Sunday, 3 February 2013

Symmetric and Asymmetric Encryption Algorithm


Symmetric cryptography uses the same secret key to encrypt and decrypt data, whereas asymmetric cryptography uses a key pair: a public key and a private key. Symmetric encryption requires that the secret key be known to both the party encrypting the data and the party decrypting it. Asymmetric encryption lets you distribute your public key to anyone; they can encrypt the data they want to send you with it, and only the holder of the matching private key can decrypt it.

Let us see which one is faster!

Let us compare their performance by timing how long each takes to encrypt files of 100MB, 200MB, 300MB, 400MB and 500MB.

We use the following command to create a file of 100MB:

jothis@jothis:~/Openssl$ dd if=/dev/zero of=100mb bs=1MB count=100
100+0 records in
100+0 records out
100000000 bytes (100 MB) copied, 0.373584 s, 268 MB/s

Similarly we can create a file of 200MB:

jothis@jothis:~/Openssl$ dd if=/dev/zero of=200mb bs=1MB count=200
200+0 records in
200+0 records out
200000000 bytes (200 MB) copied, 2.06894 s, 96.7 MB/s



Time taken for Symmetric encryption

jothis@jothis:~/Openssl$ time openssl enc -aes-256-cbc -in 200mb -out 200mb.enc -pass pass:hello

real    0m2.282s
user    0m1.224s
sys    0m0.272s


For asymmetric encryption we need a key pair. The command below generates a 2048-bit RSA private key (privatekey.pem) and a self-signed certificate containing the matching public key (publickey.pem); openssl smime uses that certificate as the recipient's key.

jothis@jothis:~/Openssl$ openssl req -x509 -nodes -days 100000 -newkey rsa:2048 -keyout privatekey.pem -out publickey.pem

Time taken by asymmetric encryption

jothis@jothis:~/Openssl$ time openssl smime -encrypt -aes256 -in 200mb -binary -outform DER -out 200mbasym.enc publickey.pem

real    0m4.080s
user    0m1.496s
sys    0m0.588s



Similarly we can measure the time taken by each method for files of 100MB, 300MB, and so on.

Let us plot the time taken by both methods. We use gnuplot to draw the graph on Ubuntu.

To install gnuplot

sudo apt-get install gnuplot

To plot the graph we write the time taken by each method to two separate files, "symmetric.txt" and "asymmetric.txt", with the file size in the first column and the time in the second.

We use the following commands inside gnuplot to plot the graph:

gnuplot> set xlabel "Time(ms)"
gnuplot> set ylabel "File size(mb)"
gnuplot> plot "symmetric.txt" using 2:1 with lines title "Symmetric encryption", "asymmetric.txt" using 2:1 with lines title "Asymmetric encryption"
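The whole procedure above (create the zero-filled test files, time both OpenSSL commands, write the two data files that gnuplot reads) as one Python script. This is an added example, not the post's own code; it assumes the openssl binary is on PATH and that publickey.pem was produced by the openssl req command shown earlier (the script creates one if it is missing). File sizes follow dd's convention of 1MB = 1,000,000 bytes.

```python
"""Benchmark openssl enc (symmetric) against openssl smime (asymmetric).

Added example, not code from the original post. Writes symmetric.txt and
asymmetric.txt as "size_mb seconds" rows so that gnuplot's `using 2:1`
puts time on the x axis and file size on the y axis, as in the post.
"""
import os
import shutil
import subprocess
import time

SIZES_MB = [100, 200, 300, 400, 500]   # the file sizes compared in the post
MB = 1_000_000                          # dd's "MB" is 10^6 bytes, not 2^20


def make_zero_file(path, size_mb):
    """Equivalent of `dd if=/dev/zero of=path bs=1MB count=size_mb`."""
    chunk = b"\0" * MB
    with open(path, "wb") as f:
        for _ in range(size_mb):
            f.write(chunk)
    return os.path.getsize(path)


def symmetric_cmd(infile, outfile, password="hello"):
    """openssl enc with AES-256-CBC; the key is derived from the passphrase."""
    return ["openssl", "enc", "-aes-256-cbc", "-in", infile, "-out", outfile,
            "-pass", "pass:" + password]


def asymmetric_cmd(infile, outfile, cert="publickey.pem"):
    """openssl smime -encrypt: the data is encrypted with a random AES-256 key
    and only that key is encrypted with the RSA public key in the certificate."""
    return ["openssl", "smime", "-encrypt", "-aes256", "-in", infile, "-binary",
            "-outform", "DER", "-out", outfile, cert]


def timed_run(cmd):
    """Run cmd and return wall-clock seconds (what the 'real' line of time shows)."""
    start = time.perf_counter()
    subprocess.run(cmd, check=True)
    return time.perf_counter() - start


def gnuplot_rows(results):
    """Format [(size_mb, seconds), ...] as 'size seconds' lines for gnuplot."""
    return "".join(f"{size} {secs:.3f}\n" for size, secs in results)


def benchmark(sizes=SIZES_MB, workdir="."):
    """Time both commands for every size; returns (symmetric, asymmetric) rows."""
    sym, asym = [], []
    for size in sizes:
        src = os.path.join(workdir, f"{size}mb")
        make_zero_file(src, size)
        sym.append((size, timed_run(symmetric_cmd(src, src + ".enc"))))
        asym.append((size, timed_run(asymmetric_cmd(src, src + "asym.enc"))))
    with open(os.path.join(workdir, "symmetric.txt"), "w") as f:
        f.write(gnuplot_rows(sym))
    with open(os.path.join(workdir, "asymmetric.txt"), "w") as f:
        f.write(gnuplot_rows(asym))
    return sym, asym


if __name__ == "__main__":
    if shutil.which("openssl") is None:
        raise SystemExit("openssl not found on PATH")
    if not os.path.exists("publickey.pem"):
        # same key generation as the post, with a fixed subject so it runs unattended
        subprocess.run(["openssl", "req", "-x509", "-nodes", "-days", "100000",
                        "-newkey", "rsa:2048", "-keyout", "privatekey.pem",
                        "-out", "publickey.pem", "-subj", "/CN=benchmark"],
                       check=True)
    for (size, s), (_, a) in zip(*benchmark()):
        print(f"{size} MB: symmetric {s:.3f}s  asymmetric {a:.3f}s")
```

Run it in the directory holding publickey.pem, then load symmetric.txt and asymmetric.txt with the plot command above. Timing with perf_counter around the subprocess includes process start-up, so very small files will be dominated by that overhead; the sizes used in the post are large enough for the encryption itself to dominate.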




So we can conclude that symmetric encryption is faster than asymmetric encryption. Note that openssl smime does not encrypt the whole file with RSA: it encrypts the data with a randomly generated AES-256 key and uses the RSA public key only to encrypt that key, so the extra time measured here is the overhead of this hybrid scheme. Encrypting bulk data directly with RSA is not practical at all.

Cryptographic Hash Function

A cryptographic hash function takes a message of any length as input and transforms it into a fixed-length output called a hash value, message digest, checksum or digital fingerprint.

Properties of Cryptographic hash function

1. A cryptographic hash function accepts a block of data of any size as input.
2. It produces a fixed-length output independent of the message size.
3. It behaves like a random function: the output reveals no pattern of the input.
4. Given a message digest, it is very difficult to recover a message that produces it.

MD5 and SHA (Secure Hash Algorithm) are examples of cryptographic hash functions.

[Screenshot: message digest produced by the MD5 hash function]

[Screenshot: message digest produced by the SHA hash function]

[Screenshot: message digest produced by the SHA hash function after changing a single character]

[Screenshot: message digest produced by the MD5 hash function after changing a single character]

We can see that the hash values generated by MD5 and SHA are completely different for the original and the modified message, even though only one character changed.
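The same experiment in Python's hashlib, as an added example that is not part of the original post: both messages are hashed with MD5, SHA-1 and SHA-256, and the number of digest bits that flip after the one-character change is counted. The two messages are constructed for this example.

```python
"""Digest a message and a one-character variant, and count how many digest
bits change. Added example; the messages below are constructed."""
import hashlib

# Constructed sample message and a copy with a single character changed ("dog" -> "dot").
ORIGINAL = b"The quick brown fox jumps over the lazy dog"
MODIFIED = b"The quick brown fox jumps over the lazy dot"


def digest_hex(algorithm, message):
    """Fixed-length hex digest of a message of any length (properties 1 and 2)."""
    return hashlib.new(algorithm, message).hexdigest()


def changed_bits(hex_a, hex_b):
    """Number of differing bits between two equal-length hex digests."""
    assert len(hex_a) == len(hex_b)
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def compare(algorithm, original, modified):
    """Digest both messages and report how many digest bits flipped (property 3:
    for a random-looking function roughly half of the bits should change)."""
    a = digest_hex(algorithm, original)
    b = digest_hex(algorithm, modified)
    return {"original": a, "modified": b,
            "flipped": changed_bits(a, b), "total": len(a) * 4}


if __name__ == "__main__":
    for alg in ("md5", "sha1", "sha256"):
        r = compare(alg, ORIGINAL, MODIFIED)
        print(f"{alg:7} {r['original']}")
        print(f"{'':7} {r['modified']}  ({r['flipped']}/{r['total']} bits changed)")
```

The avalanche effect shown here is a property all three functions still have. What MD5 and SHA-1 have lost is collision resistance: practical attacks produce two different inputs with the same digest, so for integrity checks and signatures the SHA-2 family (SHA-256 and up) should be used.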

Saturday, 2 February 2013

Top 10 Web Application Attacks

1. SQL Injection


SQL injection is a web application vulnerability in which an attacker submits input that the application passes to the database as part of a SQL command, exposing the back-end database.

How is SQL injection done?


Consider the SQL code that looks up the username and password in the users table. The query returns a row only if the name and password are valid.

[Screenshot: the login query]

Using the SQL injection shown below, an unauthorized user can view sensitive information.

[Screenshot: the injected input]

Since '0=0' is always true, the query returns a result, so an unauthorized user can see the information without giving the password.


How to prevent SQL Injection?


1. Remove unnecessary database users and stored procedures.
2. Parameterize the query variables (using PreparedStatement in Java).
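The login query built by string concatenation next to its parameterized form, run against an in-memory SQLite database. This is an added example and not the post's own code; the table, the two users and the injected input are constructed for it, and Python's sqlite3 placeholders play the role of Java's PreparedStatement.

```python
"""Vulnerable login query beside the parameterized version. Added example;
the users table and its rows are constructed."""
import sqlite3


def setup():
    """Constructed users table. Passwords are stored in clear only to mirror
    the post's query and keep the example short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def vulnerable_login(conn, name, password):
    """Deliberately vulnerable: user input is spliced into the SQL text, so a
    quote in the input ends the string literal and the rest becomes SQL."""
    query = ("SELECT name FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query)]


def safe_login(conn, name, password):
    """Parameterized query: the SQL text is fixed and the values are bound
    separately, so input can never change the structure of the WHERE clause."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


def demo():
    """Run a valid login and the tautology from the post through both versions."""
    conn = setup()
    # In the vulnerable query the password clause becomes  '' OR '0'='0'
    # which is true for every row, so every user is returned.
    injected = "' OR '0'='0"
    return {
        "legit_vulnerable": vulnerable_login(conn, "alice", "s3cret"),
        "legit_safe": safe_login(conn, "alice", "s3cret"),
        "injected_vulnerable": vulnerable_login(conn, "alice", injected),
        "injected_safe": safe_login(conn, "alice", injected),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case:20} -> {rows}")
```

The parameterized version returns no rows for the injected input because the whole string, quotes included, is compared against the password column as data. Least privilege on the database account (point 1) limits what a successful injection elsewhere can reach; it does not replace parameterization.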



2. Cross Site Scripting (XSS)


XSS allows attackers to inject client-side script into web pages. By injecting malicious scripts into web pages, an attacker can gain access to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user.


How to prevent Cross Site Scripting?


It can be prevented by filtering and escaping. In filtering, external data is passed through a filter that removes dangerous content such as JavaScript commands, CSS styles and other dangerous HTML markup. In escaping, we tell the browser that the data we are sending should be treated as data and not interpreted in any other way.
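The escaping mechanism in code, as an added example that is not part of the original post: user-supplied text is escaped for the HTML context it lands in (text node or attribute value) before being placed in the page. The page fragment, the author name and the comment text are constructed for this example.

```python
"""Context-aware HTML escaping of user input. Added example; the markup and
the sample inputs are constructed."""
import html


def escape_text(s):
    """Escape for an HTML text node: & < > and quotes become entities, so the
    browser displays the characters instead of parsing them as markup."""
    return html.escape(s, quote=True)


def attr_value(s):
    """Escape for an attribute and return it already double-quoted, so a quote
    inside the input cannot close the attribute early."""
    return '"' + html.escape(s, quote=True) + '"'


def render_unsafe(author, comment):
    """Vulnerable: user-controlled strings are spliced straight into markup."""
    return '<p class="comment" title="' + author + '">' + comment + '</p>'


def render_safe(author, comment):
    """Each value is escaped for the context it is inserted into."""
    return ('<p class="comment" title=' + attr_value(author) + '>'
            + escape_text(comment) + '</p>')


# Constructed inputs: a comment carrying a script tag, an author name with quotes.
SAMPLE_AUTHOR = 'Bob "the builder"'
SAMPLE_COMMENT = '<script>alert(1)</script> nice post'


if __name__ == "__main__":
    print("unsafe:", render_unsafe(SAMPLE_AUTHOR, SAMPLE_COMMENT))
    print("safe:  ", render_safe(SAMPLE_AUTHOR, SAMPLE_COMMENT))
```

Escaping is preferred over filtering because a filter has to anticipate every dangerous construct, while escaping makes the whole value inert. It is still context specific: text inside a script block, a URL or a CSS value needs its own encoder, not the HTML one used here.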

3. Buffer Overflow Attack


Attackers exploit buffer overflows by supplying more data than a buffer can hold, so that the excess overwrites adjacent memory. It can cause a denial of service or remote command execution.

How to prevent Buffer Overflow?


Bounds checking within the application is one way of preventing buffer overflows.

4. Session Hijacking


Session hijacking is the exploitation of a valid session to gain unauthorized access to services on a computer system.

How to prevent Session Hijacking?


1. Match each request against the session's timestamp, IP address, etc.
2. Encrypt the data transferred between the two parties.
3. Use a long random number or string as the session key.
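A server-side session store applying measures 1 and 3 above, as an added example that is not part of the original post: a long random session key, binding of the session to the client's IP address, and a timestamp check that expires idle sessions. Encrypting the transport (measure 2) is the job of TLS and is not shown. The user names, IP addresses and time values are constructed for this example.

```python
"""Session store with random keys, IP binding and idle expiry. Added example;
users, addresses and clock values are constructed."""
import secrets
import time

SESSION_TTL = 15 * 60   # seconds a session may stay idle before it expires


class SessionStore:
    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock   # injectable so the demo can move time forward

    def create(self, user, client_ip):
        # 32 bytes from the OS CSPRNG -> 43-character URL-safe key; far too
        # large a space to guess or enumerate
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "ip": client_ip,
                               "last_seen": self._clock()}
        return sid

    def validate(self, sid, client_ip):
        """Return the user for a valid session, otherwise None (and drop it)."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if s["ip"] != client_ip or now - s["last_seen"] > SESSION_TTL:
            # a session key presented from another address, or a stale
            # session: invalidate it rather than let it be reused
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def demo():
    """Exercise the checks with a controllable clock."""
    now = [1_700_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    sid = store.create("alice", "10.0.0.5")
    results = {"key_length": len(sid),
               "same_ip": store.validate(sid, "10.0.0.5"),
               "other_ip": store.validate(sid, "203.0.113.9"),
               "unknown_key": store.validate("not-a-real-key", "10.0.0.5")}
    # the mismatch above destroyed the session, so the original client is logged out too
    results["after_mismatch"] = store.validate(sid, "10.0.0.5")
    sid2 = store.create("bob", "10.0.0.6")
    now[0] += SESSION_TTL + 1
    results["expired"] = store.validate(sid2, "10.0.0.6")
    return results


if __name__ == "__main__":
    for case, value in demo().items():
        print(f"{case:15} -> {value}")
</```

Binding to the IP address is a trade-off: users behind a changing NAT address or on mobile networks will be logged out when their address changes, so many sites bind to less volatile attributes or rely on the random key plus a short idle timeout instead.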


5. Source Code Disclosure


Here the attacker retrieves the source code of the web application. The code can then be studied for further loopholes in the application. This occurs because of poor application design.

How to prevent Source Code Disclosure?


1. Lock down the web server configuration.
2. Follow secure coding practices.

6. Retrieving "non web " Files


Here the attacker can access "non web" files on the application server, such as zip files, text files, backup files, etc.

How to prevent Retrieving "non web" Files?


One way to prevent this is to avoid the presence of such files in the web root. The administrator should also disable serving such files.

7. Directory Browsing


Here the attacker can retrieve a complete listing of the files within directories of the web server. This happens when the default document is missing and the server falls back to generating a directory listing.

How to prevent Directory browsing?


1. Lock down the web server configuration.
2. Disable serving of directory contents.

8. Denial Of Service


This attack makes a resource (site, application, server) unavailable for the purpose it was designed for. There are many ways to make a service unavailable to users: manipulating network packets, or exploiting programming, logic or resource-handling vulnerabilities. If a service receives a very large number of requests, it may stop serving legitimate users.


How to prevent Denial of Service?


1. Define a Maximum Segment Life: the maximum amount of time, in milliseconds, to wait for an ACK in reply to a SYN-ACK or FIN-ACK, so that half-open connections are dropped instead of accumulating.
2. Use a web application firewall, which inspects your HTTP traffic and checks the packets against rules so as to stop web applications from being exploited.


9. Server-Side Include (SSI) Injection

 
Here the attacker sends code to the web application that is later executed locally by the web server. This is done by injecting HTML, script or other executable code remotely.
 

How to prevent Server-Side-Include?

This can be prevented by validating the type and length of the input characters that the web server expects.


10. Cross-Site Request Forgery (CSRF)


Here the attacker tricks the victim into loading a page that contains a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an unwanted action.



How to prevent Cross-Site Request Forgery?


1. Add a secret token (hash) to URLs and all forms.
2. Check the Referer header of the client's HTTP request and reject requests that originate from other sites.
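Both measures as server-side checks, as an added example that is not part of the original post: the form token is an HMAC of the session id under a server secret, so a page on another site cannot compute it, and the Referer check rejects submissions that name a foreign host. The site name, the session id and the sample requests are constructed for this example.

```python
"""CSRF token generation and verification plus a Referer check. Added example;
the host name, session ids and requests are constructed."""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

OUR_HOST = "bank.example"                 # constructed site name
SERVER_SECRET = secrets.token_bytes(32)   # per-deployment secret, never sent to clients


def csrf_token(session_id):
    """Token = HMAC-SHA256(server secret, session id). Embedded in every form
    as a hidden field; another site knows neither the secret nor the session
    id (cookies are not readable cross-origin), so it cannot forge the token."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_valid(session_id, submitted):
    """Constant-time comparison so timing does not leak the expected token."""
    return hmac.compare_digest(csrf_token(session_id), submitted or "")


def referer_ok(referer):
    """Secondary check: a Referer naming another host is rejected. A missing
    Referer is tolerated because browsers and proxies often strip it; the
    token stays the primary defence."""
    if not referer:
        return True
    return urlsplit(referer).hostname == OUR_HOST


def accept_transfer(session_id, form_token, referer):
    """Gate for a state-changing request (for example a money transfer form)."""
    return token_valid(session_id, form_token) and referer_ok(referer)


def demo():
    """Legitimate submission versus constructed forged requests."""
    sid = "session-of-alice"   # constructed session id
    good_token = csrf_token(sid)
    return {
        # our own form, submitted from our own page
        "legit": accept_transfer(sid, good_token, "https://bank.example/transfer"),
        # forged request from another site: the token is unknown to it
        "forged_no_token": accept_transfer(sid, None, "https://evil.example/"),
        "forged_wrong_token": accept_transfer(sid, csrf_token("some-other-session"), None),
        # even a correct token is rejected when the Referer names a foreign host
        "cross_site_referer": accept_transfer(sid, good_token, "https://evil.example/"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:20} -> {'accepted' if ok else 'rejected'}")
```

Because the token is derived from the session id, it changes whenever the user gets a new session and needs no extra storage. Rotating SERVER_SECRET invalidates all outstanding forms, which is the expected behaviour after a suspected compromise.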