Applying cryptography
encryption for confidentiality
hashed for integrity
digitally signed certificates for authentication
digital signatures can be used to ensure non-repudiation
(Nonrepudiation is the assurance that someone cannot deny something.)
cryptography : Science of secret writing
Authentication: Proves identity
nonrepudiation: Proves sender
Cipher: cryptographic set of rules or technique
Ciphertext: transformed plaintext to unreadable form
Algorithm: Complex mathematical cipher
Key: crypto variable used with an algorithm
Keyspace: Number of possible key combinations
Encryption types:
Substitution : Replacing characters or bits
Transposition : Moving characters or bits
key stream: One bit at a time XOR function
Confusion: multiple rounds of substitution
Diffusion : multiple rounds of transposition
3 DES : uses data encryption algorithm and 48 rounds
AES : used Rijndael and 3 key size options
DES: 16 round block symmetric algorithm
Keys:
symmetric : single shared key
asymmetric: key pair
session key : specific instance of symmetric key
ECC, RSA, ElGamal: asymmetric algorithms
AES,3DES,IDEA : symmetric key standard and algorithms
PKI:
Registration authority: manages digital certificates
Certificate authority: Issues and revokes digital certificates
Digital certificate: Identifier with embedded public key
X.509: ISO PKI standard framework
Public key: key that is distributed
Private key: key that is kept secure
CRL: certificate revocation list
OCSP: certificate revocation protocol
Hashing: Producing a one-way representation
Message digest: output of a hash function
SHA-x : NSA developed hash algorithm
HMAC: hash output with a symmetric key
Digital signature: Digest encrypted with the sender's private key
DSA: Digital signature algorithm
Nonrepudiation: Proves sender
Salt: A random value added to the input before hashing (e.g. for stored password hashes)
Link encryption: Payload + header encryption
End-to-end encryption: payload only encryption
IPsec: de facto vpn protocol
SSL/TLS: application layer cryptographic protocol
HTTPS: hyper text transfer protocol + SSL/TLS
SSH: used for secure remote authentication
SFTP : used for secure file transfer
S/MIME: use for secure email
Side channel attack: Measure execution time or power
brute force attack: Exhausting all possibilities
frequency analysis: looking for patterns
collision: Different input results in same hash values
birthday attack: Exploits probability to produce collisions
MiTM : Interception and modification
Replay: Capture and re-transmit
Crypto-retirement : DES (End of life)
SSL/TLS
SSL/TLS protocol is a set of rules governing client and server authentication and encrypted communications.
SSL/TLS requires the server to have an SSL digital certificate:
- The server authenticates itself to the client and provides its public key (used to encrypt the session key)
- The client and server use symmetric-key encryption to encrypt the information exchanged in the session.
- The server may be optionally configured to require client-side authentication before an encrypted session can be established.
Secure Shell
Secure Shell (SSH) is a cross-platform cryptographic protocol that establishes a secure connection between an SSH server and an SSH client supporting asymmetric authentication, message authentication code and symmetric encryption.
SSH is used to administer systems remotely, provide a command shell on a remote network or tunnel other protocols.
- SSH is a replacement for cleartext telnet, rlogin, rsh, and rsync
- SFTP is a file transfer protocol that uses SSH to transfer files.
Internet Protocol Security (IPsec):
IPsec is a suite of protocols that uses cryptographic security services to protect communications over Internet Protocol (IP) networks.
- IPsec supports:
  - network-level peer authentication
  - data origin authentication
  - data integrity
  - data confidentiality (encryption)
  - replay protection
Eavesdropping : violation of confidentiality
Tampering: violation of integrity
Spoofing: violation of authenticity
SSL/TLS : Secure client-server communication
SSH : secure telnet replacement
S/MIME: Used to digitally sign email
Encryption: used to ensure confidentiality
Digital Signatures : MD encrypted with private key
NAT :
NAT is a stateful process used by the firewall to change the source IP address of outgoing packets.
NAT can be used to:
- Anonymize (hide) internal addresses
- Transform non-routable IP addresses to routable addresses
- Extend IPv4 address space
NAT mapping can be static, dynamic or PAT
Honeypots and Honeynets:
Honeypots are decoy (luring) servers or systems set up to gather information regarding attacks or intrusions.
- Honeypots work by fooling attackers into believing they are legitimate systems.
- Attackers attack the system without knowing that they are being observed covertly.
- Honeypots can be set up inside, outside, or in the DMZ of a firewall
Honeynets are networks of honeypots
DMZ: Semi-trusted network segment
Enclave network: Segment within a trusted network
Honeypot: research decoy
Firewall: Enforces security policies
IDS/IPS: detective and corrective control
NAT: used to translate internal ip address
False positive: normal identified as abnormal
Proxy: Acting on behalf of
Securing multimedia collaboration:
IP telephony: Telecommunications services using IP
SIP: uses MD5, TLS, and privacy extensions
RTP: requests redelivery of VOIP packets
Codec: conversion of audio/video to digital frames
H.323 : First widely adopted VOIP protocol
SIP redirect server : Facilitates SIP device portability
SIP registrar server : Facilitates SIP user portability
CDN: High performance content distribution
Securing virtual private networks:
VPN technologies include:
- Point to point tunnelling protocol (PPTP)
- Layer 2 tunneling protocol (L2TP)
- Internet protocol security (IPsec)
- Secure Socket layer (SSL)
Ipsec Modes:
IPsec can be implemented in two modes:
- Transport mode is used for end-to-end protection between client and server
  - The IP payload is encrypted
  - Transport is the default mode of IPsec
- Tunnel mode is used between server-server, server-gateway, or gateway-gateway (two direct endpoints)
  - The entire packet is encrypted
Ipsec components :
AH : Integrity, Origin Authentication, Replay Attack protection (HMAC)
ESP : Integrity, Origin Authentication, Replay Attack protection and Confidentiality (HMAC & Symmetric encryption)
IKE : Device authentication and establishing security association
SA : A negotiation that includes the algorithms that will be used (hashing and encryption), key length, and key information
SPI : Security association identifier
Ipsec uses AH and ESP
Ipsec Key Exchange:
Phase 1 : device authentication
Phase 2 : establish secure tunnel
Ipsec security Parameter Index (SPI)
- Security associations are identified by a security parameter index (SPI)
- Two separate SAs are established for each direction of data communication
Ipsec Security Filters
Ipsec filters can be used to filter (allow, restrict, and secure) traffic by source IP, destination IP, protocol, source port and destination port
SSL VPN
SSL VPN communicates at the OSI transport and session layers
- A user connects to an SSL gateway or endpoint using a web browser. SSL/TLS capabilities are embedded in most web browsers.
- The traffic is encrypted with SSL/TLS
- An SSL VPN portal is a single connection to multiple services.
- The user is authenticated by an SSL VPN gateway
- The user is presented a web page
- The SSL VPN tunnel is used to access non web-based applications
VPN Comparisons:
PPTP : used when a PPP connection needs to be transmitted through an IP network
L2TP : used when a PPP connection needs to be transmitted through a non-IP network
IPSec: used for IP based traffic
HAIPE : used for high-security IPSec implementations
SSL VPN : mainly used for http traffic
PPTP: used to secure PPP on an IP network
L2TP: can be used on a non-IP network
Transport mode: Payload is encrypted
Tunnel mode: entire packet is encrypted
AH: Integrity and authentication only
ESP : integrity, authentication and confidentiality
Security Association : IPSec negotiated agreement
SSL VPN: uses client side browser
Securing Endpoints
NAC (network access control): Unified endpoint security enforcement
Proxy: Acts on behalf of endpoint
MDM(Mobile device management) : Usually includes a remote wipe feature
Malware : Code or script with malicious intent
HIDS(Host IDS): Monitors and analyses local host behaviour
Preventing and mitigating network attacks:
Opportunistic: influenced by an identified weakness
Spoofing: Impersonation
Poisoning: manipulating trusted data
MiTM: interjection between end points
Sniffing: Capturing network packets
Ransomware : class of malware
C&C: Command and control
DDos : Distributed consumption of resources
OSI Model : Seven layers of communication
TCP/IP Model: Four layers of connectivity
ARP : MAC to IP translation
IPv4: 32-bit, 4-octet ID
IPv6: 128-bit hexadecimal ID
Port : application ID
Well-known ports: 1-1023
DNSSEC: extensions to mitigate forged entries
VOIP : Transmission of voice traffic over IP
MPLS: Protocol-independent telecom support
DNP3: Process automation communications
SIP: Protocol used on VOIP networks
LER: Router used in MPLS networks
Label: Replacement for a header in MPLS
FCoE : storage area network data channel over IP
Securing wireless networks
bluejacking : Injection attack
bluesnarfing: Unauthorized access
war driving : Hacking wireless networks
ad hoc mode: peer-to-peer connectivity
WEP : Broken encryption, no integrity
WPA2 : uses 802.1x, EAP, AES, and CBC-MAC
WWAN: uses point to point microwave links
GSM & CDMA : Cellular technologies
Security testing
Brute force : Trying every possible combination
Dictionary attack : Compares two sets of hashes
Work factor : Time and effort required
Hash : One-way fixed length fingerprint
Salt: Random string appended before hashing
Reverse lookup : Technique that assumes same input
Symmetric encryption : same key used to encrypt and decrypt
HMAC : hash value that includes a secret key
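The salt and reverse-lookup entries above are easiest to see in working code. The following is an added example, not code from the original notes: it stores a password with PBKDF2-HMAC-SHA256 (Python standard library) and a per-record random salt, and shows why two users with the same password end up with unrelated records, which is what defeats a precomputed reverse-lookup table. The iteration count and salt length are illustrative assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Work-factor knob for PBKDF2-HMAC-SHA256 (constructed value for illustration;
# production deployments tune this to their hardware budget).
ITERATIONS = 100_000
SALT_BYTES = 16


def unsalted_digest(password: str) -> str:
    """Plain SHA-256 of the password: identical inputs give identical outputs,
    which is exactly what a precomputed reverse-lookup table relies on."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). A fresh random salt is drawn when none is supplied,
    so the same password stored twice yields two unrelated records."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, derived


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def salted_records_differ(password: str) -> bool:
    """Two users choosing the same password get different salts and different hashes,
    so a table built against one record says nothing about the other."""
    salt_a, hash_a = hash_password(password)
    salt_b, hash_b = hash_password(password)
    return salt_a != salt_b and hash_a != hash_b


if __name__ == "__main__":
    salt, stored = hash_password("correct horse battery staple")
    print("verify ok:", verify_password("correct horse battery staple", salt, stored))
    print("same password, different records:", salted_records_differ("hunter2"))
    print("unsalted digests equal:", unsalted_digest("hunter2") == unsalted_digest("hunter2"))
```

Storing the salt next to the derived key is expected: the salt is not a secret, its job is only to make each record unique and force the work factor to be paid per record.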
Operating and maintaining firewalls:
GeoIP : Ip address geographic location or range
Deny by default : Must be explicitly allowed
Allow by default : must be explicitly denied
Whitelist : known benign - proactively allowed
Blacklist : known malicious - proactively denied
Sanitation : Remove sensitive information
Sandbox: isolated environment
Honeypot : Decoy system
Source code security issues:
Buffer overflow : Overrun of allocated memory
Injection attack : Accepts and executes untrusted input
Covert channel: unauthorised flow of information
object reuse attack: Malicious repurpose of code
TOC/TOU : Race condition
Maintenance hook: Mechanism to bypass access controls
Fuzzing: Testing technique that uses invalid data
OAuth: Open authorisation protocol
Deciphering Ciphers and Algorithms
A cipher is a technique or set of rules that transforms cleartext (plaintext) into an unreadable form (ciphertext or cryptogram) and back to cleartext
Algorithm is a set of steps to accomplish a task
Key(Cryptovariable)
- The key dictates what parts of the algorithm will be used, in what order, and with what values
- The key is secret
- keyspace is the number of possible key combinations
  . 8-bit key = 2^8 = 256 possible keys
  . 256-bit key = 2^256 ≈ 1.1579 × 10^77 possible keys
Cipher Characteristics
1. Stream
A stream cipher encodes the bits one at a time using an XOR key stream generator (resource-intensive)
-RC4 is the most well-known stream cipher.
2. Block
- Substitution
- Transposition
Block cipher breaks the plaintext message into several blocks
- A block cipher algorithm puts the bits within these blocks through several rounds of substitution and transposition. The goal is confusion (changing values) and diffusion (changing order).
- Electronic Codebook Mode (ECB) each block is independent (doesn’t hide patterns - not suitable for long messages)
- Cipher Block Chaining Mode(CBC) includes an initialization vector and a component of the previous cipher text to leverage randomization
Block ciphers null : DES, 3DES, AES, IDEA, Blowfish, RC5, RC6, Skipjack, CAST
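To make the rounds-of-substitution-and-transposition idea and the ECB/CBC distinction concrete, here is an added example that is not part of the original notes and not any real cipher: a toy 16-byte Feistel block cipher (keyed SHA-256 as the round function, a made-up key schedule) wrapped in ECB and CBC modes. Block size, round count and key schedule are illustrative assumptions; the point is that ECB reveals which plaintext blocks repeat while CBC with a fresh IV does not.

```python
import hashlib
import secrets

BLOCK = 16      # 16-byte block, processed as two 8-byte halves
HALF = BLOCK // 2
ROUNDS = 8      # several rounds of substitution + transposition (confusion + diffusion)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_keys(key: bytes) -> list:
    """Toy key schedule (assumption): one 8-byte subkey per round from the master key."""
    return [hashlib.sha256(key + bytes([i])).digest()[:HALF] for i in range(ROUNDS)]


def f(half: bytes, subkey: bytes) -> bytes:
    """Round function: keyed substitution of one half (the 'confusion' step)."""
    return hashlib.sha256(subkey + half).digest()[:HALF]


def encrypt_block(block: bytes, key: bytes) -> bytes:
    """Feistel network: each round swaps the halves (transposition) and mixes one half
    through f into the other (substitution)."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for sk in round_keys(key):
        left, right = right, xor(left, f(right, sk))
    return right + left          # undo the final swap


def decrypt_block(block: bytes, key: bytes) -> bytes:
    """The same structure with the subkeys in reverse order inverts the cipher."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for sk in reversed(round_keys(key)):
        left, right = right, xor(left, f(right, sk))
    return right + left


def pad(data: bytes) -> bytes:
    """PKCS#7-style padding to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    return data[:-data[-1]]


def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(data: bytes, key: bytes) -> bytes:
    """ECB: every block is encrypted independently, so equal plaintext blocks
    produce equal ciphertext blocks (the pattern leak)."""
    return b"".join(encrypt_block(b, key) for b in blocks(pad(data)))


def ecb_decrypt(ct: bytes, key: bytes) -> bytes:
    return unpad(b"".join(decrypt_block(b, key) for b in blocks(ct)))


def cbc_encrypt(data: bytes, key: bytes, iv: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block (the IV for the
    first) before encryption, so repeats in the plaintext are masked. IV is prepended."""
    out, prev = [], iv
    for b in blocks(pad(data)):
        prev = encrypt_block(xor(b, prev), key)
        out.append(prev)
    return iv + b"".join(out)


def cbc_decrypt(ct: bytes, key: bytes) -> bytes:
    iv, body = ct[:BLOCK], ct[BLOCK:]
    out, prev = [], iv
    for b in blocks(body):
        out.append(xor(decrypt_block(b, key), prev))
        prev = b
    return unpad(b"".join(out))


def repeated_blocks(ct: bytes) -> int:
    """How many ciphertext blocks duplicate an earlier one."""
    bs = blocks(ct)
    return len(bs) - len(set(bs))


if __name__ == "__main__":
    key, iv = secrets.token_bytes(32), secrets.token_bytes(BLOCK)
    pt = b"ATTACKATDAWN0000" * 4       # four identical 16-byte blocks (constructed input)
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(pt, key)))             # 3
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(pt, key, iv)[BLOCK:]))  # 0
```

With four identical plaintext blocks plus one padding block, ECB yields three duplicate ciphertext blocks, which is what makes it unsuitable for anything longer than a single block; CBC's chaining hides the repetition, but only if the IV is unpredictable and never reused with the same key.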
symmetric and asymmetric encryption:
symmetric means the same key is used to encrypt and decrypt
also referred to as
- single key
- shared key
- session key(if used for a single session)
computationally efficient
key sharing is null
not scalable
Asymmetric means two different but related keys are used :
- known as a key pair
- one key is used to encrypt; the other is used to decrypt
- The keys are referred to as the private and public key
computationally intensive
smaller key sizes
null distribution system
scalable
Applying asymmetric encryption:
Since asymmetric encryption is computationally intensive, in most cases we use both symmetric and asymmetric keys (also known as hybrid encryption)
Plaintext message -> symmetric cipher [session key] -> encrypted message -> symmetric cipher [session key] -> plaintext message
But the problem here is how to share the session key between Bob and Alice. To accomplish this we use an asymmetric algorithm:
session key -> asymmetric cipher [Alice's public key] -> encrypted session key -> asymmetric cipher [Alice's private key] -> session key
Now Alice can use this session key to decrypt the original message from the first case.
Understanding hashing:
A hash is a one-way representation (fingerprint) of a string of text
- A hash function takes input of any length and creates a fixed length output
- Hash value is used to prove integrity
Hash algorithms examples
Message Digest (MDx), Secure Hash Algorithm (SHA), HAVAL, Tiger
Hash Process
Sender puts the message through a hashing algorithm and generates a message digest (hash) value ->
Sender sends the plaintext message and message digest to the receiver ->
Receiver puts the message through the same hashing algorithm and generates a message digest (hash) value ->
Receiver compares both message digests ->
If the message digests are the same, the message was not modified in transmission ->
If the message digests are different, the message was modified in transmission
Sender:
hello, this is my message + run through SHA-2 = 1HFBK2FR7
Receiver:
receiver gets the original message and the hashed output, i.e. the message digest (1HFBK2FR7)
it runs the message through the same algorithm, SHA-2, and the output should be: 1HFBK2FR7
if the outputs are the same, the message was not modified during transmission.
Hashed MAC
A hashed message authentication code (HMAC) is a hashed value that includes a symmetric key.
- An HMAC cannot be reproduced without knowing the key.
- HMAC provides integrity and data origin authentication
- HMAC is used by cryptographic protocols such as TLS and IPsec to verify the integrity of transmitted data during secure communications
HMAC process:
Sender concatenates message + secret key and puts the result through a hashing algorithm, generating an HMAC value ->
Sender appends the HMAC value to the message and sends it to the receiver ->
Receiver concatenates message + secret key and puts the result through the hashing algorithm, generating an HMAC value ->
Receiver compares both values ->
If the values are the same, the message was not modified in transmission and the origin is known
This will accomplish both integrity and confidentiality
Sender :
hello, this is my message + secret key (1234567) + run through SHA-2 = 79HVGRST
Receiver:
it gets original message and message digest output i.e. 79HVGRST
Receiver needs to have knowledge of the secret key (1234567); it is not sent by the sender
run this message and secret key through same SHA-2 algorithm, output should be same.
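The two walk-throughs above (plain hash, then HMAC) differ in one respect that is worth seeing run: a plain digest travelling with the message can be recomputed by anyone who alters the message, whereas an HMAC cannot be recomputed without the key. The following is an added example, not code from the notes; it uses Python's standard HMAC construction (nested hashing) rather than the simplified "message + key" concatenation described above, and the messages and the key 1234567 are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values (the key matches the "1234567" used in the notes' walk-through).
KEY = b"1234567"
ORIGINAL = b"hello, this is my message"
TAMPERED = b"hello, this is NOT my message"


def digest(message: bytes) -> str:
    """Plain SHA-256 message digest: integrity against accidental change only."""
    return hashlib.sha256(message).hexdigest()


def verify_digest(message: bytes, received_digest: str) -> bool:
    return hmac.compare_digest(digest(message), received_digest)


def mac(message: bytes, key: bytes) -> str:
    """HMAC-SHA256: a digest that depends on the shared secret key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(message: bytes, key: bytes, received_mac: str) -> bool:
    # Constant-time comparison so the check itself does not leak timing information.
    return hmac.compare_digest(mac(message, key), received_mac)


def plain_hash_scenario():
    """Returns (untouched ok, altered-message-with-old-digest ok, altered-with-recomputed-digest ok)."""
    sent_digest = digest(ORIGINAL)
    ok_untouched = verify_digest(ORIGINAL, sent_digest)          # True: integrity holds
    ok_flipped = verify_digest(TAMPERED, sent_digest)            # False: change detected
    ok_forged = verify_digest(TAMPERED, digest(TAMPERED))        # True: no key, so the
    return ok_untouched, ok_flipped, ok_forged                   # digest is trivially recomputed


def hmac_scenario():
    """Same three cases with an HMAC; the third now fails because the key is unknown."""
    sent_mac = mac(ORIGINAL, KEY)
    ok_untouched = verify_mac(ORIGINAL, KEY, sent_mac)           # True
    ok_flipped = verify_mac(TAMPERED, KEY, sent_mac)             # False
    forged_mac = mac(TAMPERED, b"not-the-real-key")              # recomputed without KEY
    ok_forged = verify_mac(TAMPERED, KEY, forged_mac)            # False: origin is authenticated
    return ok_untouched, ok_flipped, ok_forged


if __name__ == "__main__":
    print("plain hash:", plain_hash_scenario())   # (True, False, True)
    print("HMAC      :", hmac_scenario())         # (True, False, False)
```

The third result in each tuple is the whole point of the HMAC entry above: a plain hash proves the message matches the digest, an HMAC additionally proves that whoever produced the digest held the key.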
Digital Signatures:
A digital signature is a hash value (message digest) encrypted with the sender’s private key.
- A digital signature provides integrity and non-repudiation
Digital signatures require two algorithms:
- Hashing algorithm (e.g. SHA-x)
- Digital signature function such as RSA or DSA (Digital signature algorithm)
Digitally signed message:
Bob creates a message digest (hash value) of his message ->
The message digest is encrypted with Bob's private key ->
The encrypted message digest and plaintext message are sent to Alice ->
Alice decrypts the message digest using Bob's public key (providing non-repudiation) ->
Alice hashes the plaintext message using the same hash algorithm ->
Alice compares the two hash values for a match (proving integrity)
Integrity(not changed during transmission), Confidentiality(only authorized person can see message) and non-repudiation (can’t deny it came from you)
- A message can be hashed, which provides for integrity
- A message can be digitally signed, which provides for non-repudiation and integrity
- A message can be encrypted, which provides for confidentiality.
- A message can be encrypted and digitally signed, which provides for confidentiality, nonrepudiation and integrity.
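The three mechanisms listed above (a stream-cipher XOR key stream from the "Cipher Characteristics" section, the hybrid session-key exchange from "Applying asymmetric encryption", and the digitally signed message from this section) fit together in one Bob-to-Alice exchange, shown here as an added example that is not code from the notes. Everything in it is a teaching toy: RSA over two fixed Mersenne primes per party (far too small, and with no padding scheme), a SHA-256-in-counter-mode key stream standing in for a real stream cipher, and an 8-byte session key; the function names are assumptions of this example.

```python
import hashlib
import secrets

# Toy RSA parameters: fixed Mersenne primes, constructed for illustration only.
# 65537 is coprime to each (p-1)(q-1) below, so the private exponent exists.
ALICE_PRIMES = (2**61 - 1, 2**31 - 1)
BOB_PRIMES = (2**89 - 1, 2**61 - 1)
E = 65537


def make_keypair(p: int, q: int):
    """Return ((e, n), (d, n)): the public key and the matching private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)                # modular inverse of e (Python 3.8+)
    return (E, n), (d, n)


def keystream(key: bytes, length: int) -> bytes:
    """Toy XOR key stream (assumption): SHA-256 over key || counter, block by block."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric cipher: XOR with the key stream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def wrap_session_key(session_key: bytes, public) -> int:
    """Encrypt the session key with the recipient's public key (the asymmetric step)."""
    e, n = public
    m = int.from_bytes(session_key, "big")
    assert m < n, "toy modulus: the session key must be smaller than n"
    return pow(m, e, n)


def unwrap_session_key(wrapped: int, private, length: int) -> bytes:
    """Recover the session key with the recipient's private key."""
    d, n = private
    return pow(wrapped, d, n).to_bytes(length, "big")


def sign(message: bytes, private) -> int:
    """Digital signature: the message digest 'encrypted' with the signer's private key."""
    d, n = private
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(h, d, n)


def verify(message: bytes, signature: int, public) -> bool:
    """Recover the digest with the public key and compare it with a fresh hash."""
    e, n = public
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == h


def hybrid_exchange(message: bytes):
    """Bob -> Alice: session key wrapped under Alice's public key, message encrypted
    under the session key, digest signed under Bob's private key. Returns what Alice
    recovers and whether Bob's signature verified."""
    alice_pub, alice_priv = make_keypair(*ALICE_PRIMES)
    bob_pub, bob_priv = make_keypair(*BOB_PRIMES)
    # Bob's side
    session_key = secrets.token_bytes(8)               # 64-bit toy session key (< n)
    wrapped = wrap_session_key(session_key, alice_pub)
    ciphertext = stream_xor(session_key, message)
    signature = sign(message, bob_priv)
    # Alice's side: only (wrapped, ciphertext, signature) travelled over the wire
    recovered_key = unwrap_session_key(wrapped, alice_priv, 8)
    plaintext = stream_xor(recovered_key, ciphertext)
    return plaintext, verify(plaintext, signature, bob_pub)


if __name__ == "__main__":
    recovered, authentic = hybrid_exchange(b"hello, this is my message")
    print(recovered, "signature valid:", authentic)
```

Read `hybrid_exchange` against the list above: the symmetric step gives confidentiality, the signature gives integrity and non-repudiation, and the public-key wrap solves the "how do Bob and Alice share the session key" problem without ever sending the session key in clear.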
Deconstructing the Digital certificate lifecycle
A digital certificate is an electronic “passport” that identifies a person, device, domain, organization, or publisher (code).
- The certificate is issued by a trusted certification authority, a web of trust or self-signed.
X.509 v3 digital certificates fields
version : version of certificate
serial number : unique identifier
Signature : Algorithm used to sign the certificate
Issuer : Name of issuer
Validity: validity dates of the certificate (not before / not after)
Subject : Name of owner
Public key : Public key of named owner
Issuer Unique id : ID of certificate authority
Subject unique id : ID of subject
Obtaining a Digital Certificate:
Applicant requests a certificate from a Registration Authority (RA) ->
The RA processes the request and validates the applicant ->
The RA forwards the request to a certification authority (CA) ->
The CA requests the public key from the applicant ->
The key-pair is locally generated and the public key is sent to the CA ->
The CA creates and signs the digital certificate ->
The certificate includes the public key ->
The CA issues the digital certificate to the applicant ->
The CA maintains and, if necessary, revokes the certificate
Digital certificate Revocation:
Certificate revocation list (CRL)
- CA maintained list of certificates that have been revoked
Online certificate status Protocol (OCSP)
- Client receives certificate
- Client sends an OCSP request to an OCSP responder
- OCSP responder replies with a certificate status
Both are only enforced for extended validation (EV) certificates
Understanding Cryptographic Protocols:
Cryptographic communication protocols (rules) are designed to secure information flow
Information flow is vulnerable to
- Eavesdropping and packet capture, which is a violation of confidentiality
- Tampering, which is a violation of integrity
- Spoofing and misrepresentation, which can be a violation of authentication, integrity, and availability
Transmission Modes
Link Encryption
- All control information (header, trailers, and routing information) is encrypted along with the payload
needs dedicated communication channel between A and B
End-to-end encryption
- only the payload is encrypted
- Intermediary devices do not have encryption related functions
the communication channel in this case is public, i.e. the internet. Trailer, header and routing information are visible.
Common cryptographic Protocols:
SSL | TLS :
Use : Securing web based protocols and transmissions,
Purpose : confidentiality, Authentication, Integrity
Cryptographic components : Encryption, HMAC
HTTPS :
Use: layer SSL | TLS on top of HTTP
Purpose : confidentiality, Authentication, Integrity
Cryptographic components : Encryption, HMAC
FTPS :
Use : layer SSL | TLS on top of FTP
Purpose : confidentiality
Cryptographic components : Encryption
SSH :
Use: Secure channel between a local and a remote device (telnet replacement)
Purpose: confidentiality, Integrity
Cryptographic components : Encryption, HMAC
SFTP:
Use : Layer SSH on top of FTP
Purpose : confidentiality
Cryptographic components : Encryption
S/MIME:
Use: Secure email communications
Purpose : confidentiality, Integrity, Nonrepudiation
Cryptographic components : Encryption, HMAC
Non-IP networking Protocols:
- MPLS : operates in between L2 and L3
- DNP3 : L2 protocol
- FCoE : L2 protocol
Attacks techniques
Scanning: probing for information
Sniffing: Packet capture
Poisoning : Manipulating trusted data
Spoofing : Impersonation
Session Hijacking : Unauthorized insertion
Sniffing can happen at any layer of OSI model
Application: user id/password sniffing
Presentation: SSL/TLS session sniffing
Session:Telnet and FTP sniffing
Transport: TCP session sniffing, UDP sniffing
Network:IP, Port sniffing
Datalink :MAC/ARP sniffing
Physical:Surveillance sniffing
Poisoning:
A poisoning attack is when a trusted source of data is manipulated:
- ARP cache
- Routing table
- DNS pharming
- Website
Session Hijacking:
A session hijacking attack intercepts communication between two systems
- Man in middle (may use spoofing and/or poisoning)
- Replay Attack
Spoofing:
A spoofing attack is when an attacker impersonates (pretends to be) an address, system, or person
- MAC address
- IP address
- Domain
- Hyperlink
- Email sender
- Trusted source