Authentication and Cryptography Concepts
Questions and Answers

What is the primary purpose of authentication mechanisms in applications?

To verify the identity of a user by matching their credentials against stored credentials.

Explain the difference between authentication and authorisation.

Authentication validates a user's identity, while authorisation determines if the authenticated user has permission to access resources.

What are the two traditional components of login credentials?

A unique identifier (like username or email) and a secret known only by the user (like a password).

Why might some applications require re-authentication for certain actions?

To enhance security by confirming that the person at the keyboard is still the authenticated user before a critical action (for example a bank transfer) is performed.

Can a user be authenticated but not authorised? Provide an example.

Yes. A user who logs in successfully but then requests an admin-only page is authenticated but not authorised for that resource.

What happens if an application's authentication process fails?

The user is denied access to the application's protected resources.

What does it mean for a user to have validated identity in an application?

The credentials the user presented have been matched against the stored credentials (for passwords, against the stored password hash rather than the password itself).

How does the authentication process fit into overall application security?

Authentication is the first step in securing an application: it establishes who the user is so that authorisation decisions can be made, and ensures only legitimate users can interact with protected functionality.

What is the main purpose of cryptography?

To hide or encode information so that it can only be read by authorised parties.

What are the two main forms of data in cryptography?

Plaintext (the readable form) and ciphertext (the encrypted form).

How does hashing differ from encryption?

Hashing is a one-way process that converts data of any length into a fixed-length value and cannot be reversed; encryption is reversible and uses keys to encrypt and decrypt.

What is a hash value and what is its purpose?

A hash value is the fixed-length output of a hash function for a given input. Any change to the input changes the hash, and a secure hash function makes it infeasible to find two inputs with the same output, so hash values are used for integrity checks and verification.

Why is hashing important in data transmission?

The recipient can recompute the hash of the received data and compare it with the hash the sender published, verifying that the data was not altered in transit.

What role do cryptographic libraries play in programming?

Cryptographic libraries provide tested implementations of cryptographic functions so that developers do not have to implement the underlying mathematics themselves.

Give an example of how hashing is used in file sharing.

Publishing the hash of a file so that users who download it can recompute the hash and verify the file has not been altered during sharing or downloading.

What is the significance of using fixed-length values in hashing?

Fixed-length output is uniform regardless of input size, which makes hashes easy to store, transmit and compare.

What are the two main purposes of security logging and monitoring?

Detection of security breaches and reconstruction of events after an incident.

Why is downtime considered costly for organizations?

Downtime causes loss of productivity and potential loss of revenue.

How can audit trails assist security personnel after a breach?

Audit trails provide a record of the events leading up to and during the breach, which helps determine what happened and what to fix.

What is the primary function of cryptography?

To scramble or encode data so that it cannot be read by anyone who is not authorised.

What security issue arises from storing data in plain text in a database?

Anyone who obtains a copy of the database (through a breach or a leak) can read the data directly.

In what scenario are logs useful for data recovery?

Logs can be used to reconstruct data files that were lost or corrupted during an incident.

What role does event logging play in the context of internal security breaches?

Event logging records what insiders do with information, which deters and helps detect internal misuse.

What is meant by making sensitive data 'unreadable'?

Encrypting it so that it cannot be accessed or understood without the decryption key.

What is the primary advantage of using rainbow tables in hash cracking?

Rainbow tables let an attacker look up a password from its (unsalted) hash in a precomputed table instead of hashing candidate passwords on the fly, trading storage space for cracking time.

What is a significant limitation of rainbow tables?

They require a lot of storage space, are specific to one hashing algorithm and character set, and are defeated by salting.

Explain the purpose of a salt in the hashing process.

A salt is a unique, randomly generated value combined with each password before hashing, so that identical passwords produce different hash values.

How does peppering enhance the security of hashed passwords?

A pepper is a secret value kept outside the database (for example in application configuration or a hardware security module) that is used to encrypt or key the stored hash values; an attacker who steals only the database cannot crack the hashes without it.

What differentiates hashing from encryption in terms of functionality?

Hashing transforms data into a fixed-length value and is one-way; encryption scrambles data using keys and can be reversed.

Why is salting considered a best practice in secure hashing?

Salting makes each hash unique even for identical passwords, defeating precomputed-table attacks such as rainbow tables and forcing an attacker to crack every hash separately.

What role do modern hashing algorithms play in salting passwords?

Modern password hashing algorithms (for example bcrypt, scrypt and Argon2) generate a unique salt automatically and store it alongside the hash.
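
Worked example, added here and not part of the original quiz: storing and verifying passwords with a per-password random salt (PBKDF2-HMAC-SHA256 from Python's standard library) and a pepper applied as a keyed hash over the result. The `PEPPER` constant is a placeholder for a secret that would be loaded from configuration or an HSM; the scheme label and record format are this example's own conventions. Hashing the same password twice gives two different records, which is exactly what defeats a rainbow table.

```python
import base64
import hashlib
import hmac
import os

# Added example, not from the original quiz. PBKDF2-HMAC-SHA256 with a random
# per-password salt, then a keyed hash (HMAC) of the result with a secret pepper.
# Keeping the pepper out of the database is the point: a dumped table alone is not enough.
ITERATIONS = 600_000  # OWASP's 2023 figure for PBKDF2-HMAC-SHA256; raise as hardware improves
SCHEME = "pbkdf2-sha256+hmac-pepper"

# Placeholder pepper (assumption). In production load it from configuration, a
# secrets manager or an HSM; never store it in the same database as the hashes.
PEPPER = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted slow hash, then the pepper applied as an HMAC key over the derived value."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return hmac.new(PEPPER, derived, hashlib.sha256).digest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt$digest (base64 fields)."""
    salt = os.urandom(16)  # fresh random salt for every password, so equal passwords differ
    digest = _derive(password, salt, iterations)
    return "$".join([SCHEME, str(iterations), _b64(salt), _b64(digest)])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_b64, digest_b64 = stored.split("$")
        if scheme != SCHEME:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        candidate = _derive(password, salt, int(iterations))
    except (ValueError, TypeError):
        return False  # malformed record: never raise, just refuse
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor&3", record))                   # False
```

Verification reads the salt and iteration count back out of the stored record, so the iteration count can be raised for new passwords without breaking old ones. A dedicated password hashing library (bcrypt, scrypt or Argon2, as the answer above mentions) is preferable in production; the structure is the same.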

What is the primary function of encryption?

To scramble data into an unreadable form, known as ciphertext, that can only be converted back to plaintext with the correct key.

What are two potential negative impacts of injection attacks?

Data theft and denial of service.

Name one type of injection attack besides SQL injection.

Cross-site scripting (XSS).

What is SQL used for in web applications?

SQL is used to store, query and process information in a relational database.

How can a hacker exploit an SQL query that uses string concatenation?

By supplying input that contains SQL syntax; because the input is concatenated into the query text, it becomes part of the query and alters its meaning and outcome.

What SQL command would return all columns from the User table?

SELECT * FROM User;

In the context of SQL injection, what does 'OR 1=1' accomplish?

It makes the WHERE clause evaluate to true for every row, so the query returns all rows instead of only the matching one.

What does the query 'SELECT firstname, lastname FROM User WHERE email = john@email' reveal if exploited?

If the email value is built by string concatenation and an attacker supplies something like john@email' OR 1=1 --, the WHERE clause matches every row and the query reveals the first and last names of all users in the User table.

What SQL command can be used to insert new data into a database?

INSERT INTO.
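
Worked example, added here and not part of the original quiz, in Python with the standard-library sqlite3 module and a constructed User table: the concatenated query from the questions above beside its parameterised replacement, both run with the `' OR 1=1 --` payload.

```python
import sqlite3

# Added example, not from the original quiz. Uses an in-memory SQLite database
# with a constructed User table so the injection can be run and observed offline.


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE User (id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT, email TEXT UNIQUE)"
    )
    conn.executemany(  # INSERT INTO with placeholders, so the sample data is parameterised too
        "INSERT INTO User (firstname, lastname, email) VALUES (?, ?, ?)",
        [("John", "Smith", "john@email"), ("Jane", "Doe", "jane@email"), ("Ada", "Lovelace", "ada@email")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """String concatenation: whatever the client sends becomes part of the SQL text."""
    query = "SELECT firstname, lastname FROM User WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, email: str) -> list:
    """Parameterised query: the value is bound by the driver and can never change the
    query's structure, so the same payload is just an email address that matches nothing."""
    return conn.execute("SELECT firstname, lastname FROM User WHERE email = ?", (email,)).fetchall()


# Attacker-controlled value: closes the string literal, appends OR 1=1 (always true)
# and comments out the closing quote the application appends after the value.
INJECTION = "nobody@email' OR 1=1 --"

if __name__ == "__main__":
    db = build_db()
    print("normal:    ", find_user_vulnerable(db, "john@email"))
    print("injected:  ", find_user_vulnerable(db, INJECTION))  # every user's name
    print("safe query:", find_user_safe(db, INJECTION))        # no rows
```

The fix is not escaping quotes by hand but keeping data and query text separate: with a bound parameter the database engine never parses the value as SQL.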

What role does asymmetric encryption play in SSL/TLS?

Asymmetric encryption is used during the handshake to protect the exchange of a single-use symmetric session key; that symmetric key then encrypts the contents of the browsing session.

Identify two types of attacks associated with symmetric key encryption.

Brute force attacks (trying every possible key) and known plaintext attacks (using plaintext/ciphertext pairs to recover the key).

Explain the concept of breaking encryption.

Breaking encryption refers to cryptanalysis techniques used to defeat a cryptographic system and recover the underlying data without possessing the key.

How does differential cryptanalysis work?

Differential cryptanalysis studies how differences between pairs of inputs (plaintexts) propagate to differences in the outputs (ciphertexts); statistical patterns in those output differences reveal information about the key.

What strategy should be employed to strengthen encryption against attacks?

Use the longest keys the system can afford, together with an algorithm that is still considered secure, so that brute force becomes computationally infeasible.

Describe a side channel attack in the context of asymmetric key encryption.

A side channel attack exploits information leaked by the physical implementation, such as timing, power consumption or electromagnetic emissions, rather than a weakness in the algorithm, to recover the secret key.

What is a layered approach to encryption?

Encrypting data at multiple levels, for example encrypting individual columns and tables in a database and then encrypting the database as a whole, so that compromising one layer does not expose the data.

Why is key management critical in encryption systems?

The security of encrypted data depends entirely on the secrecy of the keys: if keys are generated, stored, distributed or rotated insecurely, the encryption can be bypassed regardless of how strong the algorithm is.

Study Notes

Exam Revision Slides

  • CSC2031 Security Programming revision slides cover topics related to security programming.

Topic 1 Security Foundations

  • Computer security, also called cybersecurity, protects computer systems and information from harm, theft, and unauthorized use.
  • Key aspects include protecting computer systems and networks from attacks involving malicious actors that lead to unauthorized information disclosure, hardware/software/data theft or damage, and service disruptions or misdirection.
  • Computer security is about protection from "bad stuff".
  • Protection includes preventing, detecting, and reacting to unauthorized actions by computer system users.

Why is computer security important?

  • The UK's National Cyber Security Centre (NCSC) highlights the importance of cybersecurity in modern life, given the fundamental role of smartphones, computers, and the internet.
  • Taking steps to prevent cybercriminals from accessing accounts, data, and devices is crucial.
  • Cybercrime targets valuable data such as bank account numbers, credit card information, passwords, work documents for financial and personal gain.
  • Data theft is the most expensive and fastest-growing segment of cybercrime.

Why is computer security important?

Computer Systems are Valuable Targets

  • Sensitive data stored includes bank account numbers, credit card information, passwords, work documents and this data affects wellbeing.
  • Wellbeing includes comfort, safety, health, welfare, prosperity, success, contentment.
  • Data relates to protected health information (PHI), intellectual property, government, industry, and university.

Why is computer security important?

Computer Systems have many Security Threats

  • Data present in a computer may be stolen or altered by unauthorized intrusion.
  • Malicious users can modify programs, use others' accounts for malicious content (fake, misleading, and offensive), crash systems, or use computers for attacks.

THREAT: Using computers to attack other computers

  • A bot is a software application that runs automated tasks (scripts) over the Internet.
  • A botnet is a network of malware-infected computers running one or more bots, often acting as a tool to carry out tasks.
  • A distributed denial of service (DDoS) attack happens when the computers in a botnet are used to overwhelm a server so that it slows down or crashes, blocking legitimate access.

Why is computer security important?

Cybercrime is Growing

  • Without security, computer systems (of individuals, organisations and nation-states) cannot defend themselves against data breaches.
  • Data theft is the most expensive and fastest-growing segment of cybercrime.
  • In 2019, the average annual cost of cybercrime for an organisation rose to $13 million, and the average number of breaches rose 11% to 145.
  • Cybersecurity Ventures predicted $8 trillion in cost of cybercrime in 2023, growing to $10.5 trillion by 2025.

Why is computer security important?

Cybercrime Comes With a Cost

  • Cost includes theft of intellectual property, corporate information, trade disruption, and repair costs for damaged systems.
  • Loss of consumer trust, loss of customers to competitors and poor media coverage comprise reputational cost.
  • Regulatory costs result from non-compliance with regulations such as GDPR for data protection, resulting in large regulatory fines or sanctions.
  • Examples include Meta (fines of $1.3 billion), Amazon ($823 million), WhatsApp ($248 million), and British Airways (£20 million).

What is it we are really trying to protect?

  • The fundamental purpose of a computer system is to input, output, store, and process data.
  • Data/information is the most crucial aspect of computer systems. Data is protected by computer security measures to protect input, output, storage and processing.

How can data be compromised?

  • Unauthorized disclosure, modification, or withholding of data are main ways that data can be compromised or breached.

What are the Key Properties of Computer security?

  • Confidentiality - protects data from unauthorized disclosure.
  • Integrity - protects data from unauthorized modification.
  • Availability - protects data from unauthorized withholding.
  • These properties are called the CIA triad.

The CIA Triad

  • Confidentiality, integrity, and availability of data is crucial to the secure operation of computer systems.
  • Ideally, all three properties are met so security profile of a computer system is stronger and better equipped to handle security threats.

Confidentiality

  • Confidentiality is maintained when data is kept private and restricted as intended.
  • Only authorized users can access specific data and users without authorization should be prevented from accessing confidential data.
  • The value of data is often dependent on access restrictions (e.g., proprietary company data, personal/financial customer information).

Integrity

  • Integrity is maintained when data is authentic, accurate, and reliable.
  • Only authorized users should modify data when needed.
  • Unauthorised users must be prevented from tampering with data.
  • Integrity is typically an important concern for financial data such as banking systems.

Availability

  • Availability means that data can be used or obtained when needed by authorized users.
  • Data needs to be available to authorized users when needed, even if it is kept confidential and its integrity maintained.
  • Unauthorised parties must be prevented from withholding data; this is especially critical for urgent government press releases or medical emergencies.

Unavailability – Ransomware Attacks

  • Ransomware is malware that prevents access to devices and the data stored on them.
  • Criminal groups often demand a ransom from victims to decrypt the data.

More Security Properties

  • Authentication determines whether a user (or a system) is who or what it claims to be; access is granted only after authentication succeeds.
  • Non-repudiation ensures that the sender or recipient of data cannot later deny having sent, received or processed it, because evidence of the action (e.g. delivery evidence) exists.

Repudiation - It Wasn't Me

  • Repudiation is the denial of the truth or validity of something.
  • The Tab and Financial Times articles referenced in the slides discuss cases of denial or disputed responsibility, such as denying having sent emails, witnesses denying involvement, and data being removed before police questioning.
  • Another example: a hacker claimed to have leaked an 87-million-record database from Temu.

What are threats, vulnerabilities, and risk?

  • Threats are potential negative actions or events that could harm a computer system.
  • Vulnerability is a weakness in a computer system that a threat can exploit.
  • Risk is the potential loss or damage when a threat exploits a vulnerability (Risk = Threat x Vulnerability)

How do we do Computer Security?

  • Many aspects exist to computer security including network security, endpoint security, information security, cloud security, IoT security, mobile security, application security.
  • Computer security also takes many forms: physical, security processes and policies, and technical methods
  • Computer security involves controlling physical access to hardware, controlling what users do (to guard against malpractice, accidents and social-engineering tricks) through secure procedures and policies, and technical protection against network attacks, bad data and code injection.

Topic 2 Authentication

  • Authentication is the process of verifying a user's identity.
  • Users must present evidence to prove their identity.
  • Types of authentication factor are knowledge factors (something you know), possession factors (something you have) and inherence factors (something you are).

Authentication in Applications

  • Applications may include public and protected areas.
  • All users should authenticate before accessing protected areas.
  • Authentication mechanisms compare user credentials to stored credentials in a database.
  • User authentication is often enforced only once for interaction with the application (or may require re-authentication for actions like bank transfers).

Authentication vs Authorisation

  • Authentication validates user identity, while authorization verifies that the authenticated user has permission to access requested resources. The authorisation process comes after authentication.

Authenticating Users

  • Users must be authenticated before taking any action on the application.
  • A common way to authenticate users is to require login credentials, a unique username and a secret password.

Authentication Vulnerabilities

  • Authentication is broken if a user's login credentials can be guessed, are exposed through leaks, or can be worked out from other knowledge about the user.
  • Usernames are often public (e.g. email addresses).
  • Passwords are therefore typically the weak spot.

Brute Force Attacks

  • A brute force attack tries all possible passwords until the correct one is found.

Guessing Passwords

  • Users often choose weak passwords that are easy to remember (e.g., common passwords, personal details like names, places, or dates).

Logically Guessing Passwords

  • Users frequently base passwords on personal details such as names, places, or dates.
  • Social media content may also reveal details about the users that aid in password identification.

Automated Brute Force Attacks

  • Attackers use software tools to try large numbers of candidate passwords automatically; a manual attack would be far too slow to be effective.
  • Automated attacks may involve sending a stream of login requests to servers with potential passwords to attempt authentication against user accounts.
  • The simplest form of automatic attack is a dictionary attack which tries all words from a dictionary to find a match.

Exposing Passwords

  • Users might record passwords in unprotected formats and places, leading to easy exposure to misuse.
  • Simple passwords are more exposed to guessing and brute force than complex passwords.

Leaking Passwords

  • Shared passwords (e.g. a streaming account shared among friends) reduce cost but increase risk, since someone who is not authorised may gain access.
  • Account problems (e.g. a user's own credentials not working) lead users to seek workarounds that may not comply with security best practice.

Strengthening Authentication

  • Methods to strengthen authentication include: enforcing a password strength policy, verifying that the client is human (CAPTCHA), limiting login attempts (rate limiting and account lockout), multi-factor authentication, and notifying users of unrecognised logins or access attempts.

Password Security

  • Password policies set rules like password length and characters allowed (and not) to improve password security.
  • Blacklisting is a password policy method that disallows specific terms.
  • Strong password policies include length, character type specifications (min/max), and disallowing particular common terms.

Password Policies

  • Minimum and maximum length constraints for passwords, character restrictions (e.g., including numbers, uppercase letters, special characters), password reuse frequency.

Password Policies

  • Passwords should be sufficiently long and complex that they are not easy to crack.

Regular Expressions (Regex)

  • Regular expressions (regex) define patterns for validating strings, often used to ensure characters in a string match specific patterns.
  • A regex literal typically defines a pattern that checks whether one or more character types exist in a string.

Validating Character Existence

  • Validating character existence in strings is used to enforce security policies, ensuring strings are in compliance (e.g., passwords contain a number, an uppercase letter).
  • Validating character existence using regex is useful for testing if one or more character types exist (or don't exist) in a string.

Regex Lookaheads

  • A regex generally matches from left to right.
  • Lookaheads look to the right, so a character existence check can be done without caring about positions.

Regex Lookaheads

  • The formal syntax for lookahead is: (?=pattern)
  • Lookaheads can be used to find patterns or sequences of characters when validating strings
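
Worked example (added here, not from the slides): the password policy from the previous slides expressed as chained lookaheads, plus a blacklist and a username check. Rule names, the 12-64 length bounds and the blacklist terms are this example's own assumptions.

```python
import re

# Added example (not from the original slides). Each rule is a lookahead: it scans
# the whole string for one character class without consuming anything, so the
# rules can be chained at the start of the pattern in any order.
RULES = {
    "at least one lowercase letter":  r"(?=.*[a-z])",
    "at least one uppercase letter":  r"(?=.*[A-Z])",
    "at least one digit":             r"(?=.*\d)",
    "at least one special character": r"(?=.*[^\w\s])",
    "no whitespace":                  r"(?!.*\s)",   # negative lookahead
}
MIN_LEN, MAX_LEN = 12, 64                          # assumed policy bounds
LENGTH = rf".{{{MIN_LEN},{MAX_LEN}}}"
# One combined pattern: all lookaheads, then the length check over the whole string.
POLICY_RE = re.compile("^" + "".join(RULES.values()) + LENGTH + "$")

# Assumed blacklist; a real deployment would use a large breached-password list.
BLACKLIST = ("password", "qwerty", "123456", "letmein", "welcome")


def matches_policy(password: str) -> bool:
    """Single-regex verdict, as a form validator would use it."""
    return POLICY_RE.fullmatch(password) is not None


def policy_violations(password: str, username: str = "") -> list:
    """Per-rule feedback for the user: every rule that fails, plus blacklist checks."""
    failed = [name for name, lookahead in RULES.items()
              if re.match("^" + lookahead, password) is None]
    if not MIN_LEN <= len(password) <= MAX_LEN:
        failed.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    lowered = password.lower()
    failed += [f"contains blacklisted term '{t}'" for t in BLACKLIST if t in lowered]
    if username and username.lower() in lowered:
        failed.append("contains the username")
    return failed


def is_acceptable(password: str, username: str = "") -> bool:
    return matches_policy(password) and not policy_violations(password, username)


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor&3-xyz", "Password123!", "correct horse battery", "Ab1!"]:
        print(f"{candidate!r}: {is_acceptable(candidate)} {policy_violations(candidate)}")
```

`matches_policy` gives the yes/no answer a form validator needs; `policy_violations` runs the same lookaheads one at a time so the user can be told which rule failed. Keep the server-side check authoritative: a JavaScript copy in the browser is a convenience, not a control.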

Automatically Create Strong Passwords

  • Modern browsers can automatically generate secure passwords.
  • Generated passwords are complex passwords.
  • Password managers facilitate saving passwords for accounts/details.

Consideration

  • Generated passwords may not meet password policy.
  • Users may bypass password choices (choose their own password choices rather than generated ones).
  • Generated passwords are hard to remember, so users may forget them or end up juggling many passwords without a manager.

Password Strength Checkers

  • Password strength checkers are used to assess the complexity and security strength of a password.
  • They analyse password strength against a set of criteria (including length and character types).
  • Passwords that don't meet all rules may still be valid but may still be considered "weak"

Password Recovery

  • Web applications offer a "forgotten password" link for password recovery.
  • Reset instructions are usually sent to the user's registered email address, so the security of password recovery depends on the security of that email account.

Changing Passwords

  • Web applications often require users to change their passwords at regular intervals (e.g., every 30, 60 or 90 days).
  • Password changes should be enforced after an account has been compromised or a password is known to have leaked.
  • Users can also change their passwords whenever they need to.

Re-entering Passwords

  • Re-authentication may be required when accessing a particular protected part of the application or after a defined time interval (e.g., for sensitive actions like banking transfers).

CAPTCHA

  • CAPTCHAs are automated tools used to verify a user is human rather than an automated program, to prevent brute force attacks

reCAPTCHA

  • reCAPTCHA is a widely used CAPTCHA software program by Google, and is often the standard for web applications.
  • It has two types: asking users to select images matching a theme and checking a checkbox

Limiting Authentication Attempts

  • Limiting authentication attempts can mitigate brute-force attacks.
  • Account lockouts can be implemented after a defined number of incorrect attempts, and can restrict access for a defined time (e.g., one hour or longer)

Tracking Authentication Attempts

  • HTTP requests and responses are stateless: the server does not by itself remember a client's earlier requests.
  • Session objects are used to track user state across requests for web applications.

Limiting Authentication Attempts

  • Rate limiting slows brute-force attacks by limiting the number of authentication attempts within a timeframe (e.g., 5 per minute).

Rate Limiting Breach

  • When a client exceeds the rate limit the server responds with HTTP 429 Too Many Requests.
  • Further attempts are rejected until the limit window has passed, which blunts large-scale automated attacks.
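
Worked example (added here, not part of the slides): the attempt tracking, rate limiting and lockout described in the slides above in one class, with the 5-per-minute window and one-hour lockout as defaults. `ManualClock`, `attempt_login` and the `verify` callback are assumptions made so the code runs offline; the real credential check is the application's own.

```python
import math
import time
from collections import defaultdict, deque


class ManualClock:
    """Injectable clock so the behaviour can be exercised without waiting (assumption for the example)."""
    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


class LoginAttemptTracker:
    """Sliding-window rate limit on failed logins, with an optional account lockout.

    Keyed by whatever the caller passes (username here; key by client IP as well to
    catch attackers spraying one password across many accounts). State is in-process;
    a multi-server deployment would keep it in a shared store such as Redis."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 60,
                 lockout_seconds: int = 3600, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds  # 0 disables lockout: pure rate limiting
        self.clock = clock
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time the lockout ends

    def _recent_failures(self, key: str, now: float) -> deque:
        q = self._failures[key]
        while q and now - q[0] >= self.window:  # drop failures that left the window
            q.popleft()
        return q

    def check(self, key: str) -> tuple:
        """Call before verifying credentials. Returns (allowed, retry_after_seconds)."""
        now = self.clock()
        until = self._locked_until.get(key)
        if until is not None and now < until:
            return False, math.ceil(until - now)
        q = self._recent_failures(key, now)
        if len(q) >= self.max_failures:
            return False, math.ceil(self.window - (now - q[0]))
        return True, 0

    def record_failure(self, key: str) -> None:
        now = self.clock()
        q = self._recent_failures(key, now)
        q.append(now)
        if self.lockout and len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout

    def record_success(self, key: str) -> None:
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def attempt_login(tracker: LoginAttemptTracker, username: str, password: str, verify) -> tuple:
    """HTTP-style outcome (status, headers). `verify(username, password)` is the
    application's credential check (assumed)."""
    allowed, retry_after = tracker.check(username)
    if not allowed:
        return 429, {"Retry-After": str(retry_after)}
    if verify(username, password):
        tracker.record_success(username)
        return 200, {}
    tracker.record_failure(username)
    return 401, {}


if __name__ == "__main__":
    clock = ManualClock(1000.0)
    tracker = LoginAttemptTracker(clock=clock)
    check = lambda u, p: p == "s3cret-passphrase"
    for _ in range(5):
        print(attempt_login(tracker, "alice", "guess", check))             # (401, {})
    print(attempt_login(tracker, "alice", "s3cret-passphrase", check))     # (429, {'Retry-After': '3600'})
    clock.now += 3600
    print(attempt_login(tracker, "alice", "s3cret-passphrase", check))     # (200, {})
```

A lockout is itself a denial-of-service lever: anyone who knows a username can lock its owner out at will, so pair lockouts with user notification and a recovery path, and key the limiter by source IP as well so that one address spraying many accounts is also throttled.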

Multi Factor Authentication

  • MFA (Multi-Factor Authentication) requires a user to present more than one authentication factor to gain access to an account.
  • Requiring an additional factor (such as a one-time code or a physical device) on top of the username and password gives more assurance that the user is who they claim to be, and mitigates the risk from an attacker who has obtained the password alone.

Numerical Code Generators

  • Numerical authentication codes generated through various methods (text messages/personal code generators/authenticator applications) are frequently a component of MFA solutions

Additional Authentication Factors

  • Factors beyond the username and password include one-time passwords, digital PKI certificates and biometrics.

Time Based Pins

  • Time-Based Pins are used in multi-factor authentication.
  • PINs are generated on demand and expire after a short time (e.g., 30-60 seconds), unlike static passwords that remain valid indefinitely.

Time Based Pin Generation

  • A randomly generated shared secret key and the current timestamp are combined to generate the PIN, so the user's device and the server can independently compute matching codes without communicating.
  • A design decision is whether MFA should be enforced for all users or left to each user's preference.

Topic 3 Authorisation

  • Authorisation ensures users only access resources they are permitted to, based on rules/roles.
  • The process involves validating whether an authenticated user has been granted permission to access the requested resources.
  • Authorisation must follow authentication to validate the identity of the user first, before authorisation can take place.
  • Users that are not authenticated are commonly referred to as "anonymous users".

Authorisation Process

  • Authorisation is broken into 2 phases: definition phase (defining rules and circumstances/privileges/permissions) and the enforcement phase (ensuring rules are followed)

Authorisation Definition

  • Authorisation policies define the access rules.
  • Policies include details regarding company data confidentiality.
  • Policies should ensure no access by unauthorized users.
  • Examples: a user cannot edit another user's post; only anonymous users can register an account; only admins can access the database admin page.

Authorisation Enforcement

  • A system-wide reference monitor validates access requests against authorisation policies.
  • A reference monitor needs to follow NEAT guidelines (Non-bypassable, Evaluable, Always-invoked, and Tamperproof) to ensure the process robustness.

Authorisation Vulnerabilities

  • Authorisation schemes may lack robust implementation which can leave vulnerabilities open to hackers to exploit.
  • Access to sensitive functions within an application, or data theft, or takeover of site administration might be possible after exploitation if the authorisation scheme is incorrectly implemented.

Missing Authorisation

  • Anonymous (unauthenticated) users may be able to reach pages or blog content outside their privileges.
  • Admin and other higher-privilege functions are exposed if access control is not applied consistently across the site.
  • Path traversal gives unauthorised access to files, folders or other resources outside the designated areas of the web application.

Path Traversal

  • Path traversal attacks alter the resource location in a URL to reach areas outside the expected web document root.
  • Web applications serve files from a "web document root"; using '..' (or equivalent sequences) in the path can navigate above this root and read otherwise inaccessible files.
  • Alternative encodings (e.g., %2e%2e, ..%2f) can bypass naive filters that only look for a literal '..' in the URL.
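
Worked example (added here, not from the slides): the naive check that looks for a literal `..` in the URL, beside a resolver that decodes the path, normalises it and refuses anything that lands outside the document root. `DOC_ROOT` is an assumed path; the example resolves paths lexically with `posixpath` so it runs without a filesystem.

```python
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/var/www/html"  # assumed web document root for this example


def naive_is_safe(requested: str) -> bool:
    """The kind of check the slides warn about: looks for '..' in the raw URL path.
    It never sees the dots when the client sends them URL-encoded (%2e%2e)."""
    return ".." not in requested


def resolve_under_root(requested: str, root: str = DOC_ROOT):
    """Decode once, normalise lexically, then require the result to stay inside root.
    Returns the path to serve, or None when the request escapes the document root.
    On a real filesystem apply os.path.realpath as well so symlinks cannot escape."""
    decoded = unquote(requested)
    if "%" in decoded or "\x00" in decoded:
        return None  # double-encoded sequences (%252e) or NUL bytes: reject outright
    relative = decoded.lstrip("/")  # an absolute path would otherwise replace root in join()
    candidate = posixpath.normpath(posixpath.join(root, relative))
    if posixpath.commonpath([root, candidate]) != root:
        return None  # '..' (in any encoding) climbed above the document root
    return candidate


if __name__ == "__main__":
    for path in ["index.html", "css/../index.html", "../../etc/passwd",
                 "..%2f..%2fetc%2fpasswd", "%2e%2e/%2e%2e/etc/passwd", "..%252f..%252fetc/passwd"]:
        print(f"{path:28} naive_safe={naive_is_safe(path)!s:5} served={resolve_under_root(path)}")
```

The resolver does not try to enumerate bad byte sequences; it decodes, canonicalises and then checks the one property that matters, that the final path is inside the root. That is the check a web server or framework applies, and it holds for encodings the blacklist never thought of.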

Authorisation Issues

  • Web applications often have inadequate authorisation mechanisms, leading to vulnerabilities in access control.
  • Hackers might be able to access sensitive functions, data or take over site-administration by exploiting the vulnerabilities.

Managing User Access

  • Applying authorisation rules over different states (e.g., anonymous vs authenticated).
  • Anonymous users have more limited access than authenticated users.

Adding Authorisation

  • Adding or modifying conditional ("if") statements that decide how each class of user is treated, e.g., allowing authenticated users access to sensitive data while denying it to anonymous users.
  • The same conditionals are used in templates to show or hide menu links according to user type; hiding a link is not a substitute for enforcing the check on the view itself.

Missing Authorisation – View Functions

  • Protect view functions with decorators (e.g., @login_required from Flask-Login).
  • Anonymous users who request a protected page directly are redirected to the login page.

Role Based Access Control

  • Role-based access control (RBAC) assigns access rights based on user roles in an IT system/application.
  • Roles determine the resources/tasks a user is allowed to carry out, to mitigate risks and improve security.

Role Based Access Control

  • System/application roles (e.g. end user, administrator, security, IT technician, programmer, student).
  • Users may hold multiple roles, and there could be issues or conflicts related to overlapping privileges.

RBAC Benefits

  • RBAC enhances operational efficiency, increases visibility for administrators, reduces costs (resource utilization decrease) and mitigates breaches, data leaks.
  • RBAC implementation should be broken up into steps (understanding business needs, planning implementation, defining roles, and finally implementation).

Implementing RBAC – Roles Decorator

  • Implementing custom decorators to enforce the RBAC (Role Based Access Control) rules for restricting views.
  • Flask-Login provides @login_required but no decorator for role-based restrictions.
  • Wrapper functions can be implemented to do this.
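
Worked example (added here, not from the slides): a `requires_roles` decorator that enforces role-based access on view functions and denies by default, written without Flask so it runs stand-alone. `User`, `dispatch` and the two views are assumptions for the example; in a Flask application the user would come from Flask-Login's `current_user` proxy and the exceptions would map to a login redirect and a 403 response.

```python
import functools
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    """Stand-in for Flask-Login's user object (assumption): identity plus a set of roles."""
    username: str
    roles: frozenset = frozenset()
    is_authenticated: bool = True


ANONYMOUS = User("anonymous", frozenset(), is_authenticated=False)


class Unauthorized(Exception):
    """Not logged in: the Flask view would redirect to the login page."""


class Forbidden(Exception):
    """Logged in, but without a permitted role: HTTP 403."""


def requires_roles(*allowed_roles: str):
    """Decorator factory: the view runs only if the user is authenticated AND holds at
    least one of the allowed roles. Everything else is denied by default, so a view
    that is simply missing the decorator is the bug to look for in code review."""
    allowed = frozenset(allowed_roles)

    def decorator(view):
        @functools.wraps(view)  # keeps the view's name and docstring for routing/debugging
        def wrapper(current_user: User, *args, **kwargs):
            if not current_user.is_authenticated:
                raise Unauthorized("login required")
            if not (current_user.roles & allowed):
                raise Forbidden(f"{current_user.username} lacks any of {sorted(allowed)}")
            return view(current_user, *args, **kwargs)
        return wrapper
    return decorator


# Views. With Flask-Login the current user comes from a request-local proxy rather
# than a parameter; it is passed explicitly here so the example runs without Flask.
@requires_roles("admin")
def db_admin_page(user: User) -> str:
    return f"database admin page for {user.username}"


@requires_roles("admin", "security")
def audit_log_page(user: User) -> str:
    return "audit log"


def dispatch(view, user: User, *args) -> tuple:
    """Translate the outcome into HTTP-style status codes as an error handler would."""
    try:
        return 200, view(user, *args)
    except Unauthorized:
        return 302, "/login"
    except Forbidden:
        return 403, "forbidden"


if __name__ == "__main__":
    print(dispatch(db_admin_page, ANONYMOUS))                              # (302, '/login')
    print(dispatch(db_admin_page, User("bob", frozenset({"user"}))))       # (403, 'forbidden')
    print(dispatch(db_admin_page, User("root", frozenset({"admin"}))))     # (200, 'database admin page for root')
    print(dispatch(audit_log_page, User("sam", frozenset({"security"}))))  # (200, 'audit log')
```

The decorator is the reference monitor for these views: it is always invoked because it wraps the view itself rather than a menu link, and it cannot be bypassed by typing the URL directly. Role checks in templates only decide what to show; this is what decides what runs.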

RBAC Issues

  • Role explosion (creating too many/excessive roles due to high granularity).
  • Rigid implementations are difficult to adapt to changing threats and to organisational change, such as new employees joining or role responsibilities being updated.
  • Scalability and dynamism (difficulty in updating roles related to organizational change)
  • Costs/time for complex implementation may make enforcement prohibitive.

Logging User Events

  • Logging all user activity helps during security incidents. Every activity should be documented.

Event Logging and Monitoring

  • Security logging and monitoring capture and record all activities in a system.
  • These logged events help security teams identify and respond effectively to security incidents.

Critical Event Examples

  • Reconnaissance (adversaries performing research)
  • Weaponisation (intrusion into computing environment)
  • Exploit delivery (implementing an exploit against a vulnerability)
  • Installation of malware (adversary modified native functionality)
  • Command and Control (criminal hackers gaining access).

Benefits of Event Logging and Monitoring

  • Improves the efficiency of breach detection, monitoring and response time, and can guard against internal misuse of information during security issues.
  • The logging and monitoring process facilitates incident reconstruction and helps determine how to correct any vulnerabilities.

Benefits of Event Logging and Monitoring

  • Downtime from systems can be reduced through faster incident recovery.
  • Audit logs are helpful for reconstructing data lost or corrupted in security incidents.
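An added example, not code from the original notes, of the two halves described above: writing user events as structured log lines, and running a detection over them. The log sink is a plain list and the sample events are constructed; the detection flags an account with three or more failed logins inside a sliding 60-second window, which is one of the patterns a security team would want such logs to reveal.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timezone


def log_event(sink, user, action, outcome, source_ip, ts=None):
    """Append one event as a JSON line to `sink` (a list here; a file or log
    shipper in a real deployment). Timestamps are UTC ISO-8601 so that events
    from different hosts can be ordered during incident reconstruction."""
    ts = ts or datetime.now(timezone.utc).isoformat()
    sink.append(json.dumps({"ts": ts, "user": user, "action": action,
                            "outcome": outcome, "ip": source_ip}))
    return sink[-1]


def failed_login_bursts(lines, threshold=3, window_s=60):
    """Return {user: timestamp of the first failure in the burst} for every account
    with >= threshold failed logins inside any window_s-second window."""
    recent = defaultdict(deque)   # per-user sliding window of failure times
    flagged = {}
    for line in lines:
        ev = json.loads(line)
        if ev["action"] != "login" or ev["outcome"] != "failure":
            continue
        t = datetime.fromisoformat(ev["ts"])
        q = recent[ev["user"]]
        q.append(t)
        while (t - q[0]).total_seconds() > window_s:   # drop events outside the window
            q.popleft()
        if len(q) >= threshold and ev["user"] not in flagged:
            flagged[ev["user"]] = q[0].isoformat()
    return flagged


# Constructed sample log: four failures against "alice" within 30 seconds, one
# stray failure for "bob", then a success. 198.51.100.7 is a documentation address.
SAMPLE_LOG = []
for i, (user, outcome) in enumerate([("alice", "failure"), ("bob", "failure"),
                                     ("alice", "failure"), ("alice", "failure"),
                                     ("alice", "failure"), ("alice", "success")]):
    log_event(SAMPLE_LOG, user, "login", outcome, "198.51.100.7",
              ts=f"2024-01-01T12:00:{i * 6:02d}+00:00")

if __name__ == "__main__":
    print(failed_login_bursts(SAMPLE_LOG))
```

Logging the outcome as well as the action matters: without the `failure` outcome the burst above is invisible, and without the timestamp the window cannot be computed.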

Topic 4 Cryptography

  • Cryptography is the process of hiding or coding information to only be accessible to authorised parties.

Cryptography Basics

  • Data stored in a database should be unreadable if compromised or leaked.
  • Data needs to be scrambled or encoded to be only readable by authorised individuals.

Cryptography Basics

  • Concepts like plaintext (readable data), ciphertext (unreadable data), encryption (process of converting data to ciphertext), decryption (converting data to plaintext) and hashing (converting data into one irreversible fixed-length value) are defined.

Hashing

  • Hashing creates a fixed-length, random-looking value from an input; the output is called a hash, hash value or message digest.
  • Hashing is one-way, so it cannot be directly reversed.

Hashing

  • Hashing is used to check data integrity (ensuring that data has not been altered or modified).
  • The hashing process is encapsulated in a hash function.

Examples of Hash Usage

  • Hashing is used in file integrity checks (ensuring files have not been tampered with), digital signatures (authenticating messages), and mitigating Distributed Denial of Service (DDoS) attacks.

Hashing Process

  • Hashing uses algorithms to turn data into fixed-length hash values.

Cracking Hashes

  • Hackers can attempt to find the original value/data from a given hash through various methods, such as brute force or rainbow-table pre-computation.
  • Brute force entails trying candidate passwords/data until a match is found.

Rainbow Tables

  • Rainbow tables are pre-computed large databases of hashes.
  • They aid hackers in cracking hashes much faster than traditional methods, due to the pre-computation of the hashes/data to make comparisons/matching much quicker.

Strengthening Hashes

  • Salting involves adding a unique, randomly generated string to each password before hashing, for added security.
  • Peppering adds a randomly generated secret string (the pepper), stored separately from the hashes, to the hashing or encryption of hash values for an additional layer of security.
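An added example, not code from the original notes, covering the hashing material above: a file integrity digest, and password hashing with a per-password salt and an application-wide pepper. It uses only the standard library (PBKDF2-HMAC-SHA256 with the pepper applied through HMAC); the iteration count and the pepper value are assumptions for the demonstration, and the stored format `algorithm$iterations$salt$hash` is this example's own convention.

```python
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 100_000  # PBKDF2 work factor; assumption for the demo, raise it for production


def file_digest(data: bytes) -> str:
    """Integrity check: any change to the bytes gives a different digest."""
    return hashlib.sha256(data).hexdigest()


def hash_password(password: str, pepper: bytes, salt: Optional[bytes] = None) -> str:
    """Salt: random, per password, stored next to the hash (defeats rainbow tables,
    since a precomputed table would be needed per salt).
    Pepper: one secret for the whole application, kept outside the database
    (e.g. in configuration), applied via HMAC before the slow hash."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    dk = hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str, pepper: bytes) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    dk = hashlib.pbkdf2_hmac("sha256", peppered, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    pepper = b"constructed-demo-pepper"          # constructed; load from config in practice
    first = hash_password("correct horse", pepper)
    second = hash_password("correct horse", pepper)
    print(first != second)                       # same password, different salts
    print(verify_password("correct horse", first, pepper))
    print(file_digest(b"abc"))
```

The salt is stored in the clear beside the hash, which is fine: its job is uniqueness, not secrecy. The pepper is the part that must not sit in the database, so a leaked table of hashes alone cannot be attacked offline.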

Encryption

  • Encryption is a process of scrambling data into an unreadable format (ciphertext) using keys.
  • Unlike hashing, encryption uses keys that need to be kept secret, making encrypted data unreadable to others. The process can be reversed with the correct key (decryption).

Encryption Keys

  • Encryption uses keys for converting the plaintext into cipher text and vice-versa.
  • Keys are typically generated using random number generators, or computer algorithms.

Encryption Methods

  • Different keys are used in symmetric (same key) and asymmetric (different keys) encryption. Each method has its advantages and disadvantages related to security and speed.

Symmetric Encryption

  • A single cryptographic key is used for encrypting and decrypting data.

Asymmetric Encryption

  • Two different, mathematically related keys are used for encrypting and decrypting data. One key is public and one is kept secret.

Symmetric vs Asymmetric Encryption

  • Symmetric encryption (faster) often prioritizes speed for data handling and security.
  • Asymmetric encryption (more secure) prioritizes security, and is useful when the receiving key isn't shared with the encrypting party directly.

Use Cases: Symmetric or Asymmetric

  • Symmetric encryption is typically used in scenarios requiring speed, like banking or data storage, where data needs to be handled quickly rather than with security as the first priority.
  • Asymmetric encryption favours data security and identity checks over speed/efficiency, making it suitable for tasks like digital signatures or verifying the identity of parties.

Breaking Encryption

  • Security depends on the secrecy of keys in both symmetric and asymmetric encryption.
  • Brute-force attacks, trying candidate keys until the correct one is found, are a common way for hackers to attempt to break encryption.

Strengthening Encryption

  • Employ the longest practical encryption keys, encrypt data in layers, and secure key management systems to prevent the disclosure of keys.

Topic 5 Software & Web Security

  • Software and web security protect the security of applications through various coding components.

Output Generation

  • Methods of generating outputs for securely processing user-supplied/dynamic data.

Data Input Threats

  • Data integrity is crucial for web applications.
  • Dynamic data often comes from outside the application and its integrity and safety needs to be considered.
  • Malicious data can be processed and cause security issues unless it is checked and filtered for validity.
  • Ensuring validation of user/client-supplied data is critical for security.

Injection Attacks

  • Injection attacks are dangerous and common, and are often used by attackers to insert malicious code/data into application inputs.
  • Injecting malicious code into systems or web applications can compromise data security.

SQL Injection

  • SQL injection is a technique that modifies legitimate SQL queries (often built by string concatenation) into compromising commands.

SQL Injection

  • Exploiting SQL injection often involves crafting SQL commands that evaluate to true, to retrieve protected information (or to modify/delete content/data which the attacker should not be able to).

SQL Injection Demo

  • Demonstrating how hackers can exploit sensitive information reachable through SQL queries by injecting malicious statements that evaluate to true.
  • This manipulation allows the attacker to retrieve or modify/delete data.

Preventing SQL Injection

  • Input validation and the use of prepared statements (parameterised queries instead of string concatenation) are important measures to prevent SQL injection.

Cross Site Scripting

  • Cross site scripting (XSS) attacks inject malicious scripts into a web application by modifying legitimate inputs.
  • These malicious scripts are included within dynamic content meant to be displayed in the web page and can be executed when the victim (the person visiting the website) accesses the website.

XSS Demo

  • Demonstrating the impact of exploiting XSS through malicious code injected into an application, including execution of JavaScript or other commands.

Preventing XSS

  • Input validation that prevents injection of malicious scripts is essential for security.
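An added example, not code from the original notes, of the output-generation side of XSS defence that complements the input validation above: the same page template rendered with and without HTML escaping of user-supplied values. The template and the inputs are constructed; the `<script>` payload is the tag the notes name.

```python
import html
from string import Template

# Constructed page template; $name and $query are filled from user-supplied data.
PAGE = Template("<p>Hello, <b>$name</b>! You searched for: $query</p>")


def render_unsafe(name, query):
    """Inserts user data into markup as-is: any tag in the data becomes part of the page."""
    return PAGE.substitute(name=name, query=query)


def render_safe(name, query):
    """Escapes the five HTML metacharacters (& < > " ') before insertion, so the
    browser shows the data as text instead of parsing it as markup. quote=True
    matters when a value lands inside an attribute."""
    return PAGE.substitute(name=html.escape(name, quote=True),
                           query=html.escape(query, quote=True))


def contains_script_tag(markup):
    """Detection helper for tests/logging: is a live <script> tag present?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    payload = "<script>alert(1)</script>"
    print(render_unsafe("Eve", payload))
    print(render_safe("Eve", payload))
```

Template engines such as Jinja2 apply this escaping automatically in their default configuration; the risk reappears whenever a value is marked safe or concatenated into markup by hand.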

Format Strings

  • String formatting in some programming languages allows inserting data/values into text strings (e.g. C's printf function), using special parameters/patterns such as %x or %d, to display formatted/converted data.

Format String Attack

  • Format strings are vulnerable to attackers who can exploit security holes by modifying the format string.
  • The attacker-supplied string is parsed by the formatting function as if it were a set of commands/requests instead of plain data to display.
  • Exploiting this, access to memory areas or arbitrary code execution is possible (e.g., reading memory/data or executing malicious code from memory).

Format String Attack Prevention

  • Provide security by preventing malicious string parameters from reaching format functions.
  • Avoid passing user input directly as a format string; otherwise, such input might be parsed as commands or requests.

Input Validation

  • Insufficient/improper input validation is a major cause of injection vulnerabilities.
  • Validate all input (e.g. numbers, ages, dates, email addresses, URLs, and other parameters), especially input coming from untrusted sources or users/clients.
  • Input validation is the checking and testing of any data/input supplied (by user, or another system) to ensure it follows a prescribed format, validation, or other criteria.

Whitelisting and Blacklisting

  • Whitelisting allows only explicitly permitted user inputs while blocking all else.
  • Blacklisting only rejects explicitly defined inputs while allowing anything else.
  • Whitelisting is preferred to mitigate the errors/issues when creating a blacklisting policy, as errors resulting from incorrect blacklisting may permit malicious data.

Implementing Input Validation

  • Implementation of proper input validation (checking and testing inputs) is critical to preventing injection vulnerabilities.
  • Input validation can be implemented in many ways: client-side (using HTML/JavaScript) or server-side (within view functions) or through using validators/filters.
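An added example, not code from the original notes, of server-side, whitelist-style validation for the field types the notes list (a username, an age, a date, an email address). Each validator describes exactly what is permitted and rejects everything else; unexpected form fields are reported too, since a blacklist of known-bad values would silently let them through. The field rules and the sample form data are assumptions for the demonstration.

```python
import re
from datetime import date

# Allow-list patterns: fullmatch is used so that a trailing newline cannot sneak past
# (with $ alone, Python would accept "bob\n" because $ matches before a final newline).
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def validate_username(value):
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValueError("username: 3-32 lowercase letters, digits or underscore, starting with a letter")
    return value


def validate_age(value, lo=0, hi=130):
    try:
        n = int(value)
    except (TypeError, ValueError):
        raise ValueError("age: not an integer") from None
    if not lo <= n <= hi:               # range check, not just a type check
        raise ValueError(f"age: must be between {lo} and {hi}")
    return n


def validate_date(value):
    try:
        return date.fromisoformat(value)  # only YYYY-MM-DD is accepted
    except (TypeError, ValueError):
        raise ValueError("date: expected YYYY-MM-DD") from None


def validate_email(value):
    if not isinstance(value, str) or len(value) > 254 or not EMAIL_RE.fullmatch(value):
        raise ValueError("email: not a valid address")
    return value


VALIDATORS = {"username": validate_username, "age": validate_age,
              "joined": validate_date, "email": validate_email}


def validate_form(form):
    """Return (cleaned values, errors by field). Every expected field must pass its
    validator; fields not in the allow-list are an error rather than ignored."""
    cleaned, errors = {}, {}
    for field, check in VALIDATORS.items():
        try:
            cleaned[field] = check(form.get(field))
        except ValueError as e:
            errors[field] = str(e)
    unexpected = set(form) - set(VALIDATORS)
    if unexpected:
        errors["_form"] = "unexpected fields: " + ", ".join(sorted(unexpected))
    return cleaned, errors


if __name__ == "__main__":
    # constructed sample submission
    print(validate_form({"username": "alice_01", "age": "29",
                         "joined": "2024-03-05", "email": "alice@example.com"}))
```

Client-side checks in HTML or JavaScript improve the user experience but can be bypassed by sending the request directly, so the server-side validator is the one that counts.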

Memory Management

  • Memory management and bounds checking are important for avoiding security vulnerabilities against buffer overflow or similar memory issues.

Bounds Checking

  • Preventing programs from reading or writing past the memory boundaries of a buffer (e.g., an array) prevents security flaws like buffer overflow attacks, ensuring only data allocated/permitted exists within the buffer's boundaries.

Buffer Overflow Attack

  • Buffer overflow attacks are security vulnerabilities that result when programs write data past the allocated buffer space into adjacent memory areas, which can compromise/damage the application's data integrity.
  • The buffer overflow attack is the most critical cause of security vulnerability within certain programming languages and may expose critical data, execute malicious code and allow arbitrary code execution or access to memory areas.

Integer Overflow Attack

  • Integer overflow/wraparound occurs when an integer value is incremented to a value that exceeds the integer's maximal storage limit, and the value "wraps" around to become a low/negative number instead.
  • Security implementations need to check or validate that values do not exceed the storage limits for security.

Input Validation

  • Input validation is vital for security; it helps prevent many vulnerabilities that can damage user resources/data.
  • Using validation can significantly lower the risks of security breaches from malicious inputs.

Hardcoding Data

  • Hardcoding data embeds data/information directly into the program's source code/executable, rather than obtaining it from an external source.
  • Hardcoded data (including keys, URLs, file paths, and configurations) may be useful for ease/speed of code but can expose potential vulnerabilities.
  • Hardcoding fixed sensitive data/information may be less secure and can expose critical information to attackers.

Reverse Engineering

  • Reverse engineering involves decompiling machine code into source code, allowing attackers to inspect and possibly manipulate hardcoded information.
  • This is why proper secure coding techniques (e.g., not hardcoding security credentials) are important to protect sensitive information from hackers.

Web Source Code

  • Web source code is often viewable to authorised users and may contain sensitive data, making it a potential vulnerability.
  • Sensitive data directly visible in code (e.g. usernames, passwords, secret keys) can cause security issues.

Hidden Form Fields

  • Hidden form fields store data that is not visible to users but gets transmitted during form submissions.
  • Storing sensitive data within hidden form fields can pose a security risk if precautions are not taken or implemented.

Environment Variables

  • Environment variables are variables holding settings stored outside of the program code, often crucial for configuration.
  • Separating configuration values from code to limit exposure of sensitive data is a key security practice.

.env File

  • .env files store configuration data outside of the main source code, improving security and management.
  • Separate secrets/data from program code to enhance protection, and keep security configuration data separate from the code/application being developed.
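An added example, not code from the original notes or from any dotenv library, of the pattern above: a minimal parser for the `.env` format, a loader that fills an environment mapping without overriding values already set by the deployment, and an accessor that refuses to fall back to a hardcoded default when a secret is missing. The sample file content and the variable names are constructed; the parser handles `KEY=value`, optional `export`, quotes and comment lines, but not inline comments or variable expansion.

```python
import re

# KEY=value, with an optional leading "export"; the value runs to end of line.
LINE_RE = re.compile(r"\A\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*\Z")


def parse_dotenv(text):
    """Parse .env text into a dict. Blank lines and '#' comment lines are skipped;
    anything else that is not KEY=value is an error rather than silently ignored."""
    values = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f".env line {lineno}: expected KEY=value")
        key, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]          # strip one layer of matching quotes
        values[key] = value
    return values


def load_dotenv_into(environ, text, override=False):
    """Copy parsed values into `environ` (pass os.environ in real use). Values the
    deployment already set win unless override=True, so production settings are
    not clobbered by a developer's .env file."""
    for key, value in parse_dotenv(text).items():
        if override or key not in environ:
            environ[key] = value
    return environ


def get_secret(environ, name):
    """Fail loudly when a secret is absent instead of defaulting to a value in code."""
    try:
        return environ[name]
    except KeyError:
        raise RuntimeError(f"{name} is not set; refusing to fall back to a hardcoded default") from None


# Constructed sample .env content; the key value is a placeholder, not a real secret.
SAMPLE_ENV = """# constructed sample
SECRET_KEY="s3cr3t-placeholder"
DATABASE_URL=sqlite:///app.db
export DEBUG=0
"""

if __name__ == "__main__":
    env = load_dotenv_into({}, SAMPLE_ENV)
    print(get_secret(env, "SECRET_KEY"), env["DATABASE_URL"])
```

The `.env` file itself must be excluded from version control (for example via `.gitignore`); moving a secret out of the source file achieves nothing if the file holding it is committed alongside.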

Handling Errors

  • Error handling is crucial to prevent application crashes and vulnerabilities, and to limit the damage caused by malicious data.

Accepting Malicious Data

  • Thorough input validation does not always fully protect against all malicious inputs/errors.
  • Malicious input might reach functionality or perform actions beyond what the input was meant to allow.

Handling Errors

  • Handling any errors/malicious input gracefully (e.g. not crashing) is crucial in mitigating the negative impacts.

Error Page Disclosure

  • Error messages may disclose sensitive information, increasing vulnerabilities and risk (e.g. exposing server information or application code via specific error messages).

Error Page Disclosure

  • Developers must implement security measures (e.g. hiding sensitive details within error pages) to mitigate potential risks.
  • Error messages should not include any sensitive information.

Custom Error Handling

  • The ability to customize error pages is a way to control how error messages/outputs are generated, to prevent attackers/hackers from gaining sensitive details.
  • Using custom error pages allows control over message content, limiting disclosure of internal details.
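An added example, not code from the original notes or from any web framework, of the custom error handling described above: a request wrapper that keeps the full traceback in a server-side log and returns only a generic message plus an incident identifier to the client. The log sink, the view and the connection string it leaks on failure are constructed (the credential in it is a placeholder).

```python
import traceback
import uuid

INCIDENT_LOG = []   # constructed stand-in for a server-side log sink


def handle(view, *args):
    """Run a view and translate failures into responses that carry no internals.
    Returns (status_code, body_dict), the shape a framework error handler would emit."""
    try:
        return 200, {"result": view(*args)}
    except ValueError:
        # client-caused: describe the category, never echo the raw input or the message
        return 400, {"error": "invalid input"}
    except Exception:
        # unexpected: full detail goes to the log, the client gets only a correlation id
        incident = uuid.uuid4().hex[:12]
        INCIDENT_LOG.append(f"incident {incident}\n{traceback.format_exc()}")
        return 500, {"error": "internal error", "incident_id": incident}


def fragile_view(x):
    """Constructed view with two failure modes: bad input and an internal fault
    whose message contains a (placeholder) database credential."""
    if x == "bad":
        raise ValueError(f"cannot process {x!r}")
    if x == "crash":
        raise RuntimeError("connect failed: postgres://app:hunter2-placeholder@db.internal/app")
    return f"ok {x}"


def leaks_internals(body):
    """Check used by the tests: does a response body mention the internal details?"""
    text = str(body)
    return "hunter2-placeholder" in text or "db.internal" in text or "Traceback" in text


if __name__ == "__main__":
    for arg in ("fine", "bad", "crash"):
        print(handle(fragile_view, arg))
    print(INCIDENT_LOG[-1].splitlines()[0])
```

The incident id is what support staff and the log share, so a user can report a failure without the response itself revealing the stack trace, file paths or connection strings that a debug page would show.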

Time-of-Check to Time-of-Use

  • TOCTOU vulnerabilities arise when changes occur between checking a state or condition and taking action based on that state/condition (e.g., a file existence check performed, and then the use of those files, in a short timeframe).

Time-of-Check to Time-of-Use

  • Protection against TOCTOU issues usually involves locking resources to prevent changes or using atomic transactions.
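An added example, not code from the original notes, of the file-existence case above. The check-then-act version tests for the file and then opens it in two separate steps, so a file placed at the path in between is silently written over; the atomic version asks the operating system to create-and-open in one step with `O_EXCL`, which fails if anything already exists. The `between` hook is an assumption of this example: it stands in for another process acting during the race window, so the interleaving is reproducible in a test.

```python
import os
import tempfile


def create_racy(path, data, between=None):
    """Check-then-act. The gap between the exists() check and open() is the
    TOCTOU window; `between` simulates another process acting inside it."""
    if os.path.exists(path):            # time of check
        raise FileExistsError(path)
    if between:
        between()                       # someone else creates the path here
    with open(path, "w") as f:          # time of use: opens whatever is at path now
        f.write(data)
    return True


def create_atomic(path, data, between=None):
    """Single atomic step: O_CREAT|O_EXCL makes the kernel refuse if the path exists,
    so there is no window in which a check result can go stale. Mode 0o600 keeps
    the new file private from creation onwards."""
    if between:
        between()                       # same interference, now before the one-step create
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return True


def simulate_race():
    """Run both versions with a file appearing in the race window and report what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, fn in (("check_then_act", create_racy), ("atomic_excl", create_atomic)):
            path = os.path.join(d, f"{name}.txt")

            def plant(p=path):          # the 'other process': creates the file first
                with open(p, "w") as f:
                    f.write("planted by another process")

            try:
                fn(path, "secret", between=plant)
                results[name] = "wrote over planted file"
            except FileExistsError:
                results[name] = "refused"
    return results


if __name__ == "__main__":
    print(simulate_race())
```

The same idea applies beyond files: any "check, then act" pair on shared state needs the check and the action combined into one operation the system guarantees is atomic (a lock held across both, a database transaction, or a create-exclusive call like this one).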

Firewall Rules

  • A web application firewall (WAF) filters all user/client requests before they reach the application, to ensure security guidelines are followed.
  • The WAF rules decide how to approach each user request, based on predefined criteria (filtering based on patterns, request size, header checks, or other parameters).

Firewalls

  • The WAF monitors/filters/blocks incoming requests based on defined rules, to minimize security threats.
  • They check request patterns, payloads and behaviours within website traffic for signs of security breaches.

Inspecting Client Requests

  • WAFs typically inspect various parts of client requests (including HTTP headers, request method, URI, query string, post data and cookies) for security vulnerabilities.

WAF Rule Conditions

  • WAF rules are used to detect specific malicious patterns or anomalies (e.g. large request size, suspicious patterns) in incoming requests, typically by looking for specific keywords, illegal characters, or tautologies (e.g., 'OR 1 = 1').

Detecting SQL Injection

  • WAF rules can detect SQL injection (looking for suspicious SQL syntax or illegal characters within the input) and related issues (e.g. tautologies, conditional errors).

Detecting Path Traversal

  • WAF rules scrutinize the client's request URL for suspicious sequences or null bytes for path traversal vulnerabilities.

Detecting Cross Site Scripting

  • WAF rules scan user input, URLs or POST data for patterns indicative of XSS (cross-site scripting) attacks (e.g., script tags like <script> or <iframe>, or common script functions like alert()).

WAF Rule Actions

  • The WAF may either allow the request, block the request, or record the request for further investigation/analysis. If an attack is detected, appropriate actions (e.g., blocking the request, logging or reporting the attack) can be taken.
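An added example, not code from the original notes or from any WAF product, tying together the rule conditions and actions of the last several slides: a small rule set for the tautology, path traversal (`../` and null bytes), script-tag and oversized-request conditions the notes describe, applied to the URI, query string, body and cookies of constructed sample requests, with each rule mapped to an allow/block/log action. Inputs are URL-decoded before matching, since otherwise `%2e%2e/` would slip past a rule written for `../`. The rule patterns and size limit are assumptions for the demonstration.

```python
import re
from urllib.parse import unquote

MAX_BODY_BYTES = 8192   # assumption: request-size limit for this demo

# (rule name, pattern, action); constructed rules modelled on the notes' examples
RULES = [
    ("sqli_tautology", re.compile(r"\bor\b\s*['\"]?\s*\d+\s*['\"]?\s*=\s*['\"]?\s*\d+", re.I), "block"),
    ("path_traversal", re.compile(r"\.\.[/\\]"), "block"),
    ("null_byte", re.compile(r"\x00"), "block"),
    ("xss_tag", re.compile(r"<\s*/?\s*(script|iframe)\b", re.I), "block"),
    ("xss_function", re.compile(r"\balert\s*\(", re.I), "log"),
]

INSPECTED_FIELDS = ("uri", "query", "body", "cookies")


def inspect_request(req):
    """Return (decision, findings). findings is a list of (rule, field, action);
    the decision is 'block' if any rule says block, 'log' if only log rules fired,
    else 'allow'. `req` is a dict with method, uri, query, body and cookies."""
    findings = []
    for field in INSPECTED_FIELDS:
        decoded = unquote(req.get(field, ""))          # normalise %XX encoding first
        for name, pattern, action in RULES:
            if pattern.search(decoded):
                findings.append((name, field, action))
    if len(req.get("body", "").encode("utf-8")) > MAX_BODY_BYTES:
        findings.append(("oversized_body", "body", "block"))
    if any(action == "block" for _, _, action in findings):
        decision = "block"
    elif findings:
        decision = "log"
    else:
        decision = "allow"
    return decision, findings


# Constructed sample requests (no real hosts or paths)
SAMPLE_REQUESTS = {
    "benign": {"method": "GET", "uri": "/search", "query": "q=flask+decorators",
               "body": "", "cookies": "session=abc"},
    "tautology": {"method": "GET", "uri": "/items", "query": "id=1' OR '1'='1",
                  "body": "", "cookies": ""},
    "traversal": {"method": "GET", "uri": "/static/%2e%2e/%2e%2e/config.ini",
                  "query": "", "body": "", "cookies": ""},
    "xss": {"method": "POST", "uri": "/comment", "query": "",
            "body": "text=%3Cscript%3Ealert(1)%3C/script%3E", "cookies": ""},
    "oversized": {"method": "POST", "uri": "/upload", "query": "",
                  "body": "a" * 9000, "cookies": ""},
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(name, inspect_request(req))
```

Signature rules like these are a filter, not a guarantee: an encoding the decoder does not normalise, or a variant the pattern does not cover, gets through, which is why the notes pair the WAF with validation and parameterised queries inside the application.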

Client-Server Protocols

  • Data transmission between web clients and servers uses TCP/IP protocols including HTTP and HTTPS.

Transmitting Data

  • Data transmitted between servers and clients may take place on a shared/local environment (e.g., testing or development) or between multiple/separate networks that comprise a much broader trust-model/environment that includes untrusted networks (e.g. internet traffic).

Data Interception Examples

  • Man-in-the-middle (MITM) attacks
  • SSLStrip attacks
  • Evil twin attacks
  • DNS spoofing

Related Documents

Description

This quiz focuses on key concepts related to authentication mechanisms in applications and the fundamental principles of cryptography. It covers topics such as the differences between authentication and authorization, the role of hashing and encryption, and the importance of cryptographic libraries. Test your knowledge on these essential security measures.
