Security

CIA Triad = Confidentiality , Integrity, Availability

Security Principles – Impact

= loss of availability – prevent users to access some or more of the system
= loss of confidentiality – disclosure of confidential information to malicious third party
= loss of integrity – changes your data / prevents you from getting correct data

Security Principles – Threat

= can be categorized as STRIDE
= Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, Elevation of
privilege

Security Principles – Vulnerabilities

= security holes in your system

Security Principles – Security Policy

= Usage Policy – defines what systems user are permitted to use, and under what situation
= Authentication policy – controls how users granted access to the systems
= Legal policies – data retention, backup policies, accessibility requirements

Security Principles – Secure by Design

Requirements -> Design -> Implementation -> Testing -> Deployment

Authentication

Authentication Factors
= What you know (knowledge)
= password, pin
= What you have (ownership)
= Access cards, FOB, keys
= What you are (inherence)
= DNA, Face

= Single-factor authentication – most common and weak authentication category, where you are
asked one of those 3 above
= Multi-factor authentication – two distinct factors must pass before you are granted access
HTTP Authentication
= HTTP Basic Authentication
= HTTP Digest Authentication
= Form-Based Authentication

Third-Party Authentication – oAuth

0. Client Registers
1. User Request to Login
2. Client redirects to authentication server
3. If valid login authentication, redirect to the client containing authorization code
4. Client requests an access token using authorization code
5. User wants to access a protective resource
6. Access token grants user to access protective resources

Authorization – what rights and privilege a user has once they are authenticated

Cryptography – Symmetric Encryption – using the same key when encrypting and decrypting
= Alice encrypts a message with a key
= Alice sends the cipher
= Eve cannot understand the cipher because she doesnt have the same key
= Bob has the same key and used it to decrypt the cipher so he can understand it

Cryptography – Substitution Cipher – shifts alphabet

= if alphabet is A, shift # is 3, then cipher alphabet is D
= not recommended, because it can be easily guessed (E is the most common alphabet)

Cryptography – Vigenere

Encryption:
• Align the keyword above the plaintext:
• Plaintext: H E L L O Keyword: K E Y K E
• Convert letters to numbers (A=0, B=1, ..., Z=25):
Plaintext: 7 4 11 11 14 Keyword: 10 4 24 10 4
• Add the corresponding numbers modulo 26:
Encrypted Numbers: (7 + 10) % 26 = 17 (R) (4 + 4) % 26 = 8 (I) (11 + 24) % 26 = 9 (J)
(11 + 10) % 26 = 21 (V) (14 + 4) % 26 = 18 (S)
• Convert the encrypted numbers back to letters:
Ciphertext: RIJVS
Now, let's decrypt the ciphertext back to the original plaintext using the same keyword.
3. Decryption:
• Align the keyword above the ciphertext:
Ciphertext: R I J V S Keyword: K E Y K E
 • Convert letters to numbers:
Ciphertext: 17 8 9 21 18 Keyword: 10 4 24 10 4
• Subtract the keyword numbers from the ciphertext numbers modulo 26:
Decrypted Numbers: (17 - 10) % 26 = 7 (H) (8 - 4) % 26 = 4 (E) (9 - 24) % 26 = 11 (L)
(21 - 10) % 26 = 11 (L) (18 - 4) % 26 = 14 (O)
• Convert the decrypted numbers back to letters:
Decrypted Plaintext: HELLO

Cryptography – Public Key Cryptography

= asymmetric cryptography
= solves the problem using two distinct keys, public and private key

Cryptography – Public Key Cryptography – Diffie Hellman

1. Setup:
• Alice and Bob agree on prime number p = 23 and primitive root g = 5.
2. Key Generation:
• Alice chooses her secret key a = 6.
• Bob chooses his secret key b = 15.
3. Partial Key Exchange:
• Alice calculates and sends A to Bob: A = g^a mod p = 5^6 mod 23 = 8
• Bob calculates and sends B to Alice: B = g^b mod p = 5^15 mod 23 = 19
4. Shared Secret Calculation:
• Alice receives B = 19 from Bob and calculates the shared secret s: s = B^a mod p
= 19^6 mod 23 = 2
• Bob receives A = 8 from Alice and calculates the shared secret s: s = A^b mod p
= 8^15 mod 23 = 2

Cryptography – Digital Signatures

= mathematically secure way of validating that a particular digital document was
= created by the person claiming that he created it (authenticity)
= was not modified in transit (integrity)
= cannot be denied (non repudiation)
= secure internet communication
= secret key (sk), public key (pk)
= if you want to receive a message
= Sender: Encrypt(message, pk) – encrypted message
= Receiver: Decrypt (encrypted message, sk)
= if you want to send a message
= Sender: Encrypt(message, sk) – digital signature
= Receiver: Decrypt(message, digital signature, pk) – True / False
HTTPS – Hyper Text Transfer Protocol Secure

Security Best Practices – Data Storage

= Secure Hash
= Salting the Hash

Common Threat Vectors – Brute-Force Attacks

= throttle login attempts
= Limit number of guesses
= Captcha

Common Threat Vectors – Denial of Service

= Each computer in this bot army is running the same program or script that is
bombarding the server with requests. These users are probably unaware that this is happening
Common Threat Vectors – SQL Injection
= When a hacker enters a delete table query during input
Common Threat Vectors – Cross-Site Scripting
= hackers can create scripts on the url : index.php?name=<script>...</script>
Common Threat Vectors – Stored Cross-Site Scripting
= hackers can create scripts on an input box

Common Threat Vectors – Security Misconfiguration – Virtual Open Mail relay

= hacker can modify query and make spam to different emails
Common Threat Vectors – Security Misconfiguration – command line pass through
= hacker can input commands and get private data using input box

Blockchain Database
= a network of computers sharing the same ledger of all transactions that have taken place on
the network:

How Does Blockchain work?

Encryption
• Internet Communication:
• Private/Secret Keys (sk) and Public Keys (pk)
• If you want someone to send you a message:
Sender: Encrypt(Message,pk) -> Encrypted Message
Receiver (you): Decrypt(Encrypted Message,sk) -> Message
• If you want to send a message to someone:
Sender (you): Encrypt(Message, sk) -> digital signature
Receiver: Decrypt(Message, digital signature, pk) -> T/F
Hashing
A hash function is any function that maps an input of arbitrary size into data of a fixed size

SHA-256( Hello World!) =

7f83b1657ff1fc53
b92dc18148a1d65d
fc2d4b1fa3d67728
4addd200126d9069

SHA-256( Hello Warld!) =

1d22e58656f194f9
b3fbb3bf550f75a4
af4ab38d239ed48c
6fc15214a12df698

Cryptocurrency
= a ledger of all currency transaction that have taken place on the network
LEGER:
A has given D $10
C has given G $30

Cryptocurrency: mining

• If the transaction is valid, all miners on the network will start work on
finding an answer to a very time-consuming problem to harden the
transaction “block”.
• Once an answer is found, the new block is added to the block chain
including a “proof of work”, and the miner is rewarded for their efforts

• A valid block in the blockchain must contain a proof of work.

• A proof of completing a computationally intense problem (in
this case that can only be solved using brute force).
• When a proof of work is established for a transaction, it
becomes a block, eligible to be added to the chain.