# 2: Authentication & Encryption

Assalamualaikum..

=)

Today i would like to share some knowleges about authentication and encryption..

sounds interesting,huh?

hehe~~

What is authentication?

---------------------------

Based on httpd://apache.org , authentication is any process by which you verify that someone is who they claim they are. In other word, authentication is verification of identity of someone who generated some data.

Identity verification can be classified by:

* something known, e.g: password

* something possessed, e.g: passport

* by physical character, e.g: finger,retina, voice.

We need to make sure that the message comes from apparent or known sources or author, and the content have not been altered at all.

Okay, now let's talk about password. I think most of you are familiar with password, right?

Usually, before we want to log in to other websites such as blogger.com, myspace, facebook or others, we need to insert username and password for security.

That is the most important purpose of password which provide protection to our data. Thus, do not ever keep your password to anybody!

To get a good protection, we need to have a good password which it is hard to guess but easy to remember.

Characteristics of good password:

* not shorter than six character.

* not patterns from the keyboard.

If we have a good password, it is hard for other persons to crack our password.

Do you want to know about time taken to crack password?

If number of characters is One, the total combination of character should be 36 and time taken by human to crack the password is 3 minutes.

If number of characters is four, the total combination of character should be 1700000 and the time taken by human to crack the password is 3 month.

and what about if the number of character is 10 or 12..? count yourself..hehe~~

That is the reason why the password should be in six character and you are encourage to have a combination between number and character in one password so that it will be more secure.

Do You Know?

-----------------

Keylogger allows you to find out what other users do on your computer in your absence. It is designed for the hidden computer monitoring and the monitoring of the computer activity. Keylogger is capable of catching all keystrokes, capturing the screen, logging the programs being run and closed, monitoring the clipboard contents.

Strategies To Select Password

------------------------------------

* User education

* Computer-generated passwords

* Reactive password checking ( occur when user generate a password, then the system will check whether the password exist or not)

* Proactive password checking ( the system will check how strong the password that has been generated.)

Cryptography

----------------

Cryptography is, traditionally, the study of ways to convert information from its normal, comprehensible form into an obscured guise, unreadable without special knowledge.

Encrypted document does not prevent unauthorized people gaining access to it but rather ensures that they cannot understand what they see.

Here, we use idea of cipher system which disguise information in such a way that its meaning is unintelligible to an unauthorized person.

In encryption, we need to be familiar with some terminologies such as plain text, ciphertext, cipher, key, encipher and decipher.

plaintext = original message

ciphertext = coded message

Cryptoghraphy Algorithms

Do you know about this kind of operation?

Cryptography algorithms is a type of operations used for transforming plaintext ( original message) to ciphertext (coded message).
The number of keys used is symmetric (single key or private-key encryption) and asymmetric (two-keys, or public-key encryption).This is the way in which the plaintext is processed.

Methods use in Cryptography Algorithm

Substitution

There are two types:

** Monoalphabetic substitution.
It formed by shifting the letters of the original alphabet.

**Polyalphabetic substitution
Extension of monoalphabetic substitution system which use Vigenere Tableau.

Transposition

This method also has two types:

** Unkeyed transposition
Rearrange letters by using matrix
**Keyed transposition
Rearrange letters by using matrix where the size of matrix is determined by the length of the key used.

Caesar Ciphers

In this cipher each of the letters A to W is encrypted by being represented by the letter that occurs three places after it in the alphabet. Although Caesar used a ‘shift’ of 3, a similar effect could have been achieve using any number from 1 to 25.

The encryption key and decryption key are both determined by a shift but the encryption and decryption rules are different.

For example: : Encryption with shift 8 is the same as decryption with shift 26 - 8 =18.

This enable us to use the same rule for encryption and decryption with the decryption key 18 corresponding to the encryption key 8.

Let's Play!

Find The message behind this cipher text:

YMJ KPJQ UWNHJ BNQQ NSHWJFXJ YT WH KTZW GD SJCY BJJP

=)

-------------------------------------------------------------------------------------------------Simple Substitution Ciphers

For a Simple Substitution Ciphers (or monoalphabetic ciphers), we write the alphabet in a randomly chosen.

The encryption and decryption keys are equal.
The encryption rule is ‘replace each letter by the one beneath it’ while the decryption rule is the opposite procedure. For example:

A B C D E F G H I J K L M
D I Q M T B Z S Y K V O F

N O P Q R S T U V W X Y Z
E R J A U W P X H L C N G

The number of keys for a Simple Substitution Cipher is equal to the number of ways in which the 26 letters of the alphabet can be arranged.

Vigenere Cipher

The Vigenere Cipher (the best known of the manual polyalphabetic cipher) uses a Vigenere Square to perform encryption.
The left-hand (key) column of this square contains the English alphabet and for each letter, the row determined by that letter contains a rotation of the alphabet with that letter as the leading character.
So each letter in the left-hand column gives a Caesar Cipher whose shift is determined by that letter.
Example: the letter g gives the Caesar Cipher with shift 6.

