Saturday, March 6, 2010


Cryptography is the study of hidden information. An application of cryptography includes ATM cards, computer passwords, Electronic commerce etc.
It is nothing but encryption. A cipher is a pair of algorithms which create the encryption and the decryption. The detailed operation of cipher is controlled by both algorithm and keys. The key is secret parameters without which cipher can easily break.

History: Cryptography was concerned with message confidentiality (i.e., encryption). It is nothing but conversion of messages from a comprehensible form into an incomprehensible one and back again at the other end, rendering it unreadable by interceptors or eavesdroppers without secret knowledge (namely the key needed for decryption of that message).

Authentication: It is the process by which you can verify that someone is who they claim they are. This usually involves a username and password. It also include other method of identity such as a smart card, retina card, voice recognition, finger prints etc.

Authorization: it is the process of finding out if the person, once identified is permitted to have the resource. It can be known by finding out whether that person is a part of a particular group, if that person has paid admission or has a particular level of security clearance.

TEMPEST: TEMPEST is a codename referring to investigations and studies of compromising emanations. Compromising emanations are defined as unintentional intelligence bearing signals which if intercepted and analyzed, may disclose the information transmitted, received, handled or otherwise processed by any information processing equipment.

Worm: computer worms are developed by Robert Morris in 1988. worm is send to a computer by mail. It then copies itself and then send copy after copy on to other computer. Initially the worms were designed for good intent. The worms try to download and install patches from Microsoft’s website to fix problems in the host computer. They download patches and install it and reboot the host without help of computer’s user.
Worms work without user intervention. It does not attach itself to an existing program. Worms almost always cause at least some harm to network by consuming bandwidth. Whereas viruses always corrupt or modify files on targeted computer. Worms are designed to spread and don’t attempt to modify systems, but ‘Morris worm’ and ‘my doom’ showed that network traffic can often cause major disruption.
‘Payload’ is a worm code designed to do more than spreading. It might delete files on a host system. It can also encrypted files & send via email. Worm writers can get a list of IP addresses of infected of infected machines.

Trojan Horse: A Trojan horse is a non self replicating malware that appears to perform a desirable function for the user but instead facilitates unauthorized access to the users computer system.
Purpose and operation: Trojan horses are designed to allow a hacker remote access to a target computer system. Once a Trojan horse has been installed on a target computer system, it is possible for a hacker to access it remotely and perform various operations. The operations that a hacker can perform are limited by user privileges on the target computer system and the design of the Trojan horse. Operations could be performed by a hacker on a target computer system include:
1) Use of the machine as part of a botnet (i.e. to perform spamming or to perform Distributed Denial-of-service (DDoS) attacks)
2) Data theft (e.g. passwords, credit card information, etc.)
3) Installation of software (including other malware)
4) Downloading or uploading of files
5) Modification or deletion of files
6) Keystroke logging
7) Viewing the user's screen
8) Wasting computer storage space
Trojan horses require interaction with a hacker to fulfill their purpose, though the hacker need not be the individual responsible for distributing the Trojan horse. In fact, it is possible for hackers to scan computers on a network using a port scanner in the hope of finding one with a Trojan horse installed, that the hacker can then use to control the target computer.

Installation and distribution: Trojan horses can be installed through the following methods:
1) Software downloads (i.e. a Trojan horse included as part of a software application downloaded from a file sharing network)
2) Websites containing executable content (i.e. a Trojan horse in the form of an ActiveX control)
3) Email attachments
4) Application exploits (i.e. flaws in a web browser, media player, messaging client, or other software that can be exploited to allow installation of a Trojan horse)
Some compilers also contain Trojans.

Multilevel Security [MLS]

It is the application of a computer system to process information with different sensitive or security levels, permit simultaneous access by users with different security clearances & needs to know & prevent users from obtaining access to information for which they lack authentication.

1) MLS as a Security Environment or Security mode:
A community whose users have differing security clearances may perceive MLA as a data sharing capability. A system should not be operated in a mode for which it is not worthy of trust.

