WEEK 3 :

Cryptology

Cryptography – using and making codes in order to secure information

Cryptanalysis – changing cipher text to plaintext without the keys use to encrypt the original
message
Cryptology – scientific study on cryptography and cryptanalysis

Obfuscate – unclear or render obscure

Plaintext
Ciphertext
Cipher
Key
Enciphering
Deciphering

Cryptography

Meaning ‘secret writing’ in Greek. Now it points to encryption ( converting plaintext to

ciphertext). Encryption focus on confidentiality

Now it expanded beyond confidentiality concerns. It need to include: integrity checking,

identity authentication, digital signatures, etc.

Important to focus on cryptography. It will improve the information security.

C.I.A + A.N = confidentiality, integrity, availability + Authentication, Non-repudiantion

Cryptography can help with threats:

Fabrication (Authencicity Attack)
Interference ( Integrity Attack)
Eavesdropping ( confidentiality Attack)

Cipher
Symmetric – SINGLE KEY use for both encrypt and decrypt.
Block cipher – can encrypt a block a plaintext at a time ( 128 bit usually)
Stream cipher – can only encrypt data one bit/byte at a time
Asymmetric Cipher – DIFFERENT KEYS use to encrypt and decrypt

Symmetric Cipher

Sender/Recipient has the same key

Encryption key is calculated from decryption key, vice verca
Sender/Receiver needs to agree on a key before starting communication
Security is within the key
SAME KEY is required for both side.
This can be difficult to manage/update
Need to be exchanged
Manually and Electronically can be compromised,
KEY need to be changed periodaically.
REQUIREMENTS for Chipher
Confusion – interceptor won’t be able to predict the next move by changing one
character in the plaintext.
Difussion – distribution of a single plaintext over the entire ciphertext

CLASSICAL Cipher
Substitution cipher – replace each elements with another element (confusion)
Transposition(permutation) cipher – different arrangement of order on the elements of
plaintext
Product cipher – we have to use multiple stages of substitutions and transpositions

CAESAR cipher
Earliest substitution cipher
Replace each letter by three positions further down the alphabet
Confusion cipher and vulnerable to brute-force attack

MONOALPHABETIC SUBSTITUTION CIPHER

Shuffle the letters and the it would map each plaintext letter to a different random ciphertext
Secure against brute-force attacks
Not secure against cryptanalytic attacks

POLYALPHABETIC Substitution Cipher

Sequence monoalphabetic ciphers is used in turn to encrypt letters
Key needed to determines which sequence of cipher to use
This make cryptanalysis harder, because letter frequency distribution will be flatter

VIGENERE CIPHER
Advance type of substitute cipher. This one uses a simple polyalphabetic code. Made of 26
distinct cipher alphabets.

BOOK-BASED CIPHER
It uses a predeterminded book as a key to decrypt a message
BOOK cipher - consist representaing page, line, word numbers of plaintextword
RUNNING key cipher – using book to pass the key and similar to Vigenere cipher. Sender will
provides encrypted message with sequence of numbers from predetermined book to be used
as an indicator block
TEMPLATE cipher – has hidden message in the book, letter, other message. Will require a page
in a book with holes cut into it (specific number)
ROW TRANSPOSITION CIPHER (diffusion cipher)
Plaintext - written row by row in a recangle
Ciphertext – write out the columns in the order specified by a key

Cryptanalysis

Cryptanalysis – study of cipher, cipher text, cryptosystems, finding weakness in this study and
it will permit retrival of the plaintext from the ciphertext, and without knowing the key or
algorithm
Objective – recover the secret key
KERKOFF’s principle – the adversay will knows all the details about a cryposystem except the
secret key
2 general APPROACHES –
Brute-force attack
Non-brute-force attack (cryptanalytic attack)

CRYPTANALYTIC ATTACKS
Ciphertext-only – they use statistic and any other information in order to decrypt intercepted
ciphertext
Known-plaintext – when some of the plaintext is known then someone could uncover some of
the plaintext-ciphertext
Chosen-plaintext – the intruder can choose the ciphertext message and receive the plaintext

LANGUAGE STATISTIC and CRYPTANALYSIS

Human languages are not random.
Letters are not equally frequently used.
E is the most common

HASH FUNCTIONS
SHA-2 – widely used
SHA-3 – Future government standard

STEGANOGRAPHY
Sending sensitive info and hide the fact that sensitive info is being sent
All The Tools Are Carefully Kept – ATTACK
Other example
Invisible ink
Hidden images
Least significant bit of image pixels
Modifications to image to image not noticeable by an observer
Recipient can check for modifications to get message
Going beyond Texts and Images
Operating System
Unused memory
 Hidden partition
Network
Unused bits in packet headers
spread spectrum, frequency shifting

CONVERT_TCP
Why needed? Needed to communicate covertly, but typical encryption is not possible or limited
Why not just encrypt? When ebcryption is outlawed and when people are suspicious of what
you are doing

Steganography vs cryptography

BLOCK CIPHERS VS STREAM CIPHERS

MODERN SYMMERTRIC_KEY cryptosystems

Data excryption standard (DES)
Adopted in 1976
Block size = 64bits
Key length = 56 bits
Advanced encryption standard (AES)
Adopted in 2000
Block size = 128, 192 or 256 bits
Key lengths = 128, 192 or 256 bits

ENCRYPTION AND DECRYPTION (DES)

Data encryption standard use a block cipher with 64bit block size. It also use 56-bit key with 64
bit and 8 bits reserved for parity. As long there’s 56 bit string, then it can be the DES key. It has
2^56 keys which is a lot of keys. It can test one trillion keys per second and needs 2 hours to
find the key. It has a very small number of ‘weak keys’.

