Podcast
Questions and Answers
Which of the following scenarios exemplifies a man-in-the-middle attack?
Which of the following scenarios exemplifies a man-in-the-middle attack?
- An attacker cracks a password using a brute-force attack.
- An attacker intercepts communication between two parties, impersonating each to eavesdrop and potentially manipulate data. (correct)
- An attacker floods a server with SYN packets, causing a denial of service.
- An attacker exploits a buffer overflow vulnerability to execute arbitrary code on a server.
What is the primary purpose of Address Resolution Protocol (ARP) poisoning in a man-in-the-middle attack at Layer 2?
What is the primary purpose of Address Resolution Protocol (ARP) poisoning in a man-in-the-middle attack at Layer 2?
- To disable security features on network switches.
- To discover the IP addresses of all devices on the local network.
- To associate the attacker's MAC address with the IP address of the default gateway, intercepting traffic. (correct)
- To flood the network with ARP requests causing a denial of service.
What is a countermeasure against ARP spoofing attacks?
What is a countermeasure against ARP spoofing attacks?
- Implementing Dynamic ARP Inspection (DAI) on network switches. (correct)
- Enabling port security on network switches.
- Using static IP addresses for all devices.
- Disabling DHCP on the network.
How can an attacker leverage the Spanning Tree Protocol (STP) in a man-in-the-middle attack?
How can an attacker leverage the Spanning Tree Protocol (STP) in a man-in-the-middle attack?
What is the risk of using plaintext protocols such as Telnet or HTTP for network management?
What is the risk of using plaintext protocols such as Telnet or HTTP for network management?
Which protocols are recommended as secure alternatives to Telnet and HTTP?
Which protocols are recommended as secure alternatives to Telnet and HTTP?
What is the primary goal of a denial-of-service (DoS) attack?
What is the primary goal of a denial-of-service (DoS) attack?
What is the key difference between a DoS and a DDoS attack?
What is the key difference between a DoS and a DDoS attack?
What is a SYN flood attack, and how does it contribute to a denial-of-service condition?
What is a SYN flood attack, and how does it contribute to a denial-of-service condition?
How can attackers leverage cloud services to increase the cost impact of a DDoS attack on a victim?
How can attackers leverage cloud services to increase the cost impact of a DDoS attack on a victim?
What is a botnet, and how is it used in a DDoS attack?
What is a botnet, and how is it used in a DDoS attack?
In a reflected DDoS attack, how do attackers mask their identity and amplify the volume of attack traffic?
In a reflected DDoS attack, how do attackers mask their identity and amplify the volume of attack traffic?
What is an amplification attack in the context of DDoS, and how does it work?
What is an amplification attack in the context of DDoS, and how does it work?
What is DNS tunneling, and how is it used for data exfiltration?
What is DNS tunneling, and how is it used for data exfiltration?
How can DNS tunneling be detected?
How can DNS tunneling be detected?
In ARP cache poisoning, what is the attacker attempting to achieve?
In ARP cache poisoning, what is the attacker attempting to achieve?
What is the function of Dynamic ARP Inspection (DAI) on Cisco switches?
What is the function of Dynamic ARP Inspection (DAI) on Cisco switches?
What is the purpose of using a non-default VLAN for the native VLAN on network trunks?
What is the purpose of using a non-default VLAN for the native VLAN on network trunks?
What is the purpose of disabling Dynamic Trunking Protocol (DTP) negotiation on switch ports?
What is the purpose of disabling Dynamic Trunking Protocol (DTP) negotiation on switch ports?
How does port security enhance Layer 2 security on network switches?
How does port security enhance Layer 2 security on network switches?
What is the purpose of BPDU Guard and Root Guard features in Spanning Tree Protocol (STP)?
What is the purpose of BPDU Guard and Root Guard features in Spanning Tree Protocol (STP)?
Why is it recommended to disable Cisco Discovery Protocol (CDP) on ports facing untrusted networks?
Why is it recommended to disable Cisco Discovery Protocol (CDP) on ports facing untrusted networks?
When configuring a new switch, what is a recommended initial security measure?
When configuring a new switch, what is a recommended initial security measure?
What is the function of IP Source Guard (IPSG)?
What is the function of IP Source Guard (IPSG)?
