My TechnoBlogs

For those who can create wonders with Technology……

Archive for March, 2009

Digital Signature

Posted by Ravi shankar on March 3, 2009

A Digital Signature is basically a way to ensure that an electronic document (email, spreadsheet, text files, etc) is authentic. Authentic means that you know who created the document and you know that it has been altered in any way since that person created it.
It is alse defined as an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and possibly to ensure that the original content message or the document that has been sent is unchanged.
A Digital Signature contains the digital signature of the certificate-issuing authority so that anyone can verify that the certificate is real.

There are three basic types of digital signature certifcates:

Class-1 Certificate: They are personal email Certificate that allow you to secure your email messages. These certificates can be used to: Digitally sign email, Encrypt Email and Authenticate to Web Server. They do not facilitate the strong authentication of the identity of the subscriber.

Class-2 Certificate: They are issued as Managed Digital Certificates to employees/partners/affiliates/customers of business and government organisation that are ready to assume the responbsibility of verifying the accuracy of the information submitted by their employees/partners/affilates/customers.The entire organisation is treates as a Sub-CA/RA. The organisation is given a digital certificate signed by TCS-CA to initiate the process of issuing Certificate to its employees/partners/affiliates/customers. The Sub-CA/RA in return request the issue of Digital Certificate of the organisaition from TCS-CA. The verification of details supplied with the request for a Digital Certificate is done by the organization appointed as a Sub-CA/RA under the TCS-CA Trust Network.
The certificate are legally valid under the Indian IT Act 2000.

Class-3 Certificate: They are issued to individual, companies, and government organisation. They can be used both for personal and commercial purpose. They are typically used for electronic commerce applications such as electronic banking, electronic data interchage (EDI), and membership-based online services, where security is a major concern.
During the verification you need to be physically present before a Registration Authority (RA), qualified by TCS-cA due to their neutrality and reliability. These validation procedure provides stronger assurance of an applicant’s identity.

Advertisements

Posted in Digital Certificate, Digital Signature | Tagged: , | 1 Comment »

FAQs of Controller of Certificate Authorty

Posted by Ravi shankar on March 3, 2009

Source: http://cca.gov.in/rw/pages/faqs.en.do#igetadigitalsignaturecertificate

How do I get a Digital Signature Certificate?
The Office of Controller of Certifying Authorities (CCA), issues Certificate only to Certifying Authorities.CA issue Digital Signature Certificate to end-user. You can approach any one of the seven CAs for getting Digital Signature Certificate. The website addresses are given below.
a. http://www.safescrypt.com
b. http://www.nic.in
c. http://www.idrbtca.org.in
d. http://www.tcs-ca.tcs.co.in
e. http://www.mtnltrustline.com
f. http://www.icert.gov.in
g. http://www.e-Mudhra.com
h. http://www.ncodesolutions.com

Who are the CAs licensed by the CCA?
a. Safescrypt
b. NIC
c. IDRBT
d. TCS
e. MtnlTrustline
f. iCertCA
g. e-MudhraCA
h. GNFC

What is the function of the Root certificate?
The RCAI Root certificate is the highest level of certification in India. It is used to sign the public keys of the Licensed CAs in India. The RCAI root certificate is a self-signed certificate.

Where do I get CCAs Root Certificate?
CCAs Root certificate can be downloaded from CCAs web site cca.gov.in

Is Root Certificate free?
Yes, it can be downloaded from CCA website.

What are the different classes of Digital Signature Certificates?
In addition to four classes of certificates given below, the Certifying Authority may issue more classes of Public Key Certificates, but these must be explicitly defined including the purpose for which each class is used and the verification methods underlying the issuance of the certificate. The suggested four classes are the following :-
Class 0 Certificate: This certificate shall be issued only for demonstration/ test purposes.
Class 1 Certificate: Class 1 certificates shall be issued to individuals/private subscribers. These certificates will confirm that user’s name (or alias) and E-mail address form an unambiguous subject within the Certifying Authorities database.
Class 2 Certificate: These certificates will be issued for both business personnel and private individuals use. These certificates will confirm that the information in the application provided by the subscriber does not conflict with the information in well-recognized consumer databases.
Class 3 Certificate: This certificate will be issued to individuals as well as organizations. As these are high assurance certificates, primarily intended for e-commerce applications, they shall be issued to individuals only on their personal (physical) appearance before the Certifying Authorities.

