-
Security Goals
- 1
-
Major
-
Confidentiality
- This is the assurance that messages or data exchanged between two people or hosts on a network remains secret and is not read by third parties
- Encryption
-
Integrity
- This is the assurance that messages or data exchanged between two people or hosts on a network is not changed while it is being transmitted over the network
- Hash Function
- Message Authentication Codes (MAC)
-
Availability
- This is the assurance that a host on a network is freely allowed to send and receive legitimate messages with other hosts on the network without interference.
- Firewall
- Backup Server
-
Confidentiality
-
Minor
-
Entity Authentication
- This is the general idea that a host on a network should be able to prove its identity.
- Passwords
- Nonces
-
Message Origin Authentication
- This means that it can be established with certainty that a message came from a particular entity
- Digital Signature
-
Non-Repudiation
- This means that a host or other entity on a network cannot deny having sent/received a message.
- Origin
-
Destination
- Trusted Third Party
- Confirmation
-
TImeliness
- This means that a conversation between 2 hosts on a network cannot be watched by a third party who can use the record of the conversation to masquerade as one of parties and replay the prior conversation. To put it another way, each session where 2 hosts on a network exchange a set of messages is unique and cannot be replicated later.
- Timestamps
-
Access Control
- This is ability to restrict access to certain computing resources.
- Firewall
- Access Control List
- Unix File Permission
-
Authorisation
- This refers to the legitimate granting of access to computing resources to a human being or a host on a network.
- Passwords
-
Entity Authentication
-
Encryption
- 2,3,4
-
Inputs
- Plaintext
- Encryption Key
- Encryption Algorithm
-
Cryptology
- Cryptanalysis
- Cryptography
-
Algorithms Made Public
- By being made public they will be open to scrutiny from a very wide adudience. It is much more likely that any weaknesses will be discovered
- Making them publicly available means that they can be incorporated into networking protocols and other standards. This way their usefulness is maximised.
-
Terms
-
Ciphertext
-
Attack
- Brute Force Attack
- Given Enough TIme, can always break an encryption
- Exploit a weakness of algorithm
-
Attack
-
Symmetric Encryption
-
Overview
- Security depends on the secrecy of the key
- the strength of encryption algorithm
- Algorithms made public
-
Security Services
- Confidentiality
- Integrity
-
Feistel Cipher Structure
- Block Size
- Key Size
- Number of Rounds
- Subkey Generation Algorithm
- Speed of Execution
-
DES
- Feistel Product Cipher
-
3DES
- This is achieved by making the middle step of 3DES a DES decryption.
-
AES
- Rijndeal
- Advanced Encryption Standard
- Steps
- Byte Substitution
- Shift Rows
- Mix Columns
- Add Round Key
-
Cipher Block Modes
- ECB
- Electronic Code Book
- CBC
- Cipher Block Chain
- Initialisation Vector
- OFB
- CFB
- CTR
-
Issues
- Key Management
- Key Distribution Center
- Kerberos
- Authentication Protocol
- Application Layer
- Requirements
- Secure
- Reliable
- Transparent
- Scalable
- Security Services
- Entity Authentication
- Authorisation
- Access Control
- Steps
- Shortcoming
- Server
- Authentication Server
- Ticket Granting Server
- Secure Key Exchange Protocol
- Diffie-Hellman
- Key Exchange Protocol
- Needham-Schroeder
- Key Generation
- The bit sequence in the key should be random
- TRNG
- True
- Physical
- PRNG
- Pseudo
-
Overview
-
Asymmetric Encryption
- Public Key Encryption
-
Security Services
- Confidentiality
- Message Authentication
- Entity Authentication
-
Applications
- Encryption/Decryption
- Digital Signature
- Applications
- Time stamp, Nonce
- Digital Certificate
- Security Services
- Message Origin Authentication
- Integrity
- Hash Functions
- Unkeyed
- Keyed
- MAC
- Message Authenticator Code
- Operation
- Hashed MAC
- Hash Collision
- Birthday Attack
- Hash Standards
- SHA-1, SHA-2, SHA-3
- MD5
- Message Origin Authentication
- Non Repudiation (Origin)
- Trusted Third Party
- Key Exchange
- RSA
-
Diffie Hellman
- Key Exchange Protocol
- No Built In Authentication
- man in the middle attack
- Trust Third Party
- X.509 Certificate
- Third Party Certificate
- Applications
- S/MIME
- Secure Multipurpose Internet Email
- IP Security
- SSL/TLS
- Secure Socket Layer / Transport Layer Security
- SET
- Secure Electronic Transaction
- Comparison
-
Historical
-
Caesar CIpher
- Frequency Analysis Attack
- Brute Force Attack
- Vigenere Cipher
-
Caesar CIpher
-
Ciphertext
-
PKI
- Public Key Infrastructure
-
X.509 Authentication
-
Digital Signature
- Certificate uses the Digital Signature of the CA to authenticate the certificate
- Hashes
- Public Key Encryption
- Security Services
- Message Origin Authentication
- Integrity
- Non-Repudiation
-
Digital Certificate
- Used for
- digital signature
- message encryption
- Characteristics
- Any B with access to CA’s public key can recover A’s public key that was certified.