2) MLS as capability:Developers & products or systems intended to allow MLS data sharing tend to loosely perceive it in terms of a capability to enforce data sharing restrictions or a security policy. A system is MLS capable if it is shown to robustly implement a security policy.

Types of Cryptographic functions:

1) Symmetric Key Cryptography:Symmetric key cryptography refers to encryption methods in which both the sender & receiver share the same key. The Modern study of symmetric key ciphers relates mainly to the study of block ciphers & stream ciphers.
a) Block Ciphers: It takes an input a block of plain text & a key and output a block of cipher text of the same size. E.g. DES [Data Encryption Standard], AES [Advanced Encryption Standards].
b) Stream Ciphers: It creates an ordinary long stream of key material, which is combined with plaintext bit-by-bit or character-by-character. In stream cipher output stream is created based on a hidden internal state, which changes as the cipher operates.

c) Cryptographic Hash Functions: They take a message of any length as input & output a short fixed length hash which can be used in digital signature.
Good Hash Functions: An attacker can’t find 2 messages that produce same hash.
E.g. MD4, MD5

2) Public Key Cryptography:Symmetric key cryptosystems use the same key for encryption & decryption of a message, though a message or a group of messages may have a different key than others.
In public key cryptosystems the public key is typically used for encryption, while the private or secret key is used for decryption. It is also used for a digital signature. They are easy for a user to produce & different for anyone else to break.
Hash Function: A hash function is any well-defined procedure or mathematical function that converts a large, possibly variable sized data into a small datum, usually a single integer that may same as an index or array.
The values returned by hash function are called, “ hash values”, “hash codes”, “hash sums”, or “hashes”.
Hash functions are used to finding items in a data table, detecting duplicate or similar records in a large file, finding similar stretches in DNA sequences etc.


1) Hash Tables: used to quickly locate a data record given its search key.

2) Caches: used for large datasets stored in slow media.

3) Finding duplicate records: these are the same records with different key.

4) Finding similar records: Records are not identical but key is identical.

Properties of a Good Hash Function:

a) Low Cost: numbers of comparisons with keys are treated as cost of hash function.
b) Determination: for a given input value it must always generate same hash value.
c) Uniformity: every hash value in the output range shall be generated with roughly the same probability.
d) Data Normalization.
e) Continuity: the hash function used to search the data must be as continuous as possible. The inputs that differ by a little should be mapped to equal or nearly equal hash values.

Hash Function Algorithms:

1) Trivial Hash Function:
If the datum to be hashed is small enough, one can use the datum itself as the hashed value. For a PC having 1Gb memory 30 bits of hash values required.

2) Perfect Hashing: A hash function that maps each valid input to a different hash is said to be perfect. Direct location of desired entries is possible.

3) Minimal Perfect Hashing: A perfect hash function for ‘n’ keys is said to be minimal if its range consists of ‘n’ consecutive integers.


A cookie is also called as a web cookie, browser cookie or a HTTP Cookie. In computing , a cookie is a small piece of text stored on a user computer by a web browser. Cookie consists of one or more name value pairs containing bits of information such as user preferences, session identifier & other data used by websites.

A cookie can be used for authenticating, session tracking (session maintenance) & remembering specific information about users, such as site preferences. Coolies are simple piece of text hence not executable. As they allow users to be tracked when they visit various sites, cookies are detected by many anti-spyware products.

Uses: - 1) Session Management: Cookies may be used to maintain data related to the user during navigation, possibly across multiple visits. Allowing users to log in to a website is a frequent use of cookies. Typically the web server will first send a cookie containing a unique session identifier. Users then submit their credentials and the web application authenticates the session and allows the user access to services.

2) Personalization: Cookies may be used to remember the information about the user who has visited a website in order to show relevant content in the future. For example a web server may send a cookie containing the username last used to log in to a web site so that it may be filled in for future visits.

Many websites use cookies for personalization based on users' preferences. Users select their preferences by entering them in a web form and submitting the form to the server. The server encodes the preferences in a cookie and sends the cookie back to the browser. This way, every time the user accesses a page, the server is also sent the cookie where the preferences are stored, and can personalize the page according to the user preferences.