Does a person require multiple Digital Signatures Certificates for different places or organizations
It is not mandatory. However, certificates could be issued for different purposes to the same individual. e.g. by the bank where the individual has an account, by the government to the individual as a citizen etc.

How does cross-border inter-operability work in relation to digital signatures?
Clearly, all certificates, not to mention technology applications, cannot and would not be issued by a single CA. Multiple CA’s do and must exist. Inter operability between CAs- national and cross-border – has been addressed as Cross Certification. As per Information Technology (Certifying Authority) Rules, 2000
The licensed CA shall have arrangement for cross certification with other licensed CAs within India, which shall be submitted to the Controller before the commencement of their operations as per rule 20. Disputes arising as a result of such arrangements shall be submitted to CCA, India for arbitration or resolution.
The arrangement for cross certification by the licensed CA with a foreign CA along with the application shall be submitted to CCA, India. The licensed CA shall not commence cross certification operations unless it has obtained the written or digital signature approval from CCA, India.

How often is auditing done? (Auditing Cycle Period)? Whether it is continuous process?
Yes, auditing is a continuous process. According to the Rules under the IT Act 2000.
a. The CA shall get its operations audited annually by an auditor and such audit shall include security policy and planning, physical security, technology evaluation, CA’s services administration, compliance to CPS, contracts/agreements, regulation prescribed by CCA, policy requirement of CA Rules, 2000.
The CA shall conduct –
b. half yearly internal audit of security policy, physical security and planning of its operation,

What types of measures are being executed by CCA for licensing a CA?
Detailed information, financial, technical and procedural is obtained from the CA as part of the application for license . These are examined and audited. Additionally, the following are done: – Supervision of activities of CAs. – Auditing of CPS – Auditing Hardware/Software – Certifying public key of CA. – Laying down standards to be maintained by CAs to ensure continues compliance to the requirements of the IT ACT 2000

What is CPS?
CPS (Certification Practice Statement): A statement of the practices, which a certification authority employs in issuing and managing certificates. A CPS may take the form of a declaration by the CA of the details of its trustworthy system and the practices it employs in its operations and in support of issuance of a certificate. General CPS framework is given in the guidelines.

Whether CPS differs for one CA to another CA?
Yes

What is the legal sanctity of a certificate issued by outside CA (CA of a foreign country)?
The sanctity of such a certificate will be as per the agreement between outside CA and a licensed CA in India. Such an agreement has to be approved by the CCA.

Can CA have sub CA? Or can there be a concept of root CA, CA and sub CA?
No. As per IT Act, 2000 there is no provision of a sub CA. All CAs must be granted license by CCA, India. In case of any dispute, the CA licensed by CCA will be answerable.

If a person is transferred from one post to another (say in govt. department), the digital signature will also change (yes/no)? Please explain?
Yes. On moving from one department to another, if the procedures in place so demand, then the existing certificate will be revoked and a new one issued. In any case, the digital signature generated is different each time, even if the same key has been used.

In what format the public key should be given to CA for certification?
In PKCS #10 format

In paper world, date and the place where the paper has been signed is recorded and court proceedings are followed on that basis. What mechanism is being followed for dispute settlements in the case of digital signatures?
Under the IT Act, 2000 Digital Signatures are at par with hand written signatures. Therefore, similar court proceedings will be followed.

What is the extent of liability of a CA in case of anti-national activities performed by a subscriber using digital signature and secure encrypted communication?
CA has no liability, since CA is only facilitating end-to-end secure communication using digital signature.

Can a person have two digital signatures say one for official use and other one for personal use?
Yes.

One can sign a paper without the knowledge of a signer. Is it possible in digital signature also?
It depends upon the how the subscriber has kept his private keys. If private key is not stored securely, then it can be misused without the knowledge of the owner of the private key.

Is there a “Specimen Digital Signature” like paper signature?
No. The Digital signature changes with content of the message.

