Chapter 5 - Security
Some background in cyber security is always desirable when applying for a technical job; all software developers are now expected to have acquired some knowledge of the subject.
Encryption
What is Symmetrical Encryption?
What is Asymmetric Encryption?
What is Public Key Infrastructure?
A public key infrastructure (PKI) is a system for the creation, storage, and distribution of digital certificates which are used to verify that a particular public key belongs to a certain entity. The PKI creates digital certificates which map public keys to entities, securely stores these certificates in a central repository and revokes them if needed.
What is the difference between encryption and hashing?
SSH
An SSH session consists of two stages: Negotiating Encryption and User Authentication.
How does SSH Negotiating Encryption work?
The goal of this stage is for the client and server to agree upon and establish encryption to protect future communication, by generating an identical session key. One possible algorithm to generate the session key is the Diffie–Hellman key exchange scheme. Each party generates a public/private key pair and exchanges the public key. After obtaining an authentic copy of each other's public keys, each party can compute a shared secret offline.
The basis of this procedure for classic Diffie-Hellman is:
  1. Both parties agree on a large prime number, which will serve as a seed value.
  2. Both parties agree on an encryption generator (typically AES), which will be used to manipulate the values in a predefined way.
  3. Independently, each party comes up with another prime number which is kept secret from the other party. This number is used as the private key for this interaction (different than the private SSH key used for authentication).
  4. The generated private key, the encryption generator, and the shared prime number are used to generate a public key that is derived from the private key, but which can be shared with the other party.
  5. Both participants then exchange their generated public keys.
  6. The receiving entity uses their own private key, the other party's public key, and the original shared prime number to compute a shared secret key.
  7. Although this is independently computed by each party, using opposite private and public keys, it will result in the same shared secret key.
  8. The shared secret is then used to encrypt all communication that follows.
The purpose of the shared secret key is to wrap all further communication in an encrypted tunnel that cannot be deciphered by outsiders.
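The exchange above as a runnable sketch, added here as an illustration and not taken from any SSH implementation. It uses textbook finite-field Diffie-Hellman with a public prime modulus and base and random integers as private values; the toy parameters and all function names are assumptions of this example.

```python
import hashlib
import secrets

# Toy public parameters (assumed for this example): the Mersenne prime
# 2**127 - 1 as modulus and 3 as base. Far too small for real use.
P = 2**127 - 1
G = 3

def keypair():
    """Pick a secret value and derive the shareable public value from it."""
    while True:
        private = secrets.randbelow(P - 3) + 2   # 2 <= private <= P - 2
        public = pow(G, private, P)
        if 1 < public < P - 1:                   # never publish a degenerate value
            return private, public

def shared_secret(own_private, peer_public):
    """Combine our own private value with the peer's public value."""
    # Values 0, 1 and P-1 (or anything out of range) would force a secret
    # an observer can predict, so refuse them before computing.
    if not 1 < peer_public < P - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_public, own_private, P)

def session_key(secret):
    """Hash the shared secret down to a 256-bit symmetric session key."""
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()

def run_exchange():
    """Return (client_key, server_key); only the public values are exchanged."""
    client_private, client_public = keypair()
    server_private, server_public = keypair()
    client_key = session_key(shared_secret(client_private, server_public))
    server_key = session_key(shared_secret(server_private, client_public))
    return client_key, server_key

if __name__ == "__main__":
    client_key, server_key = run_exchange()
    print("keys match:", client_key == server_key)
```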
How does SSH User Authentication work?
The goal of this stage is to authenticate the user and discover whether access to the server should be granted. There are two approaches for authenticating, either by using passwords, or SSH key pairs.
For password authentication, the server simply prompts the client for the password of the account they are attempting to log in with. The password is sent through the negotiated encryption, so it is secure from outside parties.
Authentication using SSH key pairs begins after the symmetric encryption has been established as described in the last section. The procedure happens like this:
  1. The client begins by sending an ID for the key pair it would like to authenticate with the server.
  2. The server checks the authorized_keys file of the account that the client is attempting to log into for the key ID.
  3. If a public key with matching ID is found in the file, the server generates a random number and uses the public key to encrypt the number.
  4. The server sends the client this encrypted message.
  5. If the client actually has the associated private key, it will be able to decrypt the message using that key, revealing the original number.
  6. The client combines the decrypted number with the shared session key that is being used to encrypt the communication, and calculates the SHA256 hash of this value.
  7. The client then sends this SHA256 hash back to the server as an answer to the encrypted number message.
  8. The server uses the same shared session key and the original number that it sent to the client to calculate the SHA256 value on its own. It compares its own calculation to the one that the client sent back. If these two values match, it proves that the client was in possession of the private key and the client is authenticated.
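The eight steps above as a runnable sketch, added here as an illustration and not taken from any SSH implementation. The key ID `demo-key`, the function names and the tiny textbook RSA key are constructed for the example, and "combines" in step 6 is assumed to mean concatenation.

```python
import hashlib
import hmac
import secrets

# Constructed textbook RSA key (primes 61 and 53). Toy size, demo only.
N, E, D = 3233, 17, 2753                  # modulus, public exp., private exp.
AUTHORIZED_KEYS = {"demo-key": (N, E)}    # server side: key ID -> public key

def server_challenge(key_id):
    """Steps 2-4: look up the key ID, pick a random number, encrypt it."""
    if key_id not in AUTHORIZED_KEYS:
        return None                        # unknown key: no challenge issued
    n, e = AUTHORIZED_KEYS[key_id]
    number = secrets.randbelow(n - 2) + 2
    return number, pow(number, e, n)       # server keeps number, sends the rest

def answer(number, session_key):
    """Steps 6 and 8: SHA256 over the number combined with the session key."""
    return hashlib.sha256(number.to_bytes(2, "big") + session_key).digest()

def client_response(encrypted, private_exponent, session_key):
    """Steps 5-7: decrypt with the private key, then hash with the session key."""
    number = pow(encrypted, private_exponent, N)
    return answer(number, session_key)

def server_verify(number, session_key, response):
    """Step 8: recompute the hash and compare in constant time."""
    return hmac.compare_digest(answer(number, session_key), response)

if __name__ == "__main__":
    session_key = secrets.token_bytes(32)  # stands in for the negotiated key
    number, encrypted = server_challenge("demo-key")
    response = client_response(encrypted, D, session_key)
    print("authenticated:", server_verify(number, session_key, response))
```

Because the session key is part of the hash, a response captured in one session does not verify in another.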
What is SHA-256?
SHA-256 stands for Secure Hash Algorithm – 256 bit and is a type of hash function commonly used to produce collision-resistant hash values. A hash function is a type of mathematical function which turns data into a fingerprint of that data called a hash.
What about MD5?
MD5 is another hashing algorithm, which is now known to be vulnerable to collision attacks.
Common Web Application Vulnerabilities
What is XSS? How would you mitigate it?
XSS stands for Cross Site Scripting and is a commonly found JavaScript vulnerability in web applications. The easiest way to explain it is the case where a user enters a script into a client-side input field and that input is processed without being validated. This leads to untrusted code being saved or reflected, and then executed on the client side.
Countermeasures of XSS are input validation and/or output escaping.
What is the difference between stored XSS and reflected XSS?
In the case of stored XSS, the script is stored, generally on a backend, then fetched by the webpage and executed in the client's browser. Reflected XSS, on the other hand, requires the user to send a request first. The request will start running on the browser of the victim’s computer and then will reflect the results back from the website or the browser to the user who has sent the request.
What is CSRF?
Cross Site Request Forgery is a web application vulnerability in which the server does not check whether the request came from a trusted client or not. The request usually gets processed on behalf of a user without their consent, and is usually coupled with an XSS vulnerability to perform the exploit.
How can you defend a web application against CSRF attacks?
Require every request to include a random token only present on the trusted scope of the web client.
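One way to implement this token check on the server, added here as an illustration and not taken from any framework. The in-memory store, the session IDs and the function names are assumptions of this example. A page on another site can make the browser send the session cookie, but it cannot read the token the server embedded in its own forms.

```python
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # must never change server state
_tokens = {}                                # session ID -> issued token

def issue_token(session_id):
    """Create the per-session token the server embeds in its own forms."""
    token = secrets.token_urlsafe(32)
    _tokens[session_id] = token
    return token

def is_allowed(method, session_id, submitted_token):
    """Accept a state-changing request only if it carries the session's token."""
    if method.upper() in SAFE_METHODS:
        return True
    expected = _tokens.get(session_id)
    if expected is None or not submitted_token:
        return False                        # no session token or none submitted
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), submitted_token.encode())
```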
What is SQL injection?
SQL injection is a very common application-layer attack technique that takes advantage of improper coding of a web application, allowing a hacker to inject SQL commands into, say, a login form to gain access to the data held within the database.
How to mitigate the risk of SQL injections?
The most effective measure against SQL Injection is to use prepared statements throughout the application where the code is building SQL statements. Prepared statements ensure escaping of input values so that no statement execution can be altered by the end user.