Final study

What is IPsec and what security protections does it provide?

- Provides integrity, confidentiality and authentication. - IPsec includes protocols for establishing mutual authentication between agents at the beginning of a session and negotiation of cryptographic keys to use during the session. - IPsec can protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). - IPsec supports network-level peer authentication, data-origin authentication, data integrity, data confidentiality (encryption), and replay protection.

What are the 5 phases of the 802.11 RSN operation used to establish a RSNA.

- Phase 1: Discovery. The STA identifies an AP for a WLAN with which it wishes to communicate. The STA locates an AP either by receiving one of the AP's periodic transmissions of Beacon frames, or by sending a Probe Request to solicit a Probe Response from an AP. After the STA has identified an AP, the STA and the AP exchange frames to negotiate various parameters for their communications. By the end of the phase, the STA and AP have established a security policy that specifies several key security capabilities, such as data confidentiality and integrity protocols for protecting traffic, an authentication method, and a key distribution approach. - Phase 2: During this phase, the STA and AS prove their identities to each other. The authentication frames pass through the AP, which also blocks non-authentication traffic from the STA using IEEE 802.1X port-based access control. The actual authentication mechanism is implemented by the STA and AS using EAP, which provides a framework that allows the use of multiple methods for achieving authentication, including static passwords, dynamic passwords, and public key cryptography certificates. After authentication has been completed, the AAA key is installed in the STA and AS; it serves as a root key to enable the generation of other keys used to secure communications between the STA and AP. - Phase 3: Key Generation and Distribution (KGD). During the KGD phase, the AP and the STA perform several operations that cause cryptographic keys to be generated and placed on the AP and the STA. The KGD phase employs two types of handshakes: a 4-Way Handshake and a Group Key Handshake. Both employ message encryption and integrity checking, using one of two confidentiality and integrity algorithms. For both types of handshakes, NIST requires the use of AES Key Wrap with HMAC-SHA-1-128 instead of RC4 encryption with HMAC-MD5 because AES and SHA-1 are FIPS-approved algorithms, and RC4 and MD5 are not. - Phase 4: Protected Data Transfer. Frames are exchanged between the STA and the end station through the AP. As denoted by the shading and the lock and key, secure data transfer occurs between the STA and the AP only; security is not provided end-to-end. - Phase 5: Connection Termination. The AP and STA exchange frames. During this phase, the secure connection is torn down and the connection is restored to the original state.

What is a honeypot and what advantages does it provide?

A honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site, but is actually isolated and monitored, and that seems to contain information or a resource of value to attackers, who are then blocked. A honeypot can: • Divert attackers from critical systems • Help detect intrusion attempts, as any connection to a honeypot can be viewed as unauthorized • Observe intrusion to gain information about the attacker, and about the intrusion method. Advantages: - Honeypots will only gather data if an interaction is taking place. the smaller data sets means there is less cost and that it is easier to recognize and act on unwarranted access. Other intrusion detection systems produce lots of warnings and use a lot more resources than honeypots. - A lot of the warnings produced by normal IDS' are generally false. If enough false alerts are produced, the system may be ignored by administrators. - Intrusion detection systems may have trouble recognizing undetermined behaviors or attacks. - Honeypots do not use as many resources as IDS' use. The bigger a network is, the more resources the IDS needs. Disadvantages: - They can only monitor activity if there is an interaction with it. This means any attacks on a different system are missed by the honeypot. -Cyber attackers can take control of them and use them to damage different systems on the network

What is a PKI?

A public key infrastructure (PKI) binds public keys to entities, enables other entities to verify public key bindings, and provides the services needed for ongoing management of keys in a distributed system. PKI integrates digital certificates, public key cryptography, and certification authorities into a complete enterprise-wide network security architecture. A typical enterprise's PKI encompasses the issuance of digital certificates to individual users and servers; end-user enrollment software; integration with certificate directories; tools for managing, renewing, and revoking certificates; and related services and support.

Revocation is withdrawing certificates (e.g., due to private key being compromised). Name the four approaches.

Alternative approaches: Certificate Revocation List (CRL) - Centralized or replicated Online certificate verification - Online Certificate Status Protocol (OCSP) - Server-based Certificate Validation Protocol (SCVP) Fast expiration - e.g., certificate lifetime between 5 minutes and 24 hours

DoS network based attack can be classified into three types. Name them!