Can digital signature be employed in wireless network?
Yes

Does one require multiple certificates for different banks?
Ideally, not within the same class.

What is the difference between RA(Registration Authority) and CA(Certifying Authority)?
RA interacts with the subscribers for providing CA services. The RA is subsumed in the CA, which takes total responsibility for all actions of the RA.

If somebody uses others computer, instead of his own computer, then is there any possibility of threat to the security of the owners/users digital signature?
No, there is no threat to the security of the owner / users digital signature, if the private key lies on the smartcard /crypto token and does not leave the SmartCard/cryptotoken.

Does CCA enforce Disaster Recovery Centre for CAs?
Yes, it is a mandatory requirement under IT Act 2000

If CA is out of business then if the subscriber is told to move to another CA then the subscriber has to get a new digital certificate. What happens to his/her earlier transactions ? Does this not create a legal and financial problem?
Prior to cessation of operations the CA has to follow procedures as laid down under the IT Act. Such problems should not therefore exist.

When you cancel an earlier communication you can get it back, how does this work in e-environment?
A new message saying that the current message supersedes the earlier one can be sent to the recipient(s). This assumes that  all messages are  time stamped

Posted in Cyber Crime, Cyber Law, Digital Certificate | Tagged: , , | Leave a Comment »

Evolution of Cyber Crime

Posted by Ravi shankar on March 2, 2009

Cyber crime can involve criminal activities that are traditional in nature, such as theft, fraud, forgery, defamation and mischief. The new age crimes such as hacking, web defacement, cybe stalking, web jacking etc.

Cyber crime is a unlawful acts wherin the computer is either a tool or a target or both.

The computer includes the laptop, desktop, PDA, cell phones, watches, car and host of gadgets.

The prominent types of Cyber Crime such as :

FInancial Crimes, Cyber Pornography, Sale of Illegal Articles, Online gambling, Intellectual Property Crimes, Email Spoofing, Forgery, Cyber Defamation, Cyber stalking, Web defacement, Email bombing, Data diddling, DOS attack, Virus.Worm Attacks, Internet Time Theft, Web Jacking, Email Frauds, Cyber Terrorism.

Financial Crimes: include cyber cheating, credit card frauds, money laundering, hacking into bank servers, computer manipulation, accounting scams etc.

Cyber POrnography: It covers pornographic websites, pornographic magazines produced using the computer and the internet to download and transmit pornographic pictures, photos, writings etc.

Sales of Illegal Articles: Cases where the sales of illegal articles such as narcotics drugs, weapons, wildlife etc is being facilitated by the internet, Information about the availability of the product fro the sale is being posted on auction websitesm, bullitien boards etc.

Online gambling: Websites offering online gambling. It is legal in some countries. But when a person residing in a foreign country like india(where such websote is illegal) gamles is a legal issue.

Intellectual Property Crimes: These includes software piracy, copyright infringement, trademarks violations, theft of computer source codes etc.

Email Spoofing: A spoofed email is the one that appear to originate from one source but actually has been sent from another source.

Forgery: Counterfit currency notes, postage and revenue stamps, mark sheets ,academic certificate, etc are made by criminals using sophisticated computer , printers and scanners.

Cyber defamation: It takes place with the help of computer and or internet. The information published in the website or email sent to defame targetting an individual or an organisation.

Cyber stalking: It refers to use of the internet, email , or other electronics communications devices to stalk another person. Stalking invloves harassing, or threatening behaviour that an individual is engaged in repeatedly. Stalking laws requires that the perpetrator make a credible threat of violence against the victim; other includes threat against the victim’s immediate family.

Email Bombing: It refers to sending a large number of emails to the victim resulting in the victims email account or mail server to crashing. It is a type of DOS attack in which flood of information requests is sent to a server, bringing the system to knees and making the server difficult to access.

Data diddling: It is a illegal or unauthorised data alteration. These changes can occur before and during data input or before output.It has affected banks, payrolls, inventory records, credit records, school trnascripts and virtually all other form of data processing know.

Salami Attack: These attacks are used for committing financial crimes. The key here is to make alteration so insignifacant that in a single case it would go completely unnoticed. The attack is called salami attack as it is analogous to slicing the data thinly ,like a salami. For instance the bank employee inserts a program into the bank server that detects a small amount (Rs.2 a month) from the account of every customer. No account holder will probably notice this unauthorised debit, but the bank employee make a sizeable amount of money.

