Authentication
The process of verifying that you really are the person allowed to access a given computer.
(1) What you know (such as username and password) (2) What you have (such as key/phone muti-factor authentication) (3) What you are (such as fingerprint or iris scanner)
Authentication is authenticating user to let them IN.
Found in Lecture 9 Part 1 - Security
Does a computer store passwords in text?
NO
Stored passwords are encrypted, typically via hashing.
Found in Lecture 9 Part 1 - Security
Password cracker
computer program used to discover passwords from a hashed password file
Found in Lecture 9 Part 1 - Security
Suppose you created a 6-character password, using only the letters a-z and 0-9. How many different passwords are possible?
Is this secure?
36 x 36 x 36 x 36 x 36 x 36 = 36^6 = 2,176,782,336 (over a billion possibilities!).
A 6-character password, even if RANDOM, is NOT a good password
Found in Lecture 9 Part 1 - Security
What are good password practices when CHOOSING a specific password?
Use long password (at least 8 chars)
Use a mixture of uppercase and lowercase letters, digits, and special symbols.
Consider using the first letter of some long phrase that is meaningful to you, mixed with some digits or special symbols.
Avoid personal info such as name, userID, pet's name, or birth date.
Avoid common dictionary words.
Avoid obvious choices like "abcde", "123456"...
Found in Lecture 9 Part 1 - Security
What are good password practices for USING passwords?
Change your password often (many systems require this), DO NOT reuse old passwords.
Use different passwords for different applications.
Don't tell anyone your password.
Don't write your password down.
Use a password manager (password vault), a central cite that securely stores all your passwords in encrypted form.
Be very careful about entering a password over an unencrypted wireless network.
Found in Lecture 9 Part 1 - Security
Authorization
governs what an authenticated user is allowed to do
Authorization is deciding what user can do once IN.
Found in Lecture 9 Part 1 - Security
Access control lists (RWX)
Lists kept by the operating systems keeps that specify exactly what a user is allowed to do and disallows any action where the user does not have the proper privilege.
RWX = Read-Write-eXecute
Found in Lecture 9 Part 1 - Security
Computer security
prevention of unauthorized computer access
This includes viewing, changing, or destroying a computer or data
Found in Lecture 9 Part 1 - Security
Computer breach
a case of unauthorized computer access
Found in Lecture 9 Part 1 - Security
Hack
a malicious computer breach
the most common computer breach
Found in Lecture 9 Part 1 - Security
Security hole
an aspect of a computer that can be used to breach security
Most of the security holes are in the OS (remember, the OS is 40+ million LOC)
Found in Lecture 9 Part 1 - Security
Malware
MALicious softWARE
Found in Lecture 9 Part 2 - Security and zyBooks chapter 9
Virus
program/file that can copy itself when activated
works like a biological virus ... embeds itself into program/file ... when program/file activated, the virus is copied
Found in Lecture 9 Part 2 - Security and zyBooks chapter 9
worm
standalone program that can replicate itself
similar to virus, but can send copies of items to other computers ... does NOT need to embed in a file
Found in Lecture 9 Part 2 - Security and zyBooks chapter 9
Trojan horse
pretends to do legitimate task while breaching security
appears to do a legitimate task but also doing something nasty e.g., catching credit card keystrokes
Found in Lecture 9 Part 2 - Security and zyBooks chapter 9
denial of service
authorized user's access interrupted due to malicious action
tons of traffic to some site shuts down site to legitimate users, as site can't handle the # of requests
Found in Lecture 9 Part 2 - Security and zyBooks chapter 9
botnet
herd of computers controlled to perform task w/o user's knowledge
Botnets can cause new attacks to get more infected computers
Found in Lecture 9 Part 2 - Security and zyBooks chapter 9
phishing
An attempt to obtain sensitive information by disguising as a trustworthy entity in an electronic communication
Phishing is NOT malware.
Example: Sending an email for a mandatory training at a company, but linking to a malicious site where the user must enter their company credentials
Found in Lecture 9 Part 2 - Security and zyBooks chapter 9
Social Engineering
The "psychological manipulation of people into performing actions or divulging confidential information"
Examples: -Leaving an infected thumb drive in an employee parking lot -Calling customer support claiming you are someone else and cannot remember your password -Wearing a suit and confidently walking into a large corporation, discretely plugging in a small device on the network -Sending an email for a mandatory training at a company, but linking to a malicious site where the user must enter their company credentials
Found in Lecture 9 Part 2 - Security
Caesar cipher
Also known as Shift cipher.
Simplest form of encryption.
Shift letters by a certain amount. To decrypt: Unshift by the same amount (backwards!).
SYMMETRIC encryption algorithm. Substitution cipher.
Clearly NOT that secure ... only have to try at most 25 combinations to break
KEY POINT: simple one character substitutions are NOT very secure
Found in Lecture 9 Part 2 - Security
Symmetric Encryption Algorithm
requires one secret key known by BOTH sender and receiver
Found in Lecture 9 Part 2 - Security and Crash Course Cryptography video
Asymmetric Encryption Algorithm
requires two secret keys: -1 public key known by BOTH sender and receiver -1 private key known by ONLY receiver
no way to transmit a single shared key electronically; instead, better to have asymmetric algorithm with public and private keys
Found in Lecture 9 Part 3
Data Encryption Standard (DES)
Block cipher
64-bit block going in
56-bit secret key
Uses simple operations (substitutions, reductions, expansions, and permutations)
16 rounds
DES is a SYMMETRIC algorithm
Found in Lecture 9 Part 3 - Security
Advanced Encryption Standard (AES)
A symmetric cipher that was approved by the NIST in late 2000 as a replacement for DES. A key length can be 128, 192 or 256 bits!
Found in Lecture 9 Part 3 - Security
RSA
most common public-key encryption algorithm today
RSA = Rivest, Shamir, Adleman (The authors of the public-key encryption algorithm)
Steganography
the practice of hiding the very existence of a message
can conceal a file/image/message/etc. in another file
Found in Lecture 9 Part 3 - Security
Block cipher
operates on input characters in groups (or blocks). It encodes block of characters together.
Three steps:
Apply S Mapping (A=1, B=2, etc).
Multiply S result with matrix X (wraparound using modular arithmetic).
Apply S' to multiplication result (aka convert the digit output to characters).
algorithm "scatters" the plaintext throughout the ciphertext w/matrix multiplication
Found in Lecture 9 Part 3 - Security
How to decode Block cipher?
Use same step/algorithm as block cipher but you multiply the encrypted message by the invertible matrix X' instead!
Found in Lecture 9 Part 3 - Security
Cryptographic agility
How quickly software can support new cryptographic algorithms
Found in Post Quantum Cryptography reading