Man-in-the-Middle (MITM) Attacks

Questions and Answers

Which of the following scenarios exemplifies a man-in-the-middle attack?

• An attacker cracks a password using a brute-force attack.
• An attacker intercepts communication between two parties, impersonating each to eavesdrop and potentially manipulate data. (correct)
• An attacker floods a server with SYN packets, causing a denial of service.
• An attacker exploits a buffer overflow vulnerability to execute arbitrary code on a server.

What is the primary purpose of Address Resolution Protocol (ARP) poisoning in a man-in-the-middle attack at Layer 2?

• To disable security features on network switches.
• To discover the IP addresses of all devices on the local network.
• To associate the attacker's MAC address with the IP address of the default gateway, intercepting traffic. (correct)
• To flood the network with ARP requests causing a denial of service.

What is a countermeasure against ARP spoofing attacks?

• Implementing Dynamic ARP Inspection (DAI) on network switches. (correct)
• Enabling port security on network switches.
• Using static IP addresses for all devices.
• Disabling DHCP on the network.

How can an attacker leverage the Spanning Tree Protocol (STP) in a man-in-the-middle attack?

By manipulating STP to become the root switch, gaining the ability to see network traffic. (C)

What is the risk of using plaintext protocols such as Telnet or HTTP for network management?

They transmit data, including usernames and passwords, in an unencrypted format, vulnerable to interception. (D)

Which protocols are recommended as secure alternatives to Telnet and HTTP?

SSH and HTTPS (D)

What is the primary goal of a denial-of-service (DoS) attack?

To disrupt the availability of a service or system to legitimate users. (B)

What is the key difference between a DoS and a DDoS attack?

A DoS attack uses a single source, while a DDoS attack uses multiple distributed sources. (B)

What is a SYN flood attack, and how does it contribute to a denial-of-service condition?

It floods the victim with TCP SYN packets, overwhelming its connection bandwidth or depleting system resources. (B)

How can attackers leverage cloud services to increase the cost impact of a DDoS attack on a victim?

By triggering autoscaling mechanisms, causing the victim to pay for increased usage during the attack. (D)

What is a botnet, and how is it used in a DDoS attack?

A network of compromised machines controlled by an attacker to launch attacks, including DDoS. (A)

In a reflected DDoS attack, how do attackers mask their identity and amplify the volume of attack traffic?

By sending spoofed packets that appear to be from the victim, causing intermediary servers to send responses to the victim. (D)

What is an amplification attack in the context of DDoS, and how does it work?

It leverages intermediary servers that respond with packets much larger than the initial request, flooding the victim with traffic. (B)

What is DNS tunneling, and how is it used for data exfiltration?

Encapsulating data within DNS packets to transmit sensitive information stealthily. (D)

How can DNS tunneling be detected?

By monitoring network traffic for unusual packet sizes and patterns, or analyzing the DNS packet payload. (C)

In ARP cache poisoning, what is the attacker attempting to achieve?

To associate the attacker's MAC address with the IP address of a legitimate host, intercepting traffic. (B)

What is the function of Dynamic ARP Inspection (DAI) on Cisco switches?

To validate ARP packets and prevent ARP spoofing attacks. (A)

What is the purpose of using a non-default VLAN for the native VLAN on network trunks?

To enhance security by preventing VLAN hopping attacks. (A)

What is the purpose of disabling Dynamic Trunking Protocol (DTP) negotiation on switch ports?

To prevent unauthorized devices from negotiating a trunk and gaining access to multiple VLANs. (C)

How does port security enhance Layer 2 security on network switches?

By limiting the number of MAC addresses learned on a given port. (B)

What is the purpose of BPDU Guard and Root Guard features in Spanning Tree Protocol (STP)?

To prevent unauthorized devices from manipulating the STP topology. (A)

Why is it recommended to disable Cisco Discovery Protocol (CDP) on ports facing untrusted networks?

To improve network security by preventing attackers from gathering information about the network infrastructure. (C)

When configuring a new switch, what is a recommended initial security measure?

Shut down all ports and assign them to an unused VLAN, then selectively enable them as needed. (D)

What is the function of IP Source Guard (IPSG)?

To prevent IP address spoofing by hosts. (B)

What is the role of 802.1X authentication?