What is the role of 802.1X authentication?
What is the role of 802.1X authentication?
How does DHCP snooping enhance network security?
How does DHCP snooping enhance network security?
What is the purpose of storm control on a network switch?
What is the purpose of storm control on a network switch?
In an IP address spoofing attack, what is the attacker attempting to do?
In an IP address spoofing attack, what is the attacker attempting to do?
What is a BGP hijacking attack, and how does it compromise network routing?
What is a BGP hijacking attack, and how does it compromise network routing?
Which password attack involves trying every possible combination of characters to crack a password?
Which password attack involves trying every possible combination of characters to crack a password?
What is a dictionary attack in the context of password cracking?
What is a dictionary attack in the context of password cracking?
How do rainbow tables facilitate password cracking?
How do rainbow tables facilitate password cracking?
What is the purpose of a keylogger?
What is the purpose of a keylogger?
In wireless networks, what is the purpose of a rogue access point?
In wireless networks, what is the purpose of a rogue access point?
What is war driving, and what information is typically gathered?
What is war driving, and what information is typically gathered?
What is an evil twin attack?
What is an evil twin attack?
Why is Web Encryption Protocol (WEP) considered a weak wireless security protocol?
Why is Web Encryption Protocol (WEP) considered a weak wireless security protocol?
What is the purpose of Common Vulnerabilities and Exposures (CVE)?
What is the purpose of Common Vulnerabilities and Exposures (CVE)?
In a buffer overflow vulnerability, what happens when a program attempts to write more data to a buffer than it can hold?
In a buffer overflow vulnerability, what happens when a program attempts to write more data to a buffer than it can hold?
What is a cross-site scripting (XSS) vulnerability, and how can attackers exploit it?
What is a cross-site scripting (XSS) vulnerability, and how can attackers exploit it?
What is a cross-site request forgery (CSRF) vulnerability, and how does it differ from XSS?
What is a cross-site request forgery (CSRF) vulnerability, and how does it differ from XSS?
What is an SQL injection vulnerability, and what are its potential consequences?
What is an SQL injection vulnerability, and what are its potential consequences?
Flashcards
Man-in-the-Middle Attack
Man-in-the-Middle Attack
An attack where attackers position themselves between two communicating devices to eavesdrop or manipulate data.
ARP Poisoning
ARP Poisoning
Compromising Layer 2 MAC addresses, making devices believe the attacker is the default gateway.
Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI)
A security technique on switches to prevent Layer 2 address spoofing.
Layer 3 Man-in-the-Middle Attack
Layer 3 Man-in-the-Middle Attack
Signup and view all the flashcards
Denial-of-Service (DoS) Attack
Denial-of-Service (DoS) Attack
Signup and view all the flashcards
Distributed DoS (DDoS) Attack
Distributed DoS (DDoS) Attack
Signup and view all the flashcards
Direct DDoS Attack
Direct DDoS Attack
Signup and view all the flashcards
SYN Flood Attack
SYN Flood Attack
Signup and view all the flashcards
Botnet
Botnet
Signup and view all the flashcards
Reflected DDoS Attack
Reflected DDoS Attack
Signup and view all the flashcards
Amplification Attack
Amplification Attack
Signup and view all the flashcards
DNS Tunneling
DNS Tunneling
Signup and view all the flashcards
ARP Cache Poisoning
ARP Cache Poisoning
Signup and view all the flashcards
Dynamic ARP Inspection
Dynamic ARP Inspection
Signup and view all the flashcards
Port Security
Port Security
Signup and view all the flashcards
BPDU Guard
BPDU Guard
Signup and view all the flashcards
Root Guard
Root Guard
Signup and view all the flashcards
IP Source Guard
IP Source Guard
Signup and view all the flashcards
802.1X
802.1X
Signup and view all the flashcards
DHCP Snooping
DHCP Snooping
Signup and view all the flashcards
Storm Control
Storm Control
Signup and view all the flashcards
Spoofing Attack
Spoofing Attack
Signup and view all the flashcards
IP Address Spoofing Attack
IP Address Spoofing Attack
Signup and view all the flashcards
DNS Server Spoofing Attack
DNS Server Spoofing Attack
Signup and view all the flashcards
BGP Hijacking Attack
