Pengenalan Keamanan Informasi

II3230 – Keamanan Informasi

Sem 1 2023/2024
[email protected]
Full Credits
- This slides are adapted from:

Pengenalan
Keamanan Informasi
II3230 – Keamanan Informasi
Sekolah Teknik Elektro dan Informatika, Institut Teknologi Bandung
Budi Rahardjo
2020
 Course Arrangement
▪ II3230 – Keamanan Informasi
▪ 3 SKS
▪ Pengampu
▪ Yudistira Asnar ([email protected])
▪ Yusuf Kurniawan ([email protected])
▪ Moda komunikasi
▪ MS Team/Edunex
▪ Jadwal
▪ Rabu 08.00-10.00
▪ Jumat 08.00-09.00
2/22/2024 II3230 - Keamanan Informasi - Budi Rahardjo (c) 3
 Definition
Information Security (ISO 27000-series 2018)
▪ Preservation of confidentiality, integrity and availability of
information
▪ Note : In addition, other properties, such as authenticity,
accountability, non-repudiation, and reliability can also be
involved.

2/22/2024 II3230 - Keamanan Informasi - Budi Rahardjo (c) 4

 Pemanfaatan Teknologi Informasi

2/22/2024 II3230 - Keamanan Informasi - Budi Rahardjo (c) 5

 Jumlah itu meningkat 6,78%
dibandingkan pada periode sebelumnya
yang sebesar 196,7 juta orang. Hal itu
pun membuat tingkat penetrasi internet di
Indonesia menjadi sebesar 77,02%
(210,03 juta orang).
https://dataindonesia.id/digital/detail/apj
ii-pengguna-internet-indonesia-tembus-
210-juta-pada-2022

Hootsuite/We are Social ©

2/22/2024 II3230 - Keamanan Informasi 6

2022 Keamanan Informasi 7
2022 Keamanan Informasi 8
 Pemanfaatan Teknologi Informasi
▪ Ojek online: Gojek, Grab, Uber, {berbagai layanan ojek lokal}
▪ Fintech: Gopay, Ovo, Dana, Jenius, ...
▪ E-commerce: Tokopedia, Shopee, Bukalapak, Blibli, Blanja.com,
Lazada, ...
▪ Travel: Traveloka, Tiket.com, ...
▪ Komunikasi: WhatsApp, Telegram, ...
▪ Media Sosial: Instagram, Facebook, Twitter, ...

2/22/2024 II3230 - Keamanan Informasi - Budi Rahardjo (c) 9

2022 Keamanan Informasi 10
 NFT

2022 Keamanan Informasi 11

 Contoh Kasus Ke(tidak)amanan
di Indonesia

2/22/2024 II3230 - Keamanan Informasi - Budi Rahardjo (c) 12

 https://www.bleepingcomputer.com/news/security/millions-of-
lion-air-passenger-records-exposed-and-exchanged-on-forums/

2/22/2024 II3230 - Keamanan Informasi - Budi Rahardjo (c) 13

 https://www.cnbcindonesia.com/tech/20190911114223-37-
98591/lewat-aplikasi-kudo-mahasiswa-bobol-bank-bumn-rp-16-
miliar

2/22/2024 II3230 - Keamanan Informasi - Budi Rahardjo (c) 14

 https://regional.kompas.com/read/2021/12/07/070023178/fakt
a-lengkap-sindikat-hacker-kartu-prakerja-fiktif-bobol-12-juta-data-
bpjs

2/22/2024 II3230 - Keamanan Informasi 15

2022 Keamanan Informasi 16
2022 Keamanan Informasi 17
2022 Keamanan Informasi 18
 Kebocoran data PLN, Indihome(?), BIN

2022 Keamanan Informasi 19

2/22/2024 II3230 - Keamanan Informasi - Budi Rahardjo (c) 20
2/22/2024 II3230 - Keamanan Informasi - Budi Rahardjo (c) 21
 Log4J Security Holes (December 2021)
▪ Popular library for logging in Java language
▪ Developed by Apache Software Foundation
https://logging.apache.org/log4j/2.x/
▪ Used by many Java libraries / packages
▪ More than 60% use Log4J indirectly
▪ Security case: Remote Code Execution (RCE)
▪ Can be used to insert code to servers and access those servers from remote
▪ CVSS scale: 10
▪ CVE-2021-44228
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
▪ CVE-2021-44228, CVE-2021-45105
▪ Log4J Vulnerability (Log4Shell) Explained - for Java developers
https://www.youtube.com/watch?v=uyq8yxWO1ls

2022 Keamanan Informasi 22

2022 Keamanan Informasi 23
2022 Keamanan Informasi 24
2022 Keamanan Informasi 25
https://www.youtube.com/watch?v=O5NuADuyq6M https://www.youtube.com/watch?v=b_uXaFqub_k

2022 Keamanan Informasi 26

 Kasus di Luar Negeri?

2/22/2024 II3230 - Keamanan Informasi - Budi Rahardjo (c) 27

 500 million Starwood guest records stolen in
massive data breach
Starwood Hotels has confirmed its hotel guest database of about 500 million customers has
been stolen in a data breach.
The hotel and resorts giant said in a statement filed with U.S. regulators that the “unauthorized
access” to its guest database was detected on or before September 10 — but may date back as
far as 2014.
“Marriott learned during the investigation that there had been unauthorized access to the
Starwood network since 2014,” said the statement. “Marriott recently discovered that an
unauthorized party had copied and encrypted information, and took steps towards removing it.”
Specific details of the breach remain unknown. We’ve contacted Starwood for more and will
update when we hear back.
The company said that it obtained and decrypted the database on November 19 and “determined
that the contents were from the Starwood guest reservation database.”
Some 327 million records contained a guest’s name, postal address, phone number, date of birth,
gender, email address, passport number, Starwood’s rewards information (including points and
balance), arrival and departure information, reservation date and their communication
preferences
https://techcrunch.com/2018/11/30/starwood-hotels-says-500-million-guest-records-stolen-in-massive-data-
breach/
https://www.csoonline.com/article/3441220/marriott-data-breach-faq-how-did-it-happen-and-what-was-the-
2/22/2024 II3230 - Keamanan Informasi - Budi Rahardjo (c) 28
 1.5 million affected by hack targeting Singapore’s
health data
▪ Singapore has been hit by what local media is calling the country’s “worst” cyber attack. Hackers
targeting Singapore’s largest health care institution, SingHealth, stole the personal profiles of some 1.5
million patients along with the details of prescriptions for 160,000 others. Included in the latter group
was Singapore’s prime minister, Lee Hsien Loong, who the Ministry of Health said was targeted
“specifically and repeatedly.”

▪ The attacks were outlined in a government briefing this morning, which stated that the hack was “not
the work of casual hackers or criminal gangs.” It’s not yet known who was behind the attack, but local
media reports that it’s believed to be state-sponsored. “This was a deliberate, targeted, and well-
planned cyberattack,” said the Singapore government.
▪ "“Perhaps they were hunting for some dark state secret”"

▪ Prime Minister Lee expanded on this in a Facebook post, saying: “I don’t know what the attackers were
hoping to find. Perhaps they were hunting for some dark state secret, or at least something to
embarrass me. If so, they would have been disappointed. My medication data is not something I would
ordinarily tell people about, but there is nothing alarming in it.” He added that whoever the hackers
were, they were “extremely skilled and determined” and had “huge resources” behind them.
https://www.theverge.com/2018/7/20/17594578/singapore-health-data-hack-sing-health-prime-minister-lee-targeted
2/22/2024 II3230 - Keamanan Informasi - Budi Rahardjo (c) 29
 WannaCry Ransomware (Mei 2017)

https://en.wikipedia.org/w/index.php?curid=54032765
2/22/2024 II3230 - Keamanan Informasi - Budi Rahardjo (c) 30
 DNS DDos Attack

https://www.secureworks.com/blog/dns-amplification-variation-used-in-recent-ddos-attacks-update
2/22/2024 II3230 - Keamanan Informasi - Budi Rahardjo (c) 31
 Masalah di (2014)
▪ bash bug
▪ heartbleed

2/22/2024 II3230 - Keamanan Informasi - Budi Rahardjo (c) 32

 Mengapa Sekarang Banyak
Masalah Keamanan Informasi?

2/22/2024 II3230 - Keamanan Informasi - Budi Rahardjo (c) 33

 Mengapa

2/22/2024 II3230 - Keamanan Informasi - Budi Rahardjo (c) 34

 Beberapa Sebab Akar Masalah
Keamanan Informasi?

2/22/2024 II3230 - Keamanan Informasi - Budi Rahardjo (c) 35

 Root Cause

2/22/2024 II3230 - Keamanan Informasi - Budi Rahardjo (c) 36

Mungkinkah Aman?
▪ Sulit (tidak mungkin?) untuk mencapai 100% aman
▪ Spafford & Garfinkel, “Practical UNIX & Internet Security”:

A computer is secure if you can depend on it

and its software to behave as you expect

▪ Keamanan dikaitkan dengan risiko (yang siap diterima)

2/22/2024 II3230 - Keamanan Informasi - Budi Rahardjo (c) 37

 Keamanan vs. Kenyamanan
▪ Semakin aman (biasanya) semakin tidak nyaman
▪ Ada juga masalah keamanan vs. kinerja (performance)
▪ Pengamanan (misal menggunakan kriptografi) membutuhkan
komputasi yang tinggi
▪ Layanan terasa lebih lambat

2/22/2024 II3230 - Keamanan Informasi - Budi Rahardjo (c) 38

 Security Life Cycle

Crowther, K. G., & Rust, B. (2020). Built-In Cybersecurity: Insights Into Product Security
for Cyberphysical Systems at a Large Company. IEEE Security & Privacy, 18(5), 74–79.
2/22/2024 II3230 - Keamanan Informasi 39
 Beberapa Sebab Masalah
Keamanan Informasi Menjadi
“Populer”

2/22/2024 II3230 - Keamanan Informasi - Budi Rahardjo (c) 40

 Meningkatnya Aplikasi Bisnis di Internet
▪ Internet mulai dibuka untuk publik tahun 1995
▪ Electronic commerce (e-commerce) mulai terjadi
▪ Statistik e-commerce yang meningkat
▪ Semakin banyak yang terhubung ke internet, semakin banyak
potensi untuk mendapatkan keuntungan (finansial)

2/22/2024 II3230 - Keamanan Informasi - Budi Rahardjo (c) 41

 Desentralisasi Server
▪ Terkait dengan langkanya SDM yang handal
▪ Lebih banyak server yang harus ditangani dan butuh lebih
banyak SDM dan tersebar di berbagai lokasi. Padahal susah
mencari SDM
▪ Server remote seringkali tidak terurus
▪ Serangan terhadap server remote lebih susah ditangani (berebut
akses dan bandwidth dengan penyerang)

2/22/2024 II3230 - Keamanan Informasi - Budi Rahardjo (c) 42

 Transisi dari Single Vendor ke Multi Vendor
▪ Banyak jenis perangkat dari berbagai vendor yang harus
dipelajari. Contoh:
▪ Router: Cisco, Juniper, Mikrotik, Bay Networks, Nortel, 3Com,
Linux/BSD-based router, ...
▪ Server: Windows Server, (berbagai variasi) Linux, SCO UNIX,
*BSD, Sun Solaris, AIX, HP-UX, …
▪ Mencari satu orang yang menguasai semuanya sangat sulit.
Apalagi jika dibutuhkan SDM yang lebih banyak

2/22/2024 II3230 - Keamanan Informasi - Budi Rahardjo (c) 43

 Keamanan vs. Kenyamanan
▪ Semakin aman (biasanya) semakin tidak nyaman
▪ Ada juga masalah keamanan vs. kinerja (performance)
▪ Pengamanan (misal menggunakan kriptografi) membutuhkan
komputasi yang tinggi
▪ Layanan terasa lebih lambat

2/22/2024 II3230 - Keamanan Informasi - Budi Rahardjo (c) 44

 Pemakai makin melek teknologi dan kemudahan
mendapatkan software
▪ Ada kesempatan untuk
menjajal. Tinggal download
software dari Internet (script
kiddies)
▪ Sistem administrator harus
selangkah di depan

2/22/2024 II3230 - Keamanan Informasi - Budi Rahardjo (c) 45

 Kesulitan Penegakan Hukum
▪ Cyberlaw masih “tertinggal”
▪ Tingkat awareness masih belum memadai
▪ Kemampuan teknis masih belum optimal
▪ Perubahan teknologi yang terlalu cepat

2/22/2024 II3230 - Keamanan Informasi - Budi Rahardjo (c) 46

 Meningkatnya kompleksitas sistem
(teknis & bisnis)
▪ Program menjadi semakin besar. Kilo bytes, Mega bytes. Giga
bytes. Tera bytes ...
▪ Pola bisnis berubah: partners, alliance, inhouse development,
outsource, …
▪ Potensi lubang keamanan juga semakin besar

2/22/2024 II3230 - Keamanan Informasi - Budi Rahardjo (c) 47

 Contoh Peningkatan
Kompleksitas Operating System Year Lines Of Codes

▪ Lines of Code Windows 3.1 1990 3 milion

▪ Trennya akan makin terus Windows NT 1996 4 milion

naik
Windows 95 1997 15 milion

Windows NT 4.0 1998 16.5 milion

▪ Dahulu programmer dibayar Windows 98 1999 18 milion

berdasarkan jumlah baris Windows NT 5.0/2K

beta
2000 20 milion

kode Debian GNU/Linux 2.2 2000 55 milion

▪ Semakin banyak jumlah baris:
▪ makin meningkat potensi Windows 2000 2000 35 milion

lubang keamanan
Windows XP 2001 40 milion

Red Hat 7.1 2007 50 milion

▪ makin banyak insiden Windows Vista 2007 50 milion

2/22/2024 II3230 - Keamanan Informasi - Budi Rahardjo (c) 48

 Vulnerability, Threat, Attack, and Control
▪ A vulnerability is a weakness in the security system
▪ A threat to a computing system is a set of circumstances that
has the potential to cause loss or harm
▪ A human who exploits a vulnerability perpetrates an attack on
the system
▪ We use a control as a protective measure