To authenticate and authorize users before granting network access. (D)

How does DHCP snooping enhance network security?

By preventing rogue DHCP servers from impacting the network. (D)

What is the purpose of storm control on a network switch?

To prevent denial-of-service attacks by limiting broadcast and multicast traffic. (B)

In an IP address spoofing attack, what is the attacker attempting to do?

To send IP packets from a fake source address to disguise their identity. (B)

What is a BGP hijacking attack, and how does it compromise network routing?

By injecting false routing information into the BGP network, redirecting traffic through the attacker's infrastructure. (B)

Which password attack involves trying every possible combination of characters to crack a password?

Brute-force attack (C)

What is a dictionary attack in the context of password cracking?

An attack that tries common words, phrases, and commonly used passwords. (A)

How do rainbow tables facilitate password cracking?

By providing precomputed tables of password hashes to quickly look up plaintext passwords. (B)

What is the purpose of a keylogger?

To capture keystrokes entered by a user. (A)

In wireless networks, what is the purpose of a rogue access point?

To create a backdoor for unauthorized access to the network and its systems. (D)

What is war driving, and what information is typically gathered?

A process of searching for wireless access points to gather information about network names, security settings, and locations. (C)

What is an evil twin attack?

An attack that involves creating a rogue access point that mimics a legitimate network. (C)

Why is Web Encryption Protocol (WEP) considered a weak wireless security protocol?

It uses a short and predictable initialization vector (IV), making it vulnerable to IV attacks. (B)

What is the purpose of Common Vulnerabilities and Exposures (CVE)?

To offer a dictionary of publicly known security vulnerabilities and exposures. (D)

In a buffer overflow vulnerability, what happens when a program attempts to write more data to a buffer than it can hold?

The excess data overwrites adjacent memory locations, potentially corrupting data or executing malicious code. (B)

What is a cross-site scripting (XSS) vulnerability, and how can attackers exploit it?

A vulnerability that enables attackers to inject malicious scripts into trusted websites. (A)

What is a cross-site request forgery (CSRF) vulnerability, and how does it differ from XSS?

CSRF forces an end user to execute malicious steps on a web application, while XSS injects malicious scripts. (A)

What is an SQL injection vulnerability, and what are its potential consequences?

A vulnerability that allows attackers to read sensitive data from the database, modify data, or execute administrative operations. (B)

Flashcards

Man-in-the-Middle Attack

An attack where attackers position themselves between two communicating devices to eavesdrop or manipulate data.

ARP Poisoning

Compromising Layer 2 MAC addresses, making devices believe the attacker is the default gateway.

Dynamic ARP Inspection (DAI)

A security technique on switches to prevent Layer 2 address spoofing.

Layer 3 Man-in-the-Middle Attack

Placing a rogue router to make other routers believe it has a better path, intercepting network traffic.

Denial-of-Service (DoS) Attack

Causing a service to be unavailable by overwhelming it with traffic or exploiting vulnerabilities.

Distributed DoS (DDoS) Attack

A DoS attack from multiple sources.

Direct DDoS Attack

Packets are sent directly from the attacker to the victim.

SYN Flood Attack

Flooding a victim with numerous TCP SYN packets.

Botnet

A collection of compromised machines controlled by an attacker.

Reflected DDoS Attack

An attack where spoofed packets are sent to sources, which then unintentionally send traffic to the victim.

Amplification Attack

A reflected attack where response traffic is much larger than initial requests.

DNS Tunneling

Stealing sensitive information by encapsulating data within DNS packets.

ARP Cache Poisoning

Attacking hosts, switches, and routers by injecting false IP-to-MAC address mappings.

Dynamic ARP Inspection

Validates ARP packets and discards those with invalid IP-to-MAC address bindings.

Port Security

Limiting MAC addresses learned on a switch port.

BPDU Guard

Protects against spanning tree manipulation by unauthorized devices.

Root Guard

Prevents ports from becoming root ports to remote switches.

IP Source Guard

Prevents spoofing of Layer 3 information by hosts.

802.1X

Authenticates and authorizes users before network communication.

DHCP Snooping

Prevents rogue DHCP servers from impacting the network.

Storm Control

Limits broadcast or multicast traffic flowing through the switch.

