Topic1 CIA concepts:

Computer Security: The protection afforded to an automated information system in

order to attain the applicable objectives of preserving the integrity, availability, and
confidentiality information system resources
Vulnerability: A weakness in the system.
Threat: A set of circumstances that has the potential to cause loss or harm.
Control: A countermeasure or security mechanism to counter threats.
A threat is blocked by control of a vulnerability

Why important?
Protection of Sensitive Information: prevent identity theft, financial loss, etc
Risk Mitigation: organization can prevent data breaches, DoS, etc
Regulatory Compliance: adhere to strict govt regulation
Competitive Advantage: help maintain customer trust and loyalty
Adaptation to Evolving Threats

CIA
Confidentiality: Assures that private or confidential information is not made available or
disclosed to unauthorized individuals.
Sometime privacy is also grouped under confidentiality.
Privacy: Assures that individuals control or influence what information related to them
may be collected and stored and by whom and to whom that information may be
disclosed.
Integrity: Assures that the data has not been altered or tampered with by unauthorized
users-Modifying
Availability: Assures that systems work promptly, and service is not denied to
authorized [Link], DDoS
Non-Repudiation (digital signature): The ability of a system to confirm that a sender
cannot convincingly deny having sent something
Source Authenticity: The ability of a system to confirm the identity of a sender

Why is it difficult to be secure?

Ease-of-use: Security mechanisms interfere with working patterns users originally
familiar eg, 2FA more effort
Performance: Security mechanisms consume more resources and lowers performance.
Cost: Security mechanisms are expensive to develop and manage.
Security not considered: Many systems do not consider security during the early design
stage.
Difficult to formulate requirements: Designers not aware of many possible attack
scenarios (e.g., many side-channel were discovered recently).
Difficult to Design: System most vulnerable at its weakest point, and there are many
constraints. (e.g., we understand email spoofing very well. But there is no practical
foolproof design.)
Implementation bugs: Even if the design is secure, the system may not be properly
implemented, especially for large, complex systems. Also, it is difficult to verify whether
an implementation is correct.
Difficult to operate/manage Human in-the-loop. Complexity leads to configuration
errors, mismanagement of patches, credential, etc. (e.g., developers’ accounts remain
in production system)

Symmetric Key encryption Scheme

Encryption is the process of converting a message (plaintext) into a meaningless
message (ciphertext).
Decryption is the reverse process.

system for encryption and decryption is called a cryptosystem.

Properties:
Correctness: For any plaintext x and key k, Dk(Ek(x)) = x
Security: from the ciphertext, the eavesdropper is unable to derive useful information of
the key k or the plaintext x, even if the eavesdropper can “probe” the system. The
ciphertext should be “indistinguishable” from a random stream. Probabilistic:
Encryption could be probabilistic. That is, for the same plaintext, there could be
different ciphertext. Yet they all can be decrypted to the same x.

Attack model:
class of attacks that it can prevent, 1) the attacker’s goals 2) attacker’s capabilities
If some attacks are successful on S1, whereas S2 can prevent all possible attacks
(within the class of attacks formulated by the attack model), then S2 is more secure
than S1 with respect to the attack model.

Goals:
Total Break: The attacker wants to find the key
Partial Break: Want to decrypt a ciphertext but not interested in the secret key,Or simply
want to extract some information about the plaintext.
Distinguishability: Most modest goal, With some “non-negligible” probability more than
half, the attacker can correctly distinguish the ciphertexts of a given plaintext (say, “Y”)
from the ciphertext of another given plaintext (say, “N”). if not indistinguishability or the
scheme is semantically secure.
Total break is the “most difficult” goal, Distinguishability is the “weakest” goal.
If an attacker can achieve total break, the attacker also can achieve partial break and
distinguishability.

