lab manual css
DESCRIPTION
cssTRANSCRIPT
Mahatma Education Society’sPillai HOC Mission’s College of Engineering
and Technology
Department of Computer Engineering
Cryptography and System Security (CSS)
-:Lab Manual:-
Prepared by Prof. Rohini Bhosale
Ms. Srijita Bhattacharjee HOD
(CSS) CRYPTOGRAPHY AND SYSTEM SECURITY LAB MANUAL – VII (CBGS)
( Subject –In-Charge) Computer Engg.
Mahatma Education Society’s Pillai HOC College of Engineering and Technology,Rasayani
Department of Computer Engineering
Subject : Cryptography & System Security (CSS) Class/Sem: BE/VII
LIST OF EXPERIMENTS
Experiment No.
Name of the Experiment
1. Implementation of Substitution Cipher Algorithm
2. Implementation of Transposition Cipher Algorithm
3. Implementation of RSA Algorithm
4. Implementation of Diffie-Hellman Algorithm
5. Implementation of DES Algorithm
6. Implementation/Configuration of Firewall
7. Implementation of Buffer Overflow
8. Study of Intrusion Detection System
Subject-In charge H.O.D.Ms. Srijita Bhattacharjee Prof. Rohini Bhosale
DEPARTMENT OF COMPUTER ENGINEERING, PHCET, Rasayani 2
(CSS) CRYPTOGRAPHY AND SYSTEM SECURITY LAB MANUAL – VII (CBGS)
EXPERIMENT NO. 1
SUBSTITUTION CIPHER
Aim: To study Substitution cipher algorithm.
Theory:
Substitution over a single letter simple substitution can be demonstrated by writing out the
alphabet in some order to represent the substitution. This is termed a substitution
alphabet. The cipher alphabet may be shifted or reversed (creating the Caesar and Atbash
ciphers, respectively) or scrambled in a more complex fashion, in which case it is called a
mixed alphabet or deranged alphabet. Traditionally, mixed alphabets are created by first
writing out a keyword, removing repeated letters in it, and then writing all the remaining
letters in the alphabet.
Examples:
Using this system, the keyword "zebras" gives us the following alphabets:
Plaintext alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Ciphertext alphabet: ZEBRASCDFGHIJKLMNOPQTUVWXY
DEPARTMENT OF COMPUTER ENGINEERING, PHCET, Rasayani 3
(CSS) CRYPTOGRAPHY AND SYSTEM SECURITY LAB MANUAL – VII (CBGS)
Algorithm:
1. Start
2. Use the correspondence A <--> 0, B <--> 1, C <--> 2 ...Z <--> 25.
3. Associate each key K with an alphabetic string of length m, i.e. keyword.
4. This cipher encrypt m alphabetic characters at a time, each plaintext element is
equivalent to m alphabetic characters.
5. Assume m = 6 and the keyword is ‘Your Name‘
e.g. ‘CIPHER‘
6. Find Numerical equivalent K = (2, 8, 15, 7, 4, 17)
7. plaintext = thiscryptosystemisnotsecure
8. Convert the plaintext elements to residues modulo 26.
9. Write them in groups of 6.
10. Then add the keyword modulo 26.
11. Result will be ciphertext.
12. End.
Conclusion:
Thus, we have studied and implemented Substitution cipher algorithm.
DEPARTMENT OF COMPUTER ENGINEERING, PHCET, Rasayani 4
(CSS) CRYPTOGRAPHY AND SYSTEM SECURITY LAB MANUAL – VII (CBGS)
EXPERIMENT NO. 2
TRANSPOSITION CIPHER
Aim: To study Transposition cipher algorithm.
Theory:
A transposition cipher is methods of encryption by which the positions held by units of
plaintext (which are commonly characters or groups of characters) are shifted according to
a regular system, so that the ciphertext constitutes a permutation of the plaintext. That is,
the order of the units is changed.
Algorithm:
1. Start
2. Suppose the key is following permutation Π
3. Then inverse permutation Π^-1
4. Take plaintext as input
plaintext = shesellsseashellsbytheseashore
5. Group above plaintext into 5 groups of 6 letters each
i.e. shesel | lsseas | hellsb | ythese | ashore
6. Now each group of 6 letters is rearranged according to the permutation ╥, which gives,
EESLSH | SALSES | LSHBLE | HSYEET | HRAEOS
7. CIPHERTEXT = EESLSHSALSESLSHBLEHSYEETHRAEOS
8. End.
Conclusion:
Thus, we have studied and implemented Transposition cipher algorithm.
DEPARTMENT OF COMPUTER ENGINEERING, PHCET, Rasayani 5
П =1 2 3 4 5 6
3 5 1 6 4 2
П ^-1 =1 2 3 4 5 6
3 6 1 5 2 4
(CSS) CRYPTOGRAPHY AND SYSTEM SECURITY LAB MANUAL – VII (CBGS)
EXPERIMENT NO. 3
PUBLIC KEY CRYPTOGRAPHY ALGORITHM RSA
Aim: To study Public Key Cryptography.
Theory:
Public-key cryptography is a cryptographic approach which involves the use of
asymmetric key algorithms instead of or in addition to symmetric key algorithms. Unlike
symmetric key algorithms, it does not require a secure initial exchange of one or more
secret keys to both sender and receiver. The asymmetric key algorithms are used to create a
mathematically related key pair: a secret private key and a published public key. Use of
these keys allows protection of the authenticity of a message by creating a digital signature
of a message using the private key, which can be verified using the public key. It also
allows protection of the confidentiality and integrity of a message, by public key
encryption, encrypting the message using the public key, which can only be decrypted
using the private key.
