introduction to securitycse435/lectures/2020-lectures... · • journeymen: modifies and extends...

11/26/19

K.Chan:CSE435:SoftwareEngineering 1

IntroductiontoSecurityKiraChan

K.Chan:CSE435:SoftwareEngineering

Softwareexpectation

• Inaregularmessagingapplication,whatdoyouexpect?• Let'sassume youwanttouseittomeetyourfriend forFridaynightdinner.• Messagesaredelivered• Deliverswithinatimelimitthreshold• Nooneelseisreadingyourmessages• Messageisnotaltered• Applicationdoesnot“lag”• Etc


11/26/19


Terminology

• “Acomputeris secure ifyoucandependonit anditssoftwaretobehaveasyouexpect (intent).” • ‘Trust describesourlevelofconfidencethata computersystemwillbehaveasexpected.’ (intended)

[Garfinkel & Spafford, Kasten]K.Chan:CSE435:SoftwareEngineering

Whyshouldweconsidersecurity?

• Canyoubuildamessagingapplicationthatsatisfiesrequirements• Whoaretherequirementsmadefor?

• Stakeholders?• Users?

• Doeseveryuserconformtotheexpectationsyouhaveset?• Resourcesandinformationcontainmonetaryorothervalues• Securitybreachescouldbedamagingtoyourreputation• Whenissecurityusually takenintoconsideration?• Securityisoftenanafterthought• Addedontoasystem,itmaynotfullyaddresstheunderlying issue• Lotsofnew“Band-Aids”topatchanissue,causesinefficiency


11/26/19


Potentialimpact• Wannacry

• Encryptsuserdataanddemandransomtodecrypt it• https://www.symantec.com/blogs/threat-intelligence/wannacry-ransomware-attack

• SayIencryptedyourlaptop,yourfinalexamistomorrow• Ransomiseveryassetyouhave• Doyoupayit?

• Safety?• Whatifcriticalsystemsarecompromised?


Definition(NIST)

• Computersecurityistheprotectionaffordedtoanautomatedinformationsysteminordertoattaintheapplicableobjective ofpreservingtheintegrity,availabilityandconfidentialityofthesystem’s resources• https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-14.pdf


11/26/19


Confidentiality,IntegrityandAvailability

• Confidentiality:informationarenotdisclosed tounauthorizedparties• Integrity:assurethatinformationandprogramareonlychangedinanauthorizedmanner• Amessageisactuallyfromwhereitclaimstohavecomefrom• Mailmandeliversyouamailfromyourbestfriendoverseas,howdoyouknowifthismessagehavenotbeenmodified?

• Availability:assuresthatthesystemsworkpromptly, andservicesarenotdeniedtoauthorizeduserswhentheyrequestthem


Castleanalogy

Img source:McCallumK.Chan:CSE435:SoftwareEngineering

11/26/19


Securitychallenges.

• Defendingasystemishardsincewemustsecureallweakpoints• Attackeronlyneedstofindoneexploit• Usersdonotlikecomplicatedsystems• Benefitofsecurityisnotconsidereduntilabreachoccurs• ITtechperson,whydoweevenhirethisguy?

• Impedimenttotheuser


Terminology

• SecurityPolicy:asetofrulesandpracticesthatspecify orregulatehowasystemprovides securityservices toprotectsensitiveandcriticalsystemresources• Vulnerability:aflaworweaknessinasystemthatcanbeexploited• Threat:apotentialviolationofsecurity;apossible dangerthatmightexploitavulnerability• Attack:anassaultonthesystemthatderives fromathreat.• Threatscarriedout


11/26/19


Threats

• Hardware:physicaldevices– easytarget• “Involuntarycomputer-slaughter”• Accidentalactsnotintendedtodoharm• E.g.Spillingadrinkoncomputer

• “Voluntarycomputerslaughter”– machinicide:• Purposelybreakamachine

• Software:equipmentworthlesswithoutsoftware• Deletion• Modification• Theft

SlideprovidedfromDr.ChengK.Chan:CSE435:SoftwareEngineering

Whyarewetalkingaboutthis?

• Timeismoney• Organizationswantaproductthatmakesmoney, sotimespentnotmakingmoneyproducingsoftwareiswastedtime.• Monetory consequences areoftennotconsidereduntilabreach.• Example:CSE3xxprograms.• Didyouconsidersecuritywhenyoudevelopedyourprograms?


