CP4P_Security.pptx

Full Transcript

COMPUTER
PRINCIPLES FOR
PROGRAMMERS
Secure Computing:
Passwords, PINs, Problems, and Privacy.
Credentials > Authentication > Authorization
News of the Week i
News of the Week i
https://www.youtube.com/watch?v=juQcZO_WnsI
NEWS TO SET UP LECTURE, from 2011 but still current.
 Challenges in Secure
Computing
Lecture:
1. Credentials, Authentication, Authorization
2. Secure computing and networking
3. Passwords, PINs, and problems
 Challenges in Secure
Computing
Activity: Security issues
What are you going to do about your passwords?
Are Facebook, Google, SnapChat, InstaGram, and a
host of others, really free?
or
Would a real digital identity free us from bots and trolls?
Would being held responsible with legally enforceable
accountability fix things?
 Challenges in Secure
Computing
Privacy and our big fat online lie
"I agree to the terms and conditions"
of the EULA for ever and ever. Amen.
Simplified Summary
We can do whatever we want
with your data and behaviour,
with our services and features,
without notice or consent.
 What is the Price of Free?
If you don't buy the product,
you are the product.
Are free sites really free?
Who owns the content?
Is the benefit worth the bargain?
Credentials
On the Internet,
nobody knows
you're a dog.
Peter Steiner
The New Yorker
July 5, 1993
Credentials
I miss the
days when
the Internet
did NOT
know I was
a dog.
Credentials and Authentication

Credentials:
Identification
Association

Authentication:
Verifying the identity
implies valid association
 Authorization after Authentication
Authorization: “giving someone permission to do or to access something.”
e.g. access to a system/network, a directory/folder, to read and/or write a file.
“principle of least privilege” grants only the minimum authority needed
Role Based Access/Auth. Control (RBAC) for job functions, not individual users
Enterprise security apps simplify management

Permissions for ICT developers:
All for developer's PC
Specific for testing/staging server
Read Only for production server
Separate profile for admin and security roles
be SuperUser (sudo) or root only when necessary
– mistakes can be fatal to your career and company
What is “Authorization”?
Permission = access rights =
Authorization
*unix > chmod (change mode)
Permissions: read, write, execute
Classes: user, group, others
Security-Enhanced Linux
OS security controls what users
can view, change, navigate, or
execute
 Internet & Browser Security
DNS Domain Name System translates name.tld to IP address
for security and blocking of malware, botnets, malicious domains:CIRA
Canadian Shield Quad9 CISCO OpenDNS Cloudflare 1.1.1.1
Domain Validation (DV) certificate. Where did you arrive?
Iogitech.com rnicrosoft.com G00GLE.com Domain Checker
Always use a VPN from public access points
HTTPS needed for sign on
EFF anti-tracking: Privacy Badger blocks, Panopticlick tests
see Increase Your Privacy Online and this and test browser
What's the password?
Marx Brothers - Password Scene
- Horse Feathers - Chico and Groucho
https://www.youtube.com/watch?v=p0Gwe5gKgjo

Who loves passwords?
What if someone else knows your password?
#1 most common cracking method
Weak Passwords
guessable or reused across sites
password is weak if it's not unique
Breached admin & cloud app passwords
Top three: 123456, admin, 12345678
25 passwords used in 10% accounts
10,000 passwords used by 30% users
Credential Stuffing and Cracking
Forget / Recover your password
“I forgot my password” – relies on the strength of
your email account’s security and its password
Answer Security Questions
"knowledge-based authentication" easy to hack
Google you, social media exposure, stolen wallet | bag
Security Questions Defence: never tell the truth
But how do you keep track of the lies? (see below)
 Password Edit Rules
Enter new password: Password!
Password
p
pa
pas
pass
passw
passwo
passwor
password
Password!2
Password!1
Too short; minimum 8 characters.
Must have an UPPERCASE character.
Must have a special character.
Must have a number.
Expired. Must be changed.
 Password Edit Rules
Rules that are BAD rules:
Length: min – max  both too short
Strength: alphA + digits + 5?#80!$ [symbols]
 too complex
Not in Dictionary  not memorable
Expiry: periodic change  too often
 Long, Long
Strong,
andand
Strong
INSECURE
13qeadzc@$WRSFXV
Satisfies all edit rules
Is easy to remember
Keyboard walk algorithm
will find the pattern
easy to remember
= easy to crack
 Password Defense
memorable Length instead of complex Strength
j3ArQk+B0! (10) time to crack: 3 years
mylongpassword (14) time to crack: 3 years
LongPassWord (12) time to crack: 19 years
long strong is not much longer than complex strong
PassPhrase can be long, memorable, and satisfy the bad rules
*Opal1Quizzical2Dreamlike3and_So_On
Generate a long random passphrase. Check strength entropy
 Password Defense
Check if previously breached / leaked / hacked
';--have i been pwned? email passwords
API https://www.passwordping.com/docs-password-strength-meter-example/
Full service such as Specops Password Security Tools

