Computer Security and Encryption E-Book

Cryptography and system security may be the fastest growing technologies in our culture today because of the rapid growth of cybercrime. This book describes various aspects of cryptography and system security, with a particular emphasis on the use of rigorous security models and practices in the design. The first portion of the book presents the overall system security and provides a general overview of the features such as object models and inter-object communications. The objective of this portion is to provide an understanding of the cryptography underpinnings on which the rest of the book is based. The whole text has been divided into nine chapters:

Chapter 1. This chapter attempts to provide answers to the basic questions, the principles of any security mechanism, for the security and security models, Denial of Service (DoS) and type of active attacks, Virus, Worms, Trojan Horse, Java Applets, Java Security, and Applet and Active X Controls.

Chapter 2. In this chapter, we provide One-Way Functions, Digital Signature, Authentication Method, Hash Function, Digital Certificates, Challenge Handshake Authentication Protocol, Biometrics and Mutual Authentication.

Chapter 3. This chapter provides discussions of Internet Service Providers (ISP), the Network Access Point (NAP), Routers, Addressing, ATM, Ethernet, Fiber Distributed Data Interface (FDDI), Multi-Protocol Label Switching (MPLS), Point-to-Point Protocols (PPP) and High-level Data Link Control (HDLC).

Chapter 4. This chapter covers Firewalls and their purpose. In this chapter we present Protective Device, Denial of Service, Spies (Industrial and Otherwise), Network Taps, Host Security, How A Firewall Can Log Internet Activity Efficiently, Buying Versus Building, and Why A Firewall Can’t Fully Protect Against Viruses.

Chapter 5. This chapter provides answers to understanding the types of attacks that may be used by hackers to undermine network security; understand the types of vulnerabilities that may be present in your network; learning to classify the different types of networks and users that may interact with your own; and evaluate their risk factors; learn to evaluate your network topology and requirements; developing a suitable security policy for implementation; and becoming familiar with the tools available for protecting confidential information and your network.

Chapter 6. In this chapter, exchange of information and commerce to be secured on any network; securing information on a network; plaintext to produce a stream of secrets, block ciphers, plaintext attack, Public Key Cryptosystems, Symmetric Key Encryption, Data Encryption Standard (DBS), and Secrete Key Exchange have been discussed.

Chapter 7. This chapter provides information and commerce; identify different types of wireless technologies; identify different wireless solutions; introduce quadrated amplitude modulation; explain wireless systems, and discuss the benefits of using wireless technologies for communications.

Chapter 8. IPSec is a framework of open standards developed by the Internet Engineering Task Force (IETF). IPSec provides security for transmission of sensitive information over unprotected networks – such as the Internet comparison of IPsec to Cisco Encryption Technology, IPsec protocols, IKE Protocol, Internet Engineering Task Force (IETF), NAT-Traversal, Gateway-to-Gateway Architecture, Virtual Private Networking (VPN), Encryption Processes, End-To-End Encryption, and ESP v.3.

Chapter 9. This chapter discusses the security protocols and processes involved with emerging technologies. The chapter covers topics such as Big Data Analytics, Cloud Computing, Internet of Things (IoT), Smart Grid, Supervisory control and data acquisition (SCADA) Control Systems, Wireless Sensor Network (WSN).

Chapter Goals

•The principles of any security mechanism

•The need for the security

•Security models

•Denial-of-Service (DoS) and other types of active attacks

•Viruses, Worms, Trojan horses, and Java Applets

•Java Security

•Applet and ActiveX controls

This is a book on network and Internet security. As such, before we embark on our journey of understanding the various concepts and technical issues related to security, it is essential to know what we are trying to protect. What are the dangers of using computers, computer networks, and the biggest network of them all, the Internet? What are the likely pitfalls? What happens if we do not implement the right security policies, frameworks, and technology? This chapter attempts to provide answers to these basic questions.

