Cryptography
This topic is intended to introduce
you to cryptography.
Topics to Be Covered:
- Introduction
to Cryptography and encryption algorithms.
- Public
key infrastructure (PKI) and digital certificates.
- Cryptographic
protocols.
- Secure
email and file encryption.
Types of Cryptographic Algorithm
Cryptography involves various
algorithms to perform the encryption and decryption processes.
The main types include:
Symmetric-Key Cryptography:
With this approach, both sender and
recipient share one secret key used to encrypt and decrypt their message,
keeping their identities hidden from third parties.
A widely known example is Data Encryption Standard as well as its upgraded
variant AES which use this technique.
Asymmetric-Key Cryptography:
More commonly referred to as public
key cryptography, this approach utilises two keys - one public and the other
private.
A sender uses their recipient's public key for encryption while their private
key decrypts it; an algorithm such as Rivest-Shamir-Adleman can often be seen
being utilised within this form.
Hash Functions:
Hash functions
offer another alternative to encryption techniques that doesn't involve keys -
instead generating a fixed length hash value from plaintext that makes
retrieving its original message nearly impossible. MD5 and SHA-1 are two
commonly-used hash functions.
Key Terms in Cryptography
- Cipher: An algorithm designed for
performing encryption or decryption.
- Key: Information used by the
cipher that only knows by the sender and recipient in order to encrypt and
decrypt messages.
- Plaintext: The original, readable
message.
- Ciphertext: The encrypted message
which is not readable or understandable until it is decrypted.
Cryptography plays an integral part
of modern data protection systems. While cryptography studies can be complex,
they play an essential part in cybersecurity education and must be included as
such in all student curriculums.
Public Key Infrastructure and
Digital Certificates
What is Public Key Infrastructure
(PKI)?
PKI refers to a set of roles,
policies, hardware, software and procedures needed for creating, managing,
distributing, using, storing and revoking digital certificates. Asymmetric
cryptography relies on two keys for encryption and decryption - public for
public key encryption while private for decryption.
PKI provides a framework that facilitates functions like digital signature,
encryption and authentication - essential capabilities that verify data
integrity and source, providing secure transactions and communications online.
Key Components of PKI:
- Digital
Certificates: These
are electronic 'passwords' that allow a party receiving certain
information to decode content encrypted by the party who originally sent
the info.
- Certificate
Authorities (CAs): Certificate
Authorities provide trusted third-party digital certificates by verifying
identity and associating cryptographic keys to users who apply for them.
- Certificate
Store: This
is a storage space for digital certificates.
- Key
Pair (Public and Private Keys): These
mathematically related keys must remain secret, while their public
counterpart can be freely made accessible for anyone to use.
What are Digital Certificates?
Digital certificates are electronic
documents created using digital signature technology to link a public key with
its identity, providing proof that an individual owns them.
Under most PKI schemes, a certificate authority (CA), often an organisation
charged by customers to issue them certificates, is the issuer of certificates
for them.
Digital Certificates typically
contain:
- Owner's
public key.
- Owner's
name.
- Expiration
date of the public key.
- Name
of the issuer.
- Serial
number of the Digital Certificate.
- Digital
signature of the issuer.
Applications of PKI and Digital
Certificates
- Secure
Email: PKI is used to secure email communication, providing assurance that
the message came from a known sender and that it wasn’t tampered with.
- Secure
Network Access: PKI provides secure remote access to global information
over untrusted networks.
- Document
Signing: Digital signatures use PKI technology to secure and authenticate
the data.
Public Key Infrastructure and
digital certificates play an vital role in secure online communication and
transactions, enabling verification of authenticity and integrity for data sent
over networks, thus becoming essential components of modern cybersecurity
solutions.
Cryptographic Protocols
Now we will discuss cryptographic
protocols like TLS/SSL and IPsec that facilitate secure communications over
networks - fundamental elements in maintaining online security.
Cryptographic protocols, or security protocols, use
cryptography to secure electronic communications over networks.
Such cryptographic protocols often offer key agreement, entity authentication,
data integrity protection, confidentiality guarantees and non-repudiation to
their clients.
ransport Layer Security, like its predecessor Secure
Sockets Layer, are cryptographic protocols designed to provide
communications security on computer networks. Websites use TLS in order to
encrypt all communication between their server and web browsers and users of
their site. Here's an outline of it function:
- Hello: The client and server establish a connection, and the client proposes
encryption options.
- The server chooses the highest level of encryption both can manage and sends
the client its public key certificate.
- Clients compare a server certificate against its list of trusted CAs; if a
match exists, they generate a symmetric session key, encrypt it using its
public key and send it back.
- A server decrypts its session key with its private key and sends back an
acknowledgment encrypted with this session key to initiate an encrypted
session.
