Thursday, March 21, 2013
Cross-Site Request Forgery
A browser sends cookies to a site when a request is made, regardless of where the request comes from. This coupled with the fact that web servers cannot distinguish between a request made from a user or from a browser allows an attacker to potentially fool the server into performing actions the user did not intentionally perform. This is known as a cross-site request forgery (XSRF). For more information about XSRF please follow the link to the official OWASP site.
Client-State Manipulation
Users interact with applications through browsers. When the user submits information, the browser has to send a request back to the web server. Since the information being sent is controlled by the user, the web application should not trust it without validation. An example of Client-State manipulation is modifying the request in a URL to gain admin access on a website. Once an attacker has admin access, he or she would be able to alter the website or gain private information that could be seen with an admin account.
Wednesday, March 13, 2013
Cross-Site Scripting
Cross-site scripting (XSS) is a vulnerability that allows a hacker inject code into areas of a website that the hacker cannot control. The code injected by the hacker executes every time the page is viewed. Because of this, the hacker can possibly gain personal information of the user related to that site.
Two types of XSS attacks are reflected XSS attacks and stored XSS attacks. Reflected XSS attacks occur when the malicious script is in the actual request and the server inserts the script in the response. It affects the user whenever he or she browses to the malicious URL. Stored XSS attacks are when the hacker stores the attack in the application itself. It's triggered when the user browses to a page on the server where the attack is stored.
For more information, please follow the link to the OWASP page regarding this topic.
Two types of XSS attacks are reflected XSS attacks and stored XSS attacks. Reflected XSS attacks occur when the malicious script is in the actual request and the server inserts the script in the response. It affects the user whenever he or she browses to the malicious URL. Stored XSS attacks are when the hacker stores the attack in the application itself. It's triggered when the user browses to a page on the server where the attack is stored.
For more information, please follow the link to the OWASP page regarding this topic.
Wednesday, March 6, 2013
Asymmetric, Symmetric, and Hybrid Encryption
One form of encryption employs the use of symmetric ciphers. These use the same key for encryption and decryption. The advantage of using symmetric ciphers is that the decryption process is usually faster, but a drawback is that the key distribution can be difficult. Symmetric ciphers are either block ciphers, which operates on blocks of a fixed size, or stream ciphers, which generate a stream of pseudo-random bits called a keystream. Two concepts related to block ciphers are confusion and diffusion. Confusion refers to the methods that are used to hide relationships between the plaintext, ciphertext, and the key. Diffusion spreads the influence of the plaintext bits and the key bits over as much of the ciphertext as possible.
Another form of encryption is asymmetric encryption. This form uses asymmetric ciphers, which use a public and a private key, as opposed to just one key. A message is encrypted using the public key, and can only be decrypted using the private key that corresponds with it. The advantages with asymmetric encryption are better key distribution and there's not a need for a out-of-band communication channel to transmit the secret key. The downside to asymmetric ciphers is that they are a lot slower than symmetric ciphers.
The final from of encryption is hybrid encryption. A hybrid cryptosystem uses and asymmetric cipher to exchange a randomly generated key to encrypt the communications with a symmetric cipher. This offers the speed of a symmetric cipher, while providing a secure key exchange.
Nowadays, hackers are not able to crack most ciphers that are used. In order to get to the information, an attacker can use a man-in-the-middle (MitM) attack to get around encryption. MitM attacks occur when the attacker is able to intercept information from both parties, while the parties think they are communicating with each other. The attacker is able to sniff and modify traffic between the two parties without their knowledge.
Another form of encryption is asymmetric encryption. This form uses asymmetric ciphers, which use a public and a private key, as opposed to just one key. A message is encrypted using the public key, and can only be decrypted using the private key that corresponds with it. The advantages with asymmetric encryption are better key distribution and there's not a need for a out-of-band communication channel to transmit the secret key. The downside to asymmetric ciphers is that they are a lot slower than symmetric ciphers.
The final from of encryption is hybrid encryption. A hybrid cryptosystem uses and asymmetric cipher to exchange a randomly generated key to encrypt the communications with a symmetric cipher. This offers the speed of a symmetric cipher, while providing a secure key exchange.
Nowadays, hackers are not able to crack most ciphers that are used. In order to get to the information, an attacker can use a man-in-the-middle (MitM) attack to get around encryption. MitM attacks occur when the attacker is able to intercept information from both parties, while the parties think they are communicating with each other. The attacker is able to sniff and modify traffic between the two parties without their knowledge.
Tuesday, March 5, 2013
Information Theory
Developed by Claude Shannon, information theory is mathematical theory that deals with the content, transmission, storage, and retrieval of information. Many concepts the relate to cryptography stem from information theory. Among these concepts are unconditional security, one-time pads, quantum key distribution, and computational security.
Unconditional security refers to a cryptographic system that cannot be broken. If somethings is unconditionally secure, then cryptanalysis would be impossible to perform and even an extensive brute force attack would not be able to determine which key is correct. The one-time pad is an example of a cryptosystem that is unconditionally secure. This system uses blocks of random data called pads. The pad has to be at least the length of the message and the data on the pad has to be truly random. When this is used, two pads are made. One pad is for the sender and the other is for the receiver. When the message is encrypted using the pad, the message is sent and that pad is destroyed to ensure it can only be used once. When the recipient receives the message, the second pad helps decipher the message and displays it for the recipient to view it.
A system being computationally secure means that the best algorithm for cracking it requires an unreasonable amount of resources and time. So technically it is possible to crack it, but it is not very feasible to attempt it. Most modern cryptosystems belong to this category and would take tens of thousands of years to crack, even with extensive computing resources. The security of cryptosystem is always measured using the current best-known algorithm.
Reference: http://dictionary.reference.com/browse/information+theory
Unconditional security refers to a cryptographic system that cannot be broken. If somethings is unconditionally secure, then cryptanalysis would be impossible to perform and even an extensive brute force attack would not be able to determine which key is correct. The one-time pad is an example of a cryptosystem that is unconditionally secure. This system uses blocks of random data called pads. The pad has to be at least the length of the message and the data on the pad has to be truly random. When this is used, two pads are made. One pad is for the sender and the other is for the receiver. When the message is encrypted using the pad, the message is sent and that pad is destroyed to ensure it can only be used once. When the recipient receives the message, the second pad helps decipher the message and displays it for the recipient to view it.
A system being computationally secure means that the best algorithm for cracking it requires an unreasonable amount of resources and time. So technically it is possible to crack it, but it is not very feasible to attempt it. Most modern cryptosystems belong to this category and would take tens of thousands of years to crack, even with extensive computing resources. The security of cryptosystem is always measured using the current best-known algorithm.
Reference: http://dictionary.reference.com/browse/information+theory
Monday, March 4, 2013
Cryptology - Introduction
Cryptology refers to the study of cryptography, which is the process of communicating through ciphers, and cryptanalysis, which is the process of cracking those ciphers. While mainly used for war purposes in the past, cryptology is also used today to encrypt secure and private information over a network. Hackers can use cryptology not only to gain access to an individual or organization's private data, but they can also use it to avoid detection.
Subscribe to:
Posts (Atom)