Security in Android apps

Falco Peijnenburg ( )
August 16, 2013

Abstract

Apps can be released on the Google Play store through the Google Developer Console. The Google Play store only allows apps that are signed by a private key owned by the developer. The developer is responsible for creating and maintaining their own certificate. Keys can be generated with the Keytool program. The generated keys are stored in a keystore file, which should be kept secret. A leak is, however, not immediately disastrous since the keystore is encrypted. The security of an Android installation package cannot be assured when there are two files in it with duplicate file names. Apps are restricted in their access and have to ask for explicit consent to access personal data. The permissions system that takes care of this can, however, be worked around in many ways.

1 Introduction

Android apps are written in Java. They are compiled to an Android Application Package File (APK). APK files contain compiled code and various other files, compressed in zip format. These APK files can be published over the Google Play store. After publishing an app, people can download and install it. Releasing apps on the Play store cannot be done without the necessary security measures, and once an app has been released it could pose a risk to the end user's privacy.

The next section describes how apps are released on the market. The third section details the application signing process. The fourth section describes how keys and certificates are managed. The fifth section takes a closer look at the privacy in apps and the last section concludes this paper.

2 Releasing apps on Google Play

To publish an app on the Google Play store, the developer needs access to the Developer Console. The Developer Console is a web-based set of tools that allows the developer to publish and monitor their apps. Once an app has been published, the Developer Console provides insight into the usage, reviews and crash reports. To publish one or more apps on the Play store, the developer is required to pay a one-time fee of $25 U.S. dollars (as of June 13th 2013) [8].

An app does not have to be released on the Play store. Besides the Play store there are various other (unofficial) markets from which an end user can install apps. The end user can even choose to install an app directly from a website or . Apps distributed by means other than the Google Play store have a higher risk of containing malicious code that could, for instance, send private data to advertisement companies. This is why Android does not allow the installation of apps from unknown sources by default. A simple toggle in the settings menu disables this restriction.

3 Application signing

Every published app needs to be signed. This is done with an asymmetric encryption algorithm. When building a debug version of the app, the signing is done automatically with a debug key. The public/private key pair of the debug key is stored in the Integrated Developer Environments (IDE) that allow the developer to create and build the application. This implies that the private debug key is publicly available. The debug key does not provide any security or verification. The only reason for it to exist is to facilitate the development process. After all, it can be cumbersome to have to sign every test build. The developer could also choose to create their own debug key.

Since debug keys prove no authenticity, the Developer Console does not allow developers to upload apps that are signed with them. Instead, the developer is required to create their own key pair and certificate. The certificate has to meet strict requirements [7]:

1. it has to be encrypted with either RSA or the ElGamal based Digital Signature Algorithm (DSA) [10]
2. the certificate has to be valid until at least 22 October
3. it has to represent the person or company that created it

A certificate that is valid for twenty years poses some risks. The chance of leaking the private key increases as it is used for a longer period of time. When it does get leaked, it could potentially be abused for a long time. From a security point of view it might be better to decrease the validity period of the certificate. However, each app has its release certificate permanently associated with it; it cannot be changed. The same certificate is used when an app is updated. The reason why the certificates are permanently associated with apps is to prevent a man in the middle from replacing the genuine app with a malicious one that is signed with a different private key. This way, end users will have to uninstall the app and install the version with the different certificate to get the malicious version, as the app cannot be installed as an update. Expired certificates are also not accepted, which means that apps cannot be updated after the expiry date of the certificate. This means there has to be a balance between the security of a certificate and its usability. Google advises a validity period of more than 25 years [7].

The certificate does not have to be verified by a certificate authority. This has several reasons. Registering a key with a certificate authority is a huge step that can significantly slow down the release process and thus be a deterrent for less experienced developers. A second reason is that the owner of a certificate is the developer's Google account that uploads the app to the Developer Console. The developer is trusted to be the only person or company that has access to the Google account. Consequently, each used certificate is trusted to be held by the developer. The third reason is that each released app has its certificate permanently linked to it. This means that apps cannot be updated even if someone were to get unauthorized access to a developer's Google account, since they would have to sign it with a key they do not possess.

4 Key management

The Google Play store uses the certificate of an app for its identification. The Play store will know when a new version of a previously published app is uploaded when the certificates (and package names) match. This means that the developer is in possession of one key pair for each app they publish. The Google Play store accepts any signed non-debug certificate. This implies that the developer has full responsibility over the security and validity of their certificates.

4.1 Generating keys

The developer of an app is responsible for generating the key pair and certificate. They can be generated with a program called keytool [13]. This is a command line based application that can be downloaded by the developer. The keytool provides a variety of features for generating keys and certificates. A public/private key pair can be generated by running the keytool with the -genkey parameter. To generate a key, the keytool needs the following information:

1. The asymmetric encryption algorithm (either RSA or DSA)
2. A human readable alias for the key pair (so it can be recognized)
3. The key length in bits
4. The signature algorithm. The signature is created by encrypting the hash of the certificate with the private key. The signature algorithm is a combination of a hash function (commonly MD5 or SHA1) with the chosen asymmetric encryption algorithm
5. The validity of the certificate in days
6. The file in which the certificate and keys will be stored
7. The password to (symmetrically) encrypt the file in which the keys and certificate are stored

The keytool creates a keystore file which stores the keys. A keystore is a database that can hold one or more key pairs and references to trusted certificates. The private key of each key pair is encrypted with a password. The password is human readable, usually with a very low entropy. Since it cannot be directly used as an encryption key, the password is hashed (with MD5 by default [12]). This hash is then used by the encryption algorithm (3DES by default), which encrypts the private key.

4.2 Attacks

Since the private keys in the keystore file are encrypted, leaking the keystore file will not have an immediate disastrous effect. However, an attacker could try to brute force the private keys. This can be done in two ways:

1. Hash generated passwords and try to decrypt the private key with the hash
2. Skip the passwords and enumerate all possible hashes

Both brute force methods have up- and downsides. Generating passwords and hashing them can be slow. Besides, it will take longer to iterate over the hash space, since several passwords can hash to the same digest. However, this method could get very quick results if the password is weak. After all, an intelligent brute force program tries the most common passwords first.

The other brute force method skips the hashing of passwords and attempts to crack the encryption immediately. This method can attempt more keys per second, since it requires less work. It is also complete: it can iterate over the entire key space without the chance of hitting duplicates. Assume 3DES with a key length of 168 bits. With a meet in the middle attack, the amount of required encryptions can be reduced to [11]. A brute force attack would have to try keys. A computer that can try one hundred billion keys per second would take , 000, 000, 000 seconds, which is about years. By that time the certificate will most likely have become invalid.

When the keystore has been cracked, the attacker will gain access to one or more private keys. These private keys can be used to sign a malicious version of the app. When installed, this app will replace the app from the original author, making it look like an update. The malicious version of the app can only be released to the Play store when the attacker also has the login credentials of the developer on the Developer Console. In this situation the developer is still not completely powerless. Once the developer finds out their private key was compromised, they can remove the app from the Play Store and upload a new version of the app that is signed with a different key.

5 The Bluebox attack

The certificate of an application contains a hash of the APK file. This hash is calculated with a function H. This hash is encrypted with the private key x of the developer. This is called the signature.

$$\mathrm{Signature} = \mathrm{Encr}_x(H(\mathrm{APK}))$$

During the installation this signature is verified with the public key y as follows:

$$\mathrm{Decr}_y(\mathrm{Signature}) = H(\mathrm{APK})$$

The installation is aborted when this assertion fails. The verification of the signature is required to assure the integrity of the package. A man in the middle is unable to modify the APK file since the hash of its content would differ from the one in the signature. Modifying an app in such a way that the hash fingerprints match is considered infeasible. Yet researchers at the Bluebox company have found a way to circumvent this security [3].

5.1 The exploit

The problem lies with the function that verifies the signature of an APK file (V) and the function that actually unpacks its contents (U). V is calculated by iterating over the files in the APK and running their contents through a hash algorithm H.

$$V:\ \mathrm{Decr}_y(\mathrm{Signature}) \stackrel{?}{=} H(\mathrm{file1} + \mathrm{file2} + \mathrm{file3} + \dots)$$

Someone with malicious intent could insert a malicious file in the APK package by using Google's APK tool and other zip tools. This malicious file has the exact same name as some other file in the APK. The signature of the APK file is left in, but will have become invalid as the APK was modified. However, due to a bug in V [2], only one of the two files is iterated over when calculating the hash. This means that the malicious file is skipped when calculating the hash. This (false) hash matches the one in the signature, causing the app to be considered valid.

U, on the other hand, is implemented in C [4]. Whereas V (implemented in Java) skips the malicious file and iterates over the genuine file, U finds the malicious file and skips the genuine file when unpacking. As a result, the malicious file is installed on the device while the original is discarded.
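The mismatch between V and U described above can be checked for from the defender's side. The following is an added example, not code from the paper or from Android: it builds two constructed archives in memory, shows that a "first entry wins" reader and a "last entry wins" reader hash different content for a duplicated name, and rejects any package with duplicate names. The two reader strategies and all function names are assumptions chosen for illustration; they are not claimed to match the actual Java and C implementations.

```python
import hashlib
import io
import warnings
import zipfile
from collections import Counter


def build_archive(entries):
    """Build an in-memory ZIP from (name, data) pairs, keeping duplicate names."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile only warns (UserWarning) when a name is written twice.
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


def entry_view(apk_bytes, keep="first"):
    """Map each entry name to the SHA-256 of the entry a reader would use.

    keep="first": the first entry with a given name wins (later ones skipped).
    keep="last":  a name-to-entry table where later entries overwrite earlier.
    Both strategies are hypothetical stand-ins for two independent parsers.
    """
    view = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():  # central-directory order, duplicates included
            if keep == "first" and info.filename in view:
                continue
            # Reading via the ZipInfo object selects this exact entry.
            view[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return view


def disagreeing_names(apk_bytes):
    """Names for which the two reader strategies would see different content."""
    first = entry_view(apk_bytes, "first")
    last = entry_view(apk_bytes, "last")
    return sorted(name for name in first if first[name] != last[name])


def duplicate_entry_names(apk_bytes):
    """Names that occur more than once in the archive."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return sorted(name for name, n in counts.items() if n > 1)


def accept_package(apk_bytes):
    """Gate to run before signature verification: refuse duplicate names."""
    dups = duplicate_entry_names(apk_bytes)
    if dups:
        raise ValueError("duplicate entry names: " + ", ".join(dups))
    return True


# Constructed sample data, not taken from any real app.
SAMPLE_CLEAN = build_archive([
    ("AndroidManifest.xml", b"<manifest/> (constructed)"),
    ("classes.dex", b"original bytecode (constructed)"),
])
SAMPLE_TAMPERED = build_archive([
    ("AndroidManifest.xml", b"<manifest/> (constructed)"),
    ("classes.dex", b"original bytecode (constructed)"),
    ("classes.dex", b"substituted bytecode (constructed)"),
])

if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("tampered", SAMPLE_TAMPERED)):
        print(label, "duplicates:", duplicate_entry_names(sample),
              "readers disagree on:", disagreeing_names(sample))
        try:
            accept_package(sample)
            print(label, "accepted")
        except ValueError as exc:
            print(label, "rejected:", exc)
```

Rejecting duplicate names outright, rather than trying to make both readers pick the same entry, removes the ambiguity that the signature check depends on.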
5.2 Consequences

With this exploit, a man in the middle can put malicious code in any APK file while tricking the Android device into thinking the signature is still valid. The malicious version of the app can be installed as an update to the genuine app, allowing malicious code to be run without being noticed by the end user.

This exploit can also be used to create a rootkit. The press release from Bluebox [3] shows a screenshot of a maliciously updated system app. The malicious version of the app inherits the root privileges that the original system app used to perform its tasks. Removal of this malicious software is easy now the exploit is known, but it would not have been if it remained unknown.

The most important lesson here is that certificates and signatures, even when considered cryptographically secure, can be rendered useless by an exploit in the code that uses them. The part of the APK file that Android checks against the certificate is indeed valid and signed by the owner of the certificate. The failure of verifying the entire APK file and the difference between U and V compromise the security that the certificates and signatures would otherwise provide.

6 Privacy in apps

Android devices often contain personal information, such as the phone number, contacts and other personal files. Android apps should not be able to retrieve any personal information without explicit consent of the end user. On the other hand, apps might need this personal information to perform the tasks they were designed for. For instance, a contacts manager app needs access to the contacts. For this purpose, Android has implemented a permissions system [5]. At the time of writing, there are 130 permissions [6]. They range from connecting to the internet to accessing the exact location through GPS.

6.1 Using functions that require permissions

Android provides an Application Programming Interface (API) that allows developers to make their app interact with the Android operating system. Many classes and methods in this API can be called without requiring any permissions. Some methods, however, do require one or more permissions before they can be called. One clear example is the TelephonyManager.getLine1Number() method, which returns a string that contains the phone number of the device running the app. To run this method, the app requires the READ_PHONE_STATE permission. When this method is called without this permission, a Java exception is thrown:

Figure 1: The exception that is thrown when trying to retrieve the phone number without permission

Leaving this exception uncaught will crash the app with just the error "Unfortunately, app name has stopped."
6.2 Getting permissions

Each app defines its permissions in an XML file called the Android Manifest. When using the Eclipse developer environment, privileges can be added through the user interface. Figure 6.2 on the next page shows how permissions are requested in the Android manifest file.
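As an added example (not from the original paper), the following shows what permission requests look like in a manifest and how a reviewer can list them and compare two versions of an app to see which permissions an update newly asks for. Both manifests are constructed samples, the package name com.example.demo and the function names are assumptions, and the code reads the plain-text source form of the manifest; the copy inside a built APK is stored as binary XML and has to be decoded first.

```python
import xml.etree.ElementTree as ET

# Namespace that Android manifests use for the android: attribute prefix.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Constructed sample: requests GPS location, phone state and flashlight.
MANIFEST_V1 = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo" android:versionCode="1">
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <uses-permission android:name="android.permission.FLASHLIGHT" />
    <application android:label="Demo" />
</manifest>
""".strip()

# Constructed sample of an update: drops one permission, adds two others.
MANIFEST_V2 = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo" android:versionCode="2">
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <application android:label="Demo" />
</manifest>
""".strip()


def requested_permissions(manifest_xml):
    """Return the set of permission names requested via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("not an Android manifest: root element is %r" % root.tag)
    names = set()
    for elem in root.iter("uses-permission"):
        name = elem.get(NAME_ATTR)
        if name:  # ignore malformed entries that carry no android:name
            names.add(name)
    return names


def permission_changes(old_manifest_xml, new_manifest_xml):
    """Compare two manifest versions; report added and removed permissions."""
    old = requested_permissions(old_manifest_xml)
    new = requested_permissions(new_manifest_xml)
    return {"added": sorted(new - old), "removed": sorted(old - new)}


if __name__ == "__main__":
    print("v1 requests:")
    for name in sorted(requested_permissions(MANIFEST_V1)):
        print("  " + name)
    changes = permission_changes(MANIFEST_V1, MANIFEST_V2)
    print("update adds:   ", changes["added"])
    print("update removes:", changes["removed"])
```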

Figure 2: Requesting permissions for GPS location, reading phone information and enabling the flashlight

Before installing an app, the user is warned about the permissions it requests. The user has to explicitly grant these permissions. Once the app has been installed, it does not ask for the permissions again unless an update of the app requires new permissions.

6.3 Problems with permissions

There are several major problems with the permissions system. Many of these problems hurt usability; other problems allow apps to bypass the permissions system altogether. Here follows an incomplete, yet revealing list of problems the permissions system has:

Not clear: It is not unusual for an app to request a dozen permissions. In many cases, apps ask for permissions that look suspicious, but are, in the end, used for genuine purposes. One example is the Guardian live news app [9], which requires the permission to find social network accounts on the device. This information could be sent to a server to be stored or even sold to governments or advertisement companies. However, it actually uses this permission to allow users to share articles with their friends and family on social networks. Some developers explain their use of permissions in the description of the app. Some (like the Guardian) explain it on their website. Nevertheless, even with an explanation the end user has to trust the developer not to abuse these permissions.

Often ignored: The average end user cares about privacy as long as it is not their responsibility to maintain it. Permissions are often granted without scrutiny, partially because of the first problem, but also because it takes effort to take a closer look at the permissions an app uses. The Google Play store is designed to be able to install an app within seconds. This is why accepting the permissions is but one extra click. End users are not encouraged to mind their privacy when installing apps.

New permissions in an update: Popular app developers can afford to release an update that asks for more permissions. Sometimes these permissions are needed for newly implemented features, but these new permissions can also be abused. The latter situation confronts the end users (who notice) with a dilemma. They could either continue using their app with a risk or uninstall the app and lose the functionality it provided. Since losing the functionality is immediately noticeable, taking the risk is often the preferred choice. There is however a third choice: there are apps on the market that can restrict individual permissions of other apps. The problem with these apps is that they require administrator access (root) to the device, which, depending on the device, can be difficult to obtain.

Privilege escalation attack: There are ways for apps to get personal information without requiring the permissions. This is called a privilege escalation attack. One way to do this is to send a malicious message to an app that does have permissions to pry out a response from it that contains personal information (as described in [1]). Another way is to find an exploit in the Android operating system to gain access to the root user. One example is the Bluebox attack. The root user is the user account that has full access to the device. An app that gains access to this root account is called a rootkit. A rootkit can not only gather any information from the device without the user noticing, it can also hide itself from the user and make itself nearly impossible to remove.

7 Conclusion

Android apps can be published over the Google Play Store or through other means. When publishing through the Play store, the app needs to be signed. The certificate is to be created by the developer, but has to meet specific demands about encryption, validity and ownership. Certificates do not need to be verified by a certificate authority. The key pair and certificate can be generated with the Keytool program, which stores them in a Keystore file on the developer's computer. The responsibility lies with the developer to keep this Keystore file secret and secure. An attacker could pose as the developer and update the app once they are in possession of the private key. When not in possession of the private key, the attacker could perform a Bluebox attack to modify an APK file without needing to change the signature.

Ideally, apps cannot access personal information from the owner of the device on which they are installed. When such access is needed to provide functionality, the app will ask for permission before installation. These permission requests are, however, often ignored. On top of that there are exploits that bypass the permissions system altogether. End users are encouraged to always be alert for suspicious apps.

References

[1] K. Casteel, O. Derby, and D. Wilson. Exploiting common intent vulnerabilities in android applications. December
[2] G. Condra. Remove support for duplicate file entries. February
[3] J. Forristal. Uncovering android master key that makes 99 July
[4] J. Freeman. Exploit (& fix) android master key. July
[5] Google. Permissions. June
[6] Google. Manifest.permission. June
[7] Google. Signing in release mode. June
[8] Google. Google play developer console. June
[9] T. Grinsted. Guardian android app: being open about permissions. April
[10] D. W. Kravitz. Digital signature algorithm, July US Patent 5,231,668.
[11] S. Moore. Meet-in-the-middle attacks. November
[12] Oracle. Java TM cryptography architecture sun providers documentation
[13] Oracle. Keytool man page. Oracle,


Enabling SSL and Client Certificates on the SAP J2EE Engine Enabling SSL and Client Certificates on the SAP J2EE Engine Angel Dichev RIG, SAP Labs SAP AG 1 Learning Objectives As a result of this session, you will be able to: Understand the different SAP J2EE Engine

More information

Dashlane Security Whitepaper

Dashlane Security Whitepaper Dashlane Security Whitepaper November 2014 Protection of User Data in Dashlane Protection of User Data in Dashlane relies on 3 separate secrets: The User Master Password Never stored locally nor remotely.

More information

Security Goals Services

Security Goals Services 1 2 Lecture #8 2008 Freedom from danger, risk, etc.; safety. Something that secures or makes safe; protection; defense. Precautions taken to guard against crime, attack, sabotage, espionage, etc. An assurance;

More information

Fighting product clones through digital signatures

Fighting product clones through digital signatures Paul Curtis, Katrin Berkenkopf Embedded Experts Team, SEGGER Microcontroller Fighting product clones through digital signatures Product piracy and forgery are growing problems that not only decrease turnover

More information

Securing your Online Data Transfer with SSL

Securing your Online Data Transfer with SSL Securing your Online Data Transfer with SSL A GUIDE TO UNDERSTANDING SSL CERTIFICATES, how they operate and their application 1. Overview 2. What is SSL? 3. How to tell if a Website is Secure 4. What does

More information

Encrypting Email with KMail, Mozilla Thunderbird, and Evolution LOCK AND KEY BY FRAUKE OSTER

Encrypting Email with KMail, Mozilla Thunderbird, and Evolution LOCK AND KEY BY FRAUKE OSTER COVER STORY Encrypting Email Encrypting Email with KMail, Mozilla Thunderbird, and Evolution LOCK AND KEY The leading email applications include new features for helping users secure and authenticate their