Application layer attacks, exploiting a weakness at the application layer - E.g., HTTP flood Protocol attacks, exploiting a weakness in the (network/transport layer) protocol - E.g., SYN flooding Volumetric (or volume based) attacks, exhausting the bandwidth capacity of the target through high volumes of traffic - E.g., DDoS flooding

What is DNS-based Authentication of Named Entities (DANE)?

DANE allows you (as a domain owner) to specify the possible CA's that are allowed to generate a certificate for your domain. This prevents rogue Ca's to issue a certificate (it will be invalidated by a client that uses DANE to validate the certificate). DANE allows for specifying within DNS records what certificate should be used for a given site, or what CA is allowed to issue certificates for that site - Relies on DNSSEC for authenticating DNS records - May replace or augment the use of CAs

What are advantages and disadvantages of using firewalls? What about limitations?

If everything on the internal network is secure, firewalls might not be needed...but generally firewalls are required Advantages: • May mitigate the consequences of configuration errors, user mistakes, etc. • Provides some protection against vulnerabilities being exploited before being patched/fixed • Provides protection against port scanning etc. • Facilitates network monitoring and intrusion detection (by "reducing noise" on the internal network) Limitations: • Provides limited protection against many threats (e.g., inside threats, malicious content, phishing,...) • Can not protect against attacks bypassing the firewall filter (e.g., through WLAN, cellular network, SSH/VPN tunnel,..)

What are the advantages and limitations of firewalls?

If everything on the internal network is secure, firewalls might not be needed...but generally firewalls are required Advantages: • May mitigate the consequences of configuration errors, user mistakes, etc. • Provides some protection against vulnerabilities being exploited before being patched/fixed • Provides protection against port scanning etc. • Facilitates network monitoring and intrusion detection (by "reducing noise" on the internal network) Limitations: • Provides limited protection against many threats (e.g., inside threats, malicious content, phishing,...) • Can not protect against attacks bypassing the firewall filter (e.g., through WLAN, cellular network, SSH/VPN tunnel,..)

What is the Calois Counter Mode (GCM) in symmetric cryptography?

In applications needing both integrity and privacy, the standard procedure used to be to first calculate a MAC on the message using one key, and then CBC encrypt it using a different key. (If the same key is used for both encryption and authentication, then the security of the latter is no longer guaranteed; cut-and-splice attacks are still possible.) In CBC mode, you encrypt a block of data by taking the current plaintext block and exclusive-oring that wth the previous ciphertext block (or IV), and then sending the result of that through the block cipher; the output of the block cipher is the ciphertext block. GCM mode provides both privacy (encryption) and integrity. To provide encryption, GCM maintains a counter; for each block of data, it sends the current value of the counter through the block cipher. Then, it takes the output of the block cipher, and exclusive or's that with the plaintext to form the ciphertext. • Mode of operation that combines encryption and authentication (i.e., authenticated encryption) • To be used with 128-bit block cipher (typically AES) • Uses a variation of CTR mode encryption for confidentiality • Uses a keyed hash function to create the authentication tag

SHA-1 and SHA-2 both make iterative use of a compression function (Merkle-Damgard construction). Describe it!

Merkle-Damgard construction is a method of building collision-resistant Cryptographic Hash Functions from collision-resistant one-way compression functions. Merkle-Damgard construction was used in the design of many popular hash algorithms such as MD5, SHA-1 and SHA-2. The Merkle-Damgård hash function first applies an MD-compliant padding function to create an input whose size is a multiple of a fixed number (e.g. 512 or 1024) — this is because compression functions cannot handle inputs of arbitrary size. The hash function then breaks the result into blocks of fixed size, and processes them one at a time with the compression function, each time combining a block of the input with the output of the previous round.

What is the Internet Key Exchange (IKE) protocol in IPsec?