BGP Hijacking Attack
Signup and view all the flashcards
Password-Guessing Attack
Password-Guessing Attack
Signup and view all the flashcards
Password-Resetting Attack
Password-Resetting Attack
Signup and view all the flashcards
Password Cracking
Password Cracking
Signup and view all the flashcards
Rainbow Tables
Rainbow Tables
Signup and view all the flashcards
Password Sniffing
Password Sniffing
Signup and view all the flashcards
Password Capturing
Password Capturing
Signup and view all the flashcards
Installing a Rogue Access Point
Installing a Rogue Access Point
Signup and view all the flashcards
Jamming Wireless Signals
Jamming Wireless Signals
Signup and view all the flashcards
War driving
War driving
Signup and view all the flashcards
Bluejacking
Bluejacking
Signup and view all the flashcards
Evil Twin Attack
Evil Twin Attack
Signup and view all the flashcards
IV Attack
IV Attack
Signup and view all the flashcards
WEP/WPA Attack
WEP/WPA Attack
Signup and view all the flashcards
WPS Attack
WPS Attack
Signup and view all the flashcards
API-Based Vulnerabilities
API-Based Vulnerabilities
Signup and view all the flashcards
Study Notes
- Man-in-the-middle (MITM) attacks involve an attacker positioning themselves between two communicating devices to eavesdrop or manipulate data.
- MITM attacks can occur at Layer 2 or Layer 3 of the OSI model.
- The primary goal of a MITM attack is typically eavesdropping, allowing the attacker to monitor all traffic between the devices.
Layer 2 MITM Attacks
- An attacker spoofs MAC addresses to make devices on a LAN believe the attacker's MAC address is the default gateway's.
- This technique is known as ARP poisoning.
- Frames intended for the default gateway are then sent to the attacker, who may forward them to the correct destination to avoid detection.
- Mitigation techniques include dynamic ARP inspection (DAI) on switches.
- Attackers may also introduce a rogue switch and manipulate the Spanning Tree Protocol (STP) to become the root switch, gaining visibility into network traffic.
Layer 3 MITM Attacks
- A rogue router is placed on the network to trick other routers into thinking it offers a better path.
- Network traffic is then directed through the rogue router.
- Mitigation involves routing authentication protocols and filtering advertised information on specific interfaces.
Malware-Based MITM Attacks
- An attacker compromises a victim's machine and installs malware to intercept packets.
- This malware can capture packets before encryption, even with SSL/TLS/HTTPS.
Preventing MITM Attacks
- Encryption should be used to ensure data confidentiality during transit.
- Avoid plaintext protocols like Telnet or HTTP for management, as they expose usernames and passwords.
- Using encrypted protocols like SSH and HTTPS is a best practice.
- VPNs can also protect sensitive data transmitted in plaintext.
Denial-of-Service (DoS) and Distributed DoS (DDoS) Attacks
- These attacks aim to disrupt network services by overwhelming them with traffic or exploiting vulnerabilities.
- DDoS attacks are categorized into direct, reflected, and amplification attacks.
Direct DDoS Attacks
- The attacker directly sends packets to the victim, flooding it with traffic to exhaust bandwidth or system resources.
- A SYN flood attack is a type of direct DDoS attack that overwhelms the victim with TCP SYN packets.
- DDoS attacks can increase cloud service costs for the victim due to pay-per-usage models.
- Exploiting vulnerabilities such as buffer overflows can crash servers or network devices, leading to a DoS condition.
Botnets in DDoS Attacks
- Attackers often use botnets which are a collections of compromised machines controlled by a command and control (C2) system.
- The attacker sends instructions to the C2 server, which then directs the bots to launch a DDoS attack against the victim.
Reflected DDoS Attacks
- Attackers send spoofed packets that appear to originate from the intended victim to intermediary sources.
- These sources then unintentionally flood the victim with response traffic.
- UDP is commonly used due to its ease of spoofing.
- An attacker sends packets (e.g., NTP requests) to a source, which then responds to the victim.
DDoS Amplification Attacks
- An amplification attack is a reflected attack where the response traffic is much larger than the initial requests.
- DNS queries, where the DNS responses are significantly larger than the queries, serve as an example.
