Fundamental Math; Elliptic Curve

[Image: ECClines-3.svg]


Math is the underpinning of all technology. Whilst math itself is simply a man-made creation, its rules and systems are the foundations of security. It is sad, then, that by the time students reach college in the UK, many have a deep fear of mathematics.

Unlike linguistics, math has few ambiguities, which is why it is a great foundation for technology.

Today we will be learning about the elliptic curve.

The math behind an elliptic curve is very complex and can take some time to digest, so we will be working from a high level and getting more complex as we progress.

An elliptic curve is the set of points (x, y) that satisfy a cubic equation in two variables; plotted, those points trace out the curve.

The example equation we often see is y² = x³ + ax + b

Which creates the representation seen in the image below.

[Image: plot of the curve y² = x³ + ax + b]


We can think of this diagram as a drawn version of the points mapped out to give a visual representation.

A deeper view would show us the individual points of the equation marked out.

Some interesting qualities about elliptic curves are that they offer horizontal symmetry and any non-vertical line will intersect the curve in at least three places.

These idiosyncrasies are what go into making the elliptic curve one of the most secure forms of cryptography today.

Elliptic curves are important because asymmetric schemes like RSA and ElGamal require exponentiation in integer rings, which is not only computationally demanding; many experts also predict that these forms of cryptography could be broken within years.

Elliptic curves can be defined over finite fields, not just the real numbers. For the purposes of cryptography we are interested in curves taken modulo a prime p, or rather, elliptic curves over prime fields.


[Image: Curve22, an elliptic curve over a prime field]

http://cs.ucsb.edu/~koc/cren/docs/w03/09-ecc.pdf

To make a graphical representation we first generate points on an elliptic curve through point addition, P + Q = R, i.e. (x_P, y_P) + (x_Q, y_Q) = (x_R, y_R).

Then, to get the geometric representation, we draw a straight line through P and Q (if P = Q we draw the tangent line at P) and mirror the third intersection point of that line with the curve across the x-axis; the mirrored point is R.

Elliptic curves can be used for key exchange and offer performance advantages over public-key encryption methods such as RSA.

Elliptic curve cryptography is based on the discrete logarithm problem.

The discrete logarithm is
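The chord-and-tangent addition rule described above, and the discrete logarithm problem that elliptic curve cryptography rests on, worked through in code. This is an added example written for this post, not the author's code: the curve y² = x³ + 2x + 3 over the prime field p = 97, the base point (0, 10) and the point (3, 6) are all constructed toy values, not a standardised curve, and the brute-force logarithm is only feasible because the group has roughly a hundred elements.

```python
# Added example for this post (not the author's code): elliptic-curve arithmetic over a
# prime field, following the chord-and-tangent rule from the text.
# Curve: y^2 = x^3 + a*x + b (mod p). All parameters are constructed toy values.

P_MOD = 97            # constructed small prime; real curves use primes of ~256 bits
A, B = 2, 3           # constructed curve coefficients
INF = None            # the point at infinity, the identity element of the group


def on_curve(pt):
    """True if pt satisfies y^2 = x^3 + A*x + B (mod P_MOD); INF is on every curve."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def neg(pt):
    """Mirror a point across the x-axis: the curve's horizontal symmetry."""
    if pt is INF:
        return INF
    x, y = pt
    return (x, (-y) % P_MOD)


def add(p, q):
    """P + Q: draw the line through P and Q (tangent if P == Q), take the third
    intersection with the curve, and mirror it across the x-axis."""
    if p is INF:
        return q
    if q is INF:
        return p
    xp, yp = p
    xq, yq = q
    if xp == xq and (yp + yq) % P_MOD == 0:
        return INF                          # vertical line: P + (-P) = INF
    if p == q:
        # tangent slope, from implicit differentiation of the curve equation
        lam = (3 * xp * xp + A) * pow(2 * yp, -1, P_MOD) % P_MOD
    else:
        lam = (yq - yp) * pow(xq - xp, -1, P_MOD) % P_MOD
    xr = (lam * lam - xp - xq) % P_MOD      # x of the third intersection
    yr = (lam * (xp - xr) - yp) % P_MOD     # mirrored y (the sign flip is the mirror)
    return (xr, yr)


def mul(k, pt):
    """k * P by double-and-add: the operation that turns a private scalar into a public point."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def point_order(pt):
    """Smallest k >= 1 with k * pt == INF (terminates because the group is finite)."""
    acc, k = pt, 1
    while acc is not INF:
        acc = add(acc, pt)
        k += 1
    return k


def group_order():
    """Count every point on the curve; feasible only because P_MOD is tiny."""
    count = 1                               # start with INF
    for x in range(P_MOD):
        rhs = (x ** 3 + A * x + B) % P_MOD
        count += sum(1 for y in range(P_MOD) if (y * y) % P_MOD == rhs)
    return count


def discrete_log(g, target):
    """Find k with k * g == target by exhaustive search. Trivial here, infeasible on a
    curve whose group order is ~2^256: that gap is what ECC's security rests on."""
    acc = INF
    for k in range(group_order() + 1):
        if acc == target:
            return k
        acc = add(acc, g)
    return None


if __name__ == "__main__":
    G = (0, 10)                             # constructed base point: 10^2 = 100 = 3 = B (mod 97)
    print("2G =", mul(2, G), " 5G =", mul(5, G))
    print("log_G(5G) =", discrete_log(G, mul(5, G)))
    print("order of (3, 6) =", point_order((3, 6)), "-> a poor choice of base point")
```

Running this shows the two things the text is building towards: adding (3, 6) and (0, 10) lands back on the curve, and recovering the scalar from k·G is a simple loop when the group is small. It also surfaces a detail worth checking when picking a base point: (3, 6) has order 5 on this toy curve, so only five distinct multiples exist and any logarithm with respect to it is found in at most five steps. Standardised curves publish a base point of large prime order for exactly this reason.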




Security job progression

So one of the first questions you might ask when seriously considering a job in the security field is: what jobs can I do, and what progression is possible?

Vulnerability scanner – This is the easiest role by far, and essentially sees you running ready-made software against the company's network in order to assess vulnerabilities and note any insecure or misconfigured/open ports.

Whilst the software does require some training, anyone who wants to can reasonably expect to learn it in a matter of weeks, which is why this role is not only in short supply but also commands a relatively low wage.

Pentesting – Penetration testing goes a step further: you can be expected to create a virtual attack within the network's environment and assess how much information can be gathered and how much damage done from these exploits.

The nice thing about pentesting careers is that there is no substitute for hard work. You may be able to secure junior positions with the ability to run other people's exploits; however, if you want to command a good wage or consider freelancing, then the ability to understand and write your own exploits is invaluable.

And whilst those skills can take many years to learn, they cannot be bought by anyone unwilling to do the work. Thus committing to learning these skills will transform you into a marketable and valuable asset with moderate power and manoeuvrability within the global job market.

Risk Analysis – You might think that, being last in the list, risk analysis would require the most commitment to learning; however, this is not really the case. Risk analysis is a separate set of skills, and not everyone has the patience to do it well.

Someone hired for the role of risk analyst/assessor is expected to perform the role of the pen-tester but also to understand every facet of company and organizational policy, needs and requirements, as well as patiently developing an exhaustive list of the findings from the various tests. They will also need to assess the risk of future attacks and implement or suggest security measures based on that probability.

Whilst you could learn risk analysis from the internet, it really needs to be consolidated in an academic/working environment, as you will be working with very clinical frameworks that require patience, attention to detail and a thorough understanding of all security threats and their respective countermeasures.

There are other jobs within the security field, such as application/mobile and national security, but this is a general career path that shows what the jobs entail as well as the amount of work needed to succeed in these roles.

Ultimately the path is not an easy one; however, you will be on the front line ensuring that companies and organizations are secure, constantly learning and growing into a true professional. With that knowledge you become one among few instead of common among many, and will earn a wage that reflects this.

So the next time you find yourself slacking off remember that the future you want depends on the work you do today.


Bring Your Own Virus

Bring your own device has been widely talked about for several years now, and its inherent dangers should be widely known. Yet, according to IT research and advisory company Gartner, 38 percent of employers expect to stop providing devices to employees by 2016 and 50 percent will demand that their employees bring their own devices by 2017 [1].

There's no denying that BYOD has its advantages: according to a Cisco study conducted in 2013, the average BYOD user saves 37 minutes per week, with the US saving an estimated 81 minutes per week [2].

However, the flip side to time saved and employee happiness is that implementing a BYOD policy opens up a whole host of attack vectors that your company is unlikely to be ready for.

One of the most prominent issues is the nature of personal devices today and the multitude of applications stored on them. If a user brings a device into work with a rogue application, knowingly or mistakenly, it is entirely possible that the data it collects could be used in an attack against the company.

Equally, the threat posed if an employee loses their device can be a major problem; without the ability to monitor the employee's use of their device, trade-ins, repairs and even casual use can all pose a threat to the integrity of company data.

Privacy is also a concern: it is not considered ethical to ensure compliance by monitoring the use of personal devices; however, it's a given that at some point at least one employee will browse malicious sites or mistakenly download a virus, and this can easily lead to holes in the company's security.

Whilst these potential pitfalls can be reduced by implementing strict download policies, monitoring or enforcing passcodes on devices, and ensuring 24/7 use of a threat and vulnerability scanner/firewall, it is imperative that companies recognize both the real cost effectiveness of implementing BYOD as well as the many avenues of attack that will be opened if BYOD is implemented without foresight.

[1] 'Gartner Predicts by 2017, Half of Employers will Require Employees to Supply Their Own Device for Work Purposes', 1 May 2013. Available from: http://www.gartner.com/newsroom/id/2466615 [Accessed 24 November 2015]

[2] Jeff Loucks, 'The Financial Impact of BYOD', 2013. Available from: https://www.cisco.com/web/about/ac79/docs/re/byod/BYOD-Economics_Econ_Analysis.pdf [Accessed 24 November 2015]