Authentication and Computer Security
Date of Submission:
When most people are asked about the government involvement in mining private data from its citizens, most people respond by saying that they don’t care because they have “nothing to hide”. However, this is a major threat to privacy and such surveillance is beyond the normal view of people regarding security and privacy issues (Bergen, Hoffman and Tiedemann, 2011). In most countries, the governments have already installed a million surveillance cameras that are connected to close circuit display television that leaves the citizens with no privacy at all. In most countries, the government has a bad believe which become more of a slogan that “if you have nothing to hide then you have nothing to fear”. However, the surveillance is at time helpful as the majority of terrorist activities especially in America has been halted using phone records.
On one side of the lateral thinkers, the “nothing to hide” argument is quite obvious for them but for me, I dismiss it with a witty retort. Of course, everyone has something to hide from the other and ideally; everyone can be accused of some offense at any given time. This means that everyone has something that they feel needs to be concealed. When a situation is looked at critically and hard enough, there are high chances that a crime can be seen to have occurred and charges can be filled. In fact, those who say that they have nothing to hide, can they send their nude photos to their friends and allow them to show them to their neighbors?
Providing security to the process of generating random high-quality number is notoriously difficult when using cryptographic systems. The only means of providing security is by use of the non-deterministic behavior in the process of random number generations since the attacker is rarely able to predict. A weak random number generator uses quantum effects that are simple, and although the noise from the quantum can be amplified using a suitably biased diode to deliver an entropy source that is of high-quality, it can compromise an otherwise secure system. To have ideal security measures, digital and analog circuits should be mixed but this increases the designing cost (Bernstein, Chang and Cheng, 2018). This makes the designers look for other option of unpredictability such as the use of gate metastability or the gate propagation delays that have inherent randomness brought about by a ring of oscillations that are made to be free-running.
By the use of higher dimension lattices, errors exceeding ½ of the bits can be found. This means that flawed components may obfuscate further weakness since moving close to the bound in an experimental setup in order to design a solution can be expensive but adding dimensions greater than 3 is possible (Liaperdos, Arapoyanni and Tsiatouhas, 2016). If such an experiment is made, it shows clearly that in order to prevent further weakness beyond those the flawed components are responsible for, the circuits should be equipped with the intelligence of handling errors in the bottom and top positions unless the attacker uses erroneous bits as portions of the top bits. Thus in such a case, the designers have no other option but to mix the digital and analog circuits to counter the attacker at a high cost.
Diffie Hellman allows two parties to agree on a shared secret key in the presence of an eavesdropper (Valenta et al., 2017). Although this protocol is considered among the strongest shared key protocols, there are numerous known attacks on this protocol. The protocol is primarily used to negotiate session keys over an insecure channel. According to Raymond & Stiglic (2002), attacks against the Diffie Hellman protocol come in different flavors. The first approach is the denial of service attacks. The attacker attempts to stop successful communications between the two communicating parties. The second approach is the outsider attacks in which the attackers attempt to disrupt the protocol to gain access to confidential information. Finally, the attacks may take the form of insider attacks in which one of the communicating parties creates a breakable protocol run on purpose (Raymond & Stiglic, 2002).
A common attack of the Diffie Hellman attack is the man in the middle attack. This happens when a powerful attacker, who is capable of capable of replacing the arguments involved tricks the legitimate users of a successful shared secret key. This violates the privacy and confidentiality of the messages exchanged between the two parties. Another attack, the simple substitution attack, is based on number theory (Raymond & Stiglic, 2002). In this attack, the adversary forces the protocol parameters to equal 1 and as such makes the protocol vulnerable to further attackers. A modern form of attack on the Diffie Hellman protocol is the logjam vulnerability. This attack allows the adversary to downgrade the protocol used in TLS connection to a 512-bit export grade cryptography. This allows the adversary to read and modify any form of data that is passed through the connection (Adrian et al., 2015). In each of these attacks, the success of the attacks depends primarily on the strength of the parameters entered into the protocol. As such, the most appropriate approach to curbing these attacks is the application of strong protocol parameters.
Attackers only need to know one weakness in the firewall infrastructure that has not been patched and it acts as the main point to direct the attack through. The security of the firewall depends on many component`s abilities to provide security and not just one component. Firewall attacks take many forms such as DNS attacks, the man in the middle attacks, attack through the use of content or attacks through the external system (Liu, 2016). The above possibilities will be discussed in the following paragraphs and the countermeasures that can be deployed to eliminate such attacks to the firewall system.
