Family name: Chaparro González First name: Diego E-mail: dchaparro@acm.org PRELIMINARY ASSIGNMENT FOR INFORMATION SECURITY TECHNOLOGY ---------------------------------------------------------- 1. BASIC CONCEPTS: =+=+=+=+=+=+=+=+=+=+=+=+= These are three methods to provide confidentiality to the messages:[3] ˇ Secret key algorithms Data is encrypted and decrypted with the same key. The key must be known by the sender and the receiver before the transmission of data. ˇ Public key algorithms The public keys algorithms uses two keys for sending messages. Each user has two keys (one public and one private). The sender encrypt with the receiver public key, and the receiver decrypt with his private key. ˇ Hibrid algorithms It uses both algorithms: secret key and public key algorithms. The secret key is encrypted with the public key by the sender, and the receiver decrypts the secret key with his private key. After that both the receiver and the sender have a secret key that has been transmitted for a secure way. For example, we would like to assure integrity and availability of data in the next situation: The teacher of a course has to announce in a newsgroup when the next exam will be arranged. He needs to assure that the message will be availabe and the message will not be modified. 2. PGP/GnuPG: =+=+=+=+=+=+=+=+=+=+=+=+= A) -- PGP/GnuPG can be used for secure the communication. For example these are three task that can be done with PGP/GnuPG:[2] ˇ We can encrypt a message. GPG command: % gpg -e -r recipient -u 'mi_uid' doc.txt ˇ We can sign a message. GPG command: % gpg -s -r recipient -u 'mi_uid' doc.txt ˇ We can verify a message signature. GPG command: % gpg --verify doc.txt.gpg B) -- A PGP fingerprint is the result of hash the user's certificate, every PGP certificate has a unique PGP fingerprint. And it can be used to verify the validity of a certificate.[4] C) -- PGP authentication is that both sender and receiver are sure that the other person is who says to be. With PGP authentication a person can be sure that is communicating with the person that he wants, but before they have exchanged their public keys.[4] In this course it is very important, because both the course staff and the student want to be sure that the assignment are sent from/to they want. The student wants to be sure that he is sending the assignment to the course staff, and the course staff want to be sure that is the student who is sending the assignment. And to do the authentication at the beginning of the course is important because the communication between both starts at the beginning of the course. And both want to be sure about the communications from the beginning of the course. 3. FIND THE RIGHT PAIRS: =+=+=+=+=+=+=+=+=+=+=+=+= a. Denial of Service attack 5. A mischievous friend of yours is playing with your mobile phone and enters a wrong PIN code so many times that you can not use your phone until you manage to find out and enter the unlocking code (PUK). b. Social engineering attack 2. Pretending to be an administrator and asking a user to give his password. c. Man in the middle attack 6. A beginning chess player challenges two grandmasters in postal chess (one as black, one as white) and sends their moves between them as they were his own. (Based on J. Conway's original idea.) d. Salami attack 3. The cash register at Nice Try Supermarket is rounding the total in euros wrong (always rounding up). e. Eavesdropping 1. Sniffing for passwords in a local network. f. Replay attack 4. Harry Hacker hangs around a big shopping mall's parking place and catches signals that are used in remote controlled car locks. Next day, when a customer comes shopping again, Harry waits until the customer has gone out of sight and opens the car locks using the opening signal that he cought the day before. 4. MAN IN THE MIDDLE: =+=+=+=+=+=+=+=+=+=+=+=+= The difference is that in the normal Man in the Middle attack, the attacker acts between the sender and the receiver of the transmission, and they don't know about the presence of this third person. And the transmission was initiated between both, the sender and the receiver.[1] But in the example above the sender and the receiver of the transmission think that they are communicating with the third person, but still they are communicating between the them, and not with this third person (the attacker). And the transmission wasn't initiated between both, the sender and the receiver. 5. USING SOURCES: =+=+=+=+=+=+=+=+=+=+=+=+= A) -- I have to mark the text with citations marks and then put the reference after the text.[5] B) -- I have to translate on my own words, and then put the reference after the text. C) -- I have to put the reference after the text I have written.[5] 6. FEEDBACK: =+=+=+=+=+=+=+=+=+=+=+=+= I have been six or seven hours doing this assingment, and it wasn't too difficult, except the references to the sources, because I haven't do it before. REFERENCES: =+=+=+=+=+=+=+=+=+=+=+=+= [1] Anderson, Ross, Security Engineering: A Guide to Building Dependable Distributed Systems, Wiley, 2001 [2] Ashley, Mike, The GNU Privacy Handbook, 8.8.2000 URL: http://www.gnupg.org/gph/en/manual.html [3] GSyC (Systems and Communications Group, Rey Juan Carlos University), Seguridad en Sistemas Distribuidos, 26.4.2001 URL: http://gsyc.escet.urjc.es/docencia/asignaturas/redes-II /transparencias/seguridad/seguridad.html [4] Network Associates, Inc. and its Affiliated Companies, Introduction to Cryptography, [referred 1.10.2002] URL: http://www.pgpi.org/doc/pgpintro/ [5] Telecommunication Software and Multimedia Laboratory, HUT, Using and referring to sources, 11.1.2002, URL: http://www.tml.hut.fi/Studies/Guides/refer.html