip 4, take next, skip 4, take next, ... (circular)
Example 1: A B C D E F G H I J K L M Key1: a d g j m p s v y b e h k Key2: n s x c h m r w b g l q v N O P Q R S T U V W X Y Z Key1: n q t w z c f i l o r u x Key2: a f k p u z e j o t y d i • Plaintext: TOUGH STUFF • Ciphertext: ffirv zfjpm use n (=2) keys in turn for consecutive P chars in P • Note: • Different chars mapped into the same one: T, O f • Same char mapped into different ones: F p, m • ‘f’ most frequent in C (0.30); in English: f(f) = 0.02 << f(e) = 0.13
Note: Row A – shift 0 (a->a) Row B – shift 1 (a->b) Row C – shift 2 (a->c) ... Row Z – shift 25 (a->z) Vigenere Tableaux • P
>> • Example Key: EXODUS Plaintext P: YELLOW SUBMARINE FROM YELLOW RIVER Extended keyword (re-applied to mimic words in P): YELLOW SUBMARINE FROM YELLOW RIVER EXODUS EXODUSEXO DUSE XODUSE XODUS Ciphertext: cbxoio wlppujmks ilgq vsofhb owyyj • Question: How derived from the keyword and the Vigenère tableaux?
>> • Example ... Extended keyword (re-applied to mimic words in P): YELLOW SUBMARINE FROM YELLOW RIVER EXODUS EXODUSEXO DUSE XODUSE XODUS Ciphertext: cbxoio wlppujmks ilgq vsofhb owyyj • Answer: c from P indexes row c from extended key indexes column e.g.: row Y and column e ‘c’ row E and column x ‘b’ row L and column o ‘z’ ...
Integrity .. • Data transmitted is same to data received. I heard from your brothel in NewYork. I heard from your brother in NewYork. ASCII : r => 1110010 l => 1101100 • Allow altering messages= undesirable system! • System MUST deliver accurate messages. • System MUST detect changes in Transmission (Error Detection) mechanism.
Link Layer Services (more) • flow control: • pacing between adjacent sending and receiving nodes • error detection: • errors caused by signal attenuation, noise. • receiver detects presence of errors: • signals sender for retransmission or drops frame • error correction: • receiver identifies and corrects bit error(s) without resorting to retransmission 5: DataLink Layer
Examples:: • Error detection Techniques • Parity Checking. • Cyclic Redundancy Checks (CRC). • Error Correction • Hamming Codes.
1. error detection.. • The ability to detect when a transmission change. • Discard message • Notify user • Message send again • Fixing message with out Retransmission => (Error Correction)
>> • EDC= Error Detection and Correction bits (redundancy) • D = Data protected by error checking, may include header fields • Error detection not 100% reliable! • protocol may miss some errors, but rarely • larger EDC field yields better detection and correction otherwise 5: DataLink Layer
Parity Checking Two Dimensional Bit Parity: Detect and correct single bit errors Single Bit Parity: Detect single bit errors 0 0 5: DataLink Layer
Sender: treat segment contents as sequence of 16-bit integers checksum: addition (1’s complement sum) of segment contents sender puts checksum value into UDP checksum field Receiver: compute checksum of received segment check if computed checksum equals checksum field value: NO - error detected YES - no error detected. But maybe errors nonetheless? Internet checksum Goal: detect “errors” (e.g., flipped bits) in transmitted packet 5: DataLink Layer
Checksumming: Cyclic Redundancy Check • view data bits, D, as a binary number • choose r+1 bit pattern (generator), G • goal: choose r CRC bits, R, such that • <D,R> exactly divisible by G (modulo 2) • receiver knows G, divides <D,R> by G. If non-zero remainder: error detected! • can detect all burst errors less than r+1 bits • widely used in practice (Ethernet, 802.11 WiFi, ATM) 5: DataLink Layer
CRC Example Want: D.2r XOR R = nG equivalently: D.2r = nG XOR R equivalently: if we divide D.2r by G, want remainder R D.2r G R = remainder[ ] 5: DataLink Layer
What ?? • Security & Integrity of data inside the computer. • Less of a Network Problem • O.S security Hole • User careless behaviour.
Computer Virus .. • A peace of code with a collection of instructions attached to an executable file does what the original file was not designed to do! • PC ---> .EXE or .COM • MAC---> Resource • ONE GOAL ..Damage System Security!
Mass Mailing Viruses Macro Viruses “Back Doors” a.k.a. “Remote Access Trojans” Cell phone viruses Home appliance viruses MP3 player viruses Viruses • Virus • A hidden, self-replicatingsection of computer software, usually malicious logic, that propagates by infecting(i.e., inserting a copy of itself into and becoming part of)another program.A virus cannot run by itself; it requires that its host program be run to make the virus active • Many kinds of viruses: [Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
how?? Infected Software Request to execute some processes branch Process code DO nothing Usual Virus branch Memory
Virus Duplicate It self Memory Resident.. Process code Memory = Executable file such as an .EXE or .COM
Virus Evolution.. • 1949 John Von Neumann wrote paper “ Theory and organization of Complicated Data” describe that computer programs could in fact multiply. • 1980s computer viruses exist and increase in number and complexity. • There for ... • Elimination Methods • started toexist -->> (ANTI VIRUS).