Spoofing Attack

Impersonating another device to execute an attack.

IP Address Spoofing Attack

Faking the source IP address to disguise the origin of packets.

DNS Server Spoofing Attack

Modifying the DNS server to redirect a domain name to a different IP address.

BGP Hijacking Attack

An attacker configures a router to announce prefixes not assigned to them.

Password-Guessing Attack

Guessing passwords locally or remotely using manual or automated approaches.

Password-Resetting Attack

Resetting passwords instead of guessing them.

Password Cracking

Converting a password hash to its plaintext original.

Rainbow Tables

Using computed hashes from a system into a lookup table.

Password Sniffing

Sniffing authentication packets and extracting password hashes.

Password Capturing

Capturing passwords using key loggers or Trojan horses.

Installing a Rogue Access Point

Installing an access point to create a backdoor into the network.

Jamming Wireless Signals

Causing a denial-of-service by disrupting wireless signals.

War driving

Finding wireless access points.

Bluejacking

Sending unsolicited messages to a device via Bluetooth.

Evil Twin Attack

Creating rogue access points that mimic existing networks.

IV Attack

Causing modification on the initialization vector of a wireless packet.

WEP/WPA Attack

Exploiting vulnerabilities in WEP/WPA to gain network access.

WPS Attack

Using password-guessing tools to obtain WPS passwords for access.

API-Based Vulnerabilities

Exploiting flaws in application programming interfaces (APIs).

Study Notes

• Man-in-the-middle (MITM) attacks involve an attacker positioning themselves between two communicating devices to eavesdrop or manipulate data.
• MITM attacks can occur at Layer 2 or Layer 3 of the OSI model.
• The primary goal of a MITM attack is typically eavesdropping, allowing the attacker to monitor all traffic between the devices.

Layer 2 MITM Attacks

• An attacker spoofs MAC addresses to make devices on a LAN believe the attacker's MAC address is the default gateway's.
• This technique is known as ARP poisoning.
• Frames intended for the default gateway are then sent to the attacker, who may forward them to the correct destination to avoid detection.
• Mitigation techniques include dynamic ARP inspection (DAI) on switches.
• Attackers may also introduce a rogue switch and manipulate the Spanning Tree Protocol (STP) to become the root switch, gaining visibility into network traffic.

Layer 3 MITM Attacks

• A rogue router is placed on the network to trick other routers into thinking it offers a better path.
• Network traffic is then directed through the rogue router.
• Mitigation involves routing authentication protocols and filtering advertised information on specific interfaces.

Malware-Based MITM Attacks

• An attacker compromises a victim's machine and installs malware to intercept packets.
• This malware can capture packets before encryption, even with SSL/TLS/HTTPS.

Preventing MITM Attacks

• Encryption should be used to ensure data confidentiality during transit.
• Avoid plaintext protocols like Telnet or HTTP for management, as they expose usernames and passwords.
• Using encrypted protocols like SSH and HTTPS is a best practice.
• VPNs can also protect sensitive data transmitted in plaintext.

Denial-of-Service (DoS) and Distributed DoS (DDoS) Attacks

• These attacks aim to disrupt network services by overwhelming them with traffic or exploiting vulnerabilities.
• DDoS attacks are categorized into direct, reflected, and amplification attacks.

Direct DDoS Attacks

• The attacker directly sends packets to the victim, flooding it with traffic to exhaust bandwidth or system resources.
• A SYN flood attack is a type of direct DDoS attack that overwhelms the victim with TCP SYN packets.
• DDoS attacks can increase cloud service costs for the victim due to pay-per-usage models.
• Exploiting vulnerabilities such as buffer overflows can crash servers or network devices, leading to a DoS condition.

Botnets in DDoS Attacks

• Attackers often use botnets which are a collections of compromised machines controlled by a command and control (C2) system.
• The attacker sends instructions to the C2 server, which then directs the bots to launch a DDoS attack against the victim.

Reflected DDoS Attacks

• Attackers send spoofed packets that appear to originate from the intended victim to intermediary sources.
• These sources then unintentionally flood the victim with response traffic.
• UDP is commonly used due to its ease of spoofing.
• An attacker sends packets (e.g., NTP requests) to a source, which then responds to the victim.