We start with a discussion of the fundamental point: Why is security required in the first place? People sometimes say that security is like statistics: what it reveals is trivial, what it conceals is vital. In other words, the right security infrastructure opens up just enough doors. We will discuss a few real-life incidents that should prove beyond any doubt that security is important. Now that critical business and other types of transactions are being conducted over the Internet to such a large extent, inadequate or improper security mechanisms can destroy a business or play havoc with people’s lives.

We will also discuss the key principles of security. These principles will help us identify the various areas that are crucial while determining the security threats and possible solutions. Electronic documents and messages are now considered the equivalent to paper documents in terms of their legal validity, and we will examine the implications of this new view of information.

Most of the first computer applications had no or at best, very little, security. This lack of security continued for a number of years until the importance of data was truly realized. Until then, computer data was considered useful, but not something that needed to be protected. When computer applications were developed to handle financial and personal data, the real need for security was felt like never before. People realized that the data on computers is an extremely important aspect of modern life, and various areas in security began to gain importance. Two typical examples of security mechanisms are as follows:

•Provide a user id and password to every user, and use that information to authenticate a user

•Encode information stored in the databases in some fashion so that it is not visible to users who do not have the right permissions.

Organizations employed their own mechanisms to provide security. As technology improved, the communication infrastructure became extremely mature, and newer applications were developed to meet various user demands and needs. Soon, people realized that the basic security measures were not enough.

The Internet is used globally, and there were many examples of what could happen if there was insufficient security built into the applications developed for the Internet. Figure 1.1 shows such an example of what can happen when you use your credit card for making purchases over the Internet. From the user’s computer, the user’s details, such as the user id, order details, such as the order id and item id, and payment details, such as the credit card information, travel across the Internet to the merchant’s server. The merchant’s server stores these details in its database.

There are various security holes in this process. First, an intruder can capture the credit card details as they travel from the client to the server. If we somehow protect this transit from an intruder’s attack, it still does not solve our problem. Once the merchant receives the credit card details and validates them to process the order and obtain payments, the merchant stores the credit card details in its database. An attacker can simply access this database and gain access to all the credit a card numbers stored therein! One Russian attacker (called Maxim) managed to hack a merchant’s Internet site and obtain 300,000 credit card numbers from its database. He then attempted extortion by demanding protection money ($100,000) from the merchant. The merchant refused to oblige. Following this, the attacker published about 25,000 of the credit card numbers on the Internet. Some banks reissued all the credit cards at a cost of $20 per card, and others warned their customers about unusual entries in their statements.

Such attacks can obviously lead to great losses, both in terms of finances and goodwill. Generally, it takes about $20 to replace a credit card. Therefore, if a bank has to replace 300,000 such cards, the total cost of such an attack is about $6 million. Had the merchant in the example employed proper security measures, he would have saved money and bother.

Of course, this is just one example. More cases have been reported, and the need for proper security is increasing with every attack. In another example, in 1999, a Swedish hacker broke into Microsoft’s Hotmail Website and created a mirror site. This site allowed anyone to enter any Hotmail user’s email id and read the user’s emails.

Also in 1999, two independent surveys were conducted to invite people’s opinions about the losses that occur due to successful attacks on security. One survey pegged the losses at an average of $256,296 per incident, and another found the average was $759,380 per incident. In the following year, this figure rose to $972,857.

The last twenty years have witnessed a major development in a formal methods used to improve security protocols. The design of such protocols has so far been largely an empirical and ad-hoc procedure, giving rise to various approaches. These methods are now being systematically applied to develop a system that is both efficient and can comply with strong security requirements.

An organization can take several approaches to implement its security model:

•No security: In this simplest case, the approach could be a decision to implement no security at all.

•Security through obscurity: In this model, a system is secure simply because nobody knows about its existence and content.

•Host security: In this scheme, the security for each host is enforced individually. This is a very safe approach, but the trouble is that it cannot scale well. The complexity and the diversity of modern sites/organizations make the task even harder.

•Network security: Host security is difficult to achieve as organizations grow and become more diverse. In this technique, the focus is to control network access to various hosts and their services, rather than the individual host’s security. This is an efficient and scalable model.

