Summative Assessment Brief
Task 1 (50%)
A new cryptography start-up, Super Secure Networks (SSN), announces a new product: Cryptography as a Service (CaaS). The basic idea is that CaaS acts as a trusted intermediary, ensuring that messages exchanged between two participants are encrypted with One-Time Pad (OTP) encryption. This also means their clients do not have to rely on any traditional public key infrastructure (PKI), which SSN attests has demonstrated weaknesses in the past.
Figure 1 shows an example of how this product will work, where Alice and Bob wish to exchange messages, and have agreed to use SSN’s CaaS solution:
Alice will connect to CaaS via a TLS session (arrow #1), specifying that they wish to communicate with Bob.
CaaS then generates a new OTP for their connection and sends it back to Alice (arrow #2) in the same session.
CaaS also sends the same OTP on to Bob, via a separate TLS session (arrow #3).
Now Alice and Bob have both received the OTP key, they can then use it to directly exchange encrypted messages (arrow #4).
Figure 1: Alice using CaaS to communicate with Bob
The TLS connections from and to CaaS use TLS version 1.2, with 256-bit elliptic curve points for a Diffie-Hellman handshake, signed with 1024-bit RSA keys (issued/signed by SSN itself, aka self-signed) and a SHA256 hash function. The encryption uses the 128-bit AES GCM cipher suite, and sessions are also signed with the SHA256 hash function. The messages between Alice and Bob are encrypted with the OTP using the exclusive-or (XOR) function.
Describe three differences between encryption with a one-time pad with XOR and AES encryption, and compare the security guarantees the two encryption techniques offer, if any.
Comment on the RSA key size and discuss the advantages/disadvantages of it.
SSN argue that using CaaS requires no more trust than the existing certificate authority model used by TLS connections today.
Explain how public key cryptography signing works to preserve integrity and authenticity, using the context of Alice signing a message that they can then send to Bob, and Bob verifying that the message came from Alice and has not been altered. You may assume that both Alice and Bob have access to a cryptographic hash function, and a signing and verification function. If it helps, you may assume these are: SHA256 and RSA respectively.
Describe the traditional hierarchical PKI, as used by TLS, and explain how key signing in the above system works, using the context of a server S who provides a secure service via TLS, a client C that intends to access the service from S, and a single certificate authority CA who they both trust and have the public key for, including a description of how C can validate they have received an encryption key from S.
Compare the traditional hierarchical PKI to the CaaS solution – is their assertion correct? Why or why not?
SSN claims that CaaS enables perfectly secure communications.
ii) Using your answer to part (i), suggest ways of making the current CaaS service more secure.
(Task 1 approximately 1500 words)
Task 2 (20%)
For this task, you should discuss the benefits of using a VPN and explain the uses of both remote access and site-2-site VPNs. You should implement the following VPN shown in the topology below and explain how this can keep online transactions safe.
Using Packet Tracer 7.1 or a real network kit with Cisco Routers and Switches, if you have approved access to it, use IPsec to create a VPN tunnel from Router A to Router B and a separate VPN tunnel from Router X to Router Y. You should use the provided IP addressing table to fully configure the given network topology.
As part of your submission, you must provide justification of how you accomplished this task, details of the IPsec tunnel configurations and proof that they are working, along with a copy of the Packet Tracer file fully configured and saved as StudentName.pkt (e.g. JohnSmith.pkt if your name is John Smith).
(Task 2 Approximately 500 words – not including tables or screen shots)
Task 3 (15%)
Review the current top 3 OWASP application vulnerabilities. For each one, describe the attack vector, list any vulnerability that is exploited and explain any countermeasures that may mitigate the risk of exploitation. Draw on knowledge from your workplace where practicable and appropriate.
(Task 3 Approximately 500 words – not including tables or screen shots)
|One-Time Pad encryption||AES encryption|
Both one-time pad encryption and AES encryption offer security guarantees through their respective algorithms. The security guaranteed by each is compared below:
AES (Advanced Encryption Standard) is considered to be the most secure encryption algorithm. It uses a symmetric encryption algorithm to protect data: the same key is used for encryption and decryption. It encrypts 128-bit blocks of data and uses keys of 128, 192 or 256 bits. Computation in AES is performed on bytes rather than bits. Initially, data was encrypted with a 56-bit key, which was vulnerable to attack and easy to crack. AES offers larger key sizes, with which data can be encrypted more securely.
One-Time Pad Encryption:
One-Time Pad encryption uses the XOR operation to encrypt the data or message. The generated key is random and is the same size as the message. The key is used only once, after which it is automatically discarded. To ensure security with One-Time Pad encryption, the generated key must be random and must be as long as the message. This is how security in the One-Time Pad encryption method is guaranteed.
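The requirements above (a random key as long as the message, discarded after one use) as an added Python example that is not part of the original answer; the OneTimePad class and the sample messages are constructed for illustration. The last function shows why the key must never be reused: XORing two ciphertexts made with the same key cancels the key out.

```python
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("operands must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))

class OneTimePad:
    """Hypothetical pad holder: hands out each key byte once, then forgets it."""

    def __init__(self, size: int):
        # Key material comes from the OS CSPRNG, not a predictable generator.
        self._pad = bytearray(secrets.token_bytes(size))

    def take(self, n: int) -> bytes:
        if n > len(self._pad):
            raise ValueError("pad exhausted: key must be as long as the message")
        key = bytes(self._pad[:n])
        del self._pad[:n]  # discard so the same key bytes are never handed out again
        return key

    def remaining(self) -> int:
        return len(self._pad)

def otp_encrypt(pad: OneTimePad, message: bytes):
    """Return (key, ciphertext); decryption is the same XOR with the same key."""
    key = pad.take(len(message))
    return key, xor_bytes(message, key)

def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """If one key encrypted both messages, c1 XOR c2 == p1 XOR p2."""
    return xor_bytes(c1, c2)

if __name__ == "__main__":
    p1, p2 = b"PAY BOB 100", b"PAY EVE 999"  # constructed sample messages
    pad = OneTimePad(len(p1))
    key, c1 = otp_encrypt(pad, p1)
    print(xor_bytes(c1, key) == p1)  # holder of the same pad recovers p1
    c2 = xor_bytes(p2, key)          # mistake: the same key used a second time
    print(reuse_leak(c1, c2) == xor_bytes(p1, p2))  # key has cancelled out
```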
When creating an RSA key pair, you need to specify the key size according to your requirements. RSA keys come in different lengths, and each length is used according to the level of security needed. A 1024-bit RSA key is used for medium-security purposes where high security is not required. To secure highly confidential data, a larger key is required, and a 2048-bit key should be considered. Data encrypted with a 2048-bit key could be kept confidential for more than 1 year. Data encrypted with a larger key is more secure than data encrypted with a smaller key, but the drawback of a long key is that decryption becomes slower and takes more time. (Javamax, n.d.)
Advantages of RSA key size:
The strength of encryption depends on the key size: the larger the key, the stronger the encryption. Data with strong encryption is more secure than data encrypted with a small key. Data can be secured for more than one year with a larger key.
Disadvantages of RSA key size:
A larger key size affects the performance of encryption and decryption: with a longer key, both become slower. The impact is greater on decryption, which becomes much slower than encryption because the decryption exponent is large compared with the encryption exponent. Data encrypted with a smaller key is less secure than data encrypted with a larger key. (Rouse, 2019)
Bob will decrypt the message with his own private key and make sure that the message was sent by Alice by verifying the digital signature with the public key shared by Alice. Verifying the digital signature therefore ensures that the message was sent by Alice, so public key encryption preserves authenticity. After verifying the signature, Bob checks whether the content of the received message matches the sent message. If even a slight change to the message is found, the decryption process fails. Hence, integrity is also preserved in public key cryptography. (SURVEILLANCE SELF-DEFENSE, 2018) (Globalsign, 2019)
ii) Traditional hierarchical PKI
Public Key infrastructure consists of mainly five components: Digital certificate, CA (Certification authority), Private key tokens, Registration authority and certificate management system.
CA (Certificate authority) will assign the digital certificate to both client C and server S. Public keys are stored in digital certificates that are digitally signed by CA with its own private key and assigned to client and server. Then the assigned public keys are exchanged between client and server where client C wants to access some data from Server S.
The CA (Certificate Authority) is responsible for generating the key pair, either individually or with the client. Digital signatures ensure that the content of the certificate has not been modified. Before communication starts, Server S will share its public key, assigned by the certificate authority, with Client C along with the digital signature. Client C will verify the public key by verifying the digital signature with its own public key, which was also assigned by the certificate authority. Once the keys are shared, the client can access the data from the server.
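The brief's scenario for parts (i) and (ii), hash-then-sign and C checking S's key through the CA's signature with the CA's public key, as an added Python example that is not part of the original answer. It uses textbook RSA over small Mersenne primes with no padding, which is a toy for illustration and not secure; the key sizes, the certificate layout and all names are assumptions.

```python
import hashlib

E = 65537  # common public exponent

def make_key(p: int, q: int) -> dict:
    """Toy RSA key pair from two primes (real keys use large random primes)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    return {"n": n, "e": E, "d": d}

def public(key: dict) -> dict:
    """The part of a key pair that is safe to publish."""
    return {"n": key["n"], "e": key["e"]}

def digest(msg: bytes, n: int) -> int:
    """SHA-256 of the message, reduced into the toy modulus."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg: bytes, priv: dict) -> int:
    """The signer applies its PRIVATE exponent to the hash of the message."""
    return pow(digest(msg, priv["n"]), priv["d"], priv["n"])

def verify(msg: bytes, sig: int, pub: dict) -> bool:
    """The verifier applies the signer's PUBLIC exponent and compares hashes."""
    return pow(sig, pub["e"], pub["n"]) == digest(msg, pub["n"])

def encode_key(name: str, pub: dict) -> bytes:
    """Certificate body: the subject name bound to its public key."""
    return f"{name}|{pub['n']}|{pub['e']}".encode()

def issue_cert(ca_priv: dict, name: str, pub: dict) -> dict:
    """The CA signs (name, public key) with the CA's private key."""
    return {"name": name, "pub": pub, "sig": sign(encode_key(name, pub), ca_priv)}

def client_accepts(cert: dict, expected: str, ca_pub: dict) -> bool:
    """C trusts S's key only if the CA's signature over (name, key) verifies."""
    body = encode_key(cert["name"], cert["pub"])
    return cert["name"] == expected and verify(body, cert["sig"], ca_pub)

# Constructed toy keys: the CA's pair, the server's pair, and S's certificate.
CA = make_key(2**127 - 1, 2**107 - 1)
S = make_key(2**89 - 1, 2**61 - 1)
CERT = issue_cert(CA, "S", public(S))
```

The same `sign` and `verify` pair covers Alice and Bob: Alice signs with her private key, and Bob verifies with Alice's public key.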
iii) In public key infrastructure, the certificate authority assigns a digital certificate, containing a public key along with a digital signature, to both of the actors participating in the communication. These digital signatures are signed by the CA with its private key. The sender will send the message with a digital signature so that the receiver can identify that the message was sent by the authorised sender.
In CaaS (Cryptography as a Service), the sender asks CaaS for a shared key, and in return CaaS provides the One-Time Pad to the sender and gives the same One-Time Pad to the receiver. After receiving the One-Time Pad, the sender and receiver can communicate with each other directly.
SSN claims that the One-Time Pad is the secure method for communication between two parties, but the keys need to be shared before the message is transmitted, and if the keys are revealed while they are being shared, the message can be deciphered easily.
ii) The current CaaS service can be secured by using a hash algorithm on the plain message and sending this hash output to the recipient along with the message. In this way, the person with the correct hash function will be able to decrypt the message and hash function. Once the message is received by the recipient, it can be checked by matching the hash value from the received message.
Another issue with the One-Time Pad is the distribution of keys. As each key can be used only once, it is difficult to share a large number of different unique keys securely. For this, mass key distribution should be used, in which many terabytes of key bytes can be exchanged at one time by bundling them into a mass storage version of a briefcase. (Rijmenants, 2019)
A VPN, or Virtual Private Network, is a secure connection between a user or device and servers. A secure VPN tunnel is created between two users, using the VPN service, and the communication between the users is encrypted so that no third party or unauthorized person can eavesdrop on the network traffic. A VPN allows users to work remotely by accessing their company's server or secure internal network. This service is widely used in corporations, where home users use it to connect to the company's network. The service is provided by a VPN service provider, where a VPN server is installed. The client needs a VPN client to establish a secure connection to the server. When the connection is established, a secure encrypted VPN tunnel is created between the server and the user. (Advantages of VPN, 2019)
There are several benefits of using a VPN. Some of them are listed here –
What are remote access and site to site VPN?
Remote access VPN – This VPN service allows an individual user to connect to the company's secure network remotely and use the company's secure resources over the VPN connection. Two components are needed to create a remote access VPN. One is a "Network or Remote access server" and the other is a "Remote access VPN client" application. The VPN client software is required to make the connection request to the server. The remote access server then authenticates the client request by checking its credentials and creates a secure VPN tunnel. (Remote Access VPN, 2019)
Site to Site VPN – This type of VPN connection allows multiple office locations to connect via a VPN connection over the internet. This extends the company's resources and makes them available at another location by secure means. Site to Site VPNs are of two types – intranet based and extranet based. (Site to Site VPN, 2019)
Implementing VPN topology
How VPN can keep online transaction safe?
A VPN is one of the most secure means of using internet banking. It adds an extra layer of security and restricts hackers from eavesdropping on our network traffic. It creates a secure tunnel between the user and the server so that an unauthorized user can't steal our confidential information.
Configuration of IPsec tunnel
Configuration on router A
# conf t
# int tunnel 10
# ip add 10.0.0.1 255.0.0.0
# tunnel source fa0/1
# tunnel destination 184.108.40.206
# no shut
# do show interface tunnel 10
Configuration on router B
# conf t
# int tunnel 20
# ip add 10.0.0.2 255.0.0.0
# tunnel source fa0/1
# tunnel destination 220.127.116.11
# no shut
# do show interface tunnel 20
Configuration on router X
# conf t
# int tunnel 100
# ip add 18.104.22.168 255.0.0.0
# tunnel source fa0/1
# tunnel destination 22.214.171.124
# no shut
# do show interface tunnel 100
Configuration on router Y
# conf t
# int tunnel 200
# ip add 126.96.36.199 255.0.0.0
# tunnel source fa0/1
# tunnel destination 188.8.131.52
# no shut
# do show interface tunnel 200
Proof of working – using ping and tracert to check the tunnel connectivity between PCs.
Task 3 OWASP Application Vulnerability
The top three OWASP application vulnerabilities are (OWASP Vulnerabilities, 2019) –