It is the approach which is employed by many cryptographic algorithms and cryptosystems.
It underpins such Internet standards as Transport Layer Security (TLS), PGP, and GPG.
The two main branches of public key cryptography are:
Public key encryption: a message encrypted with a recipient's public key cannot be
decrypted by anyone except a possessor of the matching private key—presumably, this
will be the owner of that key and the person associated with the public key used. This is
used for confidentiality.
Digital signatures : a message signed with a sender's private key can be verified by
anyone who has access to the sender's public key, thereby proving that the sender had
access to the private key (and therefore is likely to be the person associated with the
public key used), and the part of the message that has not been tampered with. On the
question of authenticity, see also message digest.
An analogy to public-key encryption is that of a locked mailbox with a mail slot. The mail
slot is exposed and accessible to the public; its location (the street address) is in essence the
public key. Anyone knowing the street address can go to the door and drop a written
DEPARTMENT OF COMPUTER ENGINEERING, PHCET, Rasayani 6
(CSS) CRYPTOGRAPHY AND SYSTEM SECURITY LAB MANUAL – VII (CBGS)
message through the slot; however, only the person who possesses the key can open the
mailbox and read the message.
An analogy for digital signatures is the sealing of an envelope with a personal wax seal.
The message can be opened by anyone, but the presence of the seal authenticates the
sender.
A central problem for use of public-key cryptography is confidence (ideally proof) that a
public key is correct, belongs to the person or entity claimed (i.e., is 'authentic'), and has
not been tampered with or replaced by a malicious third party. The usual approach to this
problem is to use a public-key infrastructure (PKI), in which one or more third parties,
known as certificate authorities, certify ownership of key pairs. Another approach, used by
PGP, is the "web of trust" method to ensure authenticity of key pairs.
Algorithm:
1. Start
2. Given a plaintext x, a bitstring x0 is constructed by permuting the bits of x according to
a (fixed) initial permutation IP
3. 16 iterations of a certain function are then computed. Compute LiRi, 1 <= I <= 16,
According to the following rule:
Li = Ri – 1
Ri = Li – 1 + f (Ri – 1, Ki) where + denotes exclusive or of two bit strings.
4. Function f takes as input a 1st argument A, which is a bitstring of length 32, and a 2nd
argument I that is a bitstring of length 48, and produces as output a bitstring of length
32.
5. Apply the inverse permutation IP^-1 to the bitstring R16L16, obtaining the cipertext y.
i.e. y = IP^-1 (R16L16)
6. End.
Conclusion:
Thus, we have studied and implemented Public Key Cryptography.
DEPARTMENT OF COMPUTER ENGINEERING, PHCET, Rasayani 7
(CSS) CRYPTOGRAPHY AND SYSTEM SECURITY LAB MANUAL – VII (CBGS)
EXPERIMENT NO. 4DIFFIE – HELLMAN KEY EXCHANGE
Aim: To implement Diffie – Hellman Key Exchange Algorithm.
Theory:
Diffie–Hellman key exchange (D–H) is a specific method of exchanging keys. It is one of
the earliest practical examples of Key exchange implemented within the field of
cryptography. The Diffie–Hellman key exchange method allows two parties that have no
prior knowledge of each other to jointly establish a shared secret key over an insecure
communications channel. This key can then be used to encrypt subsequent communications
using a symmetric key cipher. It is a type of key exchange.
Diffie–Hellman establishes a shared secret that can be used for secret communications by
exchanging data over a public network. Here is an explanation which includes the
encryption's mathematics:
Figure 1: Diffie–Hellman key exchange
The simplest, and original, implementation of the protocol uses the multiplicative group of
integers modulo p, where p is prime and g is primitive root mod p. Here's a more general
description of the protocol:
1. Alice and Bob agree on a finite cyclic group G and a generating element g in G.
(This is usually done long before the rest of the protocol; g is assumed to be known
by all attackers.) We will write the group G multiplicatively.
2. Alice picks a random natural number a and sends ga to Bob.
DEPARTMENT OF COMPUTER ENGINEERING, PHCET, Rasayani 8
(CSS) CRYPTOGRAPHY AND SYSTEM SECURITY LAB MANUAL – VII (CBGS)
3. Bob picks a random natural number b and sends gb to Alice.
4. Alice computes (gb)a.
5. Bob computes (ga)b.
Both Alice and Bob are now in possession of the group element gab, which can serve as the
shared secret key. The values of (gb)a and (ga)b are the same because groups are power
associative.
Algorithm:
1. Start
2. Alice and Bob are two members wants to communicate and agree on a large prime n &
g. such that, g is primitive mod n.
3. Protocol goes as follows
4. Alice chooses a random large integer x and sends Bob ‘X’ where, X = g^x mod n
5. Bob chooses a random large integer y and sends Alice ‘Y’ where, Y = g^y mod n
6. Alice computes K = Y^x mod n
7. Bob computes K’ = X^y mod n
Both k & k’ are equal to g^(xy) mod n
8. End.
Conclusion:
Thus, we have studied and implemented Diffie – Hellman Key Exchange algorithm.
DEPARTMENT OF COMPUTER ENGINEERING, PHCET, Rasayani 9
(CSS) CRYPTOGRAPHY AND SYSTEM SECURITY LAB MANUAL – VII (CBGS)
EXPERIMENT NO. 5
DATA ENCRYPTION STANDARD
Aim: To study data encryption standard (DES) algorithm.
