Week 2 - #4 - IT Security - Defense Against Digital Arts
Similar to a TPM, what is installed in mobile devices?
A secure element is a tamper-resistant chip often embedded in the microprocessor or integrated into the mainboard of a mobile device. It supplies secure storage of cryptographic keys and provides a secure environment for applications.
entropy pool
a source of random data to help seed random number generators
What port does OpenVPN operate over?
port 1194
VPN
A _____ allows a secure private connection over a public network, using an encrypted 'tunnel'. For example, a remote computer can securely connect to a LAN, as though it were physically connected.
Why are random numbers important?
If your number selection process isn't truly random, there can be some kind of pattern that an adversary can discover through close observation and analysis of encrypted messages over time.
IP packet, header, payload, and all
In tunnel mode, the entire ___________, is encrypted and encapsulated inside a new IP packet with new headers.
IPsec
Internet Protocol Security. Used to encrypt traffic and can operate in both tunnel mode and transport mode. It uses tunnel mode for VPN traffic. IPsec is built into IPv6, but can also work with IPv4 and it includes both AH and ESP. AH provides authentication and integrity, and ESP provides confidentiality, integrity, and authentication. IPsec uses port 500 for IKE with VPN connections.
What encryption through the OpenSSL library does OpenVPN support?
256-bit
TLS handshake
1) ClientHello + cipher suites supported + version 2) ServerHello + highest shared protocol version + chosen cipher + digital certificate transmission + ServerHelloDone 3) Client validates certificate + ClientKeyExchange message + ChangeCipherSpec (to indicate switching to secure communications) + encrypted Finished message (verifies handshake complete) 4) Server + ChangeCipherSpec + encrypted Finished message (shared message rec'd) 5) Application data flows over secured channel
What two interfaces for networking does OpenVPN support?
1) a Layer 3 IP tunnel 2) a Layer 2 Ethernet tap (more flexible, allowing it to carry a wider range of traffic)
What 3 things does TLS grant?
1) a secure communication line, with transmitted data protected from potential eavesdroppers 2) the ability to authenticate both parties communicating (but usually only the server is authenticated by the client) 3) the integrity of communications, with checks to ensure messages aren't lost or altered in transit
pseudo random
A series which appears to be random but is in fact generated according to some prearranged sequence.
forward secrecy
__________ ensures that if one key is compromised, subsequent keys will not also be compromised.
OpenVPN
An open source VPN software that is available for multiple platforms. It uses the OpenSSL library to handle key exchange and encryption of data, along with control channels. This also enables OpenVPN to make use of all the ciphers implemented by the OpenSSL library.
remote attestation
Ann, a software developer, wants to publish her newly developed software to an online store. Ann wants to ensure that the software will not be modified by a third party or end users before being installed on mobile devices. Which of the following should Ann implement to stop modified copies of her software from running on mobile devices? A. Single sign-on B. Identity propagation C. Remote attestation D. Secure code review
data binding and sealing
Data binding involves using the secret key to derive a unique key that's then used for encryption of data. Basically, this binds encrypted data to the TPM and by extension, the system the TPM is installed in, since only the keys stored in hardware in the TPM will be able to decrypt the data. Data sealing is similar to binding since data is encrypted using the hardware backed encryption key. But, in order for the data to be decrypted, the TPM must be in a specified state.
TLS
__________ is a generic protocol to permit secure communications and authentication over a network.
Full Disk Encryption
FDE - System that encrypts all data saved to a hard disk automatically and transparently.
How can you boot a FDE?
FDE configurations have a small unencrypted boot partition that contains elements like the kernel, bootloader and an initrd. At boot time, these elements are loaded, and the user is then prompted to enter a passphrase to unlock the disk and continue the boot process.
How does IPsec work?
IPsec works by encrypting an IP packet and encapsulating the encrypted packet inside an IPsec packet. This encrypted packet gets routed to the VPN endpoint where the packet is de-encapsulated and decrypted then sent to the final destination.