Internet Protocol Security (IPsec)
IPsec is a set of protocols used
together to establish secure connections between devices. IPsec can help create
authenticated and confidential IPv4 and IPv6 packets through authentication
between agents before each session begins and negotiation of cryptographic keys
used during sessions.
IPsec can be used in two modes:
- Transport
Mode: IPsec's Transport Mode protects transport-layer protocols by only
encrypting/authenticating its payload (your data) of an IP packet.
- Tunnel
Mode: IPsec tunnel mode provides an IP packet encapsulation mechanism
designed to protect packets routed between networks. In tunnel mode,
entire IP packets are encrypted or authenticated before being wrapped back
up into new IP packets with unique headers and then sent on their
journeys.
TLS/SSL and IPsec are foundational
to the secure operation of internet communications. They protect sensitive
information from interception and tampering, ensuring that our online
transactions and communications are confidential and authentic.
Secure Email and File Encryption
Secure Email
Secure email involves encrypting an
email and its attachments for delivery only to its intended recipients, using
encryption keys that only they possess can unlock it back to its original form.
Essentially, secure emails turn plaintext emails into unintelligible scrambled
ciphertext that only people possessing said encryption key can reverse back
into plaintext form.
There are several methods to secure email:
1. Transport Layer Security (TLS)
TLS secures communication between
mail servers and clients by encrypting connections while in transit, protecting
email while on its way - yet may remain vulnerable at rest on servers or
recipients devices.
2. Pretty Good Privacy (PGP) and
GNU Privacy Guard (GPG)
Pretty Good Privacy (PGP) and GNU
Privacy Guard (GPG) both employ end-to-end encryption that secures email
messages sent out until decrypted by their intended recipients. The senders use
public keys of recipients while recipients decrypt them using private keys
corresponding to themselves.
3. Secure/Multipurpose Internet
Mail Extensions (S/MIME)
S/MIME has become part of most
modern email software and uses a central authority to select certificate
recipients, providing users with more robust encryption and digital signing
than just SSL/TLS can offer. It enables email encryptors and users to digitally
sign their emails providing users with added layers of protection than just
SSL/TLS provides.
File Encryption
File encryption is a security
measure in which individual files or folders can be encrypted by either their
users or system administrators to safeguard sensitive information from being
exposed unknowingly to third-parties. Encryption encases it all within an
encrypted structure preventing unwarranted access by anyone not
authorised. Two main types of file encryption exist:
- Symmetric
encryption: This
type employs symmetric keying for file encryption and decryption,
providing quicker encryption with more security in its distribution of
keys. While faster, however, safe distribution remains key.
- Asymmetric
Encryption: Also
referred to as public-key encryption, this approach employs two keys: one
public and one private when creating encryptions with public keys; only
corresponding private keys can decrypt them back. As with asymmetric
encryptions, however, this process tends to be more secure due to its
complexity; yet may take more time in terms of speed and convenience.
Common file encryption methods
include using file archiving programs like 7-Zip or WinZip that offer password
protection and file encryption capabilities, while many operating systems also
include built-in file protection features like Windows' BitLocker or macOS'
FileVault for convenient file protection.
As technology becomes ever more pervasive, security of email communications and
files becomes ever more crucial in today's increasingly digital environment.
Learning how to protect this sensitive data through encryption techniques such
as emails or files is vital in maintaining cybersecurity.
Web Application Security
This topic is intended to introduce
you to Web Application Security.
Topics to Be Covered:
- Common
vulnerabilities in web applications.
- Web
application security frameworks and best practices.
- Secure
coding principles.
- Web
application penetration testing.
Common Vulnerabilities in Web
Applications
What are Web Application
Vulnerabilities?
Web application vulnerabilities are
security weaknesses or flaws in an internet-facing application that an attacker
could exploit to compromise it and gain entry to steal information or engage in
other illegal acts, including poor input validation, incorrect configuration
settings or outdated components among many other sources of vulnerability.
SQL Injection is an attack method utilised by
malicious actors to exploit weaknesses within a web application's database
layer.
The technique involves injecting SQL statements that execute, providing
attackers access to view, modify or delete records within their target
database.
An example of SQLi would be entering "' OR '1'='1" into a login field
without
using proper filtering
capabilities; otherwise, this can fool an application into providing access
without valid username and password credentials.
Cross-Site Scripting attacks take place when an
attacker exploits web apps as an entryway to deliver malicious scripts to other
users without bypassing access controls and gaining entry to sensitive data.
There are three primary forms of Cross-Site Scripting attacks:
1. Stored XSS: The malicious script is permanently stored on the
target servers.
2. Reflected XSS: The malicious script is embedded in a URL and
reflected off the web server.
3. DOM-Based Cross Site Scripting: This vulnerabilities present in
client-side code rather than server-side code.Cross-Site Request Forgery
CSRF attacks aim at tricking victims into making
malicious requests by persuasion or persuasion of some sort, typically by
loading up pages with such requests on them and tricking the victims into
clicking them in order to submit malicious requests on their behalf.