Attacker’s Capability

Ciphertext-only attack (CTO): The attacker is given a collection of ciphertext, c and may
know some properties of the plaintext, The attacker will analysis of the ciphertext itself,
generally applying various statistical tests to it, Weakest attacker capability because it
provides the least amount of information

Known plaintext attack (KPA): The attacker is given a collection of plaintext m and their
corresponding ciphertext c (the attacker can’t choose the plaintext.) The attacker may
be able to capture one or more (plaintext, ciphertext) pairs. The attacker may know that
certain plaintext patterns will appear in a message. example, a file that is encoded in
the Postscript format always begins with the same pattern or standardized header such
html. With this knowledge, the attacker may be able to find the key based on the way
the known plaintext is transformed.

Chosen plaintext attack (CPA): The attacker can choose arbitrary plaintexts to be
encrypted and obtain the corresponding ciphertexts. Model this by considering attacker
has access to encryption oracle, e.g. smart card, protocol

Chosen ciphertext attack (CCA2): Same as chosen plaintext attack, but here, the
attacker chooses the ciphertext and the black-box outputs the plaintext. We call the
black-box a decryption oracle.

many systems employ cipher that is only secure against CPA but not CCA2.
It make sense to assume that the attacker has access to the decryption oracle.
We want a cipher that can protect against the attacker with the highest capability,
lowest goals
Topic 2 Modern ciphers:
Kerckhoffs’s Principle: A system should be secure even if everything about the system,
except the secret key, is public knowledge.
Security through Obscurity: To hide the design of the system to achieve security.
A cipher is an algorithm or a series of well-defined steps used in cryptography to
encrypt and decrypt data.
Substitution Cipher:
Plaintext and ciphertext: a string over a set of symbols U.
Let U = {"a", "b", "c", ..., "z", "_"}
Key: a substitution table S, representing an 1-1 onto function from U to U E.g., S(a) = g,
The inverse of S => 𝑆 −1 (g) = a

substitution cipher is not secure under known plaintext attack.

Brute force Attack:
Given X(plain text), C(cipher text)
For each s in S (key space)
Compute X’ = Ds(C); (decrypt)
If (X’== X) then break
end-for
Display ( “The key is ”, s );
Substitution cipher is vulnerable to frequency analysis attack, not secure under
ciphertext only attack.

Permutation Cipher:
The encryption first groups the plaintext into blocks of t characters and then apply a
secret “permutation” to each block by shuffling the characters. The key is the secret
“permutation”, is a 1-1 onto function, Permutation cipher fails under known-plaintext
attack, Permutation cipher is broken under ciphertext-only, if plaintext is English text
Performing substitution twice using two tables does not increase difficulty of attack. It
simply reduces to one table, interlacing them, attacks become more difficult. modern
encryption scheme (e.g. AES) is designed using rounds of S and P.

Exhaustive Search: Goal is to find the key or to obtain some information of the plaintext.
exhaustively search the keys, examine all possible keys one by one. For a cipher to be
secure, exhaustive search must be computationally infeasible.

The key space is the set of all possible keys, key space = { 000, 001, 010, 011, 100, 101,
110, 111}
The key space size or size of key space is the total number of possible keys. For a 3-bit
key, key space size = 8 (23 )
The key size or key length is the number of bits required to represent a key. oFor a 3-bit
key, key length = 3

One-Time Pad
1. Commutative: A ⊕ B = B ⊕ A
2. Associative: A ⊕ (B ⊕ C) = (A ⊕ B) ⊕ C
3. Identity Element: A ⊕ 0 = A
4. Self-Inverse: A ⊕ A = 0
5. Mathematical Definition: A ⊕ B = (A + B) mod 2

Encryption: plaintext ⊕ key = ciphertext

Decryption: ciphertext ⊕ key = plaintext
Correctness Proof (x ⊕ k) ⊕ k = x ⊕ (k ⊕ k) = x ⊕ 0 = x

It is a pure substitution cipher. Practical, the name comes from an encryption method in
which a large, non-repeating set of keys is written on sheets of paper, glued together
into a pad.
Property of the key: The key cannot be re-used. That is, a key can only be used once. Key
size should be as long as the plaintext. E.g., a 1GB plaintext would need a 1GB key to
encrypt.

Leaks no information of the plaintext, hence called “unbreakable one-time

However, OTP is secure only if these rules are followed: The OTP should consist of truly
random characters (noise), The OTP should have the same length as the plaintext. Only
two copies of the OTP should exist. The OTP should be used only once. Both copies of
the OTP are destroyed immediately after use. Not Practical to use.