Good security management practices always include a security policy. Putting a security policy in place is actually quite difficult. A good security policy and its proper implementation go a long way in ensuring adequate security management practices. A good security policy generally takes care of four key aspects.

•Affordability: How much money and effort does this security implementation cost?

•Functionality: What is the mechanism of providing security?

•Cultural Issues: Does the policy take into consideration people’s expectations, working style, and beliefs?

•Legality: Does the policy meet the legal requirements?Once a security policy is in place, the following points should be ensured:

a.Include an explanation of the policy to all concerned.

b.Outline everybody’s responsibilities.

c.Use simple language in all communications.

d.Accountability should be established.

e.Provide for exceptions and periodic reviews.

Having discussed some of the attacks that have occurred in real life, let us now classify the principles related to security. This will help us understand the attacks better and think about the possible solutions.

Let us assume that a person, A, wants to send a check worth $100 to another person, B. Normally, what are the factors that A and B think of in such a case? A will write the check for $100, put it inside an envelope, and send it to B.

•A wants to ensure that no one expects B will get the envelope, and even if someone else gets it, she does not want anyone to know about the details of the check. This is the principle of confidentially.

•A and B would like to make sure that no one can tamper with the contents of the check (such as its amount, date, signature, or name of the payee). This is the principle of integrity.

•B would like to be assured that the check has indeed come from A, and not from someone else posing as A (as it could be a fake check). This is the principle of authentication.

•What will happen tomorrow if B deposits the check into her account, the money is transferred from A’s account, and then A claims to have not written/sent the check? The court of law will use A’s signature to disallow A to refute this claim and settle the dispute. This is the principle of non-repudiation.

These are the four chief principles of security. There are two more, access control and availability, which are not related to the particular message, but are linked to the overall system as a whole.

The principle of confidentiality specifies that only the sender and the intended recipient(s) should be able to access the content of a message. Confidentiality gets compromised if an unauthorized person is unable to access a message. An example of compromising the confidentiality of a message is shown in Figure 1.2. The user of a computer A sends the message to the user of a computer B. (From here onwards, we use “A” to mean the user A, and “B” to mean user B, although we just show the computers of the users A and B). Another user, C, gets access to this message, which is not desired, and therefore, defeats the purpose of confidentiality. An example of this could be a confidential email message sent by A and B. This type of attack is called interception.

Authentication mechanisms help establish proof of identities. The authentication process ensures that the origin of an electronic message or document is correctly identified. For instance, suppose that user C sends an electronic document over the Internet to user B. However, the trouble is that user C is posing as user A when she sent this document to user B. However, would user B know that the message has come from user C, who is posing as user A? A real-life example of this would be the case of a user C, posing as user A, sending a funds transfer request (from A’s account to C’s account) to bank B. The bank will happily transfer the funds from A’s account to C’s account, and it would think that user A has requested the funds transfer. This concept is shown in Figure 1.3. This type of attack is called fabrication.

When the contents of a message are changed after the sender sends it, but before it reaches the intended recipient, we say that the integrity of the message is lost. For example, suppose you write a cheque for $100 to pay for some goods. However, when you see your next account statement, you are startled to see that the cheque resulted in a payment of $1,000. This is type of case is about the loss of the message’s integrity. Conceptually, this is shown in Figure 1.4. User C tampers with a message originally sent by user A, which was actually destined for user B. User C somehow manages to access it, change its contents, and send the changed message to user B. User B has no way of knowing that the contents of the message were changed after user A sent it. User A also does not know about this change. This type of attack is called modification.

There are situations where a user sends a message, and then says that she never sent that message. For instance, user A could send a funds transfer request to bank B over the Internet. After the bank performs the funds transfer as per A’s instructions, A could claim that she never sent the funds transfer instruction to the bank. Thus, A repudiates, or denies, her funds transfer instruction. The principle of non-repudiation defeats the possibility of denying something after having done it.

