Summary
Wireless Network Security has the 802.11i RSN protocol (WPA2 when used with CCMP). Describe its port-based access control.
"An unauthenticated station is only allowed to communicate with the authentication server over an uncontrolled port (using the Extensible Authentication Protocol), while its access to other wireless stations or the distribution system is blocked by so called controlled ports. See the reading assignment and slides." Until successful authentication occurs between a STA and the AS, the STA's communications are blocked by the AP. Because the AP sits at the boundary between the wireless and wired networks, this prevents the unauthenticated STA from reaching the wired network. The technique used to block the communications is known as port-based access control. IEEE 802.1X can control data flows by distinguishing between EAP and non-EAP frames, then passing EAP frames through an uncontrolled port and non-EAP frames through a controlled port, which can block access. IEEE 802.11i extends this to block the AP's communication until keys are in place as well. Thus, the IEEE 802.11i extensions prevent a rogue access point from exchanging anything but EAP traffic with the STA's host.
Six of the security design principles are economy of mechanism, least privilege principle, complete mediation, fail-safe defaults, defense in depth, separation of privilege/duty. Describe them briefly!
- Economy of mechanism: The economy of mechanism principle states that one should keep the design as simple as possible, in other words that one should avoid unnecessary complexity. This is an important principle as complexity is prone to lead to errors (e.g., design/implementation/configuration/usage errors due to misunderstandings, oversights or simple mistakes).
- Least privilege principle: The least privilege principle states that each entity (e.g., user or process) should only have the least set of privileges necessary. (See the slides for some examples.) This also implies that an entity should only operate with given privileges for the duration required. This is a good design principle because it limits the potential damage of a security breach (malicious or accidental).
- Complete mediation: Authorization should be verified on every access (this implies that the source of the request must be authenticated).
- Fail-safe defaults: Base access decisions on permission rather than exclusion. This principle means that the default situation is lack of access, and the protection scheme identifies conditions under which access is permitted.
- Defense in depth: True defense in depth requires that the security measures provide overlapping (i.e., redundant) security and that the breach of one is independent from breaching the others!
- Separation of privilege / duty: Where feasible, a protection mechanism that requires two keys to unlock it is more robust and flexible than one that allows access to the presenter of only a single key. The reason is that, once the mechanism is locked, the two keys can be physically separated and distinct programs, organizations, or individuals made responsible for them.
Name some attacks on cryptosystems and cryptographic design/software vulnerabilities in symmetric encryption.
- In a known plaintext attack, if the same key+IV combination is reused, OFB is vulnerable. The idea is that if you were to get hold of the plaintext and the ciphertext, XORing the two gives you the cipher's keystream. If a future message is encrypted using the same key+IV combination, you'll be able to decipher it.
- A chosen plaintext attack is the same thing, except that you get to choose the plaintext, which can be useful. In this case the attacker determines what will be encrypted and then uses the result to determine the key (or perhaps other less useful information) of the encryption. Example: A good example here is XOR encryption. If you can choose the plaintext and get to see the result, you can use those to easily determine the key being used.
Wireless Network Security has the 802.11i RSN protocol (WPA2 when used with CCMP). Describe its authentication and key management protocols.
- Pre-Shared Key (PSK), which is a static key delivered to the AS and the STA through an out-of-band mechanism. The IEEE 802.11 standard does not specify how PSKs are to be generated or distributed, so these decisions are left to implementers. The security of the WLAN is compromised if any of the PSKs does not possess sufficient cryptographic strength. As a result, organizations should review any PSK approach carefully for possible vulnerabilities and evaluate its performance implications. Distributing PSKs in a large network might be infeasible.
- Authentication, Authorization, and Accounting (AAA) Key (AAAK), also known as the Master Session Key (MSK), which is delivered to the AP through the Extensible Authentication Protocol (EAP) during the process of establishing an RSNA. Each time a user authenticates to the WLAN, the AAA key changes; the new key is then used for the duration of the user's session.
What are the changes of TLS 1.3 over TLS 1.2?
- The list of supported symmetric algorithms has been pruned of all legacy algorithms.
- A zero-RTT (0-RTT) mode was added, saving a round-trip at connection setup for some application data at the cost of certain security properties. It means that if the client has connected to the server before, TLS 1.3 permits a zero-round trip handshake. This is accomplished by storing secret information (typically, Session ID or Session Tickets) of previous sessions and using them when both parties connect with each other in future.
- Static RSA and Diffie-Hellman cipher suites have been removed; all public-key based key exchange mechanisms now provide forward secrecy.
- The handshake state machine has been restructured to be more consistent and remove superfluous messages.
- TLS 1.2 version negotiation verification mechanism was deprecated in favor of a version list in an extension.
- The TLS 1.3 handshake process involves only one round-trip as opposed to three in TLS 1.2. This results in reduced latency.
Security Design uses separation to simplify security enforcement. This entails a means for separation, and modular design. Describe it!
- Trusted modules (e.g., security mechanisms) are protected from manipulation
- Unnecessary complexity is avoided in trusted modules
- Required communication between modules is provided through well-defined interfaces
Separation can be:
- Physical, e.g., separate networks, computers, chips, or devices
- Logical, e.g., OS provided, programming language provided, virtual machines, virtual network, sandbox, or separation kernel
- Cryptographic, e.g., encryption or signature
- Temporal
Different approaches differ in strength (e.g., separation mechanisms in (or on top of) typical OS provide limited assurance).
What is a MAC in message authentication?
A message authentication code (MAC) is a cryptographic checksum on data that uses a session key to detect both accidental and intentional modifications of the data. A MAC requires two inputs: a message and a secret key known only to the originator of the message and its intended recipient(s). This allows the recipient of the message to verify the integrity of the message and authenticate that the message's sender has the shared secret key. If a sender doesn't know the secret key, the hash value would then be different, which would tell the recipient that the message was not from the original sender.
What is the difference between passive and active security attacks, and what are the attack types?
A passive attack is one where the attacker eavesdrops or observes but does not modify the message stream in any way.
- Difficult to detect, so the aim is to prevent this type of attack.
An active attack is one where the attacker transmits messages, replays old messages, modifies messages, and/or deletes selected messages.
- Difficult to prevent completely
- Aim to detect and recover.
Passive:
- Interception/information disclosure (read content), prevented by data encryption.
- Traffic analysis (observe pattern). Very hard to counter. Might need to send more data than usual to hide the content.
Active:
- Spoofing/impersonation (message appears to be from Darth, man-in-the-middle), mitigated by data encryption and authentication.
