...Unit 2 Assignment 2 Vulnerability of a Cryptosystem What this vulnerability is doing is creating a rogue CA certificate, creating an MD5 collision on your next work. According to Microsoft this threat is not a major issue with no reports of this attack being used. From the rewind that I have doesn’t I did not see any tools that were used to create this attack. I think that the system that they currently have still can be used by making some changes. N the system cannot be changed easily based on the size of the infrastructure. The exploit has not been released due to the fact that there are no reports of this attack being used. The likelihood of this being used is very small. I do not think that attacks would be conducted and the results would be crashing of sites and resources. This system is widely used for the University, and if it would become attacked the system itself would still be trustworthy; you just need to change the algorithm to SHA-1. The information for the technical audience is what is conveyed via the links. They need to know about the issues and be informed in order to determine if the change from MD5 to SHA-1 needs to be made. The nontechnical audience doesn’t really need to know anything about this attack. If the university is making the change the impacts will be very minimal and not affect them. If you are talking to management all you need to say is that you found a vulnerability and it can be taken care of with very minimal...
Words: 275 - Pages: 2
...Unit 2 Assignment 2: Vulnerability of a Cryptosystem 09-27-2014 ITT Technical Institute Unit 2 Assignment 2: Vulnerability of a Cryptosystem This assignment gives us a job at a University as a Security analyst. One of the first things that was placed on our plate as a responsibility was getting the cryptosystem up to date. A high risk vulnerability has been identified and they have asked me to make recommendations on how to remedy the situation. There are a few websites that I have been advised to read as they may assist in my decision making process. After reading further I have been asked a large number of questions. I am planning to read up so I know about the cryptosystem then go into answering the provided questions. When we think about MD5 hashing we have to consider the hash and its long history of collisions on the network. When we were doing the practice labs in class the other night we saw a number of students using the MD5 hashing and getting the same hash out of different text documents. This is not a good sign that this is the best type of hashing algorithm to use. I would advise using the latest greatest out with a known history of being secure. Asking if the threat is significant is an easy question to answer. Any organization's documentation at some level needs to be protected so it is not used in the wrong way. Yes, of course the cryptosystem being vulnerable is something that needs to be addressed right away. Modifying the hardware and software to...
Words: 1643 - Pages: 7
...Vulnerability of a Cryptosystem The assignment asks that the student portray a newly hired IT person at a University. It is told to you by a supervisor that the University cryptosystem and would like research done on the vulnerability. Once the research is complete, come up with things that the University should do to handle the problem. The University used the Message-Digest algorithm 5 (MD5) in most of the areas at the University. It provides the hashes to check for file integrity of downloaded files by using MD5 based certificates that have been approved by an internal Certificate Authority. The University uses Cisco ASA firewall devices that create and sign digital certificates that authenticate the users and the systems. In addition, the default setting for the Cisco ASA devices is MD5. It was discovered back in 2008 that the MD5 based systems have a problem; there is the feasibility of collision attacks. This means that attackers could generate extra digital certificates with different content but have the same digital signature as the original certificate. This basically means that if an attacker can get a hold of a digital certificate, they might be able to gain access to information by creating a replica of the certificate but adding different information or contents to it. According to the research, the likeliness of this vulnerability is very little due to the fact that most attackers do not know how to obtain rogue certificates. There does...
Words: 380 - Pages: 2
...On Implementation of Elliptic Curve Cryptography and Self-Certified Public Key Cryptosystems in Wireless Mesh Networks A B.Tech Project Report submitted in fulfilment of the requirements for the Degree of Bachelor of Technology Submitted by K Bharadwaj Sharma 07010219 M Krishna Chaitanya 07010228 Under the Guidance of Dr. Ratnajit Bhattacharjee Department of Electronics and Electrical Engineering Indian Institute of Technology Guwahati Guwahati-781039, Assam Candidate’s Declaration I hereby declare that the work which is being reported in this thesis entitled “On Implementation of Elliptic Curve Cryptography and self-certified public key cryptosystems in Wireless Mesh Networks” in partial fulfilment of the requirements for the award of the Degree of Bachelor of Technology, submitted in the Department of Electronics and Communication Engineering, Indian Institute of Technology Guwahati, is a record of my own work carried out during my thesis work under the supervision of Dr. Ratnajit Bhattacharjee, Associate Professor, Department of EEE, IIT Guwahati. The matter entitled in this thesis has not been submitted elsewhere for the award of any other degree. Place: Guwahati Date: 21st April, 2011 This is to certify that the above statement made by the candidate is correct to the best of my knowledge. April, 2011 IIT Guwahati Supervisor: Dr. Ratnajit Bhattacharjee Associate Professor Dept. of EEE IIT Guwahati ACKNOWLEDGEMENT First and foremost...