The principle of accesscontrol determines who should be able to access what. For instance, we should be able to specify that user A can view the records in a database, but cannot update them. However, user B might be allowed to make updates, as well. An access control is broadly related to two areas: role management and rule management. Role management concentrates on the user side (which user can do what), whereas rule management focuses on the decisions taken, and so an access control matrix is prepared. A list of items is generated, including what they can access (e.g., it can say that user A can write to file X, but can only update files Y and Z). An Access Control List (ACL) is a subset of an access control matrix.

The principle of availability states that resources should be available to authorized parties at all times. For example, due to the intentional actions of another unauthorized user C, the authorized user A may not be able to contact a server computer B, as shown in Figure 1.5. This would defeat the principle of availability. Such an attack is called interruption.

Having discussed the various principles of security, let us now discuss the different types of attacks that are possible from a technical perspective.

We can classify the types of attacks on computers and network systems into two categories for a better understanding: (a) the theoretical concepts behind these attacks and (b) practical approaches used by the attackers.

The principle of security faces threats from various attacks. These attacks are generally classified into four categories. They are

•Interception: Discussed in the context of confidentiality earlier.

•Fabrication: Discussed in the context of authentication earlier.

•Modification: Discussed in the context of integrity earlier.

•Interruption: Discussed in the context of availability earlier.

These attacks are further grouped into two types: passive attacks and active attacks, as shown in Figure 1.6.

Passive attacks are those wherein the attacker indulges in eavesdropping or the monitoring of data transmissions. The attacker attempts to obtain information that is in transit. The term passive indicates that the attacker does not attempt to perform any modifications to the data. In fact, this is also why passive attacks are harder to detect, thus, the general approach to deal with passive attacks is to think about prevention, rather than detection or corrective actions.

Figure 1.7 shows a further classification of passive attacks into two sub-categories. These categories are the release of the message contents and traffic analysis.

The release of message contents is quite simple to understand. When we send a confidential email message to our friend, we only want her to access it. Otherwise, the contents of the message are released against our wishes to someone else. Using certain security mechanisms, we can prevent the release of the message contents. For example, we can encode messages using a code language, so that only the desired parties understand the contents of a message because only they know the code language. However, if many such messages are passing through, a passive attacker could try to figure out the similarities between them to come up with a pattern that provides her some clues regarding the communication that is taking place. Such attempts at analyzing (encoded) messages to come up with likely patterns are the work of traffic analysis attacks.

Unlike passive attacks, active attacks are based on the modification of the original messages in some manner or on the creation of a false message. These attacks cannot be prevented easily. However, they can be detected with some effort, and attempts can be made to recover from them. These attacks can be in the form of interruption, modification, and fabrication.

•Interruption attacks are called masquerade attacks.

•Modification attacks can be classified further into the replay attacks and alteration of messages.

•Fabrication causes Denial of Service (DoS) attacks.

A masquerade is caused when an unauthorized entity pretends to be another entity. User C might pose as user A and send a message to user B. User B might be led to believe that the message indeed came from user A.

In a replay attack, a user captures a sequence of events, or some data units, and resends them. For instance, suppose user A wants to transfer some amount to user C’s bank account. Both users A and C have accounts with bank B. User A might send an electronic message to bank B, requesting the funds transfer. User C could capture this message and send a second copy of the same to bank B. Bank B would have no idea that it is an unauthorized message and would treat this as a second, and different, funds transfer request from user A. Therefore, user C would get the benefit of the funds transfer twice: once actually authorized and once through a replay attack.

The alteration of messages involves some change to the original message. For instance, suppose user A sends an electronic message to transfer $10,000 to C’s account. The beneficiary captures this and changes it to transfer $100,000 to B’s account. Note that both the beneficiary and the amount have been changed: only one of these could have caused the alteration of the message.

Denial-of-Service (DoS) attacks make an attempt to prevent legitimate users from accessing some services that they are eligible for. For instance, an unauthorized user might send too many emails so as to flood the network and deny other legitimate users access to the network.

