MALICIOUS SOFTWARE

Malicious software consists of programs that corrupt other programs or pose severe security threats to the system. These fall into two categories: host dependent programs and host independent programs.
Figure 14.3 provides an overall taxonomy of software threats, or malicious programs.
Figure 14.3: Taxonomy of malicious programs.

Host dependent programs

Trapdoor: It is a secret entry point into a computer that allows someone who is aware of the trapdoor to gain access without going through normal methods of authentication.
Logic bomb: The logic bomb is code embedded in some legitimate program that checks for certain conditions to be met. When the conditions are met, it performs certain unauthorized actions (explodes).
Trojan horse: A program that appears to be useful but contains hidden code which, when executed, performs some unwanted functions.
Trojan mule: A program that simulates the login session and displays a login screen that appears genuine. A user unaware of the program enters ID and password. The program records the login session and terminates.
Virus: A self-replicating program that infects other programs, either by modifying them directly or by modifying the environment in which they operate.
Host independent programs
Bacteria: Programs that consume system resources by replicating themselves. The program does not explicitly damage any file.
Worms: A network worm program replicates itself and sends copies from one computer to another across network connections. Once active within a system, it can behave like a virus or bacteria. Worms can also implant Trojan horses. In addition to propagation, a worm usually performs some disruptive or destructive actions.
  Safeguards
Scanners: Every virus is constructed from a number of bytes. A unique sequence of these bytes can be selected which can be used to identify the virus. The sequence is known as the virus signature. A scanner searches files looking for the signature. Most anti-virus products are scanners which scan for known signatures. Some kits contain a heuristic scanner that scans based on virus behaviour.
Integrity checkers: An integrity checker can be used to identify viruses with unknown signatures. This utility calculates a checksum for every file that the user chooses and stores the checksums in a file. Periodically, the integrity checker is run again on the files and the checksums are re-calculated to detect discrepancies.
Behaviour blocker: This utility remains in memory and alerts the user of any suspicious activity.
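The integrity checker described above can be sketched as follows. This is an added example, not code from the original text; it uses SHA-256 in place of a simple checksum, so that a deliberate modification cannot be hidden by keeping the checksum value the same, and the file names and contents are constructed samples.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file's path (relative to root) to its digest."""
    return {
        str(p.relative_to(root)): file_digest(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Report files that changed, appeared or disappeared since the baseline."""
    return {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def demo() -> dict:
    """Constructed sample: three files, then one is altered, one added, one deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.bin").write_bytes(b"original program bytes")
        (root / "lib.bin").write_bytes(b"library bytes")
        (root / "old.cfg").write_bytes(b"setting=1")
        stored = json.loads(json.dumps(build_baseline(root)))  # as saved to a file
        (root / "app.bin").write_bytes(b"original program bytes + appended code")
        (root / "new.bin").write_bytes(b"unexpected file")
        (root / "old.cfg").unlink()
        return compare(stored, build_baseline(root))
```

The stored baseline has to be kept where the monitored system cannot rewrite it (read-only or off-host media); otherwise a program that alters a file can alter its recorded checksum as well.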
  SECURITY SERVICES AND CRYPTOGRAPHY
Cryptography is a means of protecting information against unauthorized access when it is transmitted through insecure channels. Cryptography can also be used to prevent integrity attack, authenticity attack, denial attack and replay attack.
Cryptography is the science of encrypting information. People's desire to hide information from each other extends well back into ancient times. Once people had determined that they could apply language to writing, they knew how to share information with others. The next step was to keep information from others. The easiest way for people to do this was not to teach others how to read and write the language. As that became ineffective, methods of shifting the letters around to make the text unreadable were attempted. Spartans used a ribbon wrapped around a specific gauge cylinder and then wrote on the ribbon. When unwrapped, the ribbon appeared to hold a strange string of letters. The message could only be read when someone wrapped the ribbon back around the same gauge cylinder. This is an example of a transposition cipher, where the same letters are used but the order is changed. The Romans typically used a different method known as a shift cipher. In this case, one letter of the alphabet is shifted a set number of places in the alphabet for another letter. A common modern-day example of this is the ROT13 cipher, where every letter is rotated 13 positions in the alphabet; n is written instead of a, and o instead of b, etc.
These ciphers were simple to use and unfortunately also simple to break. This led to the need for more advanced transposition and substitution ciphers. As the systems became more complex, they were frequently automated by some mechanical or electromechanical device. A famous example of a modern encryption machine is the German Enigma machine from World War II. This machine used a complex series of substitutions to perform encryption, and interestingly enough gave rise to great amounts of research.
Cryptanalysis, which is the process of analyzing available information to attempt to return the encrypted message to its original form, required advances in computer technology for the more complex encryption methods. The birth of the computer made it possible to easily execute more complex encryption algorithms, which is how encryption is performed today. Computer technology has also aided cryptanalysis, allowing new methods to be tried such as linear and differential cryptanalysis. Differential cryptanalysis is done by comparing the input plaintext to the output ciphertext to try and determine the key. Linear cryptanalysis is similar in that it uses both plaintext and ciphertext, but it puts the plaintext through a simplified cipher to try and deduce what the key is likely to be in the full version of the cipher.
Cryptosystems
A cryptosystem deals with two primitive operations: encryption and decryption. Encryption (also called enciphering) is the process of transforming a message (also called plain text or clear text) into an unreadable form called cipher text (or cipher). Decryption (also called deciphering) is the process of transforming the cipher to clear text to get the message.
Alternatively, encryption is a function (encryption algorithm) having the form C = E(P, Ke) and decryption is a function (decryption algorithm) having the form P = D(C, Kd). Also, since the decryption function D is the inverse of the encryption function E, we have D(E(P, Ke), Kd) = P, where P is the plain text, C is the cipher text, Ke is the encryption key and Kd is the decryption key. To prevent the plain text from being easily revealed, it must be possible to transform a given plain text into a large number of cipher texts by using different encryption keys. The strength of the cryptosystem depends on the algorithm and the size of the key.
Cryptosystems have the following properties:
(1) Encryption and decryption algorithms are easy and simple to use and can be published.
(2) The security of the cryptosystem rests on the security of keys.
(3) It should be computationally infeasible for an attacker to determine Kd even when Ke and the algorithms are known.
There are two broad classes of cryptosystems: symmetric cryptosystems (also called private key cryptosystems or shared key cryptosystems) and asymmetric cryptosystems (also called public key cryptosystems).
We will look at each of them in detail under separate heads.

 Symmetric Cryptosystems
In a symmetric cryptosystem, either the encryption key and the decryption key are the same, or it is easy to compute the decryption key from the encryption key. Usually, a common key is used for both encryption and decryption. The key must be kept secret. Encryption and decryption are depicted in Figure 14.4.
Figure 14.4: Symmetric cryptosystems.
The advantage of symmetric cryptosystems is that they are very fast and efficient. The distribution of keys poses a serious problem. Some popular symmetric cryptosystems are DES and IDEA. The first one, system DES, is used most widely while the second one, system IDEA, is believed to be the most secure amongst the known systems.
System DES: data encryption standard
System DES was designed by the National Security Agency (NSA) of the US. It was adopted for use in all unclassified US government applications in 1977. Since then, it has become the most widely used private-key cryptosystem in the world. Essentially, DES is a generalization of system XOR obtained by incorporating non-linearity in the system.
Key: A 64-bit string k where every eighth bit is the parity of the previous seven bits (so effectively, the key size is 56 bits).
Encryption algorithm: The algorithm is a bit complex. We will not describe it in complete detail. In particular, we do not go into the details of the permutations, the S-boxes, and the key bits selection mechanism. We describe the overall structure of the algorithm:
Plaintext is divided into blocks of size 64 bits each. Each block is encrypted separately. Initially, the bits of a block are permuted according to a fixed permutation called IP. After that, the permuted text goes through sixteen rounds of transformation, and finally, the inverse of the permutation IP is applied to obtain the cipher text. The transformation in each round is: break the 64-bit input into two halves of 32 bits each, L and R; output the concatenation of R with L XOR f(R, K), where f is a function of the right half and the key K. A pictorial representation of this is given in Figure 14.5.
Function f is computed as follows: on input R and K,
(1) Expand R to a 48-bit string by repeating 16 bits of R.
(2) Select 48 bits from the 56-bit key K according to a round-dependent scheme.
(3) XOR the expanded R with the selected bits from K.
(4) Break the resultant 48 bits into eight blocks of six bits each.
(5) On each of these blocks, apply a function, given by an S-box that maps six bits to four bits; and
(6) Apply a permutation P on the resulting 32 bits to obtain the output of function f.
Each of the 8 S-boxes represents a different non-linear function.
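The round structure above, as an added Python example that is not part of the original text: it omits the permutation IP and replaces the DES function f with a stand-in (toy_f, a hypothetical helper built on SHA-256), which is enough to show that the same routine decrypts when the round keys are applied in reverse order. The round keys and the sample block are constructed values.

```python
import hashlib

MASK32 = 0xFFFFFFFF


def toy_f(right: int, round_key: int) -> int:
    """Stand-in round function (NOT the DES f): hash R with the round key to 32 bits.
    A network of this shape is invertible whatever f is, so any mixing function works."""
    data = right.to_bytes(4, "big") + round_key.to_bytes(6, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def rounds(block: int, round_keys: list) -> int:
    """Run a 64-bit block through the rounds: (L, R) -> (R, L XOR f(R, K))."""
    left, right = (block >> 32) & MASK32, block & MASK32
    for k in round_keys:
        left, right = right, left ^ toy_f(right, k)
    # Swap the halves after the last round so the same routine also decrypts.
    return (right << 32) | left


def encrypt(block: int, round_keys: list) -> int:
    return rounds(block, round_keys)


def decrypt(block: int, round_keys: list) -> int:
    # Identical structure; only the order of the round keys is reversed.
    return rounds(block, round_keys[::-1])


# Constructed sample: sixteen 48-bit round keys and one 64-bit block.
ROUND_KEYS = [(0x0123456789AB * (i + 1)) & 0xFFFFFFFFFFFF for i in range(16)]
PLAINTEXT = 0x0123456789ABCDEF
```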

System IDEA: International Data Encryption Algorithm
System IDEA was proposed by two Swiss cryptographers, Lai and Massey, in 1992. The operations used in encryption are very simple ones, unlike the mysterious S-boxes in DES. Lai and Massey provided an ingenious solution to the problem of introducing non-linearity in the system while maintaining invertibility: all the operations (there are three in all) used in encryption are group operations (and therefore, linear!). However, composition of any two of the operations is non-linear. This is achieved by adopting three different views of the plaintext block. We will now take a look at the details:
Key: any 128-bit string K.
Encryption algorithm: Plaintext is divided into blocks of 64 bits each. A block is further divided into four 16-bit sub-blocks. Each sub-block is viewed in three different ways during encryption:
(1) As a 16-bit binary vector; under this view, it is added with other 16-bit vectors.
(2) As a number modulo 2^16; under this view, it is added with other numbers, modulo 2^16.
(3) As a non-zero number modulo 2^16 + 1 (= 65537) (the sub-block with all zeros is taken to be equal to 2^16); under this view, it is multiplied with other non-zero numbers, modulo 2^16 + 1.
The three operations listed above are all group operations and therefore invertible: the set of all 16-bit vectors forms a group under XOR, the set of 16-bit numbers forms a group under addition modulo 2^16 (ADD), and the set of all non-zero 16-bit numbers (where all zeros is taken to represent 2^16) forms a group under multiplication modulo 2^16 + 1 (MUL) (this is because 2^16 + 1 is a prime number). However, a combination of any two of these operations becomes non-linear, making the task of inverting without knowing the key difficult.
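The three group operations and their inverses, as an added Python example that is not from the original text. The helpers mix and unmix are hypothetical: they chain the operations for illustration and are not the IDEA round itself.

```python
MOD_ADD = 1 << 16          # 2^16
MOD_MUL = (1 << 16) + 1    # 2^16 + 1 = 65537, a prime


def xor(a: int, b: int) -> int:
    """View 1: 16-bit binary vectors under XOR (each element is its own inverse)."""
    return a ^ b


def add(a: int, b: int) -> int:
    """View 2: numbers under addition modulo 2^16."""
    return (a + b) % MOD_ADD


def mul(a: int, b: int) -> int:
    """View 3: multiplication modulo 2^16 + 1; the all-zero sub-block stands for 2^16."""
    a = a or MOD_ADD
    b = b or MOD_ADD
    r = (a * b) % MOD_MUL
    return 0 if r == MOD_ADD else r


def add_inverse(k: int) -> int:
    return (-k) % MOD_ADD


def mul_inverse(k: int) -> int:
    """Inverse under MUL; it exists for every sub-block because 65537 is prime."""
    r = pow(k or MOD_ADD, -1, MOD_MUL)
    return 0 if r == MOD_ADD else r


def mix(x: int, z1: int, z2: int, z3: int) -> int:
    """Chain MUL, ADD and XOR with three key sub-blocks (hypothetical, not the IDEA round)."""
    return xor(add(mul(x, z1), z2), z3)


def unmix(y: int, z1: int, z2: int, z3: int) -> int:
    """Undo mix() by applying the three inverses in reverse order."""
    return mul(add(xor(y, z3), add_inverse(z2)), mul_inverse(z1))


def mul_distributes_over_add(a: int, b: int, k: int) -> bool:
    """True only when MUL happens to distribute over ADD for these inputs."""
    return mul(add(a, b), k) == add(mul(a, k), mul(b, k))
```

With a = b = 40000 and k = 2 the two sides differ (28928 against 28926), because the sum wraps at 2^16 while the product wraps at 2^16 + 1; this mismatch between the groups is what makes the combined operations non-linear.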
There are eight identical rounds of transformation in the algorithm. We describe the first round pictorially as shown in Figure 14.6. In each round, 96 bits of the key are used in the form of six 16-bit sub-blocks. A round-dependent scheme governs the choice of these 96 bits from the 128 bits of the key. For round number j, we denote these six key sub-blocks by Z1(j), Z2(j), ..., Z6(j). The four sub-blocks of plaintext are denoted by X1, X2, X3 and X4. After the eight rounds, two additions and two multiplications are performed on the four sub-blocks using four sub-blocks of the key.
Decryption algorithm: This is identical to the encryption algorithm except for the key sub-blocks used in each round. There is a similar calculation that yields the key sub-blocks for each round of decryption. In fact, the mysterious looking sequence of operations in encryption is designed so that the decryption is exactly the same as encryption (just as in DES).
As all the three operations are linear transformations, the cipher-text has excellent randomness properties. At the same time, any of the three operations is non-linear in the other two groups. Therefore, it is far easier to believe in security of IDEA than that of DES, which depended on the S-boxes. The only drawback in IDEA is that it has not been related to a hard-to-solve problem. Nevertheless, IDEA appears to be the most secure system, amongst all the known systems. Besides, it can achieve comparable speeds to DES in both software and hardware implementation.
Let us now analyze the strength of IDEA against the cryptanalytic attacks. A brute-force attack requires cycling through 2^128 keys as the key size is 128 bits. The time taken to do this is beyond the capabilities of current technology: given a computer system that can go through 10^20 keys per second (a very tall order), it would still require 10^18 seconds to break IDEA. This is roughly 10 billion years! IDEA is also resistant to differential cryptanalysis. In fact, Lai argued that IDEA becomes immune to this analysis after only four of its eight rounds.
There are many other private-key cryptosystems. Notable amongst these are: REDOC, Khufu, RC2, DES3 (this is a variant of DES that uses a 128-bit key). There are good points in each of these systems, and they are supposed to be secure. However, none of these is as elegant as IDEA or as well analyzed as DES (in fact, the details of RC2's encryption algorithm are not in the public domain).
We now briefly discuss stream ciphers: systems that have a block size of one bit. These systems are used when either very high speed is required (of the order of tens of Gbps), or the transmission channel is error prone. If a block cipher is used in an error-prone transmission, one bit of error in the cipher text will destroy one whole block of plaintext on decryption. If frequent errors cannot be avoided, as in the case of online transmission of voice/video, a large portion of data will be destroyed. This problem is avoided using stream ciphers, where one bit of error affects only one bit of decrypted plaintext.
The strategy adopted in stream ciphers is to generate a "stream" of key bits, as long as the plaintext, and XOR these bits with the bits of the plaintext to obtain the cipher text. At the receiver end, the same process is repeated to recover the plaintext. The stream of key bits is typically generated using a non-linear function that takes as input b bits, and outputs a single bit. A sequence of b bits is the secret key. The first bit of the key stream is the output of the function when the key is provided as input. Subsequent bits are computed using the function on some combination of key bits and the bits output in the key stream so far. A typical strategy is to drop the most significant bit of the input of the function and add the previous output bit as the least significant bit to form the new input. Clearly, the same key should not be used to encrypt two messages, as a known plaintext attack will break the system. For this reason, stream ciphers are used in situations in which there is a continuous transmission of data, as in satellite transmission. The high-speed requirement implies that only very simple non-linear functions can be used to encrypt data. Typically, these functions are combinations of Linear Feedback Shift Registers (LFSRs). (An LFSR computes a univariate polynomial whose coefficients are provided by the input to it.) Most LFSR-based ciphers can be broken in a few days if some information about the plaintext is available (for example, if the plaintext is normal English text, then different letters occur with different frequency). Therefore, it is necessary to keep changing keys often.
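The key-stream construction above, as an added Python example that is not part of the original text. It uses a plain linear feedback function over a 16-bit register for brevity; the register width, tap positions, key and messages are assumptions chosen for the example. It lets the effect of a single transmission error and of reusing a key be checked directly.

```python
def keystream(key: int, nbits: int, width: int = 16, taps=(15, 13, 12, 10)) -> list:
    """Generate nbits key bits. Each output bit is the XOR of the tapped register
    bits; the register then drops its most significant bit and takes the output
    bit as its new least significant bit, as described in the text."""
    mask = (1 << width) - 1
    state = key & mask
    if state == 0:
        raise ValueError("an all-zero key yields an all-zero key stream")
    out = []
    for _ in range(nbits):
        bit = 0
        for t in taps:
            bit ^= (state >> t) & 1
        out.append(bit)
        state = ((state << 1) | bit) & mask
    return out


def crypt(data: bytes, key: int) -> bytes:
    """XOR data with the key stream; the same call encrypts and decrypts."""
    bits = keystream(key, 8 * len(data))
    result = bytearray()
    for i, byte in enumerate(data):
        ks = 0
        for b in bits[8 * i: 8 * i + 8]:
            ks = (ks << 1) | b
        result.append(byte ^ ks)
    return bytes(result)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def bit_errors(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length byte strings differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


# Constructed sample key and two 16-byte messages.
KEY = 0xACE1
MSG1 = b"meet at the dock"
MSG2 = b"send report now!"
```

When both messages are encrypted under KEY, the key stream cancels: the XOR of the two cipher texts equals the XOR of the two plaintexts, so knowing one message reveals the other. Flipping one cipher-text bit changes exactly one bit of the decrypted message.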
