Computer Security SEHS4515: Understanding Core Security Principles

This document outlines the core principles of computer security, including risk understanding, the security triad (Confidentiality, Integrity, Availability), and strategies for hardening servers. It emphasizes the importance of continuous assessment in the course, with a focus on mitigating risks through various security measures and the principle of least privilege. Additionally, the document introduces malware types and their implications, highlighting the need for protective measures against such threats.


Computer Security

SEHS4515
Lesson One

Understanding Core Security Principles


Dr. Umair Mujtaba Qureshi

Note: Most of the teaching materials have been taken from the lectures of Dr. Adam Wong.
Assessment: 50% Continuous Assessment, 50% Examination

Continuous Assessment    Percentage
Mid-term test*           15%
Assignment(s)            25%
Participation**          10%
Examination              50%
Total                    100%

* Mid-term test will include multiple choices, short questions and structured questions. The assignment will
be used to assess students’ ability to explain the use and design of policies and technologies for security
solutions.
** Participation is calculated based on the tutorial and in-class exercises submitted.
Text Book, Professional Exam
• The text book covers principles and practices that apply to most other
operating systems as well.
• Good for preparing for
• Microsoft Technology Associate (MTA)
• Exam 98-367 Security fundamentals
• Other references will be used whenever necessary
• CISSP® - Certified Information Systems Security Professional
Understanding Core
Security Principles
Understanding Core Security
Principles
• Every digital device presents a certain risk – Cannot be
eliminated
• Understanding core security principles – Guide the protection of
information technology system and data!
• Understanding risk
• Exploring the security triad – Confidentiality-Integrity-Availability (CIA)
• Implementing a defense-in-depth security strategy
• Enforcing the principle of least privilege
• Hardening a server
Understanding Risk
• Risk is unavoidable. You can't eliminate it. However, it's
possible to minimize risk by first understanding it and then
taking steps to mitigate it.
• Minimizing risk is also known as risk mitigation.
Understanding Risk

“Risk is a function of the likelihood of a given threat source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization”

• The above definition is given by the National Institute of Standards and Technology (NIST) in the U.S.

“Risk is a function of the likelihood/possibility that a given threat may exploit a vulnerability, and what could be the resulting impact of that adverse event on the organization”

• It can be found in NIST's Special Publication 800-30 (SP 800-30), which is titled
"Risk Management Guide for Information Technology Systems."
Understanding Risk
• Risk occurs when threats exploit vulnerabilities.
Adversary, Attack and Countermeasure
• An adversary is an entity that attacks, or can cause a threat, to
a system.
• An asset is some valuable resource you are trying to protect.
• An attack is an attempt by an adversary to cause damage to
valuable assets, by exploiting vulnerabilities.
• A countermeasure is an action, device, procedure, or technique
that reduces a threat, a vulnerability, or an attack by preventing
it or by minimizing the harm that it may cause.
Threats
• A threat is a set of circumstances that could possibly
cause violation of rules or even damage.
• Man-made threats are any threats from people.
• Intentional threats
• These include theft, fire, vandalism, malware distribution, access,
modification, or deletion of data.
• Unintentional threats
• The accidental deletion of data because of carelessness.
• Natural threats include weather events such as
hurricanes, floods, tornadoes, and lightning.
• Environmental threats include long-term power
failures or the inadvertent release of hazardous
chemicals
Vulnerabilities
• Vulnerabilities are weaknesses.
• Vulnerabilities in your software or hardware:
• E.g. bugs in the code or faulty power supplies.
• Vulnerabilities in security configurations:
• E.g. Unneeded services or protocols are left running on a system.
• Vulnerabilities in physical security
• Unauthorized personnel access to servers or network devices.

• Every step you take to reduce weaknesses reduces your risks.


Exploring the Security Triad
• The security triad includes three key security principles that are
at the core of all security practices.
• Any study of IT security requires an understanding of these
basic principles.

• It is also known as the CIA triad, using the first initials of each principle.
Exploring the Security Triad:
Confidentiality
• Confidentiality ensures that only authorized people are able
to access data. The loss of confidentiality occurs when
unauthorized individuals access data.
• Brother-Sister Problem
• Countermeasures against loss of confidentiality:
• – E.g. Usernames and passwords, assign permissions to specific files and folders,
encryption
Exploring the Security Triad:
Availability
• Availability ensures that systems and data are available when needed.
• Loss of availability simply means that systems or data aren't available
when the user needs them.
• Some systems need to be up and operational 24 hours a day, 7 days a week.
• Other systems only need to be available from 9 a.m. to 5 p.m. Monday
through Friday.
• Backups, fault tolerance and redundancies are some measures to
ensure availability.
• E.g. Separate geographic location for backups, Redundant Arrays of
Independent Disks (RAID)
Exploring the Security Triad: Integrity
• Integrity prevents the unauthorized modification of data and
ensures that unauthorized modification is detected. The loss of
integrity occurs when data is modified without authorization.

Note: Malicious users may bypass the access controls, or the controls may fail. Audit logging can show if anyone accessed data and may include details such as who they are, what they did, and when they did it.

https://www.youtube.com/watch?v=rwigKjEsdTc
Threats, Vulnerabilities, Security
Principle, Countermeasure
• Case 1
• Threat: Adversaries might install key loggers in the computers in our
Personnel Department for stealing business secrets.
• Vulnerability? Security Principle? Countermeasure?
• Case 2
• Threat: Thieves could break into our facility and steal our equipment.
• Vulnerability? Security Principle? Countermeasure?
• Case 3
• Threat: Employees (insiders) might release confidential information to our
competitors
• Vulnerability? Security Principle? Countermeasure?
Security Measures to Achieve CIA
(They will be covered later in the course)
• Confidentiality
• Access controls
• Encryption
• Availability
• Backups
• Fault tolerance and redundancies
• Integrity
• Access controls and audit logging
• Hashing algorithms
Defense-in-Depth Security Strategy
• It is a strategy employed by
security professionals that
includes multiple layers of
security.

• Also, you must treat security as an on-going process. Security is
never “done”.
Defense-in-Depth Security Strategy
• This strategy often slows down or deters an attacker. This delay
can provide extra time to detect the attack and respond to it.
Enforcing the Principle of Least
Privilege
• Give the absolute minimum rights and permissions to users,
resources, and applications to perform necessary tasks and
nothing else.
• When damages occur, it'll take a lot of time and energy to get
things back in order, and some of the damages may be
irreversible.

Note: Some administrators may be tempted to give everyone administrator access instead of managing the permissions.
Enforcing the Principle of Least
Privilege
• Avoid privilege escalation
• Give administrators two accounts
• One for regular use
• One for administrative use

• Limit privileges for service accounts (refer to figure on the right)
Hardening a Server
• In computer science, a server is a piece of computer hardware or
software (computer program) that provides functionality for other
programs or devices, called "clients".
• Hardening a server indicates that you're making changes to the
default configuration in order to enhance the system's security.
• You can take multiple steps to harden a server. These include the following:
• Reduce the attack surface.
• Keep the operating system up to date.
• Enable firewalls.
• Install and update antivirus software.
Hardening a Server: Reduce the Attack
Surface
• You reduce the attack surface of a computer by ensuring that
only necessary services and protocols are running or installed
on the system. If a protocol isn't installed on a system, it can't
be attacked.
• Protocol: Is a set of rules to run a procedure in a system
Hardening a Server: Security
Configuration Wizard
• It is one of the methods to automate
the hardening process.
• The Security Configuration Wizard
(SCW) is a software utility and is built
into Microsoft Windows Server.
• It can analyze a system and
recommend more secure settings for
services, firewall rules and more.
Hardening a Server: Security
Configuration Wizard
• The SCW can export the security policy as an XML file in
• C:\Windows\security\msscw\Policies\Test
• The XML file can be applied to a computer.

You can copy this .xml file to another computer and apply it. For example, if you have five identical web servers in a web farm, you can create one security policy, test it, and then apply it equally to all the servers.
Hardening a Server: Security
Configuration Database
• The SCW includes an extensive database that you can
browse for different security settings.
• It includes security settings for just about all the possible server
roles, client features, administration options, service settings,
and Windows Firewall settings.
Note: The database helps you to focus on a specific server role to determine what the most secure settings are.
Hardening a Server: Keep the Operating
System Up to Date
• Patches and hotfixes
• Computer vendors routinely investigate bugs
and flaws in released operating systems. They
regularly write and release patches and
hotfixes to correct the problems. A patch, or
hotfix, is a small amount of code that corrects a
problem.
• Concept of pre-release or beta versions of the
software – it is an entire field
• Patch Tuesday
• Microsoft releases security updates on the
second Tuesday of every month, known as Patch
Tuesday.
Automate updates with WSUS or
SCCM
• Windows Server Update Services (WSUS) or Microsoft System
Center Configuration Manager (SCCM) can test and manage
the deployment of updates to the many computers in an
organization.
Note: Sometimes a patch that is intended to fix
one problem may create another.

• Both WSUS and SCCM allow administrators to test updates before deploying them.
• WSUS is a free product from Microsoft.
• SCCM is an add-on server product and it has more capabilities than
WSUS. E.g. Scheduling.
Windows Server Update Services
(WSUS)

The administrator can choose which group of computers to apply the update.
Hardening a Server: Enable Firewalls
• Since Windows XP Service Pack 2 (SP2) and Windows
Server 2008, the Windows Firewall is enabled by default.
• When you're hardening a server, it's important to ensure that a
host firewall is enabled.
Note: A host firewall is installed on the client or server. A network firewall is installed at a network boundary, such as between the Internet and an internal network.
Hardening a Server: Install and Update
Antivirus (AV) Software
• Antivirus (AV) software can detect and block known malware,
and it can often detect suspicious activities by unknown
malware.
• Malware can spread through email or through many other
methods such as USB drives or by visiting infected websites.
• AV signatures must be regularly updated.
Note: Different systems need different protections. For example, the AV software installed on an email server is different from AV software you'd install on a database server or an end user's computer.
The Windows OS has more
vulnerabilities?
• Macs are so secure that antivirus software and updating aren't
needed? Not true.
• For example, in November 2010, Computerworld published an article titled
"Apple Smashes Patch Record with Gigantic Update". It mentions that Apple
fixed 134 flaws with Mac OS X. Mac OS X is based on a version of Unix known
as Snow Leopard.
• More than 90 percent of the systems in use are Microsoft based, so Microsoft
systems get more press.
• The only way to ensure that an operating system stays as secure as
possible is to keep it current with system updates.
Today’s world is different!
• What is the most popular OS today?
• We have different markets
• For smartphones and other pocket-sized devices, Android leads with 73%
market share, and Apple's iOS has 27%.*
• For desktop and laptop computers, Windows is the most used at 75%,
followed by Apple's macOS at 16%, and Linux-based operating systems,
including Google's Chrome OS, at 5% (thereof "desktop Linux" at 2.35%).*
• With tablets, Apple's iOS has 55% and Android has 45%.*

*https://gs.statcounter.com/os-market-share#monthly-202012-202112-bar
Question

What are the security advantages of the latest Windows version, the latest macOS and the latest Android?
Summary
• Understanding risk
• Exploring the security triad
• Implementing a defense-in-depth security strategy
• Enforcing the principle of least privilege
• Hardening a Server
Computer Security
SEHS4515
Lesson Two
Understanding Malware and Social
Engineering
Dr. Umair Mujtaba Qureshi

Note: Most of the teaching materials have been taken from the lectures of Dr. Adam Wong.
Understanding Malware
and Social Engineering
What will we learn today?
• The most common threat to computers is MALicious SoftWARE, aka
MALWARE
• Comparing different types of malware
• Protecting against malware
• Thwarting social engineering attacks
• Protecting emails
What is Malware?
• Malicious software (malware) is software that is installed
on a system without the user's knowledge or consent. It
includes:
• Viruses,
• Worms,
• Trojan horses,
• Spyware, and more.
• Malware attempts to gather as much data as possible,
and then attackers use that data for monetary gain. This
is sometimes done by stealing identities, stealing financial
data, and clearing out bank accounts.
• Sometimes attackers are willing to collect small amounts
of data at a time from millions of users. Another purpose
of malware is espionage—both corporate espionage and
government espionage.
Botnets and Malware
• Much of today's malicious software has the primary purpose of taking
over a computer and having it join a botnet (or roBOT NETwork). The
computers act as clones or zombies and do the work for the attacker.
• A server known as a command-and-control server controls the clones within a
botnet, and an attacker controls the server.
• Clones check in periodically with the command-and-control server for
instructions on what to do. They can be instructed to launch denial of service
(DoS) attacks or send massive amounts of infected spam. This is all completely
unknown to the user.
• The best protections are up-to-date and active AV software and educated
users.
https://www.youtube.com/watch?v=6V5BeXypd6U&t=163s
https://www.techtarget.com/searchsecurity/definition/botnet
Common Malware Types
• Note: Spam is unwanted or unsolicited email. It often includes malware as an
attachment, embedded scripts that can cause damage, or links to malicious
websites.
Understanding Malware
Viruses
• A computer virus is an executable program that spreads
within a computer or from one computer to another.
• One of the key functions of a virus is to replicate itself.
Damage that a virus can cause includes the following:
• Join your computer to a botnet
• Corrupt or delete data on your system
• Email itself to other computers using your address
list
• Erase everything on your hard disk
Understanding Malware
Virus Delivery Methods
• Attachment in Unwanted Email
• Spam is the most popular way to transmit viruses.
Such messages may look like greeting cards, audio
files, video files, or images. When the user double-
clicks the attachment to open it, the virus installs itself
on the computer.
• Script in Unwanted Email
• Some email messages have scripts embedded within
them. When the user opens the email, the script runs
and installs the virus.
• Some email programs (such as Microsoft Outlook)
block the scripts by default.
Understanding Malware
Virus Delivery Methods
• Installed on USB Drives
• Viruses sometimes look for a USB drive and automatically infect the
drive when it's plugged into a system. When the user inserts the drive
into another system, the virus infects this system too.

• Embedded in Downloaded Files
• Files available as free downloads are sometimes infected.
• This can include both freeware and shareware.
• Note: Freeware is software available at no cost. Shareware is software available
at no cost for a trial period; the user is obligated to pay if they continue to use it
after the trial ends
Understanding Malware
Worms
• A worm is a software program that copies itself from
computer to computer over a network. After a worm
installs itself on a computer, it can do many of the
same types of damage as a virus.

• The biggest difference between a worm and a virus is
that a virus must be executed through some type of
human interaction but a worm doesn't require any
human interaction at all.

https://www.youtube.com/watch?v=oyUsZu6ygq8
Understanding Malware
Worm Spreading Methods
• Worms can spread themselves over the network through
one of several methods.
1. A worm can identify IP addresses of other computers on
the network and then look for open ports. When it finds an
exploitable port, it infects the other computer.
2. Worms can also read email addresses stored in a user's
address book and then send themselves via email.
• Because the worm spreads over the network, it has the
potential to slow down network performance. Some worms
flood the network with so much traffic that the entire
network slows to a crawl.
Understanding Malware
Famous Worms
• Morris
• It exploited vulnerabilities in Unix programs, such as Sendmail and Finger, and cracked weak
passwords. It consumed system resources until eventually the infected system became
inoperable or simply crashed.

• Conficker
• It attacks unpatched Windows systems. It's estimated to have infected more than 7 million
computers, each of which is controlled in a massive botnet spread over 200 countries.

• Sasser
• The worm component searches for other systems on the network that have port 445 open and
then starts the buffer-overflow attack on this port. Infected systems randomly crash and reboot.
This worm has caused X-ray machines in a hospital to shut down
Understanding Malware
Trojan Horses
• Trojan horse malware is software that looks like one thing but is actually
something else.
• For example, a user may be enticed into downloading a game or utility. However, in addition
to the game or utility, the download includes malicious software embedded within it. When the
user installs the application, the Trojan horse is also installed.
Understanding Malware
Trojan Horses
• A popular type of Trojan horse today
is rogueware.
• Rogueware is a fake program that
advertises a specific function, such as
AV. The program will alert the user that
their computer is infected and will then
ask for payment in order to remove the
threat. The program's intention is to
solicit the payment, and whether or not
a threat exists on the machine is never
actually checked.
Understanding Malware
Trojan Horses
• If the user clicks the Scan System Now button
shown in the figure, it starts the download and
installation of the malicious software.
• Some rogueware confuses the user by using
names that are similar to genuine software from
reputable companies. For example, one version of
rogueware is named Security Essentials 2010. This
isn't the valid Microsoft Security Essentials program
created and published by Microsoft.
• The attackers are sophisticated and create
very realistic-looking programs. The best
defenses are up-to-date AV software from a
reliable source and educated users.
Understanding Malware
Buffer-overflow attacks
• Buffer-overflow attacks take advantage of known
vulnerabilities/weaknesses within operating systems and
applications.
• Applications use areas of memory (buffers) to store temporary data.
For example, when you fill out a form on a web page, your
information is stored temporarily in a program buffer.

• A buffer overflow occurs when an application receives
unexpected data that it can't handle, resulting in an error.

• The error then causes the application to write more data to a
buffer than the buffer can handle and the unexpected data
then overflows to other memory.
Understanding Malware
Buffer-overflow attacks
• Normally, applications only have access to memory allocated to them by the operating
system as a program buffer. The application can use this buffer but won't have access to
other memory.

• When attackers discover data that causes a buffer overflow, they then add code to the
end of the data. This data causes the buffer overflow, and their code is inserted into the
exposed memory. In other words, they write malicious code and insert it into the system.
Understanding Malware
Countermeasure against buffer-overflow attacks
• Input Validation
• The application developer should validate all data
before using it.
• For example, if a number between 1 and 100 is
expected, the program should verify that the inputted
data is a valid number between 1 and 100.
• Application Testing
• For example, if a number between 1 and 100 is
expected, the numbers 0, 1, 2, 99, 100, and 101 are
entered to see how the program handles data at the
edge of accepted input.
• Up-to-Date Patching
• When buffer-overflow vulnerabilities are discovered,
the vendor or application developer typically releases a
patch to correct the problem. Of course, this patch is
only useful if it's applied.
Understanding Malware
Spyware
• Spyware is software that installs itself on a system without
the user's consent, or without giving the user any notice or
control. Spyware may not display any symptoms because
it's largely passive. It sits in the background collecting
information and doesn't want to be discovered.

• Spyware is often looking to gather personal information
about a user and a user's online habits. More malicious
spyware tries to discover personally identifiable
information (PII) about the user. This PII can be used for
identity theft or to hack into a user's online financial
accounts.

https://www.youtube.com/watch?v=ZgXw3WCNXc8&list=PL5OdmBrO1Lpl8He9T19jKsWLUKiFIIkYc&index=52
Understanding Malware
Spyware Example: Keylogger
• A keylogger is a program that records all
keystrokes on a system. The keystrokes
are recorded into a log, which the attacker
later views. The log includes everything
that a user types, including URLs,
usernames, and passwords.

The attacker can later impersonate the user by using the same credentials.

https://www.youtube.com/watch?v=L8169DHNeQ0&list=PL5OdmBrO1Lpl8He9T19jKsWLUKiFIIkYc&index=40
https://www.mdpi.com/1424-8220/20/11/3015/htm
Understanding Malware
Malware Example: Stuxnet
• It is the first known malware that has shown it is capable of having an
impact on industrial control system hardware. Stuxnet has successfully
penetrated even networks that are isolated from the Internet.

• Stuxnet doesn't damage the Windows systems but instead uses a worm
component to seek out a specific type of hardware.

• Hardware used in a nuclear power plant in Iran was affected by Stuxnet.


Protecting Against Malware
Antivirus Software
• The primary protection against most malware is
the use of antivirus (AV) software. Although the
name implies that it only protects against viruses,
most AV software also protects against most, if not
all, types of malware.
• Email servers use databases that require
specialized AV software. This software can scan
email within the databases and also strip off
malicious attachments or embedded scripts from
valid email messages. Email servers can also
delete or quarantine spam before it reaches a
user's mailbox.
Other Countermeasures Against Malware
• Method 1. Use firewalls
Other Countermeasures Against Malware
• Method 2. Keep Systems Up to Date
• As software vulnerabilities are discovered, vendors release
updates to address the vulnerabilities. These are only
effective if the systems have the updates installed.

• Method 3. Reduce the Attack Surface
• Remove all unneeded protocols and disable unused
services. If a protocol or service isn't running, malware can't
compromise it. Fewer protocols and services running on a
targeted machine results in fewer successful attacks
Other Countermeasures Against Malware
• Method 4. Educate Users
• When users understand the threats, they're better able to counter them. This
includes letting users know what the threats are and providing simple
guidelines in order to help them avoid getting malware.

• Method 5. Minimize Use of Administrator Accounts
• Users should use accounts that have the least privilege for their job.
Administrators should have two accounts: one for regular work and one for
administrative work.
• Administrators should only use the administrator account when performing
administrative activities
Social Engineering Attacks

• Social engineering is a broad term indicating that an
attacker is using techniques to trick people into giving
up sensitive information or performing actions on behalf
of the attacker.
• Social engineers use deceit and trickery to get users
to do what they want, and they succeed without using
extensive technical skills.
• Social engineering can take many forms, including
the following approaches:
• In person or via
• A phone call or use of any device
• Phishing with email
Social Engineering Attacks
Social Engineering in Person
• Attackers can impersonate others to get information or access that they wouldn't normally
have.
• For example, an attacker can impersonate a repairman and show up at an
organization's doorsteps to "fix" a problem. The attacker may have actually
caused the problem by disconnecting a phone line. He may be welcomed and
led straight to a locked wiring closet, which workers happily unlock to give him
access.

• Then the attacker can connect a wireless access point to capture all the traffic
going through network devices in the wiring closet. He can then sit in a
parking lot next door with a wireless sniffer and capture data sent through the
network.
Social Engineering Attacks
Social Engineering with a Phone Call
• An attacker can call the help desk, identify herself as an executive in the
company by name, and then say that she's forgotten her password.
• Important procedures to consider:
• Verifying Identity Prior to Resetting Passwords
• A verification process can be used, requiring some type of identity proofing before
the password is reset. For example, users may be required to provide specific
information that isn't publicly available.

• Limiting Password-Reset Rights
• The passwords that help-desk personnel can reset should be limited. At the very
least, only high-level IT administrators should be able to reset accounts for high-
level executives.
Social Engineering Attacks
Phishing (pronounced fishing)
• It is the practice of sending out an email and trying to trick
users into giving up their information such as usernames and
passwords.
• Common characteristics:
• It looks like an e-mail that originates from your bank or another
company that you use.
• It indicates that there is some type of problem with your account and
requests you to resend your information for validation.
• It includes a sense of urgency, indicating that if you don't validate
your information, you'll lose access to a system.
• It says "You have won!" and you need to provide your personal and
banking information to get the prize.
• It promises you a commission if you provide your banking information
to help someone to transfer their money to an overseas account.

https://www.youtube.com/watch?v=LrFarFrzbD4&list=PL5OdmBrO1Lpl8He9T19jKsWLUKiFIIkYc&index=51
Social Engineering Attacks
Phishing email with masked URL
• A masked web address is a web link that looks like one address
in plain text, but hovering over it shows that the actual link goes
somewhere else on the Internet.
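A mail filter can perform the "hover" check automatically. The following is an added example, not part of the original slides: it parses an HTML message body and reports links whose visible text shows one host while the href points to another. The sample HTML and its hostnames are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that itself looks like a web address, e.g. "www.example.org/login".
URLISH = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[:/?#].*)?$", re.I)


def strip_www(host):
    return host[4:] if host.startswith("www.") else host


def same_site(shown, actual):
    """True when the real host is the displayed host or one of its subdomains."""
    shown, actual = strip_www(shown), strip_www(actual)
    return actual == shown or actual.endswith("." + shown)


class LinkCollector(HTMLParser):
    """Collects (visible text, href) for every <a href=...> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def masked_links(html):
    """Return one finding per link whose displayed address hides a different host."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for text, href in collector.links:
        match = URLISH.match(text)
        if not match:
            continue  # text such as "Contact us" displays no address to compare
        shown = match.group(1).lower()
        actual = (urlsplit(href).hostname or "").lower()
        if actual and not same_site(shown, actual):
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


# Constructed sample body: the first link is masked, the other two are not.
SAMPLE_HTML = (
    "<p>Your mailbox has exceeded its quota.</p>"
    '<p>Validate: <a href="http://mail.example.net.login-check.test/v">'
    "https://mail.example.net/validate</a></p>"
    '<p><a href="https://www.example.org/help">www.example.org</a> | '
    '<a href="https://example.org/contact">Contact us</a></p>'
)

if __name__ == "__main__":
    for finding in masked_links(SAMPLE_HTML):
        print("displayed", finding["shown"], "but goes to", finding["actual"])
```

Links whose text is not an address ("Click here") cannot be compared this way and still need the manual hover check.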
Social Engineering Attacks: Spoofing e-mail
addresses
• Email spoofing changes the email message so that the To address
makes it appear as if the email is coming from someone other than
the actual sender.
• A phishing email may appear to come from your ISP and asks you to
validate your email account. It could look something like this:
An e-mail from YAHOO.com.hk
Your mailbox has exceeded the quota set by your administrator. This
quota can be increased, but to ensure that your account has not
been taken over by spammers, you will need to validate your
account.
To validate your account, reply to this email with the following
information:
Email address:
Password:
Date of birth:
If you fail to validate your account, your account will be
deactivated permanently.
Thank you for your prompt attention in this matter.
Social Engineering Attacks: Spoofing e-mail
addresses
• If you click Reply on a spoofed email address, you'll see that the Reply
To address is different.
• However, attackers sometimes use typo-squatting techniques to make
the address look similar, but not quite the same.
• microsft.com (without the second o)
• mircosoft.com (with the r and c transposed)
• validate-microsoft.com
• Spear phishing is another variant of phishing. The sender's address is
forged so that it appears to come from someone within the
employee's organization.
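The two checks described on this slide, a Reply-To address that differs from the sender and a look-alike domain, can be automated. The following is an added example, not part of the original slides: it compares the From and Reply-To domains and classifies a domain against a trusted list using an edit distance that counts transposed letters as one change. The trusted list, the distance threshold of 2 and the sample message are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organisations your users really deal with.
TRUSTED = ("microsoft.com",)


def osa_distance(a, b):
    """Edit distance where insert, delete, substitute and adjacent swap each cost 1."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def classify_domain(domain, trusted=TRUSTED):
    """Return 'trusted', 'lookalike' or 'unknown' for a mail domain."""
    domain = domain.lower().rstrip(".")
    for good in trusted:
        if domain == good or domain.endswith("." + good):
            return "trusted"
    for good in trusted:
        # A letter dropped or swapped: microsft.com, mircosoft.com
        if osa_distance(domain, good) <= 2:
            return "lookalike"
        # Brand used as a whole word inside a different name: validate-microsoft.com
        brand = good.split(".")[0]
        if any(brand in label.split("-") for label in domain.split(".")):
            return "lookalike"
    return "unknown"


def audit_headers(raw_message, trusted=TRUSTED):
    """List the spoofing indicators found in a message's From and Reply-To headers."""
    msg = message_from_string(raw_message)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    findings = []
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for role, dom in (("From", from_dom), ("Reply-To", reply_dom)):
        if dom and classify_domain(dom, trusted) == "lookalike":
            findings.append(f"{role} domain {dom} imitates a trusted domain")
    return findings


# Constructed sample message (headers only matter here).
SAMPLE_MESSAGE = (
    'From: "Account Team" <support@microsoft.com>\n'
    "Reply-To: validate@mircosoft.com\n"
    "To: user@example.org\n"
    "Subject: Validate your account\n"
    "\n"
    "Reply to this email with your password.\n"
)

if __name__ == "__main__":
    for name in ("microsft.com", "mircosoft.com", "validate-microsoft.com"):
        print(name, "->", classify_domain(name))
    for finding in audit_headers(SAMPLE_MESSAGE):
        print(finding)
```

A fixed threshold produces false positives on very short domain names, so a production filter would scale it with the length of the trusted name.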
Thwarting Social Engineering Attacks
• Never Send a Password to a Company Through Email
• Legitimate companies will never request your credentials through email.

• Don't Click Links in an Email
• Open the web browser and manually type in a URL directly
• If you're very concerned about a message you received, call the company to
verify its legitimacy.
Thwarting Social Engineering Attacks
• Never Send Sensitive Personal
Information via Email
• Credit-card data, Banking information, ID
number, Birth date, …
• If an organization really needs this data, it
will provide a web page (using HTTPS for
security) where you can enter it.
• To read more about phishing and current
Internet scams, check out the Anti-Phishing
Working Group (APWG).
Social Engineering Attacks: Pharming
(pronounced farming)
• Pharming redirects victims to unwanted websites even if the user
types the correct URL into their web browser. It hijacks name-
resolution methods in order to redirect users to these unrequested
websites.
• E.g. the hosts file, stored in c:\windows\system32\drivers\etc (on most Windows computers)
• The order of processing for name resolution is as follows:
1. If a name mapping exists in the hosts file, it's automatically placed in the
host cache and is always used first.
2. Checks the DNS cache
• This can be viewed using the command ipconfig /displaydns
3. Send a query to a DNS server
Social Engineering Attacks: Pharming Attacks
Methods
• Hosts File
• Malware sometimes modifies the hosts file to map a website to a different IP
address. For example, an attacker can modify the hosts file to map the
Windows Update site to a different IP address. The machine can no longer
reach the Windows Update site.
• DNS Server – Domain Name System Server
• In the past, attackers have used social-engineering techniques to convince
DNS administrators to modify DNS records for valid websites to IP addresses
of the attacker's website.
• DNS Cache Poisoning
• In a DNS cache poisoning attack, cached data on the DNS server is modified,
or poisoned, resulting in users being redirected to different sites.
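The hosts-file tampering described above can be caught by auditing the file for overrides. This is an added example, not part of the original slides; the sample hosts content, the watched-domain list and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file (addresses are documentation/private ranges).
SAMPLE_HOSTS = """\
# sample hosts file, constructed for this example
127.0.0.1       localhost
::1             localhost
203.0.113.45    windowsupdate.microsoft.com
0.0.0.0         update.microsoft.com
0.0.0.0         ads.example.net
192.168.1.10    fileserver.corp.example   # intranet entry added by an admin
not-an-ip       broken.example
"""

# Assumption: domains this organisation never expects to see overridden locally.
WATCHED_SUFFIXES = ("microsoft.com", "windowsupdate.com")


def parse_hosts(text):
    """Yield (line_no, address_text, [hostnames]) for each mapping line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) >= 2:
            yield line_no, fields[0], [name.lower() for name in fields[1:]]


def is_watched(name, suffixes=WATCHED_SUFFIXES):
    """True if name is a watched domain or one of its subdomains."""
    return any(name == s or name.endswith("." + s) for s in suffixes)


def audit_hosts(text):
    """Return findings as (line_no, category, address_text, hostnames).

    redirect  - watched name mapped to a real address (hosts file wins over DNS)
    blocked   - watched name mapped to loopback/0.0.0.0 (site becomes unreachable)
    review    - any other non-local override; may be legitimate, needs an owner
    malformed - first field is not an IP address
    """
    findings = []
    for line_no, address_text, names in parse_hosts(text):
        try:
            address = ipaddress.ip_address(address_text)
        except ValueError:
            findings.append((line_no, "malformed", address_text, names))
            continue
        watched = [n for n in names if is_watched(n)]
        local = address.is_loopback or address.is_unspecified
        if local and watched:
            findings.append((line_no, "blocked", address_text, watched))
        elif not local and watched:
            findings.append((line_no, "redirect", address_text, watched))
        elif not local:
            findings.append((line_no, "review", address_text, names))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On a real system the text would be read from the hosts file in the directory named above instead of the embedded sample.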
Social Engineering Attacks: Protecting E-mail
• Antivirus Software
• This is a primary protection. Some AV software can
strip off or quarantine malicious attachments. Other
AV software uses real- time protection to detect
malware as soon as a user tries to open it. In
addition to installing AV software on the client
systems, organizations install AV software on the
email server to filter out malicious email.
• Antispam Techniques
• Spam is a major source of malware, so by filtering
out spam, the computer has an added layer of
protection. Most email programs have some type of
spam or junk filter. For example, Outlook includes a
Junk E-mail filter. Email identified by the filter as
spam is moved to a Junk E-mail folder in the user's
mailbox.
Social Engineering Attacks: Protecting E-mail

• Users can move legitimate email from the Junk E-mail folder into the
Inbox.

Links to graphics are blocked, HTML links are blocked, attachments are
blocked, and the Reply and Reply All functionality is disabled.
Social Engineering Attacks: Protecting E-mail
• Disable Automatic Display of Pictures
• This blocks images used as web beacons.
• An image used as a web beacon isn't sent in the email but is instead retrieved
from a web server using a link within the email. Embedded in the link is a
code that identifies the recipient's email address.
• When the server receives a request for the image, the web beacon identifies
the recipient's email address as a valid email address. Attackers sell valid
email addresses to other spammers, so the result of displaying images
automatically is more spam for the recipient.
• User Education
• The best protection from phishing attacks is educated users. When users
understand the scams, they're better able to detect them.

https://www.youtube.com/watch?v=n8mbzU0X2nQ&t=93s
Social Engineering Attacks: Protecting E-mail
• Understanding the threat
• 89 percent of all email is spam
• Approximately 5 million active botnets
• Over 339,600 strains of malware were detected in email
• Approximately 95.1 billion phishing emails in 2010
• Tracked phishing attacks impersonated more than 1,500 different
organizations

https://purplesec.us/resources/cyber-security-statistics/#:~:text=98%25%20of%20cyber%20attacks%20rely,as%20being%20at%20high%20risk
Summary
• Malware
  • Virus
  • Worm
  • Trojan Horses
  • Buffer overflow
  • Spyware
• Social Engineering
  • In Person
  • Phone Calls
  • Phishing
  • Masked URL
  • E-mail Spoofing
  • Pharming
    • Host File
    • DNS Server
    • DNS Cache Poisoning
Reading:
• Microsoft Windows Security: Essentials by Darril Gibson, Sybex, 2011 (Available via Books24x7.com)
  • Chapter 2 (Second half)
  • Chapter 10 (First half)
Movies
• The Imitation Game – About Sir Alan Turing's life and his work on
breaking the Enigma machine (father of computers and information
security)
• More movies – Check it out
• https://cybersecurityventures.com/movies-about-cybersecurity-and-
hacking/
Computer Security
SEHS4515
Lesson Three
Enforcing Confidentiality with Symmetric
Encryption
Enforcing Confidentiality with Asymmetric Encryption
Enforcing Confidentiality with
Symmetric Encryption
Topic
• Confidentiality with encryption
• Ancient ciphers
• Scytale
• Caesar cipher
• Ciphering the data – Safety concern
• Modern ciphers
• Symmetric ciphers
• Common symmetric ciphers
• Problems with symmetric ciphers
• Asymmetric ciphers
• Asymmetric encryption and decryption
• RSA encryption and decryption example
• Asymmetric Encryption:
Session Key – Symmetric Encryption + Asymmetric Encryption
• Asymmetric Encryption: Securing Email
Confidentiality & Encryption
• Confidentiality ensures that unauthorized individuals are not able to
access the data. One of the methods used to prevent the loss of
confidentiality is encryption & decryption = cryptography.
• Importance of cryptography: https://www.youtube.com/watch?v=aOdxWtqibCI

https://www.youtube.com/watch?v=xT4_IRO-iRA
https://www.youtube.com/watch?v=Kf9KjCKmDcU
• Encryption scrambles data so that unauthorized users are unable to
read it.
• Most encryption includes an algorithm and a key.
• The algorithm provides a mathematical formula that identifies how data is to be
encrypted.
• The key is a number that provides randomization for the encryption.
• Most encryption algorithms are in one of two categories: symmetric
and asymmetric. Hash functions provide one-way encryptions of data.
• Each method is discussed in the following sections.
Ancient Encryption: Simple Ciphers
• Scytale cipher
• One of the ancient ciphers – Used by Spartans!
• Method: Keywords are broken into letters, written on
a strip of paper (in those days on leather) by
wrapping it around a tree branch
• Example

Video: Let's check out how it works - https://www.youtube.com/watch?v=IgHqbzjn_pQ &
https://www.youtube.com/watch?v=_vIb6Y45ERQ
Let's tinker with the scytale cipher: https://www.dcode.fr/scytale-cipher or try https://dencode.com/en/cipher/scytale
Ancient Encryption: Simple Ciphers
• Caesar cipher: It is a code that encrypts a letter by
shifting/moving it some units (e.g., 3) to the right/left
(e.g., right) with respect to alphabetic order.
• For letters A to W, this encryption can be described by
the following rule
Ciphertext = Plaintext + 3
• What about letters X, Y & Z?
• They are encrypted as A, B & C
• Caesar cipher encryption can be described completely by
using modular arithmetic as:
Ciphertext = Plaintext + 3 (mod 26)
Ancient Encryption: Simple Ciphers
• Caesar cipher: It can be decrypted by shifting/moving
it some units (e.g., 3) to the right/left (e.g., left) with
respect to alphabetic order.
• For letters D to Z, this decryption can be described by
the following rule
Plaintext = Ciphertext − 3
• The letters A, B & C are decrypted by wrapping back
around to X, Y & Z
• Caesar cipher decryption can be described completely by
using modular arithmetic as:
Plaintext = Ciphertext − 3 (mod 26)
Video: https://www.youtube.com/watch?v=sMOZf4GN3oc
Simulator: http://brianveitch.com/maze-runner/caesar/index.html or https://www.dcode.fr/caesar-cipher
Ancient Encryption: Cracking Caesar
Cipher
• To crack Caesar Cipher, frequency analysis needs to be done. The
Caesar Cipher disguises letters, but does not disguise the natural
frequency of letters.
• Given a Caesar Cipher, the most frequent symbol used in the cipher
text will most often correspond to “E” in the plaintext

Video: https://www.youtube.com/watch?v=nikWSEjFCWg
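The modular shift rules and the frequency-analysis idea above, worked through as an added example (not from the original slides). The sample sentence and the function names are constructed; the candidate list goes slightly beyond the slide by also trying T, A, O, I and N when the most frequent symbol is not E.

```python
from collections import Counter
import string

COMMON_LETTERS = "ETAOIN"   # most frequent English letters, most common first


def caesar_shift(text, shift):
    """Shift ASCII letters by `shift` positions mod 26; leave other symbols alone."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def caesar_encrypt(plaintext, shift=3):
    # Ciphertext = Plaintext + shift (mod 26)
    return caesar_shift(plaintext, shift)


def caesar_decrypt(ciphertext, shift=3):
    # Plaintext = Ciphertext - shift (mod 26)
    return caesar_shift(ciphertext, -shift)


def crack_candidates(ciphertext):
    """Guess the shift from letter frequency alone (no key needed).

    The most frequent ciphertext letter is assumed to stand for E first,
    then for the next most common English letters. Returns a list of
    (shift, candidate_plaintext), best guess first.
    """
    letters = [c for c in ciphertext.upper() if c in string.ascii_uppercase]
    if not letters:
        raise ValueError("no letters to analyse")
    top_symbol = Counter(letters).most_common(1)[0][0]
    candidates = []
    for assumed in COMMON_LETTERS:
        shift = (ord(top_symbol) - ord(assumed)) % 26
        candidates.append((shift, caesar_decrypt(ciphertext, shift)))
    return candidates


# Constructed sample message.
PLAINTEXT = "Meet me near the green tree before eleven"
CIPHERTEXT = caesar_encrypt(PLAINTEXT, 3)

if __name__ == "__main__":
    print(CIPHERTEXT)
    print(crack_candidates(CIPHERTEXT)[0])
```

The cipher hides which letter is which but not how often each one occurs, which is why the first guess already recovers the key on ordinary English text.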
Is Encrypted Data Safe from
Attackers?
• Given enough time and resources, attackers can decrypt data even if
they don't know the correct key.
• One of the goals of encryption is to make this sufficiently difficult that
it isn't worthwhile to the attacker.
• You can ensure that it costs more money than the data is worth, or
ensure that it simply takes too long.
• Think of data encrypted on the Internet, such as your credit-card
number. If an attacker devoted millions of dollars to discover the key
and get your credit information, they still wouldn't be able to discover
the key in their lifetime. And by the time that single key was
discovered, the credit card would most likely no longer be valid.
Cryptography terms
• Cryptography: Cryptography is a method of using advanced mathematical
principles for storing and transmitting data in a particular form so that only
those for whom it is intended can read and process it.
• Encryption is a key concept in cryptography: a process whereby a message is
encoded in a format that cannot be read or understood by an eavesdropper.
• Encryption: Encryption is the process of encoding (or locking) a message or
information by using cryptographic techniques in such a way that only authorized
parties can access the information.
• Converts information from plaintext into encrypted ciphertext
• Decryption: Decryption is the process of decoding (or unlocking) an encrypted
message or information using cryptographic techniques.
• Converts encrypted ciphertext back into plaintext to recover the
message/information
Codes & Cipher
Codes
• A system that substitutes one word or a phrase for another
• Codes are intended to provide secrecy and/or efficiency
Cipher
• A system that uses a mathematical algorithm to encrypt and decrypt messages
• Ciphers encode the message and decode back to get the message
Cryptography terms
• How exactly?
• By using an algorithm, a mathematical procedure that uses ciphers or
codes to encrypt and decrypt the message or information.
Today's cryptographic algorithms use keys.
• Key: A secret, like a password, used to encrypt and decrypt
information.
• There are two categories of encryption algorithms: symmetric
algorithms, in which encryption and decryption operations use the
same key, and asymmetric algorithms, in which encryption and
decryption operations use different keys.
Types of ciphers
• Stream ciphers: Operate on one character or a bit of a message at a time
• A stream cipher converts one symbol of plaintext directly into a symbol of ciphertext
• Block ciphers: Operate on large segments of the message at the same time
• A block cipher encrypts a group of plaintext symbols as one block
• Substitution ciphers: Change characters in a message
• Transposition ciphers: Rearrange the characters in a message


Concept of encryption & decryption

Symmetric Asymmetric
Symmetric Encryption
• It uses the same single key to encrypt and decrypt data. Both parties must
know what the symmetric key is, and this key must be kept secret from
other parties.
• The key provides a randomization factor for the ciphered text. When a different key
is used, the ciphered text is completely different.

Note: When a
strong encryption
algorithm is used,
an attacker can't
decrypt the data
without the key
within a reasonable
amount of time.
Symmetric Encryption
• The strength of encryption depends on the key length.
• If you use a key of 16 bits, there are only 65,536 (i.e. 2^16 = 65,536)
possible keys that can be used. With 256 bits used for the keys, there
are over 1e+77 possibilities (1 followed by 77 zeroes!).
• End users don't often choose the encryption algorithm. Instead,
the encryption algorithm is selected by either the software or an
administrator.
Common Symmetric Encryption
Algorithms
• Data Encryption Standard (DES)
• An older encryption protocol, DES has been cracked and isn't recommended for
use. However, some legacy applications still use it.
• 3DES (Triple DES)
• Triple DES was introduced to improve DES. However, it's processor-intensive,
resulting in slow encryption and decryption times.
• International Data Encryption Algorithm (IDEA)
• IDEA was very popular for a period of time. But it's used less today, because newer
standards (such as AES) are more efficient.
• Blowfish and Twofish
• These are two other strong encryption algorithms that are being used less in favor
of the more efficient AES.
Symmetric Encryption: DES
• In the actual DES, the input is broken into
blocks of 64-bit
• There are 16 rounds of encryption, and a 56-
bit key is used from which sixteen 48-bit
sub-keys are calculated.
Symmetric Encryption:
Advanced Encryption Standard (AES)
• It is a very strong, efficient encryption algorithm and uses less computer
resources than other algorithms. It was selected by the National Institute of
Standards and Technology (NIST). It has been adopted by multiple public
sector organizations.
• Applications of AES
• Kerberos (the primary network-authentication protocol used in Microsoft's Active
Directory)
• WPA2 (a wireless encryption protocol)
• BitLocker and BitLocker To Go
• AES can use 128-bit, 192-bit, or 256-bit keys (the latter known as AES-256).
Symmetric Encryption:
How Strong is AES?
• Some early algorithms used 40 bits and could sometimes be cracked within a
week.
• If a cipher text which is created by AES using a 128-bit key, it's estimated that it
would take more than two million, million, million (2,000,000,000,000,000,000)
years to crack this key and then read the data. If an attacker invested millions in
multiple supercomputers and networked them together to crack a key, the time
might be reduced.

☞ But if the data is important, you can


increase the key size. AES can also use
192 bits or 256 bits. If you use AES with
256 bits, it's estimated that it would take
more than 10^51 years to crack the key.
(That's 10 with 51 zeros behind it.).
The sender and receiver must share the same secret key.
Key distribution is a must.
Disadvantage of Symmetric
Encryption
• Larger groups require more
symmetric keys
• If 1000 people want to communicate
(two and two, in all possible ways),
each must keep 999 secret keys,
and the system requires a total of
(999 x 1000) / 2 = 499500 secret
keys. This makes key management
difficult.
• No. of keys required can be
expressed as: n(n − 1)/2

https://www.hypr.com/symmetric-key-cryptography/
OpenPGP
• OpenPGP is a non-proprietary protocol for encrypting email
communication using public key cryptography. It is based on the original
PGP (Pretty Good Privacy) software. The OpenPGP protocol defines
standard formats for encrypted messages, signatures, and certificates for
exchanging public keys.
• Beginning in 1997, the OpenPGP Working Group was formed in the
Internet Engineering Task Force (IETF) to define this standard that had
formerly been a proprietary product since 1991.
• As an IETF Proposed Standard RFC 4880, OpenPGP can be implemented
by any company without paying any licensing fees to anyone.
• The software GPG4Win can be downloaded free-of-charge from
www.gpg4win.de.
Enforcing Confidentiality with
Asymmetric Encryption
Asymmetric Encryption
• Asymmetric encryption uses two matched keys
• Also known as public-key encryption.
• It uses two matched keys, a public key and a private key.
• When public key encrypts data, only the private key can decrypt it.
• When private key encrypts data, only the public key can decrypt it.

☞ Asymmetric encryption
uses matched key pairs of a
public key and a private key.
These two keys work only
with each other.
Example of Asymmetric Encryption:
Can such keys exist in reality?
Asymmetric Encryption:
Common Algorithms
• Two common asymmetric encryption algorithms
• RSA
• Named after Rivest, Shamir, and Adleman, the three individuals who
first described it
• Diffie-Hellman
• Named after Diffie and Hellman
• Modern encryption is heavily based on mathematical theory.
• We will cover the basic mathematics that is used in the RSA asymmetric
encryption algorithm.

https://www.youtube.com/watch?v=AQDCe585Lnc
Random Number
• It is crucial to security that keys are generated with a truly random or
at least a pseudo-random generation process
• Otherwise, an attacker might reproduce the key generation process
and easily find the key used to secure a specific communication
Pseudo-random Number Generations
• A pseudo-random bit generator is an algorithm which, given a truly random
binary sequence of length k ("seed"), outputs a binary sequence of length
m >> k which "appears to be random".
• The seed for pseudo-random number generators may be based upon
processes such as:
• The system clock
• Elapsed time between keystrokes or mouse movement
• Content of input/output buffers
• User input, and
• Operating system values such as system load and network statistics
Primes
• All integer numbers (except 0 and 1) are made up of primes.
• Prime numbers are integers whose only divisors are 1 and themselves. In other
words, they cannot be written as a product of other numbers.
• Facts about primes:
• 1 is prime, but is generally not of interest
• 2, 3, 5, 7 are prime
• 4, 6, 8, 9, 10 are not prime
• List of prime number less than 200 is: 2, 3, 5, 7, 11, 13, 17, 19, 23, 29,
31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107,
109, 113, 127, 131, 137, 139, 149, 151, 157, 163, 167, 173, 179, 181,
191, 193, 197, 199
The Greatest Common Divisor (GCD)
• A common divisor of two integers a and b is a positive divisor of
both a and b.
• The Greatest Common Divisor (GCD) refers to the greatest of
all the common divisors of a and b, denoted by gcd(a,b)
Example: To find gcd(60, 24)
• Divisors of 60: 1, 2, 3, 4, 5, 6, 10, 12, 15, 20, 30, 60
• Divisors of 24: 1, 2, 3, 4, 6, 8, 12, 24
• 60 and 24 have the common divisors 1, 2, 3, 4, 6, 12
• gcd(60, 24) = 12
Modular Arithmetic
• a mod n means the remainder when a is divided by n
• That is a = q x n + r where q is the quotient and r is the remainder
Note: n is called modulus
• Examples:
• 73 mod 7 = 3
• -11 mod 7 = 3
• The clock has a modulus of 12!
Asymmetric Encryption:
RSA Encryption
• Choose two distinct prime numbers p and q. (The integers p
and q should be chosen at random, similar in size, and large.)
• Compute n = p x q
• The size of n, when expressed in bits, is the key length.
• Compute f = (p-1)(q-1). Find an integer e such that
• 1 ≤ e < f, and
• gcd(e, f) = 1
• Find d such that
• d x e mod f = 1
• Public key: n, e - This is to be released to everyone
• Private key: d - This must be kept private.
Asymmetric Encryption:
RSA Encryption and Decryption
• Encryption:
• When someone wants to send you a message, they
• Break the message into blocks of length k, where k = log2(n)
• Convert each message block into a number in a simple agreed upon way such as a =
1, b = 2, c = 3, …
• Compute the ciphertext c = m^e (mod n)
• Send ciphertext c
• Decryption:
• To decrypt their message you:
• Compute m = c^d (mod n)
• Convert their message back into letters and words
• Assemble the blocks back to a single message
Asymmetric Encryption:
RSA Example
• Generate key pair
• Choose p = 3,q = 11
• Compute n = p x q = 3(11) = 33
• Compute f = (11 – 1) x ( 3 – 1 ) = 20
• Now, select e = 7
• Compute d such that d x 7 mod 20 = 1
• d = 3 ( since 3 × 7 mod 20 = 1 )
• Make n = 33 and e = 7 public.
Asymmetric Encryption:
RSA Example
• Encryption:
• For simplicity, let’s say the message is m. And m = 2.
• Compute c where c = m^e (mod n).
• 2^7 = 128, so c = 128 (mod 33) = 29
• because 128 = 29 + 3 x 33
• Your friend will send you the ciphertext c = 29
• Decryption:
• You just received c = 29 from your friend
• Use your private key, d = 3, to compute their message m
• m = c^d = 29^3 = 24389 = 2 (mod 33)
• because 29^3 = 24389 = 2 + 739 x 33
• So your friend sent you the message m = 2
Asymmetric Encryption:
RSA Key Lengths
• In practice, the keys used in asymmetric encryptions are
much longer than our examples.
• For example, in RSA-768, a 768-bit RSA modulus has a 232-
digit decimal representation
• 1230186684530117755130494958384962720772853569595334792197322452151
726400507263657518745202199786469389956474942774063845925192557326
3034537315482685079170261221429134616704292143116022212404792747377
94080665351419597459856902143413.

• Ref: http://eprint.iacr.org/2010/006.pdf
Asymmetric Encryption:
The RSA Challenge (Discontinued)
• It was a challenge put forward by RSA Laboratories on March 18, 1991 to
demonstrate the practical difficulty of factoring large integers and cracking
RSA keys.
• They published a list of the RSA numbers, with a cash prize for the
successful factorization of some of them. The smallest of them, a 100
decimal digit number was factored by April 1, 1991.
• The RSA challenges ended in 2007.
Asymmetric Encryption:
Speed Matters
• Asymmetric encryption is about 1,000 times slower than symmetric
encryption.
• For example, it may take only one second to encrypt a file using
symmetric encryption, such as AES. How much time will it take to
encrypt the same file using asymmetric encryption such as RSA?

☞ So it is typically only
used to privately share a
session key.
Then the session key is used in
symmetric encryption to
encrypt data.
Asymmetric Encryption:
Session Key – Symmetric Encryption + Asymmetric
Encryption
Asymmetric Encryption:
Encrypt a session key with asymmetric encryption
• Imagine that Maria's computer is trying to establish a secure session with the
server. The server has a private key matched with a public key shared with
Maria's computer.
• Maria's system creates the session key and then encrypts it with the server's
public key. The encrypted session key is then sent to the server that holds the
matching private key.
• If anyone intercepts the encrypted session key, it is not useful to them because it
can only be decrypted with the matching private key, which is kept private.

☞ The session key will actually be much


longer, but it's shortened to 1A2B here for
brevity. Similarly, the public and private
keys are much longer.
Asymmetric Encryption:
Encrypt a session key with asymmetric encryption
Asymmetric Encryption:
Encrypt data using the session key with symmetric
encryption
• When the server receives the encrypted session key, it uses
the private key in the matched key pair to decrypt the session
key. At this point, both parties know what the session key is, but
no one else knows what it is. The data that is to be transferred
between the two machines, can then be encrypted and
decrypted with the session key using symmetric encryption.
• See next slide.
Asymmetric Encryption
Decrypting a session key with asymmetric
encryption
Asymmetric Encryption:
Using certificates to share public keys
• Certificates are digital files that include several pieces of key data
used with public key encryption. Certificates are used for a wide
variety of purposes including sharing a public key.
• Next slide shows a certificate with the public key selected.
• You can access it from the Personal certificate store on a Windows
system. Notice that the public key is 4,096 bits long and the
algorithm is RSA.
Asymmetric Encryption:
Using certificates to share public keys

Click Personal to
see public keys in
the personal store

Click "Advanced"
to see the details
of the certificate
Asymmetric Encryption:
Securing Email
• Secure/Multipurpose Internet Mail Extensions (S/MIME)
• It is the underlying standard used for most email security.
• It uses public and private keys to encrypt and digitally sign email.
• The sender must have a certificate with a public key embedded that
matches a private key that only the sender can access.
• Within an Active Directory domain, administrators often create a
certification authority (CA) to issue and manage certificates.
• Additionally, public CAs issue and manage certificates that are
commonly used on the Internet and elsewhere.
Asymmetric Encryption:
Securing Email
1) The sender generates a session key for symmetric encryption.
2) The sender encrypts the email using the session key and
symmetric encryption.
3) The sender retrieves the recipient's certificate, which contains the
recipient's public key.
4) The sender encrypts the session key with the recipient's public key.
5) The sender sends both the encrypted email and the encrypted
session key.
6) The recipient receives the encrypted email and the encrypted session
key.
7) The recipient decrypts the session key using the recipient's private key.
8) The recipient uses the decrypted session key to decrypt the contents
of the email.
Asymmetric Encryption:
Securing Email

Encrypting
email
Asymmetric Encryption:
Securing Email

Decrypting
email
Asymmetric Encryption:
Securing Email
• Encrypting email with Microsoft Outlook
Key lifecycle Management
Summary
• Encryption
  • Ancient Ciphers
  • Caesar Cipher
  • Algorithm + Key
• Symmetric Encryption
  • DES (obsolete)
  • AES (US government + Windows)
• Encryption Software
  • OpenPGP
  • GPG4Win
• Strength of AES
• Disadvantage of Symmetric Encryption
  • Key Distribution
• Asymmetric Encryption
  • Matched Key Pair
  • Private Key
  • Public Key
  • Example: RSA
    • Encryption: c = m^e (mod n)
    • Decryption: m = c^d (mod n)
• Disadvantage of Asymmetric Encryption
  • Slow
• Session Key
  • Encrypted with asymmetric encryption
  • Encrypts the main message
Reading
• Microsoft Windows Security: Essentials by Darril Gibson, Sybex, 2011 (Available via
Books24x7.com)
• Chapter 2 (Second half)
• Chapter 10
Computer Security
SEHS4515
Lesson Four

Understanding Hashing, Applications of Hashing and EFS


Understanding Certificates and PKI
Topics to be covered in today’s lecture
• Understanding Hashing,
• Applications of Hashing
• Encrypting File System
• Understanding Certificates and
• Public Key Infrastructure
Understanding Hashing
How are your secrets/passwords saved?

• Plain Text
• Encryption
• Hash

How are your secrets/passwords saved?

User     Password
Bob      123abc
ALICE    Ilove---myself
EVE      iKnowyourSecr8s

[Figure: database server holding the password table; encryption key and decryption; information is hacked]
Hashing
• A hash or hashing is a technique (using a hashing algorithm) that takes
an input such as a secret/password or a plaintext and converts it
into a string of text/numbers that always has the same length.
• The result is called a hash or a digest
Understanding Hashing:
Hashing Algorithms
• A hashing algorithm is a mathematical calculation that can be applied
to a file or a message to create a number, called the hash or digest.

Note: As long as the input data


stays the same, a hashing
algorithm will always produce
the same hash (or the same
number). If the data changes,
the hashing algorithm will
produce a different hash
indicating the data has changed.
Understanding Hashing:
Example of a Hash: Passwords and HK ID
• Use of password to login

User                    Password   Hash Function
Bob first time login    123abc     Computes → Computed Hash1
Bob logins              123abc     Computes → Hash1 (Matches)

Bob is happy that he logged in

Note: The hash is used by the
HK SAR Government in HK IDs,
& by many others
Understanding Hashing:
Hashing Algorithms – MD5, SHA-1
• A good hashing algorithm should result in hashes of the same length.
• The Message Digest 5 (MD5) creates 128 bit hashes.
• Secure Hashing Algorithm (SHA-1) creates 160 bit hashes.
• Secure Hashing Algorithm – 256 (SHA-256) creates 256 bit hashes and much
more.
Understanding Hashing:
Hashing Algorithms – MD5, SHA-1
• They are available online on some web sites.
• For example, the web site OnlineMD5 at:
http://www.miraclesalad.com/webtools/md5.php or
http://onlinemd5.com
• Hashing is also available in the freeware called GPG4Win.
• Demo: Calculate the hash for
• You must be the change you wish to see in the world
• Note7
• 1
Understanding Hashing:
Properties of Hashes
• As long as the content of the data is not modified, the hash will
always be the same. It doesn't matter how many times the algorithm
is executed against the data.
• Difference between hashing & encryption.
• A hash function doesn't use a key. Instead, the calculation is always the same
and never randomized with a key.
• Also, a hash function is one-way. You can use a hash function to create a hash,
but you can't re-create the original data from the hash.
• A hash created by the same hashing algorithm is always of the same length. In
encryption, the length of a cipher text depends on the clear text.
Application of Hashing:
Ensuring Integrity
• Hash is often used to verify the integrity of data or
verify that some data hasn’t been changed.
• Examples:
• Contracts and Treaties
• Important contracts and treaties have hashes generated to
ensure it hasn’t been changed since they are signed.
• Software Downloads
• Verify the software that you download or obtain on a USB
drive or CD is in fact the same as the one released by the
vendor.
• Email signing
• Asymmetric encryption and hashing can be used to ensure
that an email that a person receives hasn’t been modified
since it was sent
Application of Hashing
Ensuring Integrity: Software Download

You can calculate the hash of


the downloaded file and
check against this hash
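The hash properties listed earlier (fixed length, same input gives the same hash, any change gives a different hash) and the download check described above, as an added example that is not part of the original slides. The installer bytes, the published hash and the function names are constructed; the three short inputs are the demo strings from the earlier slide.

```python
import hashlib
import hmac
import io

DEMO_INPUTS = (
    b"You must be the change you wish to see in the world",
    b"Note7",
    b"1",
)


def digest_info(data):
    """Return {algorithm: (hex digest, length in bits)} for MD5, SHA-1 and SHA-256."""
    result = {}
    for name in ("md5", "sha1", "sha256"):
        digest = hashlib.new(name, data).digest()
        result[name] = (digest.hex(), len(digest) * 8)
    return result


def sha256_of_stream(stream, chunk_size=64 * 1024):
    """Hash a file-like object in chunks so large downloads need little memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_download(stream, published_hex):
    """True only if the stream's SHA-256 equals the hash the vendor published."""
    actual = sha256_of_stream(stream)
    expected = published_hex.strip().lower()   # tolerate case and whitespace
    return hmac.compare_digest(actual, expected)


# Constructed stand-ins for a vendor's installer and the hash on its web page.
INSTALLER = b"MZ" + b"constructed installer bytes " * 5000
PUBLISHED_SHA256 = hashlib.sha256(INSTALLER).hexdigest()
# The same file with a single byte changed in transit or on a mirror.
TAMPERED = INSTALLER[:100] + b"X" + INSTALLER[101:]

if __name__ == "__main__":
    for text in DEMO_INPUTS:
        bits = {name: info[1] for name, info in digest_info(text).items()}
        print(len(text), "input bytes ->", bits)
    print("original ok:", verify_download(io.BytesIO(INSTALLER), PUBLISHED_SHA256))
    print("tampered ok:", verify_download(io.BytesIO(TAMPERED), PUBLISHED_SHA256))
```

The check is only as trustworthy as the channel the published hash came from, so take the hash from the vendor's HTTPS page rather than from the same place as the download.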
Application of Hashing
Ensuring Integrity: Signing Email
Note: In signing, the sender encrypts the hash with the sender's private key. The receiver decrypts the hash with
the sender's public key.

• The next slide shows the signing process.


1. The sender creates the email.
2. The email content is hashed.
3. The hash of the email is encrypted with the sender's private key.
4. The unencrypted email and the encrypted hash (the digital signature) are
sent to the recipient.
Application of Hashing:
Signing Email
Application of Hashing
Ensuring Integrity: Verifying the digital signature
• The next slide shows the process of the recipient validating the digital
signature.
1. The recipient receives both the message and the digital signature.
2. The recipient retrieves the sender's public key from the sender's certificate
(refer to previous lecture ).
3. The recipient decrypts the received hash with the sender's public key.
4. The received message is hashed.
5. The decrypted hash is compared against the recalculated hash. If they're
both the same, it verifies that the message hasn't lost integrity. In other
words, it verifies that the message hasn't been modified.
Application of Hashing
Ensuring Integrity: Verifying the digital signature
Application of Hashing:
Integrity and Non-repudiation

Nonrepudiation is the assurance that someone cannot


deny something. In our context, nonrepudiation refers
to the ability to ensure that a party cannot deny the
sending of a message that they originated.

• If the public key can't decrypt the encrypted hash, this indicates it wasn't encrypted with the
sender's private key.
• However, if the public key can decrypt the encrypted hash, it proves that the hash was encrypted
with the sender's private key. This authenticates the sender identified in the certificate.
• Also, the sender can't later deny sending the message, because the sender's private key was used
to encrypt the hash. Thus, nonrepudiation is provided.
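The signing and verification steps and the nonrepudiation argument above, as an added example that is not part of the original slides. It uses textbook RSA on a SHA-256 hash with small constructed keys built from known Mersenne primes; the names Alice and Mallory, the e-mail text and the function names are assumptions, and real signatures add a padding scheme and far larger keys.

```python
import hashlib


def toy_keypair(p, q, e=65537):
    """Textbook RSA key from two primes: returns ((n, e), (n, d))."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))     # modular inverse (Python 3.8+)
    return (n, e), (n, d)


# Constructed toy keys; far too small for real use.
ALICE_PUBLIC, ALICE_PRIVATE = toy_keypair(2**61 - 1, 2**89 - 1)
MALLORY_PUBLIC, MALLORY_PRIVATE = toy_keypair(2**107 - 1, 2**127 - 1)

# Constructed sample e-mail body.
EMAIL = b"From: alice@example.com\r\n\r\nPlease pay invoice 42: 100 HKD."


def message_hash(message, n):
    """SHA-256 of the message as an integer, reduced so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign_email(message, private_key):
    """Sender: hash the content, then encrypt the hash with the private key."""
    n, d = private_key
    return pow(message_hash(message, n), d, n)


def verify_email(message, signature, public_key):
    """Recipient: decrypt the received hash with the sender's public key,
    re-hash the received message, and compare the two."""
    n, e = public_key
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == message_hash(message, n)


if __name__ == "__main__":
    signature = sign_email(EMAIL, ALICE_PRIVATE)
    tampered = EMAIL.replace(b"100 HKD", b"900 HKD")
    forged = sign_email(EMAIL, MALLORY_PRIVATE)
    print("genuine message:", verify_email(EMAIL, signature, ALICE_PUBLIC))
    print("modified message:", verify_email(tampered, signature, ALICE_PUBLIC))
    print("signed by someone else:", verify_email(EMAIL, forged, ALICE_PUBLIC))
```

The message itself travels unencrypted, as in step 4 of the signing process: a signature gives integrity and sender authentication, not confidentiality.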
Understanding Hashing:
Integrity and Non-repudiation
• The digital signature process
occurs with very little user
interaction. E.g. In Microsoft
Outlook, you simply select a
check box to add a digital
signature to a message.
• When the email is received, the
other user opens it, and the
digital signature is verified. If
there are any problems, the user
that received the message is
notified.
Your first participation exercise
• Can you create a message that has the same hash?
Understanding Encrypting
File System (EFS)
Application of Encryption:
Understanding EFS
• Almost all drives used in a Microsoft environment use the New
Technology File System (NTFS). NTFS manages the files on the drives,
helps maintain file integrity, and provides security.
• One of the most important benefits of NTFS is security. The EFS
(Encrypting File System) of NTFS provides confidentiality by
encrypting NTFS files and folders.
• While a file is encrypted with EFS, only specific users can access it.
Understanding EFS
• To encrypt a file/folder, right-click the file/folder, and select
Properties.

Note: You should encrypt folders instead of individual files. All files within the folder
are automatically encrypted.
Application of Encryption:
Understanding EFS
• EFS Encryption
It uses a combination of both symmetric and asymmetric encryption to encrypt
files. It creates a different symmetric secret key for each file it encrypts.

1. EFS creates a symmetric secret key to encrypt the file.
2. EFS retrieves the user’s public key.
3. EFS encrypts the symmetric secret key with the user’s public key.
4. The encrypted symmetric secret key is included in the header of the encrypted file.
Application of Encryption:
Understanding EFS
• EFS Decryption
When a user double-clicks a file to open it, EFS takes the following steps:

1. Encrypted symmetric secret key is retrieved from the file
2. User’s private key decrypts the symmetric secret key
3. EFS decrypts the file with the decrypted symmetric secret key

Note: EFS is only as secure as the user's password. If the user's password is discovered,
an attacker can log on as the user and open encrypted files.
Application of Encryption:
Understanding EFS
• End users will rarely manipulate their secret key.
• However, if the password for a local user (not a domain user) is reset, the private key
associated with the account is lost. The user won't be able to decrypt any files encrypted
with the previous password. This doesn't occur if a user changes their password.
[Figure: the Reset Password… option]
Application of Encryption:
Recovery Agent in EFS
• If the user's private key is lost or becomes corrupt, the user can no longer
decrypt the files. But EFS includes a recovery procedure to mitigate the risk
of lost data.
• The designated recovery agent (DRA) for EFS can decrypt files that are
encrypted by other users.
• By default, the Administrator account is the designated recovery agent
(DRA) for EFS. However, other accounts can be assigned the role of DRA.
• The DRA capability can be disabled if the risk of the DRA account being
used to access encrypted data is greater than the risk of losing data due to
lost keys.
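The EFS encryption and decryption steps, the lost-private-key case and the recovery agent, modelled as an added Python example that is not part of the original slides and is not EFS code. Assumptions of this example: textbook RSA over Mersenne primes stands in for the user and DRA key pairs, a SHA-256 keystream stands in for the symmetric cipher, the recovery agent is modelled as a second wrapped copy of the file key in the header, and the header layout with its `key_check` field is hypothetical.

```python
import hashlib
import secrets


def make_keypair(p, q, e=65537):
    # Textbook RSA from two primes. Toy key material, NOT secure.
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}


def keystream_xor(key, data):
    # Stand-in symmetric cipher: XOR with a SHA-256 counter keystream.
    # Applying it twice with the same key returns the original data.
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], pad))
    return bytes(out)


def efs_encrypt(plaintext, recipients):
    """recipients maps a name to a public key; returns (header, ciphertext)."""
    file_key = secrets.token_bytes(16)          # step 1: a new secret key per file
    key_int = int.from_bytes(file_key, "big")
    header = {
        "key_check": hashlib.sha256(file_key).hexdigest(),   # hypothetical field
        # Steps 2-3: the file key is encrypted with each recipient's public key.
        "wrapped": {name: pow(key_int, pub["e"], pub["n"])
                    for name, pub in recipients.items()},
    }
    return header, keystream_xor(file_key, plaintext)   # step 4: header stored with file


def efs_decrypt(header, ciphertext, name, private_key):
    if name not in header["wrapped"]:
        raise PermissionError(f"{name} has no key entry in the file header")
    key_int = pow(header["wrapped"][name], private_key["d"], private_key["n"])
    file_key = (key_int % 2**128).to_bytes(16, "big")
    if hashlib.sha256(file_key).hexdigest() != header["key_check"]:
        raise PermissionError(f"{name}'s private key does not recover the file key")
    return keystream_xor(file_key, ciphertext)


def can_open(header, ciphertext, name, private_key):
    try:
        efs_decrypt(header, ciphertext, name, private_key)
        return True
    except PermissionError:
        return False


# Constructed key pairs for the file owner, the DRA, and the owner after a reset.
ALICE_PUB, ALICE_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
DRA_PUB, DRA_PRIV = make_keypair(2**107 - 1, 2**127 - 1)
_, ALICE_PRIV_AFTER_RESET = make_keypair(2**521 - 1, 2**607 - 1)


def demo():
    secret = b"Q3 payroll figures (constructed sample data)"
    header, blob = efs_encrypt(secret, {"alice": ALICE_PUB, "dra": DRA_PUB})
    return {
        "stored_bytes_differ": blob != secret,
        "alice_reads": efs_decrypt(header, blob, "alice", ALICE_PRIV),
        # A user with no entry in the header cannot open the file.
        "mallory_can_open": can_open(header, blob, "mallory", ALICE_PRIV_AFTER_RESET),
        # After a local password reset the old private key is gone.
        "alice_after_reset_can_open": can_open(header, blob, "alice", ALICE_PRIV_AFTER_RESET),
        # The recovery agent's own private key still unwraps the file key.
        "dra_recovers": efs_decrypt(header, blob, "dra", DRA_PRIV),
    }


if __name__ == "__main__":
    print(demo())
```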
Application of Encryption:
When encrypted files are moved or copied
• The one rule to remember with EFS is “encryption always wins”.
• If the file started encrypted, it remains encrypted.
• If the target folder has encryption enabled, the file will be encrypted.
• For example, if the C:\Encrypted folder has the encrypted attribute
enabled, then all files moved or copied into this folder will be
encrypted. If an encrypted file is moved or copied from this folder to
any other location on an NTFS file system, it will stay encrypted.
• It doesn't matter if the file is moved or copied. The result is always
the same: encryption wins.
Application of Encryption:
Understanding EFS
• Understanding behavior when encrypted files are moved or copied

Original state of encryption | Target location encryption setting | Result
Encryption enabled | Encryption enabled | Encrypted
No encryption | Encryption enabled | Encrypted
Encryption enabled | No encryption | Encrypted
No encryption | No encryption | No encryption
Understanding FAT & FAT32
[Figure: FAT or FAT32 folder properties compared with NTFS folder properties]
Application of Encryption:
Moving / copying from EFS to FAT/FAT32
• FAT (or FAT32) doesn't support any of the security features of NTFS.
FAT doesn't have the header of an NTFS file, so it can't store the keys
needed to decrypt the file.
• If you're an authorized user of the file and you move it or copy it to a
FAT drive, EFS decrypts it and stores it in unencrypted format.
• However, if an unauthorized user moves or copies an encrypted file
to a FAT drive, the file is copied in the encrypted format. Also,
because FAT doesn't store the encryption keys, the encryption keys
for the file are lost, and the file will stay encrypted forever.
Understanding a (Digital) Certificate
Understanding a Certificate
What is a certificate?
• A digital certificate, often referred to simply as a certificate, is like an electronic
passport for exchanging information over the internet using public key infrastructure.
• A certificate is a file often used to transfer public keys, but certificates are also
used for a variety of other security purposes. The information in a certificate includes:
• Who it was issued to
• Who issued it
• Its purpose(s)
• Validity dates (including an expiration date)
• Its unique serial number
• Public key
Understanding a Certificate:
Example of a Certificate
Understanding a Certificate:
Certificate Administration
• The certificate can be issued to a person and associated with a user
account. The certificate file can be embedded into a smart card. It
can also be issued to a server, workstation, or mobile phone.
• Within a domain, certificates are normally issued to users
automatically with little, if any, user interaction. However,
administrators often request and install certificates on servers
manually.

Note: Most certificates are files with an extension of .cer. The files are formatted in a
special X.509 format.
Understanding a Certificate:
Purposes of Certificates
1. Authentication
• When a certificate is issued to a
person or a server from a trusted
entity, any system utilizing the
certificate as a source of
authentication has assurances that
the other party is who they claim
to be. E.g. Amazon.com
2. Encryption
• The certificate may be used to
encrypt and decrypt data at rest
and during transmission.
Understanding a Certificate:
Purposes of Certificates
3. Digital Signatures
• A digital signature can be added to an email to provide proof to the recipient
of who sent the email. It provides authentication, integrity, and
nonrepudiation.
4. Code Signing
• Active content used on Internet web pages can be digitally signed to identify
the author and verify that the code hasn't been modified
• Attackers don't want to be identified, so they won't sign their malicious code.
However, legitimate companies use code-signing certificates to sign active
content and add legitimacy to the code.
• It's possible to block all unsigned code from running within a web browser
such as Internet Explorer.
Understanding a Certificate:
Creating an HTTPS session
1. The client clicks a link or types in a URL to initiate the HTTPS session. E.g.
Amazon.com
2. After receiving the request, the server sends the client its certificate with the public
key embedded. As a reminder, the public key is matched with a private key kept
private on the server.
3. The client creates a session key, which will be used to encrypt the session data.
4. The client encrypts the session key with the server's public key. This means only the
server's private key can decrypt it.
5. The client sends the encrypted session key to the server. If anyone on the Internet
captures the encrypted key safely.
6. The server receives the encrypted session key, and then decrypts the key with the
server's private key. Now, both the client and the server know what the session key is,
but no one else knows it.
7. The HTTPS session is encrypted and decrypted with the session key.
Understanding a Certificate:
Certificate Revocation List (CRL)
• Several checks can occur to verify that a certificate is valid before it's
accepted for its intended usage by a machine. These checks are
typically automatic, but the user often sees an error if one of the
checks fails.
• For example, each time a certificate is passed to a client, the client may check
with the CA to ensure that the certificate hasn't been revoked. The CA
publishes a certificate revocation list (CRL). The CRL includes the serial
number of all revoked certificates and the date of revocation.
• A CRL is always published in a special certificate format known as a version 2
certificate.
Understanding a Certificate:
Certificate Revocation List (CRL)
Understanding a Certificate:
Checking the validity of a certificate
Understanding a Certificate:
Understanding Certificate Errors
• When there is a problem with the server's certificate, you will see an error
message as shown here, and you should not continue.
• If you do continue to visit the website, you shouldn't enter any private
information. If attackers are fraudulently using the certificate, they will be able to
view any private information you submit, even if an HTTPS session is established.
Understanding a Certificate:
Understanding Certificate Errors
• "The Certificate has been Revoked"
• This indicates that the private key has been compromised or the certificate is being
used fraudulently. If it's revoked, the original certificate owner wouldn't use it, but a
malicious attacker may be fraudulently using it.
• "The Certificate is Out of Date"
• This indicates that the certificate has expired. Expired certificates aren't validated by
CAs, so they shouldn't be trusted.
• "The Certificate ISN'T from a Trusted Source"
• This indicates that the certificate hasn't been issued from a trusted CA. It's common
to see this error from malicious phishing attempts.
• "This is a Problem with This Website's Security Certificate"
• Miscellaneous problems will trigger this error. For example, if the certificate was
modified, tampered with, or is unreadable, this error occurs.
Understanding a Certificate:
Viewing Certificate Properties
• You can view a certificate and its properties with the following
steps in Internet Explorer.
1. Start Internet Explorer.
2. Click Settings (the gear wheel), then Internet Options.
3. Select the Content tab.
4. Click the Certificates button.
5. Select the Trusted Root Certification Authorities tab.
• Your display will look similar to the next slide.
Note: You can also view the certificate properties using other browsers, although the
steps are slightly different.
Understanding a Certificate:
Viewing Certificate Properties
Public Key Infrastructure (PKI)
Understanding a Certificate:
Components of a PKI (Public Key Infrastructure)
• A PKI includes all the components necessary to issue, manage, verify, and
use certificates for different purposes. A PKI includes the following
components.

• Public/Private Key Pairs
• The public/private key pair is a matched set of keys used for encryption and
decryption of data.
• Certificates
• A certificate is an electronic file. It includes details such as who issued it, who it was
issued to, validity dates, and the public key.
• Certification Authority (CA)
• The CA issues and manages certificates.
Understanding a Certificate:
Components of a PKI (Public Key Infrastructure)

• Root CA
• The first CA in a certificate chain is
called the root CA.
• The root CA can issue certificates to
subordinate CAs, and these CAs are
considered to be in the same
certificate chain.
• If a computer trusts the root CA, it
trusts all certificates issued by any
CAs in the certificate chain. Microsoft
systems store certificates from many
public root CAs in the Trusted Root
Certification Authority store.
Understanding a Certificate:
The Certificate Chain
The root CA issues itself a self-signed certificate. It can then issue certificates to
intermediate CAs.
The intermediate CAs can issue certificates to subordinate CAs.
Certificates are issued to clients from the subordinate, intermediate or root CAs.
Understanding a Certificate:
Comparing Certificate Services
• You can add Microsoft's Active Directory Certificate Services (AD CS)
to create a CA.
• AD CS is added to Windows Server 2008 as a role. It can be added as either an
enterprise CA or a standalone CA.
• An enterprise CA is used to issue certificates only within the organization,
whereas a standalone CA can be used to issue certificates in or out of the
organization.
• Standalone CA
• The CA can be used to issue certificates within an organization or publicly. The
CA isn't required to be a member of a Microsoft Active Directory domain, but
it can be. Certificate requests are submitted manually and are manually
approved.
Understanding a Certificate:
Comparing Certificate Services
• Enterprise CA
• This is used within a Microsoft domain and requires Active Directory Domain
Services (AD DS). An enterprise CA is used to issue certificates only within the
company or enterprise.
• Administrators can configure auto-enrolment for the certificates so that
certificates are automatically issued for authorized users in the Active
Directory.
• You can create a CA on a Windows server by adding the Active Directory
Certificate Services role.
Understanding a Certificate:
Viewing Certificate Properties
[Figure: a Standalone CA, where certificate requests are submitted manually and manually
approved, compared with an Enterprise CA, where each member of the domain gets a
certificate automatically]
Summary
• Hashing
  • Same algorithm, same length
  • One-way function
  • No keys used
  • MD5, SHA-1, SHA-256
• Application of Hashing
  • Contracts & Treaties
  • Software downloads
  • E-mail signing
  • Non-repudiation
• EFS (Encrypting File System)
  • In NTFS, but not FAT/FAT32
  • Designated recovery agent (DRA)
  • Moving or copying
  • Encryption always wins
• Purposes of Certificates
• Creating an HTTPS session
• Certificate Revocation List (CRL)
• Understanding Certificate Errors
• Components of a PKI (Public Key Infrastructure)
• Enterprise CA
• Standalone CA
Reading
• Microsoft Windows Security: Essentials by Darril Gibson, Sybex, 2011 (Available via
Books24x7.com)
• Chapter 10 (Second half)
• Chapter 11
Participation Exercise 01
• What is a hash collision?
• How is the problem of hash collision solved/handled?
Search for the method online and explain the method or
the approach to handle hash collision in detail and
include an example. (Hint: The method is called S & P)
• The submission system will be set up online at Moodle.
The deadline will be Sunday 9:00 PM
• The submitted answer should be a PDF file!
• I expect 1 to 2 pages of explanation and not more.
• Heading: Participation Exercise 1 & then
• Write your Student ID and Name properly on each page.
Computer Security
SEHS4515
Lesson Five

Understanding User Authentication


Dr. Umair Mujtaba Qureshi
Note: Most of the teaching materials have been taken from the lectures of Dr. Adam Wong
User Authentication
Authentication? User Authentication
• Authentication is a security process of verifying an entity based on
the entity’s credentials or given information.
• User authentication: It is a security process of verifying a user
through their credentials, i.e., given information.
• User authentication is important for every human-computer
interaction
User Authentication: Email account
• When a user registers for an
account, they must create a
unique ID and key that will
allow them access to
millions of applications and
services
• Generally, a username and
password are used as the ID
and key, but the credentials
can include other forms of
keys as well such as ?
User Authentication
• Authentication occurs when an entity presents credentials, and the credentials are
verified as valid.
• For example, when a user logs on with a username and password, the system checks to
ensure that the username and password are valid and, if so, authenticates the user.
• Essentially, the user authentication process gives users access to their own accounts
(in case of email) while attempting to block any unauthenticated users from gaining access
• This means that User A can log in to their own account, while User B would be denied
access. Conversely, User B could access their own account, while User A would be unable to.
Note: There is a difference between authentication and authorization. Just because a user
can prove their identity by logging on doesn't necessarily mean they have the authority to
access resources on a system. However, authentication is the first step in the process.
Four Means of User Authentication
• To authenticate a user, the user must provide a piece of information that can be used to
verify the user's identity
• The four means of authenticating user identity are based on
• Something the individual knows
• e.g., Password*, Personal Identification Number (PIN)*, answers to pre-arranged questions
• Something the individual has (token)
• e.g., Smartcard, electronic keycard, physical key
• Something the individual is (static biometrics)
• e.g., Fingerprint, retina, face
• Something the individual does (dynamic biometrics)
• e.g., Voice pattern, handwriting, typing rhythm, gesture recognition and geo-trapping
* Difference between password & PIN
• A PIN is by definition a number
• A password may be a word or a number
User Authentication Significance
• User authentication is a key step in different processes (such as transmission and
reception of data, accessing applications and services, and much more) that keeps
unauthorized users from gaining access to sensitive information
• A strengthened authentication process ensures that User A only has access
to the information they need and can’t see the sensitive information of
User B.
• When your user authentication isn’t secure, however, cybercriminals can
hack the system and gain access, taking whatever information the user is
authorized to access.
• Websites like Yahoo, Equifax, and Adobe have fallen victim to data breaches in the
past and are prime examples of what happens when organizations fail to secure their
websites.
Authentication factor for authorization
• To confirm their identity, the user must provide a piece of information that
only the user and the server know. This information is called an authentication
factor, and there are three types:
• Knowledge factors. Factors the user must know in order to log in are considered
knowledge factors. This can be anything from a username, password, or PIN.
The challenge with these factors is that they can be weak in terms of
security because they can be shared or guessed.
• Possession factors. Anything that the user must have in order to log in is known
as a possession factor. One-time password tokens such as a Magic Link™, key
fobs, ID cards, and physical tokens are all considered possession factors.
• Inheritance factors. Using a person’s biological characteristics is known as an
inheritance factor. Any biometric authentication process, such as fingerprint
scanning and facial recognition, would fall into this category.
Something the individual knows
Password Authentication
• Password authentication is widely used as a primary line of defense against intruders
• User provides name/login and password
• System compares password with the one stored for that specified login
• Password selection strategies
• User education
• Users can be told the importance of using hard to guess passwords and
can be provided with guidelines for selecting strong passwords
• Computer generated passwords
• Users have trouble remembering them
• Reactive password checking
• System periodically runs its own password cracker to find guessable
passwords
• Complex password policy
• User is allowed to select their own password; However, the system checks
to see if the password is allowable, and if not, reject it
• Goal is to eliminate guessable passwords while allowing the user to select
a password that is memorable
How is Password Stored?
• Hash function h: strings → strings
• Given h(password), hard to find password
• No known algorithm better than trial and error
• User password stored as h(password)
How Does System Check Password?
• When user enters password
• System computes h(password)
• Compares with entry in password file
Password Attacks
• Types of password attacks
• Brute force attack
• Dictionary attack
• Rainbow table attack
• Replay attack
• Phishing attack
• Key loggers
Strong Passwords
• Creating a strong password
• Start with a phrase that includes at least 14 characters
• Remove the spaces, and change the first letter in each word to uppercase
• Convert each letter "e" to the number 3
• Convert each letter "i" to an exclamation mark (!)
• I will be certified → !W!llB3C3rtifi3d
• I love technology → !Lov3T3chnology
Brute Force Attack
• The first way of attack to password system is to use brute force approach
• Brute-force attack consists of an attacker submitting many passwords
or passphrases with the hope of eventually guessing correctly. The
attacker systematically checks all possible passwords and passphrases
until the correct one is found.
• Brute force aims at trying all possible combinations in the password
space
• Conditions for success
• Direct access to the password file
• A lot of computing power
Dictionary Attack
• The second way of attack is to use a typical password dictionary
• A dictionary attack uses a restricted subset of a key space to defeat an authentication
mechanism, trying to determine its password or phrase by trying thousands or millions of
likely possibilities, often obtained from lists of past security breaches
• 1,000,000 entries of common passwords
• People’s names, common pet names, and ordinary words
• Suppose you generate and analyze 10 guesses per second
• This may be reasonable for a website; offline is much faster
• Dictionary attack in at most 100,000 seconds = 28 hours, or 14 hours on average
• If passwords were random
• Assume 6-character password
• Upper and lowercase letters, digits, 32 punctuation characters
• 689,869,781,056 password combinations
• Exhaustive search requires 1,093 years on average
Rainbow Table Attack
• In a dictionary attack, we need to spend time either sending our guess to the real
system or running it through the algorithm offline
• Given a slow hashing or encryption algorithm, this wastes time. Also,
the work being done cannot be reused
• So, we have a third way of attack using a rainbow table
• A rainbow table is a pre-computed listing: the attacker runs every possible input
through the algorithm in advance to get every possible output.
Video Tutorial

https://www.youtube.com/watch?v=SaAwW-6wV_Q&t=15s
Protect Against Attacks
• From the slide about dictionary attack, we can see the password would be more
secure if it is random
• However, a random password would be difficult to memorize
• So, what to do? Use salt
• Salt is random data that is used as additional input to a one-way function that
hashes a password
• The salt is stored so that it can be hashed together with the user's password
when checking
• Typically, the salt is just tacked on right next to the hash, usually with some
delimiter
• Example:
• $1$oaagVya9$NMvf1IyubxEYvrZTRSLgk0
• 3 sections separated by $
• 1 means “algorithm number 1”, i.e. uses MD5
• oaagVya9 is our salt
• NMvf1IyubxEYvrZTRSLgk0 is the actual MD5 sum, base64-encoded
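How a stored salt defeats a precomputed table, as an added Python example that is not part of the original slides. It parses the `$`-delimited layout shown above, but swaps the MD5-based scheme for PBKDF2-HMAC-SHA256 from the standard library; the `demo-pbkdf2` identifier, the extra iteration-count field, the wordlist and the passwords are assumptions constructed for this example.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000        # assumption: work factor chosen for this example


def b64(raw):
    return base64.b64encode(raw).decode()


def parse_entry(entry):
    # '$id$salt$hash', optionally with parameter fields between id and salt.
    fields = entry.split("$")
    if len(fields) < 4 or fields[0] != "":
        raise ValueError("expected $id$[params$]salt$hash")
    return {"id": fields[1], "params": fields[2:-2],
            "salt": fields[-2], "hash": fields[-1]}


def derive(password, salt, iterations=ITERATIONS):
    # The one-way function h, with the salt as additional input.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_entry(password, salt=None):
    # A fresh random salt per user unless one is supplied (b"" means unsalted).
    salt = os.urandom(8) if salt is None else salt
    return f"$demo-pbkdf2${ITERATIONS}${b64(salt)}${b64(derive(password, salt))}"


def verify_password(password, stored):
    entry = parse_entry(stored)
    salt = base64.b64decode(entry["salt"])
    candidate = derive(password, salt, int(entry["params"][0]))
    # Constant-time comparison of the recomputed and stored digests.
    return hmac.compare_digest(candidate, base64.b64decode(entry["hash"]))


def precompute(wordlist, salt=b""):
    # A precomputed table: digest -> password, valid for one salt value only.
    return {b64(derive(word, salt)): word for word in wordlist}


def demo():
    table = precompute(["123456", "password", "letmein"])   # constructed wordlist
    unsalted = make_entry("letmein", salt=b"")
    alice = make_entry("letmein")     # two users, same password,
    bob = make_entry("letmein")       # different random salts
    return {
        "table_hits_unsalted": table.get(parse_entry(unsalted)["hash"]),
        "table_hits_salted": table.get(parse_entry(alice)["hash"]),
        "same_password_distinct_entries": alice != bob,
        "login_ok": verify_password("letmein", alice),
        "login_wrong_password": verify_password("letmeln", alice),
    }


if __name__ == "__main__":
    print(parse_entry("$1$oaagVya9$NMvf1IyubxEYvrZTRSLgk0"))
    print(demo())
```

The table built for the empty salt recovers the unsalted entry in one lookup but misses both salted entries, so the precomputation would have to be repeated for every salt value in the password file.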
Password File Access Control
• Password file should be protected from illegal access
• It should only be made available to privileged users
• Possible vulnerabilities
• Weakness in the OS that allows access to the file
• Accident with permissions making it readable
• Users with same password on other systems
• Access from backup media
• Sniff passwords in network traffic
Something the individual has
Token

Card Type | Defining Feature | Example
Embossed cards | Raised characters only, on front | Old credit card
Magnetic stripe cards | Magnetic bar on back, characters on front | Bank card
Memory cards | Electronic memory inside | Prepaid phone card
Smart cards | Electronic memory and preprocessor inside | Biometric ID card
• Contact | • Electrical contacts exposed on surface |
• Contactless | • Radio antenna embedded inside |
Memory Cards
• Can store but do not process data
• The most common is the magnetic stripe card
• Can include an internal electronic memory
• Can be used alone for physical access
• Hotel room
• ATM
• Provides significantly greater security when combined with a password or
PIN
• Drawbacks of memory cards include:
• Requires a special reader
• Loss of token
• User dissatisfaction
Smart Tokens
Something the individual has
• Physical characteristics
• Include an embedded microprocessor
• A smart token that looks like a bank card
• Can look like calculators, keys, small portable objects
• Interface
• Manual interfaces include a keypad and display for interaction
• Electronic interfaces communicate with a compatible reader / writer
• Authentication protocol
• Static
• With the protocol, the user authenticates himself / herself to the token and then the token authenticates the
user to the computer
• Dynamic password generator
• Token generates a unique password periodically, e.g. every minute. This password is then entered into the
computer system for authentication, either manually by the user or electronically via the token
• Challenge-response
• The computer system generates a challenge, such as a random string of numbers. The smart token generates a
response based on the challenge. For example: public-key cryptography could be used and the token could
encrypt the challenge string with the token’s private key
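The dynamic password generator above, as an added Python example that is not part of the original slides. The slides name no algorithm; this example assumes the standardized HOTP/TOTP construction (RFC 4226 and RFC 6238) with a 60-second step to match "every minute", and the `TokenVerifier` class, its drift window and its replay rule are hypothetical names and choices of this example.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    # RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10**digits).zfill(digits)


def totp(secret, unix_time, step=60, digits=6):
    # Token side: the counter is the number of whole time steps since the epoch,
    # so the displayed password changes once per step.
    return hotp(secret, int(unix_time) // step, digits)


class TokenVerifier:
    """Host side: shares the secret with the token and checks submitted codes."""

    def __init__(self, secret, step=60, drift_windows=1):
        self.secret = secret
        self.step = step
        self.drift_windows = drift_windows   # tolerate a slightly slow token clock
        self.last_accepted = -1              # highest time step already used

    def verify(self, code, unix_time):
        current = int(unix_time) // self.step
        oldest = max(0, current - self.drift_windows)
        for counter in range(current, oldest - 1, -1):
            if counter <= self.last_accepted:
                break       # this step was already used: reject a replayed code
            expected = hotp(self.secret, counter)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_accepted = counter
                return True
        return False


def demo():
    secret = b"12345678901234567890"        # RFC test secret, shared by both sides
    verifier = TokenVerifier(secret)
    code = totp(secret, 125)                # what the token shows at t = 125 s
    return {
        "code": code,
        "first_use": verifier.verify(code, 130),
        "replayed": verifier.verify(code, 135),       # captured and re-sent
        "stale": TokenVerifier(secret).verify(code, 400),   # minutes later
    }


if __name__ == "__main__":
    print(demo())
```

Because each time step is accepted at most once, a captured password is useless to the replay adversary described later in this lesson, even within the same minute.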
Something the individual is / does
Biometric Authentication
• Attempts to authenticate an individual based on
unique physical characteristics
• Based on pattern recognition
• It is technically complex and expensive when
compared to passwords and tokens
• Biometric Technologies
• Facial characteristics (Static biometric)
• Fingerprints (Static biometric)
• Hand geometry (Static biometric)
• Retinal pattern (Static biometric)
• Iris (Static biometric)
• Signature (Dynamic biometric)
• Voice (Dynamic biometric)
https://github.com/google/mediapipe
Comparison of Biometric Technologies
Requirement | Fingerprints | Hand Geometry | Retina | Iris | Face | Signature | Voice
Ease of use | High | High | Low | Medium | Medium | High | High
Factors increasing error incidence | Dryness, Dirt, Age | Hand injury, Age | Glasses | Lighting | Lighting, Age, Glasses, Hair | Changing Signatures | Noise, Colds
Accuracy | High | High | Very high | Very high | High | High | High
User Acceptance | Medium | Medium | Medium | Medium | Medium | High | High
Long-term Stability | High | Medium | High | High | Medium | Medium | Medium
Two-factor Authentication
• Two-factor authentication is a combination of any two authentication
modes
• Example: Bankcard
• Something the user has – the card
• Something the user knows – a PIN
Security Issues for User Authentication
• Eavesdropping
• Adversary attempts to learn the password by some sort of attack that involves the physical
proximity of user and adversary
• Host attacks
• Directed at the user file at the host where passwords, token, passcodes, or biometric
templates are stored
• Replay
• Adversary repeats a previously captured user response
• Trojan Horse
• An application or physical device masquerades as an authentic application or device for the
purpose of capturing a user password, passcode, or biometric
• Denial-of-Service
• Attempts to disable a user authentication service by flooding the service with numerous
authentication attempts
Wireless Authentication Prospects
• Authentication is an important factor before two entities share
information
• Authenticating proximity is even more challenging
• Harsh environments make wireless authentication even more problematic
[Figure: Human – Device Authentication and Device – Device Authentication, each based on proximity]
Wireless Authentication Prospects: Secure Localization
[Figure: secure localization across Room 1 and Room 2, showing access point AP1, reference
points RP1, RP2 and RP3 with their fingerprints (FP) and distances (d) relative to AP1, LOS
and NLOS links, an IoT device and an adversary device]
Read if interested:
1. https://scholar.google.com.pk/citations?view_op=view_citation&hl=en&user=iZhnPyUAAAAJ&sortby=pubdate&citation_for_view=iZhnPyUAAAAJ:PELIpwtuRlgC
Wireless Authentication Types
• There are many different possibilities for wireless proximity based
authentication mechanism
• Interest in secure localisation/authenticating proximity
• Wire based authentication mechanism
• Radio based authentication mechanism
• Sound based authentication mechanisms
• Light based authentication mechanisms
• Image based authentication mechanisms
• Gesture & Biometrics based authentication mechanisms
Read if interested:
1. https://ieeexplore.ieee.org/abstract/document/8057145?casa_token=Pi7lN8wdXhAAAAAA:kWFc377zm5WFPfiDufLxIOik2f9xRQfR8vMdVgklHueCZrzQZZag1oX78j15VYhA_6UPk-7r
2. https://ieeexplore.ieee.org/abstract/document/7945214?casa_token=qkah-b_LhncAAAAA:TK-yAOoCPOkEvUI35g070g35uahVLAuqBOOwkXPWeTMLY6HKFPQclX1049iieQNaPxR4WXLu
Participation Exercise 02 – Multifactor Authentication
• What is multifactor authentication? Explain multifactor authentication with
the help of an example scenario. Make sure that the example scenario that
you develop has more than 2 factors used for authentication.
• Deadline: Next Thursday 17-03-22, 9:00pm. To be submitted on Moodle
• You are allowed to search online or use any resource for your example
scenario
• What is expected?
• It should be 2 pages; if more, that is ok, otherwise 2 pages is more than enough
• Explain in your own words with a suitable example – adding figures
• Advice: Write in simple, straightforward words such that anyone who reads your
answer should, after reading it, be able to explain what multifactor
authentication is to others. For that you can try it with your parents or siblings at
home. If they understand, so will I.