Internet Key Exchange (IKE) is a protocol defined to allow hosts to specify which services are to be incorporated in packets, which cryptographic algorithms will be used to provide those services, and a mechanism for sharing the keys used with those cryptographic algorithms. Internet Key Exchange (IKE) provides key exchange and is used in establishing SA. - Based on Diffie-Hellman - Employs cookie mechanism to mitigate clogging/DoS attacks (similar to what we saw for DTLS) - Uses nonces to protect against replay attacks - Authenticated e.g., signature or MAC (using certificate or pre-shared key) NOTE: A security association (SA) is a relationship between two or more entities that describes how the entities will use security services to communicate securely.

What is the IEEE 802.11i amendment in wireless security

It introduces the concept of Robust Security Network (RSN). An RSN is defined as a wireless security network that only allows the creation of Robust Security Network Associations (RSNA). An RSNA is a logical connection between communicating IEEE 802.11 entities established through the IEEE 802.11i key management scheme, called the 4-Way Handshake, which is a protocol that validates that both entities share a pairwise master key (PMK), synchronizes the installation of temporal keys, and confirms the selection and configuration of data confidentiality and integrity protocols. The entities obtain the PMK in one of two ways—either the PMK is already configured on each device, in which case it is called a pre-shared key (PSK), or it is distributed as a side effect of a successful EAP authentication instance, which is a component of IEEE 802.1X port-based access control. The PMK serves as the basis for the IEEE 802.11i data confidentiality and integrity protocols that provide enhanced security over the flawed WEP.

How does MACsec work and what does it do?

MACsec adds a SecTag and an Integrity Check Value (CV) fields to the ethernet frame, and provides optional encryption. The SecTAG contains information that helps the recover identify the decryption key, as well as a packet number (for replay protection). The payload, along with EtherType and Headers are optionally encrypted. The ICV, generated by the GCM-AES, guarantees that the packet was indeed created by a node which was in possession of the key, and hasn't been modified on the way. A secure channel is established, unidirectional and point-to-(multi)point through a Secure Association. If an authenticated encryption mode is used the Integrity Check Value (ICV) may be omitted. The ICV is also omitted if integrity protection is not selected.

How can ARP poisoning attacks be prevented?

Not accepting unsolicited ARP replies prevents one way of performing ARP spoofing, but does not solve the problem. Intrusion detection like systems may also be utilized to detect ARP spoofing Secure Neighbor Discovery Protocol (SEND) for IPv6 provides a solution, but support/deployment is so far limited. (Use of IPsec would require manual key distribution due to IKE bootstrapping problem) • Proof of address ownership trough use of Cryptographically Generated Addresses (CGA) - I.e., address is generated from the nodes public key • Message authentication by signing messages using the private key corresponding to the public key used for generating the CGA • Replay protection through nonce (solicited) or timestamp (unsolicited) • Validation of router authorization based on certificate issued by third party

What are the main advantages of WPA3 compared to WPA2?

Official "Significant improvements include mandatory protection of control frames for both personal and enterprise networks, WPA3-SAE instead of WPA2-PSK for Personal networks and a 192- bit mode for WPA3-Enterprise. Also see the slides and reading assignments." WPA3 offers 128-bit encryption in WPA3-Personal mode (192-bit in WPA3-Enterprise) and forward secrecy. WPA3 also replaces the Pre-Shared Key (PSK) exchange with Simultaneous Authentication of Equals, a more secure way to do initial key exchange. - (EC)DHE key exchange, using RSA or ECDSA for authentication - AES256-GCM(GCMP-256) for authenticated encryption - HMAC-SHA384 for key derivation and confirmation WPA3 also uses AES-GCMP. With WPA3-Simultaneous Authentication of Equals (SAE) the attacker can only make one password guess per attack. The only information the attacker gains is whether this guess is corrector not. Cannot perform dictionary/brute-force attacks off-line. Gains no information about password through eavesdropping Also provides compromise of shared (session) secret won't help attacker in later sessions Also provides a variation of a the password authenticated key-exchange Dragonfly First up is its vulnerability to offline brute-force password-guessing attacks. With WPA2 an attacker is able to capture some of your Wi-Fi data, and take it away to repeatedly guess its password offline. WPA3 fixes this by only allowing you one offline password-guess, making brute force attacks almost impossible to conduct via this method. Next up is a feature called 'forward secrecy'. Under the current standard, if an attacker gets into your network, then they'll be able to uncover all your past data. WPA3's changes mean that in the future an attack will only compromise ongoing traffic. Obviously not ideal, but it's better than having access to everything.

