This is the assurance that messages or data exchanged between two people or hosts on a network remains secret and is not read by third parties
Encryption
Integrity
This is the assurance that messages or data exchanged between two people or hosts on a network is not changed while it is being transmitted over the network
Hash Function
Message Authentication Codes (MAC)
Availability
This is the assurance that a host on a network is freely allowed to send and receive legitimate messages with other hosts on the network without interference.
Firewall
Backup Server
Minor
Entity Authentication
This is the general idea that a host on a network should be able to prove its identity.
Passwords
Nonces
Message Origin Authentication
This means that it can be established with certainty that a message came from a particular entity
Digital Signature
Non-Repudiation
This means that a host or other entity on a network cannot deny having sent/received a message.
Origin
Destination
Trusted Third Party
Confirmation
TImeliness
This means that a conversation between 2 hosts on a network cannot be watched by a third party who can use the record of the conversation to masquerade as one of parties and replay the prior conversation. To put it another way, each session where 2 hosts on a network exchange a set of messages is unique and cannot be replicated later.
Timestamps
Access Control
This is ability to restrict access to certain computing resources.
Firewall
Access Control List
Unix File Permission
Authorisation
This refers to the legitimate granting of access to computing resources to a human being or a host on a network.
Passwords
Encryption
2,3,4
Inputs
Plaintext
Encryption Key
Encryption Algorithm
Cryptology
Cryptanalysis
Cryptography
Algorithms Made Public
By being made public they will be open to scrutiny from a very wide adudience. It is much more likely that any weaknesses will be discovered
Making them publicly available means that they can be incorporated into networking protocols and other standards. This way their usefulness is maximised.
Terms
Ciphertext
Attack
Brute Force Attack
Given Enough TIme, can always break an encryption
Exploit a weakness of algorithm
Symmetric Encryption
Overview
Security depends on the secrecy of the key
the strength of encryption algorithm
Algorithms made public
Security Services
Confidentiality
Integrity
Feistel Cipher Structure
Block Size
Key Size
Number of Rounds
Subkey Generation Algorithm
Speed of Execution
DES
Feistel Product Cipher
3DES
This is achieved by making the middle step of 3DES a DES decryption.
AES
Rijndeal
Advanced Encryption Standard
Steps
Byte Substitution
Shift Rows
Mix Columns
Add Round Key
Cipher Block Modes
ECB
Electronic Code Book
CBC
Cipher Block Chain
Initialisation Vector
OFB
CFB
CTR
Issues
Key Management
Key Distribution Center
Kerberos
Authentication Protocol
Application Layer
Requirements
Secure
Reliable
Transparent
Scalable
Security Services
Entity Authentication
Authorisation
Access Control
Steps
Shortcoming
Server
Authentication Server
Ticket Granting Server
Secure Key Exchange Protocol
Diffie-Hellman
Key Exchange Protocol
Needham-Schroeder
Key Generation
The bit sequence in the key should be random
TRNG
True
Physical
PRNG
Pseudo
Asymmetric Encryption
Public Key Encryption
Security Services
Confidentiality
Message Authentication
Entity Authentication
Applications
Encryption/Decryption
Digital Signature
Applications
Time stamp, Nonce
Digital Certificate
Security Services
Message Origin Authentication
Integrity
Hash Functions
Unkeyed
Keyed
MAC
Message Authenticator Code
Operation
Hashed MAC
Hash Collision
Birthday Attack
Hash Standards
SHA-1, SHA-2, SHA-3
MD5
Message Origin Authentication
Non Repudiation (Origin)
Trusted Third Party
Key Exchange
RSA
Diffie Hellman
Key Exchange Protocol
No Built In Authentication
man in the middle attack
Trust Third Party
X.509 Certificate
Third Party Certificate
Applications
S/MIME
Secure Multipurpose Internet Email
IP Security
SSL/TLS
Secure Socket Layer / Transport Layer Security
SET
Secure Electronic Transaction
Comparison
Historical
Caesar CIpher
Frequency Analysis Attack
Brute Force Attack
Vigenere Cipher
PKI
Public Key Infrastructure
X.509 Authentication
Digital Signature
Certificate uses the Digital Signature of the CA to authenticate the certificate
Hashes
Public Key Encryption
Security Services
Message Origin Authentication
Integrity
Non-Repudiation
Digital Certificate
Used for
digital signature
message encryption
Characteristics
Any B with access to CA’s public key can recover A’s public key that was certified.
No party other than the CA can modify the certificate without this being detected.
Revocation
Validate Period
can be renewed
CA provides a list of revoked certificates
Reason?
Comparison
Kerberos
inside a large network
X.509
ideal for authentication and key exchange over the entire Internet
Public Key Certificate
Certificate Authorities
Subtopic 1
IETF
Internet Engineering Task Force
PKIX
PKI system involving an X.509 Certificate
System
Certificate Authority
A Certification Authority is charged with issuing Digital Certificates and Certificate Revocations Lists.