- Replay (capture and replay later), use one-off session key that expires. Replay attacks can be prevented by tagging each encrypted component with a session ID and a component number. In this case an attacker would be unable to perform the replay because on a new run the session ID would have changed.
- Modification (tampering), use digital signatures, hashes and authentication.
- Denial-of-service (suppress message, overloading). Use firewall filtering.
What is a PKI (part of asymmetric key distribution)? And what is revocation?
A public key infrastructure (PKI) supports the distribution, revocation and verification of public keys used for public key encryption, and enables linking of identities with public key certificates. A PKI enables users and systems to securely exchange data over the internet and verify the legitimacy of certificate-holding entities, such as webservers, other authenticated servers and individuals. The PKI enables users to authenticate digital certificate holders, as well as to mediate the process of certificate revocation, using cryptographic algorithms to secure the process. PKI certificates include a public key used for encryption and cryptographic authentication of data sent to or from the entity that was issued the certificate. Other information included in a PKI certificate includes identifying information about the certificate holder, about the PKI that issued the certificate, and other data including the certificate's creation date and validity period. Without PKI, sensitive information can still be encrypted, ensuring confidentiality, and exchanged between two entities, but there would be no assurance of the identity of the other party. Any form of sensitive data exchanged over the internet is reliant on the PKI for enabling the use of public key cryptography because the PKI enables the authenticated exchange of public keys.
Revocation is withdrawing certificates (e.g., due to private key being compromised). There are four methods:
Certificate Revocation List (CRL) - a list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date and should no longer be trusted.
Online certificate verification
- Online Certificate Status Protocol (OCSP), used to determine the state of an identified certificate.
- Server-based Certificate Validation Protocol (SCVP), used for determining the path between an X.509 digital certificate and a trusted root (Delegated Path Discovery) and the validation of that path (Delegated Path Validation) according to a particular validation policy.
Fast expiration - e.g., certificate lifetime between 5 minutes and 24 hours
What is STRIDE?
A threat model, or threat risk model, is a process that reviews the security of any web-based system, identifies problem areas, and determines the risk associated with each area.
- Spoofing Identity
- Tampering
- Repudiation
- Information Disclosure
- Denial of Service
- Elevation of Privilege
BGP is part of protocol security. What is it, what are the vulnerabilities it faces, and what are the mitigations? HINT: There are two attacks.
An internet is an interconnection of autonomous systems (ASs), and the Border Gateway Protocol (BGP) is the de facto interdomain (i.e., inter-AS) routing protocol. BGP is a Path Vector routing protocol, and an AS can announce or withdraw address prefixes through updates. BGP has two vulnerabilities: prefix hijacking and AS Path manipulation.
- BGP hijacking is when an attacker disguises itself as another network; it announces network prefixes belonging to another network as if those prefixes are theirs. If this false information is accepted by neighboring networks and propagated further using BGP, it distorts the "roadmap" of the Internet. As a result, traffic is forwarded to the attacker instead of its legitimate destination, causing Denial of Service (DoS) attacks or traffic interception. For example, in the MyEtherWallet attack, traffic went to the attacker instead of to Amazon.
- AS Path manipulation: modify the path along the way.
To combat both we use RPKI and BGPsec. The hosted Resource Certification (RPKI) service allows you to authorise all legitimate BGP announcements that are made with your address space in an intuitive web interface. A Route Origin Authorisation (ROA) is a cryptographically signed object that states which Autonomous System (AS) is authorised to originate a certain prefix. This means ROAs say something about the BGP announcements that are done with your address space. A ROA contains three informational elements:
- The AS Number that is authorised
- The prefix that may be originated from the AS
- The Maximum Length of the prefix
Origin validation based on RPKI is not sufficient, as the authenticity of the entire AS path must be validated. We use BGPsec in addition. BGPsec validates that the sequence of ASs in the AS Path represents the actual propagation of the BGP route announcement.
Each AS on the path signs:
- the signature of the received BGP update
- the local AS number
- the next AS number
- the hash of the signing router's public key
The AS originating the route additionally signs:
- the address prefix
- the expiry time of the route.
What is the browser-enforced same-origin policy (SOP)?
Assume you are logged into Facebook and visit a malicious website in another browser tab. Without the same-origin policy, JavaScript on that website could do anything to your Facebook account that you are allowed to do. For example, read private messages, post status updates, or analyse the HTML DOM tree after you entered your password before submitting the form. But of course Facebook wants to use JavaScript to enhance the user experience. So it is important that the browser can detect that this JavaScript is trusted to access Facebook resources. That's where the same-origin policy comes into play: If the JavaScript is included from an HTML page on facebook.com, it may access facebook.com resources. Now replace Facebook with your online banking website, and it will be obvious that this is an issue.
• Origin is defined by protocol/scheme, hostname and port number
• A script in a webpage is only allowed to access content from the same origin (as that webpage)
• It does not prevent cross-domain inclusion of content (e.g., images or JavaScript) through HTML tags in the webpage
The same-origin policy may be relaxed, e.g., using the Cross-Origin Resource Sharing (CORS) Access-Control-Allow-Origin header.
Security is not only the security measures that you place, but the assurance it gives you. Elaborate!
Assurance is the grounds for confidence that the implemented measures fulfill the security objectives under all relevant circumstances.
Protocol security consists of three parts. What are they?
BGP, DNS and ARP.
In asymmetric key distribution, what is certificate transparency?
CT allows people on the internet to look at all certificates that have been issued by a Certificate Authority (CA). This is achieved using centralized logging to a collection of servers. These log servers talk to one another, to ensure consistency and reveal any unusual activity. Anyone can query the log servers to find out details on certificates that have been issued to anyone, by anyone. For example, a company could check to see what certificates have been created using its domains and details. In a nutshell, Certificate Transparency is a 3rd party auditing log required by Google/Chrome to display certificate ownership information. The information is publicly auditable. Once the CT logging is enabled, that information will be public and cannot be deleted from the log. With CT, all certificates are publicly disclosed, providing greater insight and transparency into the Web PKI ecosystem as a whole. Certificates that are not logged should not be trusted.
- Log inclusion proof can be included in e.g., certificate or TLS handshake
- May require certificates to be present in multiple logs
What are the advantages to IPsec? And what are its characteristics?
Characteristics:
- Applied at the IP (network) layer to IP packets.
- Can be used over LAN, Internet, WAN etc.
- Can be used with both IPv4 and IPv6.
- Can be used with multicast, but we only consider unicast traffic in this lecture.
- Can be used to provide security between both hosts and networks, transparent to higher layers.
- Provides integrity, confidentiality and authentication.