Theory:
The Data Encryption Standard (DES) is a block cipher that uses shared secret
encryption. It was selected by the National Bureau of Standards as an official Federal
Information Processing Standard (FIPS) for the United States in 1976 and which has
subsequently enjoyed widespread use internationally. It is based on a symmetric-key
algorithm that uses a 56-bit key. The algorithm was initially controversial with classified
design elements, a relatively short key length, and suspicions about a National Security
Agency (NSA) backdoor. DES consequently came under intense academic scrutiny which
motivated the modern understanding of block ciphers and their cryptanalysis.
DES is the archetypal block cipher — an algorithm that takes a fixed-length string of
plaintext bits and transforms it through a series of complicated operations into another
ciphertext bitstring of the same length. In the case of DES, the block size is 64 bits. DES
also uses a key to customize the transformation, so that decryption can supposedly only be
performed by those who know the particular key used to encrypt. The key ostensibly
consists of 64 bits; however, only 56 of these are actually used by the algorithm. Eight bits
are used solely for checking parity, and are thereafter discarded. Hence the effective key
length is 56 bits, and it is usually quoted as such. Every 8th bit of the selected key is
discarded, i.e. positions 8, 16, 24, 32, 40, 48, 56, 64 are removed from the 64 bit key
leaving behind only the 56 bit key.
Like other block ciphers, DES by itself is not a secure means of encryption but must
instead be used in a mode of operation. FIPS-81 specifies several modes for use with DES.[19] Further comments on the usage of DES are contained in FIPS-74.
DEPARTMENT OF COMPUTER ENGINEERING, PHCET, Rasayani 10
(CSS) CRYPTOGRAPHY AND SYSTEM SECURITY LAB MANUAL – VII (CBGS)
Figure 1: DES Structure
The algorithm's overall structure is shown in Figure 1: there are 16 identical stages of
processing, termed rounds. There is also an initial and final permutation, termed IP and FP,
which are inverses (IP "undoes" the action of FP, and vice versa). IP and FP have almost
no cryptographic significance, but were apparently included in order to facilitate loading
blocks in and out of mid-1970s hardware.
Before the main rounds, the block is divided into two 32-bit halves and processed
alternately; this criss-crossing is known as the Feistel scheme. The Feistel structure ensures
that decryption and encryption are very similar processes — the only difference is that the
subkeys are applied in the reverse order when decrypting. The rest of the algorithm is
identical. This greatly simplifies implementation, particularly in hardware, as there is no
need for separate encryption and decryption algorithms.
The ⊕ symbol denotes the exclusive-OR (XOR) operation. The F-function scrambles half a
block together with some of the key. The output from the F-function is then combined with
the other half of the block, and the halves are swapped before the next round. After the
final round, the halves are not swapped; this is a feature of the Feistel structure which
makes encryption and decryption similar processes.
DEPARTMENT OF COMPUTER ENGINEERING, PHCET, Rasayani 11
(CSS) CRYPTOGRAPHY AND SYSTEM SECURITY LAB MANUAL – VII (CBGS)
The Feistel (F) function
Figure 2 F-function
The F-function, depicted in Figure 2, operates on half a block (32 bits) at a time and
consists of four stages:
1. Expansion — the 32-bit half-block is expanded to 48 bits using the expansion
permutation, denoted E in the diagram, by duplicating half of the bits. The output
consists of eight 6-bit(8*6=48bits) pieces, each containing a copy of 4 corresponding
input bits, plus a copy of the immediately adjacent bit from each of the input pieces to
either side.
2. Key mixing — the result is combined with a subkey using an XOR operation. Sixteen
48-bit subkeys — one for each round — are derived from the main key using the key
schedule (described below).
3. Substitution — after mixing in the subkey, the block is divided into eight 6-bit pieces
before processing by the S-boxes, or substitution boxes. Each of the eight S-boxes
replaces its six input bits with four output bits according to a non-linear transformation,
provided in the form of a lookup table. The S-boxes provide the core of the security of
DES — without them, the cipher would be linear, and trivially breakable.
4. Permutation — finally, the 32 outputs from the S-boxes is rearranged according to a
fixed permutation, the P-box. This is designed so that, after expansion, each S-box's
output bits are spread across 6 different S boxes in the next round.
DEPARTMENT OF COMPUTER ENGINEERING, PHCET, Rasayani 12
(CSS) CRYPTOGRAPHY AND SYSTEM SECURITY LAB MANUAL – VII (CBGS)
The alternation of substitution from the S-boxes, and permutation of bits from the P-box
and E-expansion provides so-called "confusion and diffusion" respectively, a concept
identified by Claude Shannon in the 1940s as a necessary condition for a secure yet
practical cipher.
Key Schedule
Figure 3: Key Schedule
Figure 3 illustrates the key schedule for encryption — the algorithm which generates the
subkeys. Initially, 56 bits of the key are selected from the initial 64 by Permuted Choice 1
(PC-1) — the remaining eight bits are either discarded or used as parity check bits. The 56
bits are then divided into two 28-bit halves; each half is thereafter treated separately. In
successive rounds, both halves are rotated left by one and two bits (specified for each
round), and then 48 subkey bits are selected by Permuted Choice 2 (PC-2) — 24 bits from
the left half, and 24 from the right. The rotations (denoted by "<<<" in the diagram) mean
that a different set of bits is used in each subkey; each bit is used in approximately 14 out
of the 16 subkeys.
