Summative Assessment on Cryptography: Cyber Security Assignment Answer
- Difference between Encryption with a one-time pad with XOR and AES encryption:
|One-Time Pad encryption||AES encryption|
Both one-time pad encryption and AES encryption guarantees security in their respective algorithm. We will discuss the comparison between security guaranteed by One-Time Pad and AES encryption:
AES (Advanced Encryption Standard) is supposed to be most secure encryption algorithm. It uses symmetric encryption algorithm to protect the data. In symmetric encryption method, the same key is used for encryption and decryption. This method encrypts 128-bit data and uses keys of 128-bit, 192-bit and 256-bit sizes. The computation in AES is performed on bytes rather than bits. Initially the data was encrypted with a 56-bit key size that was vulnerable to attack and easy to crack. But AES offers large key sizes, with which data can be encrypted in a more secure way.
One-Time Pad Encryption:
One-Time Pad Encryption uses XOR operation to encrypt the data or message. The key generated is random and is of the size of message. The generated key is used only one time, after this the key will get automatically discarded. To ensure security in One-Time Pad Encryption method, the generated key must be random, and the size of key must be as long as the message. This is how security in One-time Pad encryption method has been guaranteed.
- RSA key size
While creating an RSA key pair, you need to specify the size of the key according to your requirement. The RSA key is of different lengths and each length key is used according to the level of security. RSA key size of 1024 bits is used for medium security purpose where not high security is required. To secure high confidential data, the higher key size is required. For this 2048-bit key should be considered. The data encrypted with 2048-bit key size could be kept confidential for more than 1 year. However, the data encrypted with larger key size is more secure as compared to small key size but the issue with long size key encryption is that the decryption of data becomes slower and takes more time for decryption. (Javamax, n.d.)
Advantages of RSA key size:
The strength of encryption depends on the key size. The larger the key size, stronger is the encryption. Increase in key size, increases the strength of encryption. The data with strong encryption is more secure as compared to data encrypted with small key size. The data can be secured for more than one year with larger key encryption.
Disadvantages of RSA key size:
The larger key size impact the performance of encryption and decryption. With longer key, the encryption and decryption become slower. The larger key size has more impact on decryption as compared to encryption because decryption become much slower than encryption as the exponent of decryption is large as compared to encryption. The data encrypted with smaller key size is less secure as compared to data encrypted with large key size. (Rouse, 2019)
- i) Public key cryptography uses two different keys for data encryption and decryption. Before starting the transfer of data, the key pair is generated by both the sender and receiver participating in the communication. In this scenario, Alice want to communicate with Bob through public key encryption. For this, initially both Alice and Bob generate a key pair of public and private key. RSA is used to generate key pair with SHA 256 algorithm. From which, the public key of Alice is transferred to Bob and Bob’s public key is transferred to Alice. These public keys will be used to encrypt the message. From the pair of public private keys, private keys will be kept by Alice and Bob respectively. Alice send a message by encrypting the message with Bob’s public key given to Alice and the message is digitally signed by Alice’s private key. The signing of the message helps the receiver to identify the sender of the message. The receiver that is Bob will verify the signature with the public key of Alice that was already shared with Bob.
Bob will decrypt the message with its own private key and make sure that the message was send by Alice by verifying the digital signature with the public key shared by Alice. Hence, verifying the digital signature ensures that the message was send by Alice. Hence, Public key encryption preserves the authenticity. After verifying the signature, Bob checks the content of the message whether the received message matches the send message. If there is a change in message found even a slight change, the decryption process fails. Hence, integrity is also preserved in the public key cryptography. (SURVEILLANCE SELF-DEFENSE, 2018) (Globalsign, 2019)
ii) Traditional hierarchical PKI
Public Key infrastructure consists of mainly five components: Digital certificate, CA (Certification authority), Private key tokens, Registration authority and certificate management system.
CA (Certificate authority) will assign the digital certificate to both client C and server S. Public keys are stored in digital certificates that are digitally signed by CA with its own private key and assigned to client and server. Then the assigned public keys are exchanged between client and server where client C wants to access some data from Server S.
CA (Certificate Authority) is responsible for generating Key pair either individually or with client. Digital signatures ensure that the content in the certificate is not modified. Before, getting started the communication, Server S will share its public key assigned by certificate authority with Client C along with digital signature. Client C will verify the public key by verifying the digital signatures with its own public key that was also assigned by Certificate authority. Once the keys were shared, client can access the data from server.
iii) In Public key infrastructure, certificate authority assigns the digital certificate that contains public key along with digital signature to both the actors participating in communication. These digital signatures are digitally signed by CA with its private key. The sender will send the message with digital signature so that receiver will identify that the message was send by the authorised sender.
In CaaS (Cryptography as a service), sender will ask for a shared key to CaaS and in return of this CaaS will provide the One-Time pad to Sender and the same One-Time pad will be given to receiver. After, receiving One-time Pad both sender and receiver can directly communicate with each other.
SaaS claims that One-Time Pad is the secure method for communication between two parties but before transmitting the message, the keys need to be shared and if during the process of sharing the keys, if the keys gets revealed the message can be deciphered easily.
- i) CaaS claims that Its One-Time pad encryption method is highly secure, but some vulnerabilities have been noticed in CaaS’s one-Time Pad encryption system. One-Time Pad uses random keys along with messages that are used to encrypt the message and the same key will be used by receiver to decrypt the message. The keys can be used only once after this key are automatically discarded. One-Time Pad does not offer message integrity and authenticity. There is no method to verify the authenticity of message if the message got corrupted, no one can identify whether the message was corrupted by transmission errors or by an interceptor. If the same key is used for more than once, the data could be compromised.
ii) The current CaaS service can be secured by using Hash algorithm on the plain message and this hash output along with message will be then send to recipient. In this way, the person with correct hash function will be able to decrypt the message and hash function. Once the message will be received by the recipient, it can be checked by matching the hash value from the received message.
