cspp Chapter 22 - Internet Security Protocols and Standards - Stalling 4th ed.
What are the general categories of attacks against SSL/TLS?
+ Attacks on the Handshake protocol + Attacks on the record and application data protocols + attacks on the PKI + Other attacks
What are the four new general functions that S/MIME provides?
+ Enveloped Data + Signed Data + Clear-Signed Data + Signed and enveloped Data
What are the additional content types that S/MIME provides
+ Enveloped Data + Signed Data + Clear-signed Data + Signed and Enveloped Data
What are the key components of the Internet Mail Architecture?
+ Message User Agent (MUA) + Mail Submission Agent (MSA) + Message Transfer Agent (MTA) + Mail Delivery Agent (MDA) + Message Store (MS)
Benefits of IPSec
+ when implemented in a FW, it provides strong security that can be applied to all traffic crossing the perimeter + IPSec in a firewall is resistant to bypass if all traffic from the outside must use IP + IPSec is below the transport layer (TCP/UDP) and so is transparent to applications + IPSec can be transparent to end users. There is no need to revoke credentials from users when they leave + IPSec can provide security for individual users if needed. This is useful for off-site workers and for setting up a secure virtual subnet.
What are the four TLS-specific protocols that use the TLS Record protocol?
1. Change Cipher Spec Protocol 2. Alert Protocol 3. Handshake Protocol 4. Heartbeat Protocol
What are the two services that the SSL Record Protocol provides for SSL connections?
1. Confidentiality - defines a shared secret key to symmetrically encrypt SSL payloads. 2. Message Integrity - defines a shared secret key to firm a message authentication code (MAC).
What are the steps of the SSL Record Protocol?
1. Fragment data into blocks 2. Compress data (optional) 3. Compute a message authentication code (MAC) 4. Encrypt the MAC and [compressed] data using symmetric encryption 5. Append SSL Record Header (prepend) Finally, the data is then transmitted in a TCP segment, where it is reverse engineered once received (decrypted, verified, decompressed, reassembled).
What are the purpose(s) of the heartbeat of the Heartbeat Protocol?
1. It assures the sender that the recipient is still alive. 2. The heartbeat generates activity across the connection during idle periods, which avoids closure by a firewall that does not tolerate idle connections.
What parameters is an SA (security association) identified by?
1. SPI - Security Parameter Index 2. IP Destination Address 3. Protocol Identifier
What is a security association?
A *one-way* relationship between a sender and a receiver that affords security services on the traffic carried on it, defined by IPSec parameters, stored in a SADB (Security Association Database)
What is the Heartbeat Protocol typically used for?
A Heartbeat Protocol is typically used to monitor the availability of a protocol entity, the use of this protocol is established during Phase 1 of the Handshake Protocol.
TLS session
A TLS session is an association between a client and a server. Sessions are created by the Handshake Protocol. Sessions define a set of cryptographic security parameters, which can be shared among multiple connections. Sessions are used to avoid the expensive negotiation of new security parameters for each connection.
TLS connection
A connection is a transport (in the OSI layering model definition) that provides a suitable type of service. For TLS, such connections are peer-to-peer relationships. The connections are transient. Every connection is associated with one session.
Signed data
A digital signature is formed by taking the message digest of the content to be signed and then encrypting that with the private key of the signer. The content plus signature are then encoded using base64 encoding. A signed data message can only be viewed by a recipient with S/MIME capability.
Domain Name System (DNS)
A directory lookup service that provides a mapping between the name of a host on the internet and its numerical address.
What is a heartbeat?
A periodic signal generated by hardware or software to indicate normal operation or to synchronize other parts of a system.
What is a TLS Connection?
A transport-layer connection that provides a service, like email. They are peer-to-peer relationships. TLS connections are short-lived and each connection is associated with one session.
_______ is a list that contains the combinations of cryptographic algorithms supported by the client.
A.Compression method B.Session ID C.CipherSuite
The ______ field in the outer IP header indicates whether the association is an AH or ESP security association.