Advantages:
• An IPsec gateway (acting as a proxy to the real host) can provide strong and non-bypassable security applied to all traffic crossing the perimeter
• Is transparent to applications as it resides at the network layer
• Can be transparent (easy to detect) to end users
• Can provide security for individual users (e.g., off-site)
• Can be used to secure routing protocols
• Protects the transport layer protocols
Web browser security has ADINT. What is it?
Collecting sensitive information about targets through purchasing ads (ADINT). The attack relies on the fact that major "Demand Side Platform" ad brokers like Google Adwords allow you to target an ad to a specific place and a specific person. By placing ads that only get served if a target is on a given block, the attacker can trace the target's movements in space and time. Ad networks also allow attackers to enumerate the apps installed on the target's device and retrieve sensitive demographic data.
• Determine victim's daily routine
• Determine sensitive visits - ad targeted at victim (using MAID) and specific locations of interest
• Crowd enumeration - ad targeted for the location only and to be served to each device once-per-day
• Sensitive app enumeration - target victim and DSP reports which app or website the ad is shown on - or determine how many at a location use a specific app
• Determine when a victim uses a specific app
• Obtain other information about victim
What are the threats to web browsing/browsers?
Communication is compromised (confidentiality/integrity/availability/..)
- Plaintext communication?
- TLS connection compromised?
- Certificate trust chain compromised?
Underlying OS is compromised
Browser is "compromised", e.g., "man-in-the-browser": modification, fabrication, eavesdropping, ...
Web page/server is compromised or intentionally malicious
Name five different security objectives and define/explain their meaning.
Confidentiality: preventing unauthorised disclosure of data. Supported by TLS, crypto, two-factor authentication, access controls, tokens etc.
Integrity: preventing (or detecting) unauthorised modification or destruction of data (data integrity and system integrity). File permissions, user access, checksums, crypto, signatures.
Availability: ensuring resources (i.e., services and data) are accessible and usable upon demand by authorised entities. Good bandwidth. Use firewalls.
Authenticity: ensuring genuineness
- Entity (user) authentication: ensuring that the identity of an entity is as claimed
- Data origin authentication (message authentication): ensuring that the source of the data/message is as claimed. Use hashes, symmetric encryptions, keys.
Accountability (supports nonrepudiation and traceability):
- Ensure that the actions of an entity can be traced uniquely to that entity (e.g., cannot later falsely deny sending/receiving a message). Use digital signatures.
Cross-site script inclusion (XSSI) is a threat to web browsers. What is it?
Cross-Site Script Inclusion (XSSI) is a web application security vulnerability which exploits the exception or relaxation provided to same-origin-policy in relation to script inclusion from different websites. In this relation, recall that a browser, when it loads a website from its hosted server, ends up loading several scripts, such as Bootstrap, jQuery, Angular, and so on, from different servers such as Google CDN (Content Delivery Network). This flexibility acts as a security vulnerability for an XSSI attack. XSSI is a fancy way of saying: you are including in your program someone else's code; you don't have any control over what is in that code, and you don't have any control over the security of the server on which it is hosted. For example, let's say I include in my HTML page a script tag. That script will run in my webapp with the same level of trust as any of my own JavaScript code. It will have access to the full page content and DOM, it will be able to read all my app's cookies and read the user's keypresses and mouse movements, and everything else that JavaScript can do. If my mate Dave then decides to put something malicious in his cool widget (say, a sniffer/keylogger that sends all the user's cookies, form data and keypresses to his server), then I won't necessarily know. Also, the security of my app now depends on the security of Dave's server. If Dave's server gets compromised and coolwidget.js is replaced by the attacker, I again won't necessarily know and the malicious code will run as part of my app.
Cross-site request forgery (CSRF) is a threat to web browsers. Explain it!
Cross-site request forgery (XSRF or CSRF) is a method of attacking a Web site in which an intruder masquerades as a legitimate and trusted user. A Cross-Site Request Forgery (CSRF) aims to invoke a side effect by tricking the browser into sending a specific HTTP request.
• Exploits the authorization/authentication of the user at the target site
• E.g., https://sikkerbank.no/transfer.do?amount=99999999&to=nils, e.g., hidden in link or in <img src> tag etc.
• Should use random session/CSRF token to protect state changing operations, but this may be defeated by XSS/XSSI
XSS is a threat to web browsers. Explain it!
Cross-site scripting attacks happen when an untrusted source is allowed to inject its own code into a web application, and that malicious code is included with dynamic content delivered to a victim's browser. Malicious scripts are often delivered in the form of bits of JavaScript code executed by the victim's browser, but exploits can incorporate malicious executable code in many other languages, including Java, Ajax, Flash and HTML. XSS vulnerabilities are due to insufficient input validation in cases where user input is used as part of output. Attacker injects script into web page:
• Reflected (input from request used in response), e.g., old vulnerability in Google when using specific encoding:
- If http://www.google.com/url?q=USER_INPUT (e.g., provided in e-mail from attacker) was requested, the output would be:
- "Your client does not have permission to get URL /url?q=USER_INPUT from this server.", where USER_INPUT includes a (non-escaped) reference to a script on attacker controlled server
May be used e.g., to steal sensitive content/cookies or modify page.
DTLS is part of the Transport Layer Security. What are the main differences between it and TLS?
DTLS needs to handle loss and reordering of datagrams in a different way than TLS. DTLS is similar to TLS intentionally except that DTLS has to solve two problems: packet loss and reordering. DTLS implements:
- packet retransmission
- assigning sequence number within the handshake
- replay detection.
In order to be able to decrypt each record independently, DTLS does not allow the use of stream ciphers (as opposed to TLS where RC4 is commonly used). Also, the sequence number is explicitly included within each record (as opposed to TLS where the implicit sequence number is included in the MAC calculation to detect loss or re-ordering). DTLS is not insensitive to loss of handshake messages, however, and therefore uses a timeout and retransmission mechanism to provide a reliable handshake.
DTLS is part of the Transport Layer Security. What is the motivation behind it?
Datagram Transport Layer Security (DTLS) is based on TLS but does not require reliable or in-order delivery. Datagram Transport Layer Security (DTLS) is a communications protocol designed to protect data privacy and prevent eavesdropping and tampering. It is based on the Transport Layer Security (TLS) protocol, which is a protocol that provides security to computer-based communications networks. The main difference between DTLS and TLS is that DTLS uses UDP and TLS uses TCP. It is used across web browsing, mail, instant messaging and VoIP. To enable reuse and reduce the risk of introducing new vulnerabilities, DTLS is only different from TLS where required.
What is a digital signature and how does it work?
