Network Security

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

Cypher security

The security of a cipher (like a substitution cipher) may rest in the secrecy of its restricted algorithm. Whenever a user leaves a group, the algorithm must change.

Firewall restrictions

Restrict incoming and outgoing traffic by IP address, ports, or users. Block invalid packets. Concentrates security, but useless against insider attacks and has a single point of failure.

Botnet

A collection of compromised machines running programs. Used to DDoS etc.

Hash Functions

Map a message to a smaller value (hash). One way. Public description, No key. - Compression - Ease of computation MD5 hash function widely used: - Compute 128-bit message digest in 4-step process - Arbitrary 128-bit string x, appears difficult to construct message m whose MD5 hash is equal to x

Firewall: Screened subnet

Most secure. Two packet-filtering routers are used. Creation of an isolated sub-network which cannot construct direct routes to the internet, and the internet cannot see the subnet.

Network address translation

NAT is included as part of a router and is often part of a corporate firewall. Maps: •A local IP address to one global IP address statically •A local IP address to any of a rotating pool of global IP addresses that a company may have •A local IP address plus a particular TCP port to a global IP address or one in a pool of them •A global IP address to any of a pool of local IP addresses on a round-robin basis Users can see out, but the Internet cannot see in. Extra security measure.

Internet Key Exchange Phase 1

Negotiate protection suite by each peer agreeing on a common (shared) IKE policy, Use Diffie-Hellman to establish shared secret, unidirectional IKE SA Aggressive mode: 3 messages exchanged: -> list of protection suites, Diffie-Hellman public key value, his nonce and his identity <- selected protection suite, Diffie-Hellman public value, his nonce, his identity, and authentication payload -> authentication payload Main mode: • Negotiate crypto algorithms (2 rounds) • Alice and Bob do anonymous Diffie- Hellman key exchange (2 rounds) • Alice sends "Alice" plus a proof that she is Alice, all encrypted using g^(ab)

Non-repudiation

Offer of evidence that a party indeed is the sender or a receiver of certain information

Confidentiality

protection of any information from being exposed to unintended entities. Only sender, intended receiver can "understand" msg (encryption -> decryption)

Data Encryption Standard (DES)

• 64 bit block size cipher • 56 bit key size

Certificates

• Certificates ≠ Signature (certificates are implemented with sigs) • Certificates ≠ Authentication (authentication can be implemented with certificates)

Firewall design

• Default deny: everything not expressly permitted is prohibited. Not permissive. • Default permit: everything not expressly prohibited is permitted, sysadmin reacts to threats as discovered

Security Model

• Design an algorithm for performing the security-related transformation • Generate the security information to be used with the algorithm • Develop methods for the distribution and sharing of the security information • Specify a protocol to be used by the two principals

Outbound Packet Processing

• Form ESP payload • Pad as necessary • Encrypt result [payload, padding, pad length, next header] • Authenticate • Anti replay (uses a counter that increments, with a value attached to the packet)

Asymmetric key (aka public key) Cyphers

• Pair of keys: one encrypts and another decrypts • One key (the private key) must be kept secret; the other key (the public key) can be freely disclosed • Slow • Difficult key generation

Inbound Packet Processing

• Sequence number checking (number checked and duplicate packets discarded) • Packet decryption (Decrypt quantity [ESP payload,padding,pad length,next header] per SA specification) • Authentication verification

Replay Attack

1) A →B : { Pay Eve £5 }for kabab 2) E →B : { Pay Eve £5 }for kabab Attacker can repeat messages!

Monitor & response

Facilities for monitoring security attacks, generating indications, surviving (tolerating) and recovering from attacks.

Access control

Facilities to determine and enforce who is allowed access to what resources, hosts, software, network connections.

Firewall configurations

Firewall systems often support NAT. Bastion Host: - A system identified by the administrator as a critical strong point in the network's security - The bastion host serves as a platform for an application level gateway • Screened host dual-homed • Screened subnet

RSA Security

- Relation to factoring • n = pxq • given n, p and q are hard to calculate (NP) - Discrete logarithm • C = M^e mod n • given C, e, and n, M is hard to calculate (NP) - Long keys

Public Key Infrastructure (PKI)

- Secure, reliable, and scalable method for distributing public keys. - "Binds" the owner to the public key using a digital certificate. PKI is a key management solution.

