Introduction
Assuming that symmetric key encryption is compromised through brute force, a 100-bit key is currently considered to be a strong encryption standard due to the difficulty of generating 2^100 combinations.
If computer power doubles, a 101-bit key will be regarded as a strong key next year since 2^101 = 2*(2^100). Following this reasoning, a key length of 130 bits will be considered strong after 30 years.
Shannon’s criteria of a good cryptographic system are as follows (Shannon, 1949):
- The secrecy amount that is required will depend on the amount of effort suitable for decryption and encryption.
- The algorithm for enciphering and the keys should not be complex.
- The process of implementation should be simple.
- Any ciphering error should not corrupt any part of the message.
- The enciphered text size should not be larger than the original text size.
NIST’s criteria for the selection of AES and DES are as follows (Smid, 2021):
- A strong block cipher having support for multiple operation modes.
- The cipher can be used by both the U.S. government and industries world-wide.
After studying both sets of criteria, it can be said that they are related in some areas and also have some significant differences. They are related because both focus on ease of implementation for those who will be using the system. Strong security is a requirement in both. NIST had first developed the DES encryption algorithm, which fulfilled all of Shannon’s criteria, but with time its vulnerabilities came into view. NIST wanted a new algorithm which, along with the previous criteria, would also include the following:
- More secure and efficient than the DES variant Triple DES.
- The key size is variable.
Therefore, some significant differences emerged between NIST’s criteria and Shannon’s criteria. Shannon’s criteria are more like the fundamental requirements that every good cryptographic system must follow, whereas NIST’s criteria are more specific: for example, they specified that AES should be more secure than DES and also have a variable key size.
With the creation of AES, the reflection of a changed environment many years after Shannon wrote his criteria can be noticed. The previous DES standard had a key length of only 56 bits, was slow and bit-oriented, encrypted only 64 bits of plaintext at a time, and was vulnerable to brute-force attack. So, even though it fulfilled Shannon’s criteria, it was not an efficient cryptographic system. This led NIST to bring about the AES algorithm, which has a variable key length of 128, 192, or 256 bits, is byte-oriented, and was not vulnerable to any known cryptanalytic attacks. In future, a more efficient algorithm may be required if novel and sophisticated cryptographic attacks arise.
A program that is written to compute the sum of the integers from 1 to 10 and has properties of reusability and maintainability can be sabotaged in the following ways:
- If the code is written in C, then the generated binary file can be edited with a hex editor. The variables that define the starting and ending points of the computation can then be manipulated. This will be a tedious process because it will not be easy to locate the variables in the binary file.
- If the code is written in Java and the function used for the computation is public, then through introspection we can call the function externally with separate values. This is the simplest way of sabotage and can be avoided by making the data members private. The function could also be made private if there is no requirement for external access.
- If this program is developed on a Linux machine using GDB, then the state of the variable can be changed.
The confinement property can be applied to this program by not allowing any external process access to the program and only allowing the Windows program scheduler to access it. Allowing external processes to access it makes the program vulnerable, much as, previously in Windows XP, Resource Hacker software could be used to change icons and desktop settings.
A covert timing channel refers to a form of a covert channel where data is transmitted through changes in the timing of events, like the time between packets or processing tasks duration. Conversely, a covert storage channel is a form of a covert channel where data is conveyed through storage resources, such as disk space or memory.
Although these two types of covert channels seem different, it's feasible to convert a covert timing channel into an equivalent covert storage channel by utilizing storage resources to encode the information that was initially transmitted through timing variations.
To achieve this, a buffer or memory location can be utilized to retain a sequence of data values that match the timing fluctuations in the covert timing channel. Suppose the original timing channel conveyed information by altering the time between packets by either a short or long duration. In that case, a concealed storage channel can be established by storing a series of bits in memory that reflect these short and long intervals. To retrieve the information transmitted via timing variations, the recipient can read the data from the buffer or memory location and decode it. It can be concluded that converting a covert timing channel to a covert storage channel requires converting the information conveyed through timing variations into a sequence of data values and storing it in memory or some other storage resource. This indicates that the differentiation between covert timing and covert storage channels is not always straightforward and that data transmission can occur using various methods based on the attacker's available resources.
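The conversion described above, as an added example that is not part of the original text: a Python simulation in which the same bits are carried first as inter-packet gaps and then as a bit buffer recorded from those gaps. The delay values, threshold and function names are assumptions chosen for illustration, and the gaps are simulated numbers rather than network traffic.

```python
SHORT, LONG = 0.05, 0.20            # constructed gap lengths in seconds: bit 0 / bit 1
THRESHOLD = (SHORT + LONG) / 2      # gaps above this are read as 1

def text_to_bits(text):
    return [(byte >> i) & 1 for byte in text.encode() for i in range(7, -1, -1)]

def bits_to_text(bits):
    usable = len(bits) - len(bits) % 8          # ignore a trailing partial byte
    out = bytearray()
    for i in range(0, usable, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return out.decode(errors="replace")

def timing_send(bits, jitter=()):
    """Timing channel: every bit becomes one short or long gap (plus jitter)."""
    gaps = []
    for i, bit in enumerate(bits):
        noise = jitter[i % len(jitter)] if jitter else 0.0
        gaps.append((LONG if bit else SHORT) + noise)
    return gaps

def timing_receive(gaps):
    """Receiver of the timing channel: threshold each observed gap."""
    return [1 if gap > THRESHOLD else 0 for gap in gaps]

def to_storage(gaps):
    """Conversion step: record each gap as one bit in a shared buffer."""
    buf = bytearray((len(gaps) + 7) // 8)
    for i, gap in enumerate(gaps):
        if gap > THRESHOLD:
            buf[i // 8] |= 0x80 >> (i % 8)
    return bytes(buf), len(gaps)

def storage_receive(buf, nbits):
    """Receiver of the storage channel: read the bits back from the buffer."""
    return [(buf[i // 8] >> (7 - i % 8)) & 1 for i in range(nbits)]

if __name__ == "__main__":
    gaps = timing_send(text_to_bits("Hi"), jitter=(0.01, -0.02, 0.03))
    buf, nbits = to_storage(gaps)
    print(bits_to_text(timing_receive(gaps)), bits_to_text(storage_receive(buf, nbits)))
```

Both receivers recover the same bit sequence, so a channel-capacity estimate or a mitigation review has to cover the stored representation as well as the timing behaviour.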
PART B
TJX Companies Inc. faced a massive cyber security attack in the year 2007. The customers’ financial information was stolen and, as a result, many Visa and MasterCard accounts were compromised. The loss was about $.5 billion (Walker, 2017). This was due to multiple security weaknesses, which are described below:
- Wireless Network Security was inadequate
  The data store that contained the sensitive data of customers used a wireless network that had no proper security. The security protocol they used was WEP (Wired Equivalent Privacy), which is very easy to crack; this can be done in a minute.
- Improper storage of customer data
  The TJX company’s data storage policy was also in violation of industry standards. It was reported that they stored the entire contents of customers’ cards, including the CVV and PIN. This was not done with any malicious intent by the company; they were using old POS (Point of Sale) software that was designed to capture all data.
- Customer Data encryption failure
  The TJX companies did not store the customers’ data with encryption. If it had been encrypted, then even after the break-in the data breach would not have occurred.
- Insufficient security controls
  The in-store computers were directly connected to the corporate network. This allowed the intruders to connect flash drives to one such computer and gain access to the corporate network. The attackers also used keylogging to steal customers’ user IDs and passwords, which they used to create fictitious accounts and commit fraud.
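The storage weakness described above can be closed at the point where a POS record is persisted. The following Python sketch is an added example, not code from TJX or from the sources cited here: it drops the CVV and PIN before storage and keeps only a truncated card number. The field names, the first-six/last-four truncation format and the sample record are assumptions constructed for illustration.

```python
import re

# Hypothetical field names for data that must never be written to storage.
SENSITIVE_AUTH_FIELDS = {"cvv", "pin", "track_data"}

def luhn_valid(digits):
    """Luhn checksum, used to reject values that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def truncate_pan(pan):
    """Keep only the first six and last four digits of the card number."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a valid card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def sanitize_for_storage(record):
    """Return the copy of a POS record that is allowed to reach the data store."""
    stored = {}
    for key, value in record.items():
        name = key.lower()
        if name in SENSITIVE_AUTH_FIELDS:
            continue                              # CVV, PIN, track data: dropped
        stored[key] = truncate_pan(value) if name == "pan" else value
    return stored

if __name__ == "__main__":
    # Constructed sample record using a well-known test card number.
    captured = {"pan": "4111 1111 1111 1111", "expiry": "12/27",
                "cvv": "123", "PIN": "4321", "amount": "19.99"}
    print(sanitize_for_storage(captured))
```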
There are some measures that TJX could have taken that would have prevented this disaster. They are provided below:
- Encryption
  If TJX had used encryption to store the customers’ information, it would have been difficult for the attackers to steal the customers’ sensitive data.
- Incorporate access control
  If TJX had employed access control on its corporate network, it could not have been accessed through any in-store computer, and the breach could therefore have been prevented.
- Conducting a vulnerability management program
  TJX should have conducted vulnerability assessments on a regular basis, which would have helped it identify the weaknesses in its network and take the necessary actions.
- Not using the outdated WEP protocol
  If, instead of the old and insecure WEP protocol, they had used protocols like WPA-2 or WPA-3 for wireless communication, the intruders would not have been able to crack it and gain access to the network.
The CIA triad is a model that is used to describe the three primary goals of information security: confidentiality, integrity, and availability. In the 2007 attack on the TJX company, two goals of the CIA triad were violated.
The confidentiality goal, which ensures that all sensitive data remains confidential, was violated because, in the TJX data breach, hackers were able to access customer data, including credit card information, that was supposed to be confidential.
The integrity goal, which ensures that data is not manipulated by unauthorised people, was violated because the attackers used the stolen data to create fictitious accounts and use them for fraud.
REFERENCES
Shannon, C. E. (1949). Communication theory of secrecy systems. Bell System Technical Journal, 28(4), 656–715. https://doi.org/10.1002/j.1538-7305.1949.tb00928.x
Smid, M. E. (2021). Development of the advanced encryption standard. Journal of Research of the National Institute of Standards and Technology, 126. https://doi.org/10.6028/jres.126.024
Walker, R. (2017). Maxxed out: TJX Companies and the largest-ever Consumer Data Breach. Kellogg School of Management Cases, 1–8. https://doi.org/10.1108/case.kellogg.2016.000194