Stream Cipher and IVs:

more practical to use, uses PRG, pseudo random generator to generate pseudorandom
key streams using short keys, PRG is deterministic
Stream cipher encrypts plaintext 1 byte at a time Also may be designed to operate on 1
bit at a time or on units larger than a byte at a time
If two messages are identical and if the same keystream is used to encrypt the
message, the corresponding ciphertext is going to be identical.
Can lead to keystream reuse attack: If an attacker intercept multiple ciphertexts
generated with the same key and identical keystreams, they could potentially derive
information about the plaintexts or even recover the encryption key.
Plaintexts: X and Y
Ciphertexts: U and V
Key: K (The same key is used for both)
Encryption Formulas:
U=X⊕K
V=Y⊕K
Attacker's Computation:
U ⊕ V = (X ⊕ K) ⊕ (Y ⊕ K)
By associative and commutative properties of XOR:
U ⊕ V = (X ⊕ Y) ⊕ (K ⊕ K)
Since K ⊕ K = 0 (Self-Inverse property):
U⊕V=X⊕Y

IV is random value used as additional input to generate the keystream

Ensures that even if the same key is used for multiple encryptions, the generated
keystream will be different if unique IV is used.
Pseudo-random generator (PRG or G) to generate keystream from a seed (i.e., IV)
Encryption: use shared key k and initialization vector IV for the seed.
ciphertext = plaintext ⊕ PRG( k, IV)

Example: RC4 (Rivest’s Cipher 4, 1987) A5/1 (used in GSM, 1987),

Block Cipher
Data Encryption Standard (DES): Block size: 64 bits ; Key size: 56 bits.
Advanced Encryption Standard (AES): AES block length is 128, and key length can be
128, 192 or 256 bits, 256 most secure
A block cipher has fixed size input/output. For large plaintext (say 10 MB), first divide
into blocks, and then apply block cipher. The method of extending encryption from a
single block to multiple blocks to encrypt is called mode-of-operation.

Electronic Code Book (ECB): Divides plaintext into blocks and then applies block
cipher to each block, all with the same key. Same plaintext always corresponds to same
ciphertext
Encryption: CTⱼ = Eₖ(PTⱼ) Decryption: PTⱼ = E⁻¹ₖ(CTⱼ)

Cipher Block Chaining (CBC): semantic security, encryption cannot be parallelized,

decryption can be parallelized.
Encryption: CTⱼ = Eₖ(PTⱼ ⊕ CTⱼ₋₁) Decryption: PTⱼ = E⁻¹ₖ(CTⱼ) ⊕ CTⱼ₋₁
Initialization: CT₀ = IV called initialization vector
Counter Mode (CTR): Semantic security, Can be parallelized, similar to stream cipher,
difference is that stream cipher used PRG to generate key stream, counter mode uses
encryption algorithms like AES.
Initialization: X₁ = IV called initialization vector Counter Update: Xⱼ = X₁ + j - 1 Encryption:
CTⱼ = Eₖ(Xⱼ) ⊕ PTⱼ Decryption: PTⱼ = Eₖ(Xⱼ) ⊕ CTⱼ

DES is not secure: meet in the middle attack, 2-DES improves to 2^57, 3-DES is 2^112
Use triple encryptions, but 2 keys. Ek1(Ek2(Ek1(x))) Or Ek1(Dk2(Ek1(x)))
Both are believed to have the same level of security. choosing k1 = k2, is same as single
encryption, The storage requirement dropped by a factor of 2s, but the number of
cryptographic operations increased by a factor of 22s.

Encryption Oracle. On query a plaintext x, the oracle outputs the ciphertext Ek(x) where
the key k is a secret key.
Decryption Oracle. On query a ciphertext c, the oracle outputs the plaintext Dk(x) where
the key k is a secret key.
GCM mode (Galois/Counter): It is an “Authenticated-Encryption”, secure in the
presence of decryption oracle.