Use an email alias for UserID
Like passwords, UserIDs should be single use across accounts
Firefox Relay, Mailfence (integrated with Thunderbird), Fastmail
Your own domain & cloud email server: create virtual email address
for each account. [email protected], [email protected]
 Password Defense – keeping
trackManagers:
Password 1Password (CDN), BitWarden (OSS), MS Authenticator (free)
unique, long, random, optionally strong passwords, per account.
Must remember one long PassPhrase.
Diceware PassPhrase: long, memorable, random
Generate a 5 digit random number using dice. Look up the word on the list.
Repeat. Good for password managers and security questions.
1Password has a Diceware feature to satisfy bad password policies
I have a User ID and Password!
End-User  sign on request  Client  OpenID Connect  Auth. Server
OpenID Connect authenticates user to many sites via a single account.
e.g. your Apple / Google / Facebook / X [twitter] / Discord account.
Read the permissions requested to the authorization account!
2nd most common cracking method
Social Engineering
You are your own security vector the more
you post your life on the internet
Spear Phishing has 35% success rate
Social media makes it easier to guess birthdays,
credentials, answer security questions, pretend to be
you when calling the help-desk,
or steal your identity
Nobody can abuse information about you that they don’t have.
There are two kinds of people:

1. Those who can extrapolate
from incomplete data
 1. GET User-ID and Pwd
Cre from user input. GEN
Random Salt value

ate 2. One-way Crypto Hash
of password and salt.
Us 3a. Hash the hashes
together n thousand
er times.
3b. STORE User-ID,
Acc hashed Salt, and Final
Pwd+Salt Hash in DB
ou
nt
 1a. LOOKUP User-ID in DB,
GET user’s Salt-Hash.

Aut 1b. One-way Crypto Hash
of entered password.

he 2. Hash the hashes
n thousand times
ntic 3. COMPARE computed
Password-Salt-Hash input to
ate Password-Salt-Hash in DB.
Attack on whole password space of
Us 8 letters / numbers / punctuation
OR 4 random Diceware words for a
er single salted 100K hashed password

by GPU @ 5M guesses/second:
32,500 years
 Two Factor Authentication – 2FA
Many organizations use two factor authentication to verify
password sign on and guard against phishing & cracking:
1. Something I know
user ID & password, PIN KNOWN & OWNED