What are the security goals for the Chromium security architecture?

Preventing: • Persistent malware (malware must not survive browser close) • Transient keylogger (keylogger must not survive browser close) • File theft/writing Out of scope: • Phishing • Origin isolation (an attacker who compromise the rendering engine may act on behalf of any web site) • Firewall circumvention (supposed to be prevented by SOP) • Web site vulnerabilities (e.g., XSS or CSRF)

What is RSA (symmetric)?

RSA is an asymmetric system , which means that a key pair will be generated , a public key and a private key , obviously you keep your private key secure and pass around the public one. RSA is rather slow so it's hardly used to encrypt data , more frequently it is used to encrypt and pass around symmetric keys which can actually deal with encryption at a faster speed. - Generate two large random primes p and q, and compute n=p·q - Choose integers e and d such that: e·d = 1 (mod (p-1)(q-1)) - The resulting keypair is: Public key = (e,n) and Private key = (d,n) - Encryption: C = Me (mod n) - Decryption: M = Cd (mod n)

With the addition of the IEEE 802.11i, IEEE 802.11 offers two general classes of security capabilities for IEEE 802.11 WLANs. The first class, pre-RSN security, includes the legacy security capabilities developed in the original IEEE 802.11 specification: open system or shared key authentication for validating the identity of a wireless station, and WEP for the confidentiality protection of traffic. The second class of security capabilities includes a number of security mechanisms to create RSNs. Describe the RSN and its three features.

RSN's security features apply only to the wireless portion of the overall network, not to communications on wired networks. The RSN provides these three features - Access control: this is provided through the iEE 802.1X port-based access control. The RSNA relies on this to provide an authentication framework. - Authentication and key generation: This is provided through the EAP, a means to providing mutual authentication between STAs and the WLAN infrastructure, as well as performing automatic cryptographic key distribution. - Confidentiality, Data origin authentication and integrity and replay protection: This is provided either through the TKIP (WPA1) or CCMP (WPA2). TKIP was created to allow already-deployed devices to address the numerous inadequacies of WEP.

What security is provided by STARTTLS, DKIM, SPF, and DMARC?

STARTTLS: An SMTP command initiating a TLS handshake - Relay-to-relay(i.e.,hop-by-hop) opportunistic encryption - Provides protection against passive eaves droppers - Also defined for other protocols (e.g., IMAP and POP) Domain Keys Identified Mail (DKIM): Sender appends a DKIM- signature to the email enabling the receiver to authenticate the sending domain - public key published through DNS Sender Policy Framework (SPF): allows an organization to publish a range of servers that are authorized to send mail for its domain Domain-based Message Authentication, Reporting and Conformance (DMARC) builds on DKIM and SPF - Provides for senders publishing a DNS record specifying whether it supports DKIM and/or SPF, thereby suggesting a policy for authenticating received mail

What are the advantages and disadvantages of different detection approaches (signature, anomaly, stateful, network behavior analysis)?

Signature-based: + Effective at detecting known attacks (or known improper events) - May be fooled by evasion techniques - Does not consider more complex interrelations between events - May require access to encrypted payload Anomaly-based: + May detect previously unknown intrusions/attacks - May create a high amount of false positives - Profile (dynamic or static) may be tainted Stateful protocol analysis: + Identifies unexpected use of protocols (but that's it) - Resource intensive - Must be tailored to the specific protocol/application Network behavior analysis (flow based): + Can support high data rates and encrypted traffic is not a problem - Not a replacement for other intrusion detection approaches

List four active attacks!

Spoofing/masquerade/fabrication/impersonation. Man-in-the middle attacks may be seen as a special case of masquerade (where Darth masquerades as Bob to Alice and as Alice to Bob). Replay: Capture message from Bob to Alice; later play message to Alice. Can be repeated. Modification of messages (Tampering). Darth modifies message from Bob to Alice. Denial-of-Service attacks. This is caused by suppressing selected message, and depleting, disabling or overloading (network or end-system) resources. This includes distributed denial-of-service (DDoS) attacks. Overly restrictive or resource expensive security mechanisms may contribute to DoS.

The Handshake Protocol is initiated when a client creates a connection to a server. Describe the TLS 1.2 session establishment.