PKCS:

Padding Oracle: decrypts and check if padding format is correct,

IV'7 = IV7 ⊕ 0x03 ⊕ 0x04 = IV7 ⊕ 0x07
New IV’ is just current plaintext xor with required padding.
Cryptographic pitfalls:
Wrong choices of IV. Reusing one-time-pad, IV’s must not be the same for two different
ciphertext
Predictable secret generation
Designing your own cipher

Topic 3 PKC AND DATA INTEGERITY:

A symmetric-key encryption scheme uses the same key for encryption and decryption
Many schemes: Substitution, Permutation, one-time pad, stream cipher,
Block cipher: AES and DES
Data Integrity and Data Authenticity: Assures that the data has not been altered or
tampered with by unauthorized users. Ensures that the source of the data is who it
claims to be. Many documents use the term “integrity” to mean authenticity.
A public key (aka asymmetric-key) scheme uses different keys for encryption and
decryption.
kₑ: public key => known to all
kᴅ: private key => kept secret
<kₑ, kᴅ>: key pair (or decryption key)
Note: We often write “using private key to decrypt” and write Decryption: E⁻¹(kᴅ, CT)
Security Requirement: Given the public key and the ciphertext (but not the private key),
it is difficult to determine the plaintext. The requirement implies that it must be difficult
to get the private key from the public key

O(n^2) vs O(n): need n(n-1) keys for symmetric, n keys for public

Public Key setting: Secure broadcast channel, Each entity publishes its public key and
keeps its private key secret, Total number of public keys: n, Total number of private keys
is n
Advantages: No need to establish secure channel, Fewer keys, Entities don’t need to
know each other before broadcasting the keys.
Based on the mathematical properties of large prime numbers and modular arithmetic
Computational difficulty to factor the product of two large prime numbers
Three phases:
Key Generation: using two large prime numbers
Encryption: modular exponentiation using public key
Decryption: modular exponentiation using private key
Formula
n=p*q
φ(n) = (p - 1) * (q - 1) , φ(n) is the Euler's totient function
Choose an encryption exponent e such that:
gcd(e, φ(n)) = 1
Find the decryption exponent d: (d * e) mod φ(n) = 1
Publish the Public Key: (n, e)
Encryption Public Key: <n, e>
Encryption Formula: c = mᵉ mod n
Decryption Key: <n, d>
Decryption Formula: m = cᵈ mod n
Correctness Proof Formula: (mᵉ)ᵈ mod n = m

The security of RSA is based Integer factorization problem, RSA remains secure
when using sufficiently large key sizes (e.g., 2048 bits or more).

An IV is required so that encryption of the same plaintext at different time would give
different ciphertext.
Classroom RSA has an interesting “homomorphic” property:
c1 = m1ᵉ mod n c2 = m2ᵉ mod n c1 * c2 = (m1 * m2)ᵉ mod n
RSA is malleable, smartly change what PT means when decrypted if we smartly multiply
cipher text by another value

following NIST recommendation, 128-bit AES and 3072-bit RSA has the equivalent
key strength.

With only 6 bits of entropy, there are only 64 possible values for the secret.
Offline Attack is possible for RSA (midterm, exponent e was fixed)
RSA encryption/decryption is significantly slower than AES.
To encrypt a large plaintext using PKC, it is typically carried out in this way:
1. Chooses a random AES key k;
2. Encrypts k using PKC to get y;
3. Encrypts F using AES (with suitable mode, say GCM, CBC or CTR) with k as the key to
get C.
4. Output the (y, C) as the ciphertext.
To decrypt,
1. Decrypts y to get k using the PKC private key;
2. Decrypts C using k to get F.

Unkeyed Hash(needs secure channel to transfer hash): achieves integrity is using

cryptographic hash functions. A (cryptographic) hash is a function that takes an
arbitrary large message as input, and outputs a fixed size (say 160 bits) digest. If the
message is altered, the hash will not match.

Requirement of the Hash Function:

Collision Resistance: It is computationally infeasible to find such that F’≠ F and H(F’) =
H(F)
two different input values should not generate the same hash value.