- The victim is flooded with large packets without ever initiating the requests.
Data Exfiltration Attack Methods
- Attack methods for data exfiltration include techniques like DNS tunneling.
- DNS tunneling involves encapsulating data within DNS packets to extract sensitive information.
DNS Tunneling Tools:
- DNS2TCP: Uses the KEY and TXT DNS record types.
- DNScat-P: Uses the A and CNAME DNS record types.
- Iodine Protocol v5.00: Uses the NULL DNS record type.
- Iodine Protocol v5.02: Uses the A, CNAME, MX, NULL, SRV, and TXT DNS record types.
- OzymanDNS: Uses the A and TXT DNS record types.
- SplitBrain: Uses the A and TXT DNS record types.
- TCP-Over-DNS: Uses the CNAME and TXT DNS record types.
- YourFreedom: Uses the NULL DNS record type.
- DNS tunneling is detected by analyzing DNS packet payloads and traffic patterns (byte count and frequency).
ARP Cache Poisoning
- Threat actors target hosts, switches, and routers on Layer 2 networks by poisoning ARP caches.
- This allows them to intercept traffic intended for other hosts.
- Cisco switches offer dynamic ARP inspection (DAI) to validate ARP packets and discard invalid ones.
Dynamic ARP Inspection ensures:
- Interception of ARP requests and responses on untrusted ports.
- Verification of IP-to-MAC address bindings before updating the ARP cache or forwarding packets.
- Dropping of invalid ARP packets.
- Validation of ARP packets against a trusted database (DHCP snooping binding database).
- DAI is enabled per-VLAN using the
ip arp inspection vlan vlan-range
command. - ARP access control lists can be configured for static IP addresses.
Layer 2 Security Best Practices:
- Use an unused VLAN (other than VLAN 1) as the native VLAN for trunks and don't use it for access ports.
- Avoid using VLAN 1.
- Configure switch ports as access ports and disable trunking negotiation (no DTP).
- Limit MAC addresses learned on a port using port security.
- Control spanning tree using BPDU Guard and Root Guard features.
- Disable CDP on ports facing untrusted networks.
- On a new switch, shut down all ports and assign them to an unused "parking lot" VLAN then enable them and assign appropriate VLANS as needed.
Additional Layer 2 Security Features:
- Port Security: Limits MAC addresses learned on access ports.
- BPDU Guard: Protects the switch if BPDUs appear on unauthorized ports.
- Root Guard: Prevents unauthorized ports from becoming root ports.
- Dynamic ARP inspection: Validates ARP packets.
- IP Source Guard: Prevents Layer 3 spoofing.
- 802.1X: Authenticates and authorizes users before network access.
- DHCP snooping: Prevents rogue DHCP servers.
- Storm control: Limits broadcast and multicast traffic.
- Access control lists: Provides Layer 3 and Layer 2 ACLs for traffic control.
Spoofing Attacks
- Occur when an attacker impersonates another device.
Types of Spoofing Attacks:
- IP address spoofing: Sending IP packets with a fake source address. DDoS attacks often use this.
- ARP spoofing: Sending spoofed ARP packets to link the attacker's MAC address to a legitimate IP address.
- DNS server spoofing: Modifying the DNS server to reroute a domain name to a different IP address, often used for spreading malware.
Route Manipulation Attacks
- Exploits vulnerabilities in routing protocols to redirect traffic.
- A common example is BGP hijacking.
- An attacker announces prefixes not assigned to them, redirecting traffic if the announcement is more specific or presents a shorter path.
Password Attacks
- Aim to compromise user accounts through various methods.
Common Password Attacks:
- Password-guessing attack: Trying various combinations of characters manually or with automated tools like Hydra.
- Brute-force attack: Tries every possible character combination.
- Dictionary attack: Uses a dictionary of common words, phrases, and passwords.
- Password-resetting attack: Resetting passwords instead of guessing them, often using bootable USB devices with Linux distributions.
- Password cracking: Converting password hashes to plaintext using tools like extractors, rainbow tables, and password sniffers. Mitigated by disabling LM hashes and using complex passwords.
- Rainbow tables: Precomputed tables of possible passwords and their hashes.
- Password sniffing: Intercepting authentication packets and extracting password hashes.