Words: 7761 - Pages: 32
...funny jokes to Hillary. He does not care about confidentiality of these messages but wants to get credit for the jokes and prevent Bill from claiming authorship of or modifying them. How can this be achieved using public key cryptography? 3) Question C-1.15 (p. 51) Describe a method that allows a client to authenticate multiple times to a server with the following requirements. a. The client and server use constant space for authentication. b. Every time the client authenticates to the server, a different random value for authentication is used (for example, if you have an n different random value, this means that sharing a key initially and using it for every round of authentication is not a valid solution). Can you find any vulnerability for this protocol? 4) Question C-2.2 (p. 107) For safety reasons, external locked doors on commercial buildings have mechanisms for people on the inside to escape without using a key or combination. One common mechanism uses an infrared motion detector to open an electronic lock for people moving toward a door from the inside. Explain how an air gap under such an external door could be exploited to open that door from the outside. 5) Question C-2.6 (p. 108) A thief walks up to an electronic lock with a 10 digit keypad and he notices that all but three of the keys are covered in dust while the 2,4,6 and 8 keys show...
Words: 762 - Pages: 4
...Assignment Cover Sheet Student Name: xxxxxxxxxxxx sssssssssssss Student No: xxxxxxxxxx Subject Name: Computer and Network Security Subject Code: ITC359 Lecturer: Peter Smith Assignment No: 1 Penalty on late assignments Penalty for late submission of assignment without obtaining lecturer’s approval for an extension will be 10% deduction per day, including weekends, of the maximum marks allocated for the assignment, i.e. 1 day late – 10% deduction, 2 days late – 20% deduction. Plagiarism The University treats plagiarism very seriously. Plagiarism is included under the Student Academic Misconduct Rule as published in the Rules and Regulations section of the academic handbook. I am aware of the University’s requirement for academic integrity (http://www.csu.edu.au/division/studserv/learning/plagiarism/) and I declare that my assignment is my own work and conforms with these requirements. I certify that the attached assignment is solely my work, based on my personal study and research. I also certify that appropriate and full acknowledgment has been made of all sources used in the preparation of this assignment. Assessment Feedback | Additional sheet attached | ...
Words: 779 - Pages: 4
...Cloud Computing Security Mohamed Y. Shanab, Yasser Ragab, Hamza Nadim Computing & Information Technology AAST Cairo, Egypt {myshanab, yasseritc, hamzanadim }@gmail.com Abstract-- In the past two decades, data has been growing on a huge scale, making it almost impossible to store, maintain and keep all data on premises. Thus emerged the idea of cloud computing, and it is now becoming one of the most used services among firms, organizations and even governments. But its security risks are always a concern and a major setback. In this paper we talk about those risks, the most feared ones, and the latest techniques to overcome them; we also discuss a solution for cloud computing based on fully homomorphic encryption. Key Words -- Cloud computing, Cloud computing security, Challenges, Privacy, Reliability, Fully homomorphic encryption. interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models." [1] II. TOP BENEFITS OF CLOUD COMPUTING Achieve economies of scale. Increase volume output or productivity with fewer people. Your cost per unit, project or product plummets. Reduce spending on technology infrastructure. Maintain easy access to your information with minimal upfront spending. Pay as you go (weekly, quarterly or yearly), based on demand. Globalize your workforce on the cheap. People worldwide can access the cloud, provided they have an Internet connection....