They act maliciously by taking on their identity and privileges for unintended
functions on behalf of those being victimised by them.
Security misconfigurations can occur at any level of an application
stack, including the network services, platform, web server, application
server, database, and framework.
Common examples include unnecessary open ports, default account credentials, or
verbose error messages containing sensitive information.
Web Application Security Frameworks
A strong understanding of web
application security frameworks is fundamental to protecting your web
applications from various security threats.
Web Application Security Frameworks
A web application security
framework is a structure designed to promote the structured development and
deployment of secure web applications. Examples of such frameworks include:
- OWASP
(Open Web Application Security Project) Top Ten: This is a powerful
awareness document for web application security, representing a broad
consensus about the most critical security risks to web applications. The
OWASP Top Ten includes risks like Injection, Broken Authentication,
Sensitive Data Exposure, XML External Entities (XXE), and more.
- Spring
Security: This
is a powerful, highly customizable authentication and access control
framework for Java applications. It's a de-facto standard for securing
Spring-based applications.
- Django
Security Framework: Django
offers an impressively robust framework for web application security,
featuring built-in mechanisms such as CSRF protection, Clickjacking
Prevention, SQL Injection Defences and more.
Web Application Security Best
Practices
Adopting security best practices
can dramatically lower the number of vulnerabilities present in your web
application and minimise any resulting potential damages. Here are a few such
practices:
- Validate
input strictly for length, range, format, and type. Avoid any known unsafe
characters or inputs.
- Always
use HTTPS instead of HTTP to protect page authenticity, secure ongoing
communication, and keep user data safe.
- Implement
a Content Security Policy (CSP): CSP is a simple method to reduce XSS
risks on modern browsers by declaring which dynamic resources are allowed
to load.
- Use
strong hash functions to store password (bcrypt, scrypt) and enforce
password complexity that may deter password cracking attempts.
- Maintaining
an updated system and software is important in protecting a web app's
security, including updating server operating systems, databases,
frameworks and libraries used by your applications.
- Following
the principle of least privilege is key in protecting data. Each module
(process, user or program depending on subject matter) should only access
those resources essential for fulfilling its legitimate function.
Web application security should
never be treated as an afterthought; rather, it must become part of your
development life cycle and follow best practices when choosing security
frameworks to use. Doing this will guarantee your applications remain as safe
as possible.
Secure Coding Principles
Secure coding is vital because even
minor miscalculations can lead to serious security vulnerabilities, so adhering
to its principles can help developers circumvent many such problems.
1. Minimise Attack Surface Area
Every feature and functionality in
your code can potentially be exploited. Therefore, minimise your application's
attack surface by limiting the number of features, reducing code complexity,
and compartmentalising your application.
1. Minimise Attack Surface Area
Every feature and functionality in
your code can potentially be exploited. Therefore, minimise your application's
attack surface by limiting the number of features, reducing code complexity,
and compartmentalising your application.
2. Principle of Least Privilege
This principle holds that an
individual or program should only need the bare minimum privileges necessary to
perform its function, for example if writing access is unnecessary for its
function a function should only require read access, thus restricting attackers.
3. Defence in Depth
Defence in depth, or layered
security, is a principle where you use multiple layers of security controls to
protect your application. For instance, you could have an IDS (Intrusion
Detection System) as well as a firewall to protect your network.
4. Fail Securely
How your application handles errors
can greatly influence its overall security. For example, if a function fails,
it shouldn't offer more access than when it was working correctly.
Additionally, error messages should not disclose sensitive information that
could aid an attacker.
5. Don't Trust User Input
Even if an input seems harmless,
always validate it. This includes not only form data entered by users, but also
query parameters, HTTP headers, cookies, and any other input to your
application.
6. Implement Secure Defaults
Security should always be the
default setting, since having to choose between secure and insecure modes may
lead users to accidentally select one over the other. Therefore, secure
settings should always be the default choice.
7. Keep Security Simple
Aiming for simplicity in design
will aid your application's security, since complex architectures and code
bases require greater upkeep while having higher chances of harbouring
vulnerabilities.
8. Encrypt Sensitive Data
Sensitive data such as user
passwords or personal details should always be encrypted when stored at rest
and/or transmitted, including data at rest and transit. This applies both when
stored locally on computers as well as when transmitted between servers and
clients.
9. Use Security Features of Your
Frameworks and Platforms
Most platforms and frameworks come
equipped with built-in security features like encryption and input validation
that should always be taken advantage of rather than trying to implement your
own.
10. Perform Regular Updates and
Patching
It is critical that systems,
programming languages, frameworks, libraries and software applications remain
up-to-date to protect them against known vulnerabilities in applications and
websites. Incorporating regular patching is integral in protecting applications
against known security risks.