Digital signatures are based on public key cryptography, also known as asymmetric cryptography. Using a public key algorithm, such as RSA, one can generate two keys that are mathematically linked: one private and one public. Digital signatures work because public key cryptography depends on two mutually authenticating cryptographic keys. The individual who is creating the digital signature uses their own private key to encrypt signature-related data; the only way to decrypt that data is with the signer's public key. This is how digital signatures are authenticated. Digital signature technology requires all the parties to trust that the individual creating the signature has been able to keep their own private key secret. If someone else has access to the signer's private key, that party could create fraudulent digital signatures in the name of the private key holder.
Availability in networks is susceptible to DoS attacks, especially Flooding attacks. What is it?
Network-based DoS attacks can be classified into three types. They are:
Application layer attacks, exploiting a weakness at the application layer
- E.g., HTTP flood
Protocol attacks, exploiting a weakness in the (network/transport layer) protocol
- E.g., SYN flooding
Volumetric (or volume based) attacks, exhausting the bandwidth capacity of the target through high volumes of traffic
- E.g., DDoS flooding
Explain the problem of false positives and false negatives in the context of intrusion detection.
False positives may result in denial of service for authorized users. There is a trade-off between false positives and false negatives. Somewhere in the middle is where we want to be.
What are cryptographic hash functions, and what are their properties and requirements?
I. H can be applied to a block of data of any size.
II. H produces a fixed-length output.
III. H(x) is relatively easy to compute for any given x, making both hardware and software implementations practical.
IV. Preimage resistance (one-way): For any given output y, it is computationally infeasible to find x such that H(x) = y.
V. Second preimage resistance (weak collision resistance): It is computationally infeasible to find any second input which has the same output as that of a specified input, i.e., given x, it is difficult to find a second preimage x′ ≠ x such that H(x) = H(x′).
VI. (Strong) collision resistance: It is computationally infeasible to find any pair (x, y) of distinct inputs such that H(x) = H(y).
Firewalls are a part of web browser security. What are the types, advantages and limitations?
Firewalls are an important part of perimeter security. All traffic from inside to outside, and vice versa, must pass through. The security policy defines what traffic is allowed to pass. The firewall itself should be immune to penetration. If everything on the internal network is secure, firewalls might not be needed... but generally firewalls are required.
Advantages:
• May mitigate the consequences of configuration errors, user mistakes, etc.
• Provides some protection against vulnerabilities being exploited before being patched/fixed
• Provides protection against port scanning etc.
• Facilitates network monitoring and intrusion detection (by "reducing noise" on the internal network)
Limitations:
• Provides limited protection against many threats (e.g., inside threats, malicious content, phishing,...)
• Cannot protect against attacks bypassing the firewall filter (e.g., through WLAN, cellular network, SSH/VPN tunnel,..)
Firewalls can be either allow-biased or deny-biased. There are many types. Packet filtering firewalls filter based on the information in the packet, such as IP address, destination, source port number etc. There's also stateful packet filtering. Application-level gateway, which uses a proxy server.
IPsec has the IKE (key management) protocol. What is it?
IKE can be used to create Security Associations (SAs) on-demand (including negotiation of SA attributes) and to exchange keys for SAs. As such, it plays an important role for the applicability of IPsec on a larger scale.
ARP is part of protocol security. What are its attacks and mitigations?
In IPv4 networks, the Address Resolution Protocol (ARP) is used to map from an IP address at the network layer to the MAC (i.e., link layer) address. Each node maintains a cache of recently resolved addresses. Address resolution is performed by sending a broadcast request for the link layer address for a given IP address, where the owner of that IP address responds with its MAC address. ARP spoofing can be performed by sending a false response to such a request or by sending an unsolicited ARP announcement (specifying an incorrect IP - MAC address pair) to the target computer. The attack works for IPv6 as well, although the protocol is then called Neighbour Discovery (ND). Secure Neighbor Discovery Protocol (SEND Protocol) is a security extension of Neighbor Discovery Protocol (NDP) used in IPv6 for the discovery of neighboring nodes on the local link. NDP determines the link layer addresses of other nodes, finds available routers, maintains reachability information, performs address resolution and detects address duplication. SEND enhances this insecure protocol by employing cryptographically generated addresses (CGA) to encrypt NDP messages. This method is independent of IPsec, which is typically used to secure IPv6 transmissions. The introduction of CGA helps to nullify neighbor/solicitation/advertisement spoofing, neighbor unreachability detection failure, DoS attacks, router solicitation, and advertisement and replay attacks. The current lack of robust implementations of SEND at the end user devices limits its deployment and leaves the door open for attacks against NDP.
What characterizes targeted attacks and how can one defend against such attacks?
In a targeted attack, your organisation is singled out because the attacker has a specific interest in your business, or has been paid to target you. The groundwork for the attack could take months so that they can find the best route to deliver their exploit directly to your systems (or users). A targeted attack is often more damaging than an un-targeted one because it has been specifically tailored to attack your systems, processes or personnel, in the office and sometimes at home. First, implement the basic controls, such as firewalls, malware protection, patch management, server configuration, password policy etc. Then, look at each stage of an attack, from survey, to delivery, to breach and to affect. To protect against each, survey, deliver, breach and then affect.
What is message authentication?
In information security, message authentication or data origin authentication is a property that a message has not been modified while in transmission (data integrity) and that the receiving party can verify the source of the message.[1] Message authentication does not necessarily include the property of non-repudiation. Message authentication is typically achieved by using message authentication codes (MACs), authenticated encryption (AE) or digital signatures. The message authentication code, also known as digital authenticator, is used as an integrity check based on a secret key shared by two parties to authenticate information transmitted between them. It is based on using a cryptographic hash or symmetric encryption algorithm.
What are the security threats concerning wireless networks and mobile devices?
In wireless networks, attacks can be performed with low risk from a distance without access to network components.
Passive attacks (non-invasive and basically impossible to detect):
- Eavesdropping
- Traffic analysis
Active attacks (hard to trace):
- Masquerade (including rogue AP)
- Replay
- Message modification
- Denial of service (including jamming)
- Unauthorized use (misappropriation)
Emission is also a thing.
WPA3 is the newest version of a wireless network protocol. What are its advantages compared to WPA2?