DDoS Amplification Attacks

• An amplification attack is a reflected attack where the response traffic is much larger than the initial requests.
• DNS queries, where the DNS responses are significantly larger than the queries, serve as an example.
• The victim is flooded with large packets without ever initiating the requests.

Data Exfiltration Attack Methods

• Attack methods for data exfiltration include techniques like DNS tunneling.
• DNS tunneling involves encapsulating data within DNS packets to extract sensitive information.

DNS Tunneling Tools:

• DNS2TCP: Uses the KEY and TXT DNS record types.
• DNScat-P: Uses the A and CNAME DNS record types.
• Iodine Protocol v5.00: Uses the NULL DNS record type.
• Iodine Protocol v5.02: Uses the A, CNAME, MX, NULL, SRV, and TXT DNS record types.
• OzymanDNS: Uses the A and TXT DNS record types.
• SplitBrain: Uses the A and TXT DNS record types.
• TCP-Over-DNS: Uses the CNAME and TXT DNS record types.
• YourFreedom: Uses the NULL DNS record type.
• DNS tunneling is detected by analyzing DNS packet payloads and traffic patterns (byte count and frequency).

ARP Cache Poisoning

• Threat actors target hosts, switches, and routers on Layer 2 networks by poisoning ARP caches.
• This allows them to intercept traffic intended for other hosts.
• Cisco switches offer dynamic ARP inspection (DAI) to validate ARP packets and discard invalid ones.

Dynamic ARP Inspection ensures:

• Interception of ARP requests and responses on untrusted ports.
• Verification of IP-to-MAC address bindings before updating the ARP cache or forwarding packets.
• Dropping of invalid ARP packets.
• Validation of ARP packets against a trusted database (DHCP snooping binding database).
• DAI is enabled per-VLAN using the ip arp inspection vlan vlan-range command.
• ARP access control lists can be configured for static IP addresses.

Layer 2 Security Best Practices:

• Use an unused VLAN (other than VLAN 1) as the native VLAN for trunks and don't use it for access ports.
• Avoid using VLAN 1.
• Configure switch ports as access ports and disable trunking negotiation (no DTP).
• Limit MAC addresses learned on a port using port security.
• Control spanning tree using BPDU Guard and Root Guard features.
• Disable CDP on ports facing untrusted networks.
• On a new switch, shut down all ports and assign them to an unused "parking lot" VLAN then enable them and assign appropriate VLANS as needed.

Additional Layer 2 Security Features:

• Port Security: Limits MAC addresses learned on access ports.
• BPDU Guard: Protects the switch if BPDUs appear on unauthorized ports.
• Root Guard: Prevents unauthorized ports from becoming root ports.
• Dynamic ARP inspection: Validates ARP packets.
• IP Source Guard: Prevents Layer 3 spoofing.
• 802.1X: Authenticates and authorizes users before network access.
• DHCP snooping: Prevents rogue DHCP servers.
• Storm control: Limits broadcast and multicast traffic.
• Access control lists: Provides Layer 3 and Layer 2 ACLs for traffic control.

Spoofing Attacks

• Occur when an attacker impersonates another device.

Types of Spoofing Attacks:

• IP address spoofing: Sending IP packets with a fake source address. DDoS attacks often use this.
• ARP spoofing: Sending spoofed ARP packets to link the attacker's MAC address to a legitimate IP address.
• DNS server spoofing: Modifying the DNS server to reroute a domain name to a different IP address, often used for spreading malware.

Route Manipulation Attacks

• Exploits vulnerabilities in routing protocols to redirect traffic.
• A common example is BGP hijacking.
• An attacker announces prefixes not assigned to them, redirecting traffic if the announcement is more specific or presents a shorter path.

Password Attacks

• Aim to compromise user accounts through various methods.

Common Password Attacks:

• Password-guessing attack: Trying various combinations of characters manually or with automated tools like Hydra.
  • Brute-force attack: Tries every possible character combination.
  • Dictionary attack: Uses a dictionary of common words, phrases, and passwords.
• Password-resetting attack: Resetting passwords instead of guessing them, often using bootable USB devices with Linux distributions.
• Password cracking: Converting password hashes to plaintext using tools like extractors, rainbow tables, and password sniffers. Mitigated by disabling LM hashes and using complex passwords.
  • Rainbow tables: Precomputed tables of possible passwords and their hashes.
• Password sniffing: Intercepting authentication packets and extracting password hashes.
• Password capturing: Using keyloggers or Trojan horses to capture passwords.