Preimage resistance: Given h, it is computationally infeasible to find F such that H(F) =

h. (i.e., H is one-way)
given a hash value h, it should not be easy to find an input value F that generates this
hash h

Second-preimage resistance: Given F, it is computationally infeasible to find F’≠ F

such that H(F’)=H(F)
it should not be easy to find a second input value, F’, that generates the same hash as
input value F
SHA-0 : Published by NIST in [Link] a 160-bits digest. 2005, Wang Xiaoyun gave
attack that can finds collision in 2^39 operations.
SHA-1 : Revised version. It produces 160-bits message digest. Xiaoyun Wang et al gave
a method of finding collision of SHA-1 using 2^69 operations, which was later improved
to 2^63. A collision was found in 2017. It took 110 GPU years, completed 2^63 SHA1
operation
SHA2: NIST published SHA-224, SHA-256, SHA-384, SHA-512, collectively known as
SHA 2. The number in the name indicates the digest length. No known attack on full
SHA-2 but there are known attacks on “partial” SHA-2
SHA-3 : NIST standardized it in 2015 SHA-3 includes several hash function variants:
SHA3-224, SHA3-256, SHA3-384, and SHA3 512.
MD5: Designed by Rivest. MD, MD2, MD3, MD4, MD5, MD6. MD5 was widely used: It
produces 128-bit digest. In 2006, Klima give an algorithm that can find collision within
one minute on a single notebook. In 2008, MD5 was officially declared
“cryptographically broken”
SHA-256: Different file sizes, the hash digest length is the same. A small change in the
input should result in a large change in the hash output(diffusion)

Attacker’s goal: makes Alice accepts a file other than F (e.g., forged .exe file).
To trick the user, the attacker need to have a F’ such that H(F’) = H(F) and F’ != F
The above is an example of 2nd pre-image problem
No Authentication: Provide integrity verification but not authentication, since unkeyed
Vulnerability to Collision Attacks/ 2nd preimage

Birthday Attack:

A keyed hash is a function that takes an arbitrary large message and a secret key as
input, and outputs a fixed size (say 160 bits) MAC (message authentication code).
How is data origin authenticity achieved? Secret key shared between sender and
receiver

Keyed hash Does not need secure channel, we can protect the digest, In the symmetric
key setting, it is called the MAC.

Assumption: After seen multiple valid pairs of messages and their corresponding mac,
it is still difficult for the attacker to forge the mac of a message not seen before.

Possible to use the private key, d to encrypt, and then the encryption key, e to decrypt,
designing signature scheme.

Digital Signature: The PKC version of MAC, owner uses the private key to generate the
signature, only the owner has the private key, only he can generate the signature.
The public can use the public key to verify the signature. Everyone knows the public key,
anyone can verify the signature. So, anyone can verify the authenticity of the data, but
only the person who know the private key can generate the signature.

Sign the hash, not directly the file, RSA inefficient, hashing reduces size of the data
Hash and encrypt: Special property of RSA for signature (hash-and-encrypt).

• ElGamal Encryption: based on a “Discrete Logarithm Problem”, whereas RSA is

“factorization problem”
• Elliptic Curve Cryptography (ECC) Based on Elliptic curve discrete logarithm problem
Offers greater security per bit compared to RSA, allowing for smaller key sizes
• Paillier Encryption is also discrete log based.
• If an algorithm can efficiently solve the Discrete-Log Problem, then the algorithm can
easily break the discrete-log based encryption such as Paillier and ElGamal.

Encryption is designed to provide confidentiality. It does not necessary guarantee