It includes WPA3-Personal and WPA3-Enterprise versions. The 128-bit AES encryption employed with WPA2 is still in effect with WPA3, but the enterprise version requires 192-bit AES support. It's optional for the personal edition. WPA3 uses the Simultaneous Authentication of Equals (SAE) to replace WPA2's Pre-Shared Key (PSK) exchange protocol. SAE is a more secure protocol for handling the initial key exchange addressed with the KRACK. SAE, also known as Dragonfly Key Exchange, uses forward secrecy and is resistant to offline decryption attacks. WPA2's 4-way handshake was susceptible to offline dictionary-based attacks, especially when short passwords under 16 characters were employed. WPA3's handshake protocol forces real-time attacks, essentially eliminating dictionary attack techniques. Forward secrecy, used with WPA3, prevents an attacker from recording the encrypted transmission of a session and then decoding it in the future, should the wireless network password be obtained in some fashion.
What is the one-time pad in symmetric encryption, and why is it most secure?
It's a very simple system and is unbreakable if used correctly. To use a one-time pad, you need 2 copies of the "pad" which is a block of random data equal in length to the message you wish to encode. The word "random" is used in its most literal possible sense here. If the data on the pad is not TRULY RANDOM, the security of the pad is reduced, potentially to near zero. One-time pads are used in pairs. The more copies of a given pad, the greater the likelihood is that one may be captured, in which case the system is completely broken. One copy of the pad is kept by each user, and pads must be exchanged via a secure channel [e.g.: face to face on floppy disks]. The pad is used by XORing every bit of the pad with every bit of the original message. Once the message is encoded with the pad, the pad is destroyed and the encoded message is sent. On the recipient's side, the encoded message is XORed with the duplicate copy of the pad and the plaintext message is generated. The system is not very practical since the amount of key bits that are needed must be equal to or larger than the number of plaintext bits, and these key bits must be securely distributed. This requires use of another confidential channel, e.g. using manual key couriers.
What is MACsec, and how does it differ from IPsec?
MACsec works at the link layer.
- MACsec is a Layer 2 protocol.
- Uses GCM-AES-128 to offer integrity and confidentiality.
- As a layer 2 specification, MACsec can protect not only IP traffic, but also ARP, neighbour discovery, and DHCP.
- An extension to 802.1X provides secure key exchange and mutual authentication for MACsec nodes.
- IPsec (a Layer 3 security protocol) and TLS (a Layer 4 security protocol) offer different guarantees and can be a better fit, depending on the use case.
Monitoring and detection uses machine learning. Explain this!
Machine learning is gaining increased attention for intrusion and data loss detection. Typical machine learning approach:
- Identify classes and features to be used for classification
- Learn the model using training data (unsupervised, semi-supervised or supervised learning)
- Use the trained model to classify unknown data
The relevance and quality of the trained model is highly dependent on the training data. Uses the MADE application.
Application Layer Security has XACML. What is it?
The eXtensible Access Control Markup Language (XACML) is a specification for defining access control policies using XML. In addition to defining a policy language for expressing policies, XACML also provides an architectural model. The basic architectural model is shown in Figure 10. As illustrated in the figure, policy enforcement is performed by one or more policy enforcement points (PEPs). A policy enforcement point in turn relies on a policy decision point (PDP) for deciding the outcome of a request, based on the policies applicable to the request. A XACML rule may contain:
- A target: Defines the subjects, resource, actions, and environment to which the rule applies.
- An effect: permit or deny (mandatory).
- A condition
- (and in XACML 3.0 also an obligation)
What is TLS inspection in monitoring and detection?
More and more traffic (malicious and non-malicious) is encrypted, either requiring the traffic to be decrypted or rendering payload (e.g., signature) based detection approaches less effective. TLS inspection:
- Incoming connections can be decrypted with access to the internal server's private key (may require acting as MitM)
- Outgoing connections can be decrypted by the inspection point acting as MitM and dynamically creating certificates for the external server (requires that the internal client trusts the inspection point as Certificate Authority)
An alternative is to use an application or circuit level proxy that serves as the end-point of the TLS connection.
There are several types of Intrusion Detection Systems, such as NIDS/HIDS, signature-based, anomaly-based, stateful protocol analysis, network behavior analysis. List their advantages and disadvantages.
Network-based IDS (NIDS): A network-based intrusion detection system (NIDS) is used to monitor and analyze network traffic to protect a system from network-based threats.
Host-based IDS (HIDS): Monitors events (e.g., logs) at hosts to detect intrusion. Monitors a computer system on which it is installed to detect an intrusion and/or misuse, and responds by logging the activity and notifying the designated authority.
Signature-based:
+ Effective at detecting known attacks (or known improper events)
- May be fooled by evasion techniques
- Does not consider more complex interrelations between events
- May require access to encrypted payload
Anomaly-based:
+ May detect previously unknown intrusions/attacks
- May create a high amount of false positives
- Profile (dynamic or static) may be tainted
Stateful protocol analysis:
+ Identifies unexpected use of protocols (but that's it)
- Resource intensive
- Must be tailored to the specific protocol/application
Network behavior analysis (flow based):
+ Can support high data rates and encrypted traffic is not a problem
- Not a replacement for other intrusion detection approaches
What security services does RSN provide?
Official: "Confidentiality, integrity, authentication, and access control. See the reading assignment and lecture slides for more details." RSN's security features apply only to the wireless portion of the overall network, not to communications on wired networks. The RSN provides these three features:
- Access control: This is provided through the IEEE 802.1X port-based access control. The RSNA relies on this to provide an authentication framework.
- Authentication and key generation: This is provided through the EAP, a means of providing mutual authentication between STAs and the WLAN infrastructure, as well as performing automatic cryptographic key distribution.
- Confidentiality, data origin authentication and integrity, and replay protection: This is provided either through the TKIP or CCMP. TKIP was created to allow already-deployed devices to address the numerous inadequacies of WEP.
Wireless Network Security has the 802.11i RSN protocol (WPA2 when used with CCMP). Describe its architecture.
Official: "The Robust Security Network (RSN) architecture is defined by the use of RSN Associations (RSNA) between stations (STA) and access points (AP). In addition, the RSN also introduces the Authentication Server (AS). The RSNA only provides protection of the traffic between a STA and the AP." In infrastructure mode, an IEEE 802.11 WLAN comprises one or more Basic Service Sets (BSS), the basic building blocks of a WLAN. A BSS includes an AP and one or more STAs. The AP in a BSS connects the STAs to the DS. The DS is the means by which STAs can communicate with the organization's wired LANs and external networks such as the Internet. The DS and use of multiple BSSs and their associated APs allow for the creation of wireless networks of arbitrary size and complexity. In the IEEE 802.11 specification, this type of multi-BSS network is referred to as an extended service set (ESS). - Station (STA). A STA is a wireless endpoint device, such as a laptop, PDA, or mobile phone. - Access Point (AP). An AP logically connects STAs with a distribution system, which is typically an organization's wired network infrastructure. - Infrastructure Mode. This wireless network configuration requires APs and is the most commonly used mode for WLANs. - Basic Service Set (BSS). A BSS is composed of an AP and one or more STAs configured in infrastructure mode. - Distribution System (DS). A DS is an infrastructure, typically a wired LAN, that connects individual BSSs to each other. - Extended Service Set (ESS). An ESS is a WLAN comprising more than one BSS connected by a DS.