DEPARTMENT OF COMPUTER ENGINEERING, PHCET, Rasayani 13
(CSS) CRYPTOGRAPHY AND SYSTEM SECURITY LAB MANUAL – VII (CBGS)
The key schedule for decryption is similar — the subkeys are in reverse order compared to
encryption. Apart from that change, the process is the same as for encryption. The same 28
bits are passed to all rotation boxes.
DEPARTMENT OF COMPUTER ENGINEERING, PHCET, Rasayani 14
(CSS) CRYPTOGRAPHY AND SYSTEM SECURITY LAB MANUAL – VII (CBGS)
Algorithm:1. Start
2. Given a plaintext x, a bitstring x0 is constructed by permuting the bits of x according to
a (fixed) initial permutation IP.
3. 16 iterations of a certain function are then computed. Compute LiRi, 1 <= I <= 16,
According to the following rule:
Li = Ri – 1
Ri = Li – 1 + f (Ri – 1, Ki) where + denotes exclusive or of two bit strings.
4. Function f takes as input a 1st argument A, which is a bit string of length 32, and a 2nd
argument I that is a bit string of length 48, and produces as output a bit string of length
32.
5. Apply the inverse permutation IP^-1 to the bit string R16L16, obtaining the cipertext y.
i.e. y = IP^-1 (R16L16)
6. End
Conclusion:
Thus, we have studied and implemented data encryption standard (DES) algorithm.
DEPARTMENT OF COMPUTER ENGINEERING, PHCET, Rasayani 15
(CSS) CRYPTOGRAPHY AND SYSTEM SECURITY LAB MANUAL – VII (CBGS)
DEPARTMENT OF COMPUTER ENGINEERING, PHCET, Rasayani 16
(CSS) CRYPTOGRAPHY AND SYSTEM SECURITY LAB MANUAL – VII (CBGS)
EXPERIMENT NO.6
CONFIGURING FIREWALL
Aim: To implement/configure firewall.
Theory:
What is a firewall?
A firewall helps keep your computer more secure. A firewall restricts information that
comes to your computer from other computers and gives you more control over the data on
your computer. Additionally, a firewall provides a line of defense against people or
programs, including viruses and worms that try to connect to your computer without
invitation. Think of a firewall as a barrier that checks information, also known as traffic
that comes from the Internet or from a network. The firewall either turns traffic away or
let’s traffic pass through to your computer, depending on your firewall settings.
Firewall Configuration
Red Hat Enterprise Linux ES offers firewall protection for enhanced system security. A
firewall exists between your computer and the network, and determines which resources on
your computer remote users on the network can access. A properly configured firewall can
greatly increase the security of your system.
Figure 1: Firewall Configuration
Choose the appropriate security level for your system.
DEPARTMENT OF COMPUTER ENGINEERING, PHCET, Rasayani 17
(CSS) CRYPTOGRAPHY AND SYSTEM SECURITY LAB MANUAL – VII (CBGS)
High
If you choose High, your system will not accept connections (other than the default
settings) that are not explicitly defined by you. By default, only the following connections
are allowed:
DNS replies
DHCP — so any network interfaces that use DHCP can be properly configured
If you choose High, your firewall will not allow the following:
Active mode FTP (passive mode FTP, used by default in most clients, should still
work)
IRC DCC file transfers
RealAudio™
Remote X Window System clients
If you are connecting your system to the Internet, but do not plan to run a server, this is the
safest choice. If additional services are needed, you can choose Customize to allow
specific services through the firewall.
Medium
If you choose Medium, your firewall will not allow remote machines to have access to
certain resources on your system. By default, accesses to the following resources are not
allowed:
Ports lower than 1023 — the standard reserved ports, used by most system services,
such as FTP, SSH, telnet, and HTTP
The NFS server port (2049)
The local X Window System display for remote X clients
The X Font server port (by default, xfs does not listen on the network; it is disabled in
the font server)
If you want to allow resources such as RealAudio™ while still blocking access to normal
system services, choose Medium. Select Customize to allow specific services through the
firewall.
No firewall
DEPARTMENT OF COMPUTER ENGINEERING, PHCET, Rasayani 18
(CSS) CRYPTOGRAPHY AND SYSTEM SECURITY LAB MANUAL – VII (CBGS)
No firewall provides complete access to your system and does no security checking.
Security checking is the disabling of access to certain services. This should only be
selected if you are running on a trusted network (not the Internet) or plan to do more
firewall configuration later.
Choose Customize to add trusted devices or to allow additional incoming services.
Trusted Devices
Selecting any of the Trusted Devices allows access to your system for all traffic from that
device; it is excluded from the firewall rules. For example, if you are running a local
network, but are connected to the Internet via a PPP dialup, you can check eth0 and any
traffic coming from your local network will be allowed. Selecting eth0 as trusted means all
traffic over the Ethernet is allowed, put the ppp0 interface is still firewalled. If you want to
restrict traffic on an interface, leave it unchecked.
It is not recommended that you make any device that is connected to public networks, such
as the Internet, a Trusted Device.
Allow Incoming
Enabling these options allow the specified services to pass through the firewall. Note,
during a workstation installation, the majority of these services are not installed on the
system.
DHCP
If you allow incoming DHCP queries and replies, you allow any network interface that
uses DHCP to determine its IP address. DHCP is normally enabled. If DHCP is not
enabled, your computer can no longer get an IP address.