Solution..! • Anti Virus programmers designed their software based on things they noted : • Viruses are short length programs • They place them self at beginning and end of program. • Then S.W focus on searching beginning and end of such files. • But... ! was that enough ?
BUT..!! • Virus Programmers decided : • to hide the virus signature..OR • At least disguise it so it wouldn't be recognizable. • !!!!! Using Encryption !!!!! • EXE Program= (virus code + Signature+ Decryption Algorithm ) • Y=Encryption (code+ Signature) • X=Decryption Algorithm(Y) = virus program
>> • Anti Virus programmers designed S.W to look for byte patterns common to Decryption algorithms. • Problem : (decryption codes are small and similar to legitimate programs) *Q: Is this code .. Decryption algorithm OR simple array task? for (i=0; i<s ; i++) M[i]+= k *A: difficult to know ! It can be either...
Written Viruses..? • Virus use different encryption key each time it infect a new file. -->> Virus will look different each time -->> Untraceable !
X-Raying.. • X-Raying ? each suspected encrypted virus is subjected to a collection of decryption algorithms known to be used with viruses. The decryption result is examined for a virus signature. It was successful ! Until Virus programmers responded !!!!
>> • Polymorphic Virus, a virus that mutates when it infects a new file.( become resistant to treatment= biological virus). • Uses a mutation engine to change decryption code each time it infect a new file. • No use for Anti virus S.W that detect a certain sequence of bytes from decryption algorithms! Q:So, how to locate a virus without knowing what it looks like ? A:Using Generic Decryption (GD)!
Generic Decryption.. • A technique that fools the virus into revealing itself early, before it has a chance to damage. • It contains a CPU emulator, when examine the file it execute a software that simulates the execution of the file. • If the file contain a virus it will decrypt itself revealing its signature pattern. • Even If virus executed there is no harm..its a simulation. Q: What if the file do not contain a virus ? A: Simulator executes specific number of instructions and then, if no virus found ..it will terminate at some point.
>> • Unfortunately! Virus is no fool !It can contain all kind of do nothing instructions at the start . Ex: add 0 to the register .. • If simulator is short it will miss some viruses ! • If its long then = time consuming = and... No winner!!!
COMPUTER Worms • Same as viruses.. • Usually appear as a separate Program. • First worm in 1988 by Cornell, graduate student released in the Internet. • Written in C Attacked Linux OS, thousands of Sun 3 and VAX computers.
>> • The worm used a technique called Fingerd ( a software that allows one user to obtain information about other users). • Fingerd technique Accept a single line of inputs (request ) and send back output corresponding to the input. • Basically: the program input do not check for buffer overflow , then the transmitted message over flow the input buffer and over wrote parts of the system stack!
>> • Worms also attacks password file trying to decipher user password. • It simply guesses passwords , encrypted them and find matches using online dictionary!
COMPUTER Hackers • A hacker usually is someone who write programs just for the sheer of writing them.. • Exploits security holes in operating systems and determine passwords!
Attack • = exploitation of one or more vulnerabilities by a threat; tries to defeat controls • Attack may be: • Successful • resulting in a breach of security, a system penetration, etc. • Unsuccessful • when controls block a threat trying to exploit a vulnerability
Why ? • Challenge! • Game! • Still there are many hackers who is proved to be malicious!!!
Who attacks networks? • Who are the attackers? • We don’t have a name list • Who the attackers might be? • MOM will help to answer this • MOM = Method/Opportunity/Motive • Motives of attackers: • Challenge/Power • Fame • Money/Espionage • Ideology
Attacking for challenge/power • Some enjoy intellectual challenge of defeating supposedly undefeatable • Successful attacks give them sense of power • Not much challenge for vast majority of hackers • Just replay well-known attacks usingscripts • Attacking for fame • Some not satisfied with challenge only • Want recognition – even if by pseudonym only • Thrilled to see their pseudonym in media • Attacking for money/espionage • Attacking for direct financial gains • Attacking to improve competitiveness of ones com/org • 7/2002: Princeton admissions officers broke into Yale’s system • Attacking to improve competitiveness of ones country • Some countries support industrial espionage to aid their own industries (cont.)
Attacking to spy on/harm another country • Espionage and information warfare • Steal secrets, harm defense infrastructure, etc. • Few reliable statistics – mostly perceptions of attacks • 1997-2002 surveys of com/gov/edu/org: ~500 responses/yr • 38-53% believed they were attacked by US competitor • 23-32% believed they were attacked by foreign competitor • Attacking to promote ideology • Two types of ideological attacks: • Hactivism • Disrupting normal operation w/o causing serious damage • Cyberterrorism • Intent to seriously harm • Including loss of life, serious economic damage