- Password capturing: Using keyloggers or Trojan horses to capture passwords.
Wireless Attacks
- Target vulnerabilities in wireless networks.
Types of Wireless Attacks:
- Installing a rogue access point: Creating a backdoor for network access.
- Jamming wireless signals: Causing a denial-of-service condition.
- War driving: Finding wireless access points.
- Bluejacking: Sending unsolicited messages via Bluetooth.
- Evil twin attack: Creating rogue access points with the same configuration as the existing network.
- IV attack: Modifying the initialization vector (IV) of a wireless packet to decrypt other packets.
- WEP/WPA attacks: Exploiting vulnerabilities in WEP and older WPA versions. WPA3 is the latest version offering fixes to known vulnerabilities.
- WPS attack: Guessing WPS passwords to gain network access.
Types of Vulnerabilities
- Understanding vulnerabilities is crucial for implementing countermeasures.
- Network vulnerabilities often result from policy flaws, design errors, protocol weaknesses, misconfigurations, software vulnerabilities, human factors, malicious software, hardware vulnerabilities, or physical access.
- Databases like Common Vulnerabilities and Exposures (CVE) and National Vulnerability Database (NVD) categorize publicly known vulnerabilities.
Common Vulnerabilities:
- API-based vulnerabilities: Exploiting flaws in application programming interfaces (APIs).
- Authentication and authorization bypass vulnerabilities: Bypassing authentication mechanisms.
- Buffer overflow: Writing more data to a buffer than it can hold, potentially executing malicious code.
- Cross-site scripting (XSS) vulnerability: Injecting malicious scripts into trusted websites. Exploitation can result in malicious code execution, account compromise, or site redirection.
- Cross-site request forgery (CSRF) vulnerability: Forcing an end user to execute malicious actions on a web application.
- Cryptographic vulnerability: Flaws in cryptographic protocols or implementations.
- Deserialization of untrusted data vulnerability: Abusing application logic by using malformed or unexpected data.
- Double free: Calling free() more than once with the same memory address (common in C and C++).
- Insufficient entropy: Cryptographic applications lacking proper entropy.
- SQL injection vulnerability: Injecting SQL queries via input data to read, modify, or delete database data or execute OS commands.
- The Open Web Application Security Project (OWASP) provides resources and best practices for mitigating vulnerabilities.
Exam Key Terms:
- SQL injection.
- CSRF.
- XSS.
- Buffer overflow.
- War driving.
- Rainbow tables.
- DNS tunneling.
- Botnet.
- Backdoors.
Chapter 5: Fundamentals of Cryptography and Public Key Infrastructure (PKI):
Cryptography
- Cryptography originates from the Greek word "kryptós," which means secret.
- It's the study of encryption techniques and secure communications.
- Cryptographers create protocols that prevent unauthorized access to private messages
Cryptography's main goals include:
- Data confidentiality.
- Data integrity.
- Authentication.
- Nonrepudiation.
- It brings together fields like mathematics and computer science for use in VPNs, e-commerce, secure email, etc.
- Cryptanalysis: the study of cracking encryption algorithms.
Ciphers and Keys:
- A cipher, or algorithm, is a set of rules for performing encryption or decryption.
- Common methods used by ciphers:
- Substitution: Replacing one character with another.
- Polyalphabetic: Using multiple alphabets and switching based on a trigger.
- Transposition: Rearranging letters.
Keys
- Keys are instructions for reassembling characters.
- One-time pad (OTP): Uses a key only once to encrypt messages.
- Key Management: Proper generation, exchange, storage, and usage of keys.
- Key management involves securely choosing and storing keys. Strong keys increase security.
- Key Exchanges: Key wrapping, key indicators, asymmetric session key exchange.
- Keys must be replaced frequently.
Keyspace
- Keyspace refers to all possible values for a key.
- Larger keys offer more security but require more CPU processing during decryption and encryption.
Block Ciphers
- Block Ciphers: Symmetric key ciphers that operate on fixed-size blocks of bits.
- Block cipher encryption algorithms may take a 64-bit block of plaintext and generate a 64-bit block of ciphertext.
- Examples: AES, 3DES, Blowfish, DES, IDEA
- Block ciphers might need padding, adding overhead.
