Advanced Cybersecurity Technologies 1st Edition Ralph Moseley
This book is dedicated to Professor Miltos Petridis, an
inspiring academic and thoughtful Head of the Department
of Computer Science at Middlesex University, along with all
those others who passed away in the COVID-19 pandemic.
Contents
Biography xv
Abbreviations and Acronyms xvii
1 Introduction 1
2 Web and network basics 5
Networks 5
Application layer 7
Presentation layer 7
Session layer 7
Transport layer 7
Network layer 7
Data link layer 7
Physical layer 7
How the OSI model works 7
TCP/IP model 8
Application layer 8
Transport layer 8
Internet layer 8
Link layer 9
Protocols and ports 10
UDP and TCP 11
Web specifics 12
HTTP 13
HTTP resources 14
HTTP connections 14
Conversations with a server 16
UPnP 18
Remote access protocols 19
SSH 21
Suggested projects and experiments 22
Deploy Apache 22
Deploy a Droplet or virtual server 23
References 23
3 Cryptography 25
Why we need cryptography 25
Classical cryptography 25
Substitution ciphers 26
Frequency analysis 27
Caesar cipher 29
Vigenere cipher 30
The one-time pad 31
Modern algorithms 33
Practical encryption engineering 34
Encryption in Node.js 35
Hashes 35
Python cryptography 38
Steganography 39
Terminology and basics 40
Images 41
Audio encryption 42
Least significant bit (LSB) coding 43
Phase encoding 43
Spread spectrum 43
Parity encoding 43
Echo hiding 44
DeepSound 44
Using steganography practically 45
Digital watermarking 46
Suggested projects 48
4 Hacking overview 49
Case histories – a context and background
of hacks and hacker’s motivations 49
Worms 49
Viruses 50
Deception 52
File replication 52
Trojan 53
Botnets 54
DDoS 55
Motivations behind malware 56
History 56
Case history: Stuxnet 58
Case history: Michael Calce (Aka MafiaBoy) 59
Case history: Jonathan James 60
Case history: Gary McKinnon 61
Case history: Lauri Love 62
Huawei 62
Techniques 63
Spoofing email – the basis of phishing attack 63
Bots and automated mechanisms 65
References 71
5 Packet analysis and penetration testing 73
Packet sniffing 73
Wireshark 74
Modifying Wireshark 78
Analysis with Wireshark 81
Analyzing malware – Trickbot 83
Conclusion 93
Suggested projects 93
6 Social engineering 95
Phishing 96
Spear phishing 97
Vishing 97
Smishing 98
Pretexting 98
Water holing 98
Baiting 98
Quid Pro Quo 99
Tailgating 99
Scareware 100
Other varieties 100
Social engineering process 100
Research 100
Engagement 100
The attack 101
The conclusion 101
Social engineering countermeasures 101
Training 101
Frameworks and protocols 101
Categorizing information 101
Protocols 101
Tests 101
Resistance to social engineering 102
Waste handling 102
General advice 102
Software protection 103
Intelligence and research used for social engineering 103
Sources 103
Search engines 103
Google Alerts 105
Google/Bing images 105
Using web archives 105
Social media 106
Specialized search engines 106
Media – documents, photographs, video 106
Telephone numbers and addresses 107
Online tracing with IP addresses and presence 107
Conclusions 107
References 107
7 Cyber countermeasures 109
Introduction 109
Training 109
Firewalls 109
Linux 109
Cloud 113
Shields 115
Malware detection 115
Websites 115
Antivirus 115
Ransomware 119
Keep backups! 120
Conclusions 120
Reference 121
8 Incident response and mitigation 123
Example: Malware outbreak 124
Remediation – clear and hold 128
Misunderstanding threats 129
Mistiming of response 130
Gauging the severity of an incident – triage 131
Analysis 132
Containment 134
Terminate 134
Failing to verify 135
Recovery 135
The notification process 136
European Union – GDPR 136
Ransomware 137
Individual reporting 137
Timing of breach notifications 138
The notification 140
Data privacy and protection in the United States 141
Comparison of EU versus US privacy laws 141
California Consumer Privacy Act 142
Basic CIS controls 144
Foundational CIS controls 146
Organizational CIS controls 148
Post-incident analysis and applying gained insights 150
Ongoing preparedness 150
Conclusions 151
References 151
9 Digital forensics 153
Introduction 153
Low level 154
System level 154
Application level 154
Network level 155
Storage level 155
Tape 155
Flash 156
SSD 157
USB memory devices 158
Dynamic temporal analysis 172
Conclusions 172
References 172
10 Special topics: Countersurveillance in a cyber-intrusive
world 173
Where is detection of an individual in the
electronic domain possible? 173
Strategies for avoidance 174
Deletion 174
Obfuscation 175
Network 176
Tor 176
Identity 177
Defeating profiling and identity capture 177
False tells 177
One name, many people 178
Identifying device shuffling 178
Obfuscation agents and automated stealth 178
Suggested projects 179
Resource scanner 179
Hardware-based memory shredder 180
References 180
11 Special topics: Securing the Internet of Things (IoT) 181
Introduction 181
The use of crypto-integrated circuits 182
Comparison of crypto ICs 183
Wi-Fi connection 188
Cloud connectivity and dashboard 189
Security by design in IoT devices 191
Network devices with possible network weaknesses 193
Modems 193
Routers 193
Home appliances 193
Cameras 193
Environment sensors 194
Automation 194
Automotive 194
Streaming devices 194
Body sensors 194
Arduino IoT 194
Suggested projects 197
IoT robot with encrypted communication channels 197
Encrypted chat system (hardware based) 197
References 198
Index 199
Biography
Dr. Ralph Moseley is a senior lecturer in computer science and cyber secu-
rity at Middlesex University, London. He has acted as a consultant in the
security of organizations and businesses, as well as an expert witness for
the Metropolitan Police. His research areas include applying artificial intel-
ligence techniques within cyber defense and brain–computer interface tech-
niques to train mental states.
As well as this, Ralph is a keen yoga and meditation teacher who can
often be found creating virtual worlds online. eResources are available at
www.routledge.com/9780367562328.
Abbreviations and Acronyms
3DES Triple Data Encryption Standard
AE Authenticated Encryption
AES Advanced Encryption Standard
ANSI American National Standards Institute
APT Advanced Persistent Threat
ASCII American Standard Code for Information Interchange
AV Anti-virus
CAPTCHA Completely Automated Public Turing Test to Tell Computers
and Humans Apart
CBC Cipher Block Chaining
CBC-MAC Cipher Block Chaining Message Authentication Code
CCA Chosen Ciphertext Attack
CERT Computer Emergency Response Team
CHAP Challenge Handshake Authentication Protocol
CMS Content Management System
CNC Cipher Block Chaining
CND Computer Network Defense
CPA Chosen Plaintext Attack
CRC Cyclic Redundancy Check
CSO Chief Security Officer
CTR Counter
CVE Common Vulnerabilities and Exposures
DDoS Distributed Denial of Service
DEM Data Encapsulation Mechanism
DES Data Encryption Standard
D-H Diffie-Hellman key exchange
DNS Domain Name System
DoD Department of Defense
DoS Denial of Service
DSA Digital Signature Algorithm
ECB Electronic Code Book
ECC Elliptic Curve Cryptography
FTP File Transfer Protocol
HMAC Keyed-Hash Message Authentication Code
HTTP Hypertext Transfer Protocol
HTTPS Hypertext Transfer Protocol Secure
IA Information Assurance
IEEE Institute of Electrical and Electronics Engineers
IETF Internet Engineering Task Force
IMAP Internet Message Access Protocol
ISO International Organization for Standardization
JSON JavaScript Object Notation
KEK Key Encryption Key
KPK Key Production Key
LFSR Linear Feedback Shift Register
LSB Least Significant Bit
MAC Message Authentication Code
MD Message Digest
MD5 Message Digest 5
MEK Message Encryption Key
MITM Man in the Middle
MSB Most Significant Bit
NCSA National Cyber Security Alliance
NIST National Institute of Standards and Technology
OSINT Open Source Intelligence
OTP One Time Pad
PGP Pretty Good Privacy
PKC Public Key Cryptography
PRF Pseudo Random Function
PRG Pseudo Random Generator
PRP Pseudo Random Permutation
RAM Random Access Memory
RFC Request for Comments
RSA Rivest, Shamir, Adleman
SHA Secure Hash Algorithm
SHTTP Secure Hypertext Transfer Protocol
SIEM Security Information and Event Management
SKE Symmetric Key Encryption
SSH Secure Shell
SSL Secure Sockets Layer
SSO Single Sign On
TCP/IP Transmission Control Protocol / Internet Protocol
TDEA Triple Data Encryption Algorithm
TKIP Temporal Key Integrity Protocol
TLS Transport Layer Security
UPnP Universal Plug and Play
URI Uniform Resource Identifier
URL Uniform Resource Locator
USB Universal Serial Bus
VPN Virtual Private Network
WEP Wired Equivalent Privacy
WPA Wi-Fi Protected Access
WPA2 Wi-Fi Protected Access II
WPS Wi-Fi Protected Setup
WWW World Wide Web
XEX Xor-Encrypt-Xor
XOR Exclusive OR
ZKP Zero Knowledge Proof
Chapter 1
Introduction
As network systems have become ever more complex, with increased speeds
and expanded capacities for storage, the need for security to guard against
intrusion, or even accidental disclosure of private or sensitive information,
has increased. This growth in the complexity of systems has been coupled
with ever more sophisticated attacks on them. Threats have increased at
various levels, whether personal, commercial or military.
Systems are under threat from individuals, special interest groups or even
nation-states, with armies of hackers. At each of these levels there is a sub-
stantial capability which arises from weaknesses in networks or computer
operating systems and the ability to develop tools which attempt automated
entry or denial of use.
This automation of attacks has seen the rise of script development that
attempts known hacks, hijacks and probing for bugs in networked sys-
tems; the scripts themselves are easily available in the darker corners of
the Internet. These require only the rudiments of knowledge to run if the
attacker is motivated enough. At another level, there is the capability to
build bots which have this knowledge and can roam freely, perhaps assess-
ing systems, reporting back and even replicating themselves to wreak untold
havoc on systems.
Technical capability and the automation of threats can also be leveraged
with social engineering techniques, or intelligence work, to target individu-
als or groups. Background research, revealing a target’s interests and basic
personal details, can often create an opening for more social contact, which
brings about the ability for a much deeper attack, perhaps to steal financial
information or to apply extortion.
Artificial Intelligence (AI), which has many positive uses, also has the
capability to both defend systems against attack and to be the perpetrator
itself. It may be that AI systems will be matched against each other.
Each of these instigators of attack can find many ways into systems
through weaknesses in operating systems, firmware in devices, web brows-
ers and emails.
This book will look at how information can be made secure, by exploring
methods of attack (and by revealing this, how they can be thwarted) as well
as emerging technologies in the field. While technology is obviously key, a
large component, and often the weakest link in the chain, is the human
component, so this too will be at the forefront of this investigation.
DOI: 10.1201/9781003096894-1
Chapter 2 discusses the basics of network and web technology to set the
context for the work that follows. This provides an outline of the topogra-
phy, architecture and basic protocols used.
Chapter 3 discusses the basis of information security with a thorough
exploration of cryptography and its allied subjects, such as steganography
and digital watermarking. To provide ultimate security of information and
to ensure it is seen only by those for whom it is intended, cryptography is
outlined from its classical beginnings through to the advanced techniques
that are utilized today. Emerging technologies in this area are also
detailed. This chapter gives examples and code and explores which cryptog-
raphy techniques are suitable for programming projects. Often, program-
mers simply choose from libraries an encryption module without knowing
its level of security or its suitability for the task in hand. For example, there
can be a lot of difference between encryption for a stream of live data to
one which hides a file. Therefore, a guide is provided for some special cases
of encryption and hiding of messages such as steganography, as well as
an exploration of future possibilities and mechanisms for development of
systems.
Chapter 4 discusses the basics and background of hacking, outlining
a brief general history, before moving into a detailed review of particu-
lar cases, then on to current practices, common weaknesses and types of
attack. Here a wide review of hacking is given – from networks, Internet-
connected devices, embedded systems, through to PCs, laptops and mobile
phones.
The chapter discusses in detail the actual mechanisms used for an attack,
referring to some of the systems mentioned in the overview chapter. Code
is outlined to show how simple automated attacks occur and how more
intelligent bots can be built, which replicate or recover from faults as they
traverse the net, providing ever-more robust means to attack.
Chapter 5 discusses in detail the tools used, along with penetration
testing.
As detailed previously, one of the most important aspects of the challenge
of security is social engineering – the vulnerability of a technological system
via the human user. In Chapter 6, this is examined in detail, focusing on
the psychology and ability of users to be manipulated into providing the
necessary details for a more technical attack. It is shown here that prior to
any engagement with the user, or their system, the primary work is one of
intelligence research into the target by gaining insight through their social
media, and interactions through the web or more covert means.
After detailed information about the attack on targets, the book moves
on to Chapter 7, discussing countermeasures, that is, what can be done to
protect. Of course, knowing the techniques used gives a user knowledge to
defend but there are useful tools that can be deployed, which enable some
degree of protection. As well as tools, a user can be trained to avoid par-
ticular behavior or to avoid systems which are in some sense compromised.
Coding techniques are shown for common problems, whether it be spam-
bots or more contrived attacks on servers.
It is often the case that a programmer or system developer is telephoned
at some late hour to be told that their system is currently under attack –
how to respond? Chapter 8 provides ways of dealing with such an event and
maps out the protocols that should be followed, whether dealing with an
ongoing assault or finding the result of one through to looking for possible
evidence of covert surveillance or system manipulation from outside.
Once an attack has occurred and the scene or evidence secured, what
should be checked? What is useful and again, what routines need to be
followed to preserve and make use of logs and states of systems. Chapter 9
focuses on these issues.
Following this are a couple of special topics chapters based on cyber
countersurveillance and cyber-physical IoT security. These chapters look at
the cutting edge and bleeding edge of the developments which build on the
previous practical work in the book.
Chapter 10 examines ways of decreasing an individual’s digital presence
or utilizing techniques which can circumvent intrusion, or capturing of
unnecessary data by unwanted organizations, businesses and suchlike.
Chapter 11 looks closely at embedded systems and the latest develop-
ments and capabilities for deploying hardware securely, particularly with
reference to cloud and networked devices.
This book is written with a university course in cybersecurity in mind,
though any trainee or interested individual will gain from it. The book is
written in a progressive manner, building up knowledge of an area and
providing an opportunity for practical exploration. This comes in the form
of code or experimenting with the tools mentioned. Online resources are
available, including code from the book, utilities and examples at
https://simulacra.uk/act.zip
Chapter 2
Web and network basics
The Internet and networks in computing have undoubtedly been around
a lot longer than we think; as soon as information is created and held in
an electronic system, it will have been the desire of those around to store
it at multiple points. This distribution of the information is great for those
whose access is desired but not so much a good idea in terms of security, if
there are those who can, perhaps, casually access it. This demonstrates the
need for appropriate security mechanisms.
Electronic systems have particular physical attributes, architectures,
topologies and protocols which can be under attack from an adversary or
snooper. It is, therefore, important to have some idea of those qualities
which exist in these systems first, before dwelling on particular techniques
that hackers use or system developers utilize as defense.
An electronic system that stores information does so by holding that
information in devices saving state in a memory medium, which in the past
has been magnetic, as in a tape, drums, disks and suchlike, as well as opti-
cal or solid state. These information stores are connected by networks and
processed by CPUs.
It should also be mentioned that as well as this storage and processing,
there are methods of input, such as keyboard, mouse and voice, as well as
output, which could be a screen or print out, for example.
Security weaknesses in the past have been found at each of these men-
tioned points.
NETWORKS
Networks provide the main transit for information, and because of this,
they are subject to scrutiny and attack. The basic model of network com-
munication can be visualized as in Figure 2.1.
The usual way to conceptualize a network in computing and electronics
engineering is through the Open Systems Interconnection (OSI) model (see
Figure 2.2) [1].
This is characterized by several layers of abstraction.
DOI: 10.1201/9781003096894-2
Application layer
The function of this layer is high-level APIs, remote file sharing and resource
sharing in general.
Presentation layer
This layer is concerned with the translation of data between a network-
ing service and an application. This could be data compression, character
encoding and encryption or decryption.
Session layer
The functionality of the session layer is concerned with managing com-
munication sessions, such as the continuous exchange of information in the
form of back-and-forth transmission between nodes.
Transport layer
This layer deals with the reliable transmission of data segments between
points on a network, including segmentation, acknowledgement and
multiplexing.
Network layer
The network layer functionality includes the structuring and managing of
multi-node networks, including addressing, routing and traffic control.
Data link layer
Here the reliable transmission of data frames between two nodes connected
by a physical layer is the main concern.
Physical layer
Finally, the physical layer is focused on the transmission and reception of
raw bit streams over a physical medium.
Another model which is useful to compare with the above OSI here is the
TCP/IP model.
HOW THE OSI MODEL WORKS
The layers work together to form a mechanism of communication between
systems at various levels of abstraction. How this works in practice can
be understood by an example of its use and envisaging the movement of
packets within a network. An email client, such as MS Outlook, has data
which resides at Layer 7, the application layer, where the message is
formatted for SMTP. When send is pressed, the data works its way down the
OSI layers one by one and out through the network. It first passes through
the presentation and session layers before entering the transport layer,
where TCP establishes the connection to the mail server and segments the
message. The segments move through the network layer, where IP addressing
and routing are applied, into the data link layer, where they are framed
for the local medium. The frames eventually reach the physical layer, where
the hard wiring or radio sends the bits across the networks towards the
recipient.
When the recipient is reached, the process occurs in reverse, that is, it
will work its way back up the OSI model before reaching the application
level again.
TCP/IP MODEL
One of the main differences between the two models is that the application
layer, presentation layer and session layer are not distinguished separately
in the TCP/IP model [2], which only has an application layer above the
transport layer.
Application layer
This is equivalent to application, presentation and session layers in the OSI
model, dealing with higher-level application-based processes. The applica-
tions use the services of the underlying lower layers. For example, the trans-
port layer provides pipes between processes. The partners involved in this
communication are characterized by the application architecture, such as
peer-to-peer networking or the client-server model. At this layer reside the
application protocols such as SMTP, FTP, SSH and HTTP, each of which
has its own designated port.
Transport layer
This corresponds to the transport layer in the OSI model and is concerned
with end-to-end transport of data between processes on two hosts, which
may be on the same local network or on remote networks separated by
routers. It is this layer which sets up the channel of communication
needed by the applications, identifying each endpoint by a port number.
The basic protocol at this level is UDP, which provides an unreliable
connectionless datagram service. TCP adds the establishment of a
connection, flow control and the reliable, ordered transmission of data.
Internet layer
The Internet layer is concerned with the exchange of datagrams across
network boundaries, providing a uniform network interface that hides the
underlying network connections' topology or layout. It is, therefore, this
layer which provides the actual capability to internetwork; in effect, it
establishes and defines the Internet. It defines the routing and addressing
capabilities used in the TCP/IP protocols, the main one of which is the
Internet Protocol, which defines IP addresses. In routing, its function is
to transport each datagram to the next hop on the path to the destination
host.
Link layer
This is the data link layer in the OSI model, concerned with the network
interface and specifically the local network link where hosts communicate
without routers between them.
Typically, these models allow conceptualization of the process of com-
munication between source and destination.
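The walk down and back up the layers can be made concrete in code. The following is an added example, not code from the book: it builds a single UDP datagram inside an IPv4 packet inside an Ethernet II frame from a piece of application data (the encapsulation the email example describes, with UDP in place of TCP to keep the headers short), then parses the resulting bytes back up through the layers, verifying the IPv4 header checksum on the way. The MAC and IP addresses, ports and payload are constructed sample values.

```python
import struct

# Constructed sample values for the walk-through (not from the book).
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")
SRC_IP = "192.0.2.10"          # TEST-NET-1 documentation addresses
DST_IP = "192.0.2.20"
ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the 16-bit words of an IPv4 header.
    Over a header whose checksum field is already filled in, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(app_payload: bytes, src_port: int, dst_port: int) -> bytes:
    """Encapsulate top-down: application data -> UDP -> IPv4 -> Ethernet."""
    # Transport layer: 8-byte UDP header. A checksum of 0 means "not computed",
    # which RFC 768 permits over IPv4; it keeps the example short.
    udp_len = 8 + len(app_payload)
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + app_payload

    # Internet layer: 20-byte IPv4 header with no options (version 4, IHL 5),
    # identification 0x1234, "don't fragment" set, TTL 64, checksum filled in
    # after the rest of the header is known.
    total_len = 20 + len(udp)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0x1234, 0x4000, 64, PROTO_UDP,
                         0, ip_to_bytes(SRC_IP), ip_to_bytes(DST_IP))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]

    # Link layer: 14-byte Ethernet II header (the FCS trailer is added by the NIC).
    eth_hdr = DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + udp


def parse_frame(frame: bytes) -> dict:
    """Decapsulate bottom-up, checking at each layer what the layer above needs."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")

    ver_ihl = frame[14]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("bad IPv4 header")
    ip_hdr = frame[14:14 + ihl]
    (_, _, total_len, _, _, ttl, proto, _,
     src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip_hdr[:20])
    if proto != PROTO_UDP:
        raise ValueError("not UDP")

    udp_start = 14 + ihl
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", frame[udp_start:udp_start + 8])
    payload = frame[udp_start + 8:14 + total_len]
    if len(payload) != udp_len - 8:
        raise ValueError("IP and UDP length fields disagree")

    return {
        "link": {"src": src_mac.hex(":"), "dst": dst_mac.hex(":"), "ethertype": ethertype},
        "internet": {"src": bytes_to_ip(src_ip), "dst": bytes_to_ip(dst_ip),
                     "ttl": ttl, "checksum_ok": ip_checksum(ip_hdr) == 0},
        "transport": {"src_port": src_port, "dst_port": dst_port},
        "application": payload,
    }


if __name__ == "__main__":
    frame = build_frame(b"hello", 40000, 53)
    print(len(frame), "bytes on the wire:", frame.hex())
    print(parse_frame(frame))
```

Flipping any single bit in the IPv4 header (the TTL, for instance) makes `checksum_ok` false, which is what a router does when it discards a corrupted packet; the payload, by contrast, is not covered by the IP checksum at all, which is one reason the transport layer carries its own.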
This leads us to the question of why these models are of interest to any-
one studying cyber security. Understanding the layers gives a way of seeing
information in transit and a way of looking at how weaknesses occur at
various points.
For example, an attack at layer 1, the physical aspect, is an attack on the
cabling and infrastructure used to communicate. This kind of disruption
could be as simple as cutting through a cable to disrupt signals, or tapping
one to copy them. The OSI data link layer focuses on the methods for
delivering frames between switches, which use link-layer protocols such as
Spanning Tree Protocol (STP); LAN services such as DHCP, although they are
carried over UDP, are also exposed at this level because rogue-server and
address-starvation attacks originate on the local segment. An attack at
this layer may target the insecurity of the protocols used, or the switches
themselves and their lack of any hardening. Because switches are concerned
with LAN connectivity, any attack is likely to come from within the
organization, or from a device an attacker has planted or compromised
there. This layer can also be attacked by MAC flooding, which overflows a
switch's address table so that it falls back to broadcasting frames out of
every port, or by ARP poisoning, which binds a victim's IP address to the
attacker's MAC address in the ARP caches of nearby hosts. To resolve these
kinds of issues, switches can be hardened: port security limits the number
of MAC addresses learned per port, Dynamic ARP Inspection checks ARP
replies against a trusted binding table, unused ports can be disabled and
VLAN separation can be enforced.
At layer 3, the network layer, the IP protocols are in use, and common
attacks include packet sniffing and DoS attacks based on ping floods and
other abuse of ICMP. Unlike layer 2 attacks, which occur within the LAN,
layer 3 attacks can be performed remotely via the Internet.
To circumvent such attacks, routers can be hardened, packet filtering can
be applied and the routing information they accept can be controlled.
The transport layer, layer 4, uses TCP and UDP as its protocols, and the
techniques used in attacks here focus on port scanning to identify open
ports and the services listening behind them. The key to resolving these
kinds of problems is effective firewalls, which close off ports that do not
need to be reachable and so seal off this kind of attack, mitigating the
risks that occur at this level.
Beyond layer 4, the main form of attack is through applications, and it
comes about through poor coding, bugs and suchlike. There are many types
of vulnerability which can be exploited through specific types of attack,
such as SQL injection, where, for example, the software engineer has not
correctly handled untrusted input and part of that input is interpreted as
SQL. Code injected into the query in this way can extract or modify data.
Here the main aim in mitigating such an issue is to ensure that good
software engineering practices, such as parameterized queries and input
validation, are adhered to.
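The two layer-2 attacks named above, and the switch-side countermeasures, can be illustrated with a small detector. This is an added example, not code from the book: it replays a constructed list of ARP replies and frame source addresses as a switch would see them, checks each ARP reply against a trusted IP-to-MAC-to-port binding table in the way Dynamic ARP Inspection does, flags flip-flopping IP-to-MAC mappings as a host-side monitor would notice them, and counts the distinct source MACs learned per port to catch flooding. All addresses, port numbers and the binding table are constructed; the limit of eight MACs per port is an assumption.

```python
from collections import defaultdict

# Constructed sample of ARP replies as a switch sees them (not from the book):
# the switch port the frame arrived on and the sender IP/MAC the reply claims.
ARP_REPLIES = [
    {"port": 1, "sender_ip": "192.0.2.1",  "sender_mac": "02:00:00:00:00:01"},  # real gateway
    {"port": 2, "sender_ip": "192.0.2.10", "sender_mac": "02:00:00:00:00:10"},  # a workstation
    {"port": 7, "sender_ip": "192.0.2.1",  "sender_mac": "02:00:00:00:00:77"},  # attacker claims the gateway IP
    {"port": 1, "sender_ip": "192.0.2.1",  "sender_mac": "02:00:00:00:00:01"},  # gateway answers again
    {"port": 7, "sender_ip": "192.0.2.10", "sender_mac": "02:00:00:00:00:77"},  # attacker claims the workstation too
]

# Trusted IP -> (MAC, port) bindings, as a DHCP-snooping table would hold them.
BINDINGS = {
    "192.0.2.1":  ("02:00:00:00:00:01", 1),
    "192.0.2.10": ("02:00:00:00:00:10", 2),
}


def inspect_arp(replies, bindings):
    """Dynamic ARP Inspection: a reply whose sender IP, MAC and arrival port do not
    match the trusted binding table is dropped and reported; unknown IPs are
    treated the same way, so an attacker cannot simply pick an unused address."""
    alerts = []
    for r in replies:
        expected = bindings.get(r["sender_ip"])
        if expected is None or expected != (r["sender_mac"], r["port"]):
            alerts.append({"port": r["port"], "ip": r["sender_ip"],
                           "claimed_mac": r["sender_mac"], "expected": expected})
    return alerts


def detect_cache_poisoning(replies):
    """Host-side view without a binding table: record the MAC each IP was last
    seen with and report every change. A genuine NIC swap produces one change;
    an attacker fighting the real host for the mapping produces a flip-flop."""
    seen = {}
    changes = []
    for r in replies:
        ip, mac = r["sender_ip"], r["sender_mac"]
        if ip in seen and seen[ip] != mac:
            changes.append((ip, seen[ip], mac))
        seen[ip] = mac          # an unprotected ARP cache overwrites here; that is the poisoning
    return changes


def detect_mac_flooding(frames, max_macs_per_port=8):
    """Port security: count distinct source MACs learned per port. One port
    sourcing far more addresses than a port can plausibly have devices behind
    it is filling the switch's address table."""
    learned = defaultdict(set)
    for port, src_mac in frames:
        learned[port].add(src_mac)
    return {port for port, macs in learned.items() if len(macs) > max_macs_per_port}


def flood_sample(port, count):
    """Constructed stream of frames from one port with many different source MACs,
    as a flooding tool would generate."""
    return [(port, "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)) for i in range(count)]


# Constructed (port, source MAC) observations: two honest hosts and one flooding port.
FRAMES = [(1, "02:00:00:00:00:01"), (2, "02:00:00:00:00:10")] + flood_sample(9, 200)


if __name__ == "__main__":
    for a in inspect_arp(ARP_REPLIES, BINDINGS):
        print("DAI drop: port %d claims %s is at %s (expected %s)"
              % (a["port"], a["ip"], a["claimed_mac"], a["expected"]))
    for ip, old, new in detect_cache_poisoning(ARP_REPLIES):
        print("mapping change: %s %s -> %s" % (ip, old, new))
    print("ports exceeding MAC limit:", detect_mac_flooding(FRAMES))
```

The binding-table check is the one that actually stops the attack, because it rejects the forged reply before any host caches it; the flip-flop detector only tells you after the fact that something is wrong, which is still useful on segments where DHCP snooping is not available.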
PROTOCOLS AND PORTS
Any communication between parties requires a set of rules which are
understood between those involved. Someone speaking Chinese applies a
different set of rules to their language than, say, a speaker of English
does; a mutually understood set of rules and symbols is required to allow
for the exchange of meaningful information. Similarly, to communicate between
computer systems, there need to be rules and interface points. The rules, or
agreed means of communicating, are known as protocols, while the inter-
face points, which are assigned protocols, are known as ports.
A system, whether it be a full-blown PC or an embedded controller, will
have many ports, each with an assigned protocol. While the list of ports is
extensive, some of the more common ones are listed below:
20 File Transfer Protocol (FTP) Data Transfer
21 File Transfer Protocol (FTP) Command Control
22 Secure Shell (SSH) Secure Login
23 Telnet remote login service, unencrypted text messages
25 Simple Mail Transfer Protocol (SMTP) E-mail routing
53 Domain Name System (DNS) service
67, 68 Dynamic Host Configuration Protocol (DHCP)
80 Hypertext Transfer Protocol (HTTP) used in the World Wide Web
110 Post Office Protocol (POP3)
119 Network News Transfer Protocol (NNTP)
123 Network Time Protocol (NTP)
143 Internet Message Access Protocol (IMAP) Management of digital
mail
161 Simple Network Management Protocol (SNMP)
194 Internet Relay Chat (IRC)
443 HTTP Secure (HTTPS) HTTP over TLS/SSL
Port numbers are divided into three ranges: well-known ports (also named
system ports), registered ports and dynamic or private ports. System ports
range from 0 through 1023. The ranges and the assignments within them are
defined by convention and overseen by the Internet Assigned Numbers
Authority (IANA) [3]. Typically, core network services such as the web use
well-known port numbers, and operating systems require special privileges
for an application to bind to these ports, as they are critical for the
operation of the network. Ports between 1024 and 49151 are known as
registered ports; these are used by vendors for their own server
applications. Vendors can register their application ports with IANA, so
that other vendors respect their usage and choose other unused ports from
the pool, although nothing enforces the assignment on a given host.
Ports in the range 49152 to 65535 are dynamic or private ports, used for
temporary purposes such as the client side of a connection; they are never
registered.
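Port scanning, the typical layer-4 reconnaissance technique mentioned earlier, is a direct consequence of the port conventions in this section: a listener on a well-known port is exactly what a scanner looks for. The following added example (not from the book) classifies a port number into the IANA ranges just described and performs a TCP connect scan, distinguishing open, closed and filtered ports by how the three-way handshake ends. To stay offline it starts its own listener on the loopback address; the host, port list and timeout are assumptions.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def port_range(port: int) -> str:
    """IANA range a port number falls in: system (0-1023), registered
    (1024-49151) or dynamic/private (49152-65535)."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    if port <= 1023:
        return "system"
    if port <= 49151:
        return "registered"
    return "dynamic"


def probe_tcp(host: str, port: int, timeout: float = 0.5) -> str:
    """TCP connect scan of one port. A completed handshake means a listener is
    there; an immediate RST (connection refused) means the host is up but
    nothing listens; silence until the timeout usually means a firewall is
    dropping the SYN, which scanners report as 'filtered'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        return "filtered"
    finally:
        s.close()          # a full connect scan is noisy: every open port logs a connection


def scan_tcp(host: str, ports, workers: int = 32) -> dict:
    """Scan the given ports concurrently; returns {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe_tcp(host, p), ports))
    return dict(zip(ports, states))


def start_listener(host: str = "127.0.0.1", port: int = 0) -> socket.socket:
    """Bind a TCP listener to stand in for a service. Port 0 asks the OS for a
    free dynamic port, so this works without privileges; binding a system
    port such as 80 would need them."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    return srv


if __name__ == "__main__":
    srv = start_listener()
    port = srv.getsockname()[1]
    result = scan_tcp("127.0.0.1", range(port - 2, port + 3))
    for p, state in sorted(result.items()):
        print("%5d %-10s %s" % (p, port_range(p), state))
    srv.close()
```

Against a real firewall the "filtered" result is the interesting one: a port that answers neither with a SYN-ACK nor with a RST is being silently dropped, which is the lock-down the paragraph above describes, and is also why scanners distinguish it from a plain "closed".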
UDP AND TCP
The Transmission Control Protocol (TCP) can be considered one of the
main protocols involved in the Internet protocol suite within the transport
layer. In fact, the entire suite is often known as TCP/IP, reflecting its
origins in the original network implementation. TCP has several important
characteristics: it provides reliable, ordered and error-checked delivery
of a stream of bytes between applications running on hosts in an IP
network. Applications that rely on this include the web, file transfer,
email and remote administration. Secure Sockets Layer (SSL) and its
successor, Transport Layer Security (TLS), are cryptographic protocols that
run on top of TCP to provide communications security over the network.
TCP is connection-oriented: a connection is established with a three-way
handshake (SYN, SYN-ACK, ACK) before any data is transferred, and it
persists until one side closes it. Another example of an application which
uses TCP because of this persistent connection is Secure Shell (SSH), a
cryptographic network protocol for operating network services securely
over an unsecured network. SSH uses TCP port 22 and was designed as a
replacement for telnet; it should be said that SSH is not an implementation
of telnet with cryptography provided by SSL, as is sometimes thought.
User Datagram Protocol (UDP) [4] is another member of the Internet
protocol suite at the transport layer. This protocol allows applications to
send messages, referred to as datagrams, to other members of the IP
network. In this instance, prior communication is not required to set up
communication channels. UDP is a simple connectionless model with a very
minimalistic protocol approach. UDP uses checksums for data integrity and
port numbers to address different functions at the source and destination
of the datagram. It has no handshaking, so any unreliability present in the
underlying network is exposed to the application; it offers no guarantee of
delivery, ordering or protection against duplication. If such features as
error correction are required, TCP or Stream Control Transmission Protocol
may be a better choice.
UDP is suitable for applications where dropped packets are preferable
to waiting for packets delayed in retransmission, within real-time systems,
such as media streaming applications (as lost frames are okay), local
broadcast systems (where one machine attempts to find another, for
example) and some games which do not need to receive every update
communication. Other systems that use UDP include DNS and Trivial File
Transfer Protocol, as well as some aircraft control systems.
A good way of understanding the difference is by a comparison of two
applications. For example, email is suited to TCP, as all the content is
received and so understandable, with no missing information, whereas
video streaming is fine over UDP, because if some frames are missing, the
content is still understandable.
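As an added example (not from the book), the checksum that UDP uses for data integrity, computed over the IPv4 pseudo-header, UDP header and payload as RFC 768 describes; the addresses, ports and payload used below are constructed values, not captured traffic.

```python
import struct
from ipaddress import IPv4Address

UDP_PROTOCOL_NUMBER = 17


def ones_complement_sum(data: bytes) -> int:
    """Add 16-bit big-endian words with end-around carry; result fits in 16 bits."""
    if len(data) % 2:
        data += b"\x00"                      # an odd trailing byte is padded for the sum only
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, udp_length: int) -> bytes:
    """IPv4 pseudo-header: the checksum also covers the addresses, so a datagram
    delivered to the wrong host fails verification."""
    return struct.pack("!4s4sBBH", IPv4Address(src_ip).packed,
                       IPv4Address(dst_ip).packed, 0, UDP_PROTOCOL_NUMBER, udp_length)


def build_udp_datagram(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                       payload: bytes) -> bytes:
    """Return header + payload with the checksum filled in."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", src_port, dst_port, length, 0)   # checksum field zero while summing
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, length) + header + payload)
    checksum = (~total) & 0xFFFF
    if checksum == 0:
        checksum = 0xFFFF                    # a computed zero is sent as all ones; zero means "absent"
    return struct.pack("!HHHH", src_port, dst_port, length, checksum) + payload


def verify_udp_datagram(src_ip: str, dst_ip: str, datagram: bytes) -> bool:
    """Recompute over the datagram including its checksum; a valid one sums to 0xFFFF."""
    if len(datagram) < 8:
        return False
    _src_port, _dst_port, length, checksum = struct.unpack("!HHHH", datagram[:8])
    if length != len(datagram):
        return False                         # length field must match what was received
    if checksum == 0:
        return True                          # sender disabled the checksum (permitted over IPv4)
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, length) + datagram) == 0xFFFF
```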
WEB SPECIFICS
The web can be seen as a separate entity which relies on the Internet as its
infrastructure. Another way to put it is that the web is a way of accessing
information over the medium of the Internet. The web uses HTTP and
HTTPS protocols to allow applications to exchange data. The web uses
browsers to access documents which are linked to each other via hyperlinks.
These web pages can contain a range of multimedia and text.
Both TLS and its deprecated predecessor SSL are used in web browsing,
email, instant messaging and voice over IP (VoIP).
The web is based on a client-server architecture, revolving around the
browser on the client side, with its various capabilities for communication,
running scripts and rendering web pages. Web browsers run on various
devices from desktops, laptops, to smartphones. The most popular
browser has been, for some time, Google Chrome. As of 2020, the general
share of browsers is around Chrome 62% and Safari 20%, with Firefox
at 4%. Others include Samsung, Opera, Edge and IE, only taking small
percentages.
The central idea of the browser is that of hyperlinks – the ability to
move between linked resources. The ideas for such systems have actually
been in place since the mid-1960s, through people such as the futurist Ted
Nelson [5], whose ideas were then explored in Neil Larson's commercial
DOS outline program MaxThink, in which angle-bracket hypertext jumps
between files could be created. Others developed this idea of linked
resources, which were initially only pages, through to the 1990s.
Building on this hyperlink concept, the first browser was developed by
Tim Berners-Lee in 1990 and was called World Wide Web, which was
followed by the Line Mode Browser, released in 1991, which displayed web
pages on dumb terminals. In 1993, Mosaic was launched, which could be
seen as the first true browser for normal use by anybody. This had a
graphical interface and led to the Internet boom which occurred in the
1990s, leading to the rapid expansion of the web. Members of the same team
that developed Mosaic went on to form their own company, Netscape, which
developed its own browser, named the Netscape Navigator, in 1994, which
quickly became the more popular browser. In 1995, Microsoft produced
the Internet Explorer, leading to what has commonly become known as the
“browser war” with Netscape. However, because Microsoft could bundle
their software in the Windows operating system, they gained a peak of 95%
of browser use by 2002.
The Mozilla Foundation was formed in 1998, by Netscape. This created
a new browser using the open-source software model, which finally evolved
into Firefox, released by Mozilla in 2004, which went on to gain a 28%
market share in 2011. Apple too developed their own browser, Safari, in
2003, which although dominant on their own platforms was not popular
elsewhere.
Google released its own browser, Chrome, in 2008, which overtook all
others by 2012, remaining the most dominant since this time.
Over time browsers have expanded their capabilities in terms of HTML,
CSS and general multimedia, to enable more sophisticated websites and
web applications. Another factor which led to this is the increase in
connection speeds, which allowed for content which is data-intensive, such
as video streaming and communications that were not possible in the web's
starting years with dial-up modem devices.
The prominence of Google Chrome led to the development of the
Chromebook, first released by several vendors, such as Acer, Samsung and
Google themselves in 2011 – a laptop system which is driven by the Chrome
browser at its core, controlling many of its features and capabilities.
Chromebooks by 2018 made up 60% of computers purchased for schools.
HTTP
Hypertext Transfer Protocol (HTTP) is a protocol used by applications in
the collaborative, hypermedia information system known as the web. The
main idea is the ability to link documents, and later other resources, simply
by clicking on a web page at specific points. HTTP has a long history of
development since its beginnings back in 1989 with Tim Berners-Lee
at CERN. HTTP/1.1 was first documented in 1997, with further
developments in 2015 as HTTP/2, keeping the HTTP semantics, and then
HTTP/3 in 2019, added to Cloudflare and Google Chrome. Each revision
brought new improvements; for example, in HTTP/1.0, a separate
connection to the same server was made for each request, whereas in
HTTP/1.1, a single connection can be used multiple times to download web
page components such as images, stylesheets, scripts etc., which may take
place after the page itself has been delivered. This reduced the latency
caused by TCP connection establishment, which carries significant overhead.
Within the client-server computing model, HTTP functions as a
request-response model, with the client typically running the browser and
the server hosting a website. The client, via the browser, submits an HTTP
request message to the server which then provides, in return, resources such
as HTML and multimedia in response. The response message also contains
metadata such as whether the request was successful and the information
itself in its main body.
HTTP utilizes intermediate network elements to allow better
communication to take place between the clients and servers involved; for
example, high-traffic websites can use web cache servers to deliver content
to improve response time. Caches can also be used in the web browser to
help reduce network traffic. Also, HTTP proxy servers can allow
communication for clients acting as gateways where they do not have a
globally routable address, acting as relays between external servers.
HTTP is designed within the framework of the Internet protocol suite
at the application layer. It is built upon a transport layer protocol;
specifically, TCP is used, though HTTP can be adapted to use the unreliable
UDP. An example of this is the adapted version HTTPU utilized by
Universal Plug and Play (UPnP) for data transfer and also Simple Service
Discovery Protocol (SSDP), primarily utilized for advertising services on a
TCP/IP network and discovering them.
HTTP RESOURCES
One of the main aspects of the web is the ability to link pages and resources.
This is done through Uniform Resource Locators (URLs) (see Figure 2.3)
using the Uniform Resource Identifier (URI) schemes for http and https.
For example:
http://nanook.dog:passwordinfo@www.somewhere.com:248/archive/question/?quest=bookorder=past#top
HTTP CONNECTIONS
As HTTP has evolved, some network-related changes have occurred. Early
versions of HTTP (0.9 / 1.0) closed the connection after each single request/
response. In version 1.1, the keep-alive mechanism was brought in, where
the connection can be reused for more than one request. This is an example
of a persistent connection, which reduces the overheads and, therefore,
latency in communications. The 1.1 version also introduced a chunked
transfer encoding, allowing such connections to be streamed rather than
buffered. Methods were also introduced to control the amount of a resource
transmitted – sending only the amount actually requested.
Figure 2.3 Uniform resource locator breakdown.
Although HTTP is a stateless protocol (with no persistent connection)
which does not require the server to retain information, web applications
can utilize server-side sessions, hidden variables within forms or HTTP
cookies.
HTTP protocols are built on messages. The request message consists of
the request line, for example, GET /docs/mydognanook.png HTTP/1.1,
which requests the image file mydognanook.png from the server. Along
with this, there are request header fields such as Accept-Language: en.
This is followed by an empty line and then the message body, which can be
optional.
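The URL from the HTTP RESOURCES section and the request line above, taken apart and turned into an HTTP/1.1 request message; this is an added example, not the book's own code, and the default-port table is an assumption of the example.

```python
from urllib.parse import urlsplit, parse_qsl

DEFAULT_PORTS = {"http": 80, "https": 443}        # assumption: only these two schemes are handled

# The example URL from the text, used as the worked input
EXAMPLE_URL = ("http://nanook.dog:passwordinfo@www.somewhere.com:248"
               "/archive/question/?quest=bookorder=past#top")


def breakdown(url: str) -> dict:
    """Split a URL into the parts Figure 2.3 labels."""
    p = urlsplit(url)
    if p.scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {p.scheme!r}")
    return {
        "scheme": p.scheme,
        "userinfo": (p.username, p.password),   # credentials embedded in the URL, if any
        "host": p.hostname,
        "port": p.port if p.port is not None else DEFAULT_PORTS[p.scheme],
        "path": p.path or "/",                  # an empty path means the root document
        "query": p.query,
        "params": parse_qsl(p.query, keep_blank_values=True),
        "fragment": p.fragment,                 # handled by the client, never sent to the server
    }


def build_request(url: str, method: str = "GET", headers=None) -> bytes:
    """Build the request line, Host field and extra header fields, ending with the
    empty line that separates headers from the (here absent) body."""
    b = breakdown(url)
    target = b["path"] + (f"?{b['query']}" if b["query"] else "")
    host = b["host"]
    if b["port"] != DEFAULT_PORTS[b["scheme"]]:
        host = f"{host}:{b['port']}"          # Host carries the port only when it is not the default
    lines = [f"{method} {target} HTTP/1.1", f"Host: {host}"]
    for name, value in (headers or {}).items():
        lines.append(f"{name}: {value}")
    for line in lines:
        # A CR or LF inside a field would be read by the server as the start of
        # another header line, so refuse to serialise such a value.
        if "\r" in line or "\n" in line:
            raise ValueError(f"CR/LF not allowed in request fields: {line!r}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")
```

Note that the userinfo and the fragment of the example URL never appear in the bytes sent: the first belongs in an Authorization field if it is needed at all, the second stays in the browser.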
As seen in this example, an HTTP request contains a method word which
indicates the desired action to take place, in this case GET:
GET – This is a request for a resource, it retrieves data and has no other
effect.
HEAD – The HEAD method is similar to the GET request but has no
response body. In effect, this is useful for retrieving meta-information
in response headers without retrieving the whole content.
POST – The post method requests that the server receives the contained
resource, which could be, for example, a message for a blog, a mailing
list, comments for a social media page or a block of data that has been
submitted through a web form for processing.
PUT – The PUT method requests that the transmitted resource is stored
at the supplied URI, which can modify an existing resource or create
a new one.
DELETE – This method deletes the specified resource.
TRACE – This repeats the received request so a client can see if changes
have been applied by servers in transit.
OPTIONS – This method returns HTTP methods that are available on a
server for a particular URL. This is useful to check the functionality
of the web server.
CONNECT – The HTTP CONNECT method can be used to open a two-way
communication with a requested resource, possibly through a TCP/IP
tunnel. An example of this would be its access via SSL (HTTPS).
PATCH – This method allows the application of modifications to a
resource.
These methods can be broken into two groups. The first group,
encompassing GET, HEAD, OPTIONS and TRACE, can be defined as safe,
that is, they are utilized for information retrieval and do not have the
ability to change the server’s state. However, the second group, containing
the remaining POST, PUT, DELETE and PATCH, can cause changes in the
server, possibly email transmission or financial transactions.
Bad or malicious programming via bots and web crawlers can cause some
of the so-called safe group to bring about issues. These nonconforming
programs can make requests out of context or through mischief.
CONVERSATIONS WITH A SERVER
To get an idea of how the communication process works between an HTTP
client and an HTTP server, it is possible to replicate the process by
pretending to be the client browser. This is done by using a terminal
program such as PuTTY, or telnet in a terminal, and talking to a web server
over port 80. This is made possible by the commands being simple text
strings, following a particular syntax.
For example, a request can be made using the following in a Linux
terminal:
telnet google.com 80
This starts telnet and connects to the google.com website on port 80. There
will follow a response indicating either no connection or a connection, as in
this case:
Trying 216.58.204.46...
Connected to google.com.
Escape character is '^]'.
The actual request is then made:
GET / HTTP/1.1
That is, there is a request for the index page at the root of the web server.
Again, the server responds with either a page-not-found or a found response:
HTTP/1.1 200 OK
Date: Wed, 17 Jun 2020 13:33:40 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: 1P_JAR=2020-06-17-13; expires=Fri, 17-Jul-2020 13:33:40 GMT; path=/; domain=.google.com; Secure
Set-Cookie: NID=204=IEfJRPAg4hjlmvJ2VW-2FRgJkB-WgddzTTTRUU9fpFr7WaOXlqaFk5kvNx7slnP5HWoVwnvMBitdh1roJdv3e20k5vfq1ONyCviG9ToVueusykITs4JFevGhFC5ke60a-08kDqoajysA8HDQj6ArMmPRpRKPGCCwvA5eaG5bcmU; expires=Thu, 17-Dec-2020 13:33:40 GMT; path=/; domain=.google.com; HttpOnly
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked

5b6d
<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en-GB"><head><meta content="text/html; charset=UTF-8" …
The web page requested follows. The first line that is returned is the
response code, to the effect of it being found or not, though there are many
possible codes, such as website redirects and so on. These status codes
break into several groups: 1xx informational, 2xx success, 3xx redirection,
4xx client error and 5xx server error. In this instance, the code was 200,
that is, it was successful. However, a response of 404 would indicate that
the requested resource was not found.
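An added example (not the book's code) that parses a raw response like the one above: it splits the status line and header fields, maps the code to its 1xx to 5xx class, decodes the chunked body that the 5b6d line introduces, and reads the Secure and HttpOnly flags off the Set-Cookie fields. The response bytes are constructed to resemble the capture above, with a placeholder cookie value and a much shorter body.

```python
STATUS_CLASSES = {1: "informational", 2: "success", 3: "redirection",
                  4: "client error", 5: "server error"}

# Constructed response modelled on the capture in the text (not the real bytes)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Wed, 17 Jun 2020 13:33:40 GMT\r\n"
    b"Content-Type: text/html; charset=ISO-8859-1\r\n"
    b"Server: gws\r\n"
    b"X-Frame-Options: SAMEORIGIN\r\n"
    b"Set-Cookie: 1P_JAR=2020-06-17-13; expires=Fri, 17-Jul-2020 13:33:40 GMT; "
    b"path=/; domain=.google.com; Secure\r\n"
    b"Set-Cookie: NID=placeholder; expires=Thu, 17-Dec-2020 13:33:40 GMT; "
    b"path=/; domain=.google.com; HttpOnly\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"f\r\n<!doctype html>\r\n"      # chunk of 15 (0xf) bytes
    b"6\r\n<html>\r\n"               # chunk of 6 bytes
    b"0\r\n\r\n"                     # last chunk, no trailers
)


def status_class(code: int) -> str:
    return STATUS_CLASSES.get(code // 100, "unknown")


def decode_chunked(body: bytes) -> bytes:
    """Reassemble a chunked body: each chunk is '<hex size>[;ext]\\r\\n<data>\\r\\n'."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size = int(body[pos:eol].split(b";")[0].strip(), 16)   # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)                                   # 0-sized chunk ends the body
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk data")
        out += chunk
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("missing CRLF after chunk data")
        pos += 2


def parse_response(raw: bytes) -> dict:
    """Split status line, header fields and body; duplicates such as two
    Set-Cookie fields are kept in order rather than collapsed into a dict."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no blank line ending the headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"bad status line: {lines[0]!r}")
    code = int(parts[1])
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"bad header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    values = lambda n: [v for k, v in headers if k == n]
    if any("chunked" in v.lower() for v in values("transfer-encoding")):
        body = decode_chunked(body)
    elif values("content-length"):
        body = body[:int(values("content-length")[0])]
    return {"version": parts[0], "status": code,
            "reason": parts[2] if len(parts) > 2 else "",
            "class": status_class(code), "headers": headers, "body": body}


def cookie_flags(headers) -> dict:
    """Map each cookie name to the lower-cased attribute names set on it."""
    flags = {}
    for name, value in headers:
        if name != "set-cookie":
            continue
        pieces = [p.strip() for p in value.split(";")]
        cookie_name = pieces[0].split("=", 1)[0]
        flags[cookie_name] = {p.split("=", 1)[0].lower() for p in pieces[1:] if p}
    return flags
```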
There are other nonconventional ways of accessing web page information,
for example, with both wget and curl it is possible to interact with a
web server:
wget https://google.com
--2020-06-17 14:39:32--  https://google.com/
Resolving google.com (google.com)... 216.58.204.46, 2a00:1450:4009:80d::200e
Connecting to google.com (google.com)|216.58.204.46|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.google.com/ [following]
--2020-06-17 14:39:32--  https://www.google.com/
Resolving www.google.com (www.google.com)... 216.58.210.36, 2a00:1450:4009:814::2004
Connecting to www.google.com (www.google.com)|216.58.210.36|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html.1’
index.html.1 [ <=> ] 11.58K --.-KB/s in 0s
2020-06-17 14:39:32 (69.6 MB/s) - ‘index.html’ saved [11853]
Using wget it is also possible to download entire websites:
# download website, 2 levels deep, wait 9 sec per page
wget --wait=9 --recursive --level=2 http://example.org/
cURL will also download files and web pages, for example:
curl http://www.centos.org
will output the web page to the terminal in Linux, whereas
curl -o mygettext.html http://www.gnu.org/software/gettext/manual/gettext.html
will output to a file.
UPNP
Universal Plug and Play protocols allow network devices such as personal
computers, Internet gateways, scanners and printers to find each other
without too much complexity involved. This set of protocols manages
services for data sharing and communications, as well as entertainment; to
this end, UPnP is primarily intended for residential networks rather than
business or enterprise class-level devices. The idea is one which extends the
concept of plug and play, that is, devices which are attached to a computer
can automatically establish working configurations with other devices. The
manner in which this is done, via multicast, results in consumption of
network resources with a large number of devices involved, hence the
unsuitability at the enterprise level.
UPnP utilizes IP leveraging HTTP on top of this in order to provide
device interaction, description, data transfer and event management. This
is primarily done on UDP port 1900 using a multicast version of HTTP,
known as HTTPMU.
There are various security issues with UPnP, some of which will be
mentioned here. The service, for example, does not implement any
authentication, due to its intended simplicity, though implementations
should utilize a Device Protection service or Device Security Service,
allowing user authentication and authorization for devices and
applications. If such authentication mechanisms are not implemented,
routers and firewalls running the protocol are vulnerable to attack.
Tools have been developed, for example, which exploit flaws in UPnP
device stacks, allowing requests to enter from the Internet. As shown by
such tools, it is a widely dispersed problem, with millions of vulnerable
devices freely accessible around the world.
UPnP is still being developed, and certification for new versions of the
protocol continues in a bid to design out the flaws which appear.
REMOTE ACCESS PROTOCOLS
Several protocols allow remote access to servers and other devices.
They either allow terminal-type access or access which is limited to the
transfer of files. Obviously, any mechanism which allows the command of
a machine at a distance in such a way also provides a means to access the
data or services available, if hijacked.
A common means of transferring files while building websites, for
example, is FTP – file transfer protocol. FTP is based on a client-server
model architecture with separate control and data connections between
the client and the server. The original FTP utilized a clear-text sign-in
protocol with username and password, although there is also an anonymous
connection mode available, if the server is configured for this.
To secure both log-in authentication and the transfer of content, FTP
can be protected with SSL/TLS (FTPS), or entirely replaced with SSH File
Transfer Protocol (SFTP).
FTP was originally based on utilization through the command line, with
various commands allowing the transfer and manipulation of files. These
text-based command systems are actually still built into most operating
systems, though graphical-based interfaces have overtaken them but still
utilize the underlying basic mechanism of a command set which has been
added to programmatically. These applications allow batch operations and
automation of such activities.
IDEs, which allow editing of files directly, such as HTML, JavaScript or
even server side, PHP and Node, can have a built-in FTP system. Other
editors such as Notepad++ have these included as plug-ins.
FTP can run in active or passive network modes, which determine how
a data connection is established. However, a common feature is that the
client will create a TCP control connection from a random port to the FTP
server command port 21. In the active mode, the user connects from the
random port to port 21 (the command channel), where it will send the
PORT command specifying which client-side port should be used for the
data channel, which will be connected to port 20 on the server.
In passive mode, the data port on the server, instead of being port 20, is
any port designated by the server. The sequence in this case is that the
client will connect to the server on port 21 with the PASV command and
the server will reply with a port number for data transfer.
The reasoning here, to have two modes available, is to get round possible
problems whereby, in active mode, the attempted connection from port 20
to the FTP client on a random port is blocked by the client’s firewall. In
effect, here, it is the server which is initiating the connection.
In the passive mode, it is the client which initiates the connection and,
therefore, the firewall on the client side is organized in such a way as to
allow the connection through. It is much more likely that the server firewall,
if one exists, will adapt, due to the greater number of connection requests,
and allow these kinds of passive mode configurations to take place.
FTP can also set the type of data transmission into either binary or an
ASCII text mode, depending on the type of data being sent.
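The PASV reply and PORT command exchange from the two modes above, as an added example that is not the book's code. The reply text and addresses are constructed, and the rule of ignoring an advertised data address that differs from the control-connection peer is a safeguard assumed by the example rather than something the text states.

```python
import re

# h1,h2,h3,h4 are the address octets, p1,p2 the port bytes: port = p1 * 256 + p2
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def _check_octets(octets) -> None:
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"invalid IPv4 address octets: {octets}")


def parse_pasv_reply(reply: str) -> tuple:
    """Turn '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (host, port)."""
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV success reply: {reply!r}")
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"no (h1,h2,h3,h4,p1,p2) group in reply: {reply!r}")
    nums = [int(x) for x in m.groups()]
    _check_octets(nums[:4])
    p1, p2 = nums[4:]
    if p1 > 255 or p2 > 255:
        raise ValueError(f"port bytes out of range: {p1},{p2}")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("server advertised port 0")
    return ".".join(str(o) for o in nums[:4]), port


def build_port_command(client_ip: str, port: int) -> str:
    """Active mode: tell the server which client address and port to connect to."""
    octets = [int(x) for x in client_ip.split(".")]
    _check_octets(octets)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return "PORT {},{},{}\r\n".format(",".join(str(o) for o in octets),
                                      port // 256, port % 256)


def passive_data_endpoint(reply: str, control_peer_ip: str) -> tuple:
    """Where the client should open the data connection in passive mode.
    A server behind NAT may advertise a private address, and a hostile server
    could advertise a third party's; the address is only honoured when it is
    the same server the control connection is already talking to."""
    host, port = parse_pasv_reply(reply)
    if host != control_peer_ip:
        host = control_peer_ip
    return host, port
```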
Another protocol used for file transfer is SCP (Secure Copy Protocol),
based on the SSH protocol, though the developers have said that this is now
outdated and inflexible, with the recommendation that SFTP and rsync be
used instead. The general idea behind SCP is that the client initiates an SSH
connection to the remote host and requests that an SCP process be started
on the remote server, which operates in either source mode (in which files
are read and transferred back) or sink mode, where it writes accepted
incoming files to the remote host.
SFTP is a similar mechanism for allowing file transfer to FTP albeit in
a more secure manner. It is not simply FTP run over SSH but an entirely
new protocol developed from the ground up, and it should not be confused
with the unsecure and less complex Simple File Transfer Protocol, which is
little used.
TELNET (teletype network) [6] is one of a few application protocols
which provide a text-based virtual terminal connection over TCP and was
developed in 1969. The virtual terminal allows for a command-line
interface composed of specific keywords, such as passwd, which will allow
a password change. Most servers being accessed remotely would be
Unix-like server systems or network devices, such as routers.
This protocol is used to establish a connection to TCP port number 23,
where a telnet daemon, telnetd, is listening.
More recently, due to security concerns, telnet usage has diminished in
favor of SSH. Originally telnet was developed with large companies,
government facilities or academic campuses in mind, where the
communication would take place over LAN and at relatively slow
bandwidth. In the 1990s, with the increase in communication speeds,
Internet access and the rise in hacking, telnet needed alternatives, or at
least hardening in some sense. As well as the lack of encryption, other
problems became an issue, including an interception by a party between the
client and server, a so-called man-in-the-middle attack, and vulnerabilities
in telnet daemon processes.
Some telnet versions and extensions were developed utilizing TLS
security, among others, though for the most part SSH has taken over.
One area where its use persists is that of Amateur radio, where hobbyists
use it for packet radio, though, as can be seen above, telnet can be useful
for testing ports or communicating with web servers, to see raw source files.
In Windows, PuTTY can open telnet windows for such testing, or
Linux/Unix-based systems can install telnet clients.
Rsync is a very useful tool for transferring and synchronizing files
between a source and destination, where the destination could be either
local or remote. It utilizes a comparison technique which looks at
modification times and sizes of files and is written in C as a single-threaded
application. Rsync uses an algorithm which minimizes network usage and
can incorporate data compression along with SSH or stunnel for security.
Rsync is typically used for synchronizing software repositories on mirror
sites used by package management systems.
Command usage examples include:
rsync options source destination
• -v: verbose
• -r: copies data recursively (but does not preserve timestamps and
permissions while transferring data)
• -a: archive mode, which copies files recursively and also preserves
symbolic links, file permissions, user and group ownerships and timestamps
• -z: compress file data
• -h: human-readable, output numbers in a human-readable format
For example:
rsync -zvh websitebackup.tar /tmp/backups/
will sync a single file on a local machine from one location to another
backup location, whereas
rsync -avzh root@192.168.0.100:/home/tarunika/rpmpkgs /tmp/myrpms
will copy and sync a remote directory to a local machine.
To specify the remote shell protocol to use, the -e option can be given:
rsync -avzhe ssh root@192.168.0.100:/root/install.log /tmp/
This copies a remote file to a local server using SSH.
SSH
The Secure Shell (SSH) protocol [7] is an encrypted network protocol which
allows network services to be used over an unsecured network. Typically,
a user can utilize remote log-in and run commands, but as this is a
protocol as such, many network services can use this to be secure. It relies
on a client-server architecture, which has an SSH client application at one
side and an SSH server at the other. Using TCP port 22, the protocol is
usually used to access UNIX-type systems but can also be used for
Windows, and in particular Windows 10, which utilizes OpenSSH as its SSH
server and client.
Public-key cryptography is used in SSH to authenticate the remote
computer and also the user if desired. In SSH, there are several methods of
proceeding with the encryption; one such way can be done by using
automatically generated public-private key pairs to encrypt a network
connection and then using a password as authentication for the log on.
Lists of authorized public keys are usually stored in the home directory of
the user that is allowed to log in remotely. Typically, this is
~/.ssh/authorized_keys, subject to certain conditions, such as being not
writable by anything apart from the user and root. If there is a matching
public key on the remote server which corresponds to a private key on the
local side, there is no need for a typed password, though additional security
can lock the private key with a passphrase to protect it further.
A utility called ssh-keygen can produce pairs of public and private keys.
Password-based authentication can also be encrypted by automatically
generated keys, though a man-in-the-middle attack could allow the attacker
to imitate the server side, ask for the password and obtain it. This would
only be possible if the two sides had not been authenticated previously, as
SSH remembers the keys that the server side has used before. A warning is
usually given before accepting the keys of new servers.
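An added example (not the book's code) that checks an authorized_keys file against the conditions described above: owned by the user or root and writable by nobody else, plus a parse of each entry that confirms the base64 blob really carries the key type it claims. The key bytes and file location are constructed; make_key_line builds a placeholder entry for testing, not a usable key.

```python
import base64
import os
import stat
import struct
import tempfile
from pathlib import Path

# Assumption: the common OpenSSH public-key types are the only ones accepted
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def permission_problems(path: Path) -> list:
    """List how the file violates 'owned by the user or root, writable by nobody else'."""
    problems = []
    st = path.stat()
    if st.st_uid not in (os.getuid(), 0):
        problems.append("not owned by the login user or root")
    if st.st_mode & GROUP_OR_OTHER_WRITE:
        problems.append("writable by group or others")
    if path.parent.stat().st_mode & GROUP_OR_OTHER_WRITE:
        problems.append("containing directory writable by group or others")
    return problems


def _split_options(line: str):
    """Split a leading options field (which may contain quoted spaces) from the rest."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in " \t" and not in_quotes:
            return line[:i], line[i:].lstrip()
    return line, ""


def parse_authorized_keys(text: str) -> list:
    """Parse entries of the form [options] key-type base64-blob [comment]."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                  # blank lines and comments
        options = ""
        if line.split(None, 1)[0] not in KEY_TYPES:
            options, line = _split_options(line)      # first field is an options list
        fields = line.split(None, 2)
        if len(fields) < 2 or fields[0] not in KEY_TYPES:
            raise ValueError(f"line {lineno}: expected '<key-type> <base64>'")
        key_type, b64 = fields[0], fields[1]
        comment = fields[2] if len(fields) == 3 else ""
        blob = base64.b64decode(b64, validate=True)
        (n,) = struct.unpack("!I", blob[:4])          # wire format starts with the key type string
        if blob[4:4 + n] != key_type.encode():
            raise ValueError(f"line {lineno}: blob does not carry key type {key_type}")
        entries.append({"line": lineno, "options": options,
                        "type": key_type, "comment": comment})
    return entries


def make_key_line(key_type: str, key_bytes: bytes, comment: str = "",
                  options: str = "") -> str:
    """Build a constructed authorized_keys line for testing; key_bytes is not a real key."""
    blob = (struct.pack("!I", len(key_type)) + key_type.encode()
            + struct.pack("!I", len(key_bytes)) + key_bytes)
    prefix = options + " " if options else ""
    return f"{prefix}{key_type} {base64.b64encode(blob).decode()} {comment}".rstrip()


def demo_permission_check():
    """Write a constructed file in a temporary directory and audit it at two modes."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "authorized_keys"
        path.write_text(make_key_line("ssh-ed25519", b"\x01" * 32, "lab@example") + "\n")
        os.chmod(path, 0o600)                         # user read/write only
        strict = permission_problems(path)
        os.chmod(path, 0o666)                         # world-writable: anyone could add a key
        loose = permission_problems(path)
    return strict, loose
```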
SUGGESTED PROJECTS AND EXPERIMENTS
As well as the exercises mentioned above, such as talking to a web server via
a terminal-type program, there are a few other ideas to explore.
Deploy Apache
If you are relatively new to web development, one of the best ways of
learning is to actually set up your own web server and configure it. To do
this you have several options:
• XAMPP or similar, LAMP etc. XAMPP is a useful server that can be
installed quickly and is a relatively painless way to learn how to configure
Apache server on several platforms, including Windows, Linux or Mac OSX.
• Apache install. Apache can be installed on various platforms directly;
in fact some platforms come with Apache already but need activating
and configuring.
• Serve via Flask – Python has its own modules for deploying a web
server, including Flask, a micro web serving module.
• Serve via Node – Node.js has, like Python, ways to serve web pages. It
can do this at a lower level or via modules such as Express.
• Other – many other languages have their own way of deploying a web
server, usually through modules or libraries.
Once you have your web server running, usually, in whatever platform and
language you use, there is a live folder for your web pages to go in.
Deploy a Droplet or virtual server
A slightly different idea to deploying to your own machine is to “spin-up”
your own virtual machine in the cloud. Several companies offer this
capability, one of which is Digital Ocean and their Droplets, which are
reasonably priced to run – and not a great deal of resources are needed to
experiment with a simple web server deployment. Digital Ocean Droplets
also let you deploy a ready-made web server – so there are no modules to
deploy. You can also include database capability such as MySQL within the
package, or deploy a second Droplet to act in this capacity, behind a
firewall with only access to the main web server Droplet. Once the Droplet
is instantiated, it can be controlled via the web panel and connected to via
terminals or applications through SSH.
Again, you may have gone for the Apache option, and this will have all
the usual features on whatever platform you opted for.
Once you have your web server deployed, in any of the above
configurations and platforms, you have the perfect testing ground to learn
the basics or more advanced techniques mentioned elsewhere in this book.
For now, experiment with web pages, and scripting.
REFERENCES
1. L.G. Roberts and B.D. Wessler, “Computer network development to achieve
resource sharing,” Proc. Spring Joint Computer Conf., May 1970.
2. R. Braden, “Requirements for Internet Hosts – Communication Layers.”
RFC 1122. https://history-computer.com/Library/rfc1122.pdf Retrieved 20th
May 2021.
3. https://www.iana.org/ Retrieved 20th May 2021.
4. J. Postel, “User Datagram Protocol.” RFC 768.
https://tools.ietf.org/html/rfc768 Retrieved 20th May 2021.
5. T.H. Nelson, “Complex information processing: a file structure for the
complex, the changing and the indeterminate,” ACM '65: Proc. 1965 20th Nat.
Conf., August 1965, Pages 84–100. https://dl.acm.org/doi/10.1145/800197.806036
6. J. Postel and J. Reynolds, “TELNET Protocol Specification.” RFC 854.
https://tools.ietf.org/html/rfc854 Retrieved 20th May 2021.
7. T. Ylonen, “The Secure Shell (SSH) Transport Layer Protocol.” RFC 4253.
https://tools.ietf.org/html/rfc4253
Chapter 3
Cryptography
WHY WE NEED CRYPTOGRAPHY
When the Internet was initially developed it would never have been
imagined the number of uses that would be found for it. The web brought
with it everything, from the trivial to the essential – and much in between.
Along with it came military, educational and commercial applications. In
every sphere that was brought into the net came the important question
of keeping information safe and secure. Whether it was the deployment of
troops, guidance systems or simply keeping grades for students safe from
manipulation, all required the idea of being “eyes only” for those who
were in charge of it.
While networks can be made relatively secure, there is always the
possibility that the information can be intercepted at some point or
unauthorized access gained. When this happens, there is a final defense –
encryption. If the information is undecipherable, then capturing it may not
be the downfall of a system.
CLASSICAL CRYPTOGRAPHY
Since ancient times the division between one side and its adversary has made it important to find a way of hiding messages while information is in transit. Obviously, there was no device such as a computer chip to make such processing easy, but there were ideas, albeit fairly simple by modern standards, of how to scramble a message beyond recognition and at a later time reveal it again. Classical algorithms are usually defined as those invented pre-computer, up to around the 1950s.

These techniques tended to work on the actual letters themselves, rather than on other representations such as bits and bytes. Some of these techniques you may have already encountered as a child attempting to send messages to your friends. It should be noted here that classical ciphers are symmetric in nature: they rely on the same key for both encryption and decryption. There are many types which fall into the classical category, including:
DOI: 10.1201/9781003096894-3
• Atbash Cipher
• ROT13 Cipher
• Caesar Cipher
• Affine Cipher
• Rail-fence Cipher
• Baconian Cipher
• Polybius Square Cipher
• Simple Substitution Cipher
• Codes and Nomenclators Cipher
• Columnar Transposition Cipher
• Autokey Cipher
• Beaufort Cipher
• Porta Cipher
• Running Key Cipher
• Vigenère and Gronsfeld Cipher
• Homophonic Substitution Cipher
• Four-Square Cipher
• Hill Cipher
• Playfair Cipher
• ADFGVX Cipher
• ADFGX Cipher
• Bifid Cipher
• Straddle Checkerboard Cipher
• Trifid Cipher
• Base64 Cipher
• Fractionated Morse Cipher
During World War II, ciphers were developed which relied on complex gearing mechanisms to encipher the text. These include the Enigma Cipher and the Lorenz Cipher. One of the main problems behind encryption is the production of random numbers: mechanical devices are deterministic and produce only pseudorandom keys. A far better way of generating random numbers is to use a white noise source, such as the one patented by Dr. Werner Liebknecht in 1952, which was the first patent filed for such a device. This produced evenly spread nondeterministic numbers that were suited for encryption devices.

Some of these ciphers are discussed here, most notably those which are substitution ciphers.
SUBSTITUTION CIPHERS
Substitution ciphers are a means of encrypting plaintext into ciphertext according to a fixed system. This is done by replacing units within the plaintext with ciphertext units, where the units could be either single letters (the most common method) or multiple letters, such as pairs, triplets or mixtures of the two. To decipher the text, the receiver of the encrypted message performs the inverse substitution. It is useful here to compare with the transposition cipher, where the units of the plaintext are left the same but rearranged into a different, usually complex, order. In the substitution cipher the units are changed but their order in the sequence remains the same.

Substitution ciphers are of several types, including the simple, where the cipher operates on single letters, and the polyalphabetic, where the cipher operates on larger groups of letters. There can also be variety within this: a monoalphabetic cipher will use a fixed substitution over the message, whereas a polyalphabetic cipher will use a number of substitutions at different points in the message.
FREQUENCY ANALYSIS
There are 26! cipher keys for a rather simple substitution cipher; nevertheless, knowing the original language and the frequency distribution of the letters that occur in it makes the cipher easier to decrypt. In the English language, "e" will generally appear most frequently, then "t" and "a". Letters such as "x", "q" and "z" appear at the end.

Figure 3.1 English language distribution of letters.

If the entire range of this distribution is known (see Figure 3.1), it can help when analyzing a longer (say over 100 letters) text. To do this, either by hand, for a simple message, or by writing a small script, it is possible to compare the frequency of the characters occurring and remap, to some extent, their possible plaintext unit. For example, it is a fairly easy matter to pull out the "e"s first. For shorter texts, this can present a problem, as there is not as much to analyze. However, it is also possible to look for the most common two-, three- and four-letter words as units to help with the analysis, along with punctuation, if this still exists in the text (which is unlikely). Other patterns to look for also exist on a frequency basis, which can be used in any algorithm developed. The complete analysis may, therefore, include looking for:
• Most frequent letters
• Frequent words of varying lengths (one letter, two letter, three letter etc.)
• Frequent single letters, digraphs, trigraphs, doubles, initial letters, final letters

By breaking the text up into bigrams, trigrams or quadgrams, further analysis can be done.
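The following script is an added illustration of the "small script" approach described above; it is not code from the book. It enciphers a constructed plaintext with a constructed monoalphabetic key, ranks the ciphertext letters by frequency, pulls out the most common trigram, and makes a first-pass mapping by lining the ranking up against a commonly quoted English frequency order (the ordering string is an assumption; exact ranks vary between corpora). Only the top few ranks of such a mapping are reliable, which is why the n-gram counts are there to refine it.

```python
from collections import Counter
import string

# English letters from most to least frequent (a commonly quoted ordering;
# assumed here, exact ranks differ slightly between corpora).
ENGLISH_ORDER = "etaoinshrdlcumwfgypbvkjxqz"

# Constructed substitution key for the demonstration: the plaintext letter at
# position i of the alphabet is replaced by CIPHER_ALPHABET[i].
CIPHER_ALPHABET = "qwertyuiopasdfghjklzxcvbnm"
KEY = dict(zip(string.ascii_lowercase, CIPHER_ALPHABET))

# Constructed sample plaintext, a little over 100 letters as the text recommends.
SAMPLE_PLAINTEXT = ("the enemy defenders were seen near the eastern gate before the "
                    "evening and the sentries were relieved at the third hour of the night")


def letters_only(text):
    """Lower-case the text and keep a-z only; spaces and punctuation are
    assumed to have been stripped from the ciphertext, as the chapter notes."""
    return "".join(ch for ch in text.lower() if ch in string.ascii_lowercase)


def encipher(plaintext, key=KEY):
    """Simple (monoalphabetic) substitution: one fixed replacement per letter."""
    return "".join(key[ch] for ch in letters_only(plaintext))


def letter_ranking(text):
    """Letters present in the text, most frequent first (ties alphabetical)."""
    counts = Counter(letters_only(text))
    return sorted(counts, key=lambda ch: (-counts[ch], ch))


def ngram_counts(text, n, top=5):
    """Most common n-grams (bigrams, trigrams, quadgrams) in the text."""
    clean = letters_only(text)
    grams = Counter(clean[i:i + n] for i in range(len(clean) - n + 1))
    return grams.most_common(top)


def rank_mapping(ciphertext):
    """First-pass guess: the i-th most frequent cipher letter is mapped to the
    i-th most frequent English letter. Only the top ranks are trustworthy; the
    rest are refined by looking at common words and n-grams."""
    return dict(zip(letter_ranking(ciphertext), ENGLISH_ORDER))


def apply_mapping(ciphertext, mapping):
    """Decode with a (possibly partial) mapping, marking unknown letters '?'."""
    return "".join(mapping.get(ch, "?") for ch in letters_only(ciphertext))


def analyse(plaintext=SAMPLE_PLAINTEXT, key=KEY):
    """Encipher the sample and run the analysis a cryptanalyst would start with."""
    ciphertext = encipher(plaintext, key)
    guess = rank_mapping(ciphertext)
    return {
        "ciphertext": ciphertext,
        "top_letter": letter_ranking(ciphertext)[0],
        "top_trigram": ngram_counts(ciphertext, 3, top=1)[0][0],
        "guess": guess,
        "first_pass": apply_mapping(ciphertext, guess),
    }


if __name__ == "__main__":
    result = analyse()
    print("ciphertext :", result["ciphertext"])
    print("top letter :", result["top_letter"], "(guessed to be e)")
    print("top trigram:", result["top_trigram"], "(guessed to be the)")
    print("first pass :", result["first_pass"])
```

Running it shows the most frequent ciphertext letter is the image of "e" and the most frequent trigram is the image of "the"; the rest of the first-pass text is only partly readable, which is exactly where the word-length and digraph checks listed above take over.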
To get around frequency analysis being able to crack substitution ciphers, a method must be found, on the cryptography side, that effectively flattens the distribution of letters contained within the ciphertext. One of the ways this is done is by allowing more choices per letter in terms of encryption. This is known as homophonic substitution. For example, it is possible to allow "E", the most common letter, to have several different possibilities rather than just one; in this way, the frequency distribution is flattened, and the cipher becomes more secure (see Figure 3.2).
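As an added example (not from the book), the script below builds a homophonic table in which the most frequent English letters receive several two-digit symbols, enciphers a constructed plaintext by cycling through each letter's homophones, and then measures how flat the result is using the index of coincidence and the share of the single most common symbol. The allocation of homophones per letter and the sample text are assumptions made for the demonstration; the same text under a monoalphabetic cipher has exactly the statistics of the plaintext letters, so those serve as the baseline.

```python
from collections import Counter
import itertools
import random
import string

# Constructed allocation: frequent letters get several cipher symbols, the
# rest get one. The counts are an assumption for the demonstration.
HOMOPHONE_COUNT = {"e": 5, "t": 3, "a": 3, "o": 3, "i": 2, "n": 2, "s": 2, "h": 2, "r": 2}

# Constructed sample plaintext.
SAMPLE_PLAINTEXT = ("meet me at the eastern gate before the evening bell and bring "
                    "the sealed letters to the tent of the general")


def letters_only(text):
    return "".join(ch for ch in text.lower() if ch in string.ascii_lowercase)


def build_table(seed=1):
    """Hand out shuffled two-digit symbols 00-99; the seed fixes the table so the
    sender and receiver (and this demo) agree on it."""
    symbols = [f"{i:02d}" for i in range(100)]
    random.Random(seed).shuffle(symbols)
    pool = iter(symbols)
    return {ch: [next(pool) for _ in range(HOMOPHONE_COUNT.get(ch, 1))]
            for ch in string.ascii_lowercase}


def symbols_of(ciphertext):
    """Split a ciphertext string into its two-character symbols."""
    return [ciphertext[i:i + 2] for i in range(0, len(ciphertext), 2)]


def encrypt(plaintext, table):
    """Cycle through a letter's homophones so each is used about equally often;
    that even spread is what flattens the symbol distribution."""
    cycles = {ch: itertools.cycle(syms) for ch, syms in table.items()}
    return "".join(next(cycles[ch]) for ch in letters_only(plaintext))


def decrypt(ciphertext, table):
    """Every symbol belongs to exactly one letter, so decryption is a lookup."""
    inverse = {sym: ch for ch, syms in table.items() for sym in syms}
    return "".join(inverse[sym] for sym in symbols_of(ciphertext))


def index_of_coincidence(units):
    """Probability that two units drawn at random are equal. English letters
    give roughly 0.066; a flat distribution over k symbols tends towards 1/k."""
    counts = Counter(units)
    n = len(units)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in counts.values()) / (n * (n - 1))


def peak_share(units):
    """Fraction of the text taken by the single most common unit."""
    counts = Counter(units)
    return max(counts.values()) / len(units)


def compare(plaintext=SAMPLE_PLAINTEXT, seed=1):
    """Statistics of the plaintext letters (identical to those of any simple
    substitution of it) against the homophonic ciphertext symbols."""
    table = build_table(seed)
    letters = letters_only(plaintext)
    ciphertext = encrypt(plaintext, table)
    symbols = symbols_of(ciphertext)
    return {
        "letters": letters,
        "ciphertext": ciphertext,
        "recovered": decrypt(ciphertext, table),
        "ic_plain": index_of_coincidence(letters),
        "ic_homophonic": index_of_coincidence(symbols),
        "peak_plain": peak_share(letters),
        "peak_homophonic": peak_share(symbols),
    }


if __name__ == "__main__":
    c = compare()
    print(f"IC   letters {c['ic_plain']:.3f}  ->  symbols {c['ic_homophonic']:.3f}")
    print(f"peak letters {c['peak_plain']:.3f}  ->  symbols {c['peak_homophonic']:.3f}")
```

The drop in both figures is the "flattening" of Figure 3.2 in numbers: the analyst can no longer pick out "e" by its height in the histogram, and decryption is still a plain lookup because each symbol has one owner.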
Figure 3.2 Flattening the distribution technique.

To break such a system of encryption it is necessary to use more complex cryptanalysis techniques, such as hill-climbing algorithms, which use heuristics. Hill climbing is an iterative algorithm which starts with an initial arbitrary solution and then attempts to find a better solution by making small incremental changes to it. This process continues producing better solutions until no more improvements can be found. Interestingly, if stopped at any point, the algorithm will return a valid solution even before completing. In the context of this particular problem, the homophonic substitution, there is not only the task of finding which letters map to which others but also the need to determine how many symbols each plaintext letter can become. In the case of hill climbing, it is possible to create layers of the algorithm in which the outer layer determines the number of symbols each letter maps to and an inner layer determines the exact mapping taking place.
CAESAR CIPHER
Perhaps the most famous of these ancient encryption systems is the Caesar cipher, so called by the ancient historian of Rome, Suetonius. He wrote that Julius Caesar had used it in the Gallic military campaigns against tribes within Gaul. This cipher is a shift cipher; that is, it relies on a shift of the alphabet according to some key. It is said that Caesar used a simple version with a shift of 3, but, of course, any number of shifts could be applied from 1 to 25. Another shift, that is shift 26, will bring the alphabet back to its original state, as there are 26 characters in the alphabet. Why would Caesar have chosen 3? Simply because it is relatively easy to compute on paper or in your head, but remember too that he was likely assuming his enemies to be uneducated, or at least illiterate.
A simple device or machine can be made to encrypt or decrypt messages. Visualize it as two disks, a larger and a smaller, placed on top of each other; the inner one is fixed, and around its outside the alphabet is written. The outer disk likewise has an alphabet written around its rim and is free to move, so its alphabet can be shifted to line up with the inner ring at any point.

To encrypt, the outer ring is moved the desired number of shifts dictated by the key, and the character underneath is read off.

To make it harder you could use a secret key, that is, the shift value. However, as there are only 25 possible shift values, an attack could be made which tries all of these until an intelligible message is discerned.
We should define some key phrases here:

Plaintext → encryption technique → ciphertext

A key is used at the encryption stage, in this case the shift value, as an input to the technique being applied. The plaintext is the message you wish to send and the ciphertext is the encoded message.

Similarly, to decrypt:

Ciphertext → decryption technique → plaintext

Again, the key is an input to the decryption technique, which will reveal the hidden message, and because the cipher is symmetric, the same key is used both ways.
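The two-disk device, the symmetric key and the 25-shift exhaustive check described above, as an added worked example that is not code from the book. `shift_alphabet` is the turned outer disk, `caesar` reads letters off it (case is preserved and non-letters pass through), and `brute_force` tries every shift and ranks the candidates by a chi-squared distance from English letter frequencies, so the "intelligible message" can be picked out automatically instead of by eye. The percentage table is an assumption taken from widely published approximations of English letter frequency; the sample message is constructed.

```python
from collections import Counter
import string

# Approximate relative frequency (%) of letters in English text, from widely
# published tables (assumed values); used to score how English-like a
# candidate plaintext looks.
ENGLISH_FREQ = {
    "a": 8.167, "b": 1.492, "c": 2.782, "d": 4.253, "e": 12.702, "f": 2.228,
    "g": 2.015, "h": 6.094, "i": 6.966, "j": 0.153, "k": 0.772, "l": 4.025,
    "m": 2.406, "n": 6.749, "o": 7.507, "p": 1.929, "q": 0.095, "r": 5.987,
    "s": 6.327, "t": 9.056, "u": 2.758, "v": 0.978, "w": 2.360, "x": 0.150,
    "y": 1.974, "z": 0.074,
}

# Constructed sample message.
SAMPLE_MESSAGE = ("Gallic tribes are gathering near the river crossing. "
                  "Send two legions before dawn and hold the bridge.")


def shift_alphabet(shift):
    """The outer disk turned `shift` positions: the letter at index i of the
    fixed inner alphabet lines up with index i of this string."""
    shift %= 26
    return string.ascii_lowercase[shift:] + string.ascii_lowercase[:shift]


def caesar(text, shift):
    """Shift every letter by `shift` places (mod 26), keeping case and leaving
    non-letters untouched. A shift of 26 returns the text unchanged."""
    disk = shift_alphabet(shift)
    out = []
    for ch in text:
        if ch.isalpha():
            sub = disk[string.ascii_lowercase.index(ch.lower())]
            out.append(sub.upper() if ch.isupper() else sub)
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext, key):
    return caesar(plaintext, key)


def decrypt(ciphertext, key):
    # Symmetric: the same key, applied in the opposite direction.
    return caesar(ciphertext, -key)


def chi_squared(text):
    """Distance between the letter counts of `text` and what English would
    predict for a text of that length; lower means more English-like."""
    letters = [ch for ch in text.lower() if ch in ENGLISH_FREQ]
    n = len(letters)
    if n == 0:
        return float("inf")
    counts = Counter(letters)
    return sum((counts.get(ch, 0) - n * p / 100) ** 2 / (n * p / 100)
               for ch, p in ENGLISH_FREQ.items())


def brute_force(ciphertext):
    """Try all 25 non-trivial shifts; return (key, score, candidate) tuples,
    most English-like first."""
    candidates = []
    for key in range(1, 26):
        candidate = decrypt(ciphertext, key)
        candidates.append((key, chi_squared(candidate), candidate))
    return sorted(candidates, key=lambda c: c[1])


if __name__ == "__main__":
    ct = encrypt(SAMPLE_MESSAGE, 3)
    print("ciphertext:", ct)
    for key, score, candidate in brute_force(ct)[:3]:
        print(f"shift {key:2d}  score {score:8.1f}  {candidate}")
```

Even without the scoring, 25 candidates is few enough to read through by hand, which is the whole weakness the text points out; the scoring merely shows that the "intelligible" test can be mechanized with the same frequency table used for analysing substitution ciphers.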