2/22/2024 II3230 - Keamanan Informasi 49

 Vulnerability, Threat, Attack, and Control

2/22/2024 II3230 - Keamanan Informasi 50

 Penutup
▪ Masalah keamanan akan tetap muncul dengan pola baru
▪ Masalah keamanan tetap menjadi prioritas
▪ Keamanan (security) merupakan sebuah proses

2/22/2024 II3230 - Keamanan Informasi - Budi Rahardjo (c) 51

Konsep Keamanan Informasi
II3230 – Keamanan Informasi
Sem 1 2023/2024
[email protected]
Full Credits
- This slides are adapted from:

Pengenalan
Keamanan Informasi
II3230 – Keamanan Informasi
Sekolah Teknik Elektro dan Informatika, Institut Teknologi Bandung
Budi Rahardjo
2020
 Enterprise Architecture

Organization

People Software System

Procedure Application
Framework Information
Software
Infrastructure
Policy Database
Engine
Computer Network
Data Process
External
Engine
Control

2/22/2024 II3230 - Keamanan Informasi 3

 Jenis Keamanan Informasi

2/22/2024 II3230 - Keamanan Informasi 4

 Klasifikasi Keamanan Sistem Informasi
(David Icove)

Fisik (physical security)

Manusia (people /
personel security)

Kebijakan dan prosedur

(policy and procedure)

Teknologi (Data, media,

software,teknik komunikasi)

2/22/2024 II3230 - Keamanan Informasi – Budi Rahardjo (c) 5

 Defense in Depth Strategy
• Data. An attacker’s ultimate target, including your
databases, Active Directory service information, documents,
and so on.
• Application. The software that manipulates the data that is
the ultimate target of attack.
• Host. The computers that are running the applications.
• Internal Network. The network in the corporate IT
infrastructure.
• Perimeter. The network that connects the corporate IT
infrastructure to another network, such as to external users,
partners, or the Internet.
• Physical. The tangible aspects in computing: the server
computers, hard disks, network switches, power, and so on.
• Policies, Procedures, Awareness. The overall governing http://technet.microsoft.com/en-us/library/cc512681.aspx
principles of the security strategy of any organization.
Without this layer, the entire strategy fails.

2/22/2024 II3230 - Keamanan Informasi 6

 Type of Information Security
▪ Data Security – protecting data from unauthorized access and
loss
▪ Application/Software Security – protecting the application (inc.
data that its managed) from hijacked, stolen, and misused
▪ Computer (endpoint) Security – protecting the
computer/endpoint from being exploited
▪ Network Security – protecting data being transmitted and the
network being usable & trustworthy
▪ Physical Security – protecting from unauthorized access to
information technology facilities
2/22/2024 II3230 - Keamanan Informasi 7
 Topologi Tipikial Sistem Saat Ini
ISP

Internet - Asset
- Vulnerability
- Threat
Web Site
Users

credential, Userid,
Password, www.bank.co.id
PIN, credit card #

2/22/2024 II3230 - Keamanan Informasi – Budi Rahardjo (c) 8

 Topologi Tipikial Sistem Saat Ini
Network
Lubang Keamanan
ISP
sniffed, • Computer / Host (OS)
attacked • Network
computer • Applications (db)
security

Internet
network
Network Network
security sniffed, flood, MiTM sniffed,
attacked
Web Site
Users application
Trojan horse security
Virus Applications
Malware (database,
Ransomware Web server)
credential, Userid, hacked
Password, www.bank.co.id OS hacked
PIN, credit card #
computer security
computer security
2/22/2024 II3230 - Keamanan Informasi – Budi Rahardjo (c) 9
 Information Security Definition
Information Security (ISO 27000-series 2018)
▪ Preservation of confidentiality, integrity and availability of
information
▪ Note : In addition, other properties, such as authenticity,
accountability, non-repudiation, and reliability can also be
involved.

2/22/2024 II3230 - Keamanan Informasi 10

 Security Concepts

2/22/2024 II3230 - Keamanan Informasi 12

 Confidentiality
▪ Goal: Keep the contents of communication or data on storage secret

▪ Example: Alice and Bob want their communications to be secret from

Eve

▪ Key – a secret shared between Alice & Bob

▪ Sometimes accomplished with

▪ Cryptography, Steganography, Access Controls, Database Views
2/22/2024 II3230 - Keamanan Informasi 13
 Confidentiality (Kerahasiaan)
▪ Data (sistem) tidak boleh (tidak dapat) diakses oleh orang yang
tidak berhak
▪ Perlu mendefinsikan data apa saja yang confidential
▪ Data pelanggan
▪ Data pribadi
▪ Data Kesehatan
▪ Data Sensitive
▪ Data Kritikal Bisnis
▪ Bagaimana melakukan kategorisasi data?

2020 II3230 - Keamanan Informasi 14

 Confidentiality
▪ Serangan
▪ Penyadapan (sniffing)
▪ Mengintip (shouldering)
▪ Cracking (mencoba memecahkan enkripsi)
▪ Social engineering (menipu, mencari-cari kelemahan SOP,
membujuk orang untuk membuka data)

2020 II3230 - Keamanan Informasi 15

 Confidentiality
▪ Perlindungan
▪ Memisahkan (separation) jaringan / aplikasi / VLAN
▪ Penerapan kriptografi (enkripsi, dekripsi)
▪ Memagari (firewall)
▪ SOP yang jelas (ketat?)
▪ Pemantauan log

2020 II3230 - Keamanan Informasi 16

 Privacy (Privasi)
▪ Dalam konteks confidentiality, kerahasiaan data, jika data yang
dilindungi terkait dengan data pribadi disebut privacy
▪ Data pribadi (personal data), termasuk data keluarga
▪ Data pelanggan (customer)
▪ Data kesehatan (health data)
▪ Data warga

2020 BR - Privasi 2020 17

 Contoh Kasus

2020 BR - Privasi 2020 18

 Data Penerima Bansos
▪ Data penerima bansos (bantuan sosial) ditampilkan secara utuh
dalam rangka transparansi dan untuk umpan balik
▪ Apakah ada penerima dana yang bukan orang miskin?
▪ Apakah semua dana disampaikan (ataukah dikorupsi)?
▪ Data menampilkan identitas (nama, alamat, NIK) secara lengkap
▪ Data dapat diabuse oleh pihak lain
▪ Untuk ”pembelian suara” dalam pemilihan umum (orang
miskin dibeli suaranya)
▪ Untuk diskriminasi

2020 BR - Privasi 2020 19

 Mengapa Perlu Dilindungi
Data pribadi perlu dilindungi dikarenakan
▪ Aib
▪ Digunakan oleh pihak lain untuk keuntungan finansial
(bisnis), diperjualbelikan, tanpa ijin dari pemilik data
▪ Menjadi bagian dari otentikasi (authentication)
▪ Tanggal lahir menjadi bagian dari password
▪ NIK dianggap sebagai rahasia; sesuatu yang hanya
diketahui oleh yang bersangkutan, padahal sudah tidak
lagi. Asumsi yang salah
2020 BR - Privasi 2020 20
 Mengapa Perlu Dilindungi
▪ Data menjadi lepas dari kendali dari kita
▪ Bagaimana jika terjadi kesalahan / ketidakakuratan data?
▪ Apakah kita memiliki hak untuk memperbaiki data tersebut? Apakah kita dapat
menutut pihak lain untuk menghapus data kita?
▪ Bagaimana kita tahu pihak mana yang memiliki data kita dan data apa yang
mereka miliki?
▪ Data digunakan tidak semestinya / di luar konteks
▪ Tiba-tiba asuransi kesehatan naik
▪ Diketahui memiliki penyakit tertentu atau terdapat pandemi di lingkungan
sekitar tempat tinggal
▪ Diskriminasi
▪ Karena memiliki agama yang berbeda atau pilihan (partai politik) yang
berbeda

2020 BR - Privasi 2020 21

 Konteks Pemberian Data
▪ Data diberikan kepada penyedia jasa / layanan untuk keperluan tertentu
▪ Identitas (untuk keperluan otentikasi)
▪ Bagaimana jika data digunakan untuk keperluan lain (diperjualbelikan)?
▪ Apabila perusahaan bangkrut, bagaimana status data?
▪ Data apa saja yang dianggap relevan?
▪ Apa ukuran secukupnya? Berlebihan?
▪ Contoh data Kartu Keluarga (KK) yang diminta oleh operator
telekomunikasi termasuk data yang berlebihan karena di dalamnya
terdapat individu lain yang tidak menggunakan jasa layanan dari
penyedia layanan tersebut
▪ Apa saja yang termasuk bisnis dari penyedia jasa?
▪ Apakah data dapat dianggap sebagai aset yang dapat diperjualbelikan?

2020 BR - Privasi 2020 22

 Keamanan Data di Penyedia Jasa
▪ Keamanan merupakan tanggungjawab dari penyedia jasa
▪ Kebocoran data (ketidakamanan data) harus mendapatkan
hukuman, sanksi, penalty
▪ Untuk memastikan bahwa proses pengamanan dilakukan,
penyedia jasa harus melakukan security audit secara berkala
(misal minimal setahun sekali) yang dilakukan oleh pihak ketiga
yang independen
▪ Adanya peraturan (regulasi) yang secara eksplisit mengatur ini
yang diterbitkan oleh instansi terkait
2020 BR - Privasi 2020 23
 Bagaimana Melindunginya?
▪ Secara teknis sama dengan perlindungan pada aspek
confidentiality
▪ Kriptografi (enkripsi, dekripsi)
▪ Pemisahan akses (jaringan, aplikasi)
▪ Kebijakan tentang akses data
▪ ...

2020 BR - Privasi 2020 24

 Remark
▪ Pengamanan data pribadi yang diberikan kepada penyedia jasa
merupakan tanggungjawab dari penyedia jasa
▪ Perlu ada hukuman / tindakan terhadap kelalaian dalam
mengamankan data yang diserahkan kepada penyedia jasa
▪ Keamanan informasi merupakan sebuah proses yang harus
dievaluasi terus menerus. Diperlukan regulasi agar proses ini
diimplementasikan

2020 BR - Privasi 2020 25

 Message/Data Integrity
▪ Data Integrity = No Corruption
▪ Man in the middle attack: Has Mallory tampered with the message that Alice
sends to Bob?
▪ Integrity Check: Add redundancy to data/messages

▪ Techniques:
▪ Hashing (MD5, SHA-1, …), Checksums (CRC…)
▪ Message Authentication Codes (MACs)
▪ Different From Confidentiality:
▪ A -> B: “The value of x is 1” (not secret)
▪ A -> M -> B: “The value of x is 10000” (BAD)
▪ A -> M -> B: “The value of y is 1” (BAD)
2/22/2024 IAS/YA/2-2022-2023 26
 Integrity (integritas)
▪ Data (sistem) tidak dapat dubah oleh pihak yang tidak berhak
▪ Sebagai contoh
▪ Saldo rekening bank kita tidak boleh berubah jika tidak ada
transaksi yang sah
▪ Pilihan di pemilu (e-voting) harus dapat dipastikan tetap
sampai di pusat
▪ Untuk sistem transaksi, aspek integritas ini merupakan aspek
yang sangat penting

2020 II3230 - Keamanan Informasi 27

 Integrity
▪ Serangan
▪ Spoofing (pemalsuan)
▪ Ransomware (mengubah berkas – dienkripsi – sehingga tidak
dapat diakses)
▪ Man-in-the-middle (MiTM): mengubah data di tengah
perjalanan sehingga data berubah di tujuan

2020 II3230 - Keamanan Informasi 28

 Integrity
▪ Perlindungan
▪ Message authentication code (MAC)
▪ Hash function
▪ Menggunakan digital signature

2020 II3230 - Keamanan Informasi 29

 Authentication
▪ Verification of Claim (e.g., identity, role)
▪ How can Bob be sure that he is communicating with Alice?
▪ Do they university’s students access the digilib?
▪ Authenticity of human, user, machine, computer, server, data source,
and data
▪ Lack of physical contact
▪ Three General Ways:
▪ Something you know (i.e., Passwords)
▪ Something you have (i.e., Tokens, Digital Certificate)
▪ Something you are (i.e., Biometrics)

2/22/2024 IAS/YA/2-2022-2023 30
 Authentication
▪ Meyakinkan keaslian identitas {seseorang / mesin / komputer / server /
sumber data}
▪ Masalah ketika tidak ada kontak fisik (lack of physical contact)
▪ Siapa yang mengakses layanan (internet banking)?
▪ Faktor otentikasi
▪ sesuatu yang dimiliki | what you have: kartu identitas, kunci
▪ sesuatu yang diketahui | what you know: userid (identitas), password,
PIN
▪ sesuatu yang melekat | what you are: biometric

▪ claimant at a particular place

▪ authentication is established by trusted third party

2021 II3230 - Keamanan Informasi 31

 Authentication - Serangan
▪ Serangan
▪ identitas palsu, KTP palsu
▪ terminal palsu, mesin ATM palsu, situs web gadungan (abal-
abal, plesetean)

2021 II3230 - Keamanan Informasi 32

 on the internet, nobody knows you’re a dog

2021 II3230 - Keamanan Informasi 33

 Something you KNOW

▪ Example: Passwords
▪ Pros:
▪ Simple to implement
▪ Simple for users to understand
▪ Cons:
▪ Easy to crack (unless users choose strong
ones)
▪ Passwords are reused many times

▪ One-time Passwords (OTP): different password used each

time, but it is difficult for user to remember all of them
2/22/2024 IAS/YA/2-2022-2023 34
 Something you HAVE
▪ OTP Cards (e.g. SecurID): generates new password each time
user logs in
▪ Smart Card: tamper-resistant, stores secret information, entered
into a card-reader

▪ Token / Key (i.e., iButton)

▪ ATM Card
▪ Strength of authentication depends on difficulty of forging

2/22/2024 IAS/YA/2-2022-2023 35
 Something you ARE
Technique Effectiveness Acceptance
▪ Biometrics Palm Scan 1 6
Iris Scan 2 1
Retinal Scan 3 7
Fingerprint 4 5
Voice Id 5 3
Facial Recognition 6 4
▪ Pros: “raises the bar” Signature Dynamics 7 2
▪ Cons: false negatives/positives, social acceptance, key management
▪ false positive: authentic user rejected
▪ false negative: impostor accepted

2/22/2024 IAS/YA/2-2022-2023 36
 Multi-Authentication
▪ Two-factor Authentication: Methods can be combined (i.e. ATM card &
PIN)
▪ Who is authenticating who?
▪ Person-to-computer?
▪ Computer-to-computer?
▪ Three types (e.g. SSL):
▪ Client Authentication: server verifies client’s id
▪ Server Authentication: client verifies server’s id
▪ Mutual Authentication (Client & Server)
▪ Authenticated user is a “Principal”
▪ How about OTP?

