470 likes | 649 Views
MODELLING PERSISTENT DATA: CS27020. Cryptography & Cryptanalysis Nitin Naik. What is Encryption. What is Encryption.
E N D
MODELLING PERSISTENT DATA: CS27020 Cryptography & Cryptanalysis Nitin Naik
What is Encryption.. • Encryption is the conversion of data form Plaintext (Readable) to Ciphertext (Unreadable Text) that cannot be easily understood by unauthorized people. Readable Text Unreadable Text Plain Text Cipher Text
Encryption Example Readable Text Unreadable Text Plain Text Cipher Text abc def Encryption Key = 3 a+3 d b+3 e c+3 f (This encryption technique is called Caesar Cipher)
What is Decryption • Decryption is the opposite process of Encryption means conversion of data form Ciphertext (Unreadable Text) to Plaintext (Readable) that can be easily understood by anyone. Unreadable Text Readable Text Cipher Text Plain Text
Decryption Example Unreadable Text Readable Text Cipher Text Plain Text def abc Decryption Key = -3 d-3 a e-3 b f-3 c (This encryption technique is called Caesar Cipher)
What is Cryptography(Encryption + Decryption) • Cryptography is the principle and method of transforming messages (plain text) into ciphers or codes, and then retransforming that messages back to its original form. • Cryptography word came from Greek where crypto (kryptos/ kryptós) means secret or hidden and graphy (graphia/ gráphō) means writing.
Cryptography Terminology.. • Plaintext:The original intelligible readable text (message) is known as plaintext which is being used for encryption. • Ciphertext :The transformed or encrypted text (message) produced after the encryption. • The term Cipher is sometimes used as a synonym for Ciphertext, but it more properly means the method of encryption rather than the result.
Cryptography Terminology.. • Cipher:A Cipher is any method (algorithm) for transforming Plaintext to Ciphertext. • It is generally transposition and/or substitution methods used for encrypting the text (means concealing its readability and meaning). • Key:A Key is a sequence of symbols or bits, which control the operation of a cryptographic algorithm to transform (encrypt) Plaintext into Ciphertext or vice versa (decrypt). • The Key should be the only part of the algorithm that it is necessary to keep secret. • The strength of encryption algorithm depends upon the length (like 64, 128, 256 bits etc) of encryption Key. • The more bits in the key, the more the number of possible combinations of binary numbers that makes the code more difficult to break.
Cryptanalysis / Codebreaking.. • Cryptanalysis word came from Greek where crypto (kryptos/ kryptós) means secret or hidden and analysis (analýein) means to loosen or to untie. • Cryptanalysis is the study of principles and methods of transforming an unreadable message back into a readable message without knowledge of the Key and Algorithm which is normally required to do so. • It is the breaking study of Ciphers, Ciphertexts, or Cryptosystems (secret code systems) for finding the weaknesses in them through that will permit retrieval of the Plaintext from the Ciphertext. • The aim of Cryptanalyst is to recover or forge cryptographically secured information without necessarily knowing the key or the algorithm.
Cryptanalysis / Codebreaking.. • Today, cryptanalysis is practiced by a broad range of organizations. • Governments try to break other governments' diplomatic and military transmissions. • Companies developing security products send them to cryptanalysts to test their security features and to a hacker or cracker to try to break the security of Web sites by finding weaknesses in the securing protocols. • It is this constant battle between cryptographers trying to secure information and cryptanalysts trying to break cryptosystems that moves the entire body of cryptology knowledge forward.
Types of Classical Cryptanalysis • There are two simple approaches for cryptanalysis: 1. Brute Force Attack (Password Attack) 2. Frequency Analysis Attack (Text Attack)
1. Brute Force Attack • A Brute Force attack is a technique of trial and error that does not attempt to decrypt any plaintext (information) but used to guess a user's cryptographic key, password, username, or credit-card number. • Which is further used to break an encryption or authentication system by trying all possibilities, one-by-one. • While brute force techniques are highly popular and often successful to gain access to a cryptographic key or password eventually, they can take hours, weeks or years to complete. • The amount of time it takes to complete these attacks is dependent on how long and complicated the password is.
1. Brute Force Attack Example • In a brute force attack, the program tries to guess user’s cryptographic key or password by trying every single combination of characters until the key or password is found. • If a user has chosen 8 characters key or password, then program might follow a sequence like this: “aaaaaaaa", “aaaaaaab", “aaaaaaac", “aaaaaaad" etc until the key or password is found. • Obviously, this method will take time, for an eight character lowercase alphabets password there are many Billion combinations to be checked.
Conclusion-Brute Force Attack • Brute Force attack is very difficult to implement with slow computer or manually as shown in the given tables. • The tables show the time required for Brute Force Attack depending on the cryptographic key or password length and used character set. • Remember that the time shown in the table is the worst possible time. • Brute Force Attack tries all cryptographic key or password combinations and you don’t know which one of them is correct. • If you’re lucky enough, the first combination will succeed. If not, the correct combination will be tried last.