Wireless Attacks

• Target vulnerabilities in wireless networks.

Types of Wireless Attacks:

• Installing a rogue access point: Creating a backdoor for network access.
• Jamming wireless signals: Causing a denial-of-service condition.
• War driving: Finding wireless access points.
• Bluejacking: Sending unsolicited messages via Bluetooth.
• Evil twin attack: Creating rogue access points with the same configuration as the existing network.
• IV attack: Modifying the initialization vector (IV) of a wireless packet to decrypt other packets.
• WEP/WPA attacks: Exploiting vulnerabilities in WEP and older WPA versions. WPA3 is the latest version offering fixes to known vulnerabilities.
• WPS attack: Guessing WPS passwords to gain network access.

Types of Vulnerabilities

• Understanding vulnerabilities is crucial for implementing countermeasures.
• Network vulnerabilities often result from policy flaws, design errors, protocol weaknesses, misconfigurations, software vulnerabilities, human factors, malicious software, hardware vulnerabilities, or physical access.
• Databases like Common Vulnerabilities and Exposures (CVE) and National Vulnerability Database (NVD) categorize publicly known vulnerabilities.

Common Vulnerabilities:

• API-based vulnerabilities: Exploiting flaws in application programming interfaces (APIs).
• Authentication and authorization bypass vulnerabilities: Bypassing authentication mechanisms.
• Buffer overflow: Writing more data to a buffer than it can hold, potentially executing malicious code.
• Cross-site scripting (XSS) vulnerability: Injecting malicious scripts into trusted websites. Exploitation can result in malicious code execution, account compromise, or site redirection.
• Cross-site request forgery (CSRF) vulnerability: Forcing an end user to execute malicious actions on a web application.
• Cryptographic vulnerability: Flaws in cryptographic protocols or implementations.
• Deserialization of untrusted data vulnerability: Abusing application logic by using malformed or unexpected data.
• Double free: Calling free() more than once with the same memory address (common in C and C++).
• Insufficient entropy: Cryptographic applications lacking proper entropy.
• SQL injection vulnerability: Injecting SQL queries via input data to read, modify, or delete database data or execute OS commands.
• The Open Web Application Security Project (OWASP) provides resources and best practices for mitigating vulnerabilities.

Exam Key Terms:

• SQL injection.
• CSRF.
• XSS.
• Buffer overflow.
• War driving.
• Rainbow tables.
• DNS tunneling.
• Botnet.
• Backdoors.

Chapter 5: Fundamentals of Cryptography and Public Key Infrastructure (PKI):

Cryptography

• Cryptography originates from the Greek word "kryptós," which means secret.
• It's the study of encryption techniques and secure communications.
• Cryptographers create protocols that prevent unauthorized access to private messages

Cryptography's main goals include:

• Data confidentiality.
• Data integrity.
• Authentication.
• Nonrepudiation.
• It brings together fields like mathematics and computer science for use in VPNs, e-commerce, secure email, etc.
• Cryptanalysis: the study of cracking encryption algorithms.

Ciphers and Keys:

• A cipher, or algorithm, is a set of rules for performing encryption or decryption.
• Common methods used by ciphers:
  • Substitution: Replacing one character with another.
  • Polyalphabetic: Using multiple alphabets and switching based on a trigger.
  • Transposition: Rearranging letters.

Keys

• Keys are instructions for reassembling characters.
• One-time pad (OTP): Uses a key only once to encrypt messages.
• Key Management: Proper generation, exchange, storage, and usage of keys.
• Key management involves securely choosing and storing keys. Strong keys increase security.
• Key Exchanges: Key wrapping, key indicators, asymmetric session key exchange.
• Keys must be replaced frequently.

Keyspace

• Keyspace refers to all possible values for a key.
• Larger keys offer more security but require more CPU processing during decryption and encryption.

Block Ciphers

• Block Ciphers: Symmetric key ciphers that operate on fixed-size blocks of bits.
• Block cipher encryption algorithms may take a 64-bit block of plaintext and generate a 64-bit block of ciphertext.
• Examples: AES, 3DES, Blowfish, DES, IDEA
• Block ciphers might need padding, adding overhead.