integrity and authenticity.
TOPIC4: PASSWORD AUTHENTICATION
Communicating Entity: Verifying the identity of communicating parties.
Data Origin: Verifying the source of the data received, ensuring that the data comes
from a legitimate source and has not been tampered with in-transit.
MAC and digital signature provide communicating entity and data origin authentication.
To attain communicating entity authentication, we need some information bound to the
owner.
Credentials: pieces of information that verify the identity of an individual. A user
provides credentials to prove their identity.
Credentials: Three types
Something the user knows: Passwords, PIN numbers, passphrases, etc.
Something the user is (biometrics): Fingerprint, the pattern of a person’s voice, or a
Something the user has: Identity badges, physical keys, a driver’s license, etc.
Password is a way to achieve communicating entity authentication
Username: you announce who you are (Identification)
Password: you prove that you are who you claim to be (Authentication)
Passwords vs Secret Key:
Similarity: Both can be used for entity authentication, Both are sensitive information, if
compromised can lead to breaches
Difference: Passwords are generated by human and can be remembered by human
Secret keys are long binary sequence that are infeasible to be remembered by human
Secret keys can be randomly generated or derived from password
Password System: Three Stages
Bootstrapping A user and the server establish a common password. The server keeps
the password file: user_id, (username) and the corresponding password.
Authentication server authenticates an entity. An entity who can convince the server
that it knows the password, is deemed to be authentic
Password reset Many reasons to reset password. E.g., User forgets the password. E.g.,
A password policy could require regular changes of password.

Bootstrapping

Bootstrapping Mechanism The server/user chooses a password and sends it to the

user/server through another communication channel.
Default password: initial password
bootstrapping mechanisms: Send mail by courier o Initial password is sent that is valid
only for a single login, user need to change immediately

Authentication Protocol

Password Reset: Only the authentic entity can reset the password. We need to
authenticate the entity before allowing the entity to change password. Eg, Anyone who
know the old password. Need another credential (other than the old password) to
authenticate.
Password Reset Methods:
Having human (i.e., admin or IT support): involved in resetting password is expensive.
Using Recovery Email Account: Users initiate a password reset request
System sends a password reset link or temporary password to the registered email
address.
Using Security Questions: User may not remember arbitrary strings (i.e., password) but
should know the answers to personal questions without needing to memorize or guess.
This mechanism was very common but less so now.
Replay attack: If the attacker has the capability to sniff the communication channel,
then the previous protocol is not secure. It is subjected to the simple “replay attack”,
information sniffed from the communicated channel by an attacker can be replayed to
impersonate the user.
Secure Password File Storage Salt "Password":
Password file never stored in clear text.
Use of hashed passwords and a fixed-length random salt value (virtually all UNIX
variants) Hash function Hash + salt
Password + salt is hashed and stored in the password file Password File
Pre-image resistance property: cannot get back the password from the hash value
A salt is a piece of randomly generated data that is unique to each password hash and
stored alongside the hash in the password file. Its main purpose is to defend against
common types of brute-force and dictionary attacks, primarily rainbow table attacks.
rainbow table is a precomputed table of common passwords and their corresponding
hash values. Attackers use them to quickly look up a stolen hash and find the original
password. Since the salt is unique for every user, the attacker cannot use a
precomputed rainbow table.
Attack the Bootstrapping:
Default Password: Attacker may intercept the password during bootstrapping. for
example, if the password is sent through postal mail, an attacker could steal the mail to
get the password. Attacker uses the “default” passwords.
There are many reported incidents on this simple attack. (for e.g. IP camera, Wi-Fi
router)
Why not remove it? Usability and logistic issue
Mitigation: Require the user to change password after first login.
Mirai Botnet:
Vulnerability: IoT devices such as IP cameras, home routers, had factory default
usernames and passwords
Attack steps: Mirai malware scans the internet for IoT devices with open Telnet or SSH
ports. Once a device is found, it attempts to log in using a list of common default
usernames and passwords (e.g., "admin/admin" or "root/123456"). Mirai successfully
logs into a device, infect it and adds it to botnet which is later used for DDOS attack
Password Reset Poisoning:
Goal: OTP (or token) that is included in the reset link ([Link]
13ac92DadvSEga5). Change the victim’s password and take control of their account.
Vulnerability: how the application constructs password reset URLs

Mitigation: Input Validation (Ensure robust validation and sanitization of HTTP headers
and user inputs), Secure URL Generation (take correct host name, and not hostname
from the user) User Awareness, Secure Communication enforce HTTPS to protect data,
2FA
Changed the host name

