Phase 2: Server authentication and key exchange
Phase 3: Client authentication and key exchange
Phase 4: Finish
Showing posts with label Security. Show all posts
Showing posts with label Security. Show all posts
Wednesday, February 14, 2007
SSL Handshake Protocol
Phase 1: Establish security capabilities
Phase 2: Server authentication and key exchange
Phase 3: Client authentication and key exchange
Phase 4: Finish
Phase 2: Server authentication and key exchange
Phase 3: Client authentication and key exchange
Phase 4: Finish
Tuesday, February 6, 2007
Encryption Techniques
This semester, I'm taking ISA 662, Intro to Information Security, and here are some of the encryption techniques we discuss in class.
- Blind Signatures
- Blind signatures are used in situations where an author wants to get his or her message signed by a third party without revealing any information about the message to this party. They have many uses including timestamping, anonymous access control, digital cash, and cryptographic election systems. Blind signature schemes were first introduced by David Chaum using RSA signatures.
- Identity-based Encryption
- Identity-based encryption is a key authentication system that uses a public and private keys pair. It is called identity-based encryption, because the public key is some unique information about the identity of the user, such as his or her email address, and the system requires a trusted third party called Private Key Generator or PKG to generate the private key for the user based on the user’s unique value or public key.
- Threshold Cryptography
- Threshold Cryptography enables a private RSA key to be shared among K individuals called shareholders that are engaged in encryption or decryption, such that any K-1 or K-2 of them can decrypt incoming messages without reconstructing the key. The objective of Threshold Cryptography is to implement a distributed architecture in a hostile environment. It can be implemented to redundantly split the message into n pieces such that with t or more pieces the original message can be recovered.
- Key Escrow
- Key escrow is the arrangement where the user’s private key is generated and held in escrow by a trusted third party so that this key can be later used by a government agency to decrypt suspicious messages. Key escrow is used in identity-based encryption. The Private Key Generator or PKG generates and holds in escrow the private key it helps generate based on the user’s unique characteristic.
- Side Channel Analysis
- Side Channel Analysis helps assure the effectiveness of measures taken to protect cryptographic devices from leaking secret information. Attackers can take advantage of this secret information, which is gained from the physical implementation of a cryptosystem, rather than theoretical weaknesses in the encryption algorithms. This type of attack is known as side channel attack, which uses the extra source of information, such as timing information, power consumption, electromagnetic leaks or even sound to break the system.
Tuesday, May 16, 2006
My First Experience with Secured Application Development
Before I forget all the cool things that I learned today, I better write them now. I attended my second Microsoft training workshop today. It was on secured application development. I have never had much experience in writing secured code, and I must admit it was a pretty cool learning experience for me.
I woke up at 6:45 am to get ready for the workshop, which started at 8:30. The workshop is in Washington D.C., and I had to print out the directions before I left the house. The traffic was a little bad on I-495, which is normally packed during rush hour, but it cleared up after a few miles, so it wasn’t that bad this morning. I got off at exit 39B on River Road heading toward Washington D.C. Drove for about 5 miles before I took a left on Western Ave. I drove for about half a mile before taking a right on Wisconsin Ave. The Microsoft office is located in the Chevy Chase Pavilion Building, which is right on Wisconsin Ave. I parked in the Pavilion parking lot and took the elevator up to the Microsoft office at around 8:35.
There were two receptionists, who directed me to the classroom all the way down the hall. I didn’t see a lot of people there, so my first thought was may be I was there a little early, but it turned out there are only about 20 of us at the workshop. My first Microsoft workshop was conducted in a theater where there were hundreds of people showed up. That was part of the Microsoft’s Ready to Launch events. There were food and beverages on a few tables set up outside the classroom for the attendees. I had myself a muffin and a cup of coffee.
The presenter at the workshop was Talhah Mir. He introduced himself as a member of the Microsoft’s ACE (Application Consulting and Engineering) team, which is responsible for application performance, security and privacy engineering at Microsoft. He started off with an ice breaker. It was nice to get an idea of who were in the room and know what everyone wanted to get away from the workshop.