Figure 1: Vigenere Table - Vigenere Tableau

Virtualization & VMWare

Assalamualaikum..
=)


Virtualization
------------------

Dear friends...
Do you know about Virtualization?
Let's start our lesson...

Hardware was the first part to be designed in a computer system. It is followed by the software
part. Each hardware was specially designed with its own instruction set and developed with its own specific software.

The need of software that is compatible with any hardware becomes an important consideration in developing a new computer system.

This can be achieved by producing hardware that has a standard feature. One way to achieve this is by defining and controlling the interface between hardware and software. This is where the concept of Instruction Set Architecture (ISA) was introduced.

A new problem arises following the introduction of ISA. The operating system developed was only compatible with the hardware from the same vendor. Due to this reason many operating systems were developed for particular system architecture only and cannot be implemented in other machines that have different architecture. For example, Windows application binaries will not directly execute on PowerPC processor.

Virtualization eliminates these constraints and enables a much higher degree of portability and flexibility. Software is added to an execution platform to produce virtualization to give it the appearance of a different platform.

Virtualization supports an operating system, instruction set, and computational resources which differ from those available on the underlying software. One of virtualization environment created by such software is called virtual machine.

Virtual Machine -----------------------

Virtual machine is defined as an efficient and isolated duplicate of a real machine. This environment is created by using Virtual Machine Monitor (VMM) which provides a second layer on a machine for another operating system to run on it.

VMM reproduces everything from the CPU instruction to the I/O devices in software of operating system which it run on. Virtualization in VM involves mapping of virtual resources, for example, the register and memory to real hardware resources and it also use the host machine instruction to carry out the actions specified by VMM. This is done by emulating the host ISA.

The underlying operating system is called the host operating system. VMM runs on top of the host operating system, thus it can hold a second or more operating system on it. The operating system which runs on VMM is called the guest operating system.

The host operating system and the guest operating system can either be of the same or different type of operating system. For example, Windows can runs as the host operating system and Linux as the guest operating system.

VMWare, Connectix, UMLinux and Xen are some examples of a more recent VMM that has been developed. Another close environment which also provides virtualization is called emulator. The difference it has when compared to VMM is that it only let one guest operating system to run on the host system.

Installation of VMWare -----------------------------

VMware Workstation can be downloaded from http://www.vmware.com/download/ws/

1. Double Click on the VMware launcher to start the installation Wizards.

2. Click on [Next].

3. Choose Typical setup type.

4. Choose the location for VMware Workstation installation, example: C:\Program Files\WMware\VMware Workstation\

5. Click on [Next].

6. Configure the shortcuts for the VMware Workstation and click [Next].

7. Click on [Install], this will take several minutes to finish.

8. Enter the Serial Number for the VMware workstation.

9. Click [Finish], and restart the Computer.

VMware Workstation makes it possible for PC user to use Multiple Operating Systems concurrently on the Same PC.
User can create and run multiple virtual machine on desktop or laptop computer. VMware Workstation let you create a virtual machine that can be installed with different kinds of Operating System.

Virtual machine residing on a disk image that can be cloned and copy from one host to another host by simply drag and drop thus providing mobility to user.

Another advantage of VMware Workstation is that on the same host user can run multiple virtual machines containing different OS side by side and by just a click of a mouse you can switch to different OS and share files by just drag and drop. User can even create their own Local Area Network (LAN) inside the VMware Workstation by using several virtual machines.

The ability to preserves the state of virtual machine by taking a “snapshot” make it easier for user to do testing on virtual machine without worrying that the system will crash or corrupt. The snapshot ability let user to revert back to the OS previous state if there is any crash or corrupt occur during the testing.

Creating Disk Image -------------------------

How to create disk image in virtual machine?

1. From the home tab click on [New Virtual Machine], to open the virtual machine wizard.

2. Click [Next] to continue.

3. Choose the typical configuration, click [Next]

4. Choose the type of OS to be installed on the virtual machine. As the next task the virtual machine will be installed with Windows Server 2003, select [Microsoft Windows] as the guest. In the version list, select Windows Server 2003 Standard Edition. Click [Next].

5. Name the virtual machine and specify the location where the disk image for the virtual machine will be stored in the hard disk. Name the virtual machine as winserv03.

6. For the network type select [Use host-only Networking], this selection will create LAN between the other virtual machine. In order to make the virtual machine connected to the real
network select [Use bridged networking]. This setting can be changed once the virtual machine is created. Click [Next].

7. Specify the disk capacity of the virtual machine. This option will let user to specify the maximum storage capacity of the virtual machine. Select [Allocate disk space now] and click
[Finish] to start creating your virtual machine. This will take several minutes.

How to Install Window Server 2003 on virtual machine? -------------------------------------------------------------------

1. Place the Windows Server 2003 installer CD in your cdrom drive.

2. Click on [start the virtual machine] or you can click on the start button on the toolbar, your virtual machine is starting and will be booting from your cdrom drive.

3. Once the winserv03 booting you will see the familiar windows server 2003 installation page, from this point onward you can follow the windows server 2003 installation step.