Stream Ciphers
Stream ciphers encrypt plaintext data bit by bit against a key stream or cipher digit stream.
Symmetric Algorithms
- Symmetric Encryption: Uses the same key for encryption and decryption.
- Symmetric encryption requires both devices to have the key.
- Examples: DES, 3DES, AES, IDEA, RC2, RC4, RC5, RC6, Blowfish
- They are usually faster and require less CPU power than asymmetric algorithms.
- Longer key length (112 to 256 bits) results in better security, with at least 128 bits recommended.
Asymmetric Algorithms
- Asymmetric algorithms use two mathematically related keys: a public key and a private key.
- If you use the small keyhole with its respective key to lock the container, the only way to unlock it is to use the big keyhole with its larger key. Another option is to initially lock the container using the big key in the big keyhole, and then the only way to unlock it is to use the small key in the small keyhole.
- Asymmetric algorithms have a high CPU cost but are used for peer authentication and key generation.
- The public key is available to anyone, while the private key is kept secret.
Examples of asymmetric algorithms:
- RSA (Rivest, Shamir, Adleman): Used for authentication.
- Key lengths: 512 to 2048 bits (minimum 1024 for good security).
- Works well with credit card security and TLS/SSL.
- DH (Diffie-Hellman): Key exchange protocol.
- Generates symmetric keys for use with algorithms such as 3DES and AES.
- ElGamal: Encryption system based on DH exchange.
- DSA: Digital Signature Algorithm.
- ECC: Elliptic curve cryptography based on algebraic structure of elliptic curves.
Elliptic Curve Cryptography (ECC)
- Public-key cryptography based on elliptic curves.
- ECC utilizes smaller keys than other encryption methods.
- Diffie-Hellman version: ECDH. (Elliptic Curve Diffie-Hellman), which uses elliptic curve public-private key pairs to establish the secret key.
- Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) runs in ephemeral mode, which makes sure that a compromised message won’t start a chain reaction and that other messages maintain their integrity.
- DSA version: ECDSA . (Elliptic Curve Diffie-Hellman)
- Reduced computational power compared to other asymmetric algorithms.
- Used with smart cards, wireless security, VoIP, and IPsec.
- Potential vulnerabilities: Side-channel attacks (SCAs), fault attacks, backdoors in random generator.
Quantum Cryptography
- It builds on quantum mechanics.
- Bits of the key can be encoded as quantum data, impossible in classical encryption.
- Current form: quantum key distribution (QKD).
- Uses fiber channel, costly.
One-Time Pad
- Encryption program used primarily for signing, encrypting, and decrypting emails in an attempt to increase the security of email communications.
- A stream cipher that encrypts plaintext with a secret random key of the same length as the plaintext.
- Achieved by combining keystream with plaintext using the bitwise XOR operator to produce ciphertext.
- Requires perfect randomness, which is challenging.
- Exchange of one-time pad data must equal the length of the message.
Pretty Good Privacy (PGP)
- Primarily to secure communications.
- Relies on symmetric session keys (PSK) but also uses asymmetric RSA for digital signatures and key sending.
- Key sizes: At least 128 bits, RSA/DSA keys ranging from 512 to 2048 bits.
- Uses a combination of hashing, data compression, symmetric-key cryptography, and public-key cryptography.
- OpenPGP standard: enables others to write software to integrate with PGP.
- GNU Privacy Guard (GPG, or GNuPG) is another standard.
- Offers methods of symmetric key encrytion and public key encryption for file encryption.
- It is owned by Symantec.
Pseudorandom Number Generators
Pseudorandom Number Generators (PRNGs)
- Used by cryptographic applications that require unpredictable output.
- Coded in C or Java and developed within cryptography applications.
- A programmer will increase entropy, often by collecting system noise.
- Threats: Random number generator attacks.
Hashes
- Used to check data integrity
- Example: SHA-512 checksum (512 bits) output is represented by 128 characters in hex format, whereas Message Digest 5 (MD5) produces a 128-bit (16-byte) hash value, typically expressed in text format as a 32-digit hexadecimal number.
- A cryptographic hash function takes data and creates a small, fixed-sized hash value.
- It is a one-way function.