SSL/TLS is a component of Transport Layer Security. What is the TLS handshake protocol (key exchange and authentication)?
Official: "The TLS Handshake Protocol is used for the TLS handshake, to negotiate the (pending) session state. Also provides the protocol mentioned in the SSL/TLS question." The TLS Handshake Protocol is layered on top of the TLS Record Protocol. It is used to authenticate the client and the server, to exchange cryptographic keys and to negotiate the used encryption and data integrity algorithms before the applications start to communicate with each other. Figure 18.1 illustrates the actual handshake message flow. First, the client and server exchange Hello messages. The client sends a ClientHello message, which is followed by the server sending a ServerHello message. These two messages establish the TLS protocol version, the compression mechanism used, the cipher suite used, and possibly the TLS session ID. Additionally, both a random client nonce and a random server nonce are exchanged, both of which are used in the handshake later on.
DNS is a part of protocol security. What is it, and what are the attack types and mitigations for them?
One attack type is DNS cache poisoning. Domain Name Server (DNS) spoofing (a.k.a. DNS cache poisoning) is an attack in which altered DNS records are used to redirect online traffic to a fraudulent website that resembles its intended destination. Once there, users are prompted to log in to (what they believe to be) their account, giving the perpetrator the opportunity to steal their access credentials and other types of sensitive information. Furthermore, the malicious website is often used to install worms or viruses on a user's computer, giving the perpetrator long-term access to it and the data it stores. Methods for executing a DNS spoofing attack include:
- Man in the middle (MITM): The interception of communications between users and a DNS server in order to route users to a different/malicious IP address.
- DNS server compromise: The direct hijacking of a DNS server, which is configured to return a malicious IP address.
Cache poisoning can be mitigated by DNSSEC. DNS servers do not validate the IP addresses to which they are redirecting traffic. DNSSEC is a protocol designed to secure your DNS by adding additional methods of verification. The protocol creates a unique cryptographic signature stored alongside your other DNS records, e.g., A record and CNAME. This signature is then used by your DNS resolver to authenticate a DNS response, ensuring that the record wasn't tampered with. While DNSSEC can help protect against DNS spoofing, it has a number of potential downsides, including: lack of data confidentiality (it authenticates, but doesn't encode).
What are the block cipher modes of operation in block ciphers, and name some examples!
One of the main issues with block ciphers is that they only allow you to encrypt messages the same size as their block length. If you're using TEA, which has a block size of 64 bits, to encrypt a 65-bit message, you need a way to define how the second block should be encrypted. The solution to this is called block cipher modes of operation. Block ciphers only allow us to encrypt entire blocks. What if our message is longer/shorter than the block size? When this happens, we use modes of operation. Block ciphers operate on fixed-size blocks: DES on 64 bits, AES on 128. What if you have a file larger than 64 bits? What if you have a MB file? You need to break it into blocks and encrypt them block by block. Add padding if shorter than b bits.
- ECB: The user takes the first block of plaintext and encrypts it with the key to produce the first block of ciphertext. He then takes the second block of plaintext and follows the same process with the same key, and so on. Identical plaintext blocks (encrypted with the same key) result in identical ciphertext blocks - may be insecure. Very fast.
Any of the following are secure:
- Cipher Block Chaining (CBC): Take an IV and a plaintext block, and XOR them. Then encrypt the result with the key. Take the resulting ciphertext and use it as the IV for the next block. Does not provide integrity protection. Correct decryption depends on correct receipt of the corresponding and previous ciphertext block. Cannot be parallelized well (decryption can to some extent). Needs to pad the last block if the plaintext is not a multiple of the block size.
- Counter (CTR): Take a key and encrypt the counter value with it. Then take a block of plaintext and XOR it with the result. Encryption/decryption can be done in parallel. The underlying encryption algorithm does not depend on plaintext or ciphertext input. The serious disadvantage of CTR mode is that it requires a synchronous counter at sender and receiver. Loss of synchronization leads to incorrect recovery of plaintext.
- Output feedback mode (OFB): Encrypt the IV with the key, and then XOR the result with the plaintext. Instead of sending the ciphertext to the next block, send the encrypted portion.
- Cipher Feedback (CFB): Take the key and encrypt the IV with it. Then XOR the result with the plaintext. Use the resulting ciphertext as the next IV.
SSL/TLS is a component of Transport Layer Security. What is Perfect Forward Secrecy?
PFS is an encryption style known for producing temporary private key exchanges between clients and servers. For every individual session initiated by a user, a unique session key is generated. If one of these session keys is compromised, data from any other session will not be affected. Therefore, past sessions and the information within them are protected from any future attacks.
1. Eavesdropper records the conversation
2. Later gains access to the (long term) secret
3. If it is still impossible for the eavesdropper to decrypt the conversation, the protocol is said to provide PFS
- Also provides protection against passive attackers after the long term key has been compromised
Supported in TLS through ephemeral Diffie-Hellman (DHE), i.e., where the DH parameters are signed with a certificate so that the parameters can be changed each time.
Symmetric keys can be distributed either through Kerberos or using asymmetric encryption. Explain public key certificates in asymmetric key distribution and revocation.
Public-key encryption can be used to distribute secret keys:
- Requires authenticity of the public key
Public-key infrastructures:
- Certificates enable the authenticity of public keys to be verified, binding a public key and the ID of its owner
- Certificates must be issued by a trusted Certificate Authority (CA).
Public-key certificates are issued to authenticate the association between a public key and an identity, and assume that the issuing CA is trusted.
- Alice sends a message signed with her private key to Bob.
- Bob, who trusts the CA, requests her public key. The CA has her certificate, with her identity, public key and signature of the CA.
- Bob sends Alice a message with her public key.
Application layer security has a few protocols to protect email, including STARTTLS, DKIM, SPF, and DMARC. Describe them!
