Appendix A
7-bit ASCII code
      000    001    010    011    100    101    110    111
0000  nul    soh    stx    etx    eot    enq    ack    bel
0001  bs     ht     nl     vt     np     cr     so     si
0010  dle    dc1    dc2    dc3    dc4    nak    syn    etb
0011  can    em     sub    esc    fs     gs     rs     us
0100  space  !      "      #      $      %      &      '
0101  (      )      *      +      ,      -      .      /
0110  0      1      2      3      4      5      6      7
0111  8      9      :      ;      <      =      >      ?
1000  @      A      B      C      D      E      F      G
1001  H      I      J      K      L      M      N      O
1010  P      Q      R      S      T      U      V      W
1011  X      Y      Z      [      \      ]      ^      _
1100  `      a      b      c      d      e      f      g
1101  h      i      j      k      l      m      n      o
1110  p      q      r      s      t      u      v      w
1111  x      y      z      {      |      }      ~      del

Row numbers represent the 4-bit prefix, and the column numbers represent the 3-bit suffix. The first 32 ASCII codes and the last ASCII code are control codes, which are not displayable.
Appendix B
SHA-512 Constants (in hexadecimal)
Appendix C
Data Compression using ZIP
ZIP is a simple matching algorithm using two sliding windows, called the base window and the look-ahead window. These two windows are placed side-by-side on the data file, where the look-ahead window goes ahead of the base window. ZIP scans the entire file by sliding these two windows and encoding data on the fly. In particular, ZIP finds the longest prefix s of the data string contained in the look-ahead window that also appears in the base window. This string in the look-ahead window (if found) is a copy of s in the base window, and so it can be uniquely identified by two attributes: (1) the distance between the location of the first character of s in the base window and the location of the first character in the look-ahead window and (2) the length of s. If the space needed to hold the values of these two attributes is smaller than the space needed to hold s, we obtain a saving of space.
To implement this idea, we will need to distinguish the binary values of the two attributes from normal encodings of characters. Suppose the data file is encoded using the 8-bit ASCII code set. If the first bit is used as a parity bit, then it could be either 0 or 1. The first bit of the binary string representing the two attributes can also be either 0 or 1. Thus, to make a distinction, we add an extra bit of 1 in front of each ASCII code to yield a 9-bit extended ASCII code and add an extra bit of 0 in front of the binary string representing the two attributes. This simple encoding uniquely identifies the original data file.
In particular, let $W_1$ denote the number of characters the base window can hold, where $2^{d-1} < W_1 \le 2^d$ for some $d > 1$. Let $W_2$ denote the number of characters the look-ahead window can hold, where $2^{l-1} < W_2 \le 2^l$ for some $l$ with $1 \le l \le d$. This produces a $(d + l + 1)$-bit binary encoding for $s$, where the first bit is 0 (used as an indicator), the next $d$ bits represent the distance, and the last $l$ bits represent the length. For convenience, we will call this $(d + l + 1)$-bit code a location code.
A location code is easily distinguishable from any 9-bit extended ASCII code because a location code has a fixed length and an indicator 0 different from the indicator in a 9-bit extended ASCII code. In other words, given a compressed file using this encoding method, it can be uniquely and easily "uncompressed" back to its original ASCII format. The proof is left to the reader (see the Exercise). Thus, as long as $d + l + 1 < 8k$, where $k = |s|$, ZIP may save space. ZIP then shifts both the base window and the look-ahead window to the right $\max\{1, k\}$ times and repeats the same procedure until the look-ahead window is shifted out of the data file.
For example, let $W_1 = 18$ and $W_2 = 7$. Then $d = 5$ and $l = 3$. Let us consider the following text string:
"a loop containing a loop is a nested loop"
Denote by $n_b$ the binary representation of positive integer $n$. Running ZIP on this character string produces the following output (see Fig. C.1):
"a loop containing $0\,17_b\,7_b$ is a nested $0\,16_b\,5_b$"
where each letter and space in the output string is encoded by a 9-bit extended ASCII code. For clarity, we do not spell out the location code in binary. The length of the "compressed" string in binary is therefore equal to 18 × 9 + 9 + 11 × 9 + 9 = 279 bits, and the length of the original character string encoded in the 8-bit ASCII code set is equal to 41 × 8 = 328 bits. Thus, ZIP has compressed the original data string to a shorter binary string.
[Figure: the input string "a loop containing a loop is a nested loop" with the base window and the look-ahead window marked at two positions, and the output "a loop containing 0 17_b 7_b is a nested 0 16_b 5_b"]
Fig. C.1 A demonstration of a ZIP process
To decode a compressed file, ZIP scans it from the beginning, removes the leading 1 from each 9-bit extended code, and replaces each 9-bit code with leading 0 by the corresponding character substring using the distance and length attributes.
Exercise
Show why the 10-bit code defined in Section C is easily distinguishable from the extended 9-bit ASCII code. That is, given a compressed file using this encoding method, show it can be uniquely and easily "uncompressed" back to its original ASCII format.
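The encoding and decoding rules of this appendix can be exercised with the following sketch, which is an added example and not code from the book. It assumes the first W1 characters are emitted as literals to fill the initial base window, and that the distance and length fields are stored minus one so that they always fit in d and l bits; both are assumptions of this example.

```python
"""Sliding-window coder following Appendix C (added illustration)."""

SAMPLE = b"a loop containing a loop is a nested loop"   # the appendix's string


def field_widths(w1, w2):
    """Return (d, l) with 2^(d-1) < w1 <= 2^d and 2^(l-1) < w2 <= 2^l."""
    return max(1, (w1 - 1).bit_length()), max(1, (w2 - 1).bit_length())


def compress(data, w1=18, w2=7):
    """Return the compressed stream as a string of '0'/'1' characters."""
    d, l = field_widths(w1, w2)
    # Assumption: the first w1 characters fill the base window as literals.
    head = data[:w1]
    bits = ["1" + format(byte, "08b") for byte in head]
    pos = len(head)
    while pos < len(data):
        look = data[pos:pos + w2]          # look-ahead window
        base_start = pos - w1              # base window is data[base_start:pos]
        k, at = 0, -1
        # Longest prefix of the look-ahead window lying wholly in the base window.
        for n in range(len(look), 0, -1):
            at = data.find(look[:n], base_start, pos)
            if at != -1:
                k = n
                break
        if k and d + l + 1 < 8 * k:        # the appendix's space-saving condition
            distance = pos - at
            # Location code: indicator 0, then distance-1 and length-1 (assumed).
            bits.append("0" + format(distance - 1, f"0{d}b")
                        + format(k - 1, f"0{l}b"))
            pos += k
        else:
            # 9-bit extended ASCII code: indicator 1, then the 8-bit character.
            bits.append("1" + format(data[pos], "08b"))
            pos += 1
    return "".join(bits)


def decompress(bits, w1=18, w2=7):
    """Invert compress(); raise ValueError on a malformed stream."""
    d, l = field_widths(w1, w2)
    out = bytearray()
    i = 0
    while i < len(bits):
        if bits[i] == "1":                 # literal: strip the leading 1
            if i + 9 > len(bits):
                raise ValueError("truncated 9-bit code")
            out.append(int(bits[i + 1:i + 9], 2))
            i += 9
        else:                              # location code of fixed length d+l+1
            end = i + 1 + d + l
            if end > len(bits):
                raise ValueError("truncated location code")
            distance = int(bits[i + 1:i + 1 + d], 2) + 1
            length = int(bits[i + 1 + d:end], 2) + 1
            # A valid copy starts inside the output and ends before its end.
            if distance > len(out) or length > distance:
                raise ValueError("back-reference outside the decoded data")
            start = len(out) - distance
            out += out[start:start + length]
            i = end
    return bytes(out)


if __name__ == "__main__":
    stream = compress(SAMPLE)
    print(len(SAMPLE) * 8, "bits in,", len(stream), "bits out")
    print(decompress(stream) == SAMPLE)
```

On the sample sentence this encoder also finds the second " a " inside the base window, so it emits 29 codes (261 bits) where the hand-worked figure shows 31 codes (279 bits). The decoder never has to guess where a code ends, because the indicator bit fixes the length of the code that follows it.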
Appendix D
Base64 Encoding
Base64 encoding represents a 6-bit binary string using a printable character (see Table D.1), where a 6-bit value of 0 to 25 represents an upper-case letter A to Z correspondingly; a 6-bit value of 26 to 51 represents a lower-case letter a to z correspondingly; a 6-bit value of 52 to 61 represents a digit 0 to 9 correspondingly; and the last two 6-bit values of 62 and 63 represent "+" and "/" respectively. Transmitted in ASCII format, this means that every 6-bit string is replaced with an 8-bit string.
Table D.1 Base64 encoding

6-bit value          0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19
character encoding   A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T
6-bit value         20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39
character encoding   U  V  W  X  Y  Z  a  b  c  d  e  f  g  h  i  j  k  l  m  n
6-bit value         40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59
character encoding   o  p  q  r  s  t  u  v  w  x  y  z  0  1  2  3  4  5  6  7
6-bit value         60 61 62 63
character encoding   8  9  +  /
In addition, Base64 encoding uses character "=" as a special indicator. Using Base64 encoding, a binary string is converted to a character string as follows:
Case 1: The binary data consists of only one byte. Pad it at the end with 16 0's to extend it to a 24-bit string. This 24-bit string is then converted to a Base64 string of four characters, with "==" being the last two characters. This indicates that only the first two characters are to be decoded, and the suffix 0000 is discarded.
Case 2: The binary data consists of only two bytes. Pad it at the end with eight 0's to extend it to a 24-bit string. This 24-bit string is then converted to a Base64 string of four characters, with "=" being the last character. This indicates that only the first three characters are to be decoded, and the suffix 00 is discarded.
Case 3: The binary data consists of at least three bytes. Place the first three bytes of the binary data into a 24-bit buffer, where the first byte is placed in the most significant eight bits of the buffer, the second byte is placed in the middle, and the third byte in the least significant eight bits. This 24-bit string is then converted to a Base64 string of four characters. Repeat this process until there is no byte left, there is one byte left, or there are two bytes left. The conversion is completed if there is no byte left. If there is one byte left, apply Case 1 to this byte to complete the conversion. If there are two bytes left, apply Case 2 to these two bytes to complete the conversion.
Given in Table D.2 are several examples of Base64 conversions.
Table D.2 Examples of Base64 conversions, where boldface bits are padding bits

binary string      10110011 (one byte)
24-bit buffer      101100 110000 000000 000000 (padding of two bytes)
Base64 conversion  sw==

binary string      10110011 00000101
24-bit buffer      101100 110000 010100 000000 (padding of one byte)
Base64 conversion  swU=

binary string      10110011 00000101 01100010
24-bit buffer      101100 110000 010101 100010 (no padding)
Base64 conversion  swVi
Decoding a Base64 string back to the original binary data is straightforward andis left to the reader (Exercise D).
The Base64 encoding was first used in the Privacy-enhanced Electronic Mail (PEM) protocol for transferring electronic data.
Exercise
Describe how to decode Base64 strings back to their original binary strings.
Appendix E
Cracking WEP Keys using WEPCrack
This appendix describes an experiment to crack a WEP-protected WLAN using WEPCrack, an open-source WEP cracking tool. WEPCrack implements the RC4 weak-key attack introduced in 2001 by Fluhrer, Mantin, and Shamir. It is written in the Perl language. Stephen Brinton designed and implemented the experiments.
E.1 System Setup
The experiment uses three computers and one WEP-enabled Linksys wireless router as an AP. One computer serves as an Apache Web server, which is connected to the router via an Ethernet cable. The second computer is a WEP-enabled wireless laptop PC connected to the router. The router and the laptop computer share a 104-bit secret WEP key K. This computer continuously requests Web pages from the Web server for the purpose of generating a large number of frames. The third computer is also a laptop PC equipped with a WEP-enabled wireless network interface card (NIC) that can monitor network traffic. This computer runs WEPCrack to crack the WEP key K. Fig. E.1 shows the system setup of this experiment.
[Figure: the Web server, the wireless router, the user requesting Web pages, and the attacker running WEPCrack]
Fig. E.1 WEPCrack experiment system setup
The experiment uses the following AP and wireless NICs:
AP
The AP used in the experiment was a WEP-enabled Linksys Wireless-B Broadband Router.

User's Network Card
Device:       Belkin F5D7010 54g Wireless Network card
Driver:       ndiswrapper (Belkin: bcmwl5.inf)
Vendor:       Broadcom

Attacker's Network Card
Device:       AR5212 802.11abg (Netgate)
Device Name:  ath0
Driver:       ath_pci
Vendor:       Atheros Communications, Inc.
E.2 Experiment Details
WEPCrack cracks WEP keys by first collecting weak initialization vectors. After sufficient information about weak initialization vectors is obtained, WEPCrack deduces from it the WEP key used in the WLAN. It may take a number of hours to collect information. After that, the actual cracking part may take only a few minutes.
Step 1: Initial Setup
Select a 104-bit WEP key for both the AP (the router) and the STA (the laptop computer that will continuously request Web pages from the Web server). In the experiment, the WEP key is chosen as a 13-byte binary string

K = 96 6 91 24 207 211 39 92 158 7 240 37 234

Start the Apache server using the # rcapache2 start command. The STA starts the requester program requester.c (see Section E.3) using

./requester 172.16.1.1 80 GET /

where 172.16.1.1 is the IP address of the Apache server. This produces continuous requesting and sending of a Web page over the wireless connection.
Step 2: Attacker Setup
The attacker's laptop runs Linux. First run the ifconfig ath0 up command to enable the laptop's NIC. Then run the iwconfig ath0 scan command to search for the AP within range and collect its MAC address, channel, and essid information. The iwconfig ath0 scan command returns the following output:

ath0  Scan completed
      Cell 01 - Address: 00:11:F5:1D:98:04
      ESSID: "Gates"
      Mode: Master
      Frequency: 2.442 GHz (Channel 7)
      Quality = 43/94  Signal level = -52 dBm  Noise level = -95 dBm
      Encryption Key: on
      Bit Rate:

Finally, configure the NIC using the following commands:

ifconfig ath0 down
iwconfig ath0 channel 11
iwconfig ath0 ap 00:06:25:F3:CD:89
iwconfig ath0 essid ResearchAP
iwconfig ath0 mode monitor
ifconfig ath0 up
Step 3: Collecting Weak Initialization Vectors
Start Wireshark and open the capture window to capture wireless frames. Then run the WEPCrack program pcap-getIV.pl using the following command: ./pcap-getIV.pl -i ath0. This may take several hours to run to collect sufficient information. This program produces a log file named IVFile.log, which contains weak initialization vectors and encrypted outputs. They will be used to help reveal the WEP key.
Step 4: Cracking
Run WEPCrack.pl on IVFile.log to deduce the WEP key. After only a few minutes of execution, WEPCrack arrived at the correct encryption key shown below, where $ is the Linux prompt:

$ ./WEPCrack.pl
Keysize = 13 [104 bits]
96 6 91 24 207 211 39 92 158 7 240 37 234
E.3 Sample Code
The STA executes the following program, written by Stephen Brinton, to keep requesting Web pages.
requester.h

/************************************************
 Header name: requester.h
*************************************************/
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

// Maximum Sizes
#define BUFSIZE 1024
#define HOST_NAME_SIZE 256
#define COMMAND_NAME_SIZE 4   // "GET" or "PUT" plus the terminating NUL
#define FILENAME_SIZE 256
#define PORTNUMBER_SIZE 6     // up to "65535" plus the terminating NUL

#define QLEN 128

requester.c

/***********************************************************
 Filename: requester.c
 Designer: Stephen Brinton UML
 Overview: This program will continuously request and print
           Web pages
 Usage:    client host port_number command filename
 Example:  ./requester www.cnn.com 80 GET index.html
 Function: make_socket() - makes a socket connection
************************************************************/
#include "requester.h"

int make_socket(int portnumber, char *host);

int main(int argc, char *argv[])
{
    int sd;                            // socket descriptor ID
    int n;                             // number of characters to/from socket
    char msg[BUFSIZE];                 // buffer used to hold socket message
    char host[HOST_NAME_SIZE];         // host address
    char command[COMMAND_NAME_SIZE];   // command - GET or PUT
    char filename[FILENAME_SIZE];      // filename to GET/PUT
    char port_number[PORTNUMBER_SIZE]; // store portnumber from command line arguments
    int portnumber;                    // portnumber to GET/PUT

    // **** GATHER THE ARGUMENTS FROM THE COMMAND LINE ****
    if (argc != 5) // check if there are 5 arguments
    {
        // print error message otherwise
        fprintf(stderr, "Error - Usage: client host port_number command filename\n");
        exit(1);
    }
    // bounded copies; the arguments are never used as format strings
    snprintf(host, sizeof(host), "%s", argv[1]);
    snprintf(port_number, sizeof(port_number), "%s", argv[2]);
    portnumber = atoi(port_number);
    snprintf(command, sizeof(command), "%s", argv[3]);
    snprintf(filename, sizeof(filename), "%s", argv[4]);

    while (1)
    {
        if (strcmp("GET", command) != 0 && strcmp("PUT", command) != 0)
        {
            fprintf(stderr, "Error - Invalid command entered: %s (Must be either PUT or GET)\n", command);
            exit(1);
        }

        // setup command to be sent through socket to host
        if (strcmp("GET", command) == 0) // Process the GET command
        {
            snprintf(msg, sizeof(msg), "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n", filename, host);
            if ((sd = make_socket(portnumber, host)) == -1)
            {
                exit(1);
            }
            write(sd, msg, strlen(msg));
        }
        else // PUT command
        {
            FILE *fptr;
            int fd;
            size_t bytes_read;
            struct stat file_info;
            char *buffer;
            size_t length;

            // no socket is open at this point, so only the file is cleaned up
            if ((fptr = fopen(filename, "rb")) == NULL)
            {
                fprintf(stderr, "Error - File Not Found\n");
                exit(1);
            }
            fd = fileno(fptr);
            fstat(fd, &file_info);
            length = file_info.st_size;
            if (!S_ISREG(file_info.st_mode))
            {
                fprintf(stderr, "Error - File is not regular\n");
                fclose(fptr);
                exit(1);
            }
            snprintf(msg, sizeof(msg),
                     "PUT /%s HTTP/1.0\r\nHost: %s\r\nContent-type: text/plain\r\nContent-length: %lu\r\n\r\n",
                     filename, host, (unsigned long)length);
            if ((buffer = (char *)malloc(length + strlen(msg))) == NULL)
            {
                fprintf(stderr, "Error - Insufficient memory available to send file\n");
                fclose(fptr);
                exit(1);
            }
            memcpy(buffer, msg, strlen(msg));
            bytes_read = fread(buffer + strlen(msg), 1, length, fptr);
            fclose(fptr);
            if ((sd = make_socket(portnumber, host)) == -1)
            {
                free(buffer);
                exit(1);
            }
            write(sd, buffer, bytes_read + strlen(msg));
            free(buffer);
        }

        // **** READ AND DISPLAY MESSAGES FROM SOCKET ****
        // read from socket and keep doing it until nothing
        // remains in socket
        n = recv(sd, msg, sizeof(msg), 0);
        while (n > 0)
        {
            write(1, msg, n);
            n = recv(sd, msg, sizeof(msg), 0);
        }
        close(sd);
        // **** CLOSE CONNECTION ****
    }
    return (0);
}

/*****************************************************************
 Function name: make_socket
 Overview: This function sets up a socket to be used by this client
           and returns its descriptor, or -1 on failure
******************************************************************/
int make_socket(int portnumber, char *host)
{
    struct hostent *ptrh;   // pointer used by gethostbyname
    struct sockaddr_in sad;
    int sd;                 // socket descriptor ID

    // **** PREPARE THE ADDRESS TO BE USED IN MAKING THE CONNECTION
    memset((char *)&sad, 0, sizeof(sad));
    sad.sin_family = AF_INET;
    sad.sin_port = htons((u_short)portnumber);
    ptrh = gethostbyname(host);
    if (((char *)ptrh) == NULL)
    {
        fprintf(stderr, "Error - Invalid host entered: %s\n", host);
        return -1;
    }
    memcpy(&sad.sin_addr, ptrh->h_addr, ptrh->h_length);

    // **** MAKE THE SOCKET ****
    sd = socket(PF_INET, SOCK_STREAM, 0);
    if (sd < 0)
    {
        fprintf(stderr, "Error - Socket creation failed\n");
        return -1;
    }

    // **** CONNECT TO SERVER ****
    if (connect(sd, (struct sockaddr *)&sad, sizeof(sad)) < 0)
    {
        fprintf(stderr, "Error - Connect failed\n");
        close(sd);
        return -1;
    }
    return sd;
}
Appendix F
Acronyms
ACK       Acknowledgement
ACL       Access Control List
AES       Advanced Encryption Standard
AJAX      Asynchronous JavaScript and XML
AH        Authentication Header
ALG       Application-Level Gateway; Application-Layer Gateway
AMS       Anti Malicious Software
ANSI      American National Standard Institute
AP        Access Point
ARP       Address Resolution Protocol
ASCII     American Standard Code for Information Interchange
AS        Authentication Server
ASIC      Application-Specific Integrated Circuit
ASP       Active Server Page
AVI       Audio-Video Interleaved
DHCP      Dynamic Host Configuration Protocol
CA        Certificate Authority
CBC       Cipher-Block-Chaining Mode
CBC-MAC   Cipher-Block Chaining Message Authentication Code
CCMP      Counter Mode-CBC MAC Protocol
CEO       Chief Executive Officer
CERT      Computer Emergency Response Team (USA)
CGI       Common Gateway Interface
CIA       Central Intelligence Agency (USA)
CIFS      Common Internet File System
CHF       Cryptographic Hash Function
CLG       Circuit-Level Gateway
COFF      Common Object File Format
COM       Component Object Model
CPU       Central Processing Unit
CRC       Cyclic Redundancy Check
CTR       Center
DAC       Data Authentication Code
DES       Data Encryption Standard
DiF       Distributed Firewall
DIS       Digital Immune System
DLL       Dynamic Link Library
DMZ       Demilitarized Zone
DoS       Denial of Service
DDoS      Distributed Denial of Service
DHCP      Dynamic Host Configuration Protocol
DHBS      Double-Homed Bastion System
DPF       Dynamic Packet Filter
DSL       Digital Subscriber Line
DZ        Demilitarized Zone
EAPoL     Extensible Authentication Protocol over LAN
EBCDIC    Extended Binary Coded Decimal Interchange Code
ECB       Electronic-Codebook Mode
ECC       Elliptic-Curve Cryptography
ECDH      Elliptic-Curve Diffie-Hellman
EFF       Electronic Frontier Foundation
ELF       Executable and Linking Format
ESP       Encapsulating Security Payload
ESSID     Extended Service Set IDentifier
FCS       Feistel Cipher Scheme
FAT       File Allocation Table
FTP       File Transfer Protocol
GB        Guojia Biaozhun (National Standards, China)
GCHQ      British Government Communications Headquarters
GMK       Group Master Key
GUI       Graphical User Interface
HIHAT     High Interaction Honeypot Analysis Toolkit
HMAC      Keyed-Hash Message Authentication Code
HBD       Host-Based Detection
HMM       Hidden Markov Model
HTML      Hypertext Markup Language
IAT       Import Address Table
IBM       International Business Machines Corporation (USA)
ICMP      Internet Control Message Protocol
ICV       Integrity Check Value
IDEA      International Data Encryption Algorithm
IDES      Intrusion Detection Expert System
IDP       Intrusion Detection Policy
IDS       Intrusion Detection System
IE        Internet Explorer
IEC       International Electrotechnical Commission
IEEE      Institute of Electrical and Electronics Engineers (USA)
IETF      The Internet Engineering Task Force
IIS       Internet Information Services
IKE       Internet Key Exchange
IM        Instant Messaging
IMAP      Internet Mail Access Protocol
IP        Internet Protocol
IPS       Intrusion Prevention System
IPsec     IP Security
IPv4      Internet Protocol version 4
IPv6      Internet Protocol version 6
ISAKMP    Internet Security Association and Key Management Protocol
ISO       International Standardization Organization; International Organization for Standardization
ISP       Internet Service Provider
ITU       International Telecommunication Union
JSON      JavaScript Object Notation
JVM       Java Virtual Machine
JSP       Java Server Page
KDC       Key Distribution Center
KDP       Key Determination Protocol
KGA       Key Generation Algorithm
KSA       Key Scheduling Algorithm
LFSR      Linear Feedback Shift Registers
MAC       Media Access Control
MAC       Message Authentication Code
MBSA      Microsoft Baseline Security Analyzer
MIC       Message Integrity Code
MIDI      Musical Instrument Data Interface
MKPKC     Multiple-Key Public-Key Cryptography
MPDU      MAC Protocol Data Unit
MSDU      MAC Service Data Unit
LAN       Local Area Network
NAT       Network Address Translation
NBD       Network-Based Detection
NBS       National Bureau of Standards (USA)
NESSIE    New European Schemes for Signatures, Integrity, and Encryption
NetBIOS   Network Basic Input and Output System
NFS       Network File System; National Science Foundation (USA)
NGVCK     Next Generation Virus Creation Kit
NIC       Network Interface Card
NIDS      Network-based Intrusion Detection System
NIST      National Institute of Standards and Technology (USA)
NSA       National Security Agency (USA)
NTFS      New Technology File System
OCB       Offset-Codebook Mode
OFB       Output-Feedback Mode
OLE       Object Linking and Embedding
OSI       Open System Interconnection
PAN       Personal Area Network
PAT       Port Address Translation
PDA       Personal Digital Assistant
PE        Portable Executable
PEM       Privacy-enhanced Electronic Mail Protocol
PGP       Pretty Good Privacy
PHP       Hypertext Preprocessor
PHT       Pseudo Hadamard Transform
PID       Process Identifier
PKA       Public-Key Authority
PKC       Public-Key Cryptography; Public-Key Cryptosystem
PKI       Public-Key Infrastructure
PKIX      X.509 Public-Key Infrastructure
PMK       Pairwise Master Key
POP       Post Office Protocol
POP3      Post Office Protocol version 3
PRNG      Pseudo-Random Number Generator
PTK       Pairwise Transient Key
P2P       Peer-to-Peer
RADIUS    Remote Authentication Dial-In User Service
RAM       Random Access Memory
RSN       Robust Security Network
RSNIE     Robust Security Network Information Element
RSNA      Robust Security Network Association
SA        Security Association
SAD       Security Association Database
SANS      SysAdmin, Audit, Network, and Security Institute (USA)
SAS       Security Association Selector
SCP       Secure Copy Protocol
SET       Secure Electronic Transaction
SFTP      Secure File Transfer Protocol
SHA       Secure Hash Algorithm
SHBS      Single-Homed Bastion System
SIV       System Integrity Verifier
S/MIME    Secure/Multipurpose Internet Mail Extension
SMTP      Simple Mail Transfer Protocol
SOHO      Small Office and Home Office
SPD       Security Policy Database
SPI       Security Parameters Index; Stateful Packet Inspection
SPF       Stateful Packet Filtering
SRES      Signed Response
SSH       Secure Shell
SSL       Secure Sockets Layer
SSP       Secure Simple Pairing
STA       (wireless endpoint) Station
SYN       Synchronization
TCP       Transmission Control Protocol
TCPv4     Transmission Control Protocol version 4
TCPv6     Transmission Control Protocol version 6
Telnet    Teletype network
TGS       Ticket-Granting Server
TFTP      Trivial File Transfer Protocol
TSC       TKIP Sequence Counter
TKIP      Temporal Key Integrity Protocol
TLS       Transport Layer Security
TOS       Trusted Operating System
TTL       Time-to-Live value
UDP       User Datagram Protocol
URL       Uniform Resource Locator
Unicode   Unification Code
VB        Visual Basic
VBS       Visual Basic Script
VoIP      Voice of IP
VPN       Virtual Private Network
WAP       Wireless Access Point
Wi-Fi     Wireless Fidelity
WEP       Wired Equivalent Privacy
WKDC      Wireless Key Distribution Center
WLAN      Wireless Local-Area Network
WN        Wireless Node
WPA       Wi-Fi Protected Access
WPA2      Wi-Fi Protected Access version 2
WPAN      Wireless Personal Area Network
WPKI      Wireless Public-Key Infrastructure
WSN       Wireless Sensor Network
XML       Extensible Markup Language
71. Lmn, J (1987) Pnvacy Enhancement for Internet Electromc Mall: Part I: Message Enclpherment and Authentication Procedures. RFC 989
72. Linn, J (1993) Privacy Enhancement for Internet Electronic Mail: Part I: Message Encryption and AuthenticatIOn Procedures. RFC 1421
73. Massey J (1993) SAFER K-64: A Byte-Oriented Block-Ciphering Algorithm. In Proceedmgs of Fast Software EncryptIOn, 1-17
74. Massey J, Khachatnan G, and Kureglan M (1998) SAFER+. In Proceedmgs of the FirstAdvanced Encryption Standard Candidate Conference. National Institute of Standards andTechnology
75. McKean C (2001) Peer-to-Peer Security and Intel's Peer-to-Peer Trusted Library. SANSSecunty Essentials, USEe Practical ASSignment, VersIOn 1.2e
76. Merkle R (1979) Secrecy, Authentication, and Public Key Systems. PhD thesis, StandfordUniversity
77. Miller, G (1976) Riemann's Hypothesis and Tests for Primality. Journal of Computer andSystem Sciences 13(3): 300-317
78. Moore T, Clulow J, Anderson R, Nagaraja S (2007) New Strategies for Revocation in AdHoc Networks. In Proceedings of the 4th European Workshop on Security and Privacy in Adhoc and Sensor Networks. Lecture Notes in Computer Science, vol. 4572, pages 232-246,Springer-Verlag, Berlin
374 References
79. Mirkovic J and ReIher P (2004) A taxonomy of DDoS attack and DDoS defense mechanisms. ACM SIGCOMM Computer Communications Review 34(2):39-53
80. Neuman B-C and Ts' 0 T (1994) Kerberos: an authentication service for computer networks.IEEE Communications 32(9):33-38
81. Northcutt S (1999) Network Intrusion Detection, An Analysit's Handmonograph. New Riders, Indiana
82. Oppliger R (1999) Security Technologies for the World Wide Web. Artech House, Massachusetts
83. PC Magazine (2007) Ten most common passwords. http://www.pcmag.com/article2/0,1759,2113976,OO.asp
84. Peterson L and Davie B (2006) Computer Networks A Systems Approach. 3rd ed. Elsevier,Pans
85. Pfteeger C and Pfteeger S (2006) Security in Computing. 4th ed. Prentice-Hall, New Jersey86. Pietrek M (1994) Peering Inside the PE: A Tour of the Win32 Portable Executable File
Format. MSDN Magazine.http://msdn2.microsoft.com/en-us/library/ms809762.aspx
87. Pietrek M (2002) An In-Depth Look into the Win32 Portable Executable File Format.MSDN MagaZine. Part I:http://msdn.microsoft.com/msdnmag/issues/02/02/PE/default.aspx.Part II:http://msdn.microsoft.com/msdnmag/issues/02/03/PE2/default.aspx
88. Proctor P (2001) The Practical IntruSIOn DetectIOn Handmonograph. Prentice-Hail, NewJersey
89. Provos N (2004) A VIrtual honeypot framework. In Proceedings of the 13th USENIX Security Symposium. Pages 1-14
90. Ramachandran V and Ahmad M (2007) Cafe latte with a free topping of cracked WEP:retrieving WEP keys from road-warriors. In Proceedings of ToorCon
91. Ranum M (1992) A network firewall. In: Proceedll1gs of the FIrst World Conference onSystems Administration and Security
92. Rabll1, M (1980) Probablhstlc algontlul1 for testll1g pnmahty. Journal of Number Theory12(1): 128-138
93. Rescorla E (2001) SSL and TLS: Deslgmng and BUlldll1g Secure Systems. AddIson-Wesley,Massachusetts
94. RIvest R-L (1992) The RC4 encryption algonthm. RSA Data Secunty95. Rivest R-L (1995) The RC5 encryption algorithm. Dr. Dobb's Journal 20:146-14896. Rivest R-L, Shamir A, and Adleman L-M (1978) A method for obtaining digital signatures
and public-key cryptosystems. Communications of the ACM 21:120-12697. Rogaway P, Bellare M, and Black J (2003) OCB: A block-cipher mode of operation for
effiCient authenticated encryption, ACM Transactions on Information and System Secunty,6(3):365-403
98. Rubin A (2001) White-Hat Secunty Arsenal, Tackhng the Threats. AddIson-Wesley, Massachusetts
99. Salomaa A (1990) PUbhc-Key Cryptography. Spnnger-Verlag, Berlin100. Seaminatha T and Elden C (2003) Wireless Security and Privacy. Addison-Wesley, Mas
sachusetts101. Schneier B (1996) Applied Cryptography. 2nd ed. John Wiley & Sons, New York102. SchneIer B (2000) Secrets and LIes, DIgital Secunty In a Networked World. John Wiley &
Sons, New York103. Shaked Y and Wool A (2005) Cracking the Bluetooth PIN. In Proceedings of the 3rd
USENIX/ACM Conference Mobile Systems, Applications, and Services (MobiSys), pages39=.50
104. Shor P-W (1997) Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Journal on Computing 26:1481-1509
105. Skoudis E (2002) Counter Hack, A Step-by-Step Guide to Computer Attacks and EffectiveDefenses. Prentice Hall, New Jersey
References 375
106. Stallings W (2006) Cryptography and Network Secuirty: Principles and Practice. 4th ed.Prentice HaIl, New Jersey
107. Steiner J, Neuman C, and Schiller J (1988) Kerberos: an authentication service for opennetwork systems (VersIOn 4). In Proceedings of the Winter 1988 Usemx Conference
108. Suehring S and Ziegler R (2006) Linux Firewalls. 3rd ed. Novell Press, Indiana109. Szor P (2005) The Art of Computer Virus Research and Defense. Addison-Wesley, New
Jersey110. Thomas S (2000) SSL and TLS essentials secunng the Web. John Wiley & Sons, New York111. Tibbs R and Oakes E (2006) Firewalls and VPNs Principles and Practices. Pearson Prentice
HaIl, New Jersey112. Trappe Wand Washington L (2006) Introduction to Cryptography with Coding Theory. 2nd
ed. Prentice Hall, New Jersey113. Vlega J and McGraw G (2002) Bmdllng Secure Software. Addison-Wesley, Massachusetts114. Voice of America (1999) Navajo Code Talkers. http://www.voanews.com/
specialenglish/archive/2002-02/a-2002-02-01-26-1.cfm115. Wack J, Cutler K, and Pole J (2002) Guidelines on Firewalls and Firewall Policy. NIST
SpeCialPublicatIOn SP 800-41116. Walker J (2002) 802.11 security series part II: the Temporal Key Integrity protocol (TKIP).
Intel Cooperation.http://cache-www.intel.com/cd/OO/OO/Ol/77/17769_80211_part2.pdf
117. Wang X, Yin Y, and Yu H (2005) Finding collisions in the full SHAI. In: Proceedings ofCRYPTO'05, Lecture Notes in Computer Science, vol. 3621, 17-36. Springer, Berlin
118. WEPCrack: http://wepcrack.sourceforge.net119. Whiteman M-E and Mattord H-J (2005) Principles of Information Security. 2nd ed. Thom
son Course Technology, Massachusetts120. Yao A (1982) Protocols for secure computations. In Proceedings of the 23rd IEEE Sympo
sium on the Foundations of Computer Science (FOCS'82), 160-164121. Ylonen T (2006) The Secure Shell (SSH) Protocol Architecture. RFC 4251122. Ylonen T (2006) The Secure Shell (SSH) Authentication Protocol. RFC 4252123. Ziv J and A Lempel (1977) A universal algorithm for sequential data compression. IEEE
Transacliuns un Inlurmaliun Theury, 23:337-343
Index
1's complement sum, 140
2DES, 55
3DES/2, 55
3DES/3, 55
4-way handshake, 221
802.1X, 219
A
access point (AP), see wireless access point (WAP)
ActiveX, 305
ActiveX control, 306
ad hoc WLAN, 208, 210
Adleman, L, 90
Advanced Encryption Standard, 39
adware, 25
AES
    add round key, 58, 62
    add subkey, 62
    inversed S-Box, 70
    meet-in-the-middle attack, 110
    mix-columns, 58, 64
    partial information attack, 109
    reverse S-Box, 60
    S-Box, 60, 70
    shift-rows, 58
    state matrix, 58
    substitute bytes, 58, 63
algebraic cryptanalysis, 44
almost b-conserving, 77
anti-malicious-software system, 28
anti-phishing extension, 7
AP spoofing, 211
application gateway, 251
application-specific integrated circuit (ASIC), 250
ARP poisoning, 14
ARP spoofing, 14, 16, 35
Asynchronous JavaScript and XML (AJAX), 308
avalanche effect, 43
Avast AntiVirus, 296
B
backdoor, 22, 23
Barreto, P, 132
Base64 encoding, 191
bastion host, 259, 260
batch detection, 326
BBS pseudorandom bit generator, 79
beaconing, 209
behavior signature, 329
behavioral data forensics, 336
Bellare, M, 143
bias vector, 235
big endian, 85
binary string, 40
birthday attack, 132, 146
    set intersection attack, 149
birthday paradox, 148
bit, 40
Black, J, 143
black-hat hacker, 25, 26
blackhole attack, 244
blind signature, 155, 164
block cipher, 41
Bluetooth
    initialization key, 239, 240
    link key, 234, 239, 240
    secure pairing, 233
    secure simple pairing (SSP), 242
Blum, L, 79
Blum, M, 79
boot virus, 278
bootstrap protocols (Bootp), 253
botnet, see zombie army
broadcast attack, 330
browser hijacking, 24
buffer overflow, 16
buffer overrun, see buffer overflow
bugnosis, 315
C
CA
    chain, 120
    network, 120
cache gateway, 258
CERT, 30
certificate authority, 119
certificate path, 120
challenge-response authentication, 212
character code sets, 40
Chaum, D, 164
chosen-plaintext attack, 44
cipher-block-chaining mode (CBC), 72
cipher-feedback mode (CFB), 72, 73
ciphertext data, 4
ciphertext stealing mode (CTS), 86
clogging attack, 181
Cocks, C, 91
collision resistance, 131
Common Criteria, 260
Common Internet File System (CIFS), 253
Common Object File Format (COFF), 285
commutative group, 112
Component Object Model (COM), 305
compound signature, 330-332
computational uniqueness property, 130, 131
computer
    forensics, 3
    hijacking, 24
    virus, 2
confusion, 43
congruence relation, 92, 93
content signature
    payload signature, 329
contextual interpretation, 337
conventional encryption algorithm, 39
cookie, 181, 306
counter mode (CTR), 72, 74
counter mode-CBC MAC protocol (CCMP), 229
cracker, 26
crafted packet, 253
crafted SYN packet, 14
cryptanalysis, 4
crypto placement, 168
cryptographic algorithm, 165
cryptographic checksum, 140
cryptographic hash function, 129, 130
cryptosystem, 28
cyber
    spy, 25, 27
    terrorist, 25, 28
Cyclic Redundancy Check (CRC), 140, 212
D
data
    availability, 2
    confidentiality, 2
    integrity, 2
    non-repudiation, 2
    storage state, 2
    transmission state, 2
data authentication code standard (DAC), 142
Data Encryption Standard (DES), 39, 45
data mining, 318, 336, 337
data refinement, 337
database security, 3
DDoS attack, 20
de-association attack, 232
deep layered defense, 3
DES
    encryption, 51
    expansion permutation, 51
    initial permutation, 52
    permutation on keys, 48
    S-Box, 49
    subkeys, 48
    substitution, 51
detection engine, 326
detection policy, 324
dictionary attack, 5, 7, 8
differential cryptanalysis, 44
Diffie, W, 90
Diffie-Hellman key exchange, 89, 181
diffusion, 43
digital certificate, 119
digital digest, 129
digital fingerprint, 129, 130
digital immune system (DIS), 297
digital signature standard (DSS), 150
disaster recovery, 3
discrete elliptic curves, 113
discrete logarithm (discrete log), 101
distributed denial of service (DDoS), 20, 310
distributed firewall, 251
DoS attack, 20, 36
double signature, 164
drill down, 337
dual signature, 153, 154
dynamic document
    Active Server Page (ASP), 303
    Common Gateway Interface (CGI), 303
    Hypertext Preprocessor (PHP), 303
    JavaServer Page (JSP), 303
Dynamic Host Configuration Protocol (DHCP), 253
Dynamic Link Library (DLL), 279
E
eCash, 157
ECC
    decryption, 116
    encoding, 114
    encryption, 116
    key exchange, 117
electronic cash, 156, 157
electronic-codebook mode (ECB), 72
Elgamal PKC, 102
Elgamal public-key cryptosystem, 89
Elgamal, T, 102
elliptic-curve cryptography, 91, 112
elliptic-curve Diffie-Hellman (ECDH), 117
elliptic-curve encoding parameter, 116
elliptic-curve logarithm, 116
elliptic-curve public-key cryptography, 89
emergency response, 3
encrypted checksum algorithm, 129
encrypted hash, 7
Euclid's algorithm, 79, 80
Euler's theorem, 93
Euler's totient function, 93
event counter, 334
event gauge, 335
event timer, 335
Extensible Authentication Protocol over LAN (EAPoL), 220
external network, 250
F
false negative detection, 324
false positive, 324
false positive alarm, 324
fast modular exponentiation, 94, 95
Feistel cipher scheme, 45
Feistel, H, 45
Ferguson, N, 222
Fermat's little theorem, 94
File Allocation Table (FAT), 279
file-format virus, 279
file-system virus, 279
fingerprint reader, 12
finite continued fraction, 99
firewall, 28, 249
    ipf, 268
    iptables, 268, 269
    access control list (ACL), 252
    application gateway, 257
    application-level gateway (ALG), see application gateway
    circuit gateway, 251, 255
    circuit-level gateway (CLG), see circuit gateway
    connection-state filtering, 254
    demilitarized zone, 261, 264
    dual-home bastion host (DHBH), 262
    dual-homed bastion system, 261
    dynamic packet filter, 251
    dynamic packet filter (DPF), 255
    egress filtering, 251
    ingress filtering, 251
    packet filter, 251
    proxy server, see application gateway
    screened subnet, 261, 263
    single-homed bastion system, 261
    SOCKS, 257
    stateful filtering, 252, 254
    stateful packet inspection (SPI), 259
    stateless filtering, 252
Fluhrer, S, 77
fragmentation attack, 217
G
Galois field, 68
gateway, 19
Gray code, 144
grayhole attack, 244
grey-hat hacker, 25, 26
group master key (GMK), 220
H
hacker, 25
hacking tool, 27
hash function, 130
header signature, 329, 330
healthy host, 22
heap, 16
Hellman, M, 90
hidden Markov model (HMM), 316
High Interaction Honeypot Analysis Toolkit (HIHAT), 339
HoneyBow, 339
honeypot, 29, 317, 338
Honey trap, 339
Honeywall, 339, 343
host-based detection (HBD), 318, 325, 328
host-based signature, 330
hybrid detection, 318
Hypertext Markup Language (HTML), 303
I
identity spoofing, 12
Import Address Table (IAT), 285
infected host, 22
information, 2
information security, 3
infrastructure WLAN, 208
initial vector, 72
instant messaging (IM), 301
integer factorization, 80
Internet Information Services (IIS), 293
Internet Mail Access Protocol (IMAP), 193
intrusion, 18
Intrusion Detection Expert System (IDES), 334
intrusion detection system (IDS), 28, 318
intrusion prevention system (IPS), 318
IP
    header, 15, 16
    scan, 18, 35
    spoofing, 14
IPsec, 165
    Internet key exchange, 173
    AH format, 177
    authentication header (AH), 173
    cookie exchange, 181
    encapsulating security payload (ESP), 173
    integrity check value (ICV)
    Internet security association and key management protocol (ISAKMP), 180
    Oakley key determination protocol (KDP), 180
    SA bundle, 174
    SA selectors (SAS), 174, 175
    security association (SA), 174
    security association database (SAD), 174, 175
    security parameters index (SPI), 174
    security policy database (SPD), 174, 175
    sliding window, 178
irreducible polynomial, 68
J
Java Virtual Machine (JVM), 304
K
Katz, P, 185
Kerberos, 165, 194
    authentication server, 195
    multiple-realm Kerberos, 195, 198
    server ticket, 195
    single-realm Kerberos, 195
    ticket, 195
    ticket granting server, 195
key distribution center (KDC), 126
key ring, 122
key scheduling algorithm (KSA), 75
keyed-hash message authentication code (HMAC), 129, 142
keystroke logger, 25
Koblas, M, 257
Koblitz, N, 91
Krovetz, T, 143
L
left-circular shift operation, 48, 235
Lempel, A, 185
Line Printer Remote protocol (LRP), 253
linear cryptanalysis, 44
little endian, 85
logic bomb, 22, 23
M
MAC
    backward intractability, 141
    computational uniqueness, 141
    forward efficiency, 141
    uniform distribution, 141
MAC address, 16
MAC Service Data Unit (MSDU), 214
MAC-address filtering, 209
macro virus, 279
Mafiaboy, 21
Maginot Line, 31
malicious software, 22
malware, see malicious software, 22
man-in-the-middle attack, 12, 101
Mantin, I, 77
Massey, J, 234
master key, 118
master zombie, 310
master-slave DDoS attack, 310
master-slave-reflector DDoS attack, 310
mathematical attack, 44
McAfee VirusScan, 296
meet-in-the-middle attack, 55
meet-in-the-middle attacks on 2DES, 56
memory layout, 17
memory-resident virus, 280
Merkle, R, 132
message, 2
    replay, 12, 13
message authentication code (MAC), 129
message injection, 216
message integrity code (MIC), 222
metamorphic virus, 280, 287, 316
Miller, G, 97
Miller, S, 194
Miller, V, 91
Mitnick, K, 15
modular exponentiation, 95
modular inverse, 93
multi-host signature, 330, 331
multiple-key public-key cryptography (MKPKC), 164
Multipurpose Internet Mail Extension protocol (MIME), 193
muted computer, 14
N
Nepenthes, 339
network
    administration tools, 31
    sniffer, see packet sniffer, 33
    spoofing, 12, 14
network address translation (NAT), 265
    dynamic NAT, 266
Network Basic Input/Output System (NetBIOS), 253
Network File System (NFS), 253
network interface card (NIC), 357
network signature, 329
network tap, 326
network-based detection (NBD), 318, 325, 326
network-node detection, 326
network-sensor detection, 326
Neuman, C, 194
Neumann, P, 317
New Technology File System (NTFS), 279
Next Generation Virus Creation Kit (NGVCK), 287
Nimitz, C, 27
node subversion, 347
nonce, 13, 172
Norton AntiVirus, 296
O
Object Linking and Embedding (OLE), 305
offset codebook mode (OCB), 143
one-time pad, 42
one-way property, 130
operational detection, see signature detection
out-of-band data, 337
output-feedback mode (OFB), 72, 74
P
P2P
    BitTorrent, 299
    eMule, 299
    Gnutella, 299
    Napster, 299
packet
    sniffer, 3, 33
padding, 41
pairwise master key (PMK), 219, 220
pairwise transient key (PTK), 220
password sniffing, 5, 10, 25
payload signature, 329
peer-to-peer (P2P), 301
peer-to-peer security, 299
per-frame key, 224
perimeter security, 249
periodic detection, 326
phisher, 6, 7
phishing, 5, 6
phishing site, 7
physical address, 16
piconet, 232
    master device, 232
    parked station, 232
    slave device, 232
plaintext data, 4
polymorphic viruses, 280
port address translation (PAT), 266
port scan, 18, 35
Portable Executable (PE), 285
Pretty Good Privacy (PGP), 165
primality test, 97
prime number theorem, 92
primitive root, 94, 95
private key, 90
private network, 266
private-key ring, 122, 192
probabilistic algorithm, 97
program behavior, 321
protocol
    defect, 2
    flaw, 2
    loophole, 2
Pseudo Hadamard Transform (PHT), 236
pseudorandom number generator (PRNG), 78
public key, 90
public-key authority (PKA), 127
public-key certificate, 118, 119
public-key cryptography (PKC), 89
public-key cryptosystem, 89
    backward intractability, 91
    commutability, 91
    forward efficiency, 91
public-key infrastructure (PKI), 165, 170
public-key ring, 122, 123, 192
R
Rabin, M, 97
Radix-64 encoding, see Base64 encoding, 191
rainbow table, 8
RC4 stream cipher, 75
real-time detection, 326
reduction function, 8
registry virus, 280
related-plaintext attack, 77
relatively prime, 79
repudiation attack, 17
retina scanner, 12
Rijmen, V, 57, 132
Rivest, R, 75, 90
robust security network (RSN), 221
Rogaway, P, 143
rollback attack, 231
round key, 57
route leak, 273
route-error-injection attack, 245
RSA
    challenge number, 111
    small exponent attack, 108
    time analysis, 107
RSA public-key cryptosystem, 90
RSN IE poisoning, 231
rule-based detection, 329
rushing attack, 244
S
SANS, 30
scanning, 209
script kiddies, 25, 27
script virus, 280
Sebeck, 339
secret key, 4
secure code, 3
Secure Electronic Transaction Protocol (SET), 154
secure hash algorithm, 132
Secure Shell (SSH), 165
secure socket layer protocol (SSL), 184
Secure Sockets Layer (SSL), 165
security
    assessment, 3
    auditing, 3, 319
    policy, 3
    training, 3
security network association (RSNA), 221
security profile, 319, 321
session key, 118
Shamir, A, 77, 90
Shor, P, 80, 101
Shub, M, 79
side channel attack, 45
sieve, 97
signature detection, 329
signature verification, 151
silenced computer, see muted computer
signed response (SRES), 240
single-event signature, 330, 331
slave zombie, 310
Smith, D, 289, 290
smurf attack, 20
SOHO firewall, 267
source combination, 337
spam filter, 22
spam honeypot, 339
spam mail, 21
spam trap, see spam honeypot
spammer, 22
special b-exact key, 77
spyware, 22, 24
SSH
    connection layer, 200, 201
    transport layer, 200
    user authentication layer, 200
SSL
    alert protocol, 185
    change-cipher-spec protocol, 185
    connection, 186
    handshake protocol, 184, 185
    master secret, 188
    pre-master secret, 188
    record protocol, 184, 189
STA spoofing, 211
stack, 17
stealth virus, 280
Stoned Empire Monkey, 279
stream cipher, 75
strong collision resistance, 131
strongly collision resistant, 131
subkey generation algorithm (SGA), 76
subliminal channel, 127
Sun Tzu, 1
sweeping attack, 332
symmetric-key encryption algorithm, see conventional encryption algorithms
SYN flooding, 14
system integrity verifier (SIV), 328
T
tag, see message authentication code (MAC)
TCP
    fragmentation attack, 253, 270
    header, 15
    hijacking, 14, 15
    packet, 15
    port, 18
    wrappers, 15
the Chinese remainder theorem, 98
the fundamental theorem of arithmetic, 92
time stamp, 13, 172
timing attack, 45
TKIP sequence counter (TSC), 224
traffic analysis, 18
transparent proxy firewall, 255
Transport Layer Security (TLS), 165
transport layer security protocol (TLS), 184
transport mode, 169
triple-DES, 39
Trivial File Transfer Protocol (TFTP), 253
Trojan dropper, 298
Trojan horse, 22, 23
trusted operating system, 3
trusted operating system (TOS), 259
    no read up, 260
    no write down, 260
tunnel mode, 169
U
undeniable signature, 164
user password, 5
user profile, 321
V
van Antwerpen, H, 164
Vernam, G, 75
vicious employee, 28
virtual honeypot personality, 342
virtual local area network (VLAN), 267
virtual private network (VPN), 173
virus, 22
    Black Ice, 280
    cascade, 279
    DIR-II, 279
    Elk Cloner, 279
    Happy99.exe, 280
    host program, 278
    infected program, see host program
    LoveLetter, 280
    WM/DMV, 279
    XM/Larous, 279
    Zafi, 284
virus emulator, 297
virus hoax, 299
virus scan, 22
virus scanner, 294
voice of IP (VoIP), 301
W
Wang, X, 131, 132
Web
    active document, 303
    dynamic document, 303
    static document, 303
Web bug, 315
Web proxy server, 258
WEP
    FMS attack, 77
    per-frame key, 214
    temporal key integrity protocol (TKIP), 218
WEP key, 211
WHIRLPOOL
    add round constant, 137, 140
    add round key, 137, 140
    mix rows, 137, 139
    shift columns, 137
    shift rows, 139
    state matrix, 136, 137
    substitute bytes, 137
white-hat hacker, 25, 26
Wi-Fi, 209
Wi-Fi Alliance, 209
Wi-Fi hotspot, 209
Wi-Fi network, 209
Wi-Fi Protected Access (WPA), 207, 218
Wi-Fi Protected Access version 2 (WPA), 207
Williamson, M, 90
Windows Defender, 308
Wired Equivalent Privacy (WEP), 75, 207, 211
wireless access point (WAP), 208
wireless key distribution center (WKDC), 244
wireless local-area network (WLAN), 207
wireless personal area networks (WPAN), 207, 232
wireless public-key infrastructure (WPKI), 244
wireless sensor network (WSN), 248
worm, 22
    Code Red, 292, 293
    Code Red II, 293
    infection propagator, 287
    LoveLetter, 280
    mass mailer, 288
    Melissa, 289
    rabbit, 288
    SQL slammer, 293
    storm, 293
    target locator, 287
    mm, 293
    W32/Nimda, 293
    mm, 293
worm tunnel, 244
wormhole attack, 244
WPA
    DoS attack, 229
    Enterprise WPA, 219
    Home-and-Small-Office WPA, 219
    key mixing, 224
    message integrity code (MIC), 218
    pairwise transient key (PTK), 220
WPA2, 229
X
X.509
    certificate authority, 171
    certificate revocation list, 171
    end entity, 171
    registration authority (RA), 171
    Repository, 171
X.509 PKI, 170
Y
Yao, F, 132
Ylönen, T, 200
Z
Zimmermann, P, 192
ZIP
    base window, 353
    look-ahead window, 353
Ziv, J, 185
zombie
    computer, 21
    software, 21
    zapper, 21
zombie army, 21
Zombie Zapper, 36
zombieware, 22