Nhảy tới nội dung

CS50: Week 10 - Cybersecurity

Recap

  • Over these past ten weeks, you have been drinking from the proverbial firehose.
  • While in this course, you learned how to program many programming languages; indeed, our great hope is that you learned how to program in all: Regardless of the programming language.
  • Further, we hope that you learned how to solve problems above all else.

Keyword

Authentication and Authorization

  • Passwords: Secret codes used for authentication.
  • Brute-Force Attacks: Attempts to guess passwords by trying all possible combinations.
  • Password Managers: Tools for storing and managing passwords securely.
  • Two-Factor Authentication (2FA): Security process requiring two forms of verification.
  • One-Time Passwords (OTPs): Passwords that expire after a single use.
  • Hashing: Irreversible transformation of data for security purposes.
  • Rainbow Table: Precomputed hash values for cracking passwords.
  • Salting: Adding random data to passwords before hashing.
  • Passkeys: Biometric or platform-based authentication methods.

Cryptography

  • Cryptography: The practice of protecting information and communication through codes.
  • Secret-Key Cryptography: Encryption using a single shared key.
  • Symmetric Cryptography: Another term for secret-key cryptography.
  • Asymmetric Cryptography: Encryption using a pair of keys (public and private).
  • Public-Key Cryptography: Another term for asymmetric cryptography.
  • HTTPS: Secure version of HTTP using SSL/TLS encryption.
  • End-to-End Encryption: Encryption that protects data from sender to recipient.

Data Security and Threats

  • Deletion: Removing data from a storage device.
  • Secure Deletion: Overwriting data multiple times to prevent recovery.
  • Full-Disk Encryption: Encrypting all data on a storage device.
  • Ransomware: Malware that encrypts files and demands a ransom for decryption.

Looking Ahead

  • As you journey from the work of this course to the world outside CS50, you may want to take a number of steps to prepare.
  • To be able to execute commands on the terminal, much like you did on CS50.dev, you can install command-line tools on your Mac or PC.
  • You can learn more about Git.
  • You can download and learn about VS Code.
  • You can host a website using GitHub or Netlify.
  • You can host a web app using AWS, Azure, or Google Cloud.
  • You can ask questions in relevant online communities.
  • You can ask questions using AI-based tools like OpenAI and GitHub Copilot.
  • You can take any of our other CS50 courses.
  • You can join one of our many communities.

Cybersecurity

  • Today will be a high-level overview of some of the cybersecurity-related topics.
  • Cybersecurity is understanding how our data is secure or not secure.

Passwords

  • One cybersecurity concern relates to our passwords.
  • Passwords are one method used to secure data online.
  • There are common passwords that people use:
1. 123456
2. admin
3. 12345678
4. 123456789
5. 1234
6. 12345
7. password
8. 123
9. Aa123456
10. 1234567890
  • If you have one of the passwords above, most likely, millions of people have the same password as you!
  • Adversaries in the world will start with this list.
  • Bad guys can also guess most of the heuristics you use to add symbols to your password.
  • Adversaries can use brute-force attacks, using a dictionary of passwords to simply try every possible password.
  • Your password is likely not as secure as you think it is.

Phone Security

  • Many phones are secured by a four-digit code.
  • The most simple form of attack would be to brute-force attempt all possible passwords.
  • There are 10,000 possible passwords when using a four-digit code.
  • If it takes one guess per second, it will take 10,000 seconds to crack the password.
  • However, if a programmer creates a program to generate all possible codes, the time required would be minimal. Consider the following code in Python:
from string import digits
from itertools import product

for passcode in product(digits, repeat=4):
print(passcode)
  • It should be quite disconcerting that the code above could take only a few seconds (at most!) to discover your password.
  • We could improve our security by switching to a four-letter password. This would result in 7,311,616 possible passwords.
  • Including uppercase and lowercase characters would create over 78 million possibilities.
  • Consider how we could modify your code to discover these passwords:
from string import ascii_letters
from itertools import product