Social engineering + password reset

Compromise: An attacker first obtains Bob's account credentials for the platform
XXXXX.
Triggering the Reset: The attacker goes to the XXXXX site and initiates the password
reset process for other members of the ABC group.
Reset Confirmation Email: XXXXX sends a legitimate password reset confirmation email
to the targeted members. This email contains a QR code—a common way for apps to
handle authentication or confirmation requests.
The Crucial Deception: The attacker predicted the format of this legitimate reset QR
code (or even posted the exact image from the email). When a victim (like the third
person in the chat) says, "I also received this," and posts their own QR code, the
attacker has achieved their goal.
Exploitation: The attacker can now scan the QR code posted by the victim. Since
scanning that specific QR code is the required step to confirm the password reset
initiated by the attacker, the victim has unwittingly given the attacker full control to set a
new password for their account.

Attacks on Password Reset Security Questions

Social media accounts expose structured information about users
Mitigation using CAPTCHAs: ask a question about an image or audio file that had been
previously specified by the user.

guess the password

Exhaustive search (brute force) – try all possible combinations of valid symbols, up to a
certain length
Dictionary attacks– search through a restricted name space by maintaining a dictionary,
pre-compiled list, password are not chosen completely random, but something
meaningful to entity
John the Ripper is for "offline" cracking (files you stole), while Hydra is for "online"
cracking (live login pages).
Offline Dictionary Attack: The attacker obtains some information, D, possibly by
sniffing the login session of the authentic user, or the “hashed” password is sent over,
and the attacker manage to obtain the hash
Example of offline dictionary attack:
1. Attacker has an AES encrypted pdf file. The AES key is derived from a password. The
attacker wants to find the password.
2. In some password authentication protocols, a “hash” of the password is sent in clear.
The attacker first obtained the hash by eavesdropping a valid login session. Next, the
attacker went offline and searched for the password. WPA2 personal is vulnerable to
this form of offline dictionary attack.
3. The password file contains hashes of password. Attacker somehow obtained a
password file, and then carryout offline dictionary attack.
4. WPA2-personal employs a protocol whereby offline dictionary attack can be carried
out.
Online Dictionary Attack: Attacker interact with the authentication system to test the
password, Step: writes an automated script that attempt to login to Canvas using
guessed passwords for each nusnet id.
mitigation is rate limiting and account lockout; strong password policy.

Other Mitigation Techniques: Limited login attempts (for online password cracking):
Add delay into login session, lock the account after a few failed attempts, Password
checker or metering (for offline password cracking): System checks for weak password
when user registers/ changes password, Password usage policy: Users must use strong
password, Password ageing: Users must regularly change passwords, 2FA:
recommended nowadays!
KDF (Key derivative function): To make offline dictionary attack more difficult, it is
desired to have a KDF that consume a lot of compute time. So, ironically, hash like SHA3
is designed to be efficient, but KDF wants it to be very slow. This is achieved by multiple
hashings, say n times. key = H ( H (… H ( password) …) ).

