
Cybersecurity Essentials for Students

course material

Uploaded by

Bontu Emana

Adama Science and Technology University

Department of CSE

 Computer Networks and Information Security (SE 4205)

Chapter one lecture three

Malicious Software

• Trapdoors
• Viruses
• Trojan Horses
• Logic Bombs
• Worms

Trapdoors

• Secret entry point into a program
• Allows those who know of it to gain access, bypassing the usual security procedures
• Have been commonly used by developers
• A threat when left in production programs, allowing exploitation by attackers
• Very hard to block in the O/S
• Requires good s/w development & update

Logic Bomb

• One of the oldest types of malicious software
• Code embedded in a legitimate program
• Activated when specified conditions are met
  • e.g. presence/absence of some file
  • particular date/time
  • particular user
• When triggered, typically damages the system
  • modify/delete files/disks

Trojan Horse

• Program with hidden side effects
• Usually superficially attractive
  • e.g. game, s/w upgrade, etc.
• When run, performs some additional tasks
  • allows an attacker to indirectly gain access they do not have directly
• Often used to propagate a virus/worm, to install a backdoor, or simply to destroy data

Zombie

• Program which secretly takes over another networked computer, then uses it to indirectly launch attacks
• Often used to launch distributed denial of service (DDoS) attacks
• Exploits known flaws in network systems

Viruses

• A piece of self-replicating code attached to some other code
  • cf. biological virus
• Both propagates itself & carries a payload
  • carries code to make copies of itself, as well as code to perform some covert task

Virus Operation

• Virus phases:
  • dormant – waiting on trigger event
  • propagation – replicating to programs/disks
  • triggering – by event to execute payload
  • execution – of payload

Types of Viruses

• Can be classified on the basis of how they attack
  • Parasitic virus
  • Memory-resident virus
  • Boot sector virus
  • Stealth
  • Polymorphic virus
  • Macro virus

Macro Virus

• Macro code attached to some data file
• Interpreted by the program using the file
  • e.g. Word/Excel macros
  • esp. using auto command & command macros
• Code is now platform independent
• Is a major source of new viral infections
• Blurs the distinction between data and program files, making the task of detection much harder
• Classic trade-off: "ease of use" vs "security"

Email Virus

• Spread using email with an attachment containing a macro virus
  • cf. Melissa
• Triggered when the user opens the attachment
• Or worse, even when the mail is viewed, by using scripting features in the mail agent
• Usually targeted at the Microsoft Outlook mail agent & Word/Excel documents

Worms

• Replicating but not infecting program
• Typically spreads over a network
  • cf. Morris Internet Worm in 1988
  • led to creation of CERTs
• Using users' distributed privileges or by exploiting system vulnerabilities
• Widely used by hackers to create zombie PCs, subsequently used for further attacks, esp. DoS
• Major issue is the lack of security of permanently connected systems, esp. PCs

Worm Operation

• Worm phases like those of viruses:
  • dormant
  • propagation
    • search for other systems to infect
    • establish connection to target remote system
    • replicate self onto remote system
  • triggering
  • execution

What is authentication?

• Kerberos
• CHAP
• Certificates
• Username/Password
• Tokens
• Multi-Factor
• Mutual Authentication
• Biometrics

What is authentication?

• Positive verification of identity (man or machine)
• Verification of a person’s claimed identity
• Who are you? Prove it.
• Three factors:
  1. Something you have: key, card (eToken, smart cards, RFID)
     • can be stolen
  2. Something you know: passwords
     • can be guessed, shared, stolen
  3. Something you are: biometrics
     • costly, can be copied (sometimes)

What you know

• Password
• Passphrase
• PIN

What you have

• Digital authentication
  • physical devices to aid authentication
• Common examples:
  • eToken
  • smart cards
  • RFID

E-Token

• Can be implemented on a USB key fob or a smart card
• Data is physically protected on the device itself
• On the client side, the token is accessed via a password
• Successful client-side authentication with the password causes the token to produce a stored or generated passcode, which is sent to the server side for authentication

eToken

• May store credentials such as passwords, digital signatures and certificates, and private keys
• Can offer on-board authentication and digital signing

RFID

• RFID: Radio Frequency IDentification
• Integrated circuit(s) with an antenna that can respond to an RF signal with identity information
• No power supply necessary: the IC uses the RF signal to power itself
• Susceptible to replay attacks and theft
• Examples:
  • Smart Tag, EZPass
  • Garage parking permits

Who you are

• Biometric authentication
  • Use of a biometric reading to confirm that a person is who he/she claims to be
• Biometric reading
  • A recording of some physical or behavioral attribute of a person

Physical Biometrics

• Fingerprint
• Iris
• Hand Geometry
• Finger Geometry
• Face Geometry
• Retina
• Smell
• Thermal Face
• Hand Vein
• Nail Bed
• DNA
• Palm Print

Behavioral Biometrics

• Signature
• Voice
• Keystroke
• Gait

1. What is Kerberos?

• Trusted third-party authentication service
• Based on the Needham and Schroeder key distribution algorithm
• Ticket = {server, client, address, timestamp, lifetime, K_{s,c}}K_s

[Figure: Kerberos database (Name, Private key, ExpireDate); private key (encrypted password) for the user and private key (at registration) for the service; session key between the Kerberos client program on the client and the service on the server]

Kerberos components

• Key Distribution Center (KDC)
• Principal
• Authentication Service (AS)
• Ticket Granting Service (TGS)
• Ticket Granting Ticket (TGT)
• Resource
• Trust relationship
• Repository
• Realm
• Ticket

Kerberos Software Component

[Figure: Kerberos application library, encryption library (DES), database library (DB management), administrative server (KDBM server), authentication server (Kerberos server), database administration programs, database propagation software, end-user programs, applications]

Kerberos Name

• primary_name.instance@realm
  • primary_name: the name of the user or the service
  • instance: usually the name of the machine on which the server runs
  • realm: the name of an administrative entity that maintains authentication data in the domain
• Example: [email protected]

How Does Kerberos Authentication Work?

[Figure: message flow between the user/client, the authentication server (authentication service and ticket granting service) and the server (rlogin, ftp, telnet, http); label: "Encrypted"]

• Login session setup
  1. Request for TGS ticket
  2. Ticket for TGS (session key)
• Server session setup
  3. Request for rlogin ticket
  4. Ticket for rlogin (session key)
• DoOperation
  5. Request for service
  6. Reply

2. Certificates

• A certificate (i.e., digital certificate) acts as a trusted third party to allow unknown parties to authenticate with each other
• Issued by a Certificate Authority (CA)
• Digital certificates used in modern systems conform to the ITU X.509 standard

Public-Key Authority

Figure: Public-Key Distribution Scenario

• PUa: public key of user A; PUb: public key of user B; E: encryption
• PRauth: the authority's private key; IDA: identifier of A; N1: A's nonce; N2: B's nonce

1. A sends a timestamped message to the public-key authority containing a request for the current public key of B.
2. The authority responds with a message that is encrypted using the authority's private key, PRauth. The message includes the following:
   1. B's public key, PUb, which A can use to encrypt messages destined for B
   2. The original request
   3. The original timestamp
3. After storing B's public key, A uses it to encrypt a message to B containing an identifier of A (IDA) and a nonce (N1), which is used to identify this transaction uniquely.
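
Why the authority's reply in step 2 carries the original request and timestamp, shown as an added example that is not part of the course material. It replaces "encrypted with PRauth" by a hash-then-private-key operation on a toy RSA key; the key, the directory contents and all function names are constructed for illustration.

```python
import hashlib

# Toy RSA key for the authority, built from two Mersenne primes. Constructed
# for illustration only: far too small and unpadded for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # PRauth (private exponent)

DIRECTORY = {"public key of B": "PUb-sample"}   # constructed directory entry

def digest(pub_key, request, ts):
    """Hash the three fields of the reply into one integer below N."""
    data = f"{pub_key}|{request}|{ts}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def authority_reply(directory, request, ts):
    """Step 2: return PUb with the original request and timestamp,
    bound together under the authority's private key."""
    pub = directory[request]
    return {"pub": pub, "request": request, "ts": ts,
            "sig": pow(digest(pub, request, ts), D, N)}

def accept_reply(reply, sent_request, sent_ts):
    """A's checks before storing B's key. Returns 'ok' or the reject reason."""
    expected = digest(reply["pub"], reply["request"], reply["ts"])
    if pow(reply["sig"], E, N) != expected:
        return "bad signature"       # altered, or not produced with PRauth
    if reply["request"] != sent_request:
        return "request mismatch"    # an answer to a different question
    if reply["ts"] != sent_ts:
        return "stale timestamp"     # an older reply being replayed
    return "ok"

if __name__ == "__main__":
    reply = authority_reply(DIRECTORY, "public key of B", 1000)
    print(accept_reply(reply, "public key of B", 1000))                  # fresh
    print(accept_reply(dict(reply, pub="other"), "public key of B", 1000))
    print(accept_reply(reply, "public key of B", 2000))                  # replay
```
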

3. Token-Based Authentication

• A form of multifactor authentication
• Two methods of token-based authentication
  • Hardware (for example, token card)
  • Software
• Strengths and weaknesses
  • Token-card-based authentication combines something-you-have authentication with something-you-know authentication; consequently, it provides more security
  • Inconvenience and still password-based

4. Challenge Handshake Authentication Protocol (CHAP)

• The secret is shared between two systems, but is never sent across the network wire.
• CHAP requirements
• The CHAP handshake

5. Biometrics

• Biometric-based authentication uses a person's physical characteristics as a basis for identification
• Strategies
  • Fingerprints
  • Hand geometry
  • Voice recognition
  • Retinal scans
  • Iris scans
  • Face recognition
  • Vascular patterns
• Biometric implementations and standards
• Benefits and drawbacks

6. Extensible Authentication Protocol (EAP)

• Allows multifactor authentication over Point-to-Point Protocol and wireless links
• Capable of supporting authentication by way of various methods, including:
  • RADIUS
  • CHAP
  • Token cards
  • Digital certificates, using EAP-tunneled TLS (EAP-TLS)
  • A Kerberos server

7. Password

A simple two-way handshake protocol for establishing peer identity.

The protocol:
• At the LCP phase, the authenticator requests PAP authentication.
• At the authentication phase, the peer transmits, in plain text, a username and password.
• The authenticator responds with a configure-ack or configure-nak.

[Figure: message sequence over time between Peer and Authenticator]
1. Authenticator to peer: Configure-request, auth-protocol=PAP
2. Peer to authenticator: Configure-ack
3. Peer to authenticator: Authenticate-request, name=username, password=userpassword
4. Authenticator to peer: Authenticate-ack (or nack) with text message
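
The PAP exchange above set against the CHAP property stated earlier (the shared secret never crosses the wire), as an added example that is not part of the course material. The CHAP response follows RFC 1994 (MD5 over identifier, secret and challenge); the secret, the sample credentials and the function names are constructed for illustration.

```python
import hashlib
import hmac
import os

SECRET = b"constructed-shared-secret"   # sample value, provisioned on both ends

def pap_wire(username, password):
    """What PAP puts on the link in its Authenticate-request (plain text)."""
    return f"name={username},password={password}".encode()

def chap_challenge(identifier):
    """Authenticator side: a fresh random challenge for every handshake."""
    return identifier, os.urandom(16)

def chap_response(identifier, secret, challenge):
    """Peer side, per RFC 1994: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def chap_verify(identifier, secret, challenge, response):
    """Authenticator side: recompute the hash and compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)

def demo():
    ident, chal = chap_challenge(1)
    resp = chap_response(ident, SECRET, chal)
    wire = bytes([ident]) + chal + resp        # all that crosses the link
    ident2, chal2 = chap_challenge(2)          # the next handshake
    wrong = chap_response(ident, b"wrong-secret", chal)
    return {
        "pap_exposes_password": b"userpassword" in pap_wire("username", "userpassword"),
        "chap_accepts_peer": chap_verify(ident, SECRET, chal, resp),
        "chap_exposes_secret": SECRET in wire,
        "replayed_response_accepted": chap_verify(ident2, SECRET, chal2, resp),
        "wrong_secret_accepted": chap_verify(ident, SECRET, chal, wrong),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The secret stays off the link, but a recorded challenge/response pair can still be tested offline against guessed secrets, so the shared secret needs to be long and random.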

Characteristics of strong passwords

• Strong passwords:
  • contain at least one of each of the following:
    • digit (0..9)
    • letter (a..Z)
    • punctuation symbol (e.g., !)
    • control character (e.g., ^s, Ctrl-s)
  • are based on a verse (e.g., passphrase) from an obscure work, where the password is formed from the characters in the verse
    • e.g., “ypyiyp” derived from the title of this module
    • sometimes referred to as a virtual password
  • are easily remembered by you but very difficult (preferably impossible) for others to guess

Strong password practices

• never recycle passwords
• never record a password anywhere
  • exceptions include use of encrypted password “vaults”
• use a different password for each system/context
• be aware that Trojan horse programs can masquerade as login prompts, so always reset the system as appropriate to obtain a trusted login prompt
• check for keyboard buffer devices/software that intercept keystrokes (including password capture)
• change your password occasionally
• change your password immediately if you suspect it has been “stolen”
• “passwords should be protected in a manner that is consistent with the damage that could be caused by their compromise.”
• monitor for possible eavesdroppers during entry of the password
• do not use the "Remember Password" feature of applications (e.g., Microsoft® Internet Explorer®)
• inquire about proactive password checking measures with your system administration

Characteristics of weak passwords

• Weak passwords:
  • Based on common dictionary words
    • Including dictionary words that have been altered:
      • Reversed (e.g., “terces”)
      • Mixed case (e.g., SeCreT)
      • Character/symbol replacement (e.g., “$ecret”)
      • Words with vowels removed (e.g., “scrt”)
  • Based on common names
  • Based on user/account identifier
  • Short (under 6 characters)
  • Based on keyboard patterns (e.g., “qwerty”)
  • Composed of a single symbol type (e.g., all characters)
  • Resemble license plate values
  • Are difficult for you to remember

Weak password practices

• recycling passwords
• recording (writing down) passwords
• use of previously recorded passwords (combination of the above practices)
• use of a password on two or more systems/contexts
  • Especially risky when passwords are reused in low-trust systems (e.g., online gaming) because of the increased exposure
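
A proactive password check of the kind the strong-practices slide suggests asking about, covering the mechanically testable items from "Characteristics of weak passwords". This is an added example, not part of the course material; the word list, keyboard rows, substitution table and function name are constructed for illustration.

```python
import re

# Constructed sample lists; a real checker would load far larger ones.
DICTIONARY = {"secret", "password", "dragon", "monkey"}
KEYBOARD_RUNS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Undo common character/symbol replacements: $->s @->a 0->o 1->l 3->e !->i 5->s
SUBSTITUTIONS = str.maketrans("$@013!5", "saoleis")
VOWELLESS = {re.sub(r"[aeiou]", "", word) for word in DICTIONARY}

def weaknesses(password, account=""):
    """Return the weak-password characteristics from the slide that apply."""
    found = []
    lowered = password.lower()                  # undoes mixed case
    plain = lowered.translate(SUBSTITUTIONS)    # undoes symbol replacement
    if len(password) < 6:
        found.append("short")
    if {lowered, plain, lowered[::-1], plain[::-1]} & DICTIONARY:
        found.append("dictionary word")         # as-is, altered or reversed
    elif lowered in VOWELLESS:
        found.append("dictionary word, vowels removed")
    if account and account.lower() in lowered:
        found.append("based on account identifier")
    if len(lowered) >= 4 and any(
            lowered in run or lowered[::-1] in run for run in KEYBOARD_RUNS):
        found.append("keyboard pattern")
    kinds = {"letter" if c.isalpha() else "digit" if c.isdigit() else "other"
             for c in password}
    if len(kinds) == 1:
        found.append("single symbol type")
    return found

if __name__ == "__main__":
    # The slide's own examples plus one constructed password with no findings.
    for pw in ("terces", "SeCreT", "$ecret", "scrt", "qwerty", "Tq7!bz#Rw"):
        print(f"{pw!r}: {weaknesses(pw) or 'no listed weakness found'}")
```
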