2/22/2024 IAS/YA/2-2022-2023 37
 Availability
▪ Uptime, Free Storage
▪ Ex. Dial tone availability, System downtime limit, Web server
response time

▪ Solutions:
▪ Add redundancy to remove single point of failure
▪ Impose “limits” that legitimate users can use

▪ Goal of DoS (Denial of Service) attacks are to reduce availability

▪ Malware used to send excessive traffic to victim site
▪ Overwhelmed servers can’t process legitimate traffic
2/22/2024 IAS/YA/2-2022-2023 38
 Availability (Ketersediaan)
▪ Data / informasi / sistem harus tersedia ketika dibutuhkan
▪ Disebabkan semakin tingginya ketergantungan kepada IT
▪ Tidak tersedianya data akan mengakibatkan kegagalan bisnis,
yang kemudian berdampak kepada aspek finansial

2020 II3230 - Keamanan Informasi 39

 Serangan
▪ Meniadakan layanan: Denial of Service (DoS)
▪ Jaringan
▪ Aplikasi
▪ Infrastruktur pendukung (misal: listrik)
▪ Menyerang dari berbagai tempat / lokasi: distributed
▪ Distributed Denial of Service (DDoS) attack

2020 II3230 - Keamanan Informasi 40

 DNS DDoS Attack

2020 II3230 - Keamanan Informasi 41

 Perlindungan
▪ Redundansi, duplikat
▪ Server di Data Center (DC) & di Disaster Recovery Center (DRC)
▪ Backup (& Restore)
▪ Filtering (network)
▪ BCP (Business Continuity Planning)
▪ Mengamati aspek-aspek yang kritikal terhadap kelangsungan
bisnis, baik secara teknis maupun non-teknis
▪ DRP: Disaster Recovery Plan
▪ Cyberdrill
2020 II3230 - Keamanan Informasi 42
 Accountability
▪ Able to determine the attacker or principal

▪ Logging & Audit Trails

▪ Requirements:
▪ Secure Timestamping (OS vs. Network)
▪ Data integrity in logs & audit trails, must not be able to
change trails, or be able to detect changes to logs
▪ Otherwise attacker can cover their tracks

2/22/2024 IAS/YA/2-2022-2023 43
 Non-Repudiation
▪ Undeniability of a transaction

▪ Alice wants to prove to Trent that she did communicate with

Bob

▪ Generate evidence / receipts (digitally signed statements)

▪ Often not implemented in practice, credit-card companies

become de facto third-party verifiers

2/22/2024 IAS/YA/2-2022-2023 44
 Non-repudiation
▪ Tidak dapat menyangkal (telah melakukan sebuah transaksi)
▪ Serangan
▪ Transaksi palsu, spoofing
▪ Menghapus jejak
▪ Perlindungan
▪ message authentication code, hash function
▪ digital signature
▪ logging

2021 II3230 - Keamanan Informasi 45

 Access Control
▪ Mekanisme untuk mengatur siapa boleh melakukan apa
▪ Roles, separation of duties
▪ Bersama dengan authentication memetakan seseorang ke
sebuah role
▪ Adanya kelas / klasifikasi data dan roles, misalnya:
▪ Public
▪ Private
▪ Confidential
▪ Top Secret

2021 II3230 - Keamanan Informasi 46

 Access Control
▪ Serangan
▪ Menerobos pembatasan
▪ Menaikkan tingkat pengguna
▪ Cracking, brute force
▪ Merusak kendali akses
▪ Perlindungan
▪ Segmentasi jaringan & fisik
▪ Membuat daftar siapa/apa yang dapat mengakses, filtering
▪ Ilegal access detection
▪ Logging
2021 II3230 - Keamanan Informasi 47
2/22/2024 II3230 - Keamanan Informasi 48
 Concepts at Work

B2B
Bob
PCs-R-US website
orders parts DVD-
Factory

Is DVD-Factory Secure?

2/22/2024 49
 Network Information Gathering
Yudistira Asnar
[email protected]

28/02/2024 1
 Full Credits
- This slides are adapted from:

Casing the Joint

II3230 – Keamanan Informasi
Sekolah Teknik Elektro dan Informatika, Institut Teknologi Bandung
Budi Rahardjo
2020

28/02/2024 2
 Definition of Casing the Joint
a Slang
▪ to look at a place with the intention of stealing from it later:
▪ He looked around shiftily, as if he was casing the joint.
▪ If they had been casing the joint, they'd have found that the
property was more secure than Fort Knox.
▪ I can't stand here for too long or they'll think I'm casing the
joint!
[Cambridge Dictionary]

28/02/2024 3
 Objective
▪ Students can perform information gathering on a security target
▪ Students can identify the challenges of profiling

28/02/2024 4
 Cyber Kill Chain
▪ Developed by Lockheed Martin
▪ https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html

© https://medium.com/cycraft
28/02/2024 5
 Reconnaissance and Information Gathering
▪ Purpose: To discover as much information about a target
(individual or organization) as possible without actually making
network contact with said target.

▪ Methods:
▪ Organization info discovery
▪ Google search
▪ Website browsing
▪ OSINT

28/02/2024 6
 Various Types of Reconnaissance
▪ Scanning
▪ Finding some openings from the target
▪ Footprinting
▪ Collecting information about the target
▪ Profiling
▪ Analyzing the characteristics/behavior of the target

▪ Maintain the results in a table

28/02/2024 7
 Table Target
▪ Just an illustration

Nama No IP Alive OS Services

www.bank.co.id 10.10.1.80 ya Windows http
NT SP 6
file.bank.co.id 10.10.1.143 ya Windows NetBIOS, ftp, http (IIS)
2000, SP3
mail.bank.com 10.10.1.25 ya Linux SMTP

… …

28/02/2024 8
 WHOIS Results for itb.ac.id

28/02/2024 9
 Whois 167.205.59.96

28/02/2024 10
 Whois
▪ Identify the owner of domain or IP
▪ Identify
▪ Individual
▪ Organization
Who owned and managed the Internet Resources
▪ The results might vary depends on the WHOIS server that you
asked

28/02/2024 11
 Network Enumeration and Scanning
▪ Purpose: To discover existing networks owned by a target as
well as live hosts and services running on those hosts.
▪ Methods:
▪ Scanning programs that identify live hosts, open ports,
services, and other info (Nmap, autoscan)
▪ DNS Querying
▪ Route analysis (traceroute)

28/02/2024 12
 NMap Results
▪ nmap -sS 127.0.0.1
▪ 1
▪ 2
▪ 3 Starting Nmap 4.01 at 2006-07-06 17:23 BST
▪ 4 Interesting ports on chaos (127.0.0.1):
▪ 5 (The 1668 ports scanned but not shown below are in state: closed)
▪ 6 PORT STATE SERVICE
▪ 7 21/tcp open ftp
▪ 8 22/tcp open ssh
▪ 9 631/tcp open ipp
▪ 10 6000/tcp open X11
▪ 11
▪ 12 Nmap finished: 1 IP address (1 host up) scanned in 0.207
▪ 13 seconds

28/02/2024 13
 NMap
▪ nmap -sn 167.205.0.0/24
▪ Sending syn package to check up hosts
▪ nmap -sS 167.205.0.1 or nmap -sV 167.205.0.1 -A
▪ To fingerprint OS
▪ It can be used to scan for some vulnerability
▪ vulnscan

28/02/2024 14
 A Tale of a Software System
APPLICATION
ATTACK Your security “perimeter” has huge holes
at the application layer
Application Layer

Legacy Systems

Human Resrcs
Web Services
Directories
Databases
Custom Developed

Billing
Application Code

App Server
Web Server
Network Layer

Hardened OS

Firewall
Firewall

You can’t use network layer protection (firewall, SSL, IDS, hardening)
to stop or detect application layer attacks
OWASP
28/02/2024 15
 Data-data dari domain name
▪ Menggunakan whois, dig, nslookup, host, bahkan search engine
▪ Data-data server dari target (Name Server), alamat kantor,
nomor IP, MX record
▪ Komputer-komputer dan nomor Ipnya
▪ Sebagian besar dari data-data ini tersedia untuk publik (sama
dengan alamat dari sebuah perusahaan)

28/02/2024 16
 Program “nslookup”
▪ Nslookup untuk mencari informasi domain
▪ Unix% nslookup ns @dns.server domain.name
▪ Zone transfer dengan nslookup
Unix% nslookup
> server 167.205.21.82
> set type=any
> ls –d Acme.net >> /tmp/zone_out
> ctrl-D

more /tmp/zone_out

28/02/2024 17
 Program “host”

▪ Mencari informasi mengenai name server (ns),

mail record (mx), dll.
▪ Unix% host www.indocisc.com
www.indocisc.com has address 202.138.225.178
▪ Unix% host –t ns indocisc.com
indocisc.com name server
home.globalnetlink.com.
Indocisc.com name server mx.insan.co.id.
▪ Unix% host –t mx indocisc.com
indocisc.com mail is handled by 5
mx.insan.co.id.
▪ Unix% host –l indocisc.com mx.insan.co.id

28/02/2024 18
 Masih Tentang DNS
▪ Zone transfer harusnya dibatasi
▪ Zone transfer via web
http://us.mirror.menandmice.com/cgi-bin/DoDig
Name server:
Domain name:
Query type: Zone Transfer (AXFR)

28/02/2024 19
 Routing
▪ Traceroute untuk mengetahui routing
▪ Unix
traceroute 167.205.21.82

▪ Windows
DOS> tracert 167.205.21.82

▪ Web
▪ http://visualroute.visualware.com

28/02/2024 20
 http://visualroute.visualware.com

28/02/2024 21
 Tabel target
▪ Mulai terisi

Nama No IP Alive OS Services

www.bank.co.id 10.10.1.80 … … …

Fileserver.bank. 10.10.1.143 … … …
co.id
mail.bank.com 10.10.1.25 … … …

… …

28/02/2024 22
 Server hidup?
▪ Ping, gping, hping
mencari host yang hidup (alive)
▪ Unix% gping 192 168 1 1 254 | fping –a
192.168.1.254 is alive
192.168.1.227 is alive
192.168.1.1 is alive
192.168.1.190 is alive
▪ Membutuhkan ICMP traffic
▪ Unix% hping 192.168.1.2 –S –p 80 -f

28/02/2024 23
 Masih tentang ping
▪ Unix% nmap –sP 192.168.1.0/24

▪ Kalau ICMP diblokir

nmap –sP –PT80 192.168.1.0/24
mengirimkan paket ACK dan menunggu paket RST untuk
menandakan host alive

28/02/2024 24
 ICMP Query
▪ Mencari informasi dengan mengirimkan paket ICMP
▪ Unix% icmpquery –t 192.168.1.1
192.168.1.1 : 11:36:19
▪ Unix% icmpquery –m 192.168.1.1
192.168.1.1 : 0xFFFFFFE0

28/02/2024 25
 Tabel target
▪ Mulai terisi

Nama No IP Alive OS Services

www.bank.co.id 10.10.1.80 ya … …

Fileserver.bank. 10.10.1.143 ? … …
co.id
mail.bank.com 10.10.1.25 ya … …

… …

28/02/2024 26
 Servis di Internet
▪ /etc/services
echo 7/tcp
echo 7/udp
discard 9/tcp sink null
discard 9/udp sink null
systat 11/tcp users
ftp 21/tcp
ssh 22/tcp
telnet 23/tcp

▪ Dijalankan melalui inetd atau sebagai daemon (di belakang

layar)