11/26/19


Patches


Patches

• Changesmadetofix, improveorupdateyoursystem• Whatarepatchesused for?• Bug-fixes• Improvements• Newfeatures

• Whycanwenotjustpatchsecurityissues away?


11/26/19


Whentousepatchesforsecurity

• Securityshould bedefinedinyouroriginaldesign• Patchesshouldonlybegivenasemergencysolution• Userignorespatchesalotoftime

• Patchesmaynotfixthefundamentalissues


Howdoweprovidesecuritytoasystem?

• Easiestway:noaccess.• Challengeistopreventunauthorizedaccesstosystem,whilecausingtheleastamountofimpedimenttolegitimateusers.

Userexperience

Security forsystem


11/26/19


Howtodesignyoursystem?• Designofsecurityshould beassmallandsimple asneeded• Easytotest/verifyitsstrength,fewerflaws

• OpenDesign:securitymechanismshould notbeasecret!• Why?• Expertscanreviewandpointtoflaws• Reverseengineeringcanexposeyour software• Youwillnotknowifyoursoftwarehavebeencompromised


Howtodesignyoursystem(cont.)

• Psychological acceptability:thesecuritymechanisms shouldnotinterferewiththeworkoftheuser• Considerourmessagingapp

• Asksforuserpasswordevery30seconds• Lessextremeofanexample:requirerestartevery 12hours• Userwilldisarmifnot!

• Layering:Multiplelayersofsecurity.Failureatonepointwillnotleaveyoursystemcompromised• Example:messagingapplication

• Encryptstoredmessages• Ensureotherapplicationsonsamedevicecannotaccessthosefiles

• Leastastonishment:nosurprises!• Functionsshouldconformtouserexpectation


11/26/19


Remainderofpresentation

• Iwillfocus onwhatyoucandoasadevelopertohelpsecureyoursystem• Whattodoandwhatnottodo


RiskAssessment

• Threequestions toanswer:• What amItryingtoprotect?• Whatdo Ineed toprotectagainst?• Howmuchtime,effort,andmoneyamIwillingtospendtoobtaintheseprotection?

• Threekeysteps:• Identifyassets• Identifythreats• Calculaterisks

• Risk:expected lossfromtheprobability thatathreat thatwillexploit avulnerability inthesystem

SlideprovidedfromDr.ChengK.Chan:CSE435:SoftwareEngineering

11/26/19


IdentifyAsset

• Whatareyoutryingtoprotectagainst?RecallCIA• Data?• Messageconfidentiality?• Systemresources?• Availability?• Categoriesofvulnerabilities:• Corruption (lossofintegrity)• Leaky(lossofconfidentiality)• Unavailableorslowaccess(lossofavailability)


IdentifyThreats

• Whatisthethreat?• Hackers?• Politicalopponents• Rivalcompanies• Activist

• Whatistheintent/objective ofthethreat?


11/26/19


3classesofintruderskilllevel

• Apprentice:minimaltechnicalskills• Useexistingtechnologies• Mostintrudersbelonginthiscategory• Easytodefend

• Why?

• Journeymen:modifiesandextendsattacktoolkits• Master:high-level technicalskills• Capableofdiscoveringnewattacks• Understandsunderlyingprotocolused• Writestheirownattacksandtoolkits• Hardesttodefendagainst


Calculatingrisk

• Howlikelyisaparticularthreat?• WhatisthechancethatXwillhappen, andwhatistheconsequenceofit?• Ifaneventhappens onregularbasis, youcanestimatebasedonprevious experiences.


11/26/19


Differentkindofattacksyoumayconsiderasadeveloper


DenialofService(DoS)

• Attackonavailabilityofasystem• Denylegitimateusertheabilitytouseasystemoritsresources• DistributedDenialofServiceattack(DDoS)


11/26/19


Quickoverviewofhowthewebworks

• Verysimplified• Yourclientconnectstoa“socket”ofaserverandthatsocketservesyou• Imagineaparkinglotconnectedtoamall.• Youcanonlyaccessthismallafterparkingatthelot• Eachparkingspot(socket)servesonecar(yourcomputer)only


SimpleImplementation

• Nofeeorregistration• Letanyoneinwhentheyshowupatthegate• Onlyonecarcanpassthroughthegateatatime


11/26/19


in out

10(reservedport)

2 3 … 65535

Oneserver


ClassicPingofdeathattack(moreinfo)

• Spampingtraffictothevictim,whichaffectsthenetworkperformance.• Notveryeffectivefromonecomputer• Itwillalsocrippletheattackingdevice,sinceyoualsomustsendthepackets.