Talhah started off with Threat Modeling. I learned that threat modeling should be done independently off any specific platform. This is something that needs to be done before any code is written. Threat modeling can be summarized as follows: threats are realized through attacks, which are materialized through vulnerabilities, which then can be mitigated with countermeasures. Talhah described the task of the development team were to define these threats clearly and precisely, so that the security team could come up with attacks, vulnerabilities, and countermeasures appropriately. Talhah also introduced the Microsoft Threat Analysis and Modeling Tool along with Attack Libraries. I like the tool for its extensibility through XML and XSLT.
Talhah introduced the concept of cryptography. He also went on to demonstrate various loopholes in writing code. A few that I remember are Dynamic SQL, Integer Overflow and Session and Cookie Attacks. I thought the demos were cool and neatly organized to show the various kinds of attacks and solutions to these attacks.
The workshop ended around 3pm, which I like because I could go home before rush hour kicked in. I start to like these workshops more and more, because it gives me a chance to learn about so many things. I learned a lot at the workshop today, not only through Talhah’s presentation, but also from the discussions from other attendees. I still consider myself new to the development world, because I have only been doing it professionally for two years, so it’s always great to listen and learn from the people around me.
I thought Talhah was a good presenter. He was very knowledgeable about the topic, and he was able to communicate it clearly. I learned a great deal about threat modeling through his presentation and demos. He said if there is one thing that one should have got from the presentation was the Principle of Least Privilege. I will keep it in mind as I continue to learn to write less unsecured code.
I woke up at 6:45 am to get ready for the workshop, which started at 8:30. The workshop is in Washington D.C., and I had to print out the directions before I left the house. The traffic was a little bad on I-495, which is normally packed during rush hour, but it cleared up after a few miles, so it wasn’t that bad this morning. I got off at exit 39B on River Road heading toward Washington D.C. Drove for about 5 miles before I took a left on Western Ave. I drove for about half a mile before taking a right on Wisconsin Ave. The Microsoft office is located in the Chevy Chase Pavilion Building, which is right on Wisconsin Ave. I parked in the Pavilion parking lot and took the elevator up to the Microsoft office at around 8:35.
There were two receptionists, who directed me to the classroom all the way down the hall. I didn’t see a lot of people there, so my first thought was may be I was there a little early, but it turned out there are only about 20 of us at the workshop. My first Microsoft workshop was conducted in a theater where there were hundreds of people showed up. That was part of the Microsoft’s Ready to Launch events. There were food and beverages on a few tables set up outside the classroom for the attendees. I had myself a muffin and a cup of coffee.
The presenter at the workshop was Talhah Mir. He introduced himself as a member of the Microsoft’s ACE (Application Consulting and Engineering) team, which is responsible for application performance, security and privacy engineering at Microsoft. He started off with an ice breaker. It was nice to get an idea of who were in the room and know what everyone wanted to get away from the workshop.
Talhah started off with Threat Modeling. I learned that threat modeling should be done independently off any specific platform. This is something that needs to be done before any code is written. Threat modeling can be summarized as follows: threats are realized through attacks, which are materialized through vulnerabilities, which then can be mitigated with countermeasures. Talhah described the task of the development team were to define these threats clearly and precisely, so that the security team could come up with attacks, vulnerabilities, and countermeasures appropriately. Talhah also introduced the Microsoft Threat Analysis and Modeling Tool along with Attack Libraries. I like the tool for its extensibility through XML and XSLT.
Talhah introduced the concept of cryptography. He also went on to demonstrate various loopholes in writing code. A few that I remember are Dynamic SQL, Integer Overflow and Session and Cookie Attacks. I thought the demos were cool and neatly organized to show the various kinds of attacks and solutions to these attacks.
The workshop ended around 3pm, which I like because I could go home before rush hour kicked in. I start to like these workshops more and more, because it gives me a chance to learn about so many things. I learned a lot at the workshop today, not only through Talhah’s presentation, but also from the discussions from other attendees. I still consider myself new to the development world, because I have only been doing it professionally for two years, so it’s always great to listen and learn from the people around me.
I thought Talhah was a good presenter. He was very knowledgeable about the topic, and he was able to communicate it clearly. I learned a great deal about threat modeling through his presentation and demos. He said if there is one thing that one should have got from the presentation was the Principle of Least Privilege. I will keep it in mind as I continue to learn to write less unsecured code.
Subscribe to:
Posts (Atom)