28/02/2024 27
 Servis via inetd
▪ Serivis dicatat dalam berkas /etc/inetd.conf :
# contoh
# <service_name> <sock_type> <proto> <flags> <user> <server_path>
<args>

ftp stream tcp nowait root /usr/sbin/tcpd

/usr/local/sbin/proftpd

pop-3 stream tcp nowait root /usr/sbin/tcpd

/usr/sbin/ipop3d

28/02/2024 28
 Scanning / Probing
▪ UNIX
▪ Strobe
strobe 192.168.1.10
▪ Nmap
nmap –sS 192.168.1.1
nmap –sF 192.168.1.0/24 –oN outfile
▪ Netcat:
nc –v –z –w2 192.168.1.1 1-140
nc –u –v –z –w2 192.168.1.1 1-140
▪ udp_scan

28/02/2024 29
 Scanning Tools: Windows
▪ NetScan Tools Pro 2000
▪ SuperScan

28/02/2024 30
 Jenis Scan

▪ TCP connect scan

▪ TCP SYN scan
▪ TCP FIN scan
▪ TCP Xmas Tree scan
▪ TCP Null scan
▪ TCP ACK scan
▪ TCP Window scan
▪ TCP RPC scan
▪ UDP scan

28/02/2024 31
 Deteksi Scanning
▪ Syslog, icmplog
▪ root# tail /var/log/syslog
May 16 15:40:42 epson tcplogd: "Syn probe"
notebook[192.168.1.4]:[8422]>epson[192.168.1.2]:[635]
May 16 15:40:42 epson tcplogd: "Syn probe"
notebook[192.168.1.4]:[8423]>epson[192.168.1.2]:ssl-ldap
May 16 15:40:42 epson tcplogd: "Syn probe"
notebook[192.168.1.4]:[8426]>epson[192.168.1.2]:[637]
May 16 15:40:42 epson tcplogd: "Syn probe"
notebook[192.168.1.4]:[8429]>epson[192.168.1.2

28/02/2024 32
 Penangkal Scanning
▪ Langsung melakukan pemblokiran
▪ access control list (/etc/hosts.deny)
▪ mengubah routing table (drop)
▪ mengubah rule dari firewall
▪ Contoh software: portsentry

28/02/2024 33
 Tabel target
▪ Mulai terisi

Nama No IP Alive OS Services

www.bank.co.id 10.10.1.80 ya … web

Fileserver.bank. 10.10.1.143 ? … File sharing, web, ftp

co.id
mail.bank.com 10.10.1.25 ya … SMTP

… …

28/02/2024 34
 OS Fingerprinting
▪ Menentukan jenis OS dengan melihat implementasi TCP/IP
stack
▪ Queso
▪ Nmap
nmap –O 192.168.1.1
▪ ICMP
▪ X (passive OS detection)

28/02/2024 35
 Application fingerprinting
▪ Banner grabbing: dari aplikasi (misal SMTP)
telnet server.name 25
▪ echo -e "GET /index.html HTTP/1.0\n\n" | nc 192.168.1.3 80 |
less

Date: Sat, 27 Apr 2002 02:34:10 GMT

Server: Apache/1.3.24 (Unix) Debian GNU/Linux PHP/4.1.2
Last-Modified: Thu, 19 Jul 2001 13:21:07 GMT
ETag: "fa59-ffe-3b56dec3“
Accept-Ranges: bytes
Content-Length: 4094
Connection: close
Content-Type: text/html; charset=iso-8859-1

28/02/2024 36
 Deteksi melalui SNMP
▪ indocisc% snmpget 192.168.0.1 public system.sysDescr.0
system.sysDescr.0 = Linux agumon 2.4.18 #1 SMP Web Apr
24 04:33:13 WIT 2002 i686
▪ Syntax: snmpwalk target community oid
▪ indocisc% snmpwalk 192.168.0.1 public system
indocisc% snmpwalk 192.168.0.1 public
interfaces.ifTable.ifEntry.ifDescr
interfaces.ifTable.ifEntry.ifDescr.1 = lo
interfaces.ifTable.ifEntry.ifDescr.2 = eth0

28/02/2024 37
 Enumerasi di sistem Windows
▪ C:\WINDOWS> net view
\\KOMPUTERKU Pentium III
C:\WINDOWS> net view \\komputerku
Sharename Type Comment
-------------------------
C Disk
▪ C:\WINDOWS> nbtstat –a 192.168.1.1
▪ C:\WINDOWS> nbtscan 192.168.1.0/24

28/02/2024 38
 Langkah Selanjutnya?
▪ Memenuhi “tabel” target data-data
Nama No IP Alive OS Services
www.bank.com 10.10… ya Win NT SP 6 http
xyz. 10.10.10.1 Ya Win 2000, NetBIOS, ftp, http (IIS)
SP3
mail.bank.com SMTP
▪ Melakukan searching untuk membandingkan target dengan daftar eksploitasi. Atau
melakukan vulnerabiliy mapping
▪ Selanjutnya: initial access (mulai masuk)
▪ Issues
▪ Security policy. Apakah scanning termasuk hal yang illegal? Di beberapa tempat:
ya

28/02/2024 39
Cryptography
Yudistira Asnar
[email protected]
Adapted From

Keamanan Informasi

Pengantar Kriptografi
Ir. Budi Rahardjo, M. Sc., Ph.D

Teknik Komputer – STEI ITB II3230 - Keamanan Informasi

 Dark Art!
▪ Sebelum tahun 1970-an,
kriptografi merupakan
sebuah dark art – ilmu yang
tidak diajarkan secara umum
▪ Sampai munculnya buku “The
Code Breakers” dari David
Kahn.

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 3

 Buku Lainnya
▪ Code Book
Simon Singh
▪ Crypto
Steven Levy

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 4

 Security & Intelligence
▪ Signal Security ▪ Signal Intelligence
▪ Steganography ▪ Interception & Direction-Finding
▪ Traffic security (call sign changes, ▪ Traffic Analysis
dummy msg, radio silence)
▪ Cryptanalysis
▪ Cryptography
▪ Electronic Intelligence
▪ Electronic Security ▪ Electronic reconnaissance
▪ Emission security (shifting radar (eavesdroping on radar emission)
freq.)
▪ Countermeasures (jamming, false
▪ Counter -Countermeasures radar echoes)
(looking through jammed radar)

Source: David Kahn, The Code Breakers

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 5

 Keamanan Negara
▪ Kemampuan mengamankan data dan menangkap data
merupakan kepentingan negara
▪ Privacy vs keamanan negara?
▪ Spy vs spy?

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 6

 Penyadapan Internasional
Sumber: IEEE Spectrum April 2003

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 7

 Sadap, Filter, Simpan

Sumber: IEEE Spectrum April 2003

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 8

 The Athens Affair
▪ 9 March 2005, Costas Tsalikidis (38 thn)
bunuh diri
▪ Besoknya diberitakan telepon PM Yunani
disadap (+ 100 orang lainnya)
▪ Pelanggan Vodafone-Panafon (Vodafone
Greek)

http://www.spectrum.ieee.org/print/5280/

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 9

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 10
 Evolusi pengamanan data
⚫ Steganography
⚫ Membuat seolah-olah pesan tidak ada
⚫ Hiding a message within another medium, such as an
image
⚫ Film: “Mercury rising”, “Beautiful mind”
⚫ Cryptography
⚫ Transposition (letters arranged)
⚫ Substitution (letters substituted with other letters)

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 11

 Steganography
▪ Yunani (Greek) vs Persia
▪ Pesan disembunyikan di meja yang dilapisi lilin
▪ Histalaeus
▪ Pesan ditato di kepala budak yang telah digunduli

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 12

 Steganography saat ini
▪ Digital watermarking
▪ Menandai kepemilikan gambar digital, misalnya
dengan menggunakan LSB (least significant bit) dari
pixel sebagai bagian dari pesan
▪ Bisa juga diterapkan di audio (MP3), video, dan format
digital lainnya untuk menjadi bagian dari Digital
Rights Management (DRM)

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 13

 MSB LSB 1 pixel = 8 bit
Tapi hanya digunakan 7 bit saja
1 0 1 0 1 0 1 0
1 1 1 0 1 0 1 1
0 0 1 1 1 0 1 0
1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 1
1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 0
1 1 1 1 1 1 1 1
8 bit LSB (dari 8 pixel) digabung menjadi
satu data lagi: 01001001
14

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI

 Tugas Steganography
▪ Tugas dari Nur Alimah
▪ Setelah engkau rasakan apa nikmatnya gula, hisap
aroma rokok ini sampai engkau nyaman ingin
nambah.

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 15

 Pesan untuk (Homer) Simpson dari ibunya
(Mona)

“My Mother the Carjacker”

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 16

 Cryptography
▪ Cryptography (or cryptology; derived from Greek κρύπτω
kryptó "hidden" and the verb γράφω gráfo "to write" or λέγειν
legein "to speak") is the practice and study of hiding
information. In modern times, cryptography is considered to be
a branch of both mathematics and computer science, and is
affiliated closely with information theory, computer security,
and engineering.
[sumber: wikipedia]

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 17

 Kripto penentu hidup mati
▪ Mary, Queen of Scots dipancung
▪ Menggunakan cipher messages
untuk mengirimkan berita kepada
kelompok anti Queen Elizabeth I
▪ Dituduh merencanakan
pembunuhan Queen Elizabeth I
▪ Lawannya: Walsingham yang
menggunakan Thomas Phelippes,
seorang pakar pemecah kode
▪ Dihukum mati 8 Februari 1587
2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 18
 Kriptografi: Transposition
▪ Contoh transposition http://www.unmuseum.org/excoded.htm

▪ Rail fence asimplekin

▪ Simple transposition: doftranspo

sitionciph
pesan ditulis mendatar erwritesth
emessagein
dikirimkan vertikal
toarectang
▪ Spartan Scytale (5 BC) lebyrowsan
dreadsitou
tbycolumns

http://en.wikibooks.org/wiki/Cryptography:Transposition_ciphers

http://www.ccisource.com/content/resources/articles/Jan01/symmetric.htm

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 19

 Kriptografi: Substitution
▪ Contoh substitution
▪ Caesar cipher (geser 3 huruf)
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
d e f g h i j k l m n o p q r s t u v w x y z a b c

BUDI = exgl
Tabel dapat digeser n huruf ke kiri
atau ke kanan. n dan arah menjadi kunci
▪ Monoalphabetical cipher, satu huruf selalu digantikan
oleh huruf yang sama
Dalam contoh di atas, huruf “B” selalu menjadi “e”
2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 20
 Pemecahan Caesar Cipher
▪ Al Kindi menggunakan statistik untuk memecahkan
Caesar Cipher
▪ Cari huruf yang paling sering muncul dalam ciphertext
dan luruskan (align) dengan huruf yang paling sering
muncul dalam plaintext
▪ Huruf apa yang sering muncul dalam
▪ Bahasa Inggris
▪ Bahasa Indonesia
▪ Bahasa Daerah lainnya?
2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 21
 ROT13
▪ Menggeser huruf sebanyak 13 huruf
▪ Karena jumlah huruf ada 26, maka algoritma (geser13)
bisa digunakan untuk enkripsi dan dekripsi
▪ Lihat situs http://www.rot13.com
▪ Dapat digunakan untuk tebak-tebakan

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 22

 Contoh ROT13
Apa bedanya handphone dan monyet?

Jawaban:
Xnynh unaqcubar, abxvn. Xnynh zbalr, ah xvrh

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 23

 Cipher dengan banyak tabel
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

d e f g h i j k l m n o p q r s t u v w x y z a b c
g h i j k l m n o p q r s t u v w x y z a b c d e f
m n o p q r s t u v w x y z a b c d e f g h i j k l

▪ Huruf pertama dengan tabel pertama

▪ Huruf kedua dengan tabel kedua
▪ Huruf ketiga dengan tabel ketiga
▪ Huruf keempat dengan tabel pertama
▪ … dan seterusnya …

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 24

 Film tentang Enigma …

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 25

 Alan Turing

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 26

 Enigma Rotor
▪ Digunakan Jerman pada Perang Dunia 2
▪ Memiliki rotor yang berubah
posisinya setelah setiap huruf
dikirim
▪ Posisi awal dari rotor merupakan
kunci
▪ Dipecahkan oleh pihak Sekutu
dengan bantuan Alan Turing dan
komputer

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 27

 Enigma-E

http://www.xat.nl/enigma-e/desc/index.htm

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 28

 Crypto Component
▪ Plaintext – A message in its natural format readable by an
attacker
▪ Ciphertext – Message altered to be unreadable by anyone
except the intended recipients
▪ Key – Sequence that controls the operation and behavior of the
cryptographic algorithm
▪ Keyspace – Total number of possible values of keys in a crypto
algorithm

3/8/2024 29
 Crypto Component (2)
▪ Initialization Vector – Random values used with ciphers to
ensure no patterns are created during encryption
▪ Cryptosystem – The combination of algorithm, key, and key
management functions used to perform cryptographic
operations

3/8/2024 30
 Cryptography
▪ Encryption algorithm also called a cipher
▪ Cryptography has evolved so that modern encryption and
decryption use secret keys
▪ Cryptographic algorithms can be openly published
▪ Only have to protect the keys
plaintext ciphertext plaintext
Encryption Decryption

Key KA Key KB

3/8/2024 31
Cryptography
▪ Symmetric Cryptography
▪ KA and KB is the same
▪ ! Key distribution problem
▪ Asymmetric Cryptography
▪ KA and KB is different
plaintext ciphertext plaintext
Encryption Decryption

Key KA Key KB
Cryptography
▪ Hybrid
▪ Combines strengths of both methods
▪ Asymmetric distributes symmetric key
▪ Also known as a session key
▪ Symmetric provides bulk encryption
▪ Example:
▪ SSL negotiates a hybrid method
 Public key cryptography

