24-Aug-24 1
Multi-factor Authentication
• When implementing MFA, combine factors from different categories (something you
know, something you have, something you are); two factors of the same category,
such as a password plus a security question, do not give the same protection.
• For example, a common MFA setup pairs a password (knowledge factor) with a
one-time code from an authenticator app (possession factor).
• This way, even if one factor is compromised, the attacker still needs the other
factor to gain access.
Distribution of Password Types
(pie chart from the source slide; the recoverable labels and percentages are listed here)
• One character: 0%
• Two characters: 2%
• Three characters: 14%
• Four characters, all letters: 14%
• Five letters, all same case: 22%
• Six letters, lowercase: 19%
• Words in dictionaries or lists of names: 15%
• Other good passwords: 14%
Password Storage
1. Use a Strong Password Hashing Function: Store passwords only as the output of a slow, salted, industry-standard
password hashing function (bcrypt, scrypt, Argon2id, or PBKDF2 as a minimum). These are one-way hashes, not
encryption: no key turns them back into the password. Avoid fast general-purpose hashes such as MD5 or SHA-1 here.
2. Salted Hashing: Always combine each password with a unique, random value (a "salt") before hashing. This defeats
rainbow-table attacks and means two users with the same password get different hashes.
3. Avoid Plain Text Storage: Never store passwords in plain text (or reversibly encrypted). If the database is breached,
plain text is immediately usable by the attacker.
4. Implement Key Stretching: Use the cost parameters of the hash (iterations, memory, parallelism) to make every guess
computationally expensive. This slows down offline brute-force and dictionary attacks against stolen hashes.
5. Regularly Update Password Hashes: Because hashing is one-way, an old hash can only be upgraded when the user next
logs in: verify with the stored parameters, then rehash with the current algorithm and cost. This keeps pace with
advances in computational power.
6. Protect the Database: Implement strong access controls and encryption for the database where password hashes are
stored. Use firewalls and intrusion detection systems to guard against unauthorized access.
7. Access Control: Limit access to the password database to those who need it. Enforce strict access controls and strong
authentication for administrators.
8. Monitor for Anomalies: Set up monitoring to detect unusual activity related to password storage or access, such as
bulk reads of the credential table.
9. Multi-Factor Authentication (MFA): Require MFA for privileged users who have access to password databases.
10. Use a Trusted Password Manager: Where possible, encourage users to use a trusted password manager to generate,
store, and manage their passwords securely.
11. Regularly Audit Password Security: Conduct regular security audits and vulnerability assessments to identify and
address weaknesses in the password storage process.
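Items 1, 2, 4 and 5 above, as an added example that is not part of the original slides: salted, stretched hashing with a self-describing storage string, a constant-time verifier, and a needs-rehash check that upgrades outdated hashes at the one moment the plaintext is available (login). PBKDF2-HMAC-SHA256 is used only because it is in the Python standard library; Argon2id, scrypt or bcrypt are preferred in production. The storage format and the iteration policy are assumptions for the demo.

```python
# Added example (not from the original slides): salted, stretched password
# hashing with transparent upgrade of old hashes. PBKDF2-HMAC-SHA256 stands in
# for Argon2id/scrypt/bcrypt, which need third-party packages.
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
CURRENT_ITERATIONS = 600_000  # OWASP (2023) figure for PBKDF2-HMAC-SHA256; policy assumption
SALT_BYTES = 16


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Return 'algorithm$iterations$salt$hash'. A fresh random salt per password
    defeats rainbow tables and makes identical passwords hash differently."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def _parse(stored: str):
    algorithm, iterations, salt_b64, hash_b64 = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported hash format: {algorithm}")
    return int(iterations), base64.b64decode(salt_b64), base64.b64decode(hash_b64)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time so a
    timing difference cannot leak how many bytes of the hash matched."""
    iterations, salt, expected = _parse(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True when the stored hash uses weaker parameters than current policy."""
    iterations, salt, _ = _parse(stored)
    return iterations < CURRENT_ITERATIONS or len(salt) < SALT_BYTES


def login(password: str, stored: str):
    """Verify, and if the hash is outdated return a replacement to persist.
    The plaintext exists only during login, so this is the only chance to
    upgrade an old hash (the 'regularly update password hashes' step)."""
    if not verify_password(password, stored):
        return False, None
    if needs_rehash(stored):
        return True, hash_password(password)
    return True, None
```

Raising CURRENT_ITERATIONS later is then a one-line policy change: existing rows keep working and are silently migrated as users log in.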
Brute Force Hacking
Brute force hacking is a method used by attackers to gain unauthorized access to a system or an
account by systematically trying out all possible combinations of usernames and passwords until the
correct one is found. This method does not rely on any specialized knowledge or vulnerabilities in the
system; instead, it relies on the sheer computational power and persistence of the attacker.
1. Selection of Target: The attacker identifies a target, which could be a specific account (such as an
email or social media account) or a system (such as a website, server, or application) that they want to access.
2. Password List: The attacker compiles a list of candidate usernames and passwords. These lists can be
generated in various ways, including common passwords, dictionary words, or credentials harvested
from previous breaches.
3. Automation: The attacker uses a program or script to automate the login attempts. The program
iterates through the list of usernames and tries each one with every password.
4. Testing Credentials: For each username/password combination, the program sends a login request
to the target system. If the combination is correct, the attacker gains access.
5. Repeating the Process: The process continues until the correct combination is found or the entire
list of possible combinations has been exhausted.
6. Time and Resources: The success of a brute force attack depends on the strength and complexity of
the passwords, the computational power available to the attacker, and the effectiveness of any
countermeasures in place (such as account lockout after a certain number of failed login attempts).
Brute Force Hacking
7. Variations:
1. Simple Brute Force: This involves systematically trying every possible combination of
characters until the correct one is found.
2. Dictionary Attacks: In this variation, the attacker uses a list of commonly used passwords or
dictionary words, potentially supplemented with variations (e.g., "password123", "letmein").
3. Hybrid Attacks: These combine elements of dictionary attacks with variations and patterns
that users commonly use to create passwords.
8. Countermeasures:
1. Account Lockouts: After a certain number of failed login attempts, an account may be
temporarily locked to prevent further unauthorized access attempts.
2. CAPTCHA: CAPTCHA challenges can be used to differentiate between human users and
automated scripts.
3. Strong Password Policies: Requiring complex passwords with a combination of uppercase,
lowercase, numbers, and special characters can significantly increase the difficulty of a
successful brute force attack.
4. Multi-Factor Authentication (MFA): Adding an extra layer of authentication, e.g. a one-time
code sent to a user's mobile device, greatly mitigates the effectiveness of brute force attacks.
It is important for individuals and organizations to implement strong password practices and other
security measures to protect against brute force attacks. Note that account lockout on its own can be
turned into a denial of service against legitimate users, so it is normally combined with per-source
rate limiting, progressive delays and monitoring of failed logins.
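The two attack patterns above (dictionary/brute force against one account, and credential lists sprayed across many accounts) seen from the defender's side, as an added example that is not part of the original slides: a sliding-window detector run over a few constructed OpenSSH-style auth.log lines. The thresholds, the log format and the year assumed for syslog timestamps are assumptions to tune for a real environment.

```python
# Added example (not from the original slides): detection logic for online
# brute force, password spraying, and "success after a burst of failures",
# run over constructed auth.log lines (RFC 5737 documentation addresses).
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Aug 24 10:00:01 host sshd[1001]: Failed password for alice from 203.0.113.5 port 50001 ssh2
Aug 24 10:00:02 host sshd[1002]: Failed password for alice from 203.0.113.5 port 50002 ssh2
Aug 24 10:00:03 host sshd[1003]: Failed password for alice from 203.0.113.5 port 50003 ssh2
Aug 24 10:00:04 host sshd[1004]: Failed password for alice from 203.0.113.5 port 50004 ssh2
Aug 24 10:00:05 host sshd[1005]: Failed password for alice from 203.0.113.5 port 50005 ssh2
Aug 24 10:00:06 host sshd[1006]: Accepted password for alice from 203.0.113.5 port 50006 ssh2
Aug 24 10:00:10 host sshd[1007]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Aug 24 10:00:11 host sshd[1008]: Failed password for carol from 198.51.100.7 port 40002 ssh2
Aug 24 10:00:12 host sshd[1009]: Failed password for dave from 198.51.100.7 port 40003 ssh2
Aug 24 10:00:13 host sshd[1010]: Failed password for invalid user erin from 198.51.100.7 port 40004 ssh2
Aug 24 10:05:00 host sshd[1011]: Failed password for frank from 192.0.2.9 port 30001 ssh2
Aug 24 10:05:04 host sshd[1012]: Accepted password for frank from 192.0.2.9 port 30002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port"
)
LOG_YEAR = 2024  # syslog lines carry no year; assumed for the sample


def parse_line(line: str):
    """Return {ts, ok, user, ip} for an sshd password-auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "ip": m["ip"]}


def detect(lines, window_s=60, fail_threshold=5, spray_users=3, success_after=3):
    """Sliding window keyed by source IP. One finding per IP per pattern:
    many failures (brute force), failures spread across many accounts
    (spraying), and a success right after a burst (likely compromise)."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # ip -> deque of (ts, user) failures inside the window
    flagged = set()              # (ip, kind) already reported
    findings = []

    def report(kind, ip, ts, **extra):
        if (ip, kind) not in flagged:
            flagged.add((ip, kind))
            findings.append({"kind": kind, "ip": ip, "at": ts.isoformat(), **extra})

    for ev in filter(None, map(parse_line, lines)):
        q = recent[ev["ip"]]
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()  # drop failures older than the window
        if ev["ok"]:
            if len(q) >= success_after:
                report("success_after_failures", ev["ip"], ev["ts"],
                       user=ev["user"], failures=len(q))
            continue
        q.append((ev["ts"], ev["user"]))
        users = {u for _, u in q}
        if len(q) >= fail_threshold:
            report("brute_force", ev["ip"], ev["ts"], failures=len(q), users=sorted(users))
        if len(users) >= spray_users:
            report("password_spray", ev["ip"], ev["ts"], users=sorted(users))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(finding)
```

Keying on the source address catches spraying, which per-account lockout never sees because each account fails only once; the "success after failures" rule is the one worth paging on, since it marks a guess that worked.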
How Long Does It Take a Hacker to Brute Force a Password in 2023
• Hive Systems conducts annual research to determine how long it takes to crack
passwords
• Provides an estimate of how long it would take an attacker with a consumer budget to
crack password hashes offline using a desktop computer with a top-level consumer-grade
graphics card.
• For an 8-character password that is a randomly generated string (the NIST-recommended
approach) containing numbers, upper- and lower-case letters, and symbols, a
top-of-the-range GPU from 2018 (RTX 2080) would take about 4 hours to crack it.
• Today, using the latest GPUs (RTX 4090), it takes just 59 minutes; with cloud resources
the time drops to 19 minutes using 8 x A100 GPUs from Amazon AWS, and 12 minutes using
12 of them.
• These figures assume the attacker already holds the password hash (an offline attack)
and depend heavily on the hash function in use: a fast unsalted hash falls orders of
magnitude sooner than a deliberately slow one such as bcrypt or Argon2.
• The table on the next slide shows how long it would take a hacker using standard
equipment to guess a password.
Time it takes hackers to brute force passwords
(table from the source slide, not reproduced here)
Federated Identity Management
• FIM is a system of single login, multiple access. For FIM to work effectively, all
involved partners must have a sense of mutual trust. Each trust domain
maintains its own identity management.
• However, all domains are interlinked through a third-party service that stores
users' access credentials and provides the trust mechanism needed for FIM to
work. This third service is known as the identity provider or identity broker.
• Users' credentials are provided to and stored with their identity provider, which
is their home domain. Then, when logging in to a service such as a
software-as-a-service application, they don't have to provide credentials to the
service provider. Rather, the service provider trusts the identity provider to
validate these credentials and grant them access.
• Examples of FIM technologies include OpenID Connect (built on OAuth 2.0, which by
itself is an authorization framework rather than an authentication protocol) and
Shibboleth, which is based on the OASIS (Organization for the Advancement of
Structured Information Standards) Security Assertion Markup Language (SAML).
Federated Identity Management
• A federated identity management scheme is a union of separate identification and
authentication systems. Authentication is performed in one place (the identity
provider), and separate processes and systems in the other domains decide what an
already authenticated user is to be given access to.
Single Sign-On
• Single sign-on lets a user log on once per session but access many different
applications/systems.
• It often works in conjunction with federated identity management, with the federated
identity provider acting as the source of authentication for all the applications.
• Google, LinkedIn, Apple, Twitter and Facebook offer popular SSO services that enable end
users to log in to third-party applications with their social media authentication
credentials.
Single Sign-On vs FIM
• Single sign-on (SSO) is an important component of FIM, but it is not the same as FIM.
• Implementing single sign-on doesn't necessarily require FIM, but the latter relies
heavily on SSO technologies for authentication among domains.
• SSO enables users to use a single set of credentials to access multiple systems within a
single organization. It is token-based: after the initial login the user is identified
to each application by a signed token or ticket rather than by re-entering a password.
• FIM enables users to access systems across federated organizations. They can use the
same credentials to access the applications, programs and networks of all members
within the federated group. It provides single-step access to multiple systems across
different organizations. Unlike SSO, FIM users don't provide credentials directly to a
web application, but to the FIM system (the identity provider) itself.
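The trust relationship described in the FIM and SSO slides, reduced to its core as an added example that is not part of the original slides: the identity provider checks the password once and issues a short-lived signed token bound to one service provider; the service provider never sees the password and accepts the token only after checking signature, issuer, audience, expiry and replay. HMAC with a per-SP shared secret stands in for the asymmetric signatures SAML assertions and OpenID Connect ID tokens actually carry; the issuer URL, SP names and the user record are constructed for the demo.

```python
# Added example (not from the original slides): an IdP that issues signed
# tokens and an SP that validates them. HMAC shared secrets replace the
# RSA/ECDSA signatures of real SAML/OIDC; names and users are constructed.
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    def __init__(self, issuer, sp_keys, credential_check):
        self.issuer = issuer
        self.sp_keys = sp_keys                    # audience -> key shared with that SP
        self.credential_check = credential_check  # (user, password) -> bool

    def issue(self, username, password, audience, ttl=300, now=None):
        """Authenticate once, then mint a token usable by exactly one SP."""
        if audience not in self.sp_keys or not self.credential_check(username, password):
            return None
        now = int(time.time() if now is None else now)
        claims = {"iss": self.issuer, "sub": username, "aud": audience,
                  "iat": now, "exp": now + ttl, "nonce": secrets.token_hex(8)}
        body = _b64(json.dumps(claims, separators=(",", ":")).encode())
        sig = hmac.new(self.sp_keys[audience], body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64(sig)}"


class ServiceProvider:
    def __init__(self, name, issuer, key, skew=60):
        self.name, self.issuer, self.key, self.skew = name, issuer, key, skew
        self._seen = set()  # nonces already redeemed (replay protection)

    def accept(self, token, now=None):
        """Return {'ok': True, 'subject': ...} or {'ok': False, 'error': ...}."""
        now = int(time.time() if now is None else now)
        try:
            body, sig = token.split(".")
            expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(sig)):
                return {"ok": False, "error": "bad signature"}  # tampered or wrong key
            claims = json.loads(_unb64(body))
        except (ValueError, TypeError):
            return {"ok": False, "error": "malformed token"}
        if claims.get("iss") != self.issuer:
            return {"ok": False, "error": "unknown issuer"}
        if claims.get("aud") != self.name:
            return {"ok": False, "error": "wrong audience"}  # minted for another SP
        if claims.get("iat", 0) > now + self.skew:
            return {"ok": False, "error": "issued in the future"}
        if claims.get("exp", 0) <= now:
            return {"ok": False, "error": "expired"}
        if claims.get("nonce") in self._seen:
            return {"ok": False, "error": "replay"}
        self._seen.add(claims["nonce"])
        return {"ok": True, "subject": claims["sub"]}


# Constructed demo data: one user at the IdP and two relying service providers.
USERS = {"alice": "correct horse battery staple"}  # a real IdP stores hashes, not passwords
CRM_KEY, MAIL_KEY = secrets.token_bytes(32), secrets.token_bytes(32)
idp = IdentityProvider(
    "https://idp.example", {"crm": CRM_KEY, "mail": MAIL_KEY},
    lambda u, p: u in USERS and hmac.compare_digest(USERS[u].encode(), p.encode()),
)
crm = ServiceProvider("crm", "https://idp.example", CRM_KEY)
mail = ServiceProvider("mail", "https://idp.example", MAIL_KEY)
```

The audience check is the one most often skipped in home-grown SSO: without it, a token obtained from a low-value SP that happens to share the key can be replayed against a high-value one.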
Cryptography
• Cryptography is the study and practice of techniques for protecting information,
most visibly the conversion of plaintext (readable format) into ciphertext
(non-readable format), i.e. encryption, and the reverse process, decryption.
• Cryptanalysis is the study of breaking those techniques, e.g. recovering plaintext
or keys without being given the key.
• Cryptology is the umbrella term covering both cryptography and cryptanalysis.
Cryptography
• Cryptography is used to secure data at rest, stored in servers,
and in motion, transmitted over the network.
• Cryptography involves mathematical operations that convert
the original plaintext into an unintelligible ciphertext
(encryption) and the reverse process, converting ciphertext to
plaintext (decryption).
• Cryptography is classified into symmetric cryptography and
asymmetric cryptography.
Symmetric systems
(diagram from the source slide, not reproduced here)
Asymmetric (Public) key systems
(diagram from the source slide, not reproduced here)
Purpose and Goal of Cryptography
Cryptographic schemes, and key establishment protocols in particular, aim to provide:
• Entity authentication: one party is assured of the identity of the other and that
the other party is live, i.e. actually taking part in the current protocol run.
• Data origin authentication: each party is assured of the source of the information
it receives.
• Implicit key authentication: one party is assured that no one other than the
intended recipient could have obtained the key (the recipient may not yet hold it).
• Key confirmation: one party is assured that the other party actually possesses the
secret key in question.
• Explicit key authentication: implicit key authentication plus key confirmation,
i.e. the intended recipient, and only the intended recipient, is in possession of
the key.
Key Management
• Cryptographic keys are a vital part of any security system. They do
everything from data encryption and decryption to user
authentication.
• The compromise of any cryptographic key could lead to the collapse
of an organization’s entire security infrastructure, allowing the
attacker to decrypt sensitive data, authenticate themselves as
privileged users, or give themselves access to other sources of
classified information.
• Proper management of keys and their related components can
ensure the safety of confidential information.
• Key Management is the process of putting certain standards in
place to ensure the security of cryptographic keys in an
organization.
• Key management deals with the creation, exchange, storage, deletion, and
refreshing of keys, and with which members of the organization are allowed to
access them.
Why is Key Management important?
• Key management forms the basis of all data security.
• Data is encrypted and decrypted via the use of encryption keys,
which means the loss or compromise of any encryption key would
invalidate the data security measures put into place.
• Keys also ensure the safe transmission of data across an Internet
connection.
• With authentication mechanisms such as code signing, an attacker who steals a
poorly protected signing key could pose as a trusted vendor such as Microsoft
and deliver malware to victims' computers.
• Properly managed keys also help meet the standards and regulations that require
companies to follow best practice when protecting cryptographic material.
• Well protected keys are only accessible by users who need them.
What is Key Management?
• Effective use of cryptography requires key management, which refers to the
all-encompassing activities in handling cryptographic keys during their entire
lifecycle. Two related concerns, both arising from the key exchange problem, shape
its design:
• Forward secrecy
• If a long-term key is compromised, can previously recorded sessions be decrypted? A
scheme with forward secrecy derives each session key from ephemeral values, so leaking
the long-term key (or a later session key) does not expose earlier session keys.
Without it, an adversary who records traffic today can decrypt it after obtaining
the key later.
• Known key attack
• An adversary who has obtained one or more past session keys tries to use them to
derive future session keys or to impersonate a legitimate entity. A sound scheme
ensures that compromise of one session key does not compromise others; sessions
protected by other keys are not affected by this attack.
Types of Keys
• There are two types of cryptographic keys, symmetric and asymmetric keys.
• Symmetric keys are the workhorse for bulk encryption, most visibly of data at rest
(data stored in a static location, such as a database), and also of the data
itself within protocols such as TLS once a session key has been agreed.
• Symmetric key encryption uses the same key for both encryption and decryption.
• Using data in a database as an example, while the data is stored in the database
it is encrypted with the symmetric key. When an authorized user requests the data,
the information is decrypted with the same symmetric key and made accessible to
the user.
• The other type of cryptographic key is an asymmetric key.
Symmetric key cryptography
• It involves the usage of one secret key along with encryption and
decryption algorithms which help in securing the contents of the
message.
• The strength of symmetric key cryptography depends on the algorithm and on the
key length in bits (AES with 128- or 256-bit keys is the usual choice today).
• It is relatively faster than asymmetric key cryptography.
• There arises a key distribution problem as the key has to be
transferred from the sender to the receiver through a secure
channel.
Asymmetric key cryptography
• It is also known as public-key cryptography because each party has a public key,
which can be shared freely, along with a secret private key.
• It eases the key distribution problem because the encryption key does not have
to be kept secret; only the private key does.
• It is not practical for encrypting bulk data, as it is very slow compared to
symmetric key cryptography.
Encryption using Asymmetric Keys
• Encryption using asymmetric keys is a little more complicated than symmetric key
encryption. Instead of using the same key for both encryption and decryption, two
separate keys, a public key and a private key, are used for the encryption and
decryption of data.
• These keys are created as a pair, so that they relate to each other mathematically.
The public key of the pair is used to encrypt data.
• This key can be shared with anyone, since it encrypts but cannot decrypt.
• The private key decrypts data encrypted with its public key counterpart, so it
must be kept secret.
• In practice asymmetric keys protect data in motion, i.e. data sent across a network
connection, public or private, by securing the exchange of a symmetric key rather
than the data itself. When transporting sensitive data, most encryption processes
therefore use both symmetric and asymmetric keys (hybrid encryption):
• The data is first encrypted with a fresh symmetric (session) key.
• The symmetric key is then encrypted with the public key of the intended recipient.
The encrypted symmetric key and the ciphertext are sent to the recipient together.
• On receipt, the recipient decrypts the symmetric key with their private key, and
then decrypts the ciphertext with the recovered symmetric key.
How Key Management Works?
• Key management follows a lifecycle of operations which are
needed to ensure the key is created, stored, used, and rotated
securely.
• Most cryptographic keys follow a lifecycle which involves key
• Generation
• Distribution
• Use
• Storage
• Rotation
• Backup/Recovery
• Revocation
• Destruction
Key management lifecycle
(diagram from the source slide, not reproduced here)
Key management lifecycle
1. Key generation
• First step: generating a cryptographic key using an approved set of rules,
including the use of an approved, cryptographically secure random or
pseudo-random generator.
2. Key installation
• Next, we move into the process of setting up, configuring and testing keying
material, including hardware, software and cryptographic modules.
3. Key establishment
• The distribution of keys between two or more entities involved in the
communication. The process may use Key Transport, where one party generates the
key and sends it to the other in protected form, or Key Agreement, where a new key
is produced as a function of secret information contributed by each of the
communicating parties.
Key establishment process
Private key establishment
• In symmetric key cryptography the same secret key is used for encryption and
decryption. This is also called Private Key (or secret key) Cryptography. A typical
exchange built on a Data Encryption Key (DEK) and a Key Encryption Key (KEK) looks
like this:
1. Alice initiates a request to access encrypted information; a DEK retrieval request
is sent to Bob (the key server).
2. Alice also sends her certificate to Bob, who verifies its signature against the
issuing Certification Authority (CA) for authentication.
3. Bob responds by sending his own certificate, which Alice verifies the same way, and
a TLS connection is established. Over it Bob provides the DEK, which he holds
wrapped (encrypted) under his KEK. Alice may now encrypt the data using the DEK.
Symmetric algorithms used here include AES and, historically, Triple DES (now
deprecated).
4. Upon receiving the encrypted ciphertext, Bob uses the KEK to unwrap the DEK and
then uses the DEK to decrypt the data.
5. Alice may cache the DEK until the end of the session.
Key establishment process
Public key establishment
• Asymmetric key cryptography uses a combination of a public key and a secret
private key for encryption and decryption. This is also called Public-Key
Cryptography. It works like this:
1. Alice and Bob verify each other's certificate against a CA for authentication
and mutual acceptance.
2. Bob then responds to Alice's request by sending his public key (carried in his
certificate).
3. Alice then creates an ephemeral session key. With a key-transport scheme (e.g.
RSA) she generates the key herself; with a key-agreement scheme (Diffie-Hellman
or its elliptic-curve form, ECDH) both sides contribute and derive the same key
without ever transmitting it.
4. In the key-transport case Alice encrypts this session key with Bob's public key
and uses the session key to encrypt the data to be sent to Bob.
5. Bob receives this data, recovers the session key with his own private key, and
decrypts the data with it.
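The key-transport exchange just listed (steps 3 to 5) and the hybrid flow from "Encryption using Asymmetric Keys", written out with both sides' operations as an added example that is not part of the original slides. It is standard library only: RSA key generation with Miller-Rabin, textbook RSA to wrap the session key, and a stream cipher derived from HMAC-SHA256 with encrypt-then-MAC for the data. Those are teaching substitutes; a real implementation must use RSA-OAEP (or an ECDH-based KEM) and an AEAD such as AES-GCM. The key size default and the demo message are assumptions.

```python
# Added example (not from the original slides): RSA key transport of a fresh
# session key plus symmetric encryption of the data. Textbook RSA (no OAEP)
# and an HMAC-based stream cipher are stand-ins so the code runs anywhere.
import hashlib
import hmac
import os
import secrets

SESSION_KEY_BYTES = 32


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin after trial division by small primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full length, odd
        if is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits: int = 2048, e: int = 65537):
    """Return ((e, n), (d, n)). Demo default; the primes are never stored."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR)."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _subkeys(session_key: bytes):
    """Separate encryption and MAC keys derived from the one session key."""
    return (hmac.new(session_key, b"enc", hashlib.sha256).digest(),
            hmac.new(session_key, b"mac", hashlib.sha256).digest())


def sym_encrypt(session_key: bytes, plaintext: bytes) -> bytes:
    enc, mac = _subkeys(session_key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def sym_decrypt(session_key: bytes, blob: bytes) -> bytes:
    enc, mac = _subkeys(session_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch: altered ciphertext or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))


def alice_send(bob_public, plaintext: bytes):
    """Steps 3-4: fresh session key wrapped under Bob's public key; data under it."""
    e, n = bob_public
    session_key = os.urandom(SESSION_KEY_BYTES)
    m = int.from_bytes(session_key, "big")
    assert m < n, "session key must be smaller than the RSA modulus"
    return pow(m, e, n), sym_encrypt(session_key, plaintext)


def bob_receive(bob_private, wrapped_key: int, blob: bytes) -> bytes:
    """Step 5: unwrap the session key with the private key, then decrypt the data."""
    d, n = bob_private
    session_key = pow(wrapped_key, d, n).to_bytes(SESSION_KEY_BYTES, "big")
    return sym_decrypt(session_key, blob)


def demo(bits: int = 512):
    """Run the exchange; return (recovered, tamper_detected, wrong_key_detected)."""
    message = b"DEK transport demo: the quick brown fox"  # constructed input
    bob_pub, bob_priv = rsa_keygen(bits)
    _, eve_priv = rsa_keygen(bits)  # an unrelated key pair, i.e. the wrong recipient
    wrapped, blob = alice_send(bob_pub, message)
    recovered = bob_receive(bob_priv, wrapped, blob)
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])
    try:
        bob_receive(bob_priv, wrapped, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    try:
        bob_receive(eve_priv, wrapped, blob)
        wrong_key_detected = False
    except (ValueError, OverflowError):
        wrong_key_detected = True
    return recovered, tamper_detected, wrong_key_detected
```

Unpadded RSA is deterministic and malleable, which is exactly why OAEP exists; the separation of encryption and MAC keys and the encrypt-then-MAC order are the parts worth copying, the cipher itself is not.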
Key management lifecycle
4. Key certification
• Now the key must be certified: a digital signature, issued by a third-party
certification authority, unambiguously binds the public key to its owner. Users
are registered as the authorized members of the security domain to which these
digital signatures apply.
5. Key usage
• Key usage is the process of ensuring operational availability of keying material
during the applicable cryptoperiod of the keys. Depending on the key establishment
protocol, the key may be temporary (a session key, discarded when the session
ends) or long-lived and bound to a certificate, in which case it must be retired
when the certificate expires or is revoked.
6. Key storage
• Cryptographic keys must be stored with a high degree of Confidentiality, Integrity
and Availability (CIA). Long-term storage should not be in active (working) memory;
keys are held in a protected store such as an HSM or key vault and loaded into
operational memory only while a cryptographic algorithm needs them.
Key management lifecycle
7. Key update & recovery
• Mechanisms that allow authorized entities to update (rotate) keys and to retrieve
keys from operational memory or from archived keying material, e.g. to reconstruct
a key that is still needed to decrypt older data at rest.
8. Key revocation
• The key is deregistered, and ultimately destroyed, when no further key management
operations apply to the associated entities: they may have completed the
communication process, may no longer be eligible for key certification, or the
key may have been compromised.
Key Management in Cryptography
• In cryptography, securely distributing keys between sender and receiver is a
difficult task: a symmetric key must be kept secret from everyone else, and a
public key must reach the other party in a way that guarantees it is genuine.
• If a key is known to a third party (forger/eavesdropper) then the whole security
mechanism becomes worthless. Hence the need to secure the exchange of keys.
• There are two aspects to Key Management here:
1. Distribution of public keys.
2. Use of public-key encryption to distribute secret (symmetric) keys.
Distribution of Public Key
• Public keys can be distributed in four ways:
1. Public announcement
2. Publicly available directory
3. Public-key authority
4. Public-key certificates
• Public Announcement: The public key is simply broadcast to everyone. The major
weakness of this method is forgery: anyone can create a key pair, claim to be
someone else, and broadcast the public key. Until the forgery is discovered, the
attacker can masquerade as the claimed user and read messages intended for them.
Distribution of Public Key
• Publicly Available Directory: The public key is stored in a directory maintained
by a trusted authority. Participants register with the directory (in person or
over an authenticated channel), may replace their key at any time, and the
directory holds entries of the form {name, public key}. The directory can be
accessed electronically, but it remains vulnerable if an attacker obtains the
authority's private key or tampers with the directory's records.
• Public-Key Authority: Similar to the directory, but security is improved by
tightening control over the distribution of keys from it. Users must know the
authority's own public key. Whenever a key is needed, the user makes a real-time
request to the authority, which returns the requested public key in a signed
response that the user can verify.
Distribution of Public Key
• Public-Key Certificates: Here the authority issues a certificate (which binds an
identity to a public key) so that keys can be exchanged without real-time access
to the authority each time. The certificate carries other information such as the
period of validity and rights of use. All of this content is signed with the
private key of the certificate authority and can be verified by anyone
possessing the authority's public key.
• First the sender and receiver each obtain a certificate from the CA, containing
their public key and other information; they can then exchange these certificates
and start communicating.
Public Key Encryption
• Conventional (symmetric) encryption first: when two parties communicate, the
intelligible message, referred to as plaintext, is converted for security purposes
into apparently random nonsense, referred to as ciphertext.
• The process of changing the plaintext into the ciphertext is referred to
as encryption.
• The encryption process consists of an algorithm and a key. The key is a value
independent of the plaintext.
• The security of conventional encryption depends on two major factors:
1. The strength of the encryption algorithm
2. Secrecy of the key
• The encryption algorithm produces a different output depending on the specific key
being used at the time; changing the key changes the output of the algorithm.
• Once the ciphertext is produced, it may be transmitted. Upon reception, the
ciphertext can be transformed back to the original plaintext by using a decryption
algorithm and the same key that was used for encryption.
• The process of changing the ciphertext back to the plaintext is known
as decryption.
Public Key Encryption
• Asymmetric is a form of cryptosystem in which encryption and decryption are
performed using different keys: a public key (known to everyone) and a private
key (secret key). This is known as Public Key Encryption.
Conventional vs. public-key encryption
Needed to work
• Conventional: The same algorithm with the same key is used for encryption and
decryption. The sender and receiver must share the algorithm and the key.
• Public-key: One algorithm is used for encryption and a related algorithm for
decryption, with a pair of keys, one for encryption and the other for decryption.
The sender and receiver must each have one of the matched pair of keys (not the
same one).
Needed for security
• Conventional: The key must be kept secret. It must be impossible, or at least
impractical, to decipher a message if the key is kept secret. Knowledge of the
algorithm plus samples of ciphertext must be insufficient to determine the key.
• Public-key: One of the two keys must be kept secret. It must be impossible, or at
least impractical, to decipher a message if one of the keys is kept secret.
Knowledge of the algorithm plus one of the keys plus samples of ciphertext must be
insufficient to determine the other key.
Characteristics of Public Key Encryption
• Public key encryption is important because it is computationally infeasible to
determine the decryption key given only knowledge of the cryptographic algorithm
and the encryption key.
• In some schemes, RSA among them, either of the two keys can be used for encryption
with the other used for decryption; this is what makes both encryption and digital
signatures possible with a single key pair.
• In a public key cryptosystem, public keys can be freely shared, giving users an
easy and convenient method for encrypting content and verifying digital
signatures, while private keys are kept secret, ensuring that only the owner of a
private key can decrypt content and create digital signatures.
• The most widely used public-key cryptosystem is RSA (Rivest–Shamir–Adleman). The
difficulty of finding the prime factors of a large composite number is the
backbone of RSA.
Example
• Public keys of every user are present in the Public Key Register. If B wants to send a
confidential message to C, then B encrypts the message using C's public key. When C
receives the message from B, C can decrypt it using its own private key. No recipient
other than C can decrypt the message, because only C knows C's private key.
Components of Public Key Encryption
• Plain Text:
This is the message which is readable or understandable. This message is
given to the encryption algorithm as input.
• Cipher Text:
The cipher text is produced as the output of the encryption algorithm. It is
unintelligible without the matching key.
• Encryption Algorithm:
The encryption algorithm is used to convert plain text into cipher text.
• Decryption Algorithm:
It accepts the cipher text and the matching key (private key or public key,
whichever was not used for encryption) as input and produces the original plain text.
• Public and Private Key:
One key, either the private key (secret key) or the public key (known to everyone),
is used for encryption and the other is used for decryption.
Weakness of the Public Key Encryption
• Public key encryption is vulnerable to brute-force attack in the sense that an
attacker can always try to recover the private key from the public one (e.g. by
factoring the RSA modulus), so key sizes must be large enough to make this
infeasible (2048-bit RSA or longer today).
• The scheme also fails when a user loses their private key: nothing encrypted to
the corresponding public key can ever be recovered, and if the private key is
disclosed rather than lost, everything encrypted to it is exposed.
• Public key encryption is weak against man-in-the-middle attack when public keys
are exchanged without authentication. In this attack a third party intercepts the
public key exchange and substitutes their own public keys, so that each side
unknowingly encrypts to the attacker.
• If the private key used for certificate signing higher in the PKI (Public Key
Infrastructure) hierarchy is compromised, or accidentally disclosed, then a
"man-in-the-middle attack" is also possible, making every subordinate certificate
wholly untrustworthy. This too is a weakness of public key encryption as deployed.