ABSTRACT

The advancement of computers produces computing infrastructures that handle resources more efficiently, along with a business model for selling computing resources and services. On the other hand, such complex and distributed architectures become an attractive target for intruders. Cloud and distributed computing offer great potential to improve productivity and reduce costs, but at the same time they pose many new security risks. Intrusion Detection Systems (IDS) have been widely used to detect malicious behavior in network communication and on hosts, but these traditional intrusion detection systems are not flexible enough to provide guaranteed security, especially in distributed computing, because of the architecture of such computing. This paper presents the use of the RSA (Rivest–Shamir–Adleman) cryptosystem to effectively detect and prevent intrusion in a computer system. In this cryptosystem, the encryption key is public and differs from the decryption key, which is kept secret (private). This ensures maximum security.

TABLE OF CONTENTS

CHAPTER ONE
INTRODUCTION
1.1 Introduction
1.2 Background of the Study
1.3 Statement of the Problem
1.4 Aim and Objectives of Study
1.5 Significance of the Study
1.6 Scope of the Study
1.7 Limitations of the Study
1.8 Definition of Terms

CHAPTER TWO
LITERATURE REVIEW
2.0 Introduction
2.1 Related Work
2.3 Brief History Of Public Key Cryptography And Its Impact On Security
2.4 Security Benefits Of Intrusion Tolerant Applications

CHAPTER THREE
SYSTEM ANALYSIS AND DESIGN
3.0 Introduction
3.1 Methodology
3.2 Public Key Cryptography
3.3 Provable Security
3.4 Provable Security Of Public Key Cryptography
3.5 Design Of The RSA Cryptosystem
3.6 Design Model
3.7 Attacks On RSA Cryptosystem
3.8 A Version Of RSA Implemented In HTTPS
3.9 Attack On PKCS1

CHAPTER FOUR
4.0 Implementing and using SSL to secure HTTP traffic
4.1 Introduction to SSL
4.2 Encryption algorithms used in SSL
4.3 Java Security Libraries for RSA Implementation
4.3.1 Java Security Key Pair Generator
4.3.2 Java Security Key Pair (java.security.KeyPair)
4.3.4 Javax Crypto Cipher (javax.crypto.Cipher)

CHAPTER FIVE
SUMMARY, CONCLUSION AND RECOMMENDATION
5.0 Summary
5.1 Conclusion
5.2 Recommendation

REFERENCES

CHAPTER ONE
INTRODUCTION

1.1 INTRODUCTION

Most current information systems are connected to the Internet for efficiency and convenience. However, this growth in accessibility makes the systems vulnerable to attackers. A web server is a program that uses the Hyper Text Transfer Protocol, which works in client-server mode, to serve clients with files and other details stored on the server. The web server is currently the most widely deployed type of distributed data server. Every computer on the internet that contains a website must have a web server program. Web servers now provide dynamic content rather than static content, which has opened up many security flaws. With the development and scope of cloud computing, there is a tremendous shift in the web hosting industry. Most users prefer a server in the cloud because of the ease of maintenance and low cost of infrastructure, so there is a great need to ensure the integrity and confidentiality of the systems we use. For this reason, many studies have been conducted to improve the security of information systems. To protect the private keys of web servers and certificate authorities, Boneh et al. (1999) shared the keys among a number of share servers.

1.2 BACKGROUND OF THE STUDY

A dependable system is defined as one that is able to deliver a service that can justifiably be trusted; attributes of dependability include availability (readiness for correct service), reliability (continuity of correct service), confidentiality (prevention of unauthorised disclosure of information), and integrity (absence of improper system state alterations) (Avizienis et al., 2001).

Large network infrastructures, such as the Internet, are vital for citizens to benefit from the services provided by the Information Society. However, users must be able to trust the services offered to them. MAFTIA (Randell et al., 2003), a European Union funded project, investigated a comprehensive approach for tolerating both accidental faults and malicious attacks in large-scale distributed systems, thereby enabling them to remain operational during an attack without requiring time-consuming and potentially error-prone human intervention. SITAR (Sargor et al., 2001) uses commercial-off-the-shelf servers to provide intrusion tolerance to distributed systems.

Emerging applications like electronic commerce and secure communications over open networks have made clear the fundamental role of public key cryptography as unique security solutions. On the other hand, these solutions clearly expose the fact that the protection of private keys is a security bottleneck in these sensitive applications. This problem is made worse in cases where a single, unchanged private key must be kept secret for a very long time (such as certification authority keys and e-cash keys).

When classified information is sent electronically from one individual to another, some form of encryption must be used to protect the information from prying eyes. Because internet technology relies on the transmission of data through the public domain, this encryption is absolutely essential to preserving the security of electronically transmitted information. Public key encryption, which was first developed in the 1970s, has gradually come to dominate the “cryptology market” because of its innate advantages over private-key methods of encrypting data; unlike its counterpart, public key encryption does not require that individuals share a secret key.

Although public key encryption algorithms such as RSA (Rivest et al., 1977) have achieved universal acceptance in the modern cryptology arena, they remain vulnerable to many potential security threats. For example, because public key encryption involves the “receiver” providing a public key to any “senders” who wish to send him confidential information (the receiver uses a different, private key to decrypt the data), it is entirely possible for a devious individual to send the receiver an encrypted message that appears to have been sent by someone else; after all, the public key used to encrypt this message is fully available to everyone. In other words, when constructed improperly, public key encryption systems such as RSA do not intrinsically protect against false sender identification.
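
The false-sender problem described above can be reproduced in a few lines. This is an added example, not code from the original project: it uses unpadded textbook RSA with small constructed keys built from Mersenne primes, and the parties Bob (receiver), Alice and Mallory are hypothetical. It shows that decryption accepts a message from anyone, while a signature check against the claimed sender's public key rejects the forgery.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys below

def keypair(p, q):
    """Textbook RSA key from two primes; returns (n, d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

# Constructed sample keys (Mersenne primes, far too small for real use).
BOB_N, BOB_D = keypair(2**127 - 1, 2**107 - 1)          # receiver
ALICE_N, ALICE_D = keypair(2**89 - 1, 2**61 - 1)        # honest sender
MALLORY_N, MALLORY_D = keypair(2**607 - 1, 2**521 - 1)  # impersonator

def encrypt_for_bob(msg):
    """Needs only Bob's public key (BOB_N, E), so anyone can call it."""
    return pow(int.from_bytes(msg, "big"), E, BOB_N)

def bob_decrypt(c):
    m = pow(c, BOB_D, BOB_N)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def digest(msg, n):
    """SHA-256 of the message, reduced into the signer's modulus."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg, n, d):
    """Hash-then-sign with the sender's private exponent."""
    return pow(digest(msg, n), d, n)

def verify(msg, sig, n):
    """Check a signature against the claimed sender's public key."""
    return pow(sig, E, n) == digest(msg, n)

def demo():
    forged = b"From Alice: pay Mallory"
    # Decryption succeeds whoever encrypted: it carries no origin proof.
    received = bob_decrypt(encrypt_for_bob(forged))
    # Mallory can only sign with her own key; Bob checks against Alice's.
    forged_ok = verify(received, sign(forged, MALLORY_N, MALLORY_D), ALICE_N)
    genuine = b"From Alice: lunch at noon"
    genuine_ok = verify(genuine, sign(genuine, ALICE_N, ALICE_D), ALICE_N)
    return received, forged_ok, genuine_ok
```

Production systems use padded schemes (OAEP for encryption, PSS for signatures) and keys of at least 2048 bits; the unpadded arithmetic here only makes the roles of the two keys visible.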

1.3 STATEMENT OF THE PROBLEM

The computer security problem includes many buggy and insecure applications. Attackers can infect your system with malware and steal credentials such as credit card details and passwords. An example of this is a piece of malware called SilentBanker. It attaches itself to your computer and stays silent. Whenever your computer makes a web request to port 80 or 443, it monitors the request. Although traffic on port 443 is encrypted using SSL, this does not hinder the malware. The malware injects malicious JavaScript into the target page to change it, so that whenever you type your password for authentication the password is sent to the attacker. This malware was used to steal a lot of passwords from UK banks.

An attacker can steal your IP address and use it to send spam messages. An attacker does this to protect himself and shift the blame to the person whose computer he uses to send the spam messages. There are organizations that provide Denial of Service as a service. That is, they will attack a web page or web server for a fee. They do this by bombarding either a web server or a web page with more requests than it can process.

Nowadays, we see the spread of war from physical space to cyberspace. An example of this is the Stuxnet virus (2008), which the NSA and Israeli intelligence agencies used in shutting down Iran’s nuclear power plant. The attackers used four zero-day Windows exploits to infect the computer of the administrator who maintains the nuclear facility. The malware just sits on a Windows computer and only functions if the Siemens PCS 7 SCADA control software is installed on it. It waits for the Siemens controller to be connected to the network, and then it affects the network. On the target computers this malware serves as a logic bomb. It was used to attack the nuclear plant, thereby shutting down a billion-dollar project with just a piece of malware.

Snowden (2013), an NSA whistleblower, revealed a top-secret espionage operation carried out by US and British intelligence agencies, in which they intercept over 80% of web traffic from sites like Facebook, Google, Twitter etc. and store this information to be used for various activities. These revelations, together with those from the whistleblowing site WikiLeaks, made us aware of the insecurity of the web on which we depend so greatly for our daily activities.

More recently, we were made aware that some Nigerian governors use the exploits of the malware firm Hacking Team. Hacking Team is a legal malware company that creates exploits used to attack a variety of devices, ranging from web servers and computers to anything you can think of. This exposes the fact that in Nigeria today there are people who possess these weaponized cyber tools, which can be used to access almost all devices and steal information or plant information for the purpose of implicating the target.

Noting these problems that we face in this modern era, we turn to cryptography. Cryptography is used to encrypt data so that it can only be read by the person who has the secret key. So, even if an attacker breaks into our system, he cannot decode our information.

1.4 AIM AND OBJECTIVES OF STUDY

Despite the use of public key cryptography in simplifying encryption processes, we are still stuck with security bottlenecks. We now see advanced viruses, worms, Trojans etc. Most applications are not implemented correctly. The goals of this project are:

1. To analyze some versions of RSA implemented in HTTPS.
2. To show the strengths and weaknesses of RSA, and some common attacks on it.
3. To show how the RSA cryptosystem can be used correctly to build intrusion tolerant applications that can function correctly even when attacked.
4. To design a version of the RSA cryptosystem which is tamper-resistant and can be used for encryption, session setup etc.
5. To develop software based on this design.

1.5 SIGNIFICANCE OF THE STUDY

RSA is the most widely used public key cryptosystem. It is used for encryption, session startup, implementing digital signatures and many other purposes. It is implemented in our smart cards, the operating systems we use, the browsers we use for surfing the internet etc. However, over the years, versions of RSA implemented in WEP, HTTP etc. have been broken. This project analyzes the security of RSA in WEB, HTTP etc., covers attacks on RSA, and finally designs and implements a version of RSA that is intrusion tolerant.

1.6 SCOPE OF THE STUDY

This project covers ITTC (Boneh et al., 1999), an intrusion tolerant application that uses RSA for encryption. ITTC is a project that protects the private keys of web servers and certificate authorities by splitting the server into smaller share servers, so that even if an attacker penetrates a few of the servers he cannot compromise the whole system. I also discuss SITAR (Sargor et al., 2001), a DARPA-funded research project that investigates intrusion tolerance in distributed systems to provide reliable services. I show some attacks on RSA, such as the blinding attack, the common modulus attack etc., and I analyze security problems of some versions of RSA, such as PKCS1. I also show how to design and implement RSA correctly.

1.7 LIMITATIONS OF THE STUDY

The main limitation is that I could not access specialized hardware suitable for RSA. Most specialized RSA implementations are realized in both hardware and software. I also did not properly cover its use in environments like smart cards because of the limited tools available to analyze security in these environments.

1.8 DEFINITION OF TERMS

These are the meanings of the keywords used in the project:

1. ITTC: Intrusion Tolerant via Threshold Cryptography
2. MAFTIA: Malicious and Accidental Fault Tolerance for Internet Applications
3. COTS: Commercial Off the Shelf
4. SITAR: Scalable Intrusion Tolerant Architecture
5. DPASA: Designing Protections and Adaptation into a Survivability Architecture
6. PKI: Public Key Infrastructure
7. SCIT: Self Cleansing Intrusion Tolerance
8. ACT: Adaptive Cluster Transformation
9. MAC: Message Authentication Code
10. RSA: Rivest Shamir Adleman
11. CA: Certificate Authority
12. MD5: Message Digest 5
13. RFITS: Randomized Failover Intrusion Tolerant System

These are the definitions of some of the terms used in this project:

1. PUBLIC KEY CRYPTOGRAPHY: This is a form of cryptography in which a pair of keys is used to encrypt and decrypt a message. The public key is used to encrypt the message, while the private key is used to decrypt the cipher-text.
2. CRYPTOSYSTEM: This refers to a suite of cryptographic algorithms needed to implement a particular security service. Typically it consists of three algorithms: one for key generation, one for encryption, and one for decryption.
3. THRESHOLD CRYPTOSYSTEM: A cryptosystem is a threshold cryptosystem if, in order to decrypt an encrypted message, several parties must cooperate in the decryption protocol.
4. CRYPTOGRAPHY: This is the practice and study of techniques for secure communication in the presence of third parties.
5. CRYPTANALYSIS: This is the study of techniques used to breach cryptographic security systems and gain access to the contents of encrypted messages, even if the cryptographic key is unknown.
6. SYMMETRIC-KEY ALGORITHMS: These are algorithms for cryptography that use the same cryptographic keys for both encryption of plaintext and decryption of cipher-text.
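
The threshold cryptosystem defined above, and the splitting of a private key among share servers described for ITTC in section 1.6, can be illustrated as follows. This is an added example, not code from ITTC or from this project: the additive split in which every share server must take part, the function names and the small constructed key are assumptions made for the illustration.

```python
import secrets

E = 65537
# Constructed sample key: two Mersenne primes, far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, PHI = P * Q, (P - 1) * (Q - 1)
D = pow(E, -1, PHI)  # full private exponent, held only while dealing shares

def split_exponent(d, phi, servers):
    """Additive split: the shares sum to d modulo phi."""
    shares = [secrets.randbelow(phi) for _ in range(servers - 1)]
    shares.append((d - sum(shares)) % phi)
    return shares

def partial_decrypt(c, share, n):
    """Runs on one share server, which only ever holds its own share."""
    return pow(c, share, n)

def combine(partials, n):
    """Multiply the partial results: c^(d1 + ... + dk) = c^d (mod n)."""
    out = 1
    for part in partials:
        out = out * part % n
    return out

def demo():
    m = int.from_bytes(b"session key 42", "big")  # constructed plaintext
    c = pow(m, E, N)                               # encrypt with public key
    shares = split_exponent(D, PHI, 3)             # one share per server
    partials = [partial_decrypt(c, s, N) for s in shares]
    full = combine(partials, N)                    # all three cooperate
    missing_one = combine(partials[:2], N)         # one server withheld
    return m, full, missing_one, shares
```

An intruder who compromises fewer than all of the share servers learns only random-looking exponents, and the combined result without the missing share is not the plaintext.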