+ Bob’s public
K
B key

- Bob’s private
K
B key

plaintext encryption ciphertext decryption plaintext

message, m algorithm + algorithm message
K (m) - +
B m = K B(K (m))
B

3/8/2024 IAS/YA/2-2020-2021 34
 Illustration
▪ Public Key
▪ Motivation
▪ Key Proliferation – adding 1 user need in n user system
requires 5 key generation
▪ Schema
▪ P = D(kPRIV, E(kPUB, P))
▪ P = D(kPUB, E(kPRIV, P)
▪ Example
▪ RSA, DSA

3/8/2024 IAS/YA/2-2020-2021 35
Symmetric vs Asymmetric Cryptography
Symmetric vs Asymmetric Cryptography

Symmetric Asymmetric
▪ DES
▪ Modes: ECB, CBC, CFB, OFB, CM
▪ RSA
▪ 3DES ▪ DES
▪ AES
▪ IDEA ▪ Deffie Helman
▪ Blowfish
▪ RC4
▪ Elliptic Curve Cryptography
▪ RC5
▪ CAST
▪ SAFER
▪ Twofish
 Penggunaan Kripto Kunci Publik
▪ Secure Socket Layer (SSL)
▪ HTTPS
▪ SSH
▪ STUNNEL
▪ Pretty Good Privacy (PGP) dan GNU Privacy Guard
(GPG)

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 38

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 39
 Sertifikat Digital X.509 versi 3

Versi
Nomor Seri Sertifikat
Signature Algorithm Identifier (untuk signature dari CA)
Nama X.500 dari CA
Digital
Perioda validitas (mulai dan berakhirnya) Signature
Nama X.500 dari Subjek Sertifikat dibuat
dengan
Informasi Kunci Publik milik Subjek
menggunakan
Agoritma yang digunakan kunci
privat CA
Isi Kunci Publik

Identifier Unik dari Penerbit (optional)

Identifier Unik dari Subjek (optional)
Extensions (optional)

Digital Signature yang dibuat CA

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 40

 Contoh Sertifikat

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 41

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 42
 Protokol SSL

1 Client Hello / Connection Request

Daftar algoritma / cipher suite
Pemilihan cipher suite

2 Sertifikat Digital Server

Encrypted secret / key / nonce
Client Server
Decrypted secret

3 Sertifikat Digital Client

Encrypted secret / key / nonce
Decrypted secret

4
Kunci simteris disepakati

Transfer data dengan enkripsi kunci simetris

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 43

 PENGGUNAAN ENKRIPSI
▪ Mengamankan data dengan mengacak data sehingga sulit untuk
dibaca
Confidentiality
▪ Meyakinkan tidak ada perubahan data
Integrity
▪ Memastikan identitas seseorang dengan digital signature
Authentication
▪ Mem

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 44

 SSL/TLS Protection
▪ Protect sensitive information
▪ Encrypt/Decrypt data
▪ Key Exchange

▪ Protect integrity of data

▪ Cryptographic Hash Function
▪ Digital Signature
3/8/2024 IAS/YA 45
 SSL/TLS Protection
▪ Public Key Protocol
▪ example: SSL

3/8/2024 IAS/YA 46
 SSL/TLS Protection
▪ Certificate
▪ Proof/Credential about what/who you are
▪ Require
▪ Structure/Hierarchy
▪ Infrastructure

3/8/2024 IAS/YA 47
 Message Digest
▪ Menghasilkan rangkuman (summary, digest) dari
sebuah pesan (file, stream data)
▪ Menggunakan hash function untuk menghasilkan digest
tersebut
large
H: Hash
message
Function
m

H(m)

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 48

 Fungsi Hash (Hash Function)
▪ Merupakan fungsi satu arah (one way function) yang
dapat menghasilkan ciri (signature) dari data (berkas,
stream)
▪ Mudah dihitung untuk satu arah (forward)
▪ Sulit (hard) dihitung inverse-nya
▪ Perubahan satu bit saja akan mengubah keluaran hash
secara drastis
▪ Digunakan untuk menjamin integritas dan digital
signature
2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 49
 Fungsi Hash Sederhana
▪ Menjumlahkan nilai ASCII dari karakter
▪ Pesan: BUDI

no Karakter ASCII Total

0 B 66 66
1 U 85 151
2 D 68 219
3 I 73 292
▪ Punya masalah dengan collision

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 50

 Hash Function
▪ Contoh yang lazim digunakan:
MD5, SHA-1, SHA-256, RIPEMD

unix$ md5sum /bin/login

af005c0810eeca2d50f2904d87d9ba1c /bin/login
unix$ md5sum /etc/passwd
a3eeed3854a930c97a125378785045f9 /etc/passwd
unix$ shasum README.md
75d2ba77c401d7df44b79093db004e358f663db6 README.md

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 51

 Hashing Algorithms
▪ MD5
▪ Computes 128-bit hash value
▪ Widely used for file integrity checking
▪ SHA-1
▪ Computes 160-bit hash value
▪ NIST approved message digest algorithm
▪ HAVAL
▪ Computes between 128 and 256 bit hash
▪ Between 3 and 5 rounds
▪ RIPEMD-160
▪ Developed in Europe published in 1996
▪ Patent-free
3/8/2024 IAS/YA/2-2020-2021 52
 Hash Function
▪ Jacksum (a collection of hash functions)
▪ http://jacksum.net/en/index.html

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 53

 Penggunaan Hash: Pengirim
Isi email tidak dirahasiakan.
Diinginkan terjaganya integritas
dan non-repudiation
Keduanya disatukan dan dikirimkan

From: Budi From: Budi

Subject: Kiriman Subject: Kiriman

Kiriman Kiriman
datang datang
Senin Senin
pagi pagi

ohx76@#
hash af005c0810eeca2d5
Enkripsi (dg kunci privat pengirim)
ohx76@#

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 54

 Pada Penerima

Jika keduanya tidak sama,

patut dicurigai.
Integritas tidak terjamin.

From: Budi Jika keduanya sama, integritas

terjamin.
Subject: Kiriman Jika enkripsi menggunakan
public key cryptosystem,
pengirim tidak dapat menyangkal.
Kiriman
datang
Senin
pagi hash af005c0810eeca2d5

sama?
dekripsi
ohx76@# af005c0810eeca2d5

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 55

 Contoh Penggunaan Hash
▪ Hasil hash dienkripsi untuk menjamin keamanannya (integritas)
▪ Ukuran hasil hash yang lebih kecil dibandingkan ukuran pesan asalnya
membutuhkan waktu enkripsi yang lebih singkat (dibandingkan jika
mengenkripsi seluruh pesan)
▪ Basis dari konsep digital signature
▪ Pesan juga dapat dienkripsi jika diinginkan kerahasiaan
▪ Contoh aplikasi lain: hash encrypted password, blockchain (yang
merupakan fondasi dari Bitcoin)

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 56

 Permasalahan Hash
▪ Karena range (space) dari hasil hash lebih kecil (dalam
jumlah bit) dari sumber informasinya, maka
dimungkinkan adanya “collision” – yaitu dua data
dipetakan ke nilai hash yang sama

image from wikipedia

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 57

 Birthday Attack
▪ Collisions
▪ Two messages with the same hash value
▪ Based on the “birthday paradox”
▪ Hash algorithms should be resistant to this attack

3/8/2024 IAS/YA/2-2020-2021 58
 Permasalahan Hash
▪ Ini sudah dibuktikan dengan pecahnya MD5 dan SHA-1
▪ http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html
▪ MD5 (1992) merupakan penyempurnaan dari MD4 (1990)
▪ SHA merupakan buatan NSA (1993) yang mirip dengan MD5
▪ http://shattered.it
▪ Meskipun dua data yang dipetakan itu tidak mudah dibuat dan
kadang-kadang completely useless
▪ Pernyataan di atas sudah tidak tepat untuk pemecahan SHA-1

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 59

 Latihan
▪ Efek perubahan pada image
▪ Buat sebuah image (BMP, GIF, JPG)
▪ Ubah sedikit (1 pixel, beberapa pixels, rotate, crop, dll.)
▪ Lihat efeknya pada hash function
▪ Lakukan hal yang sama dengan berkas yang lain; MP3,
AVI

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 60

 Hash & Aplikasi Database
▪ Bagaimana cara menyimpan pasangan “userid” dan “password”
dalam database?
▪ Umumnya “password” disimpan dalam bentuk plain text
sehingga dapat dilihat oleh DB admin
▪ Simpan password dalam bentuk hashed
▪ Next level: beri salt

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 61

 Message Authentication Codes (MAC)
▪ Small block of data generated with a secret key and appended to
a message
▪ HMAC (RFC 2104)
▪ Uses hash instead of cipher for speed
▪ Used in SSL/TLS and IPSec

3/8/2024 IAS/YA/2-2020-2021 62
 Hash-based MAC
▪ Popular MAC standard
▪ Addresses some subtle security flaws

1. Concatenates secret to front of message.

2. Hashes concatenated message
3. Concatenates the secret to front of digest
4. Hashes the combination again.

3/8/2024 IAS/YA/2-2020-2021 63
 Hash-based Message Authentication Code (HMAC)
s
s = shared secret

message
s

message
message
H( )

H( ) compare

▪ Authenticates sender
▪ Verifies message integrity
▪ No encryption !
▪ Also called “keyed hash”
▪ Notation: MDm = H(s||m) ; send m||MDm
3/8/2024 IAS/YA/2-2020-2021 64
 End-point authentication
▪ Want to be sure of the originator of the message – end-point
authentication.
▪ Assuming Alice and Bob have a shared secret, will MAC provide
message authentication.
▪ We do know that Alice created the message.
▪ But did she send it?

3/8/2024 IAS/YA/2-2020-2021 65
 Playback/Replay Attack
MAC =
f(msg,s) Transfer $1M
from Bill to Trudy MAC

Transfer $1M from

Bill to Trudy MAC

3/8/2024 IAS/YA/2-2020-2021 66
 Defending against playback attack: nonce

“I am Alice”

R
MAC =
f(msg,s,R) Transfer $1M
from Bill to Susan MAC

3/8/2024 IAS/YA/2-2020-2021 67
 Digital Signature
▪ Hash of message encrypted with private key
▪ Digital Signature Standard (DSS)
▪ DSA/RSA/ECD-SA plus SHA
▪ DSS provides
▪ Sender authentication
▪ Verification of message integrity
▪ Nonrepudiation

3/8/2024 IAS/YA/2-2020-2021 68
 Digital Signature
▪ It must be unforgeable. If person P signs message M with signature S(P,M), it is
impossible for anyone else to produce the pair [M, S(P,M)].
▪ It must be authentic. If a person R receives the pair [M, S(P,M)], R can check that the
signature is really from P. Only P could have created this signature, and the signature
is firmly attached to M.
▪ It is not alterable. After being transmitted, M cannot be changed by S, P, or an
interceptor.
▪ It is not reusable. A previous message
presented again will be instantly detected by R.

3/8/2024 IAS/YA/2-2020-2021 69
 Digital Signature
▪ Cryptographic technique analogous to hand-written signatures.
▪ sender (Bob) digitally signs document, establishing he is
document owner/creator.
▪ Goal is similar to that of a MAC, except now use public-key
cryptography
▪ verifiable, nonforgeable: recipient (Alice) can prove to someone
that Bob, and no one else (including Alice), must have signed
document

3/8/2024 IAS/YA/2-2020-2021 70
 Digital Signature
Simple digital signature for message m:
▪ Bob signs m-by encrypting with his private
- key KB, creating
“signed” message, KB(m)
-
Bob’s message, m KB Bob’s private -
KB(m) = s
key
Dear Alice
Bob’s message,
Oh, how I have missed Public key
you. I think of you all the
m, signed
time! …(blah blah blah) encryption (encrypted) with
algorithm his private key
Bob
Dear Alice
Oh, how I have missed you. I think of
you all the time! …(blah blah blah) s
Bob

3/8/2024 IAS/YA/2-2020-2021 71
Digital Signature = signed message digest
Alice verifies signature and integrity
Bob sends digitally signed
of digitally signed message:
message:
large
message H: Hash encrypted
m function H(m)
msg digest
-
KB(H(m))
Bob’s digital large
private signature message
- m Bob’s digital
key KB (encrypt)
public
+ signature
key KB
encrypted H: Hash (decrypt)
msg digest function
-
+ KB(H(m))
H(m) H(m)

equal
?
72
 E-mail Security Protocols
▪ Privacy Enhanced Email (PEM)
▪ Pretty Good Privacy (PGP)
▪ Based on a distributed trust model
▪ Each user generates a key pair
▪ S/MIME
▪ Requires public key infrastructure
▪ Supported by most e-mail clients

3/8/2024 IAS/YA/2-2020-2021 73
 Attributes of Strong Encryption
▪ Confusion
▪ Change key values each round
▪ Performed through substitution
▪ Complicates plaintext/key relationship
▪ Diffusion
▪ Change location of plaintext in ciphertext
▪ Done through transposition

3/8/2024 IAS/YA/2-2020-2021 74
 Masalah Seputar Kripto
▪ Memastikan keamanan algoritma enkripsi
▪ Algoritma harus dievaluasi oleh pakar
▪ Algoritma yang tertutup (tidak dibuka kepada publik)
dianggap tidak aman
▪ Membuat algoritma yang aman tidak mudah
▪ Code maker vs code breakers akan terus berlangsung

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 75

 Cryptanalysis
▪ The study of methods to break cryptosystems
▪ Often targeted at obtaining a key
▪ Attacks may be passive or active

3/8/2024 IAS/YA/2-2020-2021 76
 Cryptanalysis
▪ Kerckhoff’s Principle
▪ The only secrecy involved with a cryptosystem should be the
key
▪ Cryptosystem Strength
▪ How hard is it to determine the secret associated with the
system?