Words: 4691 - Pages: 19
...Essay 1 What Is There to Worry About? An Introduction to the Computer Security Problem Donald L. Brinkley and Roger R. Schell This essay provides an overview of the vulnerabilities and threats to information security in computer systems. It begins with a historical presentation of past experiences with vulnerabilities in communication security along with present and future computer security experiences. The historical perspective demonstrates that misplaced confidence in the security of a system is worse than having no confidence at all in its security. Next, the essay describes four broad areas of computer misuse: (1) theft of computational resources, (2) disruption of computational services, (3) unauthorized disclosure of information in a computer, and (4) unauthorized modification of information in a computer. Classes of techniques whereby computer misuse results in the unauthorized disclosure and modification of information are then described and examples are provided. These classes are (1) human error, (2) user abuse of authority, (3) direct probing, (4) probing with malicious software, (5) direct penetration, and (6) subversion of security mechanism. The roles of Trojan horses, viruses, worms, bombs, and other kinds of malicious software are described and examples provided. In the past few decades, we have seen the implementation of myriads of computer systems of all sizes and their interconnection over computer networks. These systems handle and are required to protect...
Words: 13185 - Pages: 53
...SECURITY ISSUES AND PRINCIPLES STEGANOGRAPHY [n. stə nóggrəfi] Steganography (literally meaning covered writing) dates back to ancient Greece, where common practices consisted of etching messages in wooden tablets and covering them with wax, and tattooing a shaved messenger's head, letting his hair grow back, and then shaving it again when he arrived at his contact point. Steganography comes from the Greek steganos, or "covered," and graphie, or "writing". Synonymous to abstraction, the art and science of hiding information by embedding messages within other, seemingly harmless messages. Steganography takes cryptography a step farther by hiding an encrypted message so that no one suspects it exists. Ideally, anyone scanning your data will fail to know it contains encrypted data by replacing bits of useless or unused data in regular computer files (such as graphics, sound, text, HTML, or even floppy disks) with bits of different, invisible information. This hidden information can be plain text, cipher text, or even images. Steganography sometimes is used when encryption is not permitted or, more commonly, is used to supplement encryption. An encrypted file may still hide information using steganography, so even if the encrypted file is deciphered, the hidden message is not seen. In modern digital steganography, data is first encrypted by the usual means and then inserted, using a special algorithm, into redundant (that is, provided but unneeded) data that is part of a particular...
Words: 6118 - Pages: 25
...1. INTRODUCTION Does increased security provide comfort to paranoid people? Or does security provide some very basic protections that we are naive to believe that we don't need? During this time when the Internet provides essential communication between tens of millions of people and is being increasingly used as a tool for commerce, security becomes a tremendously important issue to deal with. There are many aspects to security and many applications, ranging from secure commerce and payments to private communications and protecting passwords. One essential aspect for secure communications is that of cryptography, which is the focus of this chapter. But it is important to note that while cryptography is necessary for secure communications, it is not by itself sufficient. The reader is advised, then, that the topics covered in this chapter only describe the first of many steps necessary for better security in any number of situations. This paper has two major purposes. The first is to define some of the terms and concepts behind basic cryptographic methods, and to offer a way to compare the myriad cryptographic schemes in use today. The second is to provide some real examples of cryptography in use today. I would like to say at the outset that this paper is very focused on terms, concepts, and schemes in current use and is not a treatise of the whole field. No mention is made here about pre-computerized crypto schemes, the difference between a substitution and transposition...
Words: 7926 - Pages: 32
...Fundamentals of Network Security John E. Canavan Artech House Boston • London http://www.artechhouse.com Library of Congress Cataloging-in-Publication Data Canavan, John E. Fundamentals of network security / John E. Canavan. p. cm.—(Artech House telecommunications library) Includes bibliographical references and index. ISBN 1-58053-176-8 (alk. paper) 1. Computer security. 2. Computer networks—Security measures. I. Title. II. Series. QA76.9.A25 C364 2000 005.8—dc21 00-050810 CIP British Library Cataloguing in Publication Data Canavan, John E. Fundamentals of network security.—(Artech House telecommunications library) 1. Computer networks—Security measures I. Title 005.8 1-58053-176-8 Cover design by Yekaterina Ratner Microsoft ® screen shots reprinted by permission from Microsoft Corporation. Netscape Communicator browser window © 1999 Netscape Communications Corporation. Used with permission. Netscape Communications has not authorized, sponsored, endorsed, or approved this publication and is not responsible for its content. Permission to reproduce screen shots from the PGP and Sniffer products has been provided by Network Associates, Inc. Network Associates, PGP, Pretty Good Privacy Sniffer, and Distributed Sniffer System are registered trademarks of Network Associates, Inc. and/or its affiliates in the U.S. and/or other countries. MIT screen shots used with permission. Qualcomm's Eudora screen shots used with permission. Copyright © 2001 ARTECH HOUSE, INC. 685 Canton Street...