Step 1: The entire connection/handshake begins with the client sending a "client hello" message to the server. This message consists of cryptographic information such as supported protocols and supported CipherSuites. It's also comprised of a random value or random byte string. Step 2: In response to the client's "client hello" message, server responds with "server hello" message. This message includes the CipherSuite that the server has chosen out of the ones offered by the client. The server also sends its certificate along with the session ID and another random value. Step 3: Now the client verifies the certificate sent by the server. Once the verification is done, it sends a random byte string, also called "pre-master secret," and encrypts it using the public key of server's certificate. Step 4: Once the server receives the pre-master secret, the client, and server both generate a master key along with session keys (ephemeral keys). These session keys will be used to symmetrically encrypt the data. Step 5: Now the client sends a "Change Cipher Spec" message to the server to let it know that it's going to switch to symmetric encryption with the help of session keys. Along with it, it also sends "Client Finished" message. Step 6: In reply to the client's "Change Cipher Spec" message, the server does the same and switches its security state to symmetric encryption. The server concludes the handshake by sending "server finished" message.

What are the main changes in TLS 1.3 compared to previous versions?

TLS 1.3 contains improved security and speed. The major differences include: - The list of supported symmetric algorithms has been pruned of all legacy algorithms. The remaining algorithms all use - A zero-RTT (0-RTT) mode was added, saving a round-trip at connection setup for some application data at the cost of certain security properties. - Static RSA and Diffie-Hellman cipher suites have been removed; all public-key based key exchange mechanisms now provide forward secrecy. - All handshake messages after the ServerHello are now encrypted. Key derivation functions have been re-designed, with the HMAC-based Extract-and-Expand Key Derivation Function (HKDF) being used as a primitive. - Compression, custom DHE groups, and DSA have been removed, RSA padding now uses PSS. - TLS 1.2 version negotiation verification mechanism was deprecated in favor of a version list in an extension.

The IEEE 802.11i amendment defines an RSN as a wireless network that allows the creation of RSN Associations (RSNA) only. An RSNA is a security relationship established by the IEEE 802.11i 4-Way Handshake. Briefly describe the 4-way handshake.

The 4-Way Handshake validates that the parties to the protocol instance both possess a pairwise master key (PMK), synchronizes the installation of temporal keys, and confirms the selection of cipher suites. The PMK is the cornerstone for a number of security features absent from WEP. With RSNAs there are several inter-related keys that underlie the security functions of encryption, authentication, and integrity. IEEE 802.11i defines two key hierarchies for RSNAs that specify the inter-relations of the keys. The two key hierarchies are the Pairwise Key Hierarchy, which is designed for unicast traffic protection, and the Group Key Hierarchy, which is intended for multicast/broadcast traffic protection

What is DNSSEC?

The Domain Name Security Extension (DNSSEC) provides message authentication to DNS messages through the use of digital signatures. Thus, DNSSEC protects against DNS cache poisoning, and can also be used to authenticate other data published through DNS (e.g., public keys).

How and to what extent do RPKI and BGPsec mitigate BGP vulnerabilities?

The hosted Resource Certification (RPKI) service allows you authorise all legitimate BGP announcements that are made with your address space in an intuitive web interface. A Route Origin Authorisation (ROA) is a cryptographically signed object that states which Autonomous System (AS) is authorised to originate a certain prefix. This means ROAs say something about the BGP announcements that are done with your address space. A ROA contains three informational elements: - The AS Number that is authorised - The prefix that may be originated from the AS - The Maximum Length of the prefix Origin validation based on RPKI is not sufficient, as the authenticity of the entire AS path must be validated. We use BGPsec in addition. BGPsec validates that the sequence of ASs in the AS Path represents the actual propagation of the BGP route announcement. Each AS on the path signs: - the signature of the received BGP update, - the local AS number, - the next AS number - the hash of the signing router's public key The AS originating the route additionally signs - the address prefix - the expiry time of the route

Both AH and ESP support two protocol modes: Transport and Tunnel mode. Explain them!