- No party other than the CA can modify the certificate without this being detected.
- Revocation
- Validate Period
- can be renewed
- CA provides a list of revoked certificates
- Reason?
-
Comparison
- Kerberos
- inside a large network
- X.509
- ideal for authentication and key exchange over the entire Internet
- Public Key Certificate
-
Certificate Authorities
- Subtopic 1
-
Digital Signature
-
IETF
- Internet Engineering Task Force
-
PKIX
- PKI system involving an X.509 Certificate
-
System
- Certificate Authority
- A Certification Authority is charged with issuing Digital Certificates and Certificate Revocations Lists.
- End User and Entities
- Certificate Registry or Repository
-
DIgital Documents
- Certificates
- Certificate Revocation Lists
- Effective Encryption
-
Encryption Algorithms
-
Operation
- Substitution
- Transposition
-
Keys
- Symmetric (SIngle Key)
- Asymmetric (Public Key and Private Key)
-
Way the plaintext processed
- Block
- Stream
-
Product Cipher
- Substitution
- Transposition
- Swap
- Bit Inversion
- Circular Shift
- XOR
-
Types
- Feistel Product Cipher
- Invertible and non invertible operation
- Non-Feistel Product Cipher
- only invertible operation
-
Operation
-
Confusion and Diffusion
-
Confusion
- Encryption Key
-
Diffusion
- Plaintext
-
Confusion
-
Attack Types
- Ciphertext Only
- Plaintext
- Chosen plaintext
- Chose ciphertext
- chosen text
-
Attack Methods
- Brute Force
- Exploit weakness in the encryption algorithm
-
Authentication
- 4
-
Access Restriction
- 6,11
-
Secure Networking & Protocols
- 5,7,8,9,10,12
-
Firewall
-
Security Services
- Access Control
-
Controls
- Service
- Direction
- User
- Behavior
-
Capabilities
-
Essential
- A single choke point for management of a network’s connection to the internet.
- A location for monitoring and logging security related events
-
Other
- Network Address Translation (NAT)
- IPSec tunnel mode station (the other is transport mode)
-
Essential
-
Limitations
- cannot protect against attacks bypass the firewall
- cannot protect against internal attacks
- cannot protect against the transfer of viruses
-
Types
-
Packet Filtering Firewall
- pro
- Simplicity
- Transparency To Users
- High Speed
- con
- Difficult of setting up packet filtering rules
- Lack of Authentication
- attacks
- IP Address Spoofing
- Fragmentation attacks
- Configuration
- Exclusive
- Inclusive
- Datalink, Network, Transport
-
Circuit Level Firewall
- pro
- con
- SOCKS
- Session
-
Apllication Level FIrewall
- pro
- Higher security than packet filters
- Only need to scrutinize a few allowable applications
- Easy to log and audit all incoming traffic
- caching web pages
- con
- additional processing overhead on each connection
- act as a replay of application-level traffic
- SQUID
- Application
-
Packet Filtering Firewall
-
Bastion Host
- critical strong point in the network’s security
- serves as a platform for an application‐level or circuit‐level gateway
- Single Purpose Device
-
Topology
- Packet Filtering Firewall Simple Topology
- SIngle Homed Bastion
- Dual Homed Bastion
- DMZ
-
Malicious
- attach itself to other programme and copy itself
-
Bacteria
- A malware program that deliberately replicates itself to consume large amounts of system resources
-
Worm
- A worm propagates itself like a virus, but requires a network to be transmitted
-
Trojan Horse
- masquerades as a useful legitimate program but which is actually designed for some other malevolent purpose
-
Logic Bomb
- Similar to a Trojan horse but usually involve a legitimate program that has been deliberately modified by someone with access to the source code
-
Trap Door
- A secret entry point into a program that allows access to resources controlled by the program
-
Easter Egg
- A piece of code put in by the programmers writing a particular application that does something harmless
-
Virus Type
- Parasitic
- Memory-Resident
- Boot Sector
- Stealth
-
Polymorphic
- Subtopic 1
-
Security Services
-
Email
-
PGP
- Pretty Good Privacy
-
Key Rings
- Own Public/Private Keys
- Other user’s Public Key
- How PGP works?