STARTTLS: An SMTP command initiating a TLS handshake
- Relay-to-relay (i.e., hop-by-hop) opportunistic encryption
- Provides protection against passive eavesdroppers
- Also defined for other protocols (e.g., IMAP and POP)
DomainKeys Identified Mail (DKIM): Sender appends a DKIM-signature to the email, enabling the receiver to authenticate the sending domain
- Public key published through DNS
Sender Policy Framework (SPF): Allows an organization to publish a range of servers that are authorized to send mail for its domain
Domain-based Message Authentication, Reporting and Conformance (DMARC): Builds on DKIM and SPF
- Provides for senders publishing a DNS record specifying whether they support DKIM and/or SPF, thereby suggesting a policy for authenticating received mail
Application Layer Security has SAML and XACML. What are they?
Security Assertion Markup Language (SAML) is an open standard that allows identity providers (IdP) to pass authorization credentials to service providers (SP). What that jargon means is that you can use one set of credentials to log into many different websites. It's much simpler to manage one login per user than it is to manage separate logins to email, customer relationship management (CRM) software, Active Directory, etc. SAML transactions use Extensible Markup Language (XML) for standardized communications between the identity provider and service providers. SAML is the link between the authentication of a user's identity and the authorization to use a service. XACML on the other hand is used to define access control policies in XML, and may be used to define access control policies for any type of resource.
Explain asymmetric cryptography (encryption and key exchange). Name some examples of algorithms to establish private-public keys.
Take a plaintext P, and encrypt it using the public key PU. The ciphertext is sent to the receiver. The receiver decrypts the packet with the corresponding private key. The authenticity (and validity) of the public key must be assured. Because asymmetric cryptography is slow, it is typically used to encrypt a secret key, which is then used to encrypt the data using symmetric encryption. RSA is used for distributing public/private key combos. A user of RSA creates and then publishes a public key based on two large prime numbers, along with an auxiliary value. The prime numbers must be kept secret. Anyone can use the public key to encrypt a message, but with currently published methods, and if the public key is large enough, only someone with knowledge of the prime numbers can feasibly decode the message. Diffie-Hellman is a way of generating a shared secret between two people in such a way that the secret can't be seen by observing the communication. That's an important distinction: You're not sharing information during the key exchange, you're creating a key together.
In DoS attacks, volumetric attacks, i.e. exhausting the capacity of the target through high volumes of traffic, have two types of flooding attacks. Name them!
TL;DR: An amplification attack is a reflection attack where the reply is larger than the request. Reflection attacks are attacks that use the same protocol in both directions. The attacker spoofs the victim's IP address and sends a request for information via UDP to servers known to respond to that type of request. The server answers the request and sends the response to the victim's IP address. All the data from those servers piles up, congesting the target's Internet connectivity. With the bandwidth maxed out, normal traffic cannot be serviced and clients cannot connect. Any server open to the Internet and running UDP-based services can be used as a reflector. Amplification is when the reply is larger than the request. An amplification attack is a kind of reflection attack, where the attacker sends a small request with a spoofed source IP address and this results in a big (i.e. amplified) reply to the claimed source of the request, i.e. the victim. By using this amplification an attacker can use few resources to attack a large target - the higher the amplification factor, the fewer resources are needed by the attacker. DNS amplification attacks, for example, use DNS requests with the target as the spoofed source address. As you can see, an attacker uses a modest number of machines with little bandwidth to send fairly substantial attacks. This is done by spoofing the source IP of the DNS request such that the response is not sent back to the computer that issued the request, but instead to the victim. Using very simple tools the attacker can send many thousands of spoofed requests to open resolvers, and the responses (which are much larger than the request) amplify the amount of bandwidth sent to the victim.
SSL/TLS is a component of Transport Layer Security. What are its advantages and disadvantages?
TLS is a cryptographic protocol that provides end-to-end communications security over networks and is widely used for internet communications and online transactions. It is an IETF standard intended to prevent eavesdropping, tampering and message forgery. Common applications that employ TLS include Web browsers, instant messaging, e-mail and voice over IP. TLS is more efficient and secure than SSL as it has stronger message authentication, key-material generation and other encryption algorithms. For example, TLS supports pre-shared keys, secure remote passwords, elliptical-curve keys and Kerberos whereas SSL does not. TLS and SSL are not interoperable, but TLS does offer backward compatibility for older devices still using SSL.
Symmetric keys can be distributed either through Kerberos or using asymmetric encryption. Briefly explain Kerberos/KDC.
The Kerberos protocol is designed to provide reliable authentication over open and insecure networks where communications between the hosts belonging to it may be intercepted. Kerberos provides entity (e.g., user or server) authentication and key distribution using a KDC approach. Kerberos itself does not enforce authorization, but may provide a basis to do so. The Key Distribution Center can be part of Kerberos. A key distribution center (KDC) in cryptography is a system that is responsible for providing keys to the users in a network that shares sensitive or private data. Each time a connection is established between two computers in a network, they both request the KDC to generate a unique password which can be used by the end system users for verification.
SSL/TLS is a component of Transport Layer Security. What is its architecture, services and protocols?
The primary goal of TLS is to provide a secure channel between two communicating peers; the only requirement from the underlying transport is a reliable, in-order data stream. Specifically, the secure channel should provide the following properties:
- Authentication: The server side of the channel is always authenticated; the client side is optionally authenticated. Authentication can happen via asymmetric cryptography or PSK.
- Confidentiality: Data sent over the channel after establishment is only visible to the endpoints. TLS does not hide the length of the data it transmits, though endpoints are able to pad TLS records in order to obscure lengths and improve protection against traffic analysis techniques. Symmetric.
- Integrity (HMAC): Data sent over the channel after establishment cannot be modified by attackers without detection.
SSL/TLS has a layered architecture consisting of the following protocols:
- Record protocol: Performs fragmentation and applies confidentiality protection, integrity protection and compression as specified by the current state.
- Handshake protocol: Provides negotiation/exchange of SSL/TLS version, session identifier (session resumption), certificate(s), compression method, cipher spec (i.e., cryptographic algorithms), master secret, etc. (for the pending state). During the handshake, one- or two-way authentication may be performed.
- Alert protocol: Used to convey SSL/TLS related alerts (closure alerts, fatal error alerts, and warning error alerts).
- Change cipher spec protocol: A fixed one-byte message used to signal a switch from the current to the pending state.
Describe the stream and block ciphers, their strengths and weaknesses, and example of each.
They are stream and block. A stream cipher converts one symbol of plaintext directly into a symbol of ciphertext, whereas a block cipher encrypts a group of plaintext symbols as one block. Simple substitution is an example of a stream cipher. Columnar transposition is a block cipher. Stream ciphers are fast (linear in time) and have low error propagation, but they are susceptible to insertions. Examples of stream ciphers are the one-time pad and RC4 (uses permutations of a key). Block ciphers have high diffusion (information from one plaintext symbol is diffused into several ciphertext symbols) and are immune to tampering, but they are slow, and one symbol corruption will corrupt an entire block. Examples of block ciphers are DES, Triple DES, AES etc.