3/8/2024 IAS/YA/2-2020-2021 77
 Cryptanalysis Attacks
▪ Brute force
▪ Trying all key values in the keyspace
▪ Frequency Analysis
▪ Guess values based on frequency of occurrence
▪ Dictionary Attack
▪ Find plaintext based on common words

3/8/2024 IAS/YA/2-2020-2021 78
 Cryptanalysis Attacks
▪ Replay Attack
▪ Repeating previous known values
▪ Factoring Attacks
▪ Find keys through prime factorization
▪ Ciphertext-Only
▪ Known Plaintext
▪ Format or content of plaintext available

3/8/2024 IAS/YA/2-2020-2021 79
 Cryptanalysis Attacks
▪ Chosen Plaintext
▪ Attack can encrypt chosen plaintext
▪ Chosen Ciphertext
▪ Decrypt known ciphertext to discover key
▪ Differential Power Analysis
▪ Side Channel Attack
▪ Identify algorithm and key length

3/8/2024 IAS/YA/2-2020-2021 80
 Cryptanalysis Attacks
▪ Social Engineering
▪ Humans are the weakest link
▪ RNG Attack
▪ Predict IV used by an algorithm
▪ Temporary Files
▪ May contain plaintext

3/8/2024 IAS/YA/2-2020-2021 81
 Bahan Bacaan
▪ Simon Singh, "Code Book: the secret history of codes & code-breaking," Fourth Estate,
1999.
▪ Bruce Schneier, "Applied Cryptography: protocols, algorithms, and source code in C,"
2nd edition, John Wiley & Sons, Inc., 1996.
▪ Steven Levy, "crypto: how the code rebels beat the government - saving privacy in the
digital age," penguin books, 2001
▪ Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone, “Handbook of Applied
Cryptography”
http://www.cacr.math.uwaterloo.ca/hac/
▪ Cryptography Research Crypto FAQ:
http://www.cryptography.com/faq/index.html
▪ Basic Cryptanalysis
http://www.umich.edu/~umich/fm-34-40-2/

2021 BUDI RAHARDJO - PENGANTAR KRIPTOGRAFI 82

Blockchain
Yudistira Asnar
[email protected]
 Credits
▪ Some slides are taken or adapted from Budi Rahardjo’s Slides
on Blockchain

22/03/2024 Yudistira Asnar @ Blockchain 2

 Objective
▪ Participants understand foundation on blockchain
▪ Participants able to design a secure system using blockchain

22/03/2024 Yudistira Asnar @ Blockchain 3

22/03/2024 Yudistira Asnar @ Blockchain 4
 Have you heard of Cryptocurrency?

22/03/2024 Yudistira Asnar @ Blockchain 5

 Blockchain ≠ Bitcoin

3/22/2024 @rahard - Blockchain 6

 Old Days – Trust Assumption
▪ Trust is the core element of any secure system
▪ HTTPS → Certificate → Certificate Authority

22/03/2024 Yudistira Asnar @ Blockchain 7

 Old Days – Trust Assumption
▪ API Call → API Key → Vendor

22/03/2024 Yudistira Asnar @ Blockchain 8

 Old Days – Trust Assumption
▪ User → Login → Identity Provider

22/03/2024 Yudistira Asnar @ Blockchain 9

 Old Days – Sending Information
▪ How to transfer a valuable entity?
▪ Intermediary
▪ Trusted Third Party

22/03/2024 Yudistira Asnar @ Blockchain 10

 Blockchain
▪ Blockchains are a novel approach to the distributed database that a
group of individuals controls and that store and share information
▪ Main characteristics
▪ Distributed
▪ Fault-Tolerant
▪ Immutable
▪ Autonomy
▪ Transparent
▪ (Pseudo) Privacy
20/11/2019 Yudis - Trend on Blockchain 11
 A Brief history of Blockchain
▪ 1991, Stuart Haber & W. Scott Stornetta proposed a chain of blocks that is secure
by cryptography
▪ 1998, Nic Szabo works on ‘bit gold’ as a decentralized digital currency
▪ 2000, Stafan Konst publishes his cryptographic secure chain (with its
implementation)
▪ On October 31, 2008, Satoshi Nakamoto released the Bitcoin White Paper outlining
a purely peer to peer electronic cash/digital asset transfer system.
▪ On January 3, 2009, Bitcoin is run and the first block was mined by Nakamoto
(50BTC) and the 1st recipuient is Hal Finnley (10 BTC) at January 12, 2009
▪ This is the first popular implementation of Blockchain and is attributed as
birthing today’s Blockchain industry.
▪ 2014, Blockchain 2.0 proposes its usage beyond currency.
▪ Ethereum, various Hyperledger project solutions, as well as numerous others
including “Blockchain like” solutions
20/11/2019 Yudis - Trend on Blockchain 12
 @rahard - Blockchain
3/22/2024 13
3/22/2024 @rahard - Blockchain 14
 Conventional Transaction

3/22/2024 @rahard - Blockchain 15

3/22/2024 @rahard - Blockchain 16
 Transaksi Konvensional
▪ Asumsi awal, A (ANI123) memiliki saldo sebesar 1.000.000
▪ Misal A akan mengirimkan uang sebanyak 5000 ke B (BUDI789)
▪ A akan meminta bantukan kepada pihak ketiga yang terpercaya
(trusted third party), yaitu bank untuk menjadi perantara
▪ Bank dapat mengidentifikasi identitas ANI123 dan BUDI789
▪ Bank dapat memverifikasi bahwa transaksi ini legal (karena ANI123
memiliki saldo yang cukup)
▪ Bank mencatatkan ini dalam ledger yang dimilikinya
▪ Bank meminta biaya atas jasanya ini
▪ Bank menentukan kecepatan (waktu) transaksi
▪ Semuanya bergantung kepada (kepercayaan terhadap) BANK
3/22/2024 @rahard - Blockchain 17
 Blockchain Technology
▪ Remove centralized ledger, make it distributed
▪ Create lower transaction fee
▪ Faster transaction reconciliation

22/03/2024 @rahard - Blockchain 18

 Immutable
▪ As with existing databases, Blockchain retains data via
transactions
▪ The difference is that once written to the chain, the blocks can
be changed, but it is extremely difficult to do so. Requiring
rework on all subsequent blocks and consensus of each.
▪ The transaction is, immutable, or indelible
▪ In DBA terms, Blockchains are Write and Read only
▪ Like a ledger written in ink, an error would be be resolved with
another entry
20/11/2019 Yudis - Trend on Blockchain 19
 Illustration

20/11/2019 Yudis - Trend on Blockchain 20

 Chain Principle

20/11/2019 Yudis - Trend on Blockchain 21

 Example of Block #1

previous hash

ANI123 BUDI789 15000 current transactions

34d5853c02351999525194d0c9a69345 hash of this block

(becomes ”previous
hash” in next block)

3/22/2024 @rahard - Blockchain 22

 Example of Block #2

34d5853c02351999525194d0c9a69345 previous hash

ANI123 BUDI789 20000 current transactions

CECEP234 BUDI789 10000
BUDI789 DEDI 5000

41cff38a782117a21817cd493f1958ff hash of this block

(becomes ”previous
hash” in next block)

3/22/2024 @rahard - Blockchain 23

 Example of Block #3

41cff38a782117a21817cd493f1958ff previous hash

BUDI789 ANI123 5000
current
... transactions

hash of this block

(becomes ”previous
hash” in next block)
3/22/2024 @rahard - Blockchain 24
 Blockchain = chain of blocks

34d5853c02351999525194d0c9a69345 41cff38a782117a21817cd493f1958ff

ANI123 BUDI789 15000 ANI123 BUDI789 20000 BUDI789 ANI123 5000

CECEP234 BUDI789 10000 ...
BUDI789 DEDI 5000

34d5853c02351999525194d0c9a69345 41cff38a782117a21817cd493f1958ff

3/22/2024 @rahard - Blockchain 25

 Nonce
▪ Adalah sebuah bilangan atau kata yang kita ambil dari “langit”
secara random
▪ Dalam blockchain, nonce digunakan sebagai bagian dari data yang
akan di-hash-kan
▪ Kriteria: cari nilai hash tertentu, misalnya nilai hash yang paling kecil
(ditandai dengan banyaknya jumlah nol di depan angkanya). Ubah-
ubah nonce sehingga menemukan hash dengan kriteria ini
▪ Diperebutkan (oleh miner). Yang paling dahulu menemukan nonce
yang menghasilkan hash dengan kriteria tersebut akan diberikan
“honor”, proof of work
3/22/2024 @rahard - Blockchain 26
 MD5 Generator: https://passwordsgenerator.net/md5-hash-generator/

3/22/2024 @rahard - Blockchain 27

3/22/2024 @rahard - Blockchain 28
 Encryption
▪ Standard encryption practices
▪ Some Blockchains allow for “BYOE” (Bring Your Own Encryption)
▪ Only as good as the next hardware innovation
▪ All blocks are encrypted
▪ Some Blockchains are public, some are private
▪ Public Blockchains are still encrypted, but are viewable to the public, e.g.
https://www.blockchain.com/explorer/
▪ Private Blockchains employ user rights for visibility, e.g.
▪ Customer – Writes and views all data
▪ Auditors – View all transactions
▪ Supplier A – Writes and views Partner A data
▪ Supplier B – Writes and views Partner B data
20/11/2019 Yudis - Trend on Blockchain 29
 Consensus

▪ Ensures that the next block in a blockchain is the

one and only version of the truth
▪ Keeps powerful adversaries from derailing the Consensus Mechanism
system and successfully forking the chain Proof of Work
▪ Many Consensus mechanisms, each with pros Proof of Stake
and cons Proof of Elapsed Time
Proof of Activity
Proof of Burn
Proof of Capacity
Proof of Importance
And others….

20/11/2019 Yudis - Trend on Blockchain 30

 Consensus

20/11/2019 Yudis - Trend on Blockchain 31

 Smart Contracts
▪ Computer code
▪ Provides business logic layer prior to block submission

Blockchain Smart Contracts? Language

Bitcoin Yes-No
Ethereum Yes Solidity
Hyperledger Yes Various GoLang, JS, C++,
etc, depends
Others Depends Depends

20/11/2019 Yudis - Trend on Blockchain 32

 Smart Contracts

33 20/11/2019 Yudis - Trend on Blockchain

 Conventional Contracts

Paper Contract
Cory agrees to pay $20K for the
car. Once Claire gets the deposit,
she will transfer the vehicle
ownership to Cory by handling him
over the car documents and the
car.

Signature

34 20/11/2019 Yudis - Trend on Blockchain

 Smart Contract
Bill leaves the boat and a key on the lot
with a smart contract controlled lock.
That boat has a (pk) =123456 ❷
❶ Bill wants to sell a boat. He
identifies himself with his public (pk)=
730484) and uses a smart contract to
define the terms of the sale with his
private key. ❻
❷
Phyllis can
Smart Contract unlock smart
contract with (sk)
If $20K is sent to account (pk The smart contract is verified by each and pick up boat
730484) then automatically node on the network if Bill is the owner
of the boat and if Phyllis have enough
transfer boat ID 4920x8 and
money to pay. ❹
smart access to the account
that transferred the funds.
❺ Network agrees, all conditions are true.
Digital Signature Phyllis automatically gets access to
the smart garage lock. Money
exchanges and a new block is created.

❸ Phyllis wants to buy the boat. She finds the boat

on the internet. She signs the contract with her
private key transferring $20K from her blockchain
20/11/2019
address (sk) to Bill’s blockchain address 730484
Yudis - Trend on Blockchain 35
 Core Capabilities of Blockchain Technology

Record Transfer of Smart

Keeping Value Contracts

20/11/2019 Yudis - Trend on Blockchain 36

 Type of Blockchian
▪ Public blockchains are large distributed networks that are run through Internet. Public
blockchains are open for anyone to participate at any level and have opensource code that
their community maintains.

▪ Private blockchains tend to be smaller and do not utilize a token or cryptocurrency. Their
membership is closely controlled. These types of blockchains are
favored by consortiums that have trusted members and trade confidential
information.
▪ ---
▪ Permissioned blockchains control roles that individuals can play within the network. They’re
still large and distributed systems that use a native token. Their core code may or may not be
open source.