SSH
Secure SHell (SSH) is a suite of tools for logging into and executing commands on a
remote machine. If you plan to use SSH tools to access your machine through a firewall,
enable this option. You need to have the openssh-server package installed in order to
access your machine remotely, using SSH tools.
Telnet
Telnet is a protocol for logging into remote machines. Telnet communications are
unencrypted and provide no security from network snooping. Allowing incoming Telnet
DEPARTMENT OF COMPUTER ENGINEERING, PHCET, Rasayani 19
(CSS) CRYPTOGRAPHY AND SYSTEM SECURITY LAB MANUAL – VII (CBGS)
access is not recommended. If you do want to allow inbound Telnet access, you will need
to install the telnet-server package.
WWW (HTTP)
The HTTP protocol is used by Apache (and by other Web servers) to serve webpages. If
you plan on making your Web server publicly available, enable this option. This option is
not required for viewing pages locally or for developing webpages. You will need to install
the apache package if you want to serve webpages.
Mail (SMTP)
If you want to allow incoming mail delivery through your firewall, so that remote hosts can
connect directly to your machine to deliver mail, enable this option. You do not need to
enable this if you collect your mail from your ISP's server using POP3 or IMAP, or if you
use a tool such as fetchmail. Note that an improperly configured SMTP server can allow
remote machines to use your server to send spam.
FTP
The FTP protocol is used to transfer files between machines on a network. If you plan on
making your FTP server publicly available, enable this option. You need to install the
wuftpd (and possibly the anonftp) package for this option to be useful.
Other ports
You can allow access to ports which are not listed here, by listing them in the other ports
field. Use the following format: port: protocol. For example, if you want to allow IMAP
access through your firewall, you can specify imap:tcp. You can also explicitly specify
numeric ports; to allow UDP packets on port 1234 through the firewall, enter 1234: udp.
To specify multiple ports, separate them with commas.
SECURITY LEVEL CONFIGURATION TOOL
During the Firewall Configuration screen of the Red Hat Enterprise Linux installation,
you were given the option to enable a basic firewall as well as allow specific devices,
incoming services, and ports.
After installation, you can change this preference by using the Security Level
Configuration Tool.
DEPARTMENT OF COMPUTER ENGINEERING, PHCET, Rasayani 20
(CSS) CRYPTOGRAPHY AND SYSTEM SECURITY LAB MANUAL – VII (CBGS)
To start the application, select Main Menu Button (on the Panel) => System Settings =>
Security Level or type the command redhat-config-securitylevel from a shell prompt (for
example, in an XTerm or a GNOME terminal).
Figure 2: Security Level Configuration Tool
Select one of the following options:
Disable firewall — disabling the firewall provides complete access to your system and
does no security checking. Security checking is the disabling of access to certain
services. This should only be selected if you are running on a trusted network (not the
Internet) or plan to do more firewall configuration later.
Warning
If you have a firewall configured or any customized firewall rules in the /etc/sysconfig/iptables file, the file will be deleted if you select Disable firewall and click OK to save the changes.
Enable firewall — this option configures the system to reject incoming connections
that are not in response to outbound requests, such as DNS replies or DHCP requests. If
access to services running on this machine is needed, you can choose to allow specific
services through the firewall.
If you are connecting your system to the Internet, but do not plan to run a server, this is
the safest choice.
DEPARTMENT OF COMPUTER ENGINEERING, PHCET, Rasayani 21
(CSS) CRYPTOGRAPHY AND SYSTEM SECURITY LAB MANUAL – VII (CBGS)
Selecting any of the Trusted devices allows access to your system for all traffic from
that device; it is excluded from the firewall rules. For example, if you are running a
local network, but are connected to the Internet via a PPP dialup, you can check eth0
and any traffic coming from your local network will be allowed. Selecting eth0 as
trusted means all traffic over the Ethernet is allowed, but the ppp0 interface is still
firewalled. To restrict traffic on an interface, leave it unchecked.
It is not recommended that you make any device that is connected to public networks,
such as the Internet, a trusted device.
Enabling options in the trusted services list allows the specified service to pass
through the firewall.
WWW (HTTP)
The HTTP protocol is used by Apache (and by other Web servers) to serve webpages. If
you plan on making your Web server publicly available, enable this option. This option is
not required for viewing pages locally or for developing webpages. You must have the
httpd package installed to serve webpages.
Enabling WWW (HTTP) will not open a port for HTTPS, the SSL version of HTTP.
FTP
The FTP protocol is used to transfer files between machines on a network. If you plan on
making your FTP server publicly available, enable this option. The vsftpd package must be
installed for this option to be useful.
SSH
Secure Shell (SSH) is a suite of tools for logging into and executing commands on a remote
machine. To allow remote access to the machine via ssh, enable this option. The openssh-
server package must be installed to access your machine remotely using SSH tools.
Telnet
Telnet is a protocol for logging into remote machines. Telnet communications are
unencrypted and provide no security from network snooping. Allowing incoming Telnet
access is not recommended. To allow inbound Telnet access, you must have the telnet-
server package installed.
Mail (SMTP)
DEPARTMENT OF COMPUTER ENGINEERING, PHCET, Rasayani 22
(CSS) CRYPTOGRAPHY AND SYSTEM SECURITY LAB MANUAL – VII (CBGS)
To allow incoming mail delivery through your firewall so that remote hosts can connect
directly to your machine to deliver mail, enable this option. You do not need to enable this
if you collect your mail from your ISP's server using POP3 or IMAP, or if you use a tool
such as fetchmail. Note that an improperly configured SMTP server can allow remote
machines to use your server to send spam.