A.protocol identifier
Mail Submission Agent (MSA)
Accepts the message submitted by an MUA and enforces the policies of the hosting domain and requirements of internet standards. SMTP is used between the MUA and the MSA.
Message Store (MS)
An MUA can employ a long-term MS. An MS can be located on a remote server, or on the same machine as the MUA. Typically, an MUA retrieves messages from a remote server using POP (Post Office Protocol) or IMAP (Internet Message Access Protocol).
What is a TLS Session?
An association between a client and a server, created by the Handshake Protocol. A TLS session defines a set of cryptographic security parameters that can be shared among multiple connections, which avoids the negotiation of new security parameters for each connection.
Administrative Management Domain (ADMD)
An internet e-mail provider. Each ADMD can have different operating policies and trust-based decision making.
Clear-signed data
As with signed data, a digital signature of the content is formed. However, in this case, only the digital signature is encoded using Base64. As a result, recipients without S/MIME capability can view the message content, although they cannot verify the signature.
ESP supports two modes of use: transport and ________.
B.tunnel
The SSL record Protocol provides two services for SSL connections:
Confidentiality (The Handshake Protocol defines a shared secret key that is used for symmetric encryption of SSL payloads.) and Message integrity (The Handshake Protocol also defines a shared secret key that is used to form a message authentication code, or MAC.)
Enveloped data
Consists of encrypted content of any type and encrypted-content encryption keys for one or more recipients.
The most complex and important part of TLS is the ________.
D.handshake protocol
S/MIME (Secure/Multipurpose Internet Mail Extensions)
Defined as a set of additional MIME content types and provides the ability to sign and/or encrypt e-mail messages. (MIME provides a number of new header fields that determine information about the body of the message including the format of the body and any encoding that is done to facilitate transfer.)
DKIM
Domain Keys Identified Mail
What is DKIM?
DomainKeys Identified Mail (DKIM) is a specification for cyptographically signing e-mail messages, permitting a signing domain to claim responsibility for a message in the mail stream.
Describe ESP Transport Mode
ESP Transport Mode provides protection for upper-layer protocols and extends to the *payload* of an IP packet. ESP Transport Mode is typically used for end-to-end communication between two hosts.
Describe ESP Tunnel Mode
ESP Tunnel Mode provides protection to the *entire IP packet*. ESP Tunnel Mode usually protects between one point of an IP network to another; such as a firewall or router that implements IPSec.
What is ESP?
Encapsulating Security Payload This is used by IPSec, and provides confidentiality services and optionally an authentication service.
IPsec provides two main functions: a combined authentication/encryption function called ____ and a key exchange function.
Encapsulation Security Payload (ESP)
Four new functions resulting from new S/MIME content types...
Enveloped data, signed data, clear-signed data, signed an enveloped data.
In Android, all apps have to be reviewed and signed by Google.
False
In Android, an app will never be able to get more permission than what the user has approved.
False
In IPSec, if A uses DES for traffic from A to B, then B must also use DES for traffic from B to A.
False
In IPSec, packets can be protected using ESP or AH but not both at the same time.
False
In iOS, an app can run its own dynamic, run-time generated code.
False
Since Android is open-source, each handset vendor can customize it, and this is good for security (hint: consider security updates).
False
The App Store review process can guarantee that no malicious iOS app is allowed into the store for download.
False
iOS has no vulnerability.
False
_____ refers to the combination of HTTP and SSL to implement secure communication between a Web browser and a Web server.
HTTPS
What does HTTPS refer to?
HTTPS refers to the combination of HTTP and SSL to implement secure communication between a Web browser and a Web server. An HTTPS connection uses port 443, which invokes SSL.
Protocols that make up the TLS architecture are...
Handshake Protocol, Change Cipher Spec Protocol, Alert Protocol, HTTP, Heartbeat Protocol, Record protocol, TCP, IP
IP-level security encompasses three functional areas: authentication, confidentiality, and _____
Key management
What is MIME and what does it do?
MIME (Multipurpose Internet Mail Extension) is an extension to the Internet standard for e-mail to support non-text attachments, multiple character encodings, new header fields that define information about the body of the message.
