Information Security Tools PDF

Information Security Tools Authentication; Access Control; Encryption; Firewalls; Intrusion Detection System; INFORMATION SECURITY TOOLS AUTHENTICATION ACCESS CONTROL FIREWALLS INTRUSION DETECTION SYSTEM AUTHENTICATION ACCESS CONTROL FIREWALLS INTRUSION DETECTION SYSTEM 3 Message authentication & Integrity AUTHENTICATION Entity authentication (Digital signatures)  Integrity using Modification Detection Codes (MDC) Message  Unsigned hash functions Authentication  Message authentication & Integrity codes (MAC)  Signed hash functions  A hash function H maps a string (message or document) D of arbitrary length to an integer d = H(D) with a fixed number of bits called the digest of D. d is a short bit string compared to Hash arbitrarily long bit string of D  Hashing overcomes a significant functions restriction of public-key schemes which stipulates that the message, D must be less than the modulus, n The digest, d satisfies the following properties: - Given a string D, the digest of D can be computed quickly; - Given the digest d of D, but not D, it is Hash computationally infeasible to find D; - Hash H should be collision resistant i.e functions hard to find two documents whose hash functions are the same  Most hash functions use a mixing algorithm, M that transforms a bit string of Hash length n into another bit string of length n; functions -  Break a long document into algorithm blocks and successively use M to combine each block with the previously processed material.  To compute H(D):  append extra 0 bits to document, D so that the length of D is an even multiple of n bits  D is written as a concatenation of Hash bit strings of length n D = D1D2 D3 D4 - - - DK functions -  H(D) is computed with an initial bit string H0 and performing algorithm repeated operation as follows Hi = Hi-1 xor M(Di) for 1 ≤ i ≤ k e.g H1 = H0 xor D1  The hash function, H(D) is the final output value Hk MODIFICATION DETECTION CODES (MDC) The MD5 algorithm is as follows:  A message of arbitrary length is padded into a multiple of 512 bits Message  A buffer of 128 bits is then initialized to a given value Digest 5  At each step, the content of the buffer is modified according to the next 512-bit (MD5) block  When the process is completed, the buffer holds the 128-bit “hash” code  The SHA-1 works with a Secure block size of 512 bits and a hash size of 160 bits Hashing  It was developed for use with the Digital Signature Algorithm Standard 1 (SHA-1)  Its algorithm is similar to that of the MD5 MESSAGE AUTHENTICATION CODES (MDC) Message authentication code (MAC) MAC aims to provide assurances regarding the source of a message and its integrity MAC uses two independent variables: a message input and a secret key MAC algorithms are essentially keyed hashed algorithms Hashed message authentication code (HMAC) is a general method for increasing strength of the hash function. Its algorithm using MD5 as an example is as follows: 1/ Shared secret key is padded HMAC with zeros to 512 bits. The result is XORed with 64 repetitions of 00110110 2/ The message is padded to a multiple of 512 bits 3/ Concatenation of the blocks in the first two steps is applied to the MD5 algorithm to obtain a 128-bit hash. 4/ The shared secret is padded again with zeros to 512 bits and HMAC the result XORed with 64 repetitions of 01011010 5/ The blocks in steps 3 and 4 are again applied to the MD5 algorithm to produce the final 128-bit hash HMAC INPUT: data, x of 64-bit length and key, k of 56-bit length OUTPUT: 64-bit MAC on x Algorithm: DES MAC - Message is padded to a multiple of 64 bits - Establish 64-bit blocks denoted as x1, - - -, xt - Perform DES encryption, Ek of message using k  Compute Ht as follows: H1 ← Ek (x1) DES MAC Hi ← Ek (Hi-1  xi);  The MAC is the n-bit block Ht. ENTITY AUTHENTICATION (Digital Signatures) Digital signature set-up & Nomenclature M = {m1, m2, m3} and S = {s1, s2, s3} M=message; S=signature; SA=signing; VA=verifying Digital Signatures Schemes RSA SCHEME - synopsis Key generation Digital Signature Signing Algorithm (DSA) Verification DSA-KEY GENERATION Select two primes p and q such that q divides (p – 1) Select an element, g such that 1  g  p and compute  = g(p-1)/q mod p. If  = 1, select another value of g Select a random integer, d such that 1  d  q – 1 Compute y = d mod p A’s Public key is (p, q, , y) and private key is d A random integer k from interval Select [1, q − 1]; Compute k−1 mod q; DSA- SIGNING Compute r = (αk mod p) mod q; s = k−1{h(m) + d r} mod q. h is the hash function implemented using Compute SHA-1: (r, s) is A’s signature of message m; Verify that 1 ≤ r ≤ q − 1 and 1 ≤ s ≤ q − 1 Compute h(m) and w = s−1 mod q DSA- VERIFYING Compute u1 = h(m) · w mod q and u2 = r · w mod q Compute v = (αu1 yu2 mod p) mod q Accept if and only if v = r. Key generation EC Digital Signature Signing Algorithm (ECDSA) Verification  Entity A selects a random integer d from the interval ECDSA KEY [1, n − 1] as the private key, and publishes Q = dG as the GENERATION public key. ECDSA-SIGNING Select Select a random integer k from interval [1, n − 1] Compute kG = (x1, y1) and r = x1 mod n. If r = 0 Compute goto step 1 Compute Compute k−1 mod n Compute e = h(m), where h is a hash function Compute implemented using SHA-1 Compute Compute s = k−1{e + dr} mod n. If s = 0 goto step 1 (r, s) is A’s signature of message m Verify that r and s are integers in [1, n − 1]; Compute e = h(m); Compute w = s−1 mod n; ECDSA- Compute u1 = ew mod n and u2 = rw mod n; VERIFYING Compute u1G + u2Q = (x1, y1); Compute v = x1 mod n; Accept the signature if and only if v = r. USER ID & PASSWORDS AUTHENTICATION METHODS MULTI-FACTOR AUTHENTICATION Fixed password schemes - techniques Lower bound on password length (e.g. 8 or 12 characters) Contain at least one character Fixed from each of a set of categories (e.g. uppercase, password numeric, non-alphanumeric) schemes - Password is not found on- line or available rules dictionaries Not composed of account- related information such as userid etc  Exhaustive password search: Trying passwords one at a time;  Entropy (uncertainty in a password) should be Fixed increased, password  If all passwords are equally probable then schemes - Entropy = log2 N where N = number of possible attacks passwords Password entropy for 7-bit ASCII characters are shown in table below Dr. SONE EKONDE'S NOTES ON COMPUTER SECURITY Personal Identification Numbers (PINs)  PINs fall under the category of fixed (time-invariant) passwords.  