Authenticated Header

- Data integrity (entire packet has not been tampered with) - Authentication (Can "trust" IP address source,uses MAC to authenticate) - Anti-replay feature - Integrity check BEING MADE OBSOLETE BY ESP

Password Guessing

- Dictionary attack - Brute force

Firewall: Screened host dual-homed

- In single-homed, if packet-filtering router is completely compromised, traffic flow directly to private network - In dual-homed, traffic between the Internet and other hosts on the private network has to flow through the bastion host too

Firewall: Screened host single-homed

- A packet-filtering router, only packets from and to the bastion host are allowed to pass through the router - A bastion host performs authentication and proxy function • Greater security than single configurations

Digital Signature Verification

- hash the data - decrypt the signature with the sender's public key - the result of which should match the hash

Digital Signatures

- hash the data - encrypt the hash with the sender's private key to get a signature - send data with the signature

Security Parameter Index

A 32 bit entry that uniquely identifies an SA at the receiver end. Sent with the packet

Security Association

A Security Association (SA) is the establishment of shared security attributes between two network entities to support secure communication. Includes attributes such as: cryptographic algorithm and mode; traffic encryption key; and parameters for the network data. Data flows one way.

Security Association Bundle

A group of Security Associations. Can apply to a single packet.

Firewall

A mechanism that acts to restrict access to a network according to a set of defined rules. Only authorised traffic should be allowed to pass, but all traffic must be checked.

Message Authentication Code (MAC)

A message digest is created with a key. This adds security to the message digest, by requiring a secret key to be possessed by both parties in order for the receiver to validate the message. The same message and key always produces an identical authentication code.

Threat

A potential violation of security (design flaws etc)

Packet sniffing

A program running in a network-attached device that passively receives all data link-layer frames passing by a device's network adapter.

Security Policy

A statement of what is, and is not allowed.

Certificate Authority

A trusted agent who certifies public keys for general use - User has to decide which CAs can be trusted. - Verifies and vouches for the identity information in a Certificate

Attack

Action that violates security. Active adversary.

Message Authentication

An authenticator, signature, or message authentication code (MAC) is sent along with the message. Authenticator comes from hash function or MAC.

Ciphertext

An encrypted message.

Diffie-Hellman key agreement protocol

Allows two users to exchange a secret key over an insecure medium without any prior secrets Public parameters: - p: prime number - q: an integer less than p, with the following property: for every number n between 1 and p-1 inclusive, there is a power k of g such that n = g^k mod p (i.e. primitive root of p) - Based on the difficulty of computing discrete logarithm of large numbers • the hosts next generate the public keys • the two host now exchange the public keys and the exchanged numbers are converted into a secret key

Authentication

Assurance that an entity of concern or the origin of a communication is authentic. Everyone is who they say they are.

Integrity

Assurance that the information has not been tampered with.

TCP session hijacking

B initiates a connection with A and is authenticated by a malignant application on A.

CA Hierarchy

CAs usually certify each other. There is often one root CA, with many CA children.

IPSec

Confidentiality, Integrity, Data source authentication, Replay protection, Access control. Mandatory for IPv6

Passive attacks

Data Interception, Traffic Analysis. Difficult to detect.

Certificate Revocation

Key compromise, CA compromise, affiliation changed (changing DN or other attribute), superseded (replaced), cessation - no longer needed

Firewall: Stateful packet inspection

Highly advanced and secure. • Examines all parts of the IP packet • Determine the state of each packet • Filters packets at the network layer • Secure and fast, but complex and expensive

IPSec Key Management

IPSec = heavy consumer of symmetric keys, one for each SA SAs for: {ESP,AH} x {tunnel,transport} x {sender, receiver}. Keys come either from manual typing, or the Internet Key Exchange.

