
Abstract


Introduction

The widespread introduction of automated control systems (ACS) demands closer attention to protecting both the information technologies and the information used directly to automate management. Every year the Admissions Committee of DonNTU organizes the receipt of documents from applicants to the university.

An ACS makes management more efficient and saves time and labor when applicants submit their documents, which significantly affects the effectiveness of the admissions committee.

Distortion, falsification, destruction or disclosure of even part of the information, as well as disruption of its processing and transmission in information management systems, causes serious material and moral damage.

There is a need for confidential and personal information to be easily accessible to the user and at the same time reliably protected.

1. Relevance of the topic

The relevance of the problem of protecting ACS in modern conditions is determined by the following factors:

2. The purpose and objectives of the study

The aim of the master's dissertation is to research and develop effective solutions for protecting information in the automated control system of the DonNTU Admissions Committee, including encryption of personal data, authentication, and differentiation of employees' access rights to confidential information.

The created solution should ensure the protection of personal data from reading and unauthorized access within one organization, and the selected encryption method should have a high speed and a high degree of protection.

To achieve this goal, the following tasks must be completed:

  1. ACS architecture review;
  2. Analysis of existing databases;
  3. Analysis of existing encryption algorithms;
  4. Development of models, methods and algorithms for information protection in the ACS of the admissions committee.

The expected novelty of this work is the development of a new algorithm for the secure transmission of information, intended for use in the ACS of the DonNTU admissions committee, which will eliminate some vulnerabilities and disadvantages of existing solutions.

Planned results: it is planned to design and implement a new algorithm for the secure transmission of information in the ACS of the DonNTU admissions committee, based on an analysis of the algorithms currently in use, and to implement a test system that uses the developed algorithm.

3. ACS architecture review

The software complex of the DonNTU Admissions Committee is a system that automates the work of operators, members of the admissions committee, representatives of the deans' offices and other university services during the admission campaign. It is built on a client-server architecture. Client-server is a computing or network architecture in which tasks or network load are distributed between service providers, called servers, and service customers, called clients [1]. A client's access to network services is characterized by the concept of thickness, which determines the hardware configuration and software available to the client. For the tasks facing the software complex of the admissions committee, the advantages of a thin client over a thick one are the more significant [2]. A thin client needs only a computer with a browser, in whose window the work with the web application is carried out. In its most general form, the request-response process consists of a request from a browser to a web server to send it a web page, and the fulfillment of that request [3]. For this reason the browser is often called the universal client. The main language of the web client is HTML in combination with CSS and JavaScript. The server logic, which generates the necessary HTML and processes the data, is written in the PHP scripting language. Protecting data in transit between the client and the server requires security at the transport level, which usually includes HTTPS, TLS and SSL.

The main objectives of protective measures [4]:

The database management system was selected in accordance with the criteria for organizing storage and work with data about applicants, namely:

  1. The ability to store a set of several objects in a table cell;
  2. The ability to organize procedures performed at the server level to minimize the time it takes to execute database queries;
  3. Due to the critical importance of stored information, the need to ensure maximum data protection;
  4. Providing differentiation of access to tables for different users;
  5. The ability to create a code that will be called automatically by the DBMS in response to certain events;
  6. The ability to store a selection of multiple tables as a virtual table.

After analyzing the five most popular DBMS according to the DB-Engines ranking, we can conclude that the requirements for the DBMS of the software complex of the Admissions Committee are most fully satisfied by two of them: Oracle and PostgreSQL. However, PostgreSQL has one significant advantage: PostgreSQL Pro is certified by the FSTEC of Russia [5].

4. Analysis of existing encryption algorithms

Cryptography is a science whose purpose is to ensure the confidentiality and integrity of information. Encryption is the process of converting open information into encrypted information (a ciphertext, or cryptogram), and vice versa [6]. Plaintext is the original text or message that is sent to the recipient. Ciphertext is the encrypted text, which cannot be decrypted without a secret key. Plaintext is converted to ciphertext by the mathematical calculations defined in the algorithm. The secret keys for encrypting and decrypting messages can be either the same or different. The process of breaking ciphertext is known as cryptanalysis.

There are three main types of encryption algorithms:

  1. Symmetrical;
  2. Asymmetric;
  3. Hash functions.

Information confidentiality is ensured by symmetric and asymmetric encryption algorithms. The integrity of the information and the authenticity of the parties are achieved using hash functions.

Symmetric algorithms are encryption algorithms in which the encryption key can be calculated from the decryption key and vice versa. The security of a symmetric algorithm is determined by the key: disclosure of the key means that anyone can encrypt and decrypt messages. Symmetric algorithms are divided into two groups: stream and block.

Figure 1 - Symmetric encryption scheme

The main purpose of symmetric algorithms is to encrypt large amounts of data at high speed. Symmetric Ciphers:

In asymmetric algorithms, the key used for encryption is different from the decryption key, and the decryption key cannot be calculated from the encryption key. The public key is used by the sender to encrypt data and can be freely distributed, while the private key is secret and is needed for decryption. The main purpose of asymmetric encryption algorithms is to ensure the effective functioning of modern cryptosystems. For example, they are used to exchange keys and verify their authenticity. Asymmetric Ciphers:

A cryptographic hash function is a function defined on bit strings of arbitrary length with values in bit strings of fixed length [7]. There are two types of cryptographic hash functions: keyed and keyless. Keyed hash functions make it possible, without additional tools, to guarantee both the correctness of the data source and the integrity of the data in systems whose users trust each other. Keyless hash functions are called error detection codes. They make it possible to guarantee data integrity with the help of additional means (encryption, for example). These hash functions can be used in systems with both trusting and non-trusting users.

The most common hash functions used in user password protection systems are the following algorithms:

The best effect is achieved with a combination of different types of encryption. For example, SSL uses both asymmetric and symmetric cryptography. By means of an asymmetric algorithm, mutual authentication of the client and server occurs and a session key is sent for symmetric encryption, after which data is exchanged according to the symmetric algorithm.


Figure 2 - The principle of operation of the SSL protocol
(animation: 50 frames, 5 cycles of repetition, 52 kilobytes)

5. Cryptographic attack analysis

Cryptanalysis is the science of recovering plaintext without the key. Successful cryptanalysis can reveal the plaintext or the key. It can also detect weaknesses in cryptosystems, which ultimately leads to the same result [8]. Having analyzed the various types of encryption, one should also consider the various types of cryptographic attacks. Examples of cryptographic attacks:

  1. Brute-force attack - breaking the password by trying every possible key. Its distinguishing feature is that it can be used against any cipher in practical use [9]. The method is impractical against modern encryption systems, since it would require unrealistic amounts of time and resources.
  2. Timing attack - based on the assumption that different operations take different amounts of time depending on the input data. By measuring computation time and analyzing the measurements statistically, an attacker can obtain complete information about the secret key. The most effective countermeasure against this type of attack is to make time measurements so inaccurate that the attack becomes ineffective. For example, the program code can insert time delays of random length.
  3. Ciphertext-only attack - the attacker knows only a number of encrypted messages that were produced with the same encryption algorithm. The attacker's task is to determine the key, which can then be used to decrypt all messages. This corresponds to the model of an external intruder who has physical access to the communication line but not to the encryption equipment.
  4. Known-plaintext attack - the attacker knows some fragments of plaintext and of encrypted text, from which the key is calculated using reverse engineering. This cryptanalysis method was effective against simple ciphers, such as the substitution cipher, but it is ineffective for breaking modern ciphers.
  5. Man-in-the-middle attack - a type of attack in which the attacker connects to the data channel and thereby violates the cryptographic protocol [10]. The attacker can actively interfere with the transmission algorithm and impersonate one of the recipients [11]. Correctly configured encryption protocols, such as SSL/TLS, are a way to protect against this type of attack.
  6. Replay attack - a type of network attack in which an attacker captures some information (for example, authentication information) and retransmits it to the recipient. This allows the attacker to use unchanging information, such as a password, to pass as authentic. The main idea in protecting against replay attacks is that each authentication session should use unique parameters (a timestamp and key lifetime, or a randomly generated number).
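The replay protection from item 6, shown as an added Python example that is not part of the original work: each request carries a timestamp and a random number bound to the payload by a keyed hash (HMAC-SHA-256), and the server rejects anything stale or already seen. The names `sign_request` and `ReplayGuard` and the 30-second validity window are assumptions of this example; the MAC check uses a comparison whose running time does not depend on the data, which is relevant to item 2.

```python
import hashlib
import hmac
import secrets
import time

MAX_AGE = 30  # seconds a message stays valid (assumed policy value)


def sign_request(key: bytes, payload: bytes, now=None) -> dict:
    """Client side: attach a timestamp, a random nonce and a keyed hash."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    mac = hmac.new(key, f"{ts}|{nonce}|".encode() + payload, hashlib.sha256)
    return {"ts": ts, "nonce": nonce, "payload": payload, "mac": mac.hexdigest()}


class ReplayGuard:
    """Server side: check the keyed hash, then freshness, then nonce uniqueness."""

    def __init__(self, key: bytes):
        self._key = key
        self._seen = {}  # nonce -> timestamp, kept only while the message is fresh

    def accept(self, msg: dict, now=None) -> str:
        now = int(time.time() if now is None else now)
        data = f"{msg['ts']}|{msg['nonce']}|".encode() + msg["payload"]
        expected = hmac.new(self._key, data, hashlib.sha256).hexdigest()
        # compare_digest takes the same time wherever the strings differ,
        # so the check gives no timing signal about the correct MAC.
        if not hmac.compare_digest(expected, msg["mac"]):
            return "bad-mac"
        if abs(now - msg["ts"]) > MAX_AGE:
            return "stale"
        # Forget nonces whose messages would be rejected as stale anyway.
        self._seen = {n: t for n, t in self._seen.items() if now - t <= MAX_AGE}
        if msg["nonce"] in self._seen:
            return "replay"
        self._seen[msg["nonce"]] = msg["ts"]
        return "ok"
```

Because the timestamp and nonce are covered by the keyed hash, an attacker who captures a request cannot refresh either value without knowing the key.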

Conclusion

The analysis allows us to conclude that the security issues of the ACS of the admissions committee are of paramount importance and should be carefully considered. Modern encryption tools are capable of providing fairly reliable protection, but they must be used as part of an integrated approach to information protection. An adequate measure of encryption is also important, which means choosing an unobtrusive, fast algorithm without objective risks of data disclosure. At the same time, modern algorithms can be improved to enhance their resistance to possible attacks.

Improving existing methods of information protection will increase the overall reliability of ACS, eliminate existing vulnerabilities and ensure a secure exchange of information.

References

  1. Бройдо, В. Л. Вычислительные системы, сети и телекоммуникации / В.Л. Бройдо, О.П. Ильина. - М.: Питер, 2016. - 560 c.
  2. Исаков А.Ю., Чередникова О.Ю., Щедрин С.В., Ногтев Е.А. Технологии клиент-серверного взаимодействия в АСУ приемной комиссии ДонНТУ [Электронный ресурс] / А.Ю. Исаков, О.Ю. Чередникова, С.В. Щедрин, Е.А. Ногтев // 69-я МЕЖДУНАРОДНАЯ СТУДЕНЧЕСКАЯ НАУЧНО-ТЕХНИЧЕСКАЯ КОНФЕРЕНЦИЯ (Астрахань, 15–19 апреля 2019 года) : материалы (тез. докл., сб. ст.). – Астрахань : Изд-во АГТУ, год. – Режим доступа : 1 CD-диск. – № гос. 0321902694
  3. Никсон, Р. Создаем динамические веб-сайты с помощью PHP, MySQL, JavaScript, CSS и HTML5 / Р. Никсон. - М.: Питер, 2017. - 698 c.
  4. Книга Безопасность в PHP (часть 4). Недостаток безопасности на транспортном уровне (HTTPS, TLS и SSL) // Хабрахабр. [Электронный ресурс]. – Режим доступа:https://habr.com/...
  5. Чередникова О.Ю., Щедрин С.В., Ногтев Е.А., Исаков А.Ю. (Донецк, ДонНТУ) ВЫБОР СИСТЕМЫ УПРАВЛЕНИЯ БАЗАМИ ДАННЫХ ДЛЯ ПРОГРАММНОГО КОМПЛЕКСА ПРИЕМНОЙ КОМИССИИ ДОННТУ // Программная инженерия: методы и технологии разработки информационновычислительных систем (ПИИВС-2018): сборник научных трудов II Международной научно-практической конференции, Том. 1. 14-18 ноября 2018 г. – Донецк, ГОУВПО Донецкий национальный технический университет, 2018. — с.120–126.
  6. Панасенко С.П. Алгоритмы шифрования [Текст]/ С.П. Панасенко. – Спб.: БХВ-Петербург, 2009. – 576 с.
  7. Смарт, Н. Криптография / Н. Смарт. - М.: Техносфера, 2015. - 528 c.
  8. Брюс Шнайер Прикладная криптография. Протоколы, алгоритмы и исходный код на C / Брюс Шнайер. - М.: Вильямс, 2016. - 842 c.
  9. Preneel B. Understanding cryptography: a textbook for students and practitioners / B. Preneel, C. Paar, J. Pelzl. — Springer, 2010. — P. 1292.
  10. Тилборг, Х. К. ван А. ван Тилборг Основы криптологии. Профессиональное руководство и интерактивный учебник (+ CD-ROM) / Х. К. Тилборг А. ван ван Тилборг. - М.: Мир, 2006. - 472 c.
  11. Брассар, Ж. Современная криптология. Руководство. / Ж. Брассар. - М.: Полимед, 1999. - 176 с.