The attacks discussed earlier can come in a number of forms in real life. They can be classified into two broad categories: application-level attacks and network-level attacks, as shown in Figure 1.9.

•Application level attacks: These attacks happen at an application level in the sense that the attacker attempts to access, modify, or prevent access to information of a particular application or the application itself. Examples of this are trying to obtain someone’s credit information on the Internet or changing the contents of message to change the amount in a transaction.

•Network level attacks: These attacks are generally aimed at reducing the capabilities of network. These attacks make an attempt to either slow down, or completely bring to halt, a computer network. Note that this automatically can lead to application level attacks, because once someone is able to gain access to a network, she is able to access/modify at least some sensitive information, causing havoc.

These two types of attacks can be attempted by using varies mechanisms. These attacks are not encompassed in the above two categories, since they can span across application as well as network levels.

One can launch an application-level attack or a network level attack using a virus. A virus is a piece of program code that attaches itself to legitimate program code and runs when the legitimate program runs.

It can then infect other programs in that computer or programs that are on other computers but on the same network. This is shown in Figure 1.10. After deleting all the files from the current user’s computer, the virus self-propagates by sending its code to all users whose e-mail addresses are stored in the current user’s address book.

Viruses can also be triggered by specific events (e.g., a virus could automatically execute at 12 p.m. every day). Viruses cause damage to computers and network systems, but this damage can be repaired, assuming that the organization deploys good backup and recovery producers.

Similar in concept to a virus, a worm is actually different in implementation. A virus modifies a program (i.e., it attaches itself to the program under attack). This is shown in Figure 1.11. The replication grows so much that ultimately the computer or the network, on which the worm resides, become very slow, finally coming to a halt. Thus, the basic purpose of a worm attack is different from that of a virus. A worm attempts to make the computer or the network under attack unusable by consuming all its resources.

A worm does not perform any destructive actions, but instead only consumes system resources to bring it down.

A Trojan horse is a hidden piece of code, like a virus. However, the purpose of a Trojan horse is different. The main purpose of a virus is to make modifications to the target computer or network, whereas a Trojan horse attempts to reveal confidential information to an attacker. The name (Trojan horse) is taken from the secret attack executed by Greek soldiers, who hid inside a large hollow horse that was pulled into the city of Troy by its citizens, unaware of its contents. Once the Greek soldiers entered the city of Troy, they opened the gates for the rest of their army.

In a similar fashion, a Trojan horse could silently sit in the code for a login screen by attaching itself to it. When the user enters the user ID and password, the Trojan horse captures these details and sends this information to the attacker without the knowledge of the user who entered the ID and password. The attacker can then use the user ID and password to gain access to the system.

Applets and ActiveX controls were born through the technological development of the World Wide Web (WWW) applications. In its simplest form, the Web consists of the communication between client and server computers using a communications protocol called the Hyper Text Transfer Protocol (HTTP). The client uses software called a Web browser. The server runs a program called a Web server. In its simplest form, a browser sends an HTTP request for a Web page to a Web server. The Web server locates this Web page (actually a computer file) and sends it back to the browser, again using HTTP. The Web browser interprets the contents of that file and shows the results on the screen to the user. This is shown in Figure 1.13. Here, the client sends a request for the web page www.yahoo.com/info, which the server sends back to the client.

Many Web pages contain small programs that get downloaded on to the client along with the Web page itself. These programs then execute inside the browser. Sun Microsystems created Java applets for this purpose, and Microsoft’s technology makes use of ActiveX controls for the same purpose. Both are essentially small programs that get downloaded along with a Web page and then executed on the client. This is shown in Figure 1.14. The server sends an applet along with the Web page to the client.

Usually, these programs (applets or ActiveX controls) are used to either perform some processing on the client side or to automatically and periodically request information from the Web server using a technology called client pull. For instance, a program can get downloaded on to the client along with the Web page showing the latest stock prices on a stock exchange, and then periodically issue HTTP requests for pulling the updated prices to the Web server. After obtaining this information, the program displays it on the user’s screen.