Stream Ciphers

Stream ciphers encrypt plaintext data bit by bit against a key stream or cipher digit stream.

Symmetric Algorithms

• Symmetric Encryption: Uses the same key for encryption and decryption.
• Symmetric encryption requires both devices to have the key.
  • Examples: DES, 3DES, AES, IDEA, RC2, RC4, RC5, RC6, Blowfish
• They are usually faster and require less CPU power than asymmetric algorithms.
• Longer key length (112 to 256 bits) results in better security, with at least 128 bits recommended.

Asymmetric Algorithms

• Asymmetric algorithms use two mathematically related keys: a public key and a private key.
• If you use the small keyhole with its respective key to lock the container, the only way to unlock it is to use the big keyhole with its larger key. Another option is to initially lock the container using the big key in the big keyhole, and then the only way to unlock it is to use the small key in the small keyhole.
• Asymmetric algorithms have a high CPU cost but are used for peer authentication and key generation.
• The public key is available to anyone, while the private key is kept secret.

Examples of asymmetric algorithms:

• RSA (Rivest, Shamir, Adleman): Used for authentication.
  • Key lengths: 512 to 2048 bits (minimum 1024 for good security).
  • Works well with credit card security and TLS/SSL.
• DH (Diffie-Hellman): Key exchange protocol.
  • Generates symmetric keys for use with algorithms such as 3DES and AES.
• ElGamal: Encryption system based on DH exchange.
• DSA: Digital Signature Algorithm.
• ECC: Elliptic curve cryptography based on algebraic structure of elliptic curves.

Elliptic Curve Cryptography (ECC)

• Public-key cryptography based on elliptic curves.
• ECC utilizes smaller keys than other encryption methods.
• Diffie-Hellman version: ECDH. (Elliptic Curve Diffie-Hellman), which uses elliptic curve public-private key pairs to establish the secret key.
• Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) runs in ephemeral mode, which makes sure that a compromised message won’t start a chain reaction and that other messages maintain their integrity.
• DSA version: ECDSA . (Elliptic Curve Diffie-Hellman)
• Reduced computational power compared to other asymmetric algorithms.
• Used with smart cards, wireless security, VoIP, and IPsec.
• Potential vulnerabilities: Side-channel attacks (SCAs), fault attacks, backdoors in random generator.

Quantum Cryptography

• It builds on quantum mechanics.
• Bits of the key can be encoded as quantum data, impossible in classical encryption.
• Current form: quantum key distribution (QKD).
• Uses fiber channel, costly.

One-Time Pad

• Encryption program used primarily for signing, encrypting, and decrypting emails in an attempt to increase the security of email communications.
• A stream cipher that encrypts plaintext with a secret random key of the same length as the plaintext.
• Achieved by combining keystream with plaintext using the bitwise XOR operator to produce ciphertext.
• Requires perfect randomness, which is challenging.
• Exchange of one-time pad data must equal the length of the message.

Pretty Good Privacy (PGP)

• Primarily to secure communications.
• Relies on symmetric session keys (PSK) but also uses asymmetric RSA for digital signatures and key sending.
• Key sizes: At least 128 bits, RSA/DSA keys ranging from 512 to 2048 bits.
• Uses a combination of hashing, data compression, symmetric-key cryptography, and public-key cryptography.
• OpenPGP standard: enables others to write software to integrate with PGP.
• GNU Privacy Guard (GPG, or GNuPG) is another standard.
• Offers methods of symmetric key encrytion and public key encryption for file encryption.
• It is owned by Symantec.

Pseudorandom Number Generators

Pseudorandom Number Generators (PRNGs)

• Used by cryptographic applications that require unpredictable output.
• Coded in C or Java and developed within cryptography applications.
• A programmer will increase entropy, often by collecting system noise.
• Threats: Random number generator attacks.

Hashes

• Used to check data integrity
• Example: SHA-512 checksum (512 bits) output is represented by 128 characters in hex format, whereas Message Digest 5 (MD5) produces a 128-bit (16-byte) hash value, typically expressed in text format as a 32-digit hexadecimal number.
• A cryptographic hash function takes data and creates a small, fixed-sized hash value.
• It is a one-way function.