Denial of Service Attack: DOS Attack involve flooding a computer with more request that it can handle. This causes the computer to crash and result in authorized users being unable to access the service offered by the computer. In Distributed Denial of service attack (DDoS) wherin the perpetrators are many and are geographically widespread.

Virus/Worm Attack: Computer viruses are small software programs that are designed to spread from one computer to another and to interfere with computer operation. A virus might corrupt or delete data on the victims computer, use the victims email program to spread itself to other computers, or even erase everything on the victim’s hard disk. Viruses are easily spread through email attachement or instant messages. Viruses can be disguised as attachments of
funny images, greeting cards, or audio and video files.
Worms unlike the viruses do not need the host to attach themselves. They merely make functional copies of themselves and do this repeatedly till they bring the system or a application to halt.

Trojans and Keyloggers: A Trojan is a unauthorized program which functions from inside what seems to be an authorised program, theryby concealing what it is actually doing. It performs undisclosed malicious functions that allow unauthorized access to the host machine, giving them the ability to save files on the users computer or even watch the users screen and control the computer.
Keyloggers: They are regularly used were to log all the strokes a victim makes on the keyboard. They are most commonly found in public computer such as cyber cafe, hotels etc.

Internet Time theft: This connotes the usage by an unauthorized person of the internet hours paid for by another person.

Web jacking: Web Jacking means forcefully taking over the control of the website (by cracking the password and later changing it). The actual owner of the website does not have any more control over what appears on the website.
There are many ways in which a hacker may get to know a password, the most common being the password cracking wherin the cracking software is used to guess a password. Password cracking attacks are most commonly of two types: The dictionary attack where the software will attempt all the word contained in a predefined dictionary of words. The other form is using the ‘Brute Force’. In this attack the software tries to guess the password by trying all possible combination of numbers, symbols, letters till the correct password is found.

Email frauds: or Phishing or Brand spoofing as it is called used fraudulent email messages and websites that look like they are from a legitimate company such as bank, credit card company, online retailer or government agencies. The Email you receive may look real with the company logos and branding but you may actually receive the spam or mass email from criminal.

Computer Terrorism: (Defination by Asian School of cyber Law) Cyber terrorism is the premediated use of disruptive activities or the  threat thereof, in cyber space, with the intention to further social, ideological , religious, political or similar objectivies, or to intimidate any person in furtherance of such activities.

The information is with reference to the website: http://www.asianlaws.org

Posted in Cyber Crime, Cyber Law | Tagged: , , , , , , , , , , , , , , , , , | Leave a Comment »

Introduction to Cyber Law

Posted by Ravi shankar on March 2, 2009

Cyber Law is a law governing cyber space. Cyber space is a very wide term and includes computer, networks, software, data storage devices (such as hard disks, USB disk etc), the Internet, websites, emails and even electronics devices such as cell phones, ATM machines etc.

Cyber law enforces the law relating to :
Cyber Crime, Electronics and Digital Signatures, Intellectual Property and Data Protection & Privacy.

Cyber Crime: The unlawful acts where the computer is used either as a tool or as a target or both. Ex: Crime incident in the ecommerce, online share trading.

Electronics Signatures: are used to authenticate electronic records. Digital signature are one type of electronic signature. Digital signatures statisfy three major legal requirements: Signer authentication , Message authentication and message integrity.

Some law covered in Cyber Law are:

Copyright Law: In relation to computer software, computer source codes, cell phone content etc.

Software and Source licences

Trademark law: With relation to domain name, meta tags, mirroring, framing, linking etc.

Patent Law: In relation to computer hardware and software.

Data protection and Privacy: The law aims to achieve a fair balance between the privacy rights of a individual and the interest of data controller.

