CMIS 495 Test 3 Ch 8
Management protocols
Organize and manage communications among CAs, RAs, and end users. This includes functions and procedures for setting up new users, issuing keys, recovering keys, updating keys, revoking keys, and enabling the transfer of certificates; they also figure in the formalization of legal liabilities and limitations and in actual business use.
VPN Negotiation
Phase 1 - The peers have to agree on how to authenticate each other. Phase 2 - Agreement on what type of traffic can go through the VPN tunnel, and on how to authenticate and encrypt that traffic.
Encryption Key
Size does matter. Security does not depend on the secrecy of the cryptosystem, but the secrecy of the key.
Pretty Good Privacy (PGP)
Uses the IDEA cipher for message encoding. Is a hybrid cryptosystem that combines some of the best available cryptographic algorithms. Used to encrypt and authenticate e-mail and file storage applications. Provides authentication by digital signatures, message encryption, compression, e-mail compatibility, segmentation, and key management.
PKI
Integrated system of software, encryption methodologies, protocols, legal agreements, and third-party services enabling users to communicate securely. Based on public-key cryptosystems.
Cryptography
Making and using codes to secure the transmission of information. Not built into TCP/IP; not built into the OS.
Hash Function
Mathematical algorithms that generate a message summary or message digest (sometimes called a fingerprint) to confirm message identity and integrity. - Not used to create ciphertext. - Hash value is compared after transmission to ensure the message is unmodified. - SHA-1 very popular.
VPN
Mobile VPN vs. site-to-site VPN (branch office).
PKI Protection
Needed because these services aren't built into TCP/IP or the OS. - Authentication - Integrity - Privacy - Authorization - Nonrepudiation
Steganography
A data hiding method that involves embedding messages and information within other files, such as digital pictures or other images.
A registration authority (RA)
In PKI, a third party that operates under the trusted collaboration of the certificate authority and handles day-to-day certification functions.
Encrypt
(Encipher) - to encrypt, encode, or convert plaintext into the equivalent ciphertext.
Digital Certificates
- Issued by a CA. - Digital signature attached to the certificate's container file certifies the file's origin and integrity. - Electronic document/container file containing a key value and identifying information about the entity that controls the key.
Internet Protocol Security (IPSec):
- An open-source protocol framework for security development within the TCP/IP family of protocol standards. - IPSec uses several different cryptosystems: -- Diffie-Hellman key exchange for deriving key material between peers on a public network -- Public key cryptography for signing the Diffie-Hellman exchanges to guarantee identity -- Bulk encryption algorithms for encrypting the data -- Digital certificates signed by a certificate authority to act as digital ID cards - Encrypts all traffic!
AES
Advanced Encryption Standard - The current federal standard for the encryption of data, as specified by NIST. AES is based on the Rijndael algorithm, which was developed by Vincent Rijmen and Joan Daemen. It is a block cipher and a form of symmetric encryption.
Chemical plants, Tankers, Satellites
All of these devices are being controlled by networked computers. The world itself is hackable. Hackers are always where the money is. Critical infrastructure is vulnerable. The worst-case scenario is hacking a satellite, because everyone uses GPS. Tankers at sea are navigated completely automatically by the signals from the satellites.
Symmetric
Also known as private-key encryption. One key, shared, simple. Key is sent "out of band." AES is popular. Out of band means in person, over the phone, or by sending a letter; more generally, it means using a channel or band other than the one carrying the ciphertext.
Asymmetric
Also known as public-key encryption. An encryption method that incorporates mathematical operations involving both a public key and a private key to encipher or decipher a message. Popular: RSA (bought by EMC Corp). Pro: two keys are better than one. Con: have to manage more keys; also not as fast.
Bit Stream Cipher
An encryption method that involves converting plaintext to ciphertext one bit at a time.
Block Cipher
An encryption method that involves dividing the plaintext into blocks or sets of bits and then converting the plaintext into ciphertext one block at a time.
Phishing for "certificate"
A hacker sent a phishing e-mail to Kevin Roose purporting to be from Squarespace. The e-mail linked to a typosquatting website that asked him to install a "certificate" that would supposedly improve his security. It ended up being a shell that Dan used as a backdoor.
Monitoring via Cam
Hackers can install a program on your computer to take snapshots of you using your webcam. They can even record video.
Social Engineering
Hacking without any code. All it takes is a phone and an internet connection.
A certificate authority (CA)
In PKI, a third party that manages users' digital certificates.
Certificate directories
Central locations for certificate storage that provide a single access point for administration and distribution.
S/MIME
Secure Multipurpose Internet Mail Extensions - builds on Multipurpose Internet Mail Extensions (MIME) encoding format and uses digital signatures based on public-key cryptosystems to secure e-mail.
SSL
Secure Sockets Layer (SSL) protocol: uses public-key encryption to secure a channel over the public Internet. Only secures web traffic! Developed by Netscape.
Secrecy of Key
Security does not depend on the secrecy of the cryptosystem, but the secrecy of the key.
Steve Gibson
Security expert who does the Security Now podcast on the TWiT network every Wednesday. Coined the term spyware and wrote the first anti-spyware program.
Ciphertext
The encoded message resulting from encryption.
Plaintext/Cleartext
The original unencrypted message, or a message that has been successfully decrypted.
Algorithm
The steps used to convert an unencrypted message into an encrypted sequence of bits that represent the message; sometimes refers to the programs that enable the cryptographic processes.
Encryption
The translation of data into a secret code. Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plaintext; encrypted data is referred to as ciphertext. There are two main types of encryption: asymmetric encryption (also called public-key encryption) and symmetric encryption.
Vishing
Voice elicitation. Vishing is the act of using the telephone in an attempt to scam the user into surrendering private information that will be used for identity theft. The scammer usually pretends to be a legitimate business and fools the victim into thinking he or she will profit.
Policies and procedures
Assist an organization in the application and management of certificates, in the formalization of legal liabilities and limitations, and in actual business use.
WPA2
Wi-Fi Protected Access 2. Uses AES-based encryption. Is backwards compatible with WPA.
Incompetent Hacker
The worst-case scenario is someone who gets in, doesn't know what he/she is breaking into, and does something that causes large or extensive collateral damage.
DEFCON
One of the world's largest annual hacker conventions, held annually in Las Vegas, Nevada, with the first DEF CON taking place in June 1993. Many of the attendees at DEF CON include computer security professionals, journalists, lawyers, federal government employees, security researchers, students, and hackers with a general interest in software, computer architecture, phone phreaking, hardware modification, and anything else that can be "cracked." The event consists of several tracks of speakers on computer- and cracking-related subjects, as well as social events, wargames, and contests in everything from creating the longest Wi-Fi connection and cracking computer systems to who can most effectively cool a beer in the Nevada heat. Other contests, past and present, include lockpicking, robotics-related contests, art, slogan, coffee wars, scavenger hunt, and Capture the Flag. Capture the Flag (CTF) is perhaps the best known of these contests. It is a hacking competition in which teams of crackers attempt to attack and defend computers and networks using certain software and network structures. CTF has been emulated at other cracking conferences as well as in academic and military contexts. Federal law enforcement agents from the FBI, DoD, United States Postal Inspection Service, and other agencies regularly attend DEF CON.[1][2]