What does MUA stand for?
Mail User Agent (i.e., Thunderbird)
What does MHS stand for?
Message Handling Service
What does MTA stand for?
Message Transfer Agents
What are the 4 phases of the Handshake Protocol?
Phase 1: Initiates a connection and establishes security capabilities, initiated by the client by sending a client_hello message. The client waits for the server_hello message, containing the security capabilities of the server. Phase 2: The server sends info related to the public-key encryption scheme such as a certificate, key exchange, and request certificate. The server sends the server_hello_done/server_done message. Phase 3: The client verifies the items sent by the server (such as certificate). If satisfactory, the client sends messages about the key exchange, depending on the underlying public-key scheme. Phase 4: Completes the setting up of a secure connection; the client and server both send their own change_cipher_spec message, and sends a finished message.
The preferred algorithms used for signing S/MIME messages use either an _____ or a ____ signature of an SHA-256 message hash.
RSA, DSA (digital signature algorithm)
Message Transfer Agent (MTA)
Relays mail for one application-level hop. It is like a packet switch or IP router in that its job is to make routing assessments and to move the message closer to the recipients. Routing is performed by a series of MTA until it reaches the destination MDA.
Message Delivery Agent (MDA)
Responsible for transferring the message from the MHS to the MS.
What is S/MIME?
S/MIME is an additional set of MIME content types and provides the ability to sign and/or encrypt e-mail messages.
Signed and enveloped data
Signed-only and encrypted-only entities may be nested, so that encrypted data may be signed and signed data or clear-signed data may be encrypted.
What is the message structure and purpose of the Alert Protocol?
The Alert Protocol is used to convey TLS-related alerts to the peer entity. Each message consists of 2 bytes: The first byte can be 1 (warning) or 2 (fatal). If the severity is fatal, TLS terminates the connection, but not the session. The second byte contains a code that indicates the alert type.
What is the message structure and purpose of the Change Cipher Spec Protocol?
The Change Cipher Spec Protocol causes the pending state to be copied into the current state, which updates the cipher suite to be used on this connection. The message consists of a single byte with a value 1.
What does the Handshake Protocol establish?
The Handshake Protocol establishes a TLS session, allows the server and client to authenticate each other and to negotiate an encryption, MAC algorithm and cryptographic keys to be used to protect data send in a TLS record. The Handshake Protocol is used before any application data is transmitted.
What are the two modes of ESP?
Transport and Tunnel Modes
Compared with WEP, WPA2 has more flexible authentication and stronger encryption schemes.
True
Even web searches have (often) been in HTTPS.
True
In IPSec, the sequence number is used for preventing replay attacks.
True
In a wireless network, traffic is broadcasted into the air, and so it is much easier to sniff wireless traffic compared with wired traffic.
True
In iOS, each app runs in its own sandbox.
True
In iOS, each file is encrypted using a unique, per-file key.
True
Most browsers come equipped with SSL and most Web servers have implemented the protocol.
True
True of false: The principle feature of IPsec that enables it to support these varied applications is that it can encrypt and/or authenticate all traffic at the IP level.
True
True or false: TLS is not a single protocol but rather two layers of protocols.
True
Message User Agent (MUA)
Works on behalf of user actors and user applications. It is their representative within the e-mail service. Typically, this function is housed in the user's computer and is referred to as a client e-mail program or a local network e-mail server.
DKIM (domainKeys identified mail)
means to assert that valid mail is sent by an org thru verification of domain name sec
DomainKeys Identified Mail (DKIM)
Is a specification for cryptographically signing e-mail messages, permitting a signing domain to claim responsibility for a message in the mail stream. DKIM is designed to provide an e-mail authentication technique that is transparent to the end user.
IPSec
Internet Protocol Security. Used to encrypt traffic on the wire and can operate in both tunnel mode and transport mode. It uses tunnel mode for VPN traffic. IPsec is built into IPv6, but can also work with IPv4 and it includes both AH and ESP. AH provides authentication and integrity, and ESP provides confidentiality, integrity, and authentication. IPsec uses port 500 for IKE with VPN connections.