• Canuseabotnet(abunchofcompromised computers)topingthesamevictim

Regular internettrafficisabout10kbpsDuringDoSattack,thisspikesto32Mbps


11/26/19


12…

cars


Signatures

• Ifapersongeneratesaticketthatuses thesamecarmodel, yearfor60,000cars,itisprobablynotlegit.


11/26/19


Naïveprotocol

• 3Wayhandshake• Clientrequestsconnection• Serverresponsewithasynack• Allocateresourcesfortheclient

• Clientresponsewithanacktoack

Clienthello

Server ack

Clientack

Connectionestablishedhere


in out

10(reservedport)

2 3 … 65535

Oneserver


11/26/19


Naïveparkinglot

• Driverrequestticketonline• Wereservetheparkingspaceforthem• Savedetailsofcarmodel,makeandyear

• Drivershowsup,inputs theticketandenterstheparkinglot• Theyfinish theirbusiness inthemallandleavesthelot(disconnect)• Theirspot canthenbereservedagainfornextcar


Websiteattacks

• Consumeawebserver’sentirecapacity• Newlegitusersareunabletoestablishaconnection• Fairlycommon;youmayhaveencounteredoneorwillencounterone• Example:TCPsynattack(moreinfo)• RecentDDoSattacks:Github2018,WikipediaSep2019• Consequences?

• Damagetoreputation• Whatifthishappened toonline sellingplatform?• Consider ifyouareamazon,andthis happensduringblackfriday


11/26/19


TCPsynattack

• Taketicketonline• Parkinglotreservesaspotforyou

• Nevershowuptoclaimthespot

Clienthello

Server ack

Clientack

Connectionestablishedhere


HowtodefendagainstDoSattacks?

• Youcannotpreventtheseentirely!• Highvolumesoftrafficmaybecompletelylegit• Thinkoftrafficamazon.com.Itmaybethatabunchofuserswanttobuyatthesametime(CyberMonday, lastminuteholidayshopping)

• HowtominimizeimpactofDoSattacks• Defensesatmultiplelayer• TCPconnections:usemodifiedTCPconnectioncode.

• UseTCPsyncookies• Dropanentryforincomplete connection fromTCPconnection tablewhenoverflowing

• Useofcaptcha• Useofmirrorsandreplicatedservers

• Disadvantage?


11/26/19


TCPsyncookieusingparkinglot

• Drivertakesaticket,theinformationofthevehicleisembeddedintheticket• Addsomeinformation thatwewanttotheticket• Spotisnotreserveduntilthecararrivesandentersthetickettothegate• Ifacarisidlefortoolong,kickitout

• Again,thisissimplified


SlowLoris

• AnotherformofDoSattack• Sendalittlebitofdataatatime• Alegitclientmighthaveslowconnection• Onlyuses verylittlebandwidth andprocessing powerofattacker• Serverlosesabilitytoservenewclients• HowdowedefendagainstSlowLoris?

PictureCredit:Tilo NadlerK.Chan:CSE435:SoftwareEngineering

11/26/19


Dynamicservers• Ideacamefromanonlinemultiplayergames• Hardwarehostmadetoaccountnormalleveloftraffic• Duringpeaktime(whenpeoplegetoffwork),dynamically spinupmoreserveroncloud

Server 1 …

1

65535

CloudServer n …

1

CloudServer 1 …

1

65535

CloudServer 2 …

1

65535

…


Otherresourcesifyouarehostingyourownwebsite• https://www.cloudflare.com/• OrsimilarserviceswhocanprovideyouDDoSprotection• Ifyouhostyourownwebsiteasasmallbusiness, DDoSattackscanbedetrimental(sinceyouhavetopayforeachpacketsenttoyou)


11/26/19


Phishing


Phishingattacks

• Socialengineeringattack• Aimstogetuserstocompromise theirownsystem• Verydangerous• Wecannotpatchthisaway

• Masqueradeasatrustedsource(looks legit)• Usespsychology tricks• Timeisrunningout,resetyourpasswordsoon

• Spear-phishing:emailspecificallycraftedforatarget


11/26/19


Source:CameronCampK.Chan:CSE435:SoftwareEngineering

Howtodefend?

