Study Notes-5
Cyber Security
• Public-Private Key Encryption
• Symmetric and Asymmetric Keys
• Digital Signatures use case and importance
• OWASP 10 Web-Security Risks
Study Notes-Cyber Security
Digital Signature
A digital signature is a special type of electronic signature used to sign and protect documents
sent online. It is considered the safest form of electronic signature compared to others. Digital
signatures follow a standard process called the public key infrastructure (PKI) protocol, which is
accepted worldwide. Because of this, they are viewed as the most secure and are legally
recognized in many countries.
Just like a handwritten signature, a digital signature is unique to each person. It ensures
"non-repudiation," meaning the signer cannot deny signing the document. Digital signatures also
show when a document was signed and can be tracked if needed. They add a layer of security
to prove that the document has not been changed since it was signed, which is crucial for
securely working with documents online.
How does a digital signature work?
A digital signature uses a process called the PKI (Public Key Infrastructure) to ensure the
security and authenticity of a document. It works through encryption to verify the sender's
identity. In PKI, two long numbers are created by a computer—called the public key and private
key. These keys work together to lock (encrypt) and unlock (decrypt) information, making sure
that only the correct person can read or sign the document.
Here’s how a digital signature process works:
   1. Mary wants to send a file to James and digitally signs it.
   2. Mary’s computer creates a hash (a unique summary) of the file.
   3. The hash is encrypted using Mary's private key, forming her digital signature.
   4. Mary sends the file with the digital signature to James.
   5. When James receives the file, his computer checks the digital signature by decrypting it
      with Mary's public key. It then calculates the hash of the original file and compares it
      with the hash received.
   6. If the hashes match, the file is verified as untampered. If they don’t match, it means the
      file has been altered.
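
The six steps above as a runnable sketch. This is an added example, not part of the original notes. It uses textbook RSA with no padding, which matches the simplified "encrypt the hash with the private key" description; deployed schemes such as RSA-PSS or ECDSA add padding and randomness. The key values, the sample contract and all function names are assumptions constructed for the illustration.

```python
import hashlib

# Constructed demo keys (assumption, not from the notes). Known Mersenne primes
# keep the example offline and stdlib-only; real keys use random secret primes
# generated by a vetted crypto library.
E = 65537                                    # public exponent

def make_key(p, q):
    """Return (n, d): public modulus and private exponent for primes p, q."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

MARY_N, MARY_D = make_key(2**521 - 1, 2**607 - 1)
OTHER_N, OTHER_D = make_key(2**1279 - 1, 2**2203 - 1)   # a signer who is not Mary

def file_hash(data):
    """Step 2: hash the file with SHA-256 and read the digest as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, d, n):
    """Step 3: apply the private key to the hash; the result is the signature."""
    return pow(file_hash(data), d, n)

def verify(data, signature, n, e=E):
    """Steps 5-6: recover the signed hash with the public key and compare it
    with a fresh hash of the file that was received."""
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == file_hash(data)

def demo():
    contract = b"Mary agrees to pay James 100 USD."   # constructed sample file
    signature = sign(contract, MARY_D, MARY_N)        # steps 1-4: Mary signs, sends
    forged = sign(contract, OTHER_D, OTHER_N)         # signed with another key
    return {                                          # James checks with Mary's public key
        "genuine": verify(contract, signature, MARY_N),
        "altered_file": verify(contract.replace(b"100", b"900"), signature, MARY_N),
        "altered_signature": verify(contract, signature ^ 1, MARY_N),
        "signed_by_other_key": verify(contract, forged, MARY_N),
    }

if __name__ == "__main__":
    print(demo())
```

Only the unmodified file with Mary's own signature verifies; a changed file, a changed signature, or a signature made with a different private key is rejected.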
What are the benefits of using a digital signature?
A digital signature offers many advantages in handling documents and is more efficient than
traditional signatures. Here are some key benefits:
   1. Highly trusted and legally compliant
      When someone digitally signs a document, they must provide specific credentials that
      are unique to them. This confirms the signer’s identity and shows their clear consent to
      the signature. Since no one else has these credentials, digital signatures are highly
      trusted and legally valid in many countries, serving as proof of identity and consent.
   2. High security and protection
      A digital signature creates a secure audit trail, which tracks any changes to the
      document. It locks (or encrypts) the document, ensuring that it cannot be altered after
      signing. If there are any changes, the recipient will be alerted, ensuring the document’s
      authenticity and protecting both the sender and receiver.
   3. Time-saving and cost-effective
      Digital signatures are done entirely online, eliminating the need for physical copies of
      documents. This saves time by avoiding printing, scheduling in-person meetings, and
      mailing documents. It also reduces costs associated with paper, travel, and the potential
      for human error when handling physical documents.
Use cases for digital signatures
Digital signatures are widely used by businesses to streamline their processes and secure
important online documents, especially for critical transactions. Some common examples
include:
   1. Contracts and legal documents
      Many countries consider digital signatures legally binding, making them ideal for
      contracts and legal documents. They ensure that signatures are authenticated, and the
      document remains unchanged after signing.
   2. Sales agreements
      Digital signatures protect both buyers and sellers by verifying their identities and making
      sure that the signed agreements are legally binding. It also ensures that the terms and
      conditions can’t be changed by third parties.
   3. Banking and financial documents
      Companies can digitally sign invoices and send them to customers securely. This ensures
      that customers are dealing with the legitimate seller, reducing the risk of fraud or
      scams.
   4. Healthcare data
      Protecting patient records and research data is crucial in healthcare. Digital signatures
       secure sensitive information and ensure it isn’t altered during sharing between
       authorized parties.
    5. Government documents
       Government agencies must follow strict regulations when handling data. Digital
       signatures help ensure that only authorized people can approve documents, while
       preventing any unauthorized changes.
    6. Shipping documents
       Manufacturers can digitally sign shipping documents, making them easier to access and
       more secure. This reduces costly shipping errors caused by incorrect or tampered cargo
       documents compared to traditional physical copies.
Public-Private Key Encryption
Public-private key encryption is a cryptographic method that uses two interconnected keys to secure
important data. One key, the public key, is accessible to everyone, while the other, the private key, is
kept secret by its owner. These two unique keys work together to protect digital information from
unauthorized access.
In public-private key cryptography, the public and private keys work together to secure data.
The public key, which anyone can access, is used to encrypt a message. However, only the
owner of the matching private key can decrypt it.
Think of the public key like a business address—it’s available to everyone, and anyone can use it
to send a message. In asymmetric encryption, once a sender has the public key, they use it to
lock (encrypt) their message.
The private key, on the other hand, is like the key to the front door of the business. Only the
owner has it, and it’s used to unlock (decrypt) the message. This ensures that only the intended
recipient can access the encrypted information.
Public and private keys are created using large prime numbers that are mathematically
connected. This connection means that anything encrypted with the public key can only be
decrypted by the matching private key.
However, you can't figure out the private key just by knowing the public key. This makes it safe
to share the public key with anyone, while the private key remains private and is only known to
the owner.
How Public-Private Key Cryptography Works
Here’s an easy example of how public and private keys work together:
Bob wants to send an encrypted email to Alice. He uses Alice’s public key (which anyone can
access) to encrypt the message. When Alice receives the email, she uses her private key (known
only to her) to decrypt and read Bob’s message.
Even if attackers try to hack the server and steal the encrypted message, they won’t be able to
read it because they don’t have Alice’s private key. Only Alice can decrypt and access the
message. When Alice replies, she uses Bob’s public key to encrypt her message, and Bob will
use his private key to decrypt it.
There are several common mathematical methods used to create public and private keys. Some
of the well-known algorithms include:
   1. Rivest-Shamir-Adleman (RSA): The oldest public-private key system, commonly used to
      share keys for symmetric encryption.
   2. Digital Signature Standard (DSS): A standard by NIST that defines the algorithms used to
      generate digital signatures.
   3. Elliptic Curve Cryptography (ECC): This method uses elliptic curves to create keys and is
      often used for digital signatures and key agreements. PreVeil, for example, uses ECC's
      Curve-25519 and NIST P-256.
Open Worldwide Application Security Project (OWASP)
The Open Worldwide Application Security Project (OWASP) is a nonprofit organization focused on
enhancing software security. It follows an “open community” model, allowing anyone to get involved
and contribute to discussions, projects, and other activities related to OWASP. From online tools and
videos to forums and events, OWASP ensures that all its resources are free and easily accessible through
its website.
   1. Broken Access Control (A01:2021)
      Earlier ranked fifth, broken access control has now risen to the top position for 2021.
      This vulnerability enables an attacker to access user accounts, either as a regular user or
      as an administrator.
Example: An application permits changes to a primary key. If someone changes this key to point
to another user’s record, they can then view or alter that user’s account.
   2. Cryptographic Failures (A02:2021)
      Previously ranked third and known as sensitive data exposure, this item has been
      renamed to cryptographic failures to better highlight it as a root cause rather than just a
      symptom. Cryptographic failures happen when critical data that is stored or transmitted
      (like a social security number) is compromised.
Example: A financial institution does not sufficiently safeguard its sensitive data, making it
vulnerable to credit card fraud and identity theft.
   3. Injection (A03:2021)
      Injection has dropped from the top spot to third place, with cross-site scripting now
      classified under this category. Essentially, a code injection happens when an attacker
      sends invalid data into a web application, causing it to perform actions it wasn’t
      intended to do.
Example: An application incorporates untrusted data when creating a vulnerable SQL call.
   4. Insecure Design (A04:2021)
      Insecure design is a new category introduced in 2021 that addresses risks linked to
      design flaws. As organizations increasingly adopt a "shift left" approach, relying solely
      on threat modeling, secure design patterns, and reference architectures is insufficient.
Example: A movie theater chain offers group booking discounts that require a deposit for
groups larger than 15. Attackers may analyze this system to try booking hundreds of seats
across different theaters in the chain, leading to significant financial losses.
   5. Security Misconfiguration (A05:2021)
      The previous category for external entities has been integrated into this risk category,
      which has risen from its former position at number 6. Security misconfigurations refer to
      design or configuration weaknesses that arise from errors or shortcomings in the setup.
Example: A system still has a default account with its original password active, leaving it open
to exploitation.
   6. Vulnerable and Outdated Components (A06:2021)
      This category has risen from number 9 and addresses components that present both
      known and potential security risks, rather than focusing only on the known ones.
      Components with known vulnerabilities, such as CVEs, need to be identified and
      patched, while outdated or malicious components should be assessed for their reliability
      and the risks they may pose.
Example: A development team might not be fully aware of all the components included in their
application due to the large number used, which could lead to some components being
outdated and vulnerable to attacks.
   7. Identification and Authentication Failures (A07:2021)
      Formerly called broken authentication, this category has dropped from number 2 and
      now encompasses CWEs associated with identification failures. When authentication
      and session management functions are improperly implemented, they can enable
      attackers to access passwords, credentials, and sessions, resulting in stolen user
      identities and more.
Example: A web application permits the use of weak or easily guessable passwords, such as
"password1."
   8. Software and Data Integrity Failures (A08:2021)
      This is a new category introduced in 2021 that emphasizes the importance of verifying
      the integrity of software updates, critical data, and CI/CD pipelines. It also includes
      insecure deserialization, which is a flaw that lets an attacker execute code remotely
      within the system.
Example: An application deserializes malicious objects provided by an attacker, making it
vulnerable to exploitation.
   9. Security Logging and Monitoring Failures (A09:2021)
      Previously called insufficient logging and monitoring, this category has risen from
      number 10 and now covers a broader range of failures. Regular logging and monitoring
      are essential for a website; failing to implement these measures increases the risk of
      serious security breaches.
Example: Important events that should be recorded, such as logins, failed login attempts, and
other significant activities, are not logged, which puts the application at risk.
   10. Server-Side Request Forgery (A10:2021)
       This is a new category introduced in 2021. A server-side request forgery (SSRF) occurs
       when a web application retrieves a remote resource without checking the user-provided
       URL. This flaw allows an attacker to trick the application into sending a request to an
       unintended destination, even if the system has protections like firewalls, VPNs, or
       additional network controls. The frequency and severity of SSRF attacks are rising due to
       the prevalence of cloud services and the growing complexity of network architectures.
Example: In an unsegmented network setup, attackers can use the response times or
connection results to manipulate SSRF payload connections, helping them to map internal
networks and identify whether ports on internal servers are open or closed.