These apparently innocuous programs can sometimes cause havoc. What if such a program performs a virus-like activity by deleting files on the user’s hard disk, by stealing some personal information, or by sending junk e-mails to all the users whose addresses are contained in the user’s address book?

To prevent these attacks, Java applets have strong security checks as to what they can and cannot do. ActiveX controls have no such restrictions. A new version of applets called signed applets allows accesses similar to those of ActiveX. Of course, a number of checks are in place to ensure that neither applets nor ActiveX controls can do a lot of damage; even if they somehow manage to do it, the damage can be detected. However, at least in theory, they pose a security risk.

Cookies are the result of a specific characteristic of the Internet. The Internet uses the HTTP protocol, which is stateless.

Suppose that the client sends an HTTP request for a Web page to the server. The Web server locates that page on its disk, sends it back to the client, and completely forgets about this interaction. If the client wants to continue this interaction, it must identify itself to the server in the next HTTP request. Otherwise, the server would not know that this same client had sent an HTTP request earlier. Since a typical application is likely to involve a number of interactions between the client and the server, there must be some mechanism for the client to identify itself to the server each time it sends a HTTP request to the server. For this, cookies are used. Cookies are perhaps the most popular mechanism of maintaining the state information. Actually, a Web server sends the Web browser a cookie and the browser stores it on the hard disk of the client computer. The browser then sends a copy of the cookie to the server during the next HTTP request. This is used for identification purposes, as shown in Figure 1.15(a) and 1.15(b).

A cookie works as follows:

a.When you interact with a Website for the first time, the site might want you to register yourself. Usually, this means that the Web server sends a page to you wherein you have a form to enter your name, address, and other details, such as date of birth and interests.

b.When you complete this form and send it to the server with the help of your browser, the server stores this information in its database. Additionally, it also creates a unique ID for you. It stores this ID along with your information in the database and also sends the ID back to you in the form of a cookie.

c.The next time you interact with the server, you do not have to enter any information, such as your name and address. Your browser automatically sends your ID along with the HTTP request for a particular page to the server.

d.The server now takes this ID and tries to find a match in its database. When it finds it, it knows that you are a registered user. Accordingly, it sends you the next page, which could contain a simple welcome message. This can also be used for other purposes.

People perceive that cookies are dangerous. Actually, this is generally not true. Cookies can do little, if any, harm to you. First, the Web server that originally created a cookie can only access the cookie. Second, cookies can contain only text-based information. Third, the user can refuse to accept cookies.

A Web page is constructed using a special language called Hyper Text Markup Language (HTML). It is a tag-based language. A tag begins with <> and it ends with </>. The boundaries of these tags contain the information for how things should be displayed on the user’s computer. As an example, let us consider how the tag pair <B> and </B> can be used to change the font to boldface.

When a browser comes across this portion of the HTML document, it realizes that the portion of the text embedded within the <B> and </B> tags needs to be displayed in boldface. Therefore, it displays this text in boldface.

In addition to HTML tags, a Web page can contain client-side scripts. These are small programs written in scripting languages like Java Script, VBScript, or JScript, that are executed inside the Web browser on the client computer. For instance, let us assume that a user visits the Website of an online bookshop. Suppose that the Website mandates that the user must place an order for at least three books. Then the Web page uses a small JavaScript program that ensures that this condition is met before the user can place the order. Otherwise, the Java script program does not allow the user to proceed. Note that HTML cannot be used for this purpose, as its sole purpose is to display text on the client computer in a pre-specified format. To perform dynamic actions, such as the one discussed here, we need scripts.

Scripts can be dangerous. Since scripts are small programs, they can perform actions on the client’s computer. Of course, there are restrictions as to what a scripting program can and cannot do. However, security breaches related to scripts have been reported.

In this section we will discuss, Java security issues.