• Knowledgeisessential• Checkdomain nameofemail(e.g.www.chasbank.com, [email protected])• Ifyoudoneedtoresetapassword, gotothewebsitedirectlyandresetitthroughtheirportal.Emaillinksaredangerous!• Ifanemailhasasenseofurgency,proceedcautiously• Ex:“Updateyourpaymentinformationoryourserviceswillbeterminated”


11/26/19


Passwords(Important!)


Passwords

• Commonly used• Useraccountsmusthaveanassociatedpasswordwithit• Howdowestoretheseinadatabase?• Plaintext?• Encrypted?

• Keyconcept:developerneverneedtoknowauser’spassword!• Thefollowing conceptwillattempttodeteranattackonyoursystembutmaynotcompletelydefendagainstallattacks!• Entitieswithlargeresourcesandtimecancrackpasswords• IfIwanttoknowacertainpassword,Icantryallcombinationpossibleusingmanycomputers


11/26/19


Standardapproachestostoringpasswords

1. Taketheinputandhashit.• Ahashfunctiontakesanylengthinputandconvertsittoafixedlengthstringthatisdifferentforevery input.(SHA256,SHA512)

• Issue?• Someusersuseweakorcommonpasswords• Attackercanprecomputethehashedvalueofcommonpasswordsandcomparewithcompromiseddata

• Rockyou.txt2. Useasalt (randomstring)

• Tosolvethis,weappenda“salt”ofrandomstringstotheuserpassword,thenhashtheconcatenatedstring.Wethenstorethepasswordandsaltnexttoeachother

• Eachtimetheuserenterstheirpassword,addthesaltbeforeyouhashandcompare


Cont.

3. Usea“pepper”(randomstring)• Similarconcepttoasalt,butthesamestringfortheentiresite• Aimtoslowdownattacker


11/26/19


Example

1. Input:password ->sha512(password)• B109F3BBBC244EB8244…

2. Saltandpassword:sha512(password +103FD07)• AB8B060C7283E36D93E…

3. Saltandpepper:sha512(sha512(password+salt), pepper)• Thisispainfulforanattackertocrack,especiallyiftheyaretryingtoexecuteabroadcomparisonagainstadatabaseofpasswords


ExampleTableID Name Username Password Salt

1 JonDoe [email protected] NVSQY8ZBod… JLDq1RBXzN

2 WolfgangMozart wolfzart fgKotr16PM… jWTNN7kXhm

3 JohannPachelbel jpach 0iJExGx74e… yO1HoxSdoK

4 ClaudeDebussy debussy Y4hAdMD6Mr… 7Xz4iH0XMP

5 … … … …

Sitepepper(Notstoredindatabase):UW2vdTKmZN


11/26/19


Fromanattacker’sperspective

• Let'sconsider theotherperspective• Ifyouwanttoobtainapassword,howwouldyou?

• Phish• Tryallcommonpasswords• Eavesdropping• Tryallpossible combinations


Howtosecureyourownpasswords

• Donotusethesamepasswordformultiple sites• Ifonesiteiscompromised,thenextone istoo• Somesitesmaystorepasswordsinplaintext(thereisno federalregulations)

• Donotusesimpleorcommonpasswords• Trytofinditinrockyou.txt

• Use:passphrases• myFavoriteBookIsGreatGatsby!


11/26/19


Passwordinputs


SQLinjectionattacks(SQLi)

• Oneofthemostdangerousformofattacks• Asof2017,51%ofcyberattacksonwebappsarefromSQLi• https://www.akamai.com/de/de/multimedia/documents/state-of-the-internet/q2-2017-state-of-the-internet-security-report.pdf

• Userenterscodeintotheinputboxes• Servertakestheinputandruns it• Damages:unauthorizedlogin,unauthorizedchangestotable,droptables…

• Code….TakeUserInputDirectly…Code


11/26/19


Example

• UseofTautology(makecondition alwaysequaltotrue)• Inputpasswordas1’OR‘1’=‘1

• Useofcommentmark“--”• Subsequentcode (passwordcheck)ignored• https://www.w3schools.com/sql/trysql.asp?filename=trysql_comment_single_2

• Piggybackqueries• InsertSQLcodeafterinput• userPassword+;+DROPtable…• SELECT*FROMUSERSWHERE…..;DROPTABLEUSERS;--…..