Click OK to save the changed and enable or disable the firewall. If Enable firewall was
selected, the options selected are translated to iptables commands and written to the
/etc/sysconfig/iptables file. The iptables service is also started so that the firewall is
activated immediately after saving the selected options. If Disable firewall was selected,
the /etc/sysconfig/iptables file is removed, and the iptables service is stop immediately.
The options selected are also written to the /etc/sysconfig/redhat-config-securitylevel file
so that the setting can be restored the next time the application is started. Do not edit this
file by hand.
Even though the firewall is activated immediately, the iptables service is not configured to
start automatically at boot time.
ACTIVATING THE IPTABLES SERVICE
The firewall rules are only active if the iptables service is running. To manually start the
service, use the command: /sbin/service iptables restart
To ensure that it is started when the system is booted, issue the command:
/sbin/chkconfig --level 345 iptables on
The ipchains service is not included in Red Hat Enterprise Linux. However, if ipchains is
installed (for example, an upgrade was performed, and the system had ipchains previously
installed), the ipchains service should not be activated along with the iptables service. To
make sure the ipchains service is disabled and configured not to start at boot time, execute
the following two commands:
/sbin/service ipchains stop
/sbin/chkconfig --level 345 ipchains off
The Services Configuration Tool can be used to enable or disable the iptables and
ipchains services.
DEPARTMENT OF COMPUTER ENGINEERING, PHCET, Rasayani 23
(CSS) CRYPTOGRAPHY AND SYSTEM SECURITY LAB MANUAL – VII (CBGS)
Conclusion: Thus, we have studied and configured firewall.
EXPERIMENT NO. 7
BUFFER OVERFLOW
Aim : Simulation of buffer overflow.Theory:Buffer overflow occurs when data is input or written beyond the allocated bounds of an object, causing a program crash or creating a vulnerability that attackers might exploit.Description:A buffer overflow occurs when data is written beyond the boundaries of a fixed length buffer overwriting adjacent memory locations which may include other buffers, variables and program flow data. Considered the “nuclear bomb” of the software industry, the buffer overflow is one of the most persistent security vulnerabilities and frequently used attacks.Risk: How Can it Happen?Writing outside the bounds of a block of allocated memory can corrupt data, crash the program, or cause the execution of malicious code. C++ is particularly vulnerable to buffer overflow. However, Java is designed to avoid the buffer overflow by checking the bounds of a buffer (like an array) and preventing any access beyond those bounds. Even though Java may prevent a buffer overflow from becoming a security issue, it is essential for all programmers to understand the concepts described below.Example of Occurrence:Buffer overflow vulnerabilities were exploited by the the first major attack on the Internet. Known as the Morris worm, this attack infected more than 60,000 machines and shut down much of the Internet for several days in 1988.
DEPARTMENT OF COMPUTER ENGINEERING, PHCET, Rasayani 24
(CSS) CRYPTOGRAPHY AND SYSTEM SECURITY LAB MANUAL – VII (CBGS)
Program for Simulation of Buffer Overflowimport java.util.Scanner;
public class Overflow { public static void main(String[] args) { int importantData =1; int[] buffer = new int[10];
for (int i =0; i < 15; i++) buffer[i] = 7;
System.out.println("after buffer overflow "); System.out.println("Important data = "+importantData); }}
Conclusion: Thus we have implemented buffer overflow,successfully.
DEPARTMENT OF COMPUTER ENGINEERING, PHCET, Rasayani 25
(CSS) CRYPTOGRAPHY AND SYSTEM SECURITY LAB MANUAL – VII (CBGS)
EXPERIMENT NO. 8
INTRUSION DETECTION SYSTEM
Aim: To install wireless Intrusion Detection System and detect attacks on Wireless network
Theory: 1. WLAN Security Vulnerabilities :
Having introduced some of the wireless technologies I will now have a closer look at some of the particular security threats to them. Reconnaissance, theft of identity and denial of service (DoS) are not new security threats in themselves, but the confidentiality, integrity and availability in a WLAN does present IT Security teams with new mitigation challenges. This holds true for all IT Security teams, as wireless network access to their network could be installed withouttheir knowledge.Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4By definition, wireless frequencies are designed to be heard by anyone with a wireless receiver anyone can tune into a wireless network in the same way that they can tune into a radio station. It’s this simplicity which makes wireless networks such a potential threat.Let’s start with the basic component in a wireless network – the access point (AP) and some of the potential threats to it.The signal range of an authorised AP. Consequently, an AP’s placement and signal strength have to be calibrated or blocked to make sure the transmitting coverage is just enough to cover the correct area.