Encapsulating Security Payload

IPSec protocol providing authentication, integrity and confidentially of network packets data/payload.

Trojan Horse

Innocuous program containing additional malignant code.

Active attacks

Interruption (DoS), Modification (Trojan, Virus), Fabrication (Spoofing, man-in-the-middle).

Internet Key Exchange

Invoked when the two nodes wish to communicate securely but the SAs are yet to be established. IKE solves generation of a symmetric key for a session of IPsec but without PKI man-in-the-middle attack is possible. IKE creates bidirectional SAs (not the same as IPsec SAs, but they can be converted to them)

Key

It is a variable value that is used by cryptographic algorithms to produce encrypted text, or decrypt encrypted text. Longer keys are more secure.

Nonces

Locally generated pseudorandom numbers.

Security Association Database

Maintains a lists of active SA's for inbound and outbound processing. Contains lifetime of SA, AH and ESP information, tunnel or transport mode. Every host or gateway participating in IPSec has their own SA database

Security Policy Database

Policy entries define which SA or SA Bundles to use on IP traffic. Each host or gateway has their own SPD. Contains a list of rules. Can either discard a packet, bypass it (do not apply security) or protect.

Phishing

Scam by which an e-mail user is duped into revealing sensitive information such as passwords and credit card details.

Distinguished names (DN)

Single, globally unique names that everyone could use when referring to an entity - legally meaningful. Country//Locality name//Organisation name//Organisation unit name//Common name

Security Parameters Index

The SPI allows the destination to select the correct SA under which the received packet will be processed (according to the agreement with the sender) The SPI is sent with the packet by the sender.

Encryption

The process of disguising a message in such a way as to hide its substance.

Decryption

The process of returning an encrypted message back into plaintext.

Transport Mode

The transport mode encrypts only the payload and ESP trailer; so the IP header of the original packet is not encrypted.

Registration Authority

Trusted agent for the CA. Performs certification etc for a CA.

Tunnel Mode

Tunnel mode protects the internal routing information by encrypting the IP header of the original packet. The original packet is encapsulated by a another set of IP headers. ESP applies only to the tunneled packet.

Internet Key Exchange Phase 2

Two session keys (for encryption+decryption) defined in phase 1. Negotiates Security Associations on behalf of other services like IPsec. Only in quick mode.

Manual Key Management

Useful when IPSec developers are debugging. Exchanged via email etc.

Virus behaviour

Viruses attach themselves to other programs.

Worm behaviour

Worms copy themselves computer to computer.

Security Mechanism

a procedure, tool, or method of enforcing a policy. (prevent, detect, and respond to recovery from attacks)

IP Spoofing

can generate "raw" IP packets directly from application, putting any value into IP source address field. Receiver can't tell if source is spoofed.

Denial of Service (DoS)

flood of maliciously generated packets to "swamp" receiver to prevent or inhibit the normal use or management of communications facilities. DDoS is distributed.

Symmetric key (aka secret key) Cyphers

• Use same key to encrypt and decrypt • One key shared and kept secret • All keys need to be replaced, if one key is compromised • Fast to encrypt, used for personal data. • Key maintenance is expensive. When new user joins group, everyone involved in key generation.

Firewall: Application level proxy server (application layer)

• What are you trying to do? (rarer) • Block all unless specifically allowed • Resource intensive, and must write new proxy application for new protocols • Poor performance and scalability but secure

Firewall: Packet filters (network layer)

• Where did you come and where are you going? Don't care what you do once you get there. • Decisions made on a per-packet basis • No state information saved • High performance but low security

RSA

• de-facto standard • Public-key cryptosystem: encryption and Authentication Encryption: - (a) Obtain Alice's authentic public key (n, e). - (b) Represent the message as an integer m in the interval [0; n -1]. - (c) Compute c = m^e mod n - (d) Send the cipher text c to Alice Decryption: - Use the private key d to recover m = c^d mod n


Ensembles d'études connexes

Chapter 7: Entrepreneurship and Starting a Small Business

View Set

Health assessment exam 3 Fall 2023

View Set

Soc Final Exam - Comprehensive Review

View Set