For Java to become successful, it needed to avoid the security problems that had plagued other models of software distribution. Therefore, the early design of Java focused mainly on these concerns. Consequently, Java programs are considered safe as they cannot install, execute, or propagate viruses, and because the programs cannot perform any action that is harmful to the user’s computer.

One of the key attributes of Java is the ability to download Java programs over a network and execute these programs on a different computer within the context of a Java-enabled browser. Developers were attracted to Java with different expectations. As a result, they had different ideas about Java security. Simply put, if we expect Java to be free from introducing viruses, any release of Java should satisfy our requirements. However, if we require special functionalities such as a digital signatures, authentication, and encryption in our program, we need to use at least release 1.1 of Java.

Interestingly, Java security discussions are centered on the idea of Java’s applet-based security model. This security is contained inside Java-enabled browsers. This model was envisaged for use on the Internet.

Java’s security model is closely associated with the idea of sandbox model. A sandbox model allows a program to be hosted and executed, but there are some restrictions in place. The developers/end users may decide to give the program access to certain resources. However, in general, they want to make sure that the program is confined to the sandbox. The overall execution of a Java sandbox protects a number of resources, and it performs this task at a number of levels, as described below:

•A basic sandbox is one in which a program can access the CPU, screen, keyboard, mouse, and its own memory. It contains just enough resources for the sandbox.

•The default state of the sandbox is one in which a program can access the CPU and its memory, as well as access the Web server from which it was downloaded.

•A sandbox can exist in which a program can access the CPU, its memory, its Web server, and a set of resources (such as files computers) that are local.

•An open sandbox is one in which the program can access whatever resources the host machine can.

There are some broad aspects of Java security.

•The byte code verifier: The byte code verifiers ensure that the Java class files obey the rules of the Java programs. However, not all files are required to go through byte code verification.

•The class loader: The class loader loads classes that are located in Java’s default path (called CLASSPATH).

•The access controller: The security manager is the chief interface between the core Java API and operating system.

•The security manager: The security manager is the chief interface between the core Java API and the operating system. It has the ultimate responsibility for allowing or disallowing access to all operating system resources. The security manager uses the access controller for many of these decisions.

•The security package: The security package (that is, the classes in the Java security package)

•The key database: The key database is a set of keys used by the security manager and access controller to validate the digital signature that comes along with a signed class file. In the Java architecture, it is contained within the security package, although it may be an external file or database, as well.

From version 1.2, the Java platform itself comes with a security model built for the applications it runs. The classes that are found in the CLASSPATH may have to go through a security check. This allows the running of the application code in a sandbox defined by a user or an administrator. The following points are salient:

•Access methods are strictly adhered to.

•A program cannot access an arbitrary memory location.

•Entities that are declared as final must not be changed.

•Variables may not be used before they are initialized.

•Array bounds must be checked during all array accesses.

•Objects cannot arbitrarily be casted into other object types.

The program simply declares a character pointer, and without allocating any memory, accepts user input in that pointer. This can cause havoc if an attacker finds intelligent ways to exploit such code. This is not possible in Java.

On the Internet, computers exchange messages with each other in the form of small groups of data, called packets. A packet is like an envelope that contains the actual data to be sent and the address information. Attackers target these packets as they travel from the source computer to the destination computer over the Internet. These attacks take two main forms: (a) packet sniffing (also called snooping) and (b) packet spoofing. The protocol used in this communication is called the Internet Protocol (IP). Other names for these two attacks are (a) IP sniffing and (b) IP spoofing.

a.Packet sniffing: Packet sniffing is a passive attack on a conversation. An attacker need not hijack a conversation, but instead, can simply observe (i.e., sniff) the packets as they pass by. To prevent an attacker from sniffing packets, the information that is passed needs to be protected in some ways. This can be done at two levels: (i) The data that is traveling can be encoded in some way or (ii) the transmission link itself can be encoded. To read a packet, the attacker needs to access it in the first place. The simplest way to do this is to control a computer that the traffic goes through. Usually, this is a router. However, routers are highly protected resources. Therefore, an attacker might not be able to attack it and instead attack a less-protected computer on the same path.

b.Packet spooling: In this technique, an attacker sends packets with an incorrect source address. When this happens, the receiver (i.e., the party who receives these packets containing a false source address) would inadvertently send replies back to this forged address (called the spoofed address), and not to the attacker. This can lead to three possible scenarios:

(i.)The attacker can intercept the reply: If the attacker is between the destination and the forged source, the attacker can see the reply and use that information for the hijacking.