• ExamplestakenfromDr.ScottTu


Relevantxkcd

https://xkcd.com/327/K.Chan:CSE435:SoftwareEngineering

11/26/19


DefensesagainstSQLi

• ALLINPUTSAREEVIL!!• Sanitizeinput(afunction providedbyphp)• Stripsoutanycommentmarksandquotations

• Makesurethatinputconforms toexpectedinput• Parameterizedinputs• “preparestatements”:SELECTFROM?• Placeholdersareusedforparametersandvaluesaresuppliedatexecutiontimes

• Taketheseas“plaintext”anddonot runanythingthatresemblescommands• “Preattack”yoursystem


Otherthingsthatyoumayencounter

• Redteamvsblueteam• Redteamisthe“adversary”• Theyattempttobreakintothesystem

• PenetrationTesters• Identifiesweaknessinasystem(mightbethecompany)• CouldbeapersondisguisedasITsupport toseeifemployeeswillfallforit

• Ethicalhackers


11/26/19


ConfidentialityandIntegrity


Confidentiality

• Wedonotwantathirdpartylisteningtoourcommunications• Bankpassword?• Example:wireshark


11/26/19



Communication betweenAliceandBob

Alice Bob

Let’smeet forcoffeetomorrowat7

Eve


11/26/19


AliceBob

PlaintextM EncryptionAlgorithm

CiphertextC DecryptionAlgorithm

PlaintextM


Encryption

• Caesarcipher:earliestandsimplestcipher(moreinfo)• Shifteachcharacterbyafixednumbern.• Ifn=5• Attackatdawn->fyyfhp fy ifbs

• Strength?• Weak• Attackeronlyneedstotry26combinationstoobtaintheplaintextmessage.


11/26/19


Encryptionusedtoday

• Basedonmathematics• Typicallyuses a“ClassicFeistelNetwork”• Usessubstitution andtransposition• Substitution:replacexwithy• Transposition:switchbitsaround


Disclaimer!

• Donottrytoimplementyourownencryption algorithm!• Youwillprobably doitwrongorleavesecurityflawsbehind• Useexistingones


11/26/19


SymmetricvsAsymmetric

• Symmetricencryptionuses thesamekeytoencryptanddecrypt• Ex:DES,3DES,AES

• Asymmetricencryptionuses privatekeyandpublickey• Encryptingwithprivatekeymeansonlypublickeycandecrypt• Encryptingwithpublickeymeansonlyprivatekeycandecrypt• Userkeepsprivatekeyprivate,publickeycanbesenttoanyone• What'sthepointofencryptingwithprivatekey?• Ex:RSA


Symmetricencryption

AliceBob

PlaintextM AESencrypt Ciphertext C AESdecrypt PlaintextM

KeyA KeyA


11/26/19


Asymmetricencryption

AliceBob

PlaintextM RSAencrypt Ciphertext C RSAdecrypt PlaintextM

Bob’s Public Key Bob’s PrivateKey


BlockCiphers

• Chopmessagesintoblocks offixedsize• Runencryptionalgorithmsontheseblocks• Permutatethekeysoweuseadifferentoneperblock• How?• Hash(key+1),Hash(key+2)…


11/26/19


Symmetricencryption:DES(moreinfo)

• DataEncryptionStandard• Keylength:56bits• 16rounds• Developedinearly1970s• UsestheFeistelfunction topermutateandaddkeyhalfblock atatime• Insecuresince thekeyisshort.• Proven in1998,keycanbediscovered in56hours.

• UsedinWEPandWPAwifi encryption(donotusethese)


Source:MattCryptoK.Chan:CSE435:SoftwareEngineering

11/26/19


HowdoweaddressweaknessesofDES?

• HardwareismadeforDES,expensivetoreplace.• Solution: 3DES• Encryption:C=Encrypt(K3,Decrypt(K2,Encrypt(K1, Plaintext)))• Decryption:P=Decrypt(K1,Encrypt(K2,Decrypt(K3,Ciphertext)))• Variablekeylengthof168, 112,56bits• WhyEncrypt->Decrypt->Encrypt?