Tunnel mode (typically used for gateway-to-gateway/host security, VPN): - ESP: Protects the entire inner IP packet (including header), but not the outer IP header. - AH: Authenticates the entire inner IP packet (including header), and selected parts of the outer IP header (including selected IPv6 extension headers). In tunnel mode, a new IP packet is generated to include the AH or ESP packet containing itself the unchanged original IP packet. In this mode, there are always two IP headers. The outer header is used for routing the packet and the inner header, which can be encrypted when using ESP with the privacy service, is only processed by the recipient (of the outer packet). The inner header will be ignored by the network equipment located between the transmitter and receiver. This provides a "tunnel" through the network. Usually used between secured network gateways, IPsec tunnel mode enables hosts behind one of the gateways to communicate securely with hosts behind the other gateway. Transport mode (typically used for end-to-end security): - ESP: Protects the IP payload, but not the IP header (except IPv6 extension headers following the ESP header) - AH: Authenticates the IP payload and selected parts of the IP header (including selected IPv6 extension headers) - Less overhead than tunnel mode, but does not provide traffic flow confidentiality. In transport mode, the data associated with AH or ESP are directly inserted into the original IP packet (i.e. the one that would have been sent in the absence of IPsec). The resulting IP packet contains an AH or ESP packet itself containing the initial payload of the packet (e.g., a TCP segment). When two individual hosts set up a directly connected IPsec VPN connection, the circuit can be said to be an example of a transport mode IPsec circuit.

Let A be a user who needs to access a service from B, and let C be the KDC in a Kerberos Realm. A simplified version of the Kerberos protocol has 5 messages as follows. Let NA denote a nonce from A, let TE denote Time Expiry, let TS denote Time Stamp, let kAB denote a symmetric key shared between A and B, and let {}kAB denote encryption of by kAB. 1. A → C : A,B, TE,NA 2. C → A : {TE,NA,B, kAB}kAC, {kAB,A, TE}kBC 3. A → B : {kAB,A, TE}kBC, {TS1}kAB 4. B→ A:{TS2}kAB 5. A → B : {f(TS2)}kAB This protocol is intended to achieve three properties: a. key authentication: only Alice and Bob can be in possession of kAB b. key confirmation: Alice and Bob actually possess kAB c. key freshness: key kAB has not been used before For each of these three properties, identify which message fields are designed to provide that property for Alice (A). Explain how Alice can check these properties using the messages she receives.

a) Key authentication is provided by the encryption of the session key kAB from C for only Alice and Bob. For Alice, inclusion of Bob's identity B in the encrypted: {TE,NA,B, kAB}kAC in message 2 tells Alice that the key is sent only to Bob (as well as Alice). b) The authenticators in messages 3 and 4 provide key confirmation. For Alice, the authenticator {TS2}kAB in message 4 from Bob allows Alice to check that Bob really has the session key kAB since he cannot form a valid authenticator without it. c) Key (i.e., ticket) freshness is provided by the nonce NA returned in message 2 (for Alice) and the expiry time TE in the ticket , {kAB,A, TE}kBC (for Bob). When Alice gets back the encrypted field: {TE,NA,B, kAB}kAC in message 2, she checks that the nonce NA is the same as the one she sent to C in message 1.

What are the requirements for cryptographic hash functions, i.e., what they supposed to do.

n cryptography, a preimage attack on cryptographic hash functions tries to find a message that has a specific hash value. A cryptographic hash function should resist attacks on its preimage. - Preimage resistance (one-way): For any given output y, it is computationally infeasible to find x such that H(x) = y - Second preimage resistance (weak collision resistance): it is computationally infeasible to find any second input which has the same output as that of a specified input, i.e., given x, it is difficult to find a second preimage x′ ≠ x such that h(x) = h(x′). - (Strong) collision resistance: It is computationally infeasible to find any pair (x, y) such that H(x) = H(y), i.e. district inputs. With presage attack, you already know one X. With collision resistance, you have more freedom, for you need to find any pair that matches.

Machine learning based detection approaches may be subject to specific attacks. What are these attacks?

• Causative/poisoning attacks: The attacker tries to influence the training set of the classifier in order to cause later misclassification, especially a concern when continuous training is performed • Evasion attack: the attacker (potentially with knowledge of the training set and classifier?) tries to shape the data to be classified in such a way as to escape detection • Model data leakage: The attacker may be able to infer data from the training set by probing the classifier - especially a concern if the training data is sensitive