for passcode in product(ascii_letters, repeat=4):
print(passcode)
  • We could even add the ability to look at all possible eight-digit passwords with letters, numbers, and punctuations:
from string import ascii_letters, digits, punctuation
from itertools import product

for passcode in product(ascii_letters + digits + punctuation, repeat=8):
print(passcode)
  • Expanding to eight characters, including upper and lowercase letters, numbers, and symbols, would result in 6,095,689,385,410,816 possible combinations.
  • In the digital world, you simply want your password to be better than other peoples’ passwords such that others would be attacked far before you—as you are a much less convenient target.
  • A downside of using such a long password is the downside of having to remember it.
  • Accordingly, there are other defenses that could be employed to slow down an attacker. For example, some phone manufacturers lock out those who guess a password incorrectly.
  • Security is about finding a “sweet spot” between the trade-offs of enhanced security while maintaining convenience.

Password Managers

  • Password managers can be used to create very challenging passwords and remember them for you.
  • The probability of a password secured by a password manager being broken is very, very low.
  • You’d hope that such password managers are secure. However, if one gains access to your password manager, they would have access to all your passwords.
  • In the end, you are far less likely to be at risk by those you live with—and much more likely to be at risk by the billions of other people on the internet.
  • As mentioned prior, you can make a decision based on a balance between security and convenience.

Two-factor Authentication

  • Adding another means by which you must authenticate adds further security. However, there is a human cost as you might not have access to your second factor.
  • These are implemented as one-time passwords of sorts that are sent to an email, device, or phone number.
  • Always, security policies attempt to balance the needs of security and human convenience.

Hashing

  • Your account information and other sensitive data should not be stored as raw text in an online database.
  • If a database becomes compromised and all credentials are stored in plain text, credentials for other services at other websites are likely also compromised.
  • Hence, hashing algorithms, as discussed earlier in this course, are used to store only hashed values of passwords.
  • One-way hashing allows online services to actually never store the original password typed by the user: Only the hashed value of these passwords. Accordingly, if there is a breach, only the hashed value will be known.
  • Rainbow tables are huge dictionaries that adversaries use to attempt to pre-hash possible passwords as a means by which to attempt to break the hash algorithm.
  • As an additional process to heightened security, programmers may sometimes introduce salting where it becomes unlikely that multiple users may have the same hash value to represent their passwords. You can imagine this as follows:

salt and password being fed to an algorithm outputting a hash

Cryptography

  • Similar to hashing, a cipher algorithm can use a public key and text to create ciphertext.
  • In turn, a private key and the ciphertext can be fed to the algorithm to decrypt the text.

Passkeys

  • Passkeys are a new technology only emerging in the most recent months.
  • Through private keys and a challenge being fed to an algorithm, websites can authenticate you through the unique signature created by your device.

public key and challenge being provided to an alogirthm resulting in a signature

  • Hence, passwords and usernames may soon become obsolete.

Encryption

  • Encryption is a way by which data is obscured such that only the sender and intended receiver can be read.
  • Early in this course, we learned a very simple algorithm to “shift” the text by one or more characters as a rudimentary form of encryption.
  • End-to-end encryption is a way by which encrypting and decrypting happen on the same system without a middleman. This prevents the middleman or a malicious actor from being able to snoop on your data. Zoom and Apple Messages can both utilize end-to-end encryption.

Deletion

  • Trashing a file on your computer or emptying the trash can does not actually delete the actual bits of the file on your computer.
  • Instead, remnants of the files are left.

remnants of a file on a hard drive

  • Secure deletion is where the remnants of those files are turned into zeros and ones.
  • Still, some remnants may remain because of what is rendered inaccessible by the operating system.
  • Full-disk encryption allows your entire hard drive to be encrypted. Thus, your deleted files are less accessible to adversaries.
  • Considering encryption, it’s this same technology that adversaries use to create ransomware that can, quite literally, hold your hard drive for ransom.

Summing Up

  • Use a password manager.
  • Use two-factor authentication.
  • Use (end-to-end) encryption.

>>> Slide PDF

>>> Source