This piece of information is from the resources in Asian School of Cyber Law website

http://www.asianlaws.org/index.htm

Posted in Cyber Law | Tagged: , | Leave a Comment »

IPS: Next generation IDS

Posted by Ravi shankar on March 2, 2009

An IPS offers the ability to identify an intrusion, relevance, impact, direction and proper analysis of an event and then pass the appropriate information and commands to the firewalls, switches and other network devices to mitigate the event’s risk.
The key technical components of IPS include the marriage of global and local host controls, IDS, global and local security policy, risk management software and globally accessible consoles for managing IPS.

An IPS is the next security layer to be introduced that combines the protection of firewall with the monitoring ability of an IDS to protect our network with the analysis necessary to make the proper decision on the fly.

IDS started the overall protection by first protecting host(HIDS), then network (NIDS). First and second generation IDS currently protects our network by identifying the threats. IDS provides real time alerts and reports. They cannot provide the necessary intelligence to notify all the network components downstream and upstream from the point of identification. This is where the IPS becomes the part of overall layered approach to security. IPS gathers all network information and make determination of the threat, then notify all other devices of those findings. Upstream providers can notify the downstream customers of possible attacks before or during the events as that malicious attempts arrives and vice versa.
Although IPS are actually the next generaton IDS, there will always be a need to keep those seperate technologies. Security devices must remain seperate to allow depth in overall protection; thus , firewall will need IDS and the network will need IPS. Each techology is bound to each other with the dependencies that will not disappear.

IPS has all the features of a good IDS, but can also stop malacious traffic from invading the enterprise. Unlike an IDS, an IPS sits inline with traffic flow on a network, actively shutting down attempted attacks as they are sent over the wire. It can stop the attack by terminating the network connection or user session originating the attack, by blocking access to traget from the user account, IP address or other attributes assocaited with that attacker, or by blocking all access to the targetted host, services, or application.

Posted in IDS/IPS | Tagged: | Leave a Comment »

Location of IDS in the network

Posted by Ravi shankar on March 2, 2009

In Intrusion detection, the components are general purpose components and may vary in terms of the processing of data that they collect. There are events correlation mechanism and attack signature database in the heart of each IDS. These components are used to distinguish IDSes from network monitor. The event correlation mechanism are either arranged as a filter that works by the matching packets contents with the known attack pattern, or operate in a somewhat more sophisticated intelligent manner, detecting network abnormalities and abuse.
This is nearly always a utility or sensor that operates in promiscuous mode. This mode name implies that the network card “listens” to all packets being sent in so called collision domain. This means that this group of packets does not include the audit file processing system that are associated with their work, that resides on the server.
When deploying either distributed or centralized IDS attention should be paid to follow the same guidelines as those used by experts who are responsible for installing the sensor being guided by the common sense and well thought out and balanced security policy.

To attempt to consider a suitable location for the distributed IDS engine, the first decision that must be made is to configure the computer to accomodate the IDS application. The workstation to install an IDS on, should be hidden to make it difficult for intruder to trace. The trick is that one should configure the system so that it should not respond to any incoming packets. In addition one should protect the system by adding  firewall to the computer. An IDS should reside in a collision domain, which means all the device within such a domain should have same address called the broadcast address and must not be isolated by switches. The IDS will perform perform well if it is within the same domain as the firewall. This is particulary important where large private network are concernes.

Designers started to develop system with arrayed sensor. Such sensor can be installed throughout a private network on the server and client workstation to collect and redirect information to the selected central location where the information is processed in accordance with the preestablished rules. The potential intruders who either manages to get inside a private network or who will attack from inside may deduct on seeing large number of checking packets directed towars a single address, that this network host an IDS. It may also detect the IDS and freeze its acitivty. It is therefore considerably important to provide security criticical points with a traditional solution ie. to tie a seperate undetectable workstation having a local IDS into the network.

An IDS-Firewall Interaction:

A IDS excels at detecting break in events, so it is complimentary to firewall to possibly reconfigure the firewall rules. The advantage is obvious- a successful intruder who had used a system flaw to penetrate the network may be automatically blocked at the firewall. Different opinion exist on where an IDS has to sit-ie. upstream or downstream from the firewall. But it is a secondary matter, as even if the firewall is placed behind the firewall and will not audit all incoming packets, the firewall itself may be taken over its activity by registering suspicious packets. The only problem may appear with the event correlation, since a certain portion of the unwanted packets may get inside the network whilst another portion may be blocked by the firewall. Frequently the IDS and Firewall is installed on the same machine.

