Certified Information Systems Security Professional (CISSP)
===========================================================
Applying cryptography
encryption for confidentiality
hashed for integrity
digitally signed certificates for authentication
digital signatures can be used to ensure non-repudiation
(Nonrepudiation is the assurance that someone cannot deny something.)
cryptography: Science of secret writing
Authentication: Proves identity
nonrepudiation: Proves sender
Cipher: cryptographic set of rules or technique
Cipher text: transformed plaintext to unreadable form
Algorithm: Complex mathematical cipher
Key: crypto variable used with an algorithm
Key space: Number of possible key combinations
Encryption types:
Substitution: Replacing characters or bits
Transposition: Moving characters or bits
key stream: One bit at a time XOR function
Confusion: multiple rounds of substitution
Diffusion: multiple rounds of transposition
3DES: uses data encryption algorithm and 48 rounds
AES: uses Rijndael and 3 key size options
DES: 16 round block symmetric algorithm
Keys:
symmetric: single shared key
asymmetric: key pair
session key: specific instance of symmetric key
ECC, RSA, ElGamal: asymmetric algorithms
AES, 3DES, IDEA: symmetric key standards and algorithms
PKI:
Registration authority: manages digital certificates
Certificate authority: Issues and revokes digital certificates
Digital certificate: Identifier with embedded public key
X.509: ISO PKI standard framework
Public key: key that is distributed
Private key: key that is kept secure
CRL: certificate revocation list
OCSP: certificate revocation protocol
Hashing: Producing a one-way representation
Message digest: output of a hash function
SHA-x : NSA developed hash algorithm
HMAC: hash output with a symmetric key
Digital Signature: Digest encrypted with the sender's private key
DSA: Digital signature algorithm
Nonrepudiation: Proves sender
Salt: A rehash value added to a database
Link encryption: Payload + header encryption
End-to-end encryption: payload only encryption
IPsec: de facto VPN protocol
SSL/TLS: application layer cryptographic protocol
HTTPS: hyper text transfer protocol + SSL/TLS
SSH: used for secure remote authentication
SFTP : used for secure file transfer
S/MIME: use for secure email
Side channel attack: Measure execution time or power
brute force attack: Exhausting all possibilities
frequency analysis: looking for patterns
collision: Different input results in same hash values
birthday attack: Exploits probability to produce collisions
MiTM : Interception and modification
Replay: Capture and re-transmit
Crypto-retirement : DES (End of life)
SSL/TLS
SSL/TLS protocol is a set of rules governing client and server authentication and encrypted communications.
SSL/TLS requires the server to have an SSL digital certificate:
- The server authenticates itself to the client and provides its public keys (used to encrypt the session key)
- The client and server use symmetric-key encryption to encrypt the information exchanged in the session.
- The server may be optionally configured to require client-side authentication before an encrypted session can be established.
Secure Shell
Secure Shell (SSH) is a cross-platform cryptographic protocol that establishes a secure connection between an SSH server and an SSH client, supporting asymmetric authentication, message authentication code and symmetric encryption.
SSH is used to administer systems remotely, provide a command shell on a remote network or tunnel other protocols.
- ssh is a replacement for cleartext telnet, login, rsh, and rsync
- SFTP is a file transfer protocol that uses SSH to transfer files.
Internet Protocol Security (IPsec):
IPsec is a suite of protocols that uses cryptographic security services to protect communications over Internet Protocol (IP) networks.
- IPsec supports:
  - network-level peer authentication
  - data origin authentication
  - data integrity
  - data confidentiality (encryption)
  - replay protection
Eavesdropping : violation of confidentiality
Tampering: violation of integrity
Spoofing: violation of authenticity
SSL/TLS : Secure client-server communication
SSH : secure telnet replacement
S/MIME: Used to digitally sign email
Encryption: used to ensure confidentiality
Digital Signatures: MD encrypted with private key
NAT:
NAT is a stateful process used by the firewall to change the source IP address of outgoing packets.
NAT can be used to:
- Anonymize (hide) internal addresses
- Transform non-routable IP addresses to routable addresses
- Extend IPv4 address space
NAT mapping can be static, dynamic or PAT
Honeypots and Honey nets:
Honeypots are decoy (luring) servers or systems set up to gather information regarding attacks or intrusions.
- Honeypots work by fooling attackers into believing they are legitimate systems.
- Attackers attack the system without knowing that they are being observed covertly.
- Honeypots can be set up inside, outside, or in the DMZ of a firewall
Honey nets are networks of honeypots
DMZ: Semi-trusted network segment
Enclave network: Segment within a trusted network
Honeypot: research decoy
Firewall: Enforces security policies
IDS/IPS: detective and corrective control
NAT: used to translate internal ip address
False positive: normal identified as abnormal
Proxy: Acting on behalf of
Securing multimedia collaboration:
IP telephony: Telecommunications services using IP
SIP: uses MD5, TLS, and privacy extensions
RTP: requests redelivery of VOIP packets
Codec: conversion of audio/video to digital frames
H.323: First widely adopted VOIP protocol
SIP redirect server: Facilitates SIP device portability
SIP registrar server: Facilitates SIP user portability
CDN: High performance content distribution
Securing virtual private networks:
VPN technologies include:
- Point-to-Point Tunneling Protocol (PPTP)
- Layer 2 Tunneling Protocol (L2TP)
- Internet Protocol Security (IPsec)
- Secure Sockets Layer (SSL)
IPsec Modes:
IPsec can be implemented in two modes:
- Transport mode is used for end-to-end protection between client and server
  - The IP payload is encrypted
  - Transport is the default mode of IPsec
- Tunnel mode is used between server-server, server-gateway, or gateway-gateway (two direct endpoints)
  - The entire packet is encrypted
IPsec components:
AH: Integrity, Origin Authentication, Replay Attack protection (HMAC)
ESP: Integrity, Origin Authentication, Replay Attack protection and Confidentiality (HMAC & Symmetric encryption)
IKE: Device authentication and establishing security association
SA: A negotiation that includes the algorithms that will be used (hashing and encryption), key length, and key information
SPI: Security association identifier
IPsec uses AH and ESP
IPsec Key Exchange:
Phase 1: device authentication
Phase 2: establish secure tunnel
IPsec Security Parameter Index (SPI)
- Security associations are identified by a security parameter index (SPI)
- Two separate SAs are established for each direction of data communication
IPsec Security Filters
IPsec filters can be used to filter (allow, restrict, and secure) traffic by source IP, destination IP, protocol, source port and destination port
SSL VPN
SSL VPN communicates at the OSI transport and session layers
- A user connects to an SSL gateway or endpoint using a web browser. SSL/TLS capabilities are embedded in most web browsers.
- The traffic is encrypted with SSL/TLS
- An SSL VPN portal is a single connection to multiple services.
- The user is authenticated by an SSL VPN gateway
- The user is presented a web page
- The SSL VPN tunnel is used to access non web-based applications
VPN Comparisons:
PPTP: used when a PPP connection needs to be transmitted through an IP network
L2TP: used when a PPP connection needs to be transmitted through a non-IP network
IPSec: used for IP based traffic
HAIPE: used for high-security IPSec implementations
SSL VPN: mainly used for http traffic
PPTP: used to secure PPP on an IP network
L2TP: can be used on a non-IP network
Transport mode: Payload is encrypted
Tunnel mode: entire packet is encrypted
AH: Integrity and authentication only
ESP: integrity, authentication and confidentiality
Security Association: IPSec negotiated agreement
SSL VPN: uses client side browser
Securing Endpoints
NAC (network access control): Unified endpoint security enforcement
Proxy: Acts on behalf of endpoint
MDM (Mobile device management): Usually includes a remote wipe feature
Malware: Code or script with malicious intent
HIDS (Host IDS): Monitors and analyses local host behaviour
Preventing and mitigating network attacks:
Opportunistic: influenced by an identified weakness
Spoofing: Impersonation
Poisoning: manipulating trusted data
MiTM: interjection between end points
Sniffing: Capturing network packets
Ransomware : class of malware
C&C: Command and control
DDoS: Distributed consumption of resources
OSI Model : Seven layers of communication
TCP/IP Model: Four layers of connectivity
ARP : MAC to IP translation
IPv4: 32bit 4 octet ID
IPv6: 128-bit hexadecimal ID
Port : application ID
Well-known ports: 1-1023
DNSSEC: extensions to mitigate forged entries
VOIP : Transmission of voice traffic over IP
MPLS: Protocol-independent telecom support
DNP3: Process automation communications
SIP: Protocol used on VOIP networks
LER: Router used in an MPLS network
Label: Replacement for a header in MPLS
FCoE: storage area network data channel over IP
Securing wireless networks
bluejacking : Injection attack
bluesnarfing: Unauthorized access
war driving : Hacking wireless networks
ad hoc mode: peer-to-peer connectivity
WEP : Broken encryption, no integrity
WPA2 : uses 802.1x, EAP, AES, and CBC-MAC
WWAN: uses point to point microwave links
GSM & CDMA : Cellular technologies
Security testing
Brute force: Trying every possible combination
Dictionary attack: Compares two sets of hashes
Work factor: Time and effort required
Hash: One-way fixed length fingerprint
Salt: Random string appended before hashing
Reverse lookup: Technique that assumes same input
Symmetric encryption: same key used to encrypt and decrypt
HMAC : hash value that includes a secret key
Operating and maintaining firewalls:
GeoIP: IP address geographic location or range
Deny by default: Must be explicitly allowed
Allow by default: must be explicitly denied
Whitelist: known benign - proactively allowed
Blacklist: known malicious - proactively denied
Sanitation : Remove sensitive information
Sandbox: isolated environment
Honeypot : Decoy system
Source code security issues:
Buffer overflow: Overrun of allocated memory
Injection attack: Accepts and executes untrusted input
Covert channel: unauthorised flow of information
object reuse attack: Malicious repurpose of code
TOC|TOU: Race condition
Maintenance hook: Mechanism to bypass access controls
Fuzzing: Testing technique that uses invalid data
OAuth: Open authorisation protocol
Deciphering Ciphers and Algorithms
A cipher is a technique or set of rules that transforms cleartext (plaintext) into an unreadable form (cipher text or cryptogram) and back to cleartext
An algorithm is a set of steps to accomplish a task
Key (Cryptovariable)
- The key dictates what parts of the algorithm will be used, in what order, and with what values
- The key is secret
- keyspace is the number of possible key combinations
  - 8 bit = 2^8 = 256 possible keys
  - 256 bit = 2^256 = 1.1578 × 10^77 possible keys
Cipher Characteristics
1. Stream
A stream cipher encodes the bits one at a time using an XOR key stream generator (resource-intensive)
- RC4 is the most well-known stream cipher.
2. Block
- Substitution
- Transposition
A block cipher breaks the plaintext message into several blocks
- A block cipher algorithm puts the bits within these blocks through several rounds of substitution and transposition. The goal is confusion (changing values) and diffusion (changing order).
- Electronic Codebook Mode (ECB): each block is independent (doesn’t hide patterns - not suitable for long messages)
- Cipher Block Chaining Mode (CBC) includes an initialization vector and a component of the previous cipher text to leverage randomization
Block ciphers: DES, 3DES, AES, IDEA, Blowfish, RC5, RC6, Skipjack, CAST
Symmetric and asymmetric encryption:
Symmetric means the same key is used to encrypt and decrypt
also referred to as
- single key
- shared key
- session key(if used for a single session)
computationally efficient
key sharing is null
not scalable
Asymmetric means two different but related keys are used:
- known as key-pair
- one key is used to encrypt; the other is used to decrypt
- The keys are referred to as a private and public key
computationally intensive
smaller key sizes
null distribution system
scalable
Applying asymmetric encryption:
Since it is computationally intensive, in most cases we use both symmetric and asymmetric keys (also known as hybrid)
Plaintext message -> symmetric cipher [session key] -> encrypted message -> symmetric cipher [session key] -> plaintext message
But the problem here is how to share the session key between Bob and Alice. To accomplish this we use an asymmetric algorithm
session key -> Asymmetric Cipher + Alice
Now Alice can use this session key to decrypt the original message in the first case.
Understanding hashing:
A hash is a one-way representation (fingerprint) of a string of text
- A hash function takes input of any length and creates a fixed length output
- Hash value is used to prove integrity
Hash algorithm examples
Message Digest (MDx), Secure Hash Algorithm (SHA), HAVAL, Tiger
Hash Process
Sender puts message through a hashing algorithm and generates a message digest (hash) value ->
Sender sends plain text message and message digest to receiver ->
Receiver puts message through a hashing algorithm and generates a message digest (hash) value ->
Receiver compares both message digests ->
If the message digests are the same, the message was not modified in transmission ->
If the message digests are different, the message was modified in transmission
Sender:
hello, this is my message + run through SHA-2 = 1HFBK2FR7
Receiver:
receiver gets original message and hashed output, i.e. message digest (1HFBK2FR7)
it runs the message through the same algorithm SHA-2 and output should be: 1HFBK2FR7
if outputs are the same, message is not modified during transmission.
Hashed MAC
A hashed message authentication code (HMAC) is a hashed value that includes a symmetric key.
- An HMAC cannot be reproduced without knowing the key.
- HMAC provides integrity and data origin authentication
- HMAC is used by cryptographic protocols such as TLS and IPsec to verify the integrity of transmitted data during secure communications
HMAC process:
Sender concatenates message + secret key and puts the result through a hashing algorithm and generates an HMAC value ->
Sender appends the HMAC value to the message and sends it to the receiver ->
Receiver concatenates message + secret key and puts the result through a hashing algorithm and generates an HMAC value ->
Receiver compares both values ->
If the values are the same then the message was not modified in transmission and the origin is known
This will accomplish both integrity and confidentiality
Sender:
hello, this is my message + secret key (1234567) + run through SHA-2 = 79HVGRST
Receiver:
it gets original message and message digest output, i.e. 79HVGRST
Receiver needs to have knowledge of the secret key (1234567); it is not sent by the sender
run this message and secret key through the same SHA-2 algorithm; output should be the same.
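The hash process and the HMAC process above, as an added Python example (not part of the original notes): it runs both receiver checks on the notes' sample message and key, including the case that separates them, where the message and the value sent with it are both replaced in transit. Python's `hmac` module implements the standard nested HMAC construction rather than a single hash over message plus key; SHA-256 stands in for "SHA-2", and the altered message, wrong key and function names are constructed for illustration.

```python
import hashlib
import hmac

MESSAGE = b"hello, this is my message"  # sample message from the notes
KEY = b"1234567"                         # the notes' sample key; real keys are long and random


def digest(message: bytes) -> str:
    """Hash process: unkeyed SHA-256 digest that anyone can compute."""
    return hashlib.sha256(message).hexdigest()


def tag(key: bytes, message: bytes) -> str:
    """HMAC process: keyed digest that requires the shared secret."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def accept_hash(message: bytes, received_digest: str) -> bool:
    """Receiver side of the hash process: recompute and compare."""
    return hmac.compare_digest(digest(message), received_digest)


def accept_hmac(key: bytes, message: bytes, received_tag: str) -> bool:
    """Receiver side of the HMAC process: recompute with the shared key and compare."""
    # compare_digest runs in constant time, so the comparison does not
    # reveal how many leading characters of the tag matched.
    return hmac.compare_digest(tag(key, message), received_tag)


def run_scenarios() -> dict:
    altered = b"hello, this is NOT my message"  # constructed in-transit change
    sent_digest = digest(MESSAGE)
    sent_tag = tag(KEY, MESSAGE)
    return {
        # Nothing changed in transit: both checks pass.
        "hash_unmodified": accept_hash(MESSAGE, sent_digest),
        "hmac_unmodified": accept_hmac(KEY, MESSAGE, sent_tag),
        # Only the message changed: both checks fail.
        "hash_message_changed": accept_hash(altered, sent_digest),
        "hmac_message_changed": accept_hmac(KEY, altered, sent_tag),
        # Message and accompanying value both replaced by someone without the key.
        "hash_message_and_digest_changed": accept_hash(altered, digest(altered)),
        "hmac_message_and_tag_changed": accept_hmac(
            KEY, altered, tag(b"not-the-key", altered)
        ),
        "hmac_tag_replaced_by_plain_digest": accept_hmac(
            KEY, altered, digest(altered)
        ),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:36s} accepted={accepted}")
```

The unkeyed digest is accepted once both the message and the digest are replaced, while every HMAC check on the altered message fails without the shared key.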
Digital Signatures:
A digital signature is a hash value (message digest) encrypted with the sender’s private key.
- A digital signature provides integrity and non-repudiation
Digital signatures require two algorithms:
- Hashing algorithm (e.g. SHA-x)
- Digital signature function such as RSA or DSA (Digital signature algorithm)
Digitally signed message:
Bob creates a message digest (hash value) of his message ->
The message digest is encrypted with Bob’s private key ->
The encrypted message digest and plaintext message are sent to Alice ->
Alice decrypts the message digest using Bob’s public key (providing non-repudiation) ->
Alice hashes the plaintext message using the same hash algorithm ->
Alice compares the two hash values for a match (proving integrity)
Integrity (not changed during transmission), Confidentiality (only authorized person can see message) and non-repudiation (can’t deny it came from you)
- A message can be hashed, which provides for integrity
- A message can be digitally signed, which provides for non-repudiation and integrity
- A message can be encrypted, which provides for confidentiality.
- A message can be encrypted and digitally signed, which provides for confidentiality, nonrepudiation and integrity.
Deconstructing the Digital certificate lifecycle
A digital certificate is an electronic “passport” that identifies a person, device, domain, organization, or publisher (code).
- The certificate is issued by a trusted certification authority, a web of trust or self-signed.
X.509 v3 digital certificate fields
Version: version of certificate
Serial number: unique identifier
Signature: Algorithm used to sign the certificate
Issuer: Name of issuer
Validity: valid dates of cert
Subject: Name of owner
Public key: Public key of named owner
Issuer unique id: ID of certificate authority
Subject unique id: ID of subject
Obtaining a Digital Certificate:
Applicant requests a certificate from a Registration Authority (RA) ->
The RA processes the request and validates the applicant ->
The RA forwards the request to a Certification Authority (CA) ->
The CA requests the public key from the applicant ->
The key-pair is locally generated and the public key is sent to the CA ->
The CA creates and signs the digital certificate ->
The certificate includes the public key ->
The CA issues the digital certificate to the applicant ->
The CA maintains and, if necessary, revokes the certificate
Digital certificate Revocation:
Certificate revocation list (CRL)
- CA maintained list of certificates that have been revoked
Online Certificate Status Protocol (OCSP)
- Client receives certificate
- Client sends OCSP request to an OCSP responder
- OCSP responder replies with a certificate status
Both are only enforced for extended validation (EV) certificates
Understanding Cryptographic Protocols:
Cryptographic communication protocols (rules) are designed to secure information flow
Information flow is vulnerable to
- Eavesdropping and packet capture, which is a violation of confidentiality
- Tampering, which is a violation of integrity
- Spoofing and misrepresentation, which can be a violation of authentication, integrity, and availability
Transmission Modes
Link Encryption
- All control information (header, trailers, and routing information) is encrypted along with the payload
needs dedicated communication channel between A and B
End-to-end encryption
- only the payload is encrypted
- Intermediary devices do not have encryption related functions
communication channel in this case is public, i.e. internet. Trailer, header and routing information is visible.
Common cryptographic Protocols:
SSL | TLS:
Use: Securing web based protocols and transmissions
Purpose: Confidentiality, Authentication, Integrity
Cryptographic components: Encryption, HMAC
HTTPS:
Use: Layer SSL | TLS on top of HTTP
Purpose: Confidentiality, Authentication, Integrity
Cryptographic components: Encryption, HMAC
FTPS:
Use: Layer SSL | TLS on top of FTP
Purpose: Confidentiality
Cryptographic components: Encryption
SSH:
Use: Secure channel between a local and remote device (telnet replacement)
Purpose: Confidentiality, Integrity
Cryptographic components: Encryption, HMAC
SFTP:
Use: Layer SSH on top of FTP
Purpose: Confidentiality
Cryptographic components: Encryption
S/MIME:
Use: Secure email communications
Purpose: Confidentiality, Integrity, Nonrepudiation
Cryptographic components: Encryption, HMAC
Non-IP networking Protocols:
- MPLS : operates in between L2 and L3
- DNP3 : L2 protocol
- FCoE : L2 protocol
Attack techniques
Scanning: probing for information
Sniffing: Packet capture
Poisoning : Manipulating trusted data
Spoofing : Impersonation
Session Hijacking : Unauthorized insertion
Sniffing can happen at any layer of OSI model
Application: user id/password sniffing
Presentation: SSL/TLS session sniffing
Session: Telnet and FTP sniffing
Transport: TCP session sniffing, UDP sniffing
Network: IP, Port sniffing
Datalink: MAC/ARP sniffing
Physical: Surveillance sniffing
Poisoning:
A poisoning attack is when a trusted source of data is manipulated:
- ARP cache
- Routing table
- DNS pharming
- Website
Session Hijacking:
A session hijacking attack intercepts communication between two systems
- Man in the middle (may use spoofing and/or poisoning)
- Replay attack
Spoofing:
A spoofing attack is when an attacker impersonates (pretends to be) an address, system, or person
- MAC address
- IP address
- Domain
- Hyperlink
- Email sender
- Trusted source