Brute Force Attack (Window Server OS) • A hacker only needs to know two pieces of information (a user name and a password) to be able to access anything on your entire network. • Microsoft was kind enough to provide the hackers with the user name for you; Administrator. • That means that hackers only need to figure out the Administrator's password in order to gain access to your network. • Microsoft has long recommended that you change the name of the Administrator account so that hackers won't know what it is. • The problem is that even if you change the account name, the account's SID (Security IDentifier ) remains the same. • Since Microsoft uses a specific SID for the Administrator account, it's fairly easy to figure out what the account has been renamed to, just by examining the SIDs.
Brute Force Attack (Window Server OS).. • In fact, there are even GUI utilities that can automatically tell you what name the Administrator's account is using. • Hackers would then simply need to figure out the password. • This is where the brute force attack comes into play. • Windows is designed so that the Administrator account can't be locked out. • This means that a hacker is free to perform a brute force crack against the password without fear of locking out the account.
Solution-Brute Force Attack (Window Server OS) • Normally, your defences against such an attack are frequent password changes and reviews of the audit logs. • The idea is that it takes so long to crack a complex password that you change the password before the hacker has the chance to try every possible password. • If you've got auditing enabled, you would also notice a very high number of unsuccessful login attempts.
Renaming Administrator (Dangerous Technique) • Windows Server 2003 and more advanced versions allow you to manually disable the Administrator account. • Server 2008 now also offer you a group policy setting which can be used to rename all the local administrator accounts automatically. • The name of the policy setting is Accounts: Rename Administrator Account. The change will be propagated to all of the machines for which the group policy applies. • You can therefore set other users up with administrative privileges and then disable the Administrator account. • That way, if a hacker does figure out the name of the Administrator's account, it is useless because the account is disabled.
Renaming Administrator(Dangerous Technique).. • The reason why this technique is so dangerous is because if you don't set up your alternate administrative accounts just right, you may find yourself permanently unable to perform essential tasks. • You must also keep in mind that your alternate accounts can be locked out by incorrect password attempts. • Someone could lock you completely out of your network by purposely entering incorrect passwords for your alternate administrative accounts. • If that happened, the only way that you could get back into your network would be to perform an authoritative Active Directory restore, and you might not even be able to do that if your backup software requires authentication.
Security Accounts Manager (SAM)- (Dangerous Technique) • How hacker can steal your password. • If a server is to authenticate user's logins, the server must know the user's password so that it can compare the password that has been entered against the stored password. • Any computer that's running Windows 2000, XP, 2003, 7, or 2008 stores user's passwords within the Security Accounts Manager. • Actually, SAM doesn't contain the passwords themselves. • The password is hashed, and then the hash is encrypted and stored within the SAM. This sounds like a most strong technique, but there are few problems with the storage method. • For example, the encryption key is stored on the server right along with the hashes that the key encrypts and the hashing algorithm is fairly well known to everyone.
Security Accounts Manager (SAM)- (Dangerous Technique).. • Initial security must be provided by locking the server room physically. • Then you can move the encryption key off of the server. This can be done in two manners: • You can export the encryption key to a CD/DVD. Once you kept it in CD/DVD then it will ask for CD/DVD every time when you boot the server. • If you lose the CD/DVD or it becomes damaged or unreadable, the server will be rendered unbootable. • Another problem is that you lose the ability to remotely reboot the server because you can't boot the server without physically inserting a disk.
Security Accounts Manager (SAM)- (Dangerous Technique).. • Secondly, you can encrypt the encryption key. This method involves assigning a password to the encryption key. • When you boot the server, you will be prompted to enter the password. • Upon doing so, Windows decrypts the encryption key, which allows Windows to access the SAM database. • It is a little safer than exporting the encryption key to a CD/DVD but it still has risks. • If you were to forget the password, the server will be unbootable. • Likewise, you could potentially lose the ability to remotely reboot the server depending on how your remote control software works.
Dual authentication • This is another way to achieve much greater security by using at least two authentication methods for users. • Since Windows already uses something that the user knows (which is of course a username / password combination). • You might add something that the user is (such as biometrics) or something that the user has (such as a smart card).
Active Directory • Active Directory keeps most of the security related information. • Although Active Directory isn't the easiest thing in the world to hack. • But the Active Directory database does make a tempting target because it consists of easily recognizable files (NTDS.DIT, EDB.LOG, and TEMP.EDB) and those files reside in a predictable location (usually C:\Windows\NTDS). • You can make a hacker's job just a little bit more difficult by moving the Active Directory database to an unexpected location.
Active Directory.. • If your domain controller happens to have a RAID array, then the array makes an excellent choice because the database is protected from drive failure and because arrays offer better performance than a standalone hard disk. • Moving the databases is simple, although it does require a server reboot. • Boot the machine into Active Directory Restore mode and then enter the NTDSUTIL command followed by the Files command. • Now, just use the MOVE DB TO or MOVE LOGS To command to move the database and its log files to the new location.