A simple trap to catch the intruder:
There are two IDS devices: one sits between a perimeter router and firewall and another inside the network trap. The first firewall’s task is to detect an attack and reconfigure the firewall rules so that each packet being sent by a potential intruder will be securely traped. Here another IDS watches intuder activities and collects the proof for further analysis or possible criminal prosecution. Naturally registering the intruder attempts is possible when a server residing on the network trap is attacked . A well configured IDS will remain invisible for him and will quickly and silently be able to identify what is going on.

Posted in IDS/IPS | Tagged: | 1 Comment »

Intrusion Detection System

Posted by Ravi shankar on March 2, 2009

Intrusion Detection System:

IDS is a software or hardware designed to detect unwanted attempts at accessing, manipulating and/or disabling of computer system, mainly through the network.  It is used to detect several types of malicious behaviour that can compromise the security and trust of the computer system. This includes the network attacks againts vulnerable services, data driven  attacked on the application, host based attacks such as privelege escalation, unauthorised login, access to sensitive files, and malware (viruses, trojan horses and worms).

An IDS is composed of several components:
-Sensor:    Which generates the security events
-Console:    To monitor events and alerts an control the sensor
-Central Engine:That records events logged by the sensor in a database and uses a system of rules to generate alerts from security events received.

There are several ways to categories an IDS depending on the type and location of the sensor and the methodology used by the engine to generate alerts. In many simple IDS implementation the three components are combined in a single device or appliances.

Types of IDS:

Network IDS (NIDS): It identifies the intrusion by examining network traffic and monitors multiple hosts. NIDS gain access to network traffic by connecting to a hub, network switch configured for port mirroring or network trap. Ex: SNORT

Protocol Based IDS (PIDS): The system is kept at the front end of the server, monitoring and analyzing the communication protocol between a connected device and server.
For Web Server this would typically monitor the HTTPS protocol stream and understand the HTTP protocol relative to the Web Server/system. When HTTPS is in use then this system would reside in the “shim” or interface between where HTTPS is un-encrypted and immediately prior to its entering the Web presentation layer.

Application Protocol baased IDS (APIDS): It consist of system or agent that would typically sit within a group of server, monitoring and analysing the communication on application specific protocol. For example: In a Web Server with a database this would monitor the SQL protocol specific to the middleware/business logic as it transacts with  the database.

Host based IDS (HIDS): It consisit of an agent on a host which identifies intrusion by analysing system calls, application logs, file system modification (binaries, passowrd files, capability /acl databases) and other host related activities and state. An example of a HIDS is OSSEC.

Hybrid IDS: It combined two or more approaches. Host agend data is combined with the network information to form a comprehensive view of the network. An example of Hybrid IDS is Prelude.

Passive system vs Reactive system:

In Passive system the IDS sensor detects a potential breach, logs information and signals an alerts on the console and or owner. In Reactive system also know as IPS (Intrusion Prevention System) , the IDS responds to suspicious activity by resetting the connection or reprogramming the firewall to block network traffic from the malacious sources. This can happen automatically or by the command of the operator.

A system which terminates connection is called an IPS and is another form of application layer firewall. The term IDPS is commonly used to refer to hybrid security system that both detect and prevent.

IDS uses one the two detection techniques: Statistical anomaly based and/or Signature based

Statistical anomaly based IDS: A statistical anomaly based IDS establishes a performance baseline based on normal network traffic evaluation. It will then sample traffic activity to this baseline in order to detect whether or not it is within baseline parameter. If the sampled traffic is not within the baseline parameter an alarm will be triggered.

Signature based IDS: Network traffic is examined for preconfigured and predetermined attacks pattern know as signature. Many attacks today have distinct signature. In good security practice, a collection of these signature must be constantly updated to mitigate emerging threats.

Free IDS:
Snort, Endian Firewall, Untangle, Bro NIDS, Prelude Hybrid IDS, Osiris HIDS, OSSEC HIDS, Flowmatrix

Professional IDS:
Sourcefire

Posted in IDS/IPS | Tagged: , | 1 Comment »