Cryptology
Cryptography
Cipher
Symmetric cipher – a SINGLE KEY is used to both encrypt and decrypt.
Block cipher – encrypts a block of plaintext at a time (usually 128 bits)
Stream cipher – can only encrypt data one bit/byte at a time
Asymmetric cipher – DIFFERENT KEYS are used to encrypt and decrypt
Symmetric Cipher
CLASSICAL Cipher
Substitution cipher – replaces each element with another element (confusion)
Transposition (permutation) cipher – rearranges the order of the elements of the plaintext
Product cipher – uses multiple stages of substitutions and transpositions
CAESAR cipher
Earliest substitution cipher
Replaces each letter with the letter three positions further down the alphabet
A confusion cipher, vulnerable to brute-force attack
VIGENERE CIPHER
An advanced type of substitution cipher. It uses a simple polyalphabetic code made of 26 distinct cipher alphabets.
BOOK-BASED CIPHER
It uses a predetermined book as a key to decrypt a message
BOOK cipher – consists of numbers representing the page, line and word of each plaintext word
RUNNING key cipher – uses a book to pass the key and is similar to the Vigenere cipher. The sender provides the encrypted message with a sequence of numbers from the predetermined book to be used as an indicator block
TEMPLATE cipher – hides the message in a book, letter or other message. Requires a page in a book with holes cut into it (specific number)
ROW TRANSPOSITION CIPHER (diffusion cipher)
Plaintext – written row by row in a rectangle
Ciphertext – write out the columns in the order specified by a key
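The row transposition steps above, as an added Python example (not part of the original notes). It assumes the key is a string such as "4312567" whose characters give the read-out order of the columns (the column labelled 1 first) and that a short last row is left unpadded; the function names and sample text are chosen for illustration.

```python
# Added example: row transposition cipher (write by rows, read by columns).
# Assumption: the key's characters give the read-out order of the columns;
# single digits or letters sort correctly, multi-digit labels would not.

def _column_order(key: str) -> list[int]:
    """Column indices in the order they are read out (sorted by key symbol)."""
    return sorted(range(len(key)), key=lambda i: key[i])


def encrypt(plaintext: str, key: str) -> str:
    cols = len(key)
    # Writing row by row puts character i into column i % cols.
    columns = [plaintext[c::cols] for c in range(cols)]
    return "".join(columns[c] for c in _column_order(key))


def decrypt(ciphertext: str, key: str) -> str:
    cols = len(key)
    full_rows, extra = divmod(len(ciphertext), cols)
    # If the last row is short, only the first `extra` columns have one more cell.
    lengths = [full_rows + (1 if c < extra else 0) for c in range(cols)]
    columns = [""] * cols
    pos = 0
    for c in _column_order(key):
        columns[c] = ciphertext[pos:pos + lengths[c]]
        pos += lengths[c]
    rows = full_rows + (1 if extra else 0)
    # Read the rebuilt rectangle row by row, skipping the empty cells.
    return "".join(
        columns[c][r] for r in range(rows) for c in range(cols)
        if r < len(columns[c])
    )


if __name__ == "__main__":
    message = "attackpostponeduntiltwoamxyz"  # sample text, 4 rows of 7
    ct = encrypt(message, "4312567")
    print(ct)
    print(decrypt(ct, "4312567"))
    # Transposition only moves letters: the letter counts are unchanged,
    # which is what frequency-based cryptanalysis can still observe.
    print(sorted(ct) == sorted(message))
```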
Cryptanalysis
Cryptanalysis – the study of ciphers, ciphertext and cryptosystems to find weaknesses that permit retrieval of the plaintext from the ciphertext without knowing the key or algorithm
Objective – recover the secret key
KERCKHOFFS's principle – the adversary knows all the details about a cryptosystem except the secret key
2 general APPROACHES –
Brute-force attack
Non-brute-force attack (cryptanalytic attack)
CRYPTANALYTIC ATTACKS
Ciphertext-only – the attacker uses statistics and any other information in order to decrypt intercepted ciphertext
Known-plaintext – when some of the plaintext is known, someone could uncover some of the plaintext-ciphertext
Chosen-plaintext – the intruder can choose the ciphertext message and receive the plaintext
HASH FUNCTIONS
SHA-2 – widely used
SHA-3 – Future government standard
STEGANOGRAPHY
Sending sensitive info while hiding the fact that sensitive info is being sent
All The Tools Are Carefully Kept – ATTACK
Other examples
Invisible ink
Hidden images
Least significant bit of image pixels
Modifications to the image are not noticeable by an observer
Recipient can check for modifications to get message
Going beyond Texts and Images
Operating System
Unused memory
Hidden partition
Network
Unused bits in packet headers
spread spectrum, frequency shifting
COVERT_TCP
Why needed? Needed to communicate covertly, but typical encryption is not possible or limited
Why not just encrypt? When encryption is outlawed and when people are suspicious of what you are doing
Steganography vs cryptography
OWASP
Open Web Application Security Project
Attackers can potentially use many different paths. Each path may or may not cause serious risk.
Threat Agents > Attack > Weakness > Control > Function > Impact
FURTHER STEP
STEP 5 – deciding on what to FIX
Not all risks are worth fixing
STEP 6 – CUSTOMIZE risk rating model
Adding factors
Customizing options
Weighing factors
OWASP: TOP 10
A2 Broken Authentication
Memorized Secrets – NIST 800-63B
Improper Authentication – CWE-287
Session Fixation – CWE-384
Stored XSS – The application stores unsanitized user input that is viewed at a later time by another user or admin.
Input Validation
Blacklist validation – listing input that should not come from a user, then blocking it.
Whitelist validation – listing input that should come from a user, then allowing it.
WEEK 4 : INJECTION
XSS tries to get sensitive data while CSRF tries to use it. The aim of XSS is to insert malicious code in the browser