Brute Force Attack (Linux Fedora) • SSH provides a secure remote login capability that encrypts not only the connection setup and password sequence but also the entire session. • This means that all of the data passed between the two computers is encrypted and thus very secure. • Still the brute force attack targets SSH in which script hackers run scripts that repetitively try to login to common user IDs with common dictionary passwords and variations.
Solution-Brute Force Attack (Linux Fedora ) • 1. DenyHosts – It is a tool that observes login attempts to SSH, and if it finds failed login attempts again and again from the same IP address, DenyHosts blocks further login attempts from that IP address by putting it into /etc/hosts.deny . DenyHosts can be run by cron or as a daemon. • 2. Fail2ban – It is a tool that observes login attempts to various services, e.g. SSH, FTP, SMTP, Apache, etc., and if it finds failed login attempts again and again from the same IP address or host, fail2ban stops further login attempts from that IP address/host by blocking it with an iptables firewall rule.
Solution-Brute Force Attack (Linux Fedora ).. • Fail2ban is similar to DenyHosts but unlike DenyHosts which focuses on SSH, fail2ban can be configured to monitor any service that writes login attempts to a log file, and instead of using /etc/hosts.deny only to block IP addresses/hosts, fail2ban can use iptables and /etc/hosts.deny. • You can configure fail2ban to monitor login attempts to the SSH server, the Proftpd server, login attempts to .htaccess/.htpasswd protected web sites, to Courier POP3 and Courier IMAP, and to SASL (for sending emails). • It comes with a default configuration in Fedora Linux, but unfortunately that configuration doesn't quite work for most of the aforementioned services.
Solution-Brute Force Attack (Linux Fedora ).. • Installing fail2ban yum install fail2ban Then you must create the system startup links for fail2ban and start it: chkconfig --levels 235 fail2ban on/etc/init.d/fail2ban start You will find all fail2ban configuration files in the /etc/fail2ban directory.
Solution-Brute Force Attack (Linux Fedora ).. • Configuring fail2ban • The default behaviour of fail2ban is configured in the file /etc/fail2ban/jail.conf and some of the configuration options are given here: • ignoreip: This is a space-separated list of IP addresses that cannot be blocked by fail2ban. For example, if the computer from which you're connecting to the server has a static IP address, you might want to list it here. • bantime: Time in seconds that a host is blocked if it was caught by fail2ban (600 seconds = 10 minutes). • maxretry: Max. number of failed login attempts before a host is blocked by fail2ban. • filter: Refers to the appropriate filter file in /etc/fail2ban/filter.d. • action: Refers to the appropriate action file in /etc/fail2ban/action.d. • logpath: The log file that fail2ban checks for failed login attempts.
2. Frequency Analysis Attack • In cryptanalysis, frequency analysis is a technique to determine the frequency of letters or groups of letters in a ciphertext. • After knowing the percentage frequencies of all letters in ciphertext, the plaintext could easily be retrieved. • The method is used as an aid to breaking most substitution classical ciphers.
Frequency Analysis Attack.. • The frequency analysis is based on the fact that, in any given sentence or paragraph of written language, certain letters and combinations of letters occur with varying frequencies. • Moreover, there is a characteristic distribution of letters that is roughly the same for almost all samples of that language. • In English language E is the most frequent occurred letter has a frequency of 12.7% followed by T, A, O and I whereas the least frequent are Q, Z and X. Likewise, ST, NG, TH, and QU are common pairs of letters (termed bigrams or digraphs), while NZ and QJ are rare.
Frequency Analysis Attack Example.. • In the above two diagrams of plaintext and ciphertext , the plaintext letter E has the frequency of 12% while the ciphertext letter V has the frequency of 12%. • This shows that plaintext letter E is replaced by the letter V in ciphertext.
Exercise (Frequency Analysis Attack) • Apply Caesar Cipher (shifting 3 positions) on the given data and perform frequency analysis attack: Plaintext- I HAVE GOT THE BASIC KNOWLEDGE OF CRYPTOGRAPHY. Q-1: Convert into Ciphertext Q-2: There are 39 characters in the ciphertext, considering one character value nearly 2.5% calculate the total percentage values for- (1)A,E,H,I,T,R,S and (2)D,L,N,O. Q-3: Compare these two group values with original frequency spectrum and write your conclusion (keep remember the amount of data is very low).
References • Naik, N. (2010),Network Security and Cryptographic Algorithms, Kamal Publications, India. • http://www.techrepublic.com/article/tips-and-tricks-to-secure-windows-server-2003/5758155 • http://www.windowsnetworking.com/articles_tutorials/group-policy-extensions-windows-vista-windows-server-2008-part2.html • http://www.howtoforge.com/preventing-brute-force-attacks-with-fail2ban-on-fedora9 • http://www.databook.bz/?page_id=1771