30 Terms
1
Authentication
The process of verifying that you really are the person allowed to access a given computer.
(1) What you know (such as a username and password); (2) what you have (such as a key or phone, used for multi-factor authentication); (3) what you are (such as a fingerprint or iris scan).
Authentication is verifying a user in order to let them IN.
Found in Lecture 9 Part 1 - Security
2
Does a computer store passwords in text?
NO
Stored passwords are encrypted, typically via hashing.
Found in Lecture 9 Part 1 - Security
3
Password cracker
a computer program used to discover passwords from a hashed password file
Found in Lecture 9 Part 1 - Security
4
Suppose you created a 6-character password, using only the letters a-z and 0-9. How many different passwords are possible?
Is this secure?
36 x 36 x 36 x 36 x 36 x 36 = 36^6 = 2,176,782,336 (over a billion possibilities!).
A 6-character password, even if RANDOM, is NOT a good password
Found in Lecture 9 Part 1 - Security
5
What are good password practices when CHOOSING a specific password?
- Use a long password (at least 8 characters).
- Use a mixture of uppercase and lowercase letters, digits, and special symbols.
- Consider using the first letter of some long phrase that is meaningful to you, mixed with some digits or special symbols.
- Avoid personal info such as name, userID, pet's name, or birth date.
- Avoid common dictionary words.
- Avoid obvious choices like "abcde", "123456"...
Found in Lecture 9 Part 1 - Security
6
What are good password practices for USING passwords?
- Change your password often (many systems require this), DO NOT reuse old passwords.
- Use different passwords for different applications.
- Don't tell anyone your password.
- Don't write your password down.
- Use a password manager (password vault), a central site that securely stores all your passwords in encrypted form.
- Be very careful about entering a password over an unencrypted wireless network.
Found in Lecture 9 Part 1 - Security
7
Authorization
governs what an authenticated user is allowed to do
Authorization is deciding what a user can do once IN.
Found in Lecture 9 Part 1 - Security
8
Access control lists (RWX)
Lists kept by the operating system that specify exactly what a user is allowed to do, disallowing any action for which the user lacks the proper privilege.
RWX = Read-Write-eXecute
Found in Lecture 9 Part 1 - Security
9
Computer security
prevention of unauthorized computer access
This includes viewing, changing, or destroying a computer or data
Found in Lecture 9 Part 1 - Security
10
Computer breach
a case of unauthorized computer access
Found in Lecture 9 Part 1 - Security
11
Hack
a malicious computer breach
the most common computer breach
Found in Lecture 9 Part 1 - Security
12
Security hole
an aspect of a computer that can be used to breach security
Most of the security holes are in the OS (remember, the OS is 40+ million LOC)
Found in Lecture 9 Part 1 - Security
13
Malware
MALicious softWARE
Found in Lecture 9 Part 2 - Security and zyBooks chapter 9
14
Virus
a program/file that can copy itself when activated
works like a biological virus ... embeds itself into a program/file ... when the program/file is activated, the virus is copied
Found in Lecture 9 Part 2 - Security and zyBooks chapter 9
15
worm
a standalone program that can replicate itself
similar to a virus, but can send copies of itself to other computers ... does NOT need to embed in a file
Found in Lecture 9 Part 2 - Security and zyBooks chapter 9
16
Trojan horse
pretends to do a legitimate task while breaching security
appears to do a legitimate task but is also doing something nasty, e.g., capturing credit card keystrokes
Found in Lecture 9 Part 2 - Security and zyBooks chapter 9
17
denial of service
an authorized user's access is interrupted due to malicious action
tons of traffic to a site shuts the site down for legitimate users, as the site can't handle the number of requests
Found in Lecture 9 Part 2 - Security and zyBooks chapter 9
18
botnet
a herd of computers controlled to perform a task without the users' knowledge
Botnets can launch new attacks to infect more computers
Found in Lecture 9 Part 2 - Security and zyBooks chapter 9
19
phishing
An attempt to obtain sensitive information by disguising as a trustworthy entity in an electronic communication
Phishing is NOT malware.
Example: Sending an email for a mandatory training at a company, but linking to a malicious site where the user must enter their company credentials
Found in Lecture 9 Part 2 - Security and zyBooks chapter 9
20
Social Engineering
The "psychological manipulation of people into performing actions or divulging confidential information"
Examples:
- Leaving an infected thumb drive in an employee parking lot
- Calling customer support claiming you are someone else and cannot remember your password
- Wearing a suit and confidently walking into a large corporation, discreetly plugging a small device into the network
- Sending an email for a mandatory training at a company, but linking to a malicious site where the user must enter their company credentials
Found in Lecture 9 Part 2 - Security
21
Caesar cipher
Also known as the shift cipher.
The simplest form of encryption.
Shift letters by a certain amount. To decrypt: unshift by the same amount (backwards!).
A symmetric cipher that was approved by the NIST in late 2000 as a replacement for DES. A key length can be 128, 192 or 256 bits!
Found in Lecture 9 Part 3 - Security
26
RSA
the most common public-key encryption algorithm today
RSA = Rivest, Shamir, Adleman (The authors of the public-key encryption algorithm)
27
Steganography
the practice of hiding the very existence of a message
can conceal a file/image/message/etc. in another file
Found in Lecture 9 Part 3 - Security
28
Block cipher
operates on input characters in groups (or blocks), encoding a block of characters together.
Three steps:
1) Apply the S mapping (A=1, B=2, etc.).
2) Multiply the S result by the matrix X (with wraparound using modular arithmetic).
3) Apply S' to the multiplication result (i.e., convert the digit output back to characters).
The algorithm "scatters" the plaintext throughout the ciphertext via matrix multiplication.
Found in Lecture 9 Part 3 - Security
29
How to decode Block cipher?
Use the same steps/algorithm as the block cipher, but multiply the encrypted message by the inverse matrix X' instead!
Found in Lecture 9 Part 3 - Security
30
Cryptographic agility
How quickly software can support new cryptographic algorithms