20/11/2019 Yudis - Trend on Blockchain 37

Types of Blockchain
Read Write Commit Example
• Main types of blockchains
segmented by permission
Public Open to Bitcoin,
model: Read (can access the
permissionless anyone
Anyone Anyone*
Ethereum ledger and see transactions),
Write (who can generate
Public Open to
All or
Authorized subset of
transactions and send them
permissioned anyone participants authorized
Sovrin to the network), and ‘Commit’
participants (who can update the state of
Restricted to All or
Multiple the ledger).
banks
Consortium
an authorized Authorized subset of
operating a • The terms ‘private’,
set of participants authorized
participants participants
shared ‘permissioned’, and ‘closed’
ledger
are often used
Internal bank
interchangeably
Fully private ledger
or restricted shared
Private Network Network
to a limited between
permissioned operator operator
set of parent
(‘enterprise’) authorized
only only
company
nodes and
subsidiaries

38
 Crypto Currency
▪ Cryptocurrency
A special kind of digital currency. The most popular Cryptocurrency
is Bitcoin.

▪ "Crypto" refers to the cryptographic method used in the

currency to secure transactions and create new unit of the
currency.
▪
This kind of digital money is a revolutionary technology that allows
people or institutions to transfer funds instantly, securely and
without a middleman
20/11/2019 Yudis - Trend on Blockchain 39
 Bitcoin
▪ Bitcoin is a decentralized, public ledger. This ledger is known as a
blockchain.
▪ There is no trusted third party controlling the Bitcoin blockchain.
▪ Anyone can read it, write to it, and hold a copy.
▪ The blockchain has rules, one of which states that there will only ever be
21M bitcoin.
▪ All participants must agree to Bitcoin’s rules in order to use it.
▪ Incentive: The first miner to verify transactions and devote immense
computing power to secure the blockchain can append a block of
transactions to the chain of previous blocks. This miner is rewarded with
bitcoin, and the race starts over every ten minutes.
▪ Disincentive: Bad actors are dissuaded from attacking the blockchain,
because it’s effectively a money-losing proposition.
20/11/2019 Yudis - Trend on Blockchain 40
 Altcoin
▪ Because Bitcoin's code is open-source, anyone can use Bitcoin’s
code to create an altcoin. Many of them seek to improve on
Bitcoin or expand its capabilities.
▪ Altcoins use different rules and engage with other economic
models.

20/11/2019 Yudis - Trend on Blockchain 41

 Other
Blockchains

42 20/11/2019 Yudis - Trend on Blockchain

 Bitcoin Mining Farm

20/11/2019 Yudis - Trend on Blockchain 43

22/03/2024 Yudistira Asnar @ Blockchain 44
 What obstacles inhibit Trust?
▪ Tampering
▪ Lack of Transparency
▪ Confirmation
▪ Double spending problem

20/11/2019 Yudis - Trend on Blockchain 45

 Characteristics for Blockchain Application

Shared Multiple Limited Multiple

repository writers trust Intermediaries

Characteristics of a high potential blockchain use case

22/03/2024 Yudistira Asnar @ Blockchain 46

 Participants, Transactions & Contracts
▪ A participant is a member of a business network
▪ Customer, Supplier, Government, Regulator
▪ Usually reside in an organization
▪ Have specific identities and roles
▪ A transaction is an asset transfer between two or
more participants, for example
▪ John gives a car to Anthony (simple)
▪ John gives a car to Anthony, Anthony gives money
to John (more complex) $
▪ A contract is set of conditions under which transactions
occur, for example
▪ If Anthony pays John money, then car passes from
John to Anthony (simple)
▪ If car won't start, funds do not pass to John (as
decided by independent third party arbitrator)

47 20/11/2019 Yudis - Trend on Blockchain

 Blockchain Potential Application

48 20/11/2019 Yudis - Trend on Blockchain

 Blockchain 2.0: sample use-cases
Banking and
Manufacturing Retail Insurance Government Health
Capital Markets

Asset tracking Loyalty tracking Claims management Bond Issuance Licensing and ID Personalized
medicine
Real time auction for Product provenance MBS/Property Trade Finance Benefit distribution
supplier contracts Payments Records sharing
Logistics Loan Syndication Aid tracking
Supply chain management Fraud detection Compliance
transparency Post Trade Military security
Automated Settlement
underwriting
Cross Border
Payments

20/11/2019 Yudis - Trend on Blockchain 49

 Potential Use Cases
Use Case Description
Identity Establishing and maintaining identities for citizens and residents (birth certificates,
marriage licenses, visas, death records).
Personal records Interoperable health records, insurance records, etc.

Land title registry Details and historic records related to real estate and property transactions.

Supply chain management, inventorying Tracking an asset from its creation, transportation, purchase, and inventorying.

Benefits, entitlements, and aid Social security, medical benefits payments, domestic and international aid.
Anticipatory/automated payments could be automated through Smart Contracts.
Contract and vendor management Tracking and paying vendors, managing purchase commitments and transactions,
and monitoring schedule performance. Can allow for perfect transparency of
government expenditures.
Voting Enabling new methods of digital voting, ensuring eligibility, accurate counting, and
auditing (e.g., to avoid ballot-rigging).
Streamlining interagency processes Blockchains and smart contracts can automate transaction handling and improve
information sharing – allows each agency to better focus on their own mission and
tech without as much need to consider others tech.
 Potential Use Cases

Notable transaction use cases

Land registration – Replacing requirements for research of Deeds (Sweden Land Registration)
Personal Identification – Replacement of Birth/Death certificates, Driver’s Licenses, Social Security Cards (Estonia)
Transportation – Bills of Lading, tracking, Certificates of Origin, International Forms (Maersk/IBM)
Banking – Document storage, increased back office efficiencies (UBS, Russia’s Sberbank)
Manufacturing – Cradle to grave documentation for any assembly or sub assembly
Food distribution – Providing location, lot, harvest date Supermarkets can pin point problematic food (Walmart)
Audits – Due to the decentralized and immutable nature of Blockchain, audits will fundamentally change.

20/11/2019 Yudis - Trend on Blockchain 51

 Blockchain Adoption in
Financial Service

Source: Lets talk Payments

52 20/11/2019 Yudis - Trend on Blockchain
 Blockchain for Healtcare
• EHR
• Clinical Research
• Drug Supply Chain
• Claim & Billing Management

53 20/11/2019 Yudis - Trend on Blockchain

 DLT/Blockchain and Telemedicine
▪ DLT apps to facilitate consultations by
patients with a specialist located
anywhere in the country or further afield.
▪ Telemedicine hitherto hampered by
costly video-based telecommunication
and inaccessibility of a patient’s medical
records to the consulting physician
▪ Ability to deliver services remotely is a
strategic asset for any healthcare
provider
20/11/2019 Yudis - Trend on Blockchain 54
 The Estonia experience
▪ Estonia is the first country in the world to deploy blockchain
technology to secure health records for each of its inhabitants
▪ Runs a national health service providing universal healthcare to its
citizens and residents financed through general taxation
▪ The Estonia eHealth Foundation launched in 2005 runs the ENHIS
whose projects include EHR, Digital Registration, Digital Images, and
Digital Prescription
▪ Deployed Guardtime’s Keyless Signature Infrastructure (KSI)
blockchain technology to secure health records in 2007
▪ KSI uses hash-function cryptography providing data authentication
without reliance on centralised trust authorities
20/11/2019 Yudis - Trend on Blockchain 55
Example 1: Vehicle Wallet (Denmark)
▪ Problem:
▪ During a car’s lifecycle it undergoes various phases and activities (tests, repair, loan,
insurance and changes in ownership). When a car is sold from one person to another, there
can be a lack of information from either the buyer or seller. On the seller’s side, the car could
have undergone an undesirable re-build or even be stolen. On the buyer’s side, the buyer could
never re-register the car, which could result in continuous taxes for the original seller.

▪ Solution:
▪ Vehicle Wallet is a partnership between payment service provider and the Danish Tax
Administration. It is a supply chain management tool where data concerning the car is saved
in one distributed ledger and creates one agreed and shared record of the vehicle history as it
is transferred across the supply chain. This reduces risks for buyers and sellers, and helps
ensure Denmark receives all proper taxes.
 Example 2: BenBen (Ghana)
▪ Problem:
▪ For land property, Ghana lacked a systemic way to determining the legal existence of parcels
and to track land ownership titles. This prevented authorities and property owners from having
clear certainty and visibility over what belongs to whom, resulting in regular disputes. In
addition, because previous processes were on paper, it could take over a year to register the
sale/purchase of a property, which was a fraud risk for both sellers and buyers.

▪ Solution:
▪ BenBen provides an Ethereum-run digital register system of all land registries across Ghana. It
is able to certify land information through the cross-cutting of satellite imagery and on-the-
ground verifications, working hand-in-hand with local stakeholders in the land market. It
aggregates all the information such that financial institutions and the Lands Commission have
real-time access to the data. Property transaction times have been reduced by 75% and court
disputes have been reduced.

22/03/2024 Yudistira Asnar @ Blockchain 57

 Example 3: Project Ubin (Singapore)
▪ Problem:
▪ The Monetary Authority of Singapore (MAS) conducted a study that found that
Inter-bank payments within Singapore and cross-border financial transactions
were inefficient and slow.

▪ Solution:
▪ MAS partnered with R3– a consortium of banks and regulators to create a
prototype for a Blockchain-based digital Singaporean dollar to facilitate digital
transactions. This would allow for incorruptibility of records through a
decentralised trust system, but also 24 hour processing with no centralised – i.e.
human-based – checks required. The partnership has successfully developed
software prototypes of three different models for decentralised inter-bank
payment that are now being explored. MAS has published the source code as open
source software on GitHub.

22/03/2024 Yudistira Asnar @ Blockchain 58

 Future of Blockchain
for Real Estate
▪ Blockchain can ensure more reliable title insurance records,
increasing efficiency and lowering costs.
▪ The simplicity of the Torrens title system may provide the optimal
legal framework for a blockchain registry (at higher levels) - since it
mirrors the architecture of BC.
▪ Blockchain-based real estate markets can help drive financial
inclusion within developing countries.
▪ Blockchain registries and other stores of data can create an
unprecedented tool for studying the impact of land governance
policies, bringing land into big data.
▪ States will retain the power to regulate and tax land transactions.
20/11/2019 Yudis - Trend on Blockchain 59
 Current Examples of
Registries and Blockchain
Company Product Geographic Location of Pilot

Exonum Republic of Georgia, Ukraine

Postchain Sweden, India, Australia

Landstream, Pangea Dubai

Unnamed SaaS, OpenTitle Honduras

Propy Registry Ukraine, Vermont

Parallel Registry Utilizing Colu

Brazil
Colored Coin Protocol
20/11/2019 Yudis - Trend on Blockchain 60
Smart contract based

Blockchain Registry consists of a set of

smart contracts connected to each other in
a relational manner.
 Various Use Case

Exploring how payments can be instantaneously swapped by Verifying customer identity by creating a permissioned blockchain to
incorporating blockchain into virtual trade settlements comply with Know Your Customer (KYC) requirements

Building a business network for global certification system that Exploring blockchain to transform logistics value and IoT through
tracks life span of diamonds, art and luxury goods tracing cargo

Developing application for securities lending using blockchain to PoC to reduce post-trade settlements by automating the end-to-end
securely trade and transfer assets multi party interactions from execution to settlement on the
blockchain
64 20/11/2019 Yudis - Trend on Blockchain
22/03/2024 Yudistira Asnar @ Blockchain 65
 Common issues in having Production-scale
Blockchain

Uncertain and unharmonized Nascent collective An absence of formal

regulatory environment standardization efforts legal frameworks

66 20/11/2019 Yudis - Trend on Blockchain

 Hambatan (Don Tapscott)
1. The technology is not ready 6. The blockchain is a job killer
for prime time 7. Governing the protocols is like
2. The energy consumed is herding cats
unsustainable 8. Distributed autonomous
3. Government will stifile or agents will form skynet
twist it 9. Big brother is (still) watching
4. Powerful incumbents of the you
old pardigm will usurp it 10. Criminals will use it
5. The incentives are
unadequate for distributed
mass collaboration
3/22/2024 @rahard - Blockchain 67
 Pre-requiste
▪ Accurate data.
▪ Digitized records.
▪ Digital identity solution.
▪ Trusted blockchain platform.
▪ Permissioned or hybrid.
▪ Connectivity and tech aware population.
▪ A trained professional community.

20/11/2019 Yudis - Trend on Blockchain 68

 Challenges in Application

Public Network Private Network

Business Adoption Challenges Business Adoption Challenges

1. Designed for public network 1. Incomplete & usually untested

2. Slow and inefficient 2. Usually too simple & inflexible
3. Built-in virtual currency 3. Still lack critical enterprise features
4. Difficult to push upgrades such as identity management system
5. Heavily forked 4. Generally lack community support
6. Lack enterprise support 5. Not standardized

69 20/11/2019 Yudis - Trend on Blockchain

 How to use Blockchain by NIST-
DHS

20/11/2019 Yudis - Trend on Blockchain 70

 By Hyperledger

20/11/2019 Yudis - Trend on Blockchain 71

 Final Remarks
• Blockchain is a new emerging technology
• Decide carefully and wisely
• Choose “which” is the best suited for your case
• Start with a small and solid case study
• Work with relevant stakeholders and regulators

20/11/2019 Yudis - Trend on Blockchain 72

Email Security
Yudistira Asnar
[email protected]
 Credit
▪ This slide is adapted from Pak Budi Rahardjo’s in II3230 – Sem
2 2021/2022

II3230 – Keamanan Informasi

Keamanan Email
Ir. Budi Rahardjo, M. Sc., Ph. D

KK SIK - Teknik Informatika – STEI ITB Keamanan Informasi

22/03/2024 II3230 - Email 2
 Tentang Email
▪ Email masih merupakan aplikasi yang paling populer di Internet
▪ Bahkan sebagai basis berkomunikasi formal
▪ Aplikasi populer lainnya: web, chat (instant messaging)
▪ Email juga digunakan sebagai identitas
▪ Akun / identitas kita biasanya adalah alamat email
▪ Layanan didaftarkan berdasarkan alamat email
▪ Reset password aplikasi membutuhkan konfirmasi via email

22/03/2024 II3230 - Email 3

 Komponen Sistem Email
▪ Mail User Agent (MUA)
Program yang digunakan pengguna.
Contoh: outlook, thunderbird, mutt, Mail.app, web-based mail
▪ Mail (Message) Transfer Agent (MTA)
Program yang melakukan pengiriman email. Mail server
Tanggungjawab Admin
Contoh: sendmail, qmail, postfix, exchange, exim
▪ Mail Delivery Agent (MDA)
Program yang menyimpan email ke mailbox penerima lokal

22/03/2024 II3230 - Email 4

 Topologi Sistem Email

MUA MUA
SMTP

internet
POP MTA MTA
IMAP

mailbox MDA MDA mailbox

22/03/2024 II3230 - Email 5

 https://www.oasis-open.org/
nixCraft

22/03/2024 II3230 - Email 6

22/03/2024 II3230 - Email 7
 Format Email
▪ Standar format email didefinisikan oleh RFC 822
(“Standard for the format of Arpa Internet Text Messages”)
kemudian digantikan oleh RFC 2822 “Internet Message Format”

▪ Header
Seperti amplop dalam email konvensional
Berisi informasi tentang alamat pengirim dan yang dituju

▪ Body
Isi dari surat
Dipisahkan dari header dengan sebuah baris kosong

22/03/2024 II3230 - Email 8

 Contoh Email: Header & Body
From: Budi Rahardjo <[email protected]>
To: [email protected]
Subject: Kelas II3230 hari Senin dibatalkan

Kelas hari ini dibatalkan dan akan

digantikan pada hari lain.