L2TP IPsec
L2TP is used in conjunction with IPsec when data confidentiality is needed, since L2TP doesn't provide encryption itself. 1) Works by first negotiating an IPsec security association, which negotiates the details of the secure connection, including key exchange, if used, and can share secrets and public keys. 2) Secure communication is established using Encapsulating Security Payload. 3) Once secure encapsulation has been established, negotiation and establishment of the L2TP tunnel can proceed. L2TP packets are now encapsulated by IPsec, protecting information about the private internal network.
L2TP
Layer 2 Tunneling Protocol. Tunneling protocol used with VPNs. L2TP is commonly used with IPsec (L2TP/IPsec). L2TP uses port 1701.
HTTPS
___________ is the secure version of HTTP, the Hypertext Transfer Protocol. It can also be called HTTP over SSL or TLS since it's essentially encapsulating the HTTP traffic over an encrypted, secured channel utilizing SSL or TLS.
PGP
Pretty Good Privacy. Commonly used to secure email communications between two private individuals but also used in companies. Provides confidentiality, integrity, authentication, and non-repudiation. It can digitally sign and encrypt email. It uses both asymmetric and symmetric encryption. Developed by Phil Zimmermann in 1991.
What do TPMs offer?
Secure generation of keys, random number generation, remote attestation, and data binding and sealing. A TPM has a unique secret RSA key burned into the hardware at the time of manufacture, which allows a TPM to perform things like hardware authentication to detect unauthorized hardware changes to a system.
SSH
_______ is a secure network protocol, commonly used for remote login to command-line-based systems, that uses encryption to allow access to a network service over unsecured networks. It uses public key cryptography to authenticate remote machines and has provisions to allow user authentication via client certificates.
Encapsulating Security Payload
_________ encapsulates IP packets, providing confidentiality, integrity, and authentication of the packets. ESP
session key
The ____________ is the shared symmetric encryption key used in TLS sessions to encrypt data being sent back and forth. A compromised private key leaves potential for an attacker to decode prior transmitted messages.
What is the difference between the tunnel and the secure channel in L2TP IPsec?
The tunnel is provided by L2TP, which permits the passing of unmodified packets from one network to another. The secure channel is provided by IPsec, which provides confidentiality, integrity, and authentication of data being passed.
TEE
Trusted Execution Environment provides a full-blown isolated execution environment that runs alongside the main OS. This provides isolation of the applications from the main OS and other applications installed there. It also isolates secure processes from each other when running in the TEE.
TPM
Trusted Platform Module. This is a hardware chip on a computer motherboard. It includes a unique RSA asymmetric key, and can generate and store other keys used for encryption, decryption, and authentication. It provides full disk encryption.
payload
When transport mode is used, only the _________ of the IP packet is encrypted, leaving the IP headers untouched. Authentication headers are also used. Header values are hashed and verified, along with the transport and application layers to prevent the use of anything that would modify these values, like NAT or PAT.
What authentication methods are supported by OpenVPN?
Pre-shared secrets, certificate-based, and username/password. Certificate-based authentication would be the most secure option, but requires more support and management overhead since every client must have a certificate. Username and password authentication can be used in conjunction with certificate authentication, providing additional layers of security.
How can you implement FDE?
The commercial product PGP; BitLocker from Microsoft, which integrates very well with TPMs; FileVault 2 from Apple; and the open source software dm-crypt, which provides encryption for Linux systems.
What is the most secure implementation of TPM?
The discrete chip, since these chip packages also incorporate physical tamper resistance to prevent physical attacks on the chip.
What two modes of operation does VPN support?
transport mode and tunnel mode
What are criticisms of TPM?
Trusting the manufacturer. Since the secret key is burned into the hardware at the time of manufacture, the manufacturer has access to this key, making it possible to store keys that could then be used to duplicate a TPM, which could break the security the module is supposed to provide. A physical attack on a TPM allowed a security researcher to view and access the entire contents of a TPM. The attack required the use of an electron microscope and micron-precision equipment for manipulating the TPM's circuitry.
ClientKeyExchange
When the client chooses a key exchange mechanism to securely establish a shared secret with the server, which will be used with a symmetric encryption cipher to encrypt all further communications.