Words: 95027 - Pages: 381
...Introduction Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. The terms information security, computer security and information assurance are frequently used interchangeably. These fields are interrelated and share the common goals of protecting the confidentiality, integrity and availability of information; however, there are some subtle differences between them. These differences lie primarily in the approach to the subject, the methodologies used, and the areas of concentration. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms. Governments, military, financial institutions, hospitals, and private businesses amass a great deal of confidential information about their employees, customers, products, research, and financial status. Most of this information is now collected, processed and stored on electronic computers and transmitted across networks to other computers. Should confidential information about a business's customers or finances or new product line fall into the hands of a competitor, such a breach of security could lead to lost business, lawsuits or even bankruptcy of the business. Protecting confidential information is a business requirement, and in many cases also an ethical and legal requirement. For the individual, information...
Words: 6195 - Pages: 25
...protection of information and information infrastructure assets against the risks of loss, misuse, disclosure or damage. Standards that are available to assist organizations implement the appropriate programs and controls to mitigate these risks are for example BS7799/ISO 17799, Information Technology Infrastructure Library and COBIT. Information security management (ISM) describes controls that an organization needs to implement to ensure that it is sensibly managing these risks. Security Challenges The risks to these assets can be calculated by analysis of the following issues: Threats to your assets. These are unwanted events that could cause the intentional or accidental loss, damage or misuse of the assets Vulnerabilities. How vulnerable (prone or weak) your assets are to attack Impact. The magnitude of the potential loss or the seriousness of the event. Security services Information Security Governance, Information Security Governance or ISG, is a subset discipline of Corporate Governance focused on information Security systems and their performance and risk management. Establish and maintain a framework to provide assurance that information security strategies are aligned with business objectives and consistent with applicable laws and regulations Develop the information security strategy in support of business strategy and direction. Obtain senior management commitment and support Ensure that definitions of roles and responsibilities...
Words: 1808 - Pages: 8
...Introduction Defining Security • The security of a system, application, or protocol is always relative to – A set of desired properties – An adversary with specific capabilities • For example, standard file access permissions in Linux and Windows are not effective against an adversary who can boot from a CD Security Goals • C.I.A.: Confidentiality, Integrity, Availability Confidentiality • Confidentiality is the avoidance of the unauthorized disclosure of information. – Confidentiality involves the protection of data, providing access for those who are allowed to see it while disallowing others from learning anything about its content. Tools for Confidentiality • Encryption: the transformation of information using a secret, called an encryption key, so that the transformed information can only be read using another secret, called the decryption key (which may, in some cases, be the same as the encryption key). [Figure: the sender encrypts plaintext with a shared secret key, the ciphertext crosses the communication channel past an eavesdropping attacker, and the recipient decrypts it with the shared secret key] Tools for Confidentiality • Access control: rules and policies that limit access to confidential information to those people and/or systems with a “need to know.” – This need to know may be determined by identity, such as a person’s name or a computer’s serial number, or by a role that a person has, such as being a manager or a computer security...
Words: 3091 - Pages: 13
...1. Time Based 2. What is the significance of obtaining a Non-Disclosure Agreement from third parties? To ensure the confidentiality of company data that they may have access to 3. Which two major cities have conducted full-scale simulations of bioterror and nuke attacks? New York and DC 4. What kind of facilities are specified in the physical security perimeter control? All information processing facilities 5. Which of the following best represents the principle of “economy of mechanism?” Run only the services and applications necessary to perform the desired function 6. What is the primary goal of establishing incident management responsibilities and procedures? Ensuring an effective response to security investigations. 7. An organization has implemented a Windows environment with Active Directory. They have set up groups with limited access for each department, such as Human Resources and Accounting. Additional access rights needed for certain tasks within each department are assigned to specialized groups, such as Accounting_Payroll and Human Resources_Benefits. User accounts are added to the groups that have the appropriate access rights to meet their assigned responsibilities. What type of access control model is this organization using? Role Based Access Control 8. Why is it important to temper good intentions with knowledge with regard to employee awareness training? Clear and specific policies protect both the organization and the employees. 9. In addition to high-level...
Words: 1946 - Pages: 8