2. Something I have
FIDO2 Universal 2nd Factor
(U2F), phone Authenticator
(OTP), bank | credit | access
card, YubiKey
Seneca students must use a
2FA Authenticator app to sign on.
 Three Factor Authentication – 3FA
Most secure
1. Something I know
user ID & password,
PIN
2. Something I have
YubiKey, access card,
Authenticator, device
3. Something I am
Nymi
fingerprint, facial band
recognition, ECG
heartbeat pattern
PIN: Probably Insecure Number
4 digit PINs used by banks and credit cards as 2FA
Ten thousand possibilities, right?
Most people use a date to make it memorable.
12 mos * 31 days = 372
13 – 31 days * 12 mos = 228
1924 – 2023 years * = 100
Total = 700 PINS or 7% of the range
* 2001 – 2024 years already included in day/month combos
 Better Password Policies
User ID: Impersonal -- not an email address
PassPhrase is 8 10 12 15 – 64+ characters in length
No complexity rules: allow all characters including space
Password expiration: based on risk, not time. Cannot reuse.
Block simple dictionary, commonly used, previously breached
NOT common topology, a keyboard pattern, Pi NCC-1701-x
IT experts name Mb2.r5oHf-0t as world’s safest password (kidding)
Require two-factor ID, e.g. Microsoft Authenticator, U2F
Digital Identity Guidelines, NIST SP 800-63B Appendix A p.67
Better Password Policies
Storage
In a salted and hashed format using a standard library with
Argon2id or PBKDF2 properly implemented. See OWASP Cheat Sheet
Do not invent your own. Obscurity ≠ Security
Even better: just say no to passwords
Use a passkey instead. Start with Microsoft or Google.
FIDO2
hardware + biometric
or YubiKey & hardware
Security protects Privacy
Authentication: MFA (Multi-Factor Authentication)
esp. for administration, security, VPN access
Authorization: Least Privilege Principle
Enterprise SSO with IdP and MFA via SAML
Single Sign On, Identity Provider, Security Assertion
Markup Language for authentication and Authorization
IBM Future of Identity DIACC Ontario-DID
Security protects Privacy
Systems: Zero Trust Architecture
Only Trusted Applications can run on OS
Application’s users: “never trust, always verify”
Includes server to server inside intranet
IaC = Infrastructure as Code
Encrypt both local and backup data
So data exported by Ransomware cannot be read for
double extortion. Then rebuild from backup.
NOTES
…not on the quiz but here
for further information
and explanation.
 PIN: Probably Insecure Number
Input pad at a Toronto
ATM. Panel is on a
sidewalk open to busy
street. Dirt reveals:

1,2,5,7 used most.
1,5,7,1 could be a
pattern PIN.
1,2,3,4 worth a try
to crack password.
6,8,9 used least.
Safe Payment Practices
Minimize reveal of financial credentials
Make 'contactless purchases'
Use Apple Pay or Google Wallet on smartphone
Use prepaid card: Seneca OneCard, Mastercard, Visa, gift cards
Tap payment card to avoid exposing PIN
eCommerce
Use ShopPay, PayPal, Visa Secure,
Click to Pay (Mastercard) – with 2FA
Never save credit card at merchant
What happens when free social media
meets inadequate security management:
Dear Art Lovers, [ from a professional artist ]
So sad to lose contact with so many of you online.
It has been a crazy few weeks - I have been going down the rabbit hole
trying to find a way to get my social media accounts back. From what I have
heard, it could take 5 or 6 months...if I am even able to get my accounts
back at all. This includes my personal and business Facebook page, my
Instagram page, the ArtAlchemyEast Instagram page, as well as the Art
Alchemy studio pages.
Between all these accounts, over 9,000 people shared my art journey…
Obsolete Sun Life
practices doesn't
are still read the
in ICT
practice. news.
2013 analysis of 2M
intercepted logins
from real humans.
Security Architecture
Multi-factor authentication is a mandatory requirement
Web serving uses micro-services architecture with
security baked in.
Zero Trust model: never trust, always verify.
segregate client processes from internal resources via
highly constricted view of internal network. e.g. only to a
switch, or to a port, or to specific services – not to the
actual resources themselves such as a DB or file location
or to IP addresses of other machines on the network
SQL Injection Attacks

INSERT INTO Students (name) VALUES ('Robert');DROP TABLE Students;--');
Do not run dynamic SQL statements that include outside data.
Defence: Use SQL Prepared Statements or parameterized SQL calls. E.g.
INSERT INTO Students (name) VALUES ('?');
Local and backup security
Device encryption, e.g. Windows BitLocker or VeraCrypt
Works on local drives and/or USB drives.
The defence against any ransomware is to have backed
up your system yesterday.
Backups mean your data has left your system’s control
and its security and authorization controls. Encrypt all
backups.
Safe Online Banking & Finance
Tinfoil Hat: cold boot computer (from powered off state)
Use one browser only to access financial accounts.
Ensure that browser has no add-ins or extensions.
Open browser with NO TABS, only a plain local page.
Go into private / incognito mode.
Do your banking.
Empty all caches, close browser.
Tinfoil Hat: then cold boot to return to normal tasks.
In Windows, this means Restart instead of Shutdown.
 45

