Chapter 9 - Security

30 Terms
Authentication
The process of verifying that you really are the person allowed to access a given computer. (1) What you know (such as username and password) (2) What you have (such as a key/phone for multi-factor authentication) (3) What you are (such as a fingerprint or iris scan) Authentication is authenticating a user to let them IN. Found in Lecture 9 Part 1 - Security
Does a computer store passwords in text?
NO. Stored passwords are encrypted, typically via hashing. Found in Lecture 9 Part 1 - Security
Password cracker
A computer program used to discover passwords from a hashed password file. Found in Lecture 9 Part 1 - Security
Suppose you created a 6-character password, using only the letters a-z and 0-9. How many different passwords are possible? Is this secure?
36 x 36 x 36 x 36 x 36 x 36 = 36^6 = 2,176,782,336 (over two billion possibilities!). A 6-character password, even if RANDOM, is NOT a good password. Found in Lecture 9 Part 1 - Security
What are good password practices when CHOOSING a specific password?
- Use a long password (at least 8 chars). - Use a mixture of uppercase and lowercase letters, digits, and special symbols. - Consider using the first letter of each word of some long phrase that is meaningful to you, mixed with some digits or special symbols. - Avoid personal info such as name, userID, pet's name, or birth date. - Avoid common dictionary words. - Avoid obvious choices like "abcde", "123456"... Found in Lecture 9 Part 1 - Security
What are good password practices for USING passwords?
- Change your password often (many systems require this); DO NOT reuse old passwords. - Use different passwords for different applications. - Don't tell anyone your password. - Don't write your password down. - Use a password manager (password vault), a central site that securely stores all your passwords in encrypted form. - Be very careful about entering a password over an unencrypted wireless network. Found in Lecture 9 Part 1 - Security
Authorization
Governs what an authenticated user is allowed to do. Authorization is deciding what a user can do once IN. Found in Lecture 9 Part 1 - Security
Access control lists (RWX)
Lists kept by the operating system that specify exactly what a user is allowed to do and disallow any action where the user does not have the proper privilege. RWX = Read-Write-eXecute Found in Lecture 9 Part 1 - Security
Computer security
Prevention of unauthorized computer access. This includes viewing, changing, or destroying a computer or data. Found in Lecture 9 Part 1 - Security
Computer breach
A case of unauthorized computer access. Found in Lecture 9 Part 1 - Security
Hack
A malicious computer breach; the most common kind of computer breach. Found in Lecture 9 Part 1 - Security
Security hole
An aspect of a computer that can be used to breach security. Most security holes are in the OS (remember, the OS is 40+ million LOC). Found in Lecture 9 Part 1 - Security
Malware
MALicious softWARE Found in Lecture 9 Part 2 - Security and zyBooks chapter 9
Virus
A program/file that can copy itself when activated. Works like a biological virus ... embeds itself into a program/file ... when that program/file is activated, the virus is copied. Found in Lecture 9 Part 2 - Security and zyBooks chapter 9
worm
A standalone program that can replicate itself. Similar to a virus, but can send copies of itself to other computers ... does NOT need to embed in a file. Found in Lecture 9 Part 2 - Security and zyBooks chapter 9
Trojan horse
Pretends to do a legitimate task while breaching security. Appears to do a legitimate task but is also doing something nasty, e.g., capturing credit card keystrokes. Found in Lecture 9 Part 2 - Security and zyBooks chapter 9
denial of service
An authorized user's access is interrupted due to malicious action. Tons of traffic to some site shuts the site down for legitimate users, as the site can't handle the # of requests. Found in Lecture 9 Part 2 - Security and zyBooks chapter 9
botnet
A herd of computers controlled to perform a task w/o the users' knowledge. Botnets can launch new attacks to get more infected computers. Found in Lecture 9 Part 2 - Security and zyBooks chapter 9
phishing
An attempt to obtain sensitive information by disguising as a trustworthy entity in an electronic communication. Phishing is NOT malware. Example: Sending an email about mandatory training at a company, but linking to a malicious site where the user must enter their company credentials. Found in Lecture 9 Part 2 - Security and zyBooks chapter 9
Social Engineering
The "psychological manipulation of people into performing actions or divulging confidential information". Examples: - Leaving an infected thumb drive in an employee parking lot - Calling customer support claiming you are someone else and cannot remember your password - Wearing a suit and confidently walking into a large corporation, discreetly plugging a small device into the network - Sending an email about mandatory training at a company, but linking to a malicious site where the user must enter their company credentials Found in Lecture 9 Part 2 - Security
Caesar cipher
Also known as the Shift cipher. Simplest form of encryption: shift letters by a certain amount. To decrypt: unshift by the same amount (backwards!). SYMMETRIC encryption algorithm. Substitution cipher. Clearly NOT that secure ... only have to try at most 25 shifts to break it. KEY POINT: simple one-character substitutions are NOT very secure. Found in Lecture 9 Part 2 - Security
Symmetric Encryption Algorithm
Requires one secret key known by BOTH sender and receiver. Found in Lecture 9 Part 2 - Security and Crash Course Cryptography video
Asymmetric Encryption Algorithm
Requires two secret keys: - 1 public key known by BOTH sender and receiver - 1 private key known by ONLY the receiver. There is no way to transmit a single shared key electronically; instead, it is better to have an asymmetric algorithm with public and private keys. Found in Lecture 9 Part 3
Data Encryption Standard (DES)
- Block cipher - 64-bit block going in - 56-bit secret key - Uses simple operations (substitutions, reductions, expansions, and permutations) - 16 rounds. DES is a SYMMETRIC algorithm. Found in Lecture 9 Part 3 - Security
Advanced Encryption Standard (AES)
A symmetric cipher that was approved by NIST in late 2000 as a replacement for DES. The key length can be 128, 192 or 256 bits! Found in Lecture 9 Part 3 - Security
RSA
The most common public-key encryption algorithm today. RSA = Rivest, Shamir, Adleman (the authors of the public-key encryption algorithm).
Steganography
The practice of hiding the very existence of a message. Can conceal a file/image/message/etc. in another file. Found in Lecture 9 Part 3 - Security
Block cipher
Operates on input characters in groups (or blocks). It encodes a block of characters together. Three steps: 1) Apply the S mapping (A=1, B=2, etc.). 2) Multiply the S result by matrix X (wraparound using modular arithmetic). 3) Apply S' to the multiplication result (i.e., convert the digit output back to characters). The algorithm "scatters" the plaintext throughout the ciphertext via matrix multiplication. Found in Lecture 9 Part 3 - Security
How to decode Block cipher?
Use the same steps/algorithm as the block cipher, but multiply the encrypted message by the inverse matrix X' instead! Found in Lecture 9 Part 3 - Security
Cryptographic agility
How quickly software can support new cryptographic algorithms. Found in Post Quantum Cryptography reading