CONCERN FOR D.E.S

56-key bit is too short.
Broken in average 2^55 = 3.6 *10^trials
Moore’s law – with the speed of processor doubles per 1.5 (easier and faster to crack)
In 1999 – distributed.net broke DES in 23 hours
Week 4

OWASP
Open Web Application Security Project
Attackers can possibly use many different paths. Each path may not or may cause serious risk.
Threat Agents > Attack > Weakness > Control > Function > Impact

OWASP risk rating methodology

Risk Severity = Likelihood * Impact
1. Identify a RISK
2. Factors for estimating LIKELIHOOD
3. Factors for estimating IMPACT
4. Determining SEVERITY of the risk
5. Deciding what to FIX
6. Customizing the Risk Rating Model

OWASP RISK RATING METHODOLOGY

STEP 1 – identifying the RISK

The security risk must be rated. Tester needs to gather information on threat agent,
attack, vulnerability, impact of a successful exploit on the business
STEP 2 – LIKELIHOOD
Once the risk is identified, tested needs to figure out how serious it is. Measure of how
likely this weakness to be uncovered and exploited by and attacker.
Use low, medium, or high
FACTORS need to be taken in : threat agent involved and the vulnerability.
STEP 3 – Estimate IMPACT
Two kind of impact:
Technical impact – on the application , the data it will uses and the functions it provides
Business impact – on the business and company operating the application
FACTORS – loss of confidentiality, integrity, availability, accountability.
STEP 4 – determine the SEVERITY
Put together impact and likelihood together. Put together their estimate to see the
severity of the risk
Use business impact instead of the technical impact information. Because the business
it the one loosing the money. If there’s none then use the technical impact
Risk severity = likelihood * impact

FURTHER STEP
STEP 5 – deciding on what to FIX
Not all risk worth fixing
STEP 6 – CUSTOMIZE risk rating model
Adding factors
 Customizing options
Weighing factors

CLASSIFICATION AND PRIORITIZATION

Threat vectors are not only TIME and MONEY

Owasp top ten – a tool that help with priorities
Threat classification and ranking system
STRIDE
Classify general threats
CWE – common weakness enumeration
Classify a specific threat
CVSS – common vulnerability scoring system
Rank the threats
S.T.R.I.D.E
Spoofing – allows attacker to impersonate another user
Tampering – involve an attacker changing data they shouldn’t have access to
Repudiation – attacks are allowed to deny the given action (hard to tell who did it)
Information disclosure – an attacker able to read data they shouldn’t have access to
Denial of service – prevents valid user from accessing the application
Elevation of privilege – allow attacker to take action with high privilege such as admin
CWE – common weakness enumeration
CVE – common vulnerability and exposures
Maintained by MITRE corporation ( more specific than STRIDE)
Naming convenction for weakness
SQL injection (CWE – 89)
Cross Site Request Forgery ( CWE -352)
CVSS – common vulnerability scoring system
Maintained by FIRST – forum of incident response and security teams
Ranks vulnerability from 1 to 10
3 factors to determine score
- Base score – inherit characteristic of vulnerability
- Temporal score – characteristic changes over time
- Environmental score – character specific to your organization

OWASP: TOP 10

Threat agents – where these attacks will come from

Attack vector – how easy to perform attack
Weakness prevalence – how common is the weakness
Weakness detectability – how easy to detect weakness
Technical impact – how severe will the attack be on the infrastructure
Business impact – what will be the cost on the business when an attack is successful
A1 Injection
Command injection -CWE77
SQL injection CWE-89
Hibernate injection -CWE 564
Expression language injection – CWE917

A2 Broken Authentication
Memorize Secrets – NIST 800-63b
Improper Authentication – CWE287
Session Fixation – CWE384

A7 Cross-Site Scripting (XSS)

Improper neutralization of user supplied input – CWE-79
PortSwigger – Client-Side template injection

XSS and CRRF

(cross-site scripting & cross-site request forgery)

3 forms of XSS, usually targeting users browsers

Reflected XSS – there’s an unvalidated an unescaped user input as part of HTML output.
Allows attacker to execute arbitrary HTML and JavaScript in the victim’s browser

Stored XSS – The application stores unsanitized user input that is viewed at a later time
By another user or admin.

DOM XSS - JS frameworks, simple-page applications. APIs that dynamically include

attacker-controllable data to a page are vulnerable to DOM XSS

Input Validation
Blacklist validation – listing input that should not come from a user then block it
Whitelist validation – listing input that should come from a user, then allowing it.

WEEK 4 : INJECTION

Boolean – blind injaction

Inband, out of band, blind – 3 classes of sql injection

Xp_cmdshell – arbitrary commands

‘, “ and – and ; is malicious
IDS intrusion detection system

ORM object relational mapper

XSS tries to get sensitive data while CRFS tries to use it. The aim of XSS is to insert malicious
code in the browser

CSRF needs victiom to be authenticated on targeted site

Possible to store csrf on the site itself