Symmetricencryption:AES(moreinfo)

• 3DESisnotapermanentsolution• AdvancedEncryption StandardakaRijndael• ReplacedDES(2001)• Inputblocksize:128,192or256bits• 10,12and14rounds respectively• Mostpopularformofsymmetricencryption• UsedforWPA2


11/26/19


EachroundofAES(Verysimplified)

1. Substitution: Replaceeachdatawithrespecttoatable(S-box)2. Shiftrows:Performcircularshiftoneachrow3. MixColumn:UseofGaloisfinitefieldmultiplication4. Addroundkey:XORwiththekey

https://www.commonlounge.com/discussion/e32fdd267aaa4240a4464723bc74d0a5


Img fromstallingandbrowntextbookK.Chan:CSE435:SoftwareEngineering

11/26/19


Asymmetricencryption:RSA(moreinfo)

• Rivest,Shamir,andAdleman MITin1977• Bestknownandwidelyusedpublickeyalgorithm• Usesprivateandpublickeys• Securityreliesondifficultyoffactoringaprime


Howtogeneratekeys

1. Selecttwoprimes pandq,say17and112. Calculatep*q=17*11=1873. Calculateφ(n)=(p-1)*(q-1) [Euler’sproductformula] =16*10=1604. Selectpublic keyesuch thateisrelativelyprimetoφ(n)andlessthan

φ(n).Wechoosee=75. Determineprivatekeydsuch thatd*emodφ(n)=1.d=23• 23*7=161

Example fromDr.ScottTuK.Chan:CSE435:SoftwareEngineering

11/26/19


RSAFactoringChallenge

• Suppose attackerhavepublickeyandencryptedmessageC• TodecryptC,theymustinferprivatekeyd• Todoso,theymustcalculated=(k*φ(n)+1)/e• Musttryeverypossiblecombination

• Calculatingφ(n) isinNP• Weuseextremelylargeprimenumbersfordande


Whichencryptionschemeshouldyouuse?

• YougenerallywanttouseRSAorAES• Otherconceptsrelatedtokeysifyouareinterested• TransportLayerSecurity(TLS)• https

• DiffieHellmanKeyExchange


11/26/19


Malware


Definitionfrom[NISTIR7298]

• Aprogramthatisinsertedintoasystem,usually covertly,withtheintentofcompromising theConfidentiality, Integrity,orAvailabilityofthevictim’s data,apps,OSorotherwiseannoying/disruptive.


11/26/19


Virus

• Infectsprograms(usually executables)• Needsahosttoinfect• Whenattachedtoanexecutable(.exefile),avirus candoanythingthattheprogramcando• OSspecific!• Howtodefendagainstthistypeofattack?• Useofantivirus,theycanlookforknowvirussignatures


Worms

• Similartovirus, spreadsthroughnetworkconnection, email…• STANDALONEPROGRAM• Activelyseeksoutmorehosts toinfectandeachinfectedmachineservesasaplatformtolaunchfurtherattacks.• Examples:• ILOVEYOU(2000s)• Conflicker worm(2008)• Wannacry (2017)• Petya(2016)


11/26/19


MorrisWorm

• WrittenbyRobertMorristohighlightsecurityflawsoftheinternet• Wasnotmeanttobeanactualattack• Worminfectssamecomputermultiple times,causingaforkbomb• Resultinginadenialofserviceattack

• SpreadthroughtheUSandtookdowntheentireinternet• Funtrivia:“TheWormBeforeChristmas”


Bots

• Usuallycreatedfromaworm• Acompromised computer• Botnet:anetworkofcompromised computers• Attackcansendcommandstothem

• Example:conflicker worm• Infectsacomputer• Computer thentakescommandsfromsomecentrallocation• 10,500,000+infected(source)


11/26/19


Keytakeaways

• Securityshould beconsidered asanintegralpartofyoursystem• Itshouldbeapartofyourdesigndocument

• Donotwaituntilyouhavebeencompromised• Stayvigilantandlookoutforpossible attacks• Expecttheunexpected!• Wedesignprogramsforthemajorityofuser.Thisistotallyvalid• Butthe“edgecases”isoftenavulnerability

• Knowhowtostorepasswords• Whatisthedifferencebetweenasaltandpepper?• Whydoweusesaltandpepper?


Keytakeaways(cont.)

• ALLINPUTSAREEVIL!• Username:youexpectusertotypeinlegitusernames

• Trueformostofthetime• ButSQLinjection attacksrelyoninputting different inputs

• KnowwhatSQLi attacksareandhowtopreventthem!• Thisisimportant,youcangetinlegaltroubleifsoftwareyouwroteisleftvulnerabletoattacks.

• Whatdoes encryptingamessagewithaprivatekeyensure?• Encryptingwithapublickey?

• Ifyouneedtouseencryption,AESandRSAarethecurrentstandards


introduction to securitycse435/lectures/2020-lectures... · • journeymen: modifies and extends...

Documents