Encryption/Decryption Process

Encryption Note:
Key Interceptor Cannot Read
Cyphertext Without the
Decryption Key
Plaintext Encryption Ciphertext “11011101”
“Hello” Method &
Key Interceptor
Network
Decryption
Key

Party A Ciphertext “11011101” Decryption Plaintext
Method & “Hello”
Key

Party B
 Notes on Authentication
Authentication is to verify the identity of a user when they log in to a network using a
username and password. It is the process or action of “proving or showing
something to be true, genuine, or valid.” In Computing World, it is the process or
action of “verifying the identity of a user or a process” (mostly used while logging into
a computer software/network/website.)

The network administrator creates an account and assigns a username + password
to it.

The account is usually created when IT receives instruction from HR about a new
hire or a change in duties. Mostly a username is based on organization standard and
a password is a temporary password which is changed on first login by the user.
Programmer’s Perspective of Encryption
Popular symmetrical encryptions include AES and RC4. Popular
Asymmetric encryptions include RSA and EIGamal.

Many programming languages have libraries for implementing encryption
and decryption algorithms to secure data across insecure networks.

These are just some examples:
o Jasypt library: a Java simplified encryption library
o CryptoAPI:.NET encryption library
o OpenPGP: available for different platforms
What is Encryption?
Encryption is the “process of converting information or data into a code”,
especially to “prevent unauthorized access,” even while data is being
transmitted over insecure computer networks.

In other words, Encryption is a process of encoding or enciphering a
message to hide its meaning, called cyphertext, and secure it across
insecure networks such as Internet.

Encryption is the most effective way to achieve data security in transit
across insecure networks. To read an encrypted file, you must have
access to a secret key or password that enables you to decrypt it.
What is Decryption?
Decryption is the process of taking encoded or
encrypted data and “converting it back” into
something (text or other data) that either a human or
a computer program can read and understand.

In other words, Decryption is a process of decoding
or deciphering an encrypted message so as to
recover plaintext from cyphertext.
What is an “Encryption Algorithm?”
An Encryption algorithm is the sequence of data processing that goes into
transforming plaintext into cyphertext (some examples in the next slides.)

Some Encryption terminology is listed here:

o Plaintext: This is what you want to encrypt.

o Cyphertext: The encrypted output.

o Enciphering or Encrypting: Converting plaintext into cyphertext.

o Cryptosystem: A system for encryption and decryption.
An intro to some types of Encryption Algorithms
(Substitutions and Transpositions) with some
examples
An intro to some types of Encryption Algorithms
(Substitutions and Transpositions) with some
examples
All encryption algorithms use a combination of Substitution and
Transposition to create cyphertext:

o Substitutions: One letter of plaintext is replaced with another letter or
random symbol. We have Monoalphabetic substitution ciphers (like
Caesar ciphers) and Polyalphabetic substitution ciphers (the same
plaintext character is encrypted to different cyphertext along the way.)

o Transpositions or Permutations: The letters are not changed, but the
order of the letters is rearranged (e.g. NEXT = ENTX or JOHN = OJNH)
Monoalphabetic Ciphers
Monoalphabetic substitution ciphers are based on a fixed
replacement structure.