What are the services and protocols that IPsec offers, specifically ESP and AH?
There are two protocols used to provide security in IPsec: an authentication protocol designated by the header of the protocol, Authentication Header (AH); and a combined encryption/authentication protocol designated by the format of the packet for that protocol, Encapsulating Security Payload (ESP). The services they provide are:
- Access control
- Connectionless integrity
- Data origin authentication
- Rejection of replayed packets
- Confidentiality
- Limited traffic flow confidentiality
AH provides the first four but not confidentiality as the data is not encrypted, whereas ESP has two cases: one in which integrity and authentication are not provided (i.e. encryption only), and one where authentication and integrity are provided. Both AH and ESP are vehicles for access control, based on the distribution of cryptographic keys and the management of traffic flows relative to these security protocols. The AH protocol, less frequently used than ESP, ensures the integrity of IP packets, and, combined with IKE, the authentication of the peers. In other words, AH firstly ensures that exchanged packets have not been altered during transit, and secondly guarantees the identity of a packet's sender. It also provides protection against replayed packets. The ESP protocol provides confidentiality and integrity of IP packets and, used with IKE, authentication of the peers. It also provides protection against replay attacks. One can also set up ESP to provide integrity and authentication without encryption, which suits almost all the use cases where AH was used, justifying the withdrawal of the latter.
There are three notions of cryptographic security in symmetric encryption. What are they?
Unconditional security - The system cannot be broken even with infinite computational resources.
Computational security - It is impossible to break the system in practice due to the computational resources required by the best known algorithms for breaking the system.
Provable security - Breaking the system is equivalent to solving a difficult problem (factoring, discrete logarithm).
What is WS-Security? This is targeted exclusively at Web services, whereas the ones before were targeted at XML.
WS-Security is a message-level standard that is based on securing SOAP messages through XML digital signature, confidentiality through XML encryption, and credential propagation through security tokens. The web services security specification defines the facilities for protecting the integrity and confidentiality of a message and provides mechanisms for associating security-related claims with the message. WS-Security provides a general-purpose mechanism for associating security tokens with messages. No specific type of security token is required by WS-Security. It is designed to be extensible, for example, to support multiple security token formats. WS-Security also describes how to encode binary security tokens and attach them to SOAP messages. Specifically, the WS-Security profile specifications describe how to encode the following tokens: - Username tokens - X.509 certificates - SAML assertions - Kerberos tickets - LTPA binary tokens
In IPSec, ESP and AH support two modes of transportation. What are they?
When using ESP you can specify one of two modes in which ESP operates. Tunnel mode encrypts the whole packet. Tunnel mode is used for site-to-site VPN, when securing communication between security gateways, concentrators, firewalls, etc. Tunnel mode provides security for the entire original IP packet, that is, the headers and the payload. The other mode ESP can operate in is transport mode, which is not as secure, as it only encrypts the data portion and not the whole packet, unlike tunnel mode. For example, in tunnel mode the new IP header is appended outside the encrypted inner IP header. With transport mode, the ESP header is inserted inside the original packet, and there is no outside IP header. Transport mode encrypts only the payload and ESP trailer, so the IP header of the original packet is not encrypted.
What is WEP, WPA, and what are the known main differences between the two?
Wired Equivalent Privacy (WEP) - part of the 802.11 standard (1999):
- Flawed authentication. Pre-RSN IEEE 802.11 performs access control through either open system or shared key authentication. Open system authentication does not verify any claimed credentials from the STA, so it is generally suitable only for providing public access to a WLAN.
- Weak/flawed encryption (key reuse due to 24-bit IV)
- Flawed integrity (RC4 encrypted CRC). WEP attempts to perform data integrity checking for messages and reject messages that have been changed in transit. WEP uses a simple non-cryptographic checksum to detect errors in data transmission and protects this checksum with a stream cipher. Unfortunately, stream ciphers offer no protection against bit-flipping attacks, which means that in many cases a determined adversary can alter both data and the corresponding checksums without detection.
WPA was based on a subset of the 802.11i draft and was intended as an interim solution to be usable on older "WEP hardware". WPA uses the Temporal Key Integrity Protocol (TKIP). TKIP makes use of the same encryption algorithm as WEP (i.e., RC4), but generates a new key for each frame. Another difference from WEP is that TKIP uses the Michael message integrity code.
Briefly describe XKMS, WS-Policy and WS-SecurityPolicy, WS-Trust and WS-SecureConversation. These are not central to the course, but should be known.
XKMS: Consists of two parts: XKISS (XML Key Information Service Specification) and XKRSS (XML Key Registration Service Specification). XKISS defines a protocol for resolving or validating public keys contained in signed and encrypted XML documents, while XKRSS defines a protocol for public key registration, revocation, and recovery.
WS-Policy: WS-Policy may be used by service providers and consumers to express interoperability requirements and capabilities. WS-Policy defines a general-purpose XML-based model and syntax that may be used to describe and communicate the policies that apply to any Web-based service.
WS-SecurityPolicy: WS-SecurityPolicy defines policy assertions for use with WS-Policy to express security interoperability requirements and capabilities: signed parts/elements, encrypted parts/elements, required parts/elements, token assertion.
WS-Trust: WS-Trust is a WS-specification that provides extensions to WS-Security, specifically dealing with the issuing, renewing, and validating of security tokens, as well as with ways to establish, assess the presence of, and broker trust relationships between participants in a secure message exchange.
WS-SecureConversation: WS-Security by itself has no notion of a communication session (i.e., it is only concerned with a SOAP request/response or a single message). WS-SecureConversation builds on WS-Security and WS-Trust to provide a security context.
Application Layer Security has XML Signature that secures SOAP messages. What is it?
XML Encryption defines how to represent encrypted data in an XML document and can be used to encrypt binary resources or selected parts of an XML document. Typically uses a block cipher (e.g., AES) for encryption. XML Encryption combined with CBC may be vulnerable to chosen-ciphertext attacks, and XML Encryption therefore recommends using AES-GCM instead.
Application Layer Security has XML Encryption that secures SOAP messages. What is it?
XML Signature defines how to represent digital signatures (or MACs) in XML documents, and can be used to sign XML documents (or selected parts thereof) and binary resources. The XML digital signature is designed to be used in XML transaction and provides authentication, data integrity, and non-repudiation. XML digital signature offers flexibility by allowing for one or more items to be signed, as well as both XML and non-XML data. Additionally, it is used to sign only specific portions of the XML tree, rather than the complete document.