Techniques for Stealing

Spoofing: disguising a communication from an unknown source as coming from a
trusted source, impersonating
Sniffing: monitoring and intercepting data packets as they travel across a computer
network. Shoulder surfing is over the look shoulder attack, side channel attack is
using physical factors like sounds made by the keyboard.
Phishing: tricking user to visit a spoofed website voluntarily sends the password, social
engineering attack, can be prevented through user training, blacklisting phishing
websites
Virus key logger: Captures the keystrokes and sends the information to the attacker.
(software) Computer viruses are designed as a key-logger. Hardware: Hardware key-
logger
Cache and Lost password file: When using a shared workstation information keyed in
could be cached, Password file can be stolen
Spear Phishing: Phishing can be targeted to a particular small group of users (for
example, NUS staff). Such attack is generally known as spear phishing, which is an
example of targeted attacks.
Pharming: redirects users from a legitimate website to a malicious, fraudulent replica
without the user's knowledge or consent. This is typically done by manipulating Domain
Name System (DNS) server records or altering the host files on a local machine.
Vishing (Voice Phishing): fraudulent practice of using voice communication to trick
individuals into giving personal and financial information
Smishing (SMS Phishing): using SMS (text messages) to trick people into clicking a
malicious link, calling a fraudulent phone number, or downloading a compromised file
visual inspection: Check that there is a padlock in the address bar (we will spend a few
weeks explaining this). Check that the domain name in the url is correct.
Typo Squatting: An attacker registered for a domain name (e.g., [Link] valid
certificate of the above name. The address bar of the victim’s browser correctly
displayed [Link] but the victim didn’t notice that and logged in using the
victim’s password
Subdomain Takeover: Attacker is the rightful owner of [Link] • Attacker creates a
sub domain: [Link] • Since attacker is the owner of [Link] , it
can get a valid certificate of [Link] or *.[Link]
PASSWORD STRENGTH
NIST password guidelines: At least 8 characters long, 15 char preferable Character
options: at least one each of uppercase, lowercase, numeric digits, and special
characters.
Proactive password checker: At the time of selection, the system checks to see if the
password is allowable and, if not, rejects it.
Key Strength: In encryption, we “quantify” the key-strength by the size of the key if best
known attack is exhaustive search. Strength of 128-bit AES key is: 128 bits, Strength of
256-bit SHA is: 128 bits due to birthday attack.
Entropy is a measurement of randomness:
H = Password Length x log₂(Symbol Set Size)
H = L x log₂(N)

RFC 4086 (Randomness Required for Security) recommends at least 29 bits of entropy
recommends at least 49 bits for higher security online dictionary attack, NIST
recommend 128 bits entropy for Offline dictionary attack.
Biometrics: Authentication by password gives a clear reject or accept, biometrics will
hardly ever match precisely. Matching algorithm measures the similarity between
reference template and current template, user accepted if the similarity is above a
predefined threshold.
False positive: incorrectly identifies an unauthorized user as an authorized user
False negative: fails to recognize an authorized user, rejecting their correct biometric
data as a non-match
By adjusting the threshold, the FMR and FNMR can be adjusted. lower threshold =>
more relax in accepting higher threshold => more stringent in accepting

Attack of Biometric System:

Presentation attacks: using some artefact to impersonate (Fake fingerprint ) Mitigation:
additional mechanism on liveness detection − This mechanism verifies that the subject
is indeed “live”, instead of spoofed materials, say a photograph. − Example of liveness
detection: temperature sensor in fingerprint scanner. − Limit the number of attempts
Replay attacks: capturing and reusing a biometric data sample
Mitigation: liveness detection o2FA

Something You Have Tokens: ATM card, mobile phone, OTP token,
Time-based: Both the user device (e.g., phone) and the server share a secret key. Using
this secret key and the current time as inputs, an algorithm generates the same OTP on
both the user's device and the server. oE.g., Google Authenticator
Sequence-based: Both the server and the user's device maintain a counter along with
the secret key. Upon each event (e.g., button press), the counter increments, and an
algorithm uses it with the shared secret to generate the OTP. E.g., hardware tokens
n-factor Authentication:
Something you know: Password, Pin.
Something you have: Security token, smart card, mobile phone, ATM card.
Who you are: Biometric.
2 different factors: It is called a 2-factor authentication if 2 factors are employed
2-Step Verification: Many online platforms use email account as the additional factor,
Both are “what-you-know” and thus cannot be called “2-factor”

List of Not Common terms:

Superuser is a special user account in a computer operating system that has all
privileges
Worm is a type of standalone malware that replicates itself to spread to other
computers,
Rootkit is a collection of malicious software designed to conceal its presence and the
presence of other malware from users and system administrators.
covert channel: is a type of attack that creates a capability to transfer information
objects between processes that are not supposed to be allowed to communicate by the
computer security policy
Semantic security in cryptography means that an encryption scheme is designed so
that an attacker cannot gain any meaningful information about the original plaintext
from the ciphertext, even if they can observe multiple ciphertexts.
MIFARE Classic is a contactless smartcard widely used in Europe. It uses a set of
proprietary protocols/algorithms. However, they are reverse-engineered in 2007. It turns
out that the encryption algorithms are already known to be weak (with 48-bit keys) and
breakable.