Another issue with One-Time Pad is the distribution of keys. As each key can be used only once, so it is difficult to share a large number of different unique keys securely. For this, mass key distribution should be used in which many Terabytes of key bytes can be exchanged at one time by bundling them into mass storage version of briefcase. (Rijmenants, 2019)
A VPN or Virtual Private Network is a secure connection between user or device and servers. A secure VPN tunnel is created between two users, using the VPN service, and the communication between the users is encrypted, so that any third person or unauthorized person cannot eavesdrop the network traffic. VPN allow the user to work remotely by accessing their company’s server or secure internal network. This service is widely used in corporates where home users use this secure service to connect to the company’s network. This service is provided by the VPN service provider where a VPN server is installed. The client needs a VPN client to establish a secure connection to the server. When the connection is established, a secure encrypted VPN tunnel is created between server and user. (Advantages of VPN, 2019)
There are several benefits of using a VPN. Some of them are listed here –
- It hides our online identity by encrypting the network traffic
- It helps us bypass geo blocks by hiding our local/real IP address
- It secures our online communication, confidential details from being stolen by the intruder
- By using VPN, we can prevent bandwidth throttling, as our ISP never investigate how and what we were used.
- By VPN we can bypass firewalls and can access restricted web sites blocked by some ISPs.
- It provides secure surfing and downloading while using torrents.
- It makes us able to use geo-graphically restricted application like online games that may be restricted in our region.
What are remote access and site to site VPN?
Remote access VPN – This VPN service allow an individual user to connect to the remote company’s secure network and use the secure resources of the company by the VPN connection. Two components are needed to create a remote access VPN. One is “Network or Remote access server” and another is “Remote access VPN client” application. The VPN client software is required to make the connection request to the server. Now the remote access server will authenticate the client request by checking its credentials and create a secure VPN tunnel. (Remote Access VPN, 2019)
Site to Site VPN – This type of VPN connection allows multiple office locations to connect via a VPN connection using internet. This will extend company’s resources and make them available at another location by a secure means. Site to Site VPN are o two types – intranet and extranet based. (Site to Site VPN, 2019)
Implementing VPN topology
How VPN can keep online transaction safe?
A VPN is one of the most secure mean of using internet banking. It adds an extra layer of security and restrict hackers from eavesdropping into our network traffic. It creates a secure tunnel between the user and server so any unauthorize user can’t steal our confidential information.
Configuration of IPsec tunnel
Configuration on router A
# conf t
# int tunnel 10
# ip add 10.0.0.1 255.0.0.0
# tunnel source fa0/1
# tunnel destination 188.8.131.52
# no shut
# show interface tunnel 10
Configuration on router B
# conf t
# int tunnel 20
# ip add 10.0.0.2 255.0.0.0
# tunnel source fa0/1
# tunnel destination 184.108.40.206
# no shut
# show interface tunnel 20
Configuration on router X
# conf t
# int tunnel 100
# ip add 220.127.116.11 255.0.0.0
# tunnel source fa0/1
# tunnel destination 18.104.22.168
# no shut
# show interface tunnel 100
Configuration on router Y
# conf t
# int tunnel 200
# ip add 22.214.171.124 255.0.0.0
# tunnel source fa0/1
# tunnel destination 126.96.36.199
# no shut
# show interface tunnel 200
Proof of working – using ping and tracert to check the tunnel connectivity between PCs.
Task 3 OWASP Application Vulnerability
The top three OWASP application vulnerabilities are (OWASP Vulnerabilities, 2019) –
- Injection – this type of vulnerability has happened when an attacker injects some malicious code in to the web application that forced it to do something different from what that application was programmed to do. The most common type of attack in this category is SQL injection where a SQL query is altered with some code by the hacker and the query generates the different results from it was designed to do. Prevention of code injection vulnerability is totally depending on the technology we are using like word press application, to write the query. The developer needs to use several security measures to develop or design a software like using minimum themes and plugins, don’t use dynamic SQL, use updated software and firewalls. (Code Injection – OWASP, 2019)
- Broken authentication – it is the type of attack where an attacker will gain access of any user account in our system what he wants to. In some worse cases he will take complete control over the system. Several web sites are prone to this type of vulnerability where the application isn’t having as much secure authentication mechanism. To prevent from this attack, one should put into practise to not leaving login page open that can be accessible publicly. Broken authentication vulnerability can be seen by using brute force attack on the login page of a web site. To mitigate this vulnerability, the developer need use some best practises to do the security audit of their web site and test the code before deploying it to the web site. Some more countermeasures that can be taken into account to avoid broken authentication are – use multi factor authentication, do not use default authentication and weak password and keep logs of any authentication failure. (Broken Authentication – OWASP, 2019)
- Sensitive data exposure – This is one of the most common type of vulnerability. It exposes the confidential data that need to be protected. Confidential data like passwords, credit card number, social security number, PIN number etc. This sensitive data is of two types – stored and transmitting. Both type of data needs to be protected. A best way to do this on a web server, is using an SSL certificate. The SSL will secure the communication between host and server and there is lesser chance of eavesdropping by an intruder. To mitigate the risk of this vulnerability we need to use some prevention mechanisms, like – identify the sensitive data that need to be protected and classify it according to the privacy laws, do no store sensitive data on the servers and online systems and make sure the data is always kept encrypted. To protect the transmitting data, use secure protocols such as TLS, HTTPS etc. (Series, A., 2019)