End User and Entities
Certificate Registry or Repository
DIgital Documents
Certificates
Certificate Revocation Lists
Effective Encryption
Encryption Algorithms
Operation
Substitution
Transposition
Keys
Symmetric (SIngle Key)
Asymmetric (Public Key and Private Key)
Way the plaintext processed
Block
Stream
Product Cipher
Substitution
Transposition
Swap
Bit Inversion
Circular Shift
XOR
Types
Feistel Product Cipher
Invertible and non invertible operation
Non-Feistel Product Cipher
only invertible operation
Confusion and Diffusion
Confusion
Encryption Key
Diffusion
Plaintext
Attack Types
Ciphertext Only
Plaintext
Chosen plaintext
Chose ciphertext
chosen text
Attack Methods
Brute Force
Exploit weakness in the encryption algorithm
Authentication
4
Access Restriction
6,11
Secure Networking & Protocols
5,7,8,9,10,12
Firewall
Security Services
Access Control
Controls
Service
Direction
User
Behavior
Capabilities
Essential
A single choke point for management of a network’s connection to the internet.
A location for monitoring and logging security related events
Other
Network Address Translation (NAT)
IPSec tunnel mode station (the other is transport mode)
Limitations
cannot protect against attacks bypass the firewall
cannot protect against internal attacks
cannot protect against the transfer of viruses
Types
Packet Filtering Firewall
pro
Simplicity
Transparency To Users
High Speed
con
Difficult of setting up packet filtering rules
Lack of Authentication
attacks
IP Address Spoofing
Fragmentation attacks
Configuration
Exclusive
Inclusive
Datalink, Network, Transport
Circuit Level Firewall
pro
con
SOCKS
Session
Apllication Level FIrewall
pro
Higher security than packet filters
Only need to scrutinize a few allowable applications
Easy to log and audit all incoming traffic
caching web pages
con
additional processing overhead on each connection
act as a replay of application-level traffic
SQUID
Application
Bastion Host
critical strong point in the network’s security
serves as a platform for an application‐level or circuit‐level gateway
Single Purpose Device
Topology
Packet Filtering Firewall Simple Topology
SIngle Homed Bastion
Dual Homed Bastion
DMZ
Malicious
attach itself to other programme and copy itself
Bacteria
A malware program that deliberately replicates itself to consume large amounts of system resources
Worm
A worm propagates itself like a virus, but requires a network to be transmitted
Trojan Horse
masquerades as a useful legitimate program but which is actually designed for some other malevolent purpose
Logic Bomb
Similar to a Trojan horse but usually involve a legitimate program that has been deliberately modified by someone with access to the source code
Trap Door
A secret entry point into a program that allows access to resources controlled by the program
Easter Egg
A piece of code put in by the programmers writing a particular application that does something harmless
Virus Type
Parasitic
Memory-Resident
Boot Sector
Stealth
Polymorphic
Subtopic 1
Email
PGP
Pretty Good Privacy
Key Rings
Own Public/Private Keys
Other user's Public Key
How PGP works?
Secure Services
Confidentiality
encryption
Integrity
digital signature
Message Origin Authentication
digital signature
Timeliness
one time keys
Email Services
Compression
pkzip
Base 64/ Radix 64 Encoding
Segmentation
Techniques
symmetric encryption
public key encryption
digital signatures
genuine random numbers
Keys and Key Rings
One time session key used for symmetric encryption
Public Key of Users
Private key of Users
Passphase based symmetric keys
Key Distribution Mehtod
Physical Deliver
Mutual trusted friend
Certifying Authority(CA) to verify the public key
Certificates
X.509
Introducers
a person sending a PGP certificate
Trust Levels
Full
Partial
None
S/MIME
Secure Multipurpose Internet Mail Extension
Algorithms
Message Digesting
SHA-1
MD5
Digital Signatures
DSS
Secret Key Encryption
Triple DES
RC2/40
Public-Private Key Encryption
RSA
Diffie Hellman
Web
Common Security Concerns
Confidentiality of Communication
Integrity of Communication
Message Origin Authentication
Non Repudiation Origin and Destination
TImeliness
User/Client Specific Concerns
Webmaster Specific Concerns
SSL/TLS
Security Services
Confidentiality
Encryption
Integrity
HMAC
Entity Authentication
X.509 Certificate
Message Origin Authentication
Non-Repudiation (Server) (Origin)
Timeliness
Sequence Numbers,
SSL
Netscape
TLS
IETF
Can receive data from any application layer program and pass it down to the transport layer.
Communication Phases
Establishment of the parameters for secure communication
Handshake Protocol
the secure exchange itself
Record Protocol
Protocols
Handshake
Cipherchange
Alert
SSL Record
How Works?
IPSec
IPSec is the most widely used layer 3 (network layer) protocol for VPN implementation