(ii.)The attacker need not see the reply: If the attacker’s intention was a Denial Of Service (DOS) attack, the attacker need not bother about the reply.

(iii.)The attacker does not want the reply: The attacker could simply be angry with the host, so it may put that host’s address as the forged source address and send the packet to the destination. The attacker does not want a reply from the destination, as it wants the host with the forged address to receive it and get confused.

Another attack, which is similar to these attacks, is the DNS spoofing attack. People usually can’t identify Websites using the Domain Name System (DNS) because they are not really memorable (for example, 120.10.1.67). For this, a special server computer called as a DNS server maintains the mappings between domain names and the corresponding IP address. The DNS server could be located anywhere. Usually, it is with the Internet Service Provider (ISP) of the users. With this background, the DNS spoofing attack works as follows.

1.Suppose that there is a merchant (Bob), whose site’s domain name is www.bob.com, and the IP address is 100.10.20. Therefore, the DNS entry for Bob in all the DNS is www.bob.com.

2.The attacker (Trudy) manages to hack and replace the IP address of Bob with her own (say 100.20.20.20) in the DNS server maintained by the ISP of another user, Alice. Therefore, the DNS server maintained by the ISP of Alice now has the following entry: www.bob.com, 100.20.20.20.

3.When Alice wants to communicate with Bob’s site, her web browser queries the DNS server maintained by her ISP for Bob’s IP address, providing it with the domain name (i.e., www.bob.com). Alice gets the replaced (i.e., Trudy’s) IP address, which is 100.20.20.20.

4.Alice then starts communicating with Trudy, believing that she is communicating with Bob.

Such attacks of DNS spoofing are quite common and cause havoc. Even worse, the attacker (Trudy) does not have to listen to the conversation on the wire. She has to simply be able to hack the DNS server of the ISP and replace a single IP address with her own.

A protocol called the DNSSec (secure DNS) is being used to thwart such attacks. Unfortunately, it is not widely used.

1.Find more examples of security attacks reported in the last few years.

2.What is the key principle of security?

3.Why is confidentially an important principle of security? Think about ways of providing security. (Hint: Think about the ways in which children use a secret language.)

4.Discuss the reasons behind the significance of authentication. Find out the simple mechanism of authentication. (Hint: What information do you provide when you use a free e-mail service such as Yahoo or Hotmail?)

5.In real life, how is the message integrity ensured? (Hint: On what basis is a check honored?)

6.What is repudiation? How can it be prevented in real life? (Hint: Think what happens if you issue a cheque, and after that, tell the bank that you never issued that cheque).

7.What is access control? How different is it from availability?

8.Why are some attacks called passive? Why are others called active?

9.Discuss a passive attack.

10.What is a masquerade? Which principle of security is breached because of that?

11.What are replay attacks? Give an example of replay attacks.

12.What is a denial of service attack?

13.What is a worm? What is the significant difference between a worm and a virus?

14.Find out more about some recent worms.

15.Write a small virus-like program in plain English that accepts a file name and changes every character in the file to an asterisk.

16.Read more about computer viruses and their principles of working in detail.

17.What is a Trojan horse? What is the principle behind it?

18.What are Java applets?

19.Discuss ActiveX controls and compare them with applets.

20.Find out more about applets and ActiveX control technology.

Chapter Goals

•One-way functions

•Digital signatures

•Anatomy of a certificate

•Digital certificates

•Authentication method

•Challenge handshake authentication protocol

•Biometrics

•Mutual authentication