-- budi
--

22/03/2024 II3230 - Email 9

 Standar Amplop Surat Konvensional

22/03/2024 II3230 - Email 10

 Tentang Header Email
▪ Field di header berupa kata dan diakhiri dengan titik dua (:)
From:
To:
Subject:
▪ Isi boleh lebih dari satu baris. Baris berikutnya dimulai dengan
white space (spasi, tab)
▪ Adakah header lain yang Anda ketahui?

22/03/2024 II3230 - Email 11

 Received: from nic.cafax.se (nic.cafax.se [192.71.228.17])
by alliance.globalnetlink.com (8.9.1/8.9.1) with ESMTP id QAA31830
for <[email protected]>; Mon, 26 Mar 2001 16:18:01 -0600
Received: from localhost (localhost [[UNIX: localhost]])
by nic.cafax.se (8.12.0.Beta6/8.12.0.Beta5) id f2QLSJVM018917
for ietf-provreg-outgoing; Mon, 26 Mar 2001 23:28:19 +0200 (MEST)
Received: from is1-55.antd.nist.gov (is1-50.antd.nist.gov [129.6.50.251])
by nic.cafax.se (8.12.0.Beta5/8.12.0.Beta5) with ESMTP id f2QLSGiM018912
for <[email protected]>; Mon, 26 Mar 2001 23:28:17 +0200 (MEST)
Received: from barnacle (barnacle.antd.nist.gov [129.6.55.185])
by is1-55.antd.nist.gov (8.9.3/8.9.3) with SMTP id QAA07174
for <[email protected]>; Mon, 26 Mar 2001 16:28:14 -0500 (EST)
Message-ID: <[email protected]>
From: "Scott Rose" <[email protected]>
To: <[email protected]>
Subject: confidentiality and transfers
Date: Mon, 26 Mar 2001 16:24:05 -0500
MIME-Version: 1.0
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
Sender: [email protected]
Precedence: bulk
22/03/2024 II3230 - Email 12
 Field di Header Email
▪ Setiap field memiliki fungsi tertentu
▪ To, From, Subject, ...
▪ Ada field yang standar dan ada yang kita buat sendiri
▪ Field yang tidak standar dimulai dengan “X-”
X-mailer:
X-pesan:
▪ Mari kita lihat contoh beberapa field

22/03/2024 II3230 - Email 13

 Mengirimkan Berkas Biner (Binary)
▪ Dikarenakan bervariasinya sistem email, maka body menggunakan format
ASCII
▪ Berkas biner harus dikonversikan ke berkas ASCII
▪ uuencode / uudecode
▪ base64
▪ Tugas/contoh: encode sebuah berkas biner dengan menggunakan
base64. Perhatikan hasil konversi yang berupa berkas ASCII

base64 –i inputfile –o outputfile

▪ Berkas dimasukkan (attach) ke dalam body dengan pembatas (oleh MUA)

22/03/2024 II3230 - Email 14

 Standar Lain Terkait Email
▪ RFC 2045: MIME Part One: Format of Internet Message
Bodies
▪ RFC 2046: MIME Part Two: Media Types
▪ RFC 2047: MIME Part Three: Message Header Extensions
for Non-ASCII Text
▪ RFC 2048: MIME Part Four: Registration Procedures
▪ RFC 2049: MIME Part Five: Conformance Criteria and
Examples
http://www.mhonarc.org/~ehood/MIME/
22/03/2024 II3230 - Email 15
 Penutup
▪ Email merupakan aplikasi yang paling penting
▪ Mail server down membuat sejumlah masalah
▪ Authentication
▪ Authorization
▪ Identification
▪ Communication
▪ Ada banyak masalah yang terkait dengan security & reliability
dari sistem email
▪ Masalah terbesar saat ini adalah spam, phising, dan malware

22/03/2024 II3230 - Email 16

 Tugas
▪ Kirimkan email ke diri sendiri (atau ke kawan) dengan 3
attachment dalam ukuran kecil
▪ Perhatikan bagaimana pembatasan / pembagian 3 attachment
tersebut
▪ Show headers di program MUA Anda
▪ Tunjukkan bagian-bagian tersebut
▪ Identifikasi Ancaman yang berasal dari Email

22/03/2024 II3230 - Email 17

 Masalah Email
▪ Disadap (intercept)
▪ Dipalsukan (forgery)
▪ Disisipi malware (virus, ransomware)
▪ Spamming
▪ Phsising
▪ Disalahgunakan (take over)
▪ mailbomb
▪ Digunakan sebagai mail relay

22/03/2024 II3230 - Email 18

 Penyadapan Email (Confidentiality Attack)
▪ Analogi yang tepat dari email adalah seperti kartu pos
(postcard) yang dapat dibaca oleh siapa saja. Terbuka
▪ Dikarenakan protokol yang digunakan (SMTP) tidak
menggunakan enkripsi
▪ Email dikirimkan oleh MTA ke “kantor pos” terdekat untuk
diteruskan ke “kantor pos” berikutnya. Meloncat dari satu
tempat ke tempat lainnya. Hopping. Sampai akhirnya di tujuan
▪ Potensi penyadapan dapat terjadi di setiap titik (jaringan) yang
dilalui
▪ Network sniffing: tcpdump, wireshark, mailsnarf
22/03/2024 II3230 - Email 19
 Proteksi Terhadap Penyadapan
▪ Menggunakan enkripsi untuk isi (body) dari email
▪ Header tetap terbuka
▪ Potensi terhadap serangan traffic analysis
▪ Otomatisasi dengan program: PGP (Pretty Good Privacy)
▪ Menggunakan protokol yang lebih aman
▪ Transport layer dienkripsi
▪ SMTPS, POPS, ...

22/03/2024 II3230 - Email 20

 Email Palsu
▪ Mudah membuat email palsu dengan membuat header sesuka
anda.
▪ Email palsu ini kemudian dikirimkan via MTA atau langsung via
SMTP
▪ Tapi, aktivitas tercatat di server dalam berkas log

22/03/2024 II3230 - Email 21

 isi berkas ‘email-palsu.txt’

To: [email protected]
From: [email protected]
Subject: email palsu

Saya akan coba kirim email palsu. Perhatikan

header dari email ini

$ /usr/sbin/sendmail [email protected] < email-palsu.txt

22/03/2024 II3230 - Email 22

 melalui SMTP server
Unix% telnet mailserver 25
HELO localhost
MAIL FROM: [email protected]
RCPT TO: user01
DATA
354 Enter mail, end with "." on a line by itself
To: [email protected]
From: [email protected]
Subject: palsu

nih palsu
.

250 HAA20290 Message accepted for delivery

QUIT

22/03/2024 II3230 - Email 23

 Perlindungan dari email palsu
▪ Menggunakan digital signature (PGP/GnuPG)
▪ Mengamati header
▪ Keduanya jarang dilakukan

22/03/2024 II3230 - Email 24

 Disisipi Malware
▪ Email sering dijadikan media yang paling efektif untuk
menyebarkan virus (melalui attachment)
▪ Isi email pada mulanya tidak diperiksa oleh firewall (karena
firewall konvensional bukan pada layer aplikasi)
▪ Email langsung menuju pengguna yang seringkali teledor. (The
weakest link)
▪ Email client langsung mengeksekusi program berdasarkan jenis
berkas yang diterima untuk kenyamanan pengguna.
▪ Kepercayaan ini diabuse oleh virus
22/03/2024 II3230 - Email 25
 Proteksi Disisipi Malware
▪ Menggunakan anti virus dengan data terbaru
▪ Tidak memperkenankan email client langsung menjalankan
aplikasi
▪ Melakukan pemeriksaan virus di level mail server

22/03/2024 II3230 - Email 26

 Spamming
▪ Mengirim satu email ke banyak orang
▪ Biasanya digunakan untuk melakukan promosi (MLM, jualan)
▪ Cost untuk mengirim email sangat murah
▪ Tidak bisa terfilter oleh anti-virus
▪ Asal kata “spam” dari skit Monty Python
▪ Kemudian digunakan untuk menjual layanan greencard

22/03/2024 II3230 - Email 27

 Proteksi Terhadap Spam
▪ MTA dipasang proteksi terhadap spamming
▪ Dengan keyword dan karakteristik khusus
▪ Dengan statistik, Bayesian. Tapi email diubah secara dinamik dan
mengandung huruf / karakter yang mengacaukan statistik
▪ Tools: spamassasin, spamd
▪ Jumlah sangat banyak sehingga mail server kewalahan
▪ Masih merupakan masalah besar
▪ Spamhaus Project: RBL
▪ CAUCE.org – (Coalition Against Unsolicited Commercial
Email)

22/03/2024 II3230 - Email 28

 Phising
▪ Send out bait to fool victims into
▪ To give away their information
▪ To steal user data
including login credentials, personally
identifiable information or credit card
numbers. It occurs when an attacker
poses as a trusted entity, dupes a victim
into opening an email or instant message

▪ Means: email, SMS (smishing),

Phone/Voice (Vhising)

22/03/2024 II3230 - Email 29

 Phising Email

22/03/2024 II3230 - Email 30

 Common Signs of Phishing
Too Good To Be True

• Eye-catching or attention-grabbing offers designed to attract people’s attention immediately. For instance, a
claim that you have won an iPhone, a lottery, or some other prize.

Sense of Urgency

• Act fast because the super deals are only for a limited time.
• Your account will be suspended unless you update your personal details immediately.

Hyperlinks

• Click here to claim your offer.

• Click here to change your login credentials.

Attachments

• Often contain ransomware, malware or other viruses.

22/03/2024 II3230 - Email 31

 Other Forms of Phishing
Spear Phishing

• Similar to phishing, spear phishing is an email or electronic communications scam

targeted towards a specific individual, organization or business.

Vishing (Voice Phishing)

• An attacker calls their target and uses an automated recording designed to generate
fear. The recording will ask the target to call a number to resolve the issue.

Smishing (SMS Phishing)

• An attacker tries to trick you into giving them your private information by sending you
a text message.

22/03/2024 II3230 - Email 32

 Proteksi Phising
▪ Email server scanning for phising
▪ Web filtering for malicious URL (or DNS Filtering)

22/03/2024 II3230 - Email 33

 Email Take Over
▪ Previously stolen credentials
▪ Brute force attacks
▪ Phising email
▪ Web browser infections
▪ Spyware
▪ Protection
▪ Multi-Factor Authentication
▪ Password good practices

22/03/2024 II3230 - Email 34

 (Some) Characteristics of strong passwords
▪ Strong Passwords
▪ contain at least one of each of the following:
▪ digit (0..9)
▪ letter (a..Z)
▪ punctuation symbol (e.g., !)
▪ control character (e.g., ^s, Ctrl-s)
▪ are based on a verse (e.g., passphrase) from an obscure work where the
password is formed from the characters in the verse
▪ e.g., “ypyiyp” derived from the title of this module
▪ sometimes referred to as a virtual password
▪ are easily remembered by you but very difficult (preferably impossible)
for others to guess

22/03/2024 II3230 - Email 35

 Mailbomb
▪ Mengirim banyak email ke satu orang
▪ Proteksi:
▪ membatasi ukuran email,
▪ quota disk (di direktori spool),
▪ menggunakan filter khusus yang mendeteksi duplikasi isi
(content) email

22/03/2024 II3230 - Email 36

 Contoh Skrip Mailbomb

#! /usr/bin/perl
#
for ($i=0; $i < 10 ; $i++) {
system(“/usr/sbin/sendmail
[email protected] < junkmail.txt”);
}

22/03/2024 II3230 - Email 37

 Mail relay
▪ Menggunakan server orang lain untuk mengirimkan email
▪ Akibat:
▪ Bandwidth orang lain (pemilik server yang dapat di-relay)
terpakai untuk mengirim email tersebut (yang biasanya
jumlahnya sangat banyak)
▪ Mengelabui penerima email dengan alamat palsu
▪ Kena marah (dan terfilter) karena server kita digunakan untuk
melakukan spamming

22/03/2024 II3230 - Email 38

 Proteksi Mail Relay
▪ Mail Abuse Prevention System
http://mail-abuse.org/
▪ ORBZ – Open Relay Blackhole Zone
http://www.orbz.org/
▪ ORDB – Open Relay Database
http://www.ordb.org/
▪ RBL-type services
http://www.ling.helsinki.fi/users/reriksso/rbl/rbl.html
▪ SPF-Sender Policy Framework
22/03/2024 II3230 - Email 39