-
Secure Services
- Confidentiality
- encryption
- Integrity
- digital signature
- Message Origin Authentication
- digital signature
- Timeliness
- one time keys
-
Email Services
- Compression
- pkzip
- Base 64/ Radix 64 Encoding
- Segmentation
-
Techniques
- symmetric encryption
- public key encryption
- digital signatures
- genuine random numbers
-
Keys and Key Rings
- One time session key used for symmetric encryption
- Public Key of Users
- Private key of Users
- Passphase based symmetric keys
-
Key Distribution Mehtod
- Physical Deliver
- Mutual trusted friend
- Certifying Authority(CA) to verify the public key
-
Certificates
- X.509
-
Introducers
- a person sending a PGP certificate
-
Trust Levels
- Full
- Partial
- None
-
S/MIME
- Secure Multipurpose Internet Mail Extension
-
Algorithms
- Message Digesting
- SHA-1
- MD5
- Digital Signatures
- DSS
- Secret Key Encryption
- Triple DES
- RC2/40
- Public-Private Key Encryption
- RSA
- Diffie Hellman
-
PGP
-
Web
-
Common Security Concerns
- Confidentiality of Communication
- Integrity of Communication
- Message Origin Authentication
- Non Repudiation Origin and Destination
- TImeliness
- User/Client Specific Concerns
- Webmaster Specific Concerns
-
SSL/TLS
-
Security Services
- Confidentiality
- Encryption
- Integrity
- HMAC
- Entity Authentication
- X.509 Certificate
- Message Origin Authentication
- Non-Repudiation (Server) (Origin)
- Timeliness
- Sequence Numbers,
-
SSL
- Netscape
-
TLS
- IETF
- Can receive data from any application layer program and pass it down to the transport layer.
-
Communication Phases
- Establishment of the parameters for secure communication
- Handshake Protocol
- the secure exchange itself
- Record Protocol
-
Protocols
- Handshake
- Cipherchange
- Alert
- SSL Record
- How Works?
-
Security Services
-
IPSec
- IPSec is the most widely used layer 3 (network layer) protocol for VPN implementation
-
Security Services
- Confidentiality
- Integrity
- Data Origin Authentication
- TImeliness
- Traffic Flow Confidentiality
- Access Control
-
Modes
- Transport
- Tunnel
-
Layer
- Network
-
Protocols
- Authentication Header (AH) Protocol (Provides Authentication Services)
- Encapsulating Security Protocol (ESP Protocol) (Provides Authentication and Encryption
-
Algorithms
- Encryption
- 3DES
- RC5
- Rivest Cipher 5
- IDEA
- Three Key Triple IDEA
- CAST
- Blowfish
- Authentication
- HMAC-MD5-96
- HMAC-SHA-1-96
-
Default automated Key Management Protocol
- Oakley Key Determination Protocol
- Internet Security and Key Management Protocol (ISAKMP )
-
Benefits
- Transparent to application
- provide security to users
- Can provide security for all programs in and above layer 3
-
VPN
- Virtual Private Network
-
Essential Features
- Tunnelling
- Encapsulate
- Security
- Confidentiality
- Integrity
- Message Origin Authentication
-
SSL / SSH
- Transport Layers
-
Set Up Keys
- Manual Setup in a configuration file
- Key Exchange using the Oakley Key Exchange Protocol
-
Common Security Concerns
-
Intrusion
-
Password
- One-way encryption
- Access Control
-
Protection
- The purpose of salt
- Duplicate password don’t look the same in the password file
- Effective password length is increased by 2 characters
- Prevents hardware implementations of DES which could crack the password by a brute force attack
-
Password
-
Wireless
-
Benefits
- Flexibility
- Reduce cost in some case
- Facilitate WiFi only device
-
Disadvantages
- Security
- Possible Heath Effects
-
CSMA/CD
- Carrier Sense Multiple Access With Collision Detection
-
Wireless LAN Standards
-
IEEE 802.11
- a,b,g,n,i
-
IEEE 802.11
-
Ethernet
- IEEE 802.3
-
Organizations
- ITU-R
- IEEE
- Wi-FI Alliance
-
Configurable Wireless Parameters
- 802.11x protocols
-
Network Type
- Ad Hoc
- 1 Access Point
- BSS
- Basic Service Set
- Multiple Access Points
- ESS
- Extended Service Set
-
Authentication
- Open
- Shared
- WEP
- Wired Equivalent Privacy
- Problems
- Master keys are used directly
- Key Management and updating is poorly provided
- Message integrity checking is ineffective
- WPA
- WiFi Protected Access
- PSK(Pre-sharedKey)
- WPA2
- SSID
- Shared Service Set Identifier
-
Types of Attacks
- Rogue Access Points
- Man in the Middle Attacks.
- Denial Of Service
-
Association
- Beacons
- Probes
- Authentication
-
Stages of Process
- Probing
- Authentication
- Association
-
Benefits