The RSSI (Received Signal Strength Indicator) on a Laptop wireless card is a good way of measuring wireless coverage inside and outside of a WLAN perimeter. The signal strength needed to make a connection is much higher than that needed to just listen into the network traffic. So by its nature it’s a lot easier to just listen than it is to make a legitimateconnection.The physical security of an authorized AP. Most AP’s are mounted on walls or ceilings in clear view, so again, their placement is critical to avoid accidental damage, theft, vandalism or direct access to the physical network cable.The rogue, or unauthorized, AP – by placing an unauthorized access point on the network and configuring it to look legitimate, hackers can gain access to wireless user’s data. User devices simply connect to the strongest available AP signal and once the association has been madewith the rogue AP, the hacker can monitor and manipulate all data that goes through the AP. This is known as ‘man-in-the-middle attack’. In built up areas where many WLANS exist, accidental rogue AP association can also cause problems.5−The easy installation and the advantages of having an AP. It is tempting for employees to introduce an unauthorized wireless network onto an internal network to utilise these
DEPARTMENT OF COMPUTER ENGINEERING, PHCET, Rasayani 26
(CSS) CRYPTOGRAPHY AND SYSTEM SECURITY LAB MANUAL – VII (CBGS)
advantages. This threat also applies to companies who don’t even officially use wireless networks.−The AP configuration. A poorly configured or unauthorized (rogue) AP can provide an open door to the WLAN and can allow a hacker easy entry. By default some AP’s can have security controls and encryption switched off.−Protocol weakness and capacity limits on authorized AP’s. These can be subject to denial of service attacks from hackers using rogue AP’s when they are flooded with spurious traffic forcing them to reboot or deny legitimate access.Other security vulnerabilities away from the access point also exist and user indifference to these vulnerabilities, through a false sense of security that distributed wireless connectivity breeds, is one of the other major challenges ITSecurity faces.
2. Wireless Intrusion Detection:It is clear, from the summary of security issues highlighted above, that in order to protect our network we need to ensure that we know:−where all access points reside on our network−what actions to take to close down any unauthorized access points that do not conform to the company security standards−what wireless users are connected to our network−what unencrypted data is being accessed and exchanged by those usersTo do this we must monitor our air space using a Wireless Intrusion Detection System.
2.1 What is Intrusion Detection?Let’s firstly start with the principle and to do this I found the following quote from Ant Allen, research director at Gartner.“For an enterprise to protect itself from abuse of its information, it must monitor the events occurring in its computer system or network and analyze them for signs of intrusion. To do this, the enterprise must install an Intrusion DetectionSystem (IDS).” First thing to clarify here is that an IDS is not a firewall! Firewalls are designed to be outward looking and to limit access between networks in order to prevent an intrusion happening. IDS watch the wired and wireless network from the inside and report or alarm depending on how they evaluate the network traffic they see.They continually monitor for access points to the network and are able, in some cases, to do comparisons of the security controls defined on the access point with pre-defined company security standards and either reset or closedown any non conforming AP’s they find. The distinction between placing IDS sensors on both wired and wireless networks is an important one as large corporate networks can be worldwide.Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46IDS systems can also identify and alert to the presence of unauthorized MAC addresses on the networks. This can be an invaluable aid in tracking down hackers.In their simplest form, Intrusion detection systems are designed and built to monitor and report on network activities, or packets, between communicating devices. There are a number of tools available which can be used to monitor, capture and decode wireless network traffic. Some are commercial products and some are open source products available on the internet. Some can only capture and store the WLAN traffic, while some can analyze that traffic and create reports with lists of AP’s and network devices. Finally, some are advanced enough to
DEPARTMENT OF COMPUTER ENGINEERING, PHCET, Rasayani 27
(CSS) CRYPTOGRAPHY AND SYSTEM SECURITY LAB MANUAL – VII (CBGS)
analyze signal strength and transmission speed which can be useful in tracking and closing down rogue AP’s. In all cases IDS is a vital component in auditing a network installation.I will look at some IDS products, in more detail, in section 4.The different types of IDS can be described in the following terms though some products will utilize more than one type:− misuse IDS or anomaly IDS: misuse detection or signature based detection as it is sometimes known, looks for network attack sequences or events that match a predefined pattern (or signature). This method is only as good as the signatures provided to it, however, and relies on regular signature updates to keep abreast of known attacks. The advantage of this method is that there are few false alarms, or false positives, when attacks are detected. Anomaly detection on the other hand, relies on the administrator to define normal traffic behavior on the network – things like typical packet size for example. The sensors then monitor the network for deviations to this normal behavior and alert when anomalies are discovered. This method can produce a number of false alarms and the systems rely heavily on being ‘trained’ in what is normal network traffic and what is not. −network-based or host-based systems: in a network-based IDS, orNIDS, the traffic flowing through a network is analyzed. NIDS is able to detect malicious packets that are designed to be overlooked by a firewall’s filtering rules. In a host-based system, or HIDS, the IDS examine the activity on each individual computer. This is done by installing a software client on the host which, again, will detect known attack patterns but only against the host that the client is installed on. −passive IDS or reactive IDS: the passive IDS detect suspicious network traffic, logs the information and signals an alert. A reactive IDS responds to the suspicious traffic by logging off a user or closing down an AP.When we compare ‘conventional’, or wired IDS, with wireless IDS, the only difference is network topology and the requirement to scan air rather than wire – all the other elements remain the same.