It is often used in conjunction with a possessed token such as a chipcard. Entry of the correct PIN is required when the token is used.  PINs are typically short and numeric e.g. 4 to 8 digits  To prevent exhaustive search through such a small key space, additional constraints are available Personal Identification Numbers (PINs)  A constraint could include invalidating the physical device when more than a pre-defined number of incorrect PINs are attempted  In an on-line system, the user-entered PIN may be verified by comparison to the PIN stored for that identity in a system database  In an off-line system, the PIN may be defined to be a function of a secret key and the identity of the user associated with the PIN  Multi-factor Authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such Multi-Factor as an application, online Authentication account, or a VPN (MFA)  Rather than just asking for a username and password, MFA requires one or more additional verification factors, which decreases the likelihood of a successful cyber attack. Dr. SONE EKONDE'S NOTES ON COMPUTER SECURITY AUTHENTICATION ACCESS CONTROL FIREWALLS INTRUSION DETECTION SYSTEM 41 ACCESS CONTROL Once a user has been authenticated, the next step is to ensure that they can only access the information resources that are appropriate. This is done using access control. Access control determines which users are authorized to read, modify, add, and/or delete information. Dr. SONE EKONDE'S NOTES ON COMPUTER SECURITY The ability to allow only authorized users, programs or processes system or resource access WHAT’S The granting or denying, according to a ACCESS particular security model, of certain permissions to access a resource CONTROL An entire set of procedures performed by hardware, software and administrators, to monitor access, identify users requesting access, record access attempts, and grant or deny access based on pre-established rules. Access control is the heart of security Access Control Matrices ACCESS Access Control List CONTROL (ACL) MECHANISMS Role-based access control (RBAC) ACCESS CONTROL MATRICES  Access control matrix is a two-dimensional matrix representing subjects on the rows and objects on the columns  Each entry in the matrix contains the access attributes, specifying the access privileges held by subject S to object O Example of access control matrix File Test.txt c_compat Sys_clk printer User_1 ORW R X R W User_2 R R X R W admin - ORW OX ORW O Subjects: user 1, user 2, admin (administrator) Objects: File, test.txt (text file), c_compat (C compiler), sys_clk (system clock), printer Privileges: R (read) W (write), X (execution), O (owner) ACCESS In a large system, the CONTROL matrix will be enormous in MATRICES size and mostly DISADVANTAGE sparse  For each information resource that an organization wishes to manage, a list of users who have the ability to take specific actions can be created.  For each user, specific ACCESS capabilities are assigned, such as read, write, delete, or add. CONTOL  Only users with those LIST (ACL) capabilities are allowed to perform those functions.  If a user is not on the list, they have no ability to even know that the information resource exists. ACL EXAMPLE  Advantages  Easy to determine who can access a given object  Easy to revoke all access to an object  Disadvantages  Difficult to know the access right of a given ACL PROS subject  The primary drawback is that each information & CONS resource is managed separately, so if a security administrator wanted to add or remove a user to a large set of information resources, it would be quite difficult. And as the number of users and resources increase, ACLs become harder to maintain. This has led to an improved method of access control, called role-based access control, or RBAC Role-based  Instead of giving specific users access rights to an information resource, users are assigned access to roles and then those roles are assigned the access. control  This allows the administrators to manage (RBAC) users and roles separately, simplifying administration and, by extension, improving security COMPARISON OF ACL AND RBAC Discretionary Access Control ACCESS (DAC) CONTROL POLICY MODELS Mandatory Access Control (MAC) Definition: An individual user can set an access control mechanism to allow or deny access to an object. DISCRETIONAL Strength of DAC: Flexibility: a key ACCESS reason why it is widely known and implemented in main- stream CONTROL operating systems. (DAC) Relies on the object owner to control access, hence widely implemented in most operating systems Definition: A system-wide policy decrees who is allowed to have access; individual user cannot alter Mandatory that access. Access Relies on the system to control Control access. (MAC) Examples: The law allows a court to access driving records without the owners’ permission.

Information Security Tools PDF

Document Details

Tags

Related

Summary

Full Transcript

Upgrade to continue