4. After the installation process is finish, you will see the windows server 2003 login page.

------------------------------------------------------------------------------------------------

I hope you will get some informations from my page. If you have any questions, please leave me some comment then.
I pen off now..Thank you..
=)

#1 : Intro~Information Security

Assalamualaikum..
=)

My name is Saufidatul ailin Binti Rusli
just call me ailin..
I am very excited to have this blog because I can share some information with all of you about IT security..
sounds interesting,right?
but I hope all my readers will get some knowledges from this blog..
Thank You!

--------------------------------------------------------------------------


Why We Study Computer Security?
------------------------------------------

Dear friend..
Do you know why we should study computer security?

For your information, being an IT security specialist is not only to protect the system from hackers but they also need to understand about cryptography and firewall which these tools used by them to protect information systems.
Moreover, as the IT technology is growing fast from time to time, IT security is very important to protect the system.
Besides, this industry will offer new career opportunities to people who interest in IT security.

What is Security?
----------------------
Security is the quality or state of being secure or to be free from danger and to be protected from adversaries and from those who would do harm intentionally.

What is Information Security?
------------------------------------
Information Security is the protection of information and the systems and hardware that use, store, and transmit that information.
( by Mr.Zaki )

How does it differ from IT security?
------------------------------------------

IT Security is a term which is more concerned with the protection of hardware, software and a network of an organization and external attacks.

It is more to do with the electronic data and is covered in the IT policy of an organization, whereas Information security policy goes beyond the network and applies to the organization as a whole.

There are three security area:
1) Detection - scanner such as virus scanner, internet scanner and Web server scanner.
2) Prevention - proxy or firewall.
3) Recovery - cryptography techniques and proper planning.

Security Architecture
---------------------------

Security Architecture is defined by ITU-T Recommendation X.800 that called OSI Security Architecture.
For your information, Recommendation X.800 was prepared by Study Group VII and was approved under the Resolution No. 2 procedure on the 22nd of March 1991.

It is useful for a managers as a way of organizing the task of providing security.
It is more focuses on security attacks, security mechanisms and security services.

Security Principle
-----------------------
There are three principles involved that is confidentality, integrity and availability.

Confidentality is prevention of unauthorized disclosure of information, Integrity is
prevention of unauthorized modification of information whereas Availability is
prevention of unauthorized with holding of information or resources.

Security Policy
-------------------

Policy is a set of rules to apply to security relevant activities in a security domain,
Level of security policy involves objectives, organizational and system whereas
Key aspects of security policy includes authorization, access control policy, accountability.

Security Attack
--------------------

There are two types of security attack that is passive and active attack.

What is Passive attack?
Passive attack is eavesdropping or monitoring the transmissions. Its goal to obtain information that is being transmitted and its type is to release of message contents & traffic analysis.
What is active attack?
Active attack is involve some modification of the data stream or the creation of a false stream
and its goal is to obtain authorization which divided to some categories that is masquerade, replay, modification of messages & denial of service.

Let's learn first about Passive Attack!
---------------------------------------------
There are 3 persons who involve in this situation: Alex, Halim and Anita.

Release of Message Content
Situation 1: Alex send message to Anita through Internet and in this situation, Halim will read content of message that has been sent by Alex to Anita without permission by Anita and Alex.

Traffic Analysis
Situation 1: Alex send message to Anita through Internet and in this situation, Halim will observe pattern of message that has been sent by Alex to Anita without permission by Anita and Alex.

Let's Learn about Active Attack then!

Masquerade

Situation 1:Halim send a message to Anita which the message will show that Alex sent it.Message from Halim that appears to be from Alex.

Replay

Situation 1: Alex wants to send a message to Anita, than Halim capture the message from Alex which later Halim will replay the message to Anita.

Modification of Message

Situation1: Alex wants to send a message to Anita then Halim will capture and modifies the message from Alex then send it to Anita.

Denial of Services

Situation 1: Halim will disrupt services provided by server and Alex can''t send message anymore!

Different Between Passive And Active Attack ---------------------------------------------------

Passive Attack
◦Very difficult to detect.
◦Feasible to prevent the success of these attacks.
◦Emphasis in dealing with passive attacks is on prevention rather than detection.

Active Attack
◦Quite difficult to prevent active attacks.
◦Instead, the goal is to detect active attacks and to recover from any disruption or delays caused by them.
◦If the detection has a deterrent effect, it may also contribute to prevention.

Method of Defense -----------------------

We can deal with harm that occurs when a threat is realized against a vulnerability in several ways:

◦Prevent it, by blocking the attack or closing the vulnerability.
◦Deter it, by making the attack harder, but not impossible.
◦Deflect it, by making another target more attractive.
◦Detect it, either as it happens or some time after the fact.
◦Recover from its effects.

There some methods involved:

-Encryption
-Software Controls - access limitations in a data base, in operating system protect each user from other users
-Hardware Controls –smartcard
-Policies - frequent changes of passwords
-Physical Controls

-------------------------------------------------------------------------------------------------
Okay, I pen off first..
Hope you get some knowledges from this blog.
Thank You!
=)





More Informations: C.P. Pfleeger, S. L. Pfleeger (2003). Security in computing 3rd Ed., Prentice Hall International.









My lecturer: Encik Zaki