Using this substitution and the following cyphertext alphabet

“Toronto” encrypts to “UPSPOUP”. Note that the frequency of each
character is retained which makes simple substitution easy to crack.
 Polyalphabetic Ciphers
Polyalphabetic Substitution ciphers are based on using multiple alphabets for
each character. Let’s have an example using the following alphabets:
Plain Alphabet: A B C D E F G H I J K L M N O P Q R S T U V W X Y
Z
Cipher Alphabet #1: B D F H J L N P R T V X Z A C E G I K M O Q S U W
Y
Cipher Alphabet #2: Z Y X W V U T S R Q P O N M L K J I H G F E D C B
This
A time, “Toronto” encrypts to “MLOCMGC” (We use alphabet #1 for the first letter,
alphabet #2 for the
Cipher Alphabet #3:second
V Z Aletter,
Y B alphabet
W C T D#3 SforEthe
Q third
F J letter,
I M then
N Ocycling
P G Hfrom
K LtheXfirst
R
alphabet
U again and continue the process to the end of the phrase.)

 Note that the frequency of the characters is obscured. Even though there are repeated
characters they are coming from different alphabets and represent different characters.
The more alphabets used, the more random the output.
Overview of two types of Cryptosystems (Symmetric/Private
Key vs. Asymmetric/Public Key)

Cryptography | NIST
NIST Post-Quantum Cryptography Standardization – Wikipedia
NTRU – Wikipedia
 Symmetric Cryptosystem
Symmetric Cryptosystem uses the same key to encrypt and
decrypt the message. It is also called “Private Key Cryptosystem”.

A private or secret key is known only to the parties that exchange
secret messages and has to be kept secret for security.
Symmetric Cryptosystem (Cont’d)
Plain-text input Cipher-text Plain-text output
“The quick “AxCv;5bmEseTfid3) “The quick
brown fox fGsmWe#4^,sdgfMwi brown fox
jumps over r3:dkJeTsY8R\s@! jumps over
the lazy q3%” the lazy
dog” dog”

Encryption Decryption

Key Distribution Problem
Same key
(shared secret)
Symmetric Cryptosystem – Advantages vs.
Disadvantages

Advantages Disadvantages

Very secure if using key greater than Safely distributing key to other party
100 bits is major concern. Face to Face
exchange is best

Keys are shorter than Asymmetric The number of keys increases
encryption exponentially with the number of
users exchanging secret information

Very fast performance If compromised, cracker can decrypt
everything -- serious problem
Asymmetric Cryptosystem
Asymmetric Cryptosystem uses two different keys; one to
encrypt the message and one to decrypt the message.

The keys are mathematically related to each other so that only
a message encrypted with the public key can be decrypted with
the private key. It is also called “Public Key Cryptosystem”.

This is a system that uses a public key known to everyone and
a private or secret key known only to recipient of the message.
Asymmetric Cryptosystem (Cont’d)
For Bob to send a secure
message to Alice, he uses
Alice's public key to encrypt
the message.

Alice uses her private key to
decrypt it.
Asymmetric Cryptosystem (Cont’d)

Clear-text Input Cipher-text Clear-text Output
“The quick “The quick
“Py75c%bn&*)9| brown fox
brown fox fDe^bDFaq#xzjFr@g
jumps over jumps over
5=&nmdFg$5knvMd’r the lazy
the lazy kvegMs”
dog” dog”

Encryption Decryption

public Different keys private
Recipient’s Recipient’s
public key private key
Asymmetric Cryptosystem – Advantages vs.
Disadvantages

Advantages Disadvantages

Very secure if using key greater than Each user has one key pair and
1000 bits user’s public key is exchanged with
all users

Keys are longer because the are If private key compromised, cracker
exchanged infrequently and public can decrypt messages sent to you,
key is shared but can not decrypt messages you
send to others because encrypted
with a different key pair

Slow performance 1000 X slower Requires a key distribution infra-
than symmetric encryption structure
What is Cryptanalysis?
Cryptanalysis is the study of cryptosystems to find weaknesses in the system
which will reveal the plaintext without necessarily knowing the key or the
algorithm. This could be done via:
1. Attempt to recognize patterns in encrypted messages
2. Attempt to find general weakness in an encryption algorithm

An encryption algorithm may be breakable, meaning that given enough time
and data, a cryptanalyst could determine the algorithm.

 If there exists 1030 possible decipherments for a given cipher scheme and a
computer performs 1010 operations per second, finding the decipherment would
require 1020 seconds (or roughly 1012 years)!