Attacks through the external system are done by first establishing the machine that links a given system to the rest of the network. Next, the vulnerability in the system is exploited by the attacker on the client software such as SecureCRT or FTP or by using X screen grabbing where the attacker stills sensitive information from the client (SinghArneja and Sachdev, 2015). Ideally, the malicious person generates a code that bypasses the firewall and is executed on the client’s machine. If the attacker wants to attack through content, they can send an executable file, a word document that interferes with the macros of Microsoft that is usually vulnerable or by sending an HTML mail that is in a package that explores the vulnerability in the browser.
Security of a network is extensive and is not tied to the LAN or the firewall only but other aspects such as routes security and DNS service that also influences the general security of a network. A malicious person can virtually own a client’s server or spoof DNS replies to it and thereafter be able to connect to the host through the HTTP channel as a man in the middle. For DNS spoofing to be successful the attacker targets the birthday. All these attacks can be prevented through various measures that are designed dairy as the attackers explore new vulnerabilities now and then and therefore, even today, there are so many computers that are vulnerable to buffer overflow attacks such as cached SIG record.
Intrusion Detection Systems (IDS) have in the recent past been used extensively to supplement security systems such as the firewall. In layman language, IDSs are used in the digital world to act as alarms to trigger an alarm in case of intrusion. Sad for them, just like a mare alarm, attackers have found ways to navigate around the detection systems and access information without detection which means that the system at some cases does not provide the return on invested and what’s more, it at the time provides false positive alerts. There are many intrusion detection systems that can be looked depending on a given setting and the purpose of such a system but in the following paragraphs, Network Intrusion Detection System (NIDS) and Host Intrusion Detection System (HIDS) shall be discussed in details. The discussion will include four ideas about evasion and the countermeasures that can be put in place.
Attackers aim at the weakness of an IDS and NIDS is not left behind. In ideal operation of this system, it passively or intrusively monitors the traffic in a network protecting a vast system containing the same segment of the network. NIDS provides protection through abnormality or the matching of the signature. However, the detection system can be manipulated in a number of ways such as through overloading, obfuscation, encryption or fragmentation. Obfuscation influences data such that the packet signature does not much the IDS that allow the device receiving the packet to interpret it properly. Fragmentation breaks down the packet into many packets that make the host to arrange the multiple pieces in the wrong order which infiltrates the intelligence of the IDS. IDS systems especially those used in networks such as NIDS examines every packet payload but when IPSec, SSH, and SSL encrypted tunnels are introduced, the system is crippled (Wang, 2017). IDS can also be overloaded to increase the traffic that leads to denial of service and at that time, the attacker can launch a malicious act.
Bernstein, D., Chang, Y. and Cheng, C. (2018). online Smartfacts.cr.yp.to. Available at: https://smartfacts.cr.yp.to/smartfacts-20130916.pdf Accessed 9 Jan. 2018.
Raymond, J. and Stiglic, A. (2014). Security Issues in the Diffie-Hellman Key Agreement Protocol. Available at: https://www.researchgate.net/publication/2401745_Security_Issues_in_the_Diffie-Hellman_Key_Agreement_Protocol Accessed 10th Jan 2018
SinghArneja, P. and Sachdev, S. (2015). Detailed Analysis of Antivirus based Firewall and Concept of Private Cloud Antivirus based Firewall. International Journal of Computer Applications, 111(4), pp.16-23.
Valenta, L., Andrian, D., Sanso, A., Cohney, S., Fried, J., Hastings, M., Halderman, J. & Heninger, N. (2017). Measuring small subgroup attacks against Diffie-Hellman. Available at: https://eprint.iacr.org/2016/995.pdf Accessed 10th Jan 2018
Wang, L. (2017). Big Data in Intrusion Detection Systems and Intrusion Prevention Systems. Journal of Computer Networks, 4(1), pp.48-55.
Bergen, P., Hoffman, B. and Tiedemann, K. (2011). Assessing the Jihadist Terrorist Threat to America and American Interests. Studies in Conflict & Terrorism, 34(2), pp.65-101.
Liaperdos, J., Arapoyanni, A. and Tsiatouhas, Y. (2016). State reduction for efficient digital calibration of analog/RF integrated circuits. Analog Integrated Circuits and Signal Processing, 90(1), pp.65-79.
Liu, C. (2016). Actively boosting network security with passive DNS. Network Security, 2016(5), pp.18-20.