3) Tracking: Tracking cookie used to track internet users using the IP address of computer requesting the page. This can be done for example as follows:

a) if the user request a page of the site, but server presumes that this is the first page visited by the user, the server creates a random string & sends it as a cookie back to the browser together with the requested page.

b) from this point on, the cookie will be automatically sent by the browser to the server every time a new page from the page as usual, but also stores the URL of the requested page, the date n time of the request & the coolie in a log file

4) Third Party Cookies: websites contain advertise from different sources these are called as third party cookies. When viewing a Web page, images or other objects contained within this page may reside on servers besides just the URL shown in your browser. While rendering the page, the browser downloads all these objects. Most modern websites that you view contain information from lots of different sources. For example, if you type into your browser, widgets and advertisements within this page are often served from a different domain source. While this information is being retrieved, some of these sources may set cookies in your browser. First-party cookies are cookies that are set by the same domain that is in your browser's address bar. Third-party cookies are cookies being set by one of these widgets or other inserts coming from a different domain. Modern browsers, such as Mozilla Firefox, Internet Explorer and Opera, by default, allow third-party cookies, although users can change the settings to block them. There is no inherent security risk of third-party cookies (they do not harm the user's computer) and they make lots of functionality of the web possible, however some internet users disable them because they can be used to track a user browsing from one website to another. This tracking is most often done by on-line advertising companies to assist in targeting advertisements.

Internet Explorer stores 300 cookies of 4 kb each. Cookies with expiration date are called, ‘ Persistent’. These cookies survive across session. Cookie may also contain expiration date, a path, and a domain name whether intend encrypted connections.


1) In accurate Identification: if more than one browser is used on a computer, each usually has a separate storage area for cookies. Hence cookies do not identify a person, but a combination of user account, a computer & a web browser. Thus anyone who uses multiple accounts, computers, browsers has multiple sets of cookies. Cookies do not differentiate between multiple users sharing same user account.

2) Cookie Hijacking: cookie theft is the act of intercepting cookies by an unauthorized party. Session Hijacking : using programs called,’ packet sniffers’ attacker reads cookies. Cross site scripting: attacker sends a html code to the advertise or active content.

3) Cookie theft: The cookie specifications constrain cookies to be sent back only to the servers in the same domain as the server from which they originate. However, the value of cookies can be sent to other servers using means different from the Cookie header. In particular, scripting languages such as JavaScript and JScript are usually allowed to access cookie values and have some means to send arbitrary values to arbitrary servers on the Internet. These facts are used in combination with sites allowing users to post HTML content that other users can see. As an example, an attacker running the domain may post a comment containing the following link to a popular blog they do not otherwise control:

Click here!

When another user clicks on this link, the browser executes the piece of code within the onclick attribute, thus replacing the string document.cookie with the list of cookies of the user that are active for the page. As a result, this list of cookies is sent to the server, and the attacker is then able to collect the cookies of other users.

This type of attack is difficult to detect on the user side because the script is coming from the same domain that has set the cookie, and the operation of sending the value appears to be authorized by this domain. It is usually considered the responsibility of the administrators running sites where users can post to disallow the posting of such malicious code.

Cookies are not directly visible to client-side programs such as JavaScript if they have been sent with the HttpOnly flag. From the point of view of the server, the only difference with respect of the normal case is that the set-cookie header line is added a new field containing the string `HttpOnly':

Set-Cookie: RMID=732423sdfs73242; expires=Fri, 31-Dec-2010 23:59:59 GMT; path=/;; HttpOnly

When the browser receives such a cookie, it is supposed to use it as usual in the following HTTP exchanges, but not to make it visible to client-side scripts.

4) Cookie Poisoning: Cookie must be unchanged, but attacker modifies the value of the cookies before sending them back to the server it is called, ‘cookie poisoning’.

5) Cross site cooking: it is similar to cookie poisoning, but attacker adds code to the browsers.

Cookie expiry

Persistent cookies have been criticized by privacy experts for not being set to expire soon enough, and thereby allowing websites to track users and build up a profile of them over time. This aspect of cookies also compounds the issue of session hijacking, because a stolen persistent cookie can potentially be used to impersonate a user for a considerable period of time.