Tuesday, March 09, 2010

CRYPTOGRAPHY IN SMART CARDS


In the age of universal electronic connectivity, of viruses and hackers, there is no time at which security does not matter. The problem of security and privacy is not new, however: the age-old science of cryptography has been in use for as long as people have had information they wished to hide. Cryptography has naturally been extended into the realm of computers, where it provides a solution to electronic security and privacy problems.
As the technology advances, smart cards (e.g. SIM cards, bank cards, health cards) play a very important role in processing many transactions with a high level of security.
This security level is achieved by means of cryptography. In this paper we are presenting an introduction to

1. INTRODUCTION

Cryptography comes from the Greek words for “secret writing”. It is the science of enabling secure communication between a sender and one or more recipients. It deals with the process of scrambling plain text (ordinary text, or clear text) into cipher text (a process called encryption) and turning it back again (decryption).

Fig: Encryption model
An intruder is a hacker or cracker who listens in and accurately copies down the complete cipher text. A passive intruder only listens to the communication channel. An active intruder can also record messages and play them back later, inject his own messages, or modify legitimate messages before they reach the receiver. Confidentiality alone does not stop the active intruder; the integrity and authentication objectives below are what defeat replay and tampering.



Cryptography concerns itself with four objectives:
1. Confidentiality (the information cannot be understood by anyone for whom it was not intended).
2. Integrity (the information cannot be altered in storage or in transit between sender and intended receiver without the alteration being detected).
3. Non-repudiation (the creator/sender of the information cannot deny at a later stage his or her intentions in the creation or transmission of the information).
4. Authentication (the sender and receiver can confirm each other's identity and the origin/destination of the information).

2. TYPES OF ENCRYPTION
We have two variations:
• Symmetric encryption
• Asymmetric encryption
In symmetric encryption, the same key is used for both encryption and decryption. Consider a situation where Alice, a user from company A, is electronically communicating with Bob, a user of company B.
In the figure of symmetric communication between Alice and Bob, Alice encrypts her message using a key and then sends the message to Bob. Alice separately communicates the key to Bob to allow him to decrypt the message. To maintain security and privacy, Alice and Bob need to ensure that the key remains private to them; getting the key to Bob without the intruder seeing it (key distribution) is the main practical difficulty of symmetric encryption.
Symmetric encryption can be implemented by:
• DES – the Data Encryption Standard (a 64-bit block cipher with a 56-bit key, now too short to resist brute force; Triple DES or AES is used instead)
• AES – the Advanced Encryption Standard
• Cipher modes (ECB, CBC and others), which define how a block cipher is applied to messages longer than a single block
In asymmetric encryption, separate keys are used for encryption and decryption: a public key, which may be published, and a private key, which its owner keeps secret.

Fig: Asymmetric communication between Bob and Alice
Here, Alice is sending a message to Bob. Alice creates her message and then encrypts it using Bob's public key. When Bob receives the encrypted message, he uses his secret, private key to decrypt it. As long as Bob's private key has not been compromised, both Alice and Bob know that only Bob can read the message. Note that this gives confidentiality only: because anyone can use Bob's public key, it does not prove to Bob that the message came from Alice. For that, Alice must sign it with her own private key (see Digital Signatures below).
Asymmetric encryption can be implemented by:
• RSA (Rivest, Shamir, Adleman)
• Other public-key algorithms (Diffie-Hellman key exchange, ElGamal, elliptic-curve schemes)



3. APPLICATIONS OF CRYPTOGRAPHY:
The following are some of the applications of cryptography.
• Digital Signatures
• Digital Certificates.
• Message Digest.
• Secure Sockets Layer (SSL).
• Secure e-business.
• Secure IP (IPsec).
• Challenge/Response systems (Smart cards).
In this paper we are concentrating on Smart Cards.
4. SMART CARDS:
Smart cards are an ideal means to provide the required level of security. In recent years, smart card technology has advanced quickly and has now reached a state where smart cards integrate easily into public key infrastructures. Today's smart cards provide memory, and they have cryptographic coprocessors that allow them to generate digital signatures using RSA.

a) Architecture:
A smart card is a credit-card-sized plastic card with an integrated circuit (IC) embedded inside. The IC contains a microprocessor and memory, which gives a smart card the ability to process information as well as to store more of it.

Fig: Contact chip and Smart card architecture


The figure shows the architecture of a smart card, which contains RAM, ROM, flash memory and a coprocessor. The card uses RAM for temporary storage and ROM as the bootstrap for loading the operating system. Flash memory allows a much higher data storage capacity on the card. A dedicated on-chip coprocessor, the crypto-processor, provides key generation and acceleration of asymmetric algorithms.
The contact chip is not a single transistor but an integrated circuit produced by a lithographic process as a series of etched and plated regions on a tiny sheet of silicon; the metal contacts on the card surface connect it to the reader.
A smart card can be used for payment transactions, such as purchases, and non-payment transactions, such as information storage and exchange.

b) Role of Cryptography:
The smart card provides two types of security service: user authentication and digital signature generation. Smart cards are specifically designed to perform these services with a high level of security. Authenticating users means proving that users are who they say they are. There are various ways to implement authentication using a smart card, but in this paper we are presenting smart cards with crypto-processors. The data storage structure of a smart card is comparable to the directory structure of disk media.
The main structure is based on three component types:
• Master File (MF), the root directory
• Dedicated file (DF), application directories or sub-directories
• Elementary file (EF), data files.
On the smart card there is only one master file, which contains some data files with global information about the smart card and its holder.
Dedicated files are directories that can be set under the root directory. Each application has a directory of its own, and an application directory can have one or more sub-directories.
Each directory has some specific elementary files, which contain secret cryptographic keys. All dedicated and elementary files have access conditions that must be satisfied before a command can execute on the file.
c) Cryptographic computations by Smart Cards:
The maximal length of data that can be encrypted by the smart card, when that data is not stored on the card, is 8 bytes (one DES block). The command that provides this encryption is called INTERNAL AUTHENTICATE and was developed to authenticate the smart card to the outside world. The command takes a random number (a challenge) from the outside world and uses a secret key that is stored on the smart card: the card encrypts the random number with the secret key and returns the result, and the outside world, which shares the key, checks that the answer is correct. Because the key never leaves the card and the challenge is fresh for every run, a response recorded by an intruder cannot be replayed later.
The smart card is also able to compute a Message Authentication Code (MAC) over data that is stored on the smart card. A MAC that is computed by the smart card is also called a stamp.
All data is stored unencrypted on a smart card; it is the access conditions, not encryption, that protect stored data. A smart card can, however, encrypt data from specific files before returning it. Encryption on read is possible for a file that has the access condition ENC (ENCrypted) for the read command.
d) Storage of Secret keys on Smart Card
The architecture of smart cards allows secret cryptographic keys to be stored in a safe manner. A stored key can only be used to perform cryptographic computations; it cannot be read out. Keys are stored in specific data files called EF_KEY. The initial secret keys are written to the smart card during the initialization process performed by the card issuer. To write a new secret key K_new to the smart card, secret keys that are already stored on the card are needed.
The smart card makes use of two kinds of secret keys:
• Management keys
• Operational keys
A management key is used to encrypt another management key or an operational key that has to be written to the smart card. A management key is also called a Key Encrypting Key (KEK).
An operational key is used by the smart card to perform cryptographic operations on data.
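A model of the card behaviour described in sections 4b to 4d, added here as an example and not taken from the paper or from any card vendor: a file tree with access conditions, an EF_KEY store whose keys can be used but never read, INTERNAL AUTHENTICATE as a challenge-response, a MAC stamp over a stored file, read-with-ENC, and loading a new key wrapped under a KEK. The card's DES block operation is replaced by HMAC-SHA256 truncated to 8 bytes, and the file paths, key identifiers and wrap format are assumptions made for illustration.

```python
"""Toy model of the card behaviour described above (added example, not the
card's real command set). The DES block computation is replaced by HMAC-SHA256
truncated to the 8-byte block the text mentions; file names, key labels and
the key-wrap format are assumptions made for this example."""
import hashlib
import hmac
import secrets

BLOCK = 8  # length of the INTERNAL AUTHENTICATE challenge and response


def keyed_block(key, data):
    """Stand-in for 'encrypt one block under a secret key' (HMAC here, not DES)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:BLOCK]


def keystream(key, nonce):
    """32 bytes of keystream for wrapping a key or a file under a key (assumed format)."""
    return hmac.new(key, b"stream" + nonce, hashlib.sha256).digest()


def xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


class AccessDenied(Exception):
    pass


class SmartCard:
    """MF / DF / EF tree with READ access conditions and an EF_KEY store."""

    def __init__(self, issuer_kek):
        # Elementary files: path -> (data, access condition for READ)
        self.files = {"MF/EF_HOLDER": (b"holder=Alice", "ALWAYS"),
                      "MF/DF_BANK/EF_WALLET": (b"wallet=100", "ENC")}
        # EF_KEY: key id -> (kind, key); written at issue time, never readable
        self.keys = {"KEK1": ("management", issuer_kek)}

    def _operational(self, key_id):
        kind, key = self.keys[key_id]
        if kind != "operational":
            raise AccessDenied("management keys are never used on data")
        return key

    def put_key(self, kek_id, new_id, kind, nonce, wrapped, stamp):
        """Write K_new, which arrives wrapped under a management key already on the card."""
        kek_kind, kek = self.keys[kek_id]
        if kek_kind != "management":
            raise AccessDenied("only a KEK may wrap a new key")
        # stamp = MAC over the wrapped blob: reject anything the KEK holder did not produce
        if not hmac.compare_digest(stamp, keyed_block(kek, nonce + wrapped)):
            raise AccessDenied("bad stamp on wrapped key")
        self.keys[new_id] = (kind, xor(wrapped, keystream(kek, nonce)))

    def internal_authenticate(self, key_id, challenge):
        """Prove possession of an operational key without ever revealing it."""
        if len(challenge) != BLOCK:
            raise ValueError("challenge must be exactly one block")
        return keyed_block(self._operational(key_id), challenge)

    def compute_stamp(self, key_id, path):
        """MAC ('stamp') over data stored in a file."""
        return keyed_block(self._operational(key_id), self.files[path][0])

    def read_binary(self, path, key_id=None):
        """READ obeys the file's access condition; key files are never readable."""
        if path.startswith("MF/EF_KEY"):
            raise AccessDenied("keys can be used, not read")
        data, cond = self.files[path]
        if cond == "ALWAYS":
            return data
        if cond == "ENC":  # the card hands out ciphertext, not the stored plaintext
            nonce = secrets.token_bytes(BLOCK)
            return nonce + xor(data, keystream(self._operational(key_id), nonce))
        raise AccessDenied(cond)


class Terminal:
    """The outside world, sharing the operational key with the card."""

    def __init__(self, op_key):
        self.op_key = op_key

    def authenticate_card(self, card, key_id):
        challenge = secrets.token_bytes(BLOCK)  # fresh, so a replayed answer will not match
        response = card.internal_authenticate(key_id, challenge)
        return hmac.compare_digest(response, keyed_block(self.op_key, challenge))

    def decrypt_read(self, blob):
        nonce, ciphertext = blob[:BLOCK], blob[BLOCK:]
        return xor(ciphertext, keystream(self.op_key, nonce))


def issuer_wrap(kek, new_key, nonce):
    """What the issuer sends to load a key: (wrapped key, stamp)."""
    wrapped = xor(new_key, keystream(kek, nonce))
    return wrapped, keyed_block(kek, nonce + wrapped)


def demo():
    kek, op_key = secrets.token_bytes(16), secrets.token_bytes(16)
    card = SmartCard(kek)  # personalised with the KEK only
    nonce = secrets.token_bytes(BLOCK)
    card.put_key("KEK1", "OP1", "operational", nonce, *issuer_wrap(kek, op_key, nonce))
    terminal = Terminal(op_key)
    genuine = terminal.authenticate_card(card, "OP1")
    wallet = terminal.decrypt_read(card.read_binary("MF/DF_BANK/EF_WALLET", "OP1"))
    return genuine, wallet
```

The two checks a practitioner cares about are both present: the card refuses to use a management key on data and to return key material at all, and the terminal verifies the response with a constant-time compare against its own computation rather than trusting anything the card says about itself.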

5. APPLICATIONS OF SMART CARD:
Smart cards are used for a huge range of applications today. A few common examples are briefly described here.

i) SIM cards:
A common application of smart cards is in mobile phones. The central security processor of a GSM (Global System for Mobile communications) phone is provided by the SIM (Subscriber Identity Module). The use of SIM cards has radically improved the security of digital phones compared to the older analogue devices.


ii) Bank Cards:
Increasingly, credit and debit cards are being used via the contact chip rather than being swiped. The security features offered by smart cards protect consumers from their cards being cloned, as it is much more difficult to copy a cryptographically protected chip than a magnetic strip.
iii) Health Cards:
Increasingly, smart cards are being used to store a citizen's medical data. The cards are carried by the citizen and can contain information such as a list of allergies, current and past medications, past treatment history, disease history and doctors' notes. This enables medical information to be accessed easily in an emergency.

Consider the scenario of how a smart card works for banking.

Fig: Evaluation scenario of smart cards
Stage 1: This is the initial process, in which enrollment of the customer takes place; the customer's image and details are saved on the card.
Stage 2: After the enrollment process, money is loaded and the wallet value is updated.
Stage 3: When the customer inserts the card to withdraw money, the system reads the data from the card to verify the validity of the customer.
Stage 4: After verification the machine credits or debits the customer's account. Finally the wallet value is updated.

6. MERITS AND DEMERITS:
High-level security can be achieved using cryptography in smart cards. Data present on the smart card is better protected and can be viewed only by authorized persons.
Although this system is very effective as protection, the processing power needed to run it makes it impractical on older, slower computers that lack the capacity for such extensive encryption. Weak authentication (for example a terminal that does not check the card's response, or a guessable PIN) may break the security provided by the smart card.

7. CONCLUSION:
Cryptography provides a solution to the problem of security and privacy. The use of cryptography in smart cards has become very popular. Smart card technology can be implemented for multiple applications such as bank cards, SIM cards and health cards.
As card technologies continue to develop we can expect to see advanced cards interacting directly with users through displays, biometric sensors and buttons. This will open up many exciting novel applications and further increase the usability of smart cards.


Achieving higher QOS by GPRS, WLAN Integration

ABSTRACT:-
GPRS (General Packet Radio Service) is a packet-based communication service for mobile devices that allows data to be sent and received across a mobile telephone network. GPRS is a step towards 3G and is often referred to as 2.5G. As wireless technology evolves, one can access the Internet almost everywhere via many wireless access networks such as wireless LAN and GPRS. People would like to use wireless networks with high data rate, large coverage and low cost. Some networks, such as GPRS, provide large coverage but only a low data rate; others, like wireless LAN, provide a high data rate, but their access points are not widely deployed. None of the wireless networks can meet all the requirements of a mobile user. Heterogeneous networks solve part of the problem: in a heterogeneous network, users can roam among different kinds of networks, such as 802.11 wireless LAN and GPRS, through vertical handoffs. But each kind of wireless network provides a different quality of service, and users roaming among them suffer enormous changes in quality of service. The paper proposes three access network selection strategies that keep mobile users in the wireless networks with higher quality of service for longer, and thus improve the average available bandwidth and decrease the call blocking probability.


Introduction:

IEEE 802.11 wireless LAN is the most popular high data rate wireless network. But the coverage of an access point is too small, and the access points are not widely deployed and well organized. Users cannot receive the WLAN services ubiquitously and have to change their settings when they are in different WLAN.
On the other hand, cellular systems like GPRS can provide service almost everywhere, but they cannot offer a data rate like WLAN. Vertical handoffs in heterogeneous networks let users get service from both GPRS and WLAN: users who leave the coverage of an access point can vertically handover to the GPRS network, and their Internet service will not be terminated. IEEE 802.11g has a 54 Mbps transmission rate while GPRS has an optimal transmission rate of only 171 kbps. The paper proposes new mobility strategies to extend the time mobile hosts stay in higher quality networks in the heterogeneous network environment by using an ad hoc network. In an ad hoc network, mobile hosts relay messages for other mobile hosts. This characteristic helps to extend the service range of an access point while there are mobile hosts available to form a path that can relay messages to the access point.
Interworking mechanisms:-



The integration of WLAN into GPRS lets users in “hot-spot” areas use the high-speed wireless network and, when outside a hot-spot coverage area, use the cellular data network. This is not simple to implement, however, as it must provide session continuity, integrated billing and authentication between networks, inter-carrier roaming and, most importantly, a seamless user experience.
Some Existing coupling methods:
1. Tight coupling methods:


In general, the proposed tight coupling architecture provides a novel solution for interworking between 802.11 WLANs and GPRS, and features many benefits, such as:
• Seamless service continuation across WLAN and GPRS. The users are able to maintain their data sessions as they move from WLAN to GPRS and vice versa.
• Reuse of GPRS AAA.
• Reuse of GPRS infrastructure (e.g., core network resources, subscriber databases, billing systems) and protection of cellular operator’s investment.
• Support of lawful interception for WLAN subscribers.
• Increased security, since GPRS authentication and ciphering can be applied on top of WLAN ciphering.
• Common provisioning and customer care.
2. Loose Coupling Methods:


Loose coupling is another approach that provides interworking between GPRS and WLAN. As can be seen, the WLAN is coupled with the GPRS network in the operator's IP network. Note that, in contrast to tight coupling, the WLAN data traffic does not pass through the GPRS core network but goes directly to the operator's IP network.
Disadvantage of Existing Methods:


• After coupling, the combined WLAN and GPRS network cannot easily support third-party WLANs.
• Throughput capacity is low.
• More important, tight coupling cannot support legacy WLAN terminals, which do not implement the GPRS protocols.
• Implementation cost is high.
The Proposed Strategies:


In the paper, the heterogeneous network is composed of WLAN, ad hoc WLAN and a GPRS network. With the use of the ad hoc WLAN, mobile hosts can access the Internet through other hosts relaying to a WLAN AP. In the original heterogeneous network environment, mobile hosts prefer WLAN; if no WLAN AP is available, they hand over to the GPRS network to keep their connections alive. With ad hoc WLAN, mobile hosts have another alternative when no WLAN AP is available: they can choose the ad hoc WLAN. However, there may be more than one mobile host able to relay packets to more than one access point. A mobile host must then select the best relay host, or decide not to use the ad hoc network at all.


A mobile wireless network without infrastructure is commonly known as an ad hoc network. Infrastructure-less networks have no fixed routers. All nodes are capable of movement and can be connected dynamically in an arbitrary manner. The nodes of these networks function as routers, which discover and maintain routes to other nodes in the network.
Selection strategies:-
Making such decisions is the problem, and three selection strategies are proposed. The selection strategies are detailed below.
A. Fixed hop counts (FHC)
In this strategy the ad hoc route cannot be longer than n hops. The mobile host first looks for access points; if no access point is available, it tries to find a mobile host whose route to an access point is shorter than n – 1 hops. If more than one route is shorter than n – 1 hops, select the shortest one. If more than one route has the shortest hop count, select the one whose AP is in the same IP range as the host itself (so that the host keeps its IP address). If no AP is in the same IP range, select an arbitrary one. If no route is shorter than n – 1 hops, try to select the GPRS network.


B. Any available route (AAR)
In this strategy, any ad hoc route will be chosen if no higher-service network is available: the mobile host tries to find a mobile host that has the shortest route to an access point. If no route is available, it tries to select the GPRS network.
C. Bandwidth pre-evaluation (BPE)
In the third strategy, the network status is measured before selection; an ad hoc network is selected only if it offers a higher quality of service than the GPRS network.


Call initiation in network:-

In the proposed strategy, when a mobile host tries to initiate a call, it looks for a WLAN AP, an ad hoc WLAN relay host and a GPRS network, in that order. If none of the networks can be selected, the connection is rejected. When a user leaves the coverage of a GPRS cell or an access point, a handoff occurs. These cases are more complicated than call initiation, and the three cases are discussed separately.
A. Handoff from WLAN:-
First, try to find another WLAN AP. If no other AP is available, try to select an ad hoc WLAN network. If no ad hoc WLAN is qualified, try to select the GPRS network. Finally, if no GPRS network is available, the connection is forcibly terminated.
B. Handoff from ad hoc WLAN:-
First, try to find a WLAN AP. If no AP is available, try to select another ad hoc WLAN route. If no ad hoc WLAN is qualified, try to select the GPRS network. Finally, if no GPRS network is available, the connection is forcibly terminated.
C. Handoff from GPRS:-
First, try to find another GPRS base station. If no other base station is available, try to find a WLAN AP. If no AP is available, try to select an ad hoc WLAN network. If no ad hoc WLAN is qualified, the connection is forcibly terminated.
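The three selection strategies and the handoff order above, written out as code. This is an added example and not the paper's implementation: the AP, route and environment structures, the use of the page's 171 kbps figure as the GPRS QoS baseline in BPE, and the tie-break inside each strategy are assumptions made for illustration.

```python
"""Access-network selection for the FHC, AAR and BPE strategies and the three
handoff cases (added example, not the paper's code). The data model, the
bandwidth figures and the tie-break order are assumptions for illustration."""
from dataclasses import dataclass

GPRS_KBPS = 171  # the page's GPRS peak rate, used as the GPRS QoS figure in BPE


@dataclass(frozen=True)
class AP:
    ap_id: str
    subnet: str  # "same IP range" test used by FHC


@dataclass(frozen=True)
class AdHocRoute:
    hops: int    # relay hops from this host to the AP
    ap: AP
    kbps: int    # measured bandwidth over the route (used only by BPE)


@dataclass
class Env:
    aps: list         # directly reachable WLAN access points
    routes: list      # candidate ad hoc routes
    gprs_cells: list  # reachable GPRS cells
    my_subnet: str = "10.0.1.0/24"


def pick_ap(env, exclude=None):
    for ap in env.aps:
        if ap.ap_id != exclude:
            return ("wlan", ap.ap_id)
    return None


def pick_adhoc(env, strategy, n=3):
    routes = list(env.routes)
    if strategy == "FHC":
        # whole route limited to n hops, so the relay host must be within n-1 of an AP
        routes = [r for r in routes if r.hops <= n - 1]
        if not routes:
            return None
        best = min(r.hops for r in routes)
        tied = [r for r in routes if r.hops == best]
        same = [r for r in tied if r.ap.subnet == env.my_subnet]
        chosen = (same or tied)[0]  # same IP range wins; otherwise arbitrary (first)
    elif strategy == "AAR":
        if not routes:
            return None
        chosen = min(routes, key=lambda r: r.hops)
    elif strategy == "BPE":
        floor = GPRS_KBPS if env.gprs_cells else 0
        good = [r for r in routes if r.kbps > floor]  # only if better than GPRS
        if not good:
            return None
        chosen = max(good, key=lambda r: r.kbps)
    else:
        raise ValueError(f"unknown strategy {strategy}")
    return ("adhoc", chosen.ap.ap_id, chosen.hops)


def pick_gprs(env, exclude=None):
    for cell in env.gprs_cells:
        if cell != exclude:
            return ("gprs", cell)
    return None


def initiate_call(env, strategy, n=3):
    """WLAN AP, then ad hoc relay, then GPRS; None means the call is rejected."""
    return pick_ap(env) or pick_adhoc(env, strategy, n) or pick_gprs(env)


def handoff(current, env, strategy, n=3):
    """Re-select after leaving `current`; None means forced termination."""
    kind, ident = current[0], current[1]
    adhoc = lambda: pick_adhoc(env, strategy, n)
    if kind == "wlan":
        order = (lambda: pick_ap(env, exclude=ident), adhoc, lambda: pick_gprs(env))
    elif kind == "adhoc":
        order = (lambda: pick_ap(env), adhoc, lambda: pick_gprs(env))
    elif kind == "gprs":
        order = (lambda: pick_gprs(env, exclude=ident), lambda: pick_ap(env), adhoc)
    else:
        raise ValueError(f"unknown network kind {kind}")
    for step in order:
        choice = step()
        if choice:
            return choice
    return None
```

The return tuples carry the hop count for ad hoc choices so a caller can see why FHC and AAR differ on the same environment: AAR takes the first shortest route, FHC prefers the shortest route whose AP shares the host's IP range.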
Conclusions:-
The proposed strategies reduce the number of times a user changes his or her IP address. The advantage disappears as mobility increases, because a route cannot be maintained in a high-mobility network. Three mobility strategies were proposed here to improve the service quality for mobile hosts in heterogeneous networks by using ad hoc routing. Using the proposed strategies, the average available bandwidth can be about twice that obtained with no strategy applied, and the request-blocking rate can be reduced by up to 94% and by 50% on average. Changing IP address is a serious problem for mobile users, and the proposed strategies give a 9% improvement in the number of IP address changes. This helps to ease the impact of the Mobile IP protocols on real-time applications.
However, the proposed strategies inherit the drawbacks of ad hoc networks. The number of handoffs rises because relaying hosts are unstable. This can be mitigated by using an ad hoc routing protocol that takes route stability into account, or by reducing the length of an ad hoc route.

NETWORK SECURITY Honeypot Solutions

Honeypots are an exciting new technology. In the past several years there has been growing interest in exactly what this technology is and how it works. The purpose of this paper is to introduce you to honeypots and demonstrate their capabilities.
A honeypot is a security resource whose value lies in being probed, attacked, or compromised. The key point of this definition is that honeypots are not limited to solving only one problem; they have a number of different applications. To better understand the value of honeypots, we can break them down into two categories:
1. Production
2. Research
A properly constructed honeypot is put on a network that closely monitors the traffic to and from the honeypot. This data can be used for a variety of purposes:
• Forensics - analyzing new attacks and exploits
• Trend analysis - looking for changes over time in the types of attacks, techniques, etc.
• Identification - tracking the bad guys back to their home machines to figure out who they are
• Sociology - learning about the bad guys as a group by snooping on email, IRC traffic, etc. which happens to traverse the honeypot
Traditionally, honeypots have been physical systems on a dedicated network that also contains multiple machines for monitoring the honeypot and collecting logs from it.
This paper throws further light on the advantages and disadvantages of honeypots and on some honeypot solutions. Honeypots are certainly a boon to the field of network security.

Introduction:
Many people have their own definition of what a honeypot is, or what it should accomplish. Some feel it is a solution to lure or deceive attackers, others feel it is a technology used to detect attacks, while others feel honeypots are real computers designed to be hacked into and learned from. In reality, they are all correct.
Definitions and Value of Honeypots:
Over the past several years there has been a growing interest in honeypots and honeypot-related technologies. Honeypots are not a new technology; they were first explained in a couple of very good papers by several icons in computer security. There are a variety of misconceptions about what a honeypot is, how it works, and how it adds value. It is hoped this paper helps clear up those issues.
We may define a honeypot as "a security resource whose value lies in being probed, attacked or compromised." This means that whatever we designate as a honeypot, it is our expectation and goal to have the system probed, attacked, and potentially exploited. Keep in mind, honeypots are not a solution. They do not 'fix' anything. Instead, honeypots are a tool. How you use that tool is up to you and depends on what you are attempting to achieve. A honeypot may be a system that merely emulates other systems or applications, creates a jailed environment, or may be a standard built system. Regardless of how you build and use the honeypot, its value lies in the fact that it is attacked.
We will break honeypots into two broad categories
1.Production Honeypot
2.Research Honeypot
Production Honeypot:
The purpose of a production honeypot is to help mitigate risk in an organization. The honeypot adds value to the security measures of an organization. Traditionally, commercial organizations use production honeypots to help protect their networks. It adds value to the security of production resources. Let's cover how production honeypots apply to the three areas of security: prevention, detection, and reaction.

Prevention:
Honeypots will not help keep the bad guys out. What will keep the bad guys out is best practices, such as disabling unneeded or insecure services, patching what you do need, and using strong authentication mechanisms. It is the best practices and procedures such as these that will keep the bad guys out. A honeypot, a system to be compromised, will not help keep the bad guys out. In fact, if incorrectly implemented, a honeypot may make it easier for an attacker to get in.
Some individuals have discussed the value of deception as a method to deter attackers. The concept is to have attackers spend time and resource attacking honeypots, as opposed to attacking production systems. The attacker is deceived into attacking the honeypot, protecting production resources from attack. Deception may contribute to prevention, but you will most likely get greater prevention putting the same time and effort into security best practices.
Detection:
While honeypots add little value to prevention, they add extensive value to detection. For many organizations, it is extremely difficult to detect attacks. Intrusion Detection Systems (IDS) are one solution designed for detecting attacks. However, IDS administrators can be overwhelmed with false positives. False positives are alerts generated when the sensor recognized the configured signature of an "attack", but in reality it was just valid traffic. The problem here is that system administrators may receive so many alerts on a daily basis that they cannot respond to all of them. Also, they often become conditioned to ignore these false positive alerts as they come in day after day. The very IDS sensors that they were depending on to alert them to attacks can become ineffective unless these false positives are reduced. Honeypots largely avoid this problem because a honeypot has no production purpose: nothing legitimate should connect to it, so almost any traffic it receives is suspicious by definition. This does not mean that honeypots will never have false positives, only that they will be dramatically fewer than with most IDS implementations.
Another risk is false negatives, when IDS systems fail to detect a valid attack. Many IDS systems, whether they are signature based, protocol verification, etc., can potentially miss new or unknown attacks. It is likely that a new attack will go undetected by current IDS methodologies. Also, new IDS evasion methods are constantly being developed and distributed. It is possible to launch a known attack that may not be detected, for example by disguising its shellcode with K2's ADMmutate. Honeypots address false negatives as they are not easily evaded or defeated by new exploits. In fact, one of their primary benefits is that they can most likely detect when a compromise occurs via a new or unknown attack by virtue of system activity, not signatures. Administrators also do not have to worry about updating a signature database or patching anomaly detection engines. Honeypots happily capture any attacks thrown their way. As discussed earlier though, this only works if the honeypot itself is attacked.
Reaction:
Often when a system within an organization is compromised, so much production activity has occurred after the fact that the data has become polluted. Incident response teams cannot determine what happened when user and system activity have polluted the collected data.
The second challenge many organizations face after an incident is that compromised systems frequently cannot be taken off-line. The production services they offer cannot be eliminated. As such, incident response teams cannot conduct a proper or full forensic analysis.
Honeypots can add value by reducing or eliminating both problems. They offer a system with reduced data pollution, and an expendable system that can be taken off-line. For example, let's say an organization had three web servers, all of which were compromised by an attacker. However, management has only allowed us to go in and clean up specific holes. As such, we can never learn in detail what failed, what damage was done, whether the attacker still has internal access, and whether we were truly successful in the cleanup.
However, if one of those three systems were a honeypot, we would now have a system we could take off-line and conduct a full forensic analysis on. Based on that analysis, we could learn not only how the bad guy got in, but also what he did once he was in there. These lessons could then be applied to the remaining web servers, allowing us to better identify and recover from the attack.
Research Honeypot:
One of the greatest challenges the security community faces is lack of information on the enemy. Questions like who is the threat, why do they attack, how do they attack, what are their tools, and possibly when will they attack? It is questions like these that the security community often cannot answer. For centuries military organizations have focused on information gathering to understand and protect against an enemy. To defend against a threat, you have to first know about it. However, in the information security world we have little such information.
Honeypots can add value in research by giving us a platform to study the threat. What better way to learn about the bad guys than to watch them in action, to record step by step as they attack and compromise a system. Of even more value is watching what they do after they compromise a system, such as communicating with other blackhats or uploading a new tool kit. It is this research potential that is one of the most unique characteristics of honeypots. Also, research honeypots are excellent tools for capturing automated attacks, such as auto-rooters or worms. Since these attacks target entire network blocks, research honeypots can quickly capture them for analysis.
In general, research honeypots do not reduce the risk of an organization. The lessons learned from a research honeypot can be applied, such as how to improve prevention, detection or reaction. However, research honeypots contribute little to the direct security of an organization. If an organization is looking to improve the security of its production environment, it may want to consider production honeypots, as they are easy to implement and maintain. If organizations such as universities, governments, or extremely large corporations are interested in learning more about threats, then this is where research honeypots apply. The Honeynet Project is one such example of an organization using research honeypots to capture information on the blackhat community.

Honeypot Solutions:
Now that we have discussed the different types of honeypots and their value, let's discuss some examples. Simply put, the more an attacker can interact with a honeypot, the more information we can potentially gain from it, but the more risk it most likely carries. The more a honeypot can do and the more an attacker can do to a honeypot, the more information can be derived from it. However, by the same token, the more an attacker can do to the honeypot, the more potential damage an attacker can do.
For example, a low interaction honeypot would be one that is easy to install and simply emulates a few services. Attackers can merely scan, and potentially connect to, several ports. Here the information is limited (mainly who connected to what ports and when), but there is little that the attacker can exploit. On the other extreme are high interaction honeypots. These are actual systems. We can learn far more, as there is an actual operating system for the attacker to compromise and interact with, but there is also a far greater level of risk, as the attacker has an actual operating system to work with. Neither solution is a better honeypot. It all depends on what you are attempting to achieve. Remember that honeypots are not a solution. Instead, they are a tool. Their value depends on what your goal is, from early warning and detection to research. Based on level of interaction, let's compare some possible honeypot solutions.
For this article, we will discuss four honeypots. There are a variety of other possible honeypots, but this selection covers a range of options. We will cover BackOfficer Friendly, Specter, Honeyd, and homemade honeypots. This article is not meant to be a comprehensive review of these products; it only highlights some of their features. Instead, it hopes to cover the different types of honeypots, how they work, and demonstrate the value they add and the risks involved.
• BackOfficer Friendly:
BOF (as it is commonly called) is a very simple but highly useful honeypot. BOF is a program that runs on most Windows-based operating systems. All it can do is emulate some basic services, such as http, ftp, telnet, and mail. Whenever someone attempts to connect to one of the ports BOF is listening on, it logs the attempt. BOF also has the option of "faking replies", which gives the attacker something to connect to. This way you can log http attacks, telnet brute-force logins, or a variety of other activities. It can monitor only a limited number of ports, but these ports often represent the most commonly scanned and targeted services.
• Specter:
Specter is a commercial product similar to BOF in that it emulates services, but it can emulate a far greater range of services and functionality. In addition, not only can it emulate services, it can also emulate a variety of operating systems. Similar to BOF, it is easy to implement and low risk. Specter works by installing on a Windows system. The risk is reduced, as there is no real operating system for the attacker to interact with. For example, Specter can emulate a webserver or Telnet server of the operating system of your choice. When an attacker connects, they are then prompted with an http header or login banner. The attacker can then attempt to gather web pages or log in to the system. This activity is captured and recorded by Specter, but there is little else the attacker can do. There is no real application for the attacker to interact with, just some limited, emulated functionality. Specter's value lies in detection. It can quickly and easily determine who is looking for what. As a honeypot, it reduces both false positives and false negatives, simplifying the detection process.
• Home made Honeypots:
Another common honeypot is homemade. These honeypots tend to be low interaction. Their purpose is usually to capture specific activity, such as worms or scanning activity. These can be used as production or research honeypots, depending on their purpose. Once again, there is not much for the attacker to interact with, but the risk is reduced because there is less damage the attacker can do. One common example is creating a service that listens on port 80 (http), capturing all traffic to and from the port. This is commonly done to capture worm attacks. One such implementation would be using netcat, as follows:
netcat -l -p 80 > c:\honeypot\worm
In the above command, a Worm could connect to netcat listening on port 80. The attacking Worm would make a successful TCP connection and potentially transfer its payload. This payload would then be saved locally on the honeypot, which can be further analyzed by the administrator, who can assess the threat of the Worm.
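The netcat one-liner above does the whole job, but it shows nothing about what was captured or from where. As an added example (not from the original article and not part of netcat), here is the same idea as a small Python listener: it accepts a connection on the chosen port, records whatever the peer sends to a file named by time and source address, and returns a summary record the administrator can log. The class and field names, the capture directory and the read timeout are assumptions made for this example. It never replies, which is what keeps the risk low: the attacker gets a TCP connection and nothing else.

```python
"""Homemade low-interaction honeypot: accept one TCP connection at a time,
capture whatever the client sends, and save it to disk for later analysis.
Added example (not from the original article); file layout and record
fields are assumptions made here."""
import datetime
import pathlib
import socket
import tempfile
import threading


class CaptureListener:
    """Listens on one port and records each connection's payload to a file."""

    def __init__(self, host="127.0.0.1", port=0, outdir="captures",
                 max_bytes=1_000_000, read_timeout=2.0):
        self.outdir = pathlib.Path(outdir)
        self.outdir.mkdir(parents=True, exist_ok=True)
        self.max_bytes = max_bytes          # cap so a chatty client cannot fill the disk
        self.read_timeout = read_timeout    # seconds of silence before we stop reading
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))        # port 0 lets the OS pick a free port
        self.sock.listen(5)

    @property
    def port(self):
        return self.sock.getsockname()[1]

    def serve_once(self):
        """Accept a single connection, capture its bytes, and return a record.

        The honeypot never answers, so the client only sees a successful TCP
        connect and then silence; the bytes it sends anyway are the evidence.
        """
        conn, (peer_ip, peer_port) = self.sock.accept()
        started = datetime.datetime.now(datetime.timezone.utc)
        chunks, total = [], 0
        try:
            conn.settimeout(self.read_timeout)
            while total < self.max_bytes:
                try:
                    chunk = conn.recv(4096)
                except socket.timeout:
                    break                   # client went quiet; keep what we have
                if not chunk:
                    break                   # client closed the connection
                chunks.append(chunk)
                total += len(chunk)
        finally:
            conn.close()
        data = b"".join(chunks)
        name = f"{started.strftime('%Y%m%dT%H%M%S%f')}_{peer_ip}_{peer_port}.bin"
        path = self.outdir / name
        path.write_bytes(data)
        return {"time": started.isoformat(), "peer_ip": peer_ip,
                "peer_port": peer_port, "listen_port": self.port,
                "bytes": total, "path": str(path), "data": data}

    def close(self):
        self.sock.close()


def first_request_line(data):
    """First line of a capture, decoded leniently, for a one-line log summary."""
    return data.split(b"\r\n", 1)[0].decode("ascii", errors="replace")


def demo_capture(payload, host="127.0.0.1"):
    """Round trip on localhost: serve once in a thread, send `payload` from a
    client socket, and return the capture record. Constructed for illustration."""
    listener = CaptureListener(host=host, port=0,
                               outdir=tempfile.mkdtemp(prefix="honeypot_"))
    listener.sock.settimeout(5.0)           # do not block forever if nothing connects
    result = {}
    worker = threading.Thread(
        target=lambda: result.update(record=listener.serve_once()), daemon=True)
    worker.start()
    with socket.create_connection((host, listener.port), timeout=5.0) as client:
        client.sendall(payload)
    worker.join(10.0)
    listener.close()
    return result.get("record")


if __name__ == "__main__":
    # Constructed probe resembling what an automated scanner sends to port 80.
    probe = b"GET /probe HTTP/1.0\r\nHost: honeypot\r\n\r\n"
    rec = demo_capture(probe)
    print(f"{rec['time']} {rec['peer_ip']}:{rec['peer_port']} -> "
          f"port {rec['listen_port']}: {rec['bytes']} bytes saved to {rec['path']}")
    print("first line:", first_request_line(rec["data"]))
```

To use it as the article's worm catcher, construct `CaptureListener(host="0.0.0.0", port=80, outdir=...)` (binding port 80 needs privileges) and call `serve_once()` in a loop; each capture file is then the saved payload the administrator analyzes. The byte cap and the read timeout are the two knobs that keep a misbehaving client from holding the honeypot open or filling the disk.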

• Honeyd:
Honeyd is an extremely powerful, open-source honeypot. Designed to run on Unix systems, it can emulate over 400 different operating systems and thousands of different computers, all at the same time. Honeyd introduces some exciting new features. First, not only does it emulate operating systems at the application level, like Specter, but it also emulates operating systems at the IP stack level. This means that when someone Nmaps your honeypot, both the service and the IP stack behave as the emulated operating system. Currently no other honeypot has this. Second, Honeyd can emulate hundreds if not thousands of different computers all at the same time. While most honeypots can only emulate one computer at any point in time, Honeyd can assume the identity of thousands of different IP addresses. Third, as an open-source solution, not only is it free to use, but it will grow exponentially as members of the security community develop and contribute code.

Value of Honeypots:
Honeypots have certain advantages (and disadvantages) as security tools. It is the advantages that help define the value of a honeypot. The beauty of honeypots lies in their simplicity. A honeypot is a device intended to be compromised, not to provide production services. This means there is little or no production traffic going to or from the device. Any time a connection is sent to the honeypot, this is most likely a probe, scan, or even attack. Any time a connection is initiated from the honeypot, this most likely means the honeypot was compromised. As there is little production traffic going to or from the honeypot, all honeypot traffic is suspect by nature. Now, this is not always the case. Mistakes do happen, such as an incorrect DNS entry or someone from accounting inputting the wrong IP address. But in general, most honeypot traffic represents unauthorized activity.
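The principle above (any traffic to or from a honeypot is suspect by nature, with the caveat that mistakes such as a wrong IP address do happen) is easy to turn into detection logic. The following Python example is added here and is not from the original article; the log format, the honeypot address 10.0.0.50, the internal range and the severity labels are constructed for illustration. It flags inbound connections to the honeypot as probes, treats anything the honeypot itself initiates as a likely compromise, and keeps internal-origin hits separate so the misconfiguration case can be verified before anyone escalates.

```python
"""Triage of firewall-style log lines using the rule that honeypot traffic is
suspect by nature. Added example, not from the original article; log format,
addresses and severity labels are constructed for illustration."""
import ipaddress
import re
from collections import Counter

# Constructed: address of the honeypot and the ranges our own hosts live in.
HONEYPOT_IPS = {"10.0.0.50"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample log in a netfilter-like key=value style.
SAMPLE_LOG = [
    "2010-03-09T10:00:01Z SRC=203.0.113.7 DST=10.0.0.50 PROTO=TCP SPT=44123 DPT=80",
    "2010-03-09T10:00:02Z SRC=203.0.113.7 DST=10.0.0.50 PROTO=TCP SPT=44124 DPT=23",
    "2010-03-09T10:00:05Z SRC=198.51.100.22 DST=10.0.0.10 PROTO=TCP SPT=51000 DPT=443",
    "2010-03-09T10:01:10Z SRC=10.0.0.11 DST=10.0.0.50 PROTO=TCP SPT=3301 DPT=80",
    "2010-03-09T10:02:30Z SRC=10.0.0.50 DST=203.0.113.9 PROTO=TCP SPT=1035 DPT=6667",
    "garbage line the parser should skip",
]

LOG_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s+PROTO=(?P<proto>\S+)"
    r"\s+SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"time": line.split()[0], "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "spt": int(m["spt"]), "dpt": int(m["dpt"])}


def classify(event, honeypot_ips=HONEYPOT_IPS, internal_nets=INTERNAL_NETS):
    """Map one event to (severity, kind).

    - Anything *from* the honeypot: it offers no services, so an outbound
      connection most likely means it was compromised -> high.
    - Anything *to* the honeypot from outside: a probe or scan -> medium.
    - Anything *to* the honeypot from an internal host: still suspect, but
      the article's 'wrong IP address' mistake is a plausible cause -> low,
      verify before escalating.
    - Everything else is production traffic and is not the honeypot's business.
    """
    if event["src"] in honeypot_ips:
        return "high", "outbound_from_honeypot"
    if event["dst"] in honeypot_ips:
        src = ipaddress.ip_address(event["src"])
        if any(src in net for net in internal_nets):
            return "low", "inbound_from_internal"
        return "medium", "inbound_probe"
    return None, "production"


def triage(lines, honeypot_ips=HONEYPOT_IPS, internal_nets=INTERNAL_NETS):
    """Run the classifier over raw lines; return alerts plus per-kind counts."""
    alerts, counts = [], Counter()
    for line in lines:
        event = parse_line(line)
        if event is None:
            counts["unparsed"] += 1
            continue
        severity, kind = classify(event, honeypot_ips, internal_nets)
        counts[kind] += 1
        if severity is not None:
            alerts.append({**event, "severity": severity, "kind": kind})
    return {"alerts": alerts, "counts": dict(counts)}


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for alert in summary["alerts"]:
        print(f"[{alert['severity']:6}] {alert['time']} {alert['kind']}: "
              f"{alert['src']}:{alert['spt']} -> {alert['dst']}:{alert['dpt']}")
    print("counts:", summary["counts"])
```

Run against the six constructed lines, the production connection to 10.0.0.10 produces no alert at all, the two external hits on the honeypot are medium probes, the internal hit is a low-severity item to verify, and the honeypot's own outbound connection on port 6667 is the one high-severity alert. That is the "small data set" advantage in miniature: the honeypot rule turns a firewall log into a handful of lines worth a human's attention.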
Advantages :
The advantages of honeypots include:
• Small Data Sets: Honeypots only collect attacks or unauthorized activity, dramatically reducing the amount of data they collect. Organizations that may log thousands of alerts a day may only log a hundred alerts with honeypots. This makes the data honeypots collect much easier to manage and analyze.
• Reduced False Positives: Honeypots dramatically reduce false alerts, as they only capture unauthorized activity.
• Catching False Negatives: Honeypots can easily identify and capture new attacks never seen before.
• Minimal Resources: Honeypots require minimal resources, even on the largest of networks. This makes them an extremely cost-effective solution.
• Encryption: Honeypots can capture encrypted attacks.
• In-depth Information: Honeypots can capture data no other technology can, including the identity of your attacker, their motives, and whom they are potentially working with.
• IPv6: IPv6 is the new IP protocol that represents the future of the Internet and IP-based networking. Most technologies cannot detect, capture, or analyze IPv6-based traffic. Honeypots are one of the few technologies that can operate in any IPv6 (or IPv6-tunneled) environment.
Disadvantages:
• Single data point:
Honeypots all share one huge drawback: they are worthless if no one attacks them. Yes, they can accomplish wonderful things, but if the attacker does not send any packets to the honeypot, the honeypot will be blissfully unaware of any unauthorized activity.
• Risk:
Honeypots can introduce risk to your environment. As we discuss later, different honeypots have different levels of risk. Some introduce very little risk, while others give the attacker entire platforms from which to launch new attacks. Risk is variable, depending on how one builds and deploys the honeypot.
It is because of these disadvantages that honeypots do not replace any security mechanisms. They can only add value by working with existing security mechanisms. Now that we have reviewed the overall value of honeypots, let's apply them to security.
Conclusion :
A honeypot is just a tool. How we use that tool is up to us. There are a variety of honeypot options, each having different value to organizations. We have categorized two types of honeypots, production and research. Production honeypots help reduce risk in an organization. While they do little for prevention, they can greatly contribute to detection or reaction. Research honeypots are different in that they are not used to protect a specific organization. Instead they are used as a research tool to study and identify the threats in the Internet community. You will have to determine the best balance of risk and capability for your situation. Honeypots will not solve an organization's security problems. Only best practices can do that. However, honeypots may be a tool to help contribute to those best practices.