ATHARVA EDUCATIONAL TRUST'S
ATHARVA COLLEGE OF ENGINEERING, MUMBAI

Assignment 2

Q.1 I) Write a note on user authentication.

- User authentication is the process of verifying the identity of a user attempting to access a system or application. It plays a critical role in ensuring the security and integrity of digital assets and sensitive information.
- Several methods of user authentication:
  1. Password
  2. Multi-factor authentication (MFA)
  3. Biometric authentication
  4. Token-based authentication
  5. Single sign-on (SSO)
- Effective user authentication requires a balanced approach that considers factors such as security, usability, scalability and regulatory compliance.

II) What is password-based authentication?

- Password-based authentication is a common method used to verify the identity of a user accessing a system, application, or online service. In this approach users provide a secret passphrase or password to prove their identity.
- Process of password authentication:
  1. User registration
  2. Password storage
  3. Authentication
  4. Password policies
  5. Password recovery
- Disadvantages:
  1. Password weakness
  2. Password reuse
  3. Phishing

III) What is challenge-based authentication?

- Challenge-based authentication, also known as challenge-response authentication, is a method used to verify the identity of a user by presenting a challenge and expecting a specific response from the user. It is employed in scenarios where password-based authentication is not feasible or where additional security measures are required.
  1. Challenge generation
  2. Challenge presentation
  3. Response calculation
  4. Response submission
  5. Verification
- Forms of challenge-based authentication:
  1. One-time passwords
  2. Challenge-response protocol
  3. CAPTCHA

IV) What is digital signature?

- A digital signature is a cryptographic technique used to ensure the authenticity, integrity and non-repudiation of digital messages, documents or transactions.
- It provides a way for the sender of a message to prove their identity and that the message has not been altered since it was signed.
- Digital signatures offer a lightweight and efficient way to ensure the [illegible] and security of digital communications and transactions without requiring physical signatures or paper documents.
- Digital signatures are widely used in various applications including electronic documents, email communication, online transactions, [illegible] and digital contracts to provide security and trust in digital interactions.
- Working of digital signature:
  1. Key generation
  2. Signing
  3. Verification

What do you mean by buffer overflow attack?

- A buffer overflow attack is a type of security vulnerability that occurs when a program or process tries to store more data in a buffer than it was designed to hold. This can happen when input data from an external source, such as user input or network data, is not properly validated or sanitized before being copied to a buffer.
- Working of buffer overflow attack:
  1. Input data
  2. Buffer overflow
  3. Exploitation
  4. Execution
- Buffer overflow attacks pose significant security risks and can have serious consequences including system crashes, data corruption, unauthorized access to sensitive information and compromise of the system.

VI) Differentiate between worms and viruses.

Virus | Worms
1. The malicious code which will destroy the functioning of the computer system and transfer from one system to another. | 1. It is a malicious program that will copy itself and spread from one computer to another system.
2. Virus is created [illegible]. | 2. Doesn't need human.
3. Speed of spreading virus is slow. | 3. The speed of spreading worms is fast.
4. Host is needed for spreading. |

VII) Write a note on SQL injection.

- SQL injection is a common type of cyber attack that targets the security vulnerabilities in web applications and databases. It occurs when an attacker manipulates input data to exploit weaknesses in SQL statements used by the application to interact with the database.
- SQL injection attacks can lead to unauthorized access to sensitive data, data manipulation and even complete compromise of the affected system.
- Working of SQL injection:
  1. Injection point identification
  2. Malicious input
  3. SQL query manipulation
- SQL injection attacks can have serious security implications and pose significant risks to the confidentiality, integrity and availability of data and systems.

Write a note on RSA.

- RSA (Rivest-Shamir-Adleman) is a widely used public key cryptosystem for secure communication and digital signatures.
- Working:
  1. Key generation:
     - RSA uses a pair of keys: public key and private key.
     - Choose two large prime numbers p and q.
     - Compute the product of these: n = p * q.
     - Compute Euler's totient function φ(n) = (p - 1)(q - 1).
     - Choose an integer e such that 1 < e < φ(n) and e is coprime with φ(n); e is the public exponent.
     - Compute d, the modular multiplicative inverse of e modulo φ(n); d is the private exponent.
  2. Encryption: To encrypt a message M using RSA, the sender uses the recipient's public key (n, e) to perform modular exponentiation:
     C = M^e (mod n)
  3. Decryption: To decrypt the ciphertext C, the recipient uses their private key (n, d) to perform modular exponentiation:
     M = C^d (mod n)
     recovering the original message M.

List the attacks on digital signatures.

  1. Forgery attack
  2. Key compromise impersonation attack
  3. Known message attack
  4. Chosen message attack
  5. Birthday attack
  6. Replay attack
  7. Man in the middle

Q.2 Explain PGP protocol for email security.

- Pretty Good Privacy (PGP) is an email security program that was developed in 1991 and is based on public key cryptography.
- In a public key cryptography system that depends upon third-party Certificate Authorities to establish trust, there is no mutual trust amongst the users.
- Each user trusts a reputed CA and thus the CA plays a predominant role in establishing the trust so that communication can happen between users.
- If there is no CA, the trust relationship is not established and thus the communication may not happen.
- PGP services:
  1. Encryption:
     (a) Sender creates a message.
     (b) PGP generates a random number that is used as symmetric key to encrypt it.
     (c) The key is then encrypted using the receiver's public key.
     (d) Encrypted message and the encrypted symmetric key are sent to the receiver.
     (e) The receiver decrypts the encrypted symmetric key using her private key.
     (f) Once the receiver gets the symmetric key after decryption, the key can be used to decrypt the message.
  2. Digital signature: The digital signature uses a hash code or message digest algorithm, and a public key signature algorithm.
  3. Compression: PGP compresses the message after applying the signature but before encryption. Compression has the added side effect that some types of attacks can be avoided by the fact that even the slightly altered.
  4. Radix-64 conversion: Radix-64 conversion is useful for compatibility of emails across varied systems. PGP's underlying native representation for encrypted message.

Explain SSL protocol.

- Secure Socket Layer (SSL) is a cryptographic protocol designed to protect communication between two entities.

SSL record protocol:
- The SSL record protocol is the last protocol that receives the raw data from the higher application layers and other SSL protocols such as handshake.
- Types of records:
  1. Handshake records
  2. Change cipher spec record
  3. Alert records
  4. Application data record

SSL change cipher spec protocol:
- The change cipher spec protocol notifies about the changes in cipher parameters. The protocol consists of a single message which is encrypted and compressed.
- The change cipher spec protocol notifies the communicating parties about any change in the previously negotiated specifications or keys.

SSL alert protocol:
- The SSL alert protocol signals problems with an SSL session. One of the content types supported by the SSL record layer is the alert type. Alert messages notify the severity of the alert and a description of the alert.

SSL handshake protocol:
- The cryptographic parameters of the session state are produced by the SSL handshake protocol.
- Processes performed in SSL handshake protocol:
  1. Agree on a protocol version.
  2. Select cryptographic algorithm.
  3. Optionally authenticate each other.
  4. Use public key encryption techniques to generate shared secrets.

Q.4 Explain IPsec protocol.

- IP stands for Internet Protocol. IP defines a set of protocols that can be used for communication between any two devices on the network.
- Network protocol is a standard set of rules that determines how systems will communicate across networks.
- IPsec is a suite of protocols that protects IP traffic.
- Modes of operation:
  1. Transport mode: In this mode, only the payload (data) part of the information is protected. The addressing and routing information is not protected.
  2. Tunnel mode: In this mode both the payload as well as the addressing information is protected.
     In this mode the entire packet is protected and a new IP header is used by IPsec.
- Security protocols/services provided by IPsec:
  1. Authentication Header (AH)
  2. Encapsulating Security Payload (ESP)
  3. Internet Security Association and Key Management Protocol (ISAKMP)
  4. Internet Key Exchange (IKE)

Q.5 Explain ARP spoofing and IP spoofing.

ARP spoofing:
- ARP spoofing is a technique by which the attacker associates her MAC address with the IP address of a legitimate device.
- It is also called ARP cache poisoning or ARP poison routing.
- During network communication, a device, when it wishes to interact with another target device, requires mapping the IP address of the target to the MAC address of the target.
- In ARP spoofing, the attacker maliciously provides the MAC address of her device so that the wrong mapping of target IP address to the target MAC is created.
- Once the attacker's MAC address is linked to the target IP address, the attacker will begin receiving any data that is intended for that IP address.

IP spoofing:
- IP spoofing is a technique whereby an attacker impersonates another machine by manipulating IP packets.
- The goal of the attacker is to get unauthorized access to communication by manipulating her IP address as the actual target IP address.
- Common attacks:
  1. Steal sensitive information by impersonating as the legitimate address.
  2. Bypass authentication in networks where machines are trusted by their address.
  3. Carry out denial of service (DoS) attacks by manipulating that the traffic is coming from a legitimate source.

Q.6 Write a note on DoS and DDoS attacks.

- Denial of service (DoS) is an attack from a single source such that the resources are exhausted on the target beyond its serving capacity.
- Distributed denial of service (DDoS) is an attack from multiple sources such that the resources are exhausted on the target beyond its serving capacity.
- Types of DoS/DDoS attacks:
  1. HTTP flood: It is similar to you hitting refresh on your browser several times. It is just that it is done at a much larger scale to crash the web server.
  2. Ping (ICMP) flood: In this attack, the target machine is sent so many ping requests that it is overwhelmed and fails to respond.
  3. Ping of death: In this attack, the target machine is sent malformed packets such that the system is unable to understand or process them, resulting in a crash.
  4. Smurf attack: The victim's IP address is used as the recipient for receiving responses from broadcast communication.
  5. DNS amplification: DNS server resolves the domain name to an IP address. The attacker crafts a DNS request such that the DNS server responds with a large amount of data and crashes the target.
  6. SYN flood: In SYN flood attacks the attacker exploits the way a TCP connection is established. After sending the SYN packet to the target, the attacker does not respond with the ACK packet.
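
The half-open handshake described under SYN flood can be detected by counting SYNs that never receive the client's final ACK. The Python code below is an added example, not part of the original assignment; the packet tuples, addresses, threshold and timeout are constructed assumptions. Counts are kept per target rather than per source, because flood sources may be spoofed (see IP spoofing in Q.5).

```python
from collections import defaultdict

def sample_packets():
    """Constructed capture: (time_s, src_ip, src_port, dst_ip, dst_port, flags)."""
    pkts = [
        # One normal client that completes the three-way handshake.
        (0.0, "198.51.100.7", 40000, "192.0.2.10", 443, "S"),
        (0.0, "192.0.2.10", 443, "198.51.100.7", 40000, "SA"),
        (0.1, "198.51.100.7", 40000, "192.0.2.10", 443, "A"),
    ]
    # 200 SYNs from varying source addresses that never send the final ACK.
    for i in range(200):
        src = f"203.0.113.{i % 250 + 1}"
        pkts.append((1.0 + i * 0.01, src, 1024 + i, "192.0.2.10", 443, "S"))
    return pkts

def half_open_by_target(packets, now, timeout=3.0):
    """Per (dst_ip, dst_port), count handshakes that saw a SYN but no
    completing ACK from the client within `timeout` seconds."""
    pending = {}  # (src, sport, dst, dport) -> time the SYN was seen
    for ts, src, sport, dst, dport, flags in packets:
        key = (src, sport, dst, dport)
        if flags == "S":
            pending[key] = ts
        elif flags == "A" and key in pending:
            del pending[key]          # client answered: handshake complete
        elif "R" in flags:
            pending.pop(key, None)    # client reset: no longer half-open
    counts = defaultdict(int)
    for (_, _, dst, dport), ts in pending.items():
        if now - ts >= timeout:
            counts[(dst, dport)] += 1
    return dict(counts)

def syn_flood_alerts(packets, now, threshold=100, timeout=3.0):
    """Return the targets whose stale half-open count reaches the threshold."""
    stale = half_open_by_target(packets, now, timeout)
    return sorted(t for t, n in stale.items() if n >= threshold)

if __name__ == "__main__":
    print(syn_flood_alerts(sample_packets(), now=10.0))
```
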