Types of Hashes:

• Message Digest 5 (MD5): Creates a 128-bit digest.
• Secure Hash Algorithm 1 (SHA-1): Creates a 160-bit digest.
• Secure Hash Algorithm 2 (SHA-2): Options include a digest between 224 bits and 512 bits.
• Bigger is better.
• Several vulnerabilities in MD5 hashingprotocol, including collision and pre-image vulnerabilities.
• Collison Attacks occur when two input strings of a hash function produce the same hash result.
• Recommend that SHA-2 with 512 bits be used when possible.

Hashed Message Authentication Code (HMAC)

• Uses a secret key of some type.
• Only the other party who also knows the secret key and can calculate the resulting hash can correctly verify the hash.
• MD5 is a hash function that is insecure and should be avoided.
• SHA-1 is a legacy algorithm and therefore is adequately secure.
• SHA-256 provides adequate protection for sensitive information.
• SHA-384 is required to protect classified information of higher importance.

Digital Signatures

• Provide authentication, data integrity, and nonrepudiation.
• Used in conjunction with public and private key pairs, hashing and encryption for verification.
• Alice and Bob/Batman and Robin send an encrypted message over a public or untrusted network, and Eve/The Joker tries to steal the information being exchanged.

Digital Signature Verification:

• Batman and Robin both verify that the other party is correct. B&R have public-private keypairs and were given digital certificates.
• Batman takes a packet and generates a hash, then encrypts it using Batman’s private key (digital signature).
• Robin can receive the packet, decrypt the encrypted hash via Batman's Public Key, and set the decrypted hash off to the side for one moment.
• Robin runs the same hash algorithm on the packet it just received. If the hash Robin matches the hash just received then: -- the only person who could have encrypted it was Batman; so authentication.
• • the data integrity on the packet is good; so data integrity.
• This implies for Robin to verify the Digital signatures by Batman then:
• -Robin also got Batman's Public Key; but from where.
• -Both need the CA’s public key.

Next-Generation Encryption Protocols

• The U.S. government selected and recommended a set of cryptographic standards called Suite B because it provides a complete suite of algorithms designed to meet future security needs.
• Suite B has been approved for protecting classified information at both the secret and top-secret levels.
• Elliptic curve cryptography replaces RSA signatures with the ECDSA algorithm and replaces the DH key exchange with ECDH.
• AES in the GaRobin/Counter Mode (GCM) of operation. ECC digital signature algorithm.
• SHA-256, SHA-384, and SHA-512.

Protocols

• Ipsec and SSL/TLS protocols create protection for IP and web packets at various levels.

IP Security (IPsec (

• Protects IP packets at Layer 3. Offers confidentiality with encryption, data integrity with hashing and HMAC, and authentication using digital signatures.
• Has anti-replay support as well.

SSL/TLS)

• Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS): are cryptographic protocols that provide secure Internet communications such as web browsing, instant messaging, email, and VoIP. These protocols rely on a PKI for obtaining and validating certificates.
• SSL/TLS work in much the same manner. -- Two types of keys are required.
• • a public key -- and a session key.
• Your organization might have a policy stating that SSL/TLS-encrypted data needs to be decrypted when it reaches the internal network and then analyzed for malware and potential attacks. It is often then re-encrypted and sent to its final destination. This process is also very CPU intensive, and an SSL/TLS accelerator can provide the additional power required. SSL/TLS decryption and re-encryption can be a security risk and a privacy issue (especially for users bringing their own devices to the corporate network [BYOD users]). Careful consideration is required regarding where the decryption/re-encryption will take place, how it is implemented, and how people are notified about this policy.

Protocol HTTPS

• Hypertext Transfer Protocol Secure (HTTPS).
• a combination of HTTP and TLS. Web servers that enable HTTPS inbound connections must have inbound port 443 open (although web services using TLS can be configured in any TCP port). HTTPS should not be confused with Secure HTTP (SHTTP). SHTTP is an alternative to HTTPS that works in much the same way. Numerous websites now use HTTPS using TLS.

Tip: One attack to watch for is the downgrade attack—when a protocol is downgraded from a high-quality mode or higher version to a low-quality mode