2.2 Limitations of Intrusion Detection SystemsTo be effective, IDS must be run online, in real time. Offline, or after-the-event-IDS, is useful for audit trail but will not prevent an attack from taking place. Real time IDS needs to be able to stream data across a network from sensors to a central point where it can be stored and analyzed, sometimes known as a correlation server. This ‘additional’ network traffic running concurrently can significantly impact network performance so sufficient bandwidth is a prerequisite, though certain tools such as AirDefense Guard allow you to “set rate throttles on each sensor to bring transfer rates to the server as low as 9.6 Kbps.”7Today’s wireless intrusion detection systems such as AirDefense Guard or AirMagnet Distributed, utilise a misuse, signature, based IDS which has the drawback of only being as good as the signature files and known attack pattern recognition files given to them. This is their basic flaw – you only have protection against what are known to be attacks. The new attack will be the one that gets you, which underlines the need to have an efficient mechanism for keeping all network security components with rule or signature based tables up to date.All real time IDS system can suffer from issuing false alarms, especially those that use the anomaly based approach. This leads to complacency amongst those members of staff employed to react to or monitor those alarms. The monitoring of IDS alerts is also a 24 x 7 activity and relies on human intervention – as very few hackers work office hours! This is
DEPARTMENT OF COMPUTER ENGINEERING, PHCET, Rasayani 28
(CSS) CRYPTOGRAPHY AND SYSTEM SECURITY LAB MANUAL – VII (CBGS)
where the big technology players have the advantage over the smaller start-ups – they have the economies of scale which allow them to provide the specialist resources.2.3 How to Implement Wireless Intrusion Detection SystemsWireless intrusion detection systems will monitor a WLAN using a mixture of hardware and software called intrusion detection sensors. The sensor will sit on the 802.11 network and will examine all network traffic. The first challenge to be faced when installing IDS is to decide on the best place to locate the sensors. To help make this decision, some detailed analysis must first be carried out on the site of the WLAN:−What kind of a building or location is it? Steel framed or wooden? (A steel framed building will limit the wireless transmitter’s range)−Are there areas of the site that have to be kept segregated? (In a built up area there will be mixed businesses, or it may be that a payroll department may want to be segregated in a large company for example.)−What MAC addresses are in use? (This list can be used as a baseline for comparison)−What authorized Access Points already exist? (Again, this list can be used as a baseline for future comparisons)Based on this information and from information gathered from sniffing thewireless network - using open source software such as Kismet we can easily build up a picture of what our WLAN looks like – where our AP’s are located who uses them, from where and how strong the radio signals are and how strong the radio signals need to be.We are now in a position to determine where our IDS sensors need to be and to determine how many we need. A ‘warwalk’ can then be carried out to verify and test the implementation.
Once we have our sensors on the network, the AP’s signal strength can be calibrated or blocked to ensure appropriate coverage (see figure1), the network traffic can be analysed and, if we have decided on a misuse type of IDS, can be compared to a signature file for comparison for attack patterns and known vulnerabilities. If an attack pattern is detected the sensor can send off an alert to either a central console, a member of staff or a managed security service provider for appropriate response and action.In both anomaly and signature based IDS, the systems have to be configured in such a way so as to recognize what is a legitimate network device; say for example a hacker with a rogue laptop enters company premises, and what is not.In my experience four sensors and one correlation server (the central repository designed to receive the IDS network information) are considered to be a minimum deployment for a small to medium WLAN and this requires the following technical expertise to support it:−IDS Security analysts who can interpret the alerts and make sense of the output−IDS Software Programmers to program the correlation tools−IDS Database AdministratorsThe simplest way to setup a wireless IDS is to use the same open source scanning tools the hackers do. These scanning tools can be divided into active and passive scanning tools where the latter is also known as a ‘sniffer’. WLAN scanning software such as Kismet and Netstumbler are freely available on the internet and with a laptop fitted with a Wireless NIC, you have the easiest way of sniffing out all AP’s on a network to provide a basic IDS.Analysing and triggering an alarm is done by the IDS software – the action takenin response to the software alert and the architecture and the surrounding processes provide the overall solution and it is here that the bigger technology players (the integrators )have a commercial advantage over the smaller start-ups (the technology innovators).
DEPARTMENT OF COMPUTER ENGINEERING, PHCET, Rasayani 29
(CSS) CRYPTOGRAPHY AND SYSTEM SECURITY LAB MANUAL – VII (CBGS)
2.4 Open Source Scanning SoftwareOpen source tools for wireless intrusion detection have become accepted because they are vendor independent.”Gartner, a leading research and advisory firm, reports that companies will getthe most efficient WLAN intrusion detection protection from a vendor independent dedicated sensor investment. The overwhelming advantage of this method is that all WLAN traffic can be detected regardless of the equipment and vendors involved.”9In this section I will introduce the two most common open source wireless scanners.
2.4.1 Kismet:Downloadable from http://www.kismetwireless.net, Kismet is an 802.11a/b/g network sniffer. It is able to monitor networks using almost any card supported in LINUX and Mac OSX operating systems. It works by passively collecting network traffic (listening, not probing) and detecting the standard named networks. Over time, it can also detect hidden networks by analyzing data traffic and building upa ‘picture’ of data movement.
Kismet can be used for carrying out site surveys, for detecting wireless networks, access points and signal strength.
Figure 1: Kismet Screenshot showing detected networks
2.4.2 NetStumbler:Downloadable from http://www.stumbler.net, Netstumbler is the easiest to setup and most popular scanner used on Microsoft Windows. NetStumbler works by sending 802.11 probes that actively scan by sending out requests every second and reporting on the responses.AP’s by default, respond to these probes, but can be configured not to and to stay silent.
DEPARTMENT OF COMPUTER ENGINEERING, PHCET, Rasayani 30
(CSS) CRYPTOGRAPHY AND SYSTEM SECURITY LAB MANUAL – VII (CBGS)
Figure 2: NetStumbler Screen provided by Marius Milner
Conclusion: Thus we have studied installation of wireless Intrusion Detection System (WIDS) and detection of attacks on Wireless network 802.11
DEPARTMENT OF COMPUTER ENGINEERING, PHCET, Rasayani 31