Types of Hashes:
- Message Digest 5 (MD5): Creates a 128-bit digest.
- Secure Hash Algorithm 1 (SHA-1): Creates a 160-bit digest.
- Secure Hash Algorithm 2 (SHA-2): Options include a digest between 224 bits and 512 bits.
- Bigger is better.
- Several vulnerabilities in MD5 hashingprotocol, including collision and pre-image vulnerabilities.
- Collison Attacks occur when two input strings of a hash function produce the same hash result.
- Recommend that SHA-2 with 512 bits be used when possible.
Hashed Message Authentication Code (HMAC)
- Uses a secret key of some type.
- Only the other party who also knows the secret key and can calculate the resulting hash can correctly verify the hash.
- MD5 is a hash function that is insecure and should be avoided.
- SHA-1 is a legacy algorithm and therefore is adequately secure.
- SHA-256 provides adequate protection for sensitive information.
- SHA-384 is required to protect classified information of higher importance.
Digital Signatures
- Provide authentication, data integrity, and nonrepudiation.
- Used in conjunction with public and private key pairs, hashing and encryption for verification.
- Alice and Bob/Batman and Robin send an encrypted message over a public or untrusted network, and Eve/The Joker tries to steal the information being exchanged.
Digital Signature Verification:
- Batman and Robin both verify that the other party is correct. B&R have public-private keypairs and were given digital certificates.
- Batman takes a packet and generates a hash, then encrypts it using Batman’s private key (digital signature).
- Robin can receive the packet, decrypt the encrypted hash via Batman's Public Key, and set the decrypted hash off to the side for one moment.
- Robin runs the same hash algorithm on the packet it just received. If the hash Robin matches the hash just received then: -- the only person who could have encrypted it was Batman; so authentication.
-
- the data integrity on the packet is good; so data integrity.
- This implies for Robin to verify the Digital signatures by Batman then:
- -Robin also got Batman's Public Key; but from where.
- -Both need the CA’s public key.
Next-Generation Encryption Protocols
- The U.S. government selected and recommended a set of cryptographic standards called Suite B because it provides a complete suite of algorithms designed to meet future security needs.
- Suite B has been approved for protecting classified information at both the secret and top-secret levels.
- Elliptic curve cryptography replaces RSA signatures with the ECDSA algorithm and replaces the DH key exchange with ECDH.
- AES in the GaRobin/Counter Mode (GCM) of operation. ECC digital signature algorithm.
- SHA-256, SHA-384, and SHA-512.
Protocols
- Ipsec and SSL/TLS protocols create protection for IP and web packets at various levels.
IP Security (IPsec (
- Protects IP packets at Layer 3. Offers confidentiality with encryption, data integrity with hashing and HMAC, and authentication using digital signatures.
- Has anti-replay support as well.
SSL/TLS)
- Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS): are cryptographic protocols that provide secure Internet communications such as web browsing, instant messaging, email, and VoIP. These protocols rely on a PKI for obtaining and validating certificates.
- SSL/TLS work in much the same manner. -- Two types of keys are required.
-
- a public key -- and a session key.
- Your organization might have a policy stating that SSL/TLS-encrypted data needs to be decrypted when it reaches the internal network and then analyzed for malware and potential attacks. It is often then re-encrypted and sent to its final destination. This process is also very CPU intensive, and an SSL/TLS accelerator can provide the additional power required. SSL/TLS decryption and re-encryption can be a security risk and a privacy issue (especially for users bringing their own devices to the corporate network [BYOD users]). Careful consideration is required regarding where the decryption/re-encryption will take place, how it is implemented, and how people are notified about this policy.
Protocol HTTPS
- Hypertext Transfer Protocol Secure (HTTPS).
- a combination of HTTP and TLS. Web servers that enable HTTPS inbound connections must have inbound port 443 open (although web services using TLS can be configured in any TCP port). HTTPS should not be confused with Secure HTTP (SHTTP). SHTTP is an alternative to HTTPS that works in much the same way. Numerous websites now use HTTPS using TLS.
Tip: One attack to watch for is the downgrade attack—when a protocol is downgraded from a high-quality mode or higher version to a low-quality mode
Studying That Suits You
Use AI to generate personalized quizzes and flashcards to suit your learning preferences.