Certified Information Systems Security Professional (CISSP)

Applying cryptography

encryption for confidentiality

hashed for integrity

digitally signed certificates for authentication

digital signatures can be used to ensure non-repudiation

(Nonrepudiation is the assurance that someone cannot deny something.)

cryptography : Science of secret writing

Authentication: Proves idenitiy

nonrepudiation: Proves sender

Cipher: cryptographic set of rules or technique

Ciphertext: transformed plaintext to unreadable form

Algorithm: Complex mathematical cipher

Key: crypto variable used with an algorithm

Keyspace: Number of possible key combinations

Encryption types:

Substitution : Replacing characters or bits

Transposition : Moving characters or bits

key stream: One bit at a time XOR function

Confusion: multiple rounds of substitution

Diffusion : multiple rounds of transposition

3 DES :  uses data encryption algorithm and 48 rounds

AES : used Rijndael and 3 key size options

DES: 16 round block symmetric algorithm

Keys:

symmetric : single shared key

asymmetric: key pair

session key : specific instance of symmetric key

ECC, RSA,EIGamel :asymmetric algorithm

AES,3DES,IDEA : symmetric key standard and algorithms

PKI:

Registration authority: manages digital certificates

Certificate authority: Issues and revoke digital certificates

Digital certificate: Identifier with embedded public key

X.509: ISO PKI standard framework

Public key: key that is distributed

Private key: key that is kept secure

CRL: certificate revocation list

OCSP: certificate revocation protocol

Hashing: Producing a one-way representation

Message digest: output of a hash function

SHA-x : NSA developed hash algorithm

HMAC: hash output with a symmetric key

Digital SIgnature: Digest encrypt its private key

DSA: Digital signature algorithm

Nonrepudiation: Proves sender

Salt: A rehash value added to a database

Link encryption: Payload + header encryption

End-to-end encryption: payload only encryption

IPsec: de facto vpn protocol

SSL/TLS: application layer cryptographic protocol

HTTPS: hyper text transfer protocol + SSL/TLS

SSH: used for secure remote authentication

SFTP : used for secure file transfer

S/MIME: use for secure email

Side channel attack: Measure execution time or power

brute force attack: Exhausting all possibilities

frequency analysis: looking for patterns

collision: Different input results in same hash values

birthday attack: Exploits probability to produce collisions

MiTM : Interception and modification

Replay: Capture and re-transmit

Crypto-retirement : DES (End of life)

SSL/TLS

SSL/TLS protocol is a set of rules governing client and server authentication and encrypted communications.

SSL/TLS requires the server to have a SSL digital certificate:

• The server authenticates itself to the client and provides its public keys (used to encrypt the session key)
• The client and server uses symmetric-key encryption to encryption the information exchanged in the session.
• The server may be optionally configured to require client-side authentication before an encrypted session can be established.

Secure Shell

Secure Shell (SSH) is a cross-platform cryptographic protocol that establishes a secure connection between an SSH server and an SSH client supporting asymmetric authentication, message authentication code and symmetric encryption.

SSH is used to administer systems remotely, provide a command shell on a remote network or tunnel other protocols.

• ssh is a replacement for cleartext telnet, login, rsh, and rsync
• SFTP is a file transfer protocol that uses SSH to transfer files.

Internet Protocol Security (IPsec):

Ipsec is a suite of protocols that used cryptographic security services to protect communications over internal protocol (IP) networks.

• Ipsec supports:
• network-level peer authentication
• data origin authentication
• data integrity
• data confidentiality(encryption)
• replay protection

Eavesdropping : violation of confidentiality

Tampering: violation of integrity

Spoofing: violation of authenticity

SSL/TLS : Secure client-server communication

SSH : secure telnet replacement

S/MIME: Used to digitally sign email

Encryption: used to ensure confidentiality

Digital Signatures : MD encrypted with private key

NAT :

NAT is a stateful process used by the firewall to change the source IP address of outgoing packets.

NAT can be used to:

• Anonymize(hide) internal address
• Transform non routable ip address to routable addresses
• Extend IPv4 address space

NAT mapping can be static, dynamic or PAT

Honeypots and Honeynets:

Honeypots are decoy(luring) servers or systems set up to gather information regarding attacks or intrusions.

• Honeypots work by fooling attackers into believing it is a legitimate system.
• Attackers attack the system without knowing that they are being observed covertly. 
• Honeypots can be set up inside, outside, or in the DMZ of a firewall

Honeynets are the networks of Honeypots

DMZ: Semi-trusted network segment

Enclave network: Segment within a trusted network

Honeypot: research decoy

Firewall: Enforces security policies

IDS/IPS: detective and corrective control

NAT: used to translate internal ip address

False positive: normal identified as abnormal

Proxy: Acting on behalf of 

Securing multimedia collaboration:

IP telephony: Telecommunications services using IP

SIP: use MD5, TLS, and privacy extensions

RTP: requests redelivery of VOIP packets

Codec: conversion of audio/video to digital frames

H.323 : First widely adopted VOIP protocol

SIP redirect server : Facilities SIP device portability

SIP registrar server : facilities SIP user portability

CDN: High performance content distribution

Securing virtual private networks:

VPN technologies includes:

• Point to point tunnelling protocol (PPTP)
• Layer 2 tunneling protocol (L2TP)
• Internet protocol security (IPsec)
• Secure Socket layer (SSL)

Ipsec Modes:

Ipsec can be implemented in two modes:

• Transport mode is used for end-to-end protection between client and server
• The IP payload is encrypted
• Transport is the default mode of Ipsec
• Tunnel mode is used between server-server, server-gateway, or gateway-gateway (two direct endpoints)
• The entire packet is encrypted

Ipsec components :

AH : Integrity, Origin Authentication, Replay Attack protection (HAMC)

ESP : Integrity, Origin Authentication, Replay Attack protection and Confidentiality (HMAC & Symmetric encryption)

IKE : Device authentication and establishing security association

SA : A negotiation that includes the algorithms that will be used (hashing and encryption), key length, and key information

SPI : Security association identifier

Ipsec uses AH and ESP

Ipsec Key Exchange:

Phase 1 : device authentication

Phase 2 : establish secure tunnel

Ipsec security Parameter Index (SPI)

• Security associations are identified by a security parameter index (SPI)
• Two separate SAs are established for each direction of data communication

Ipsec Security Filters

Ipsec filters can be used to filter (allow, restrict, and secure) traffic by source IP, destination IP, protocol, source port and destination port

SSL VPN

ssl vpn communicates at the OSI transport and session layer

• A user connects to an SSL gateway or endpoint using a web browser. SSL/TLS capabilities are embedded in most of web browsers.
• The traffic is encrypted with SSL/TLS
• An SSL VPN portal is a single connection to multiple services.
• The user is authenticated by a SSL VPN gateway
• The user is presented a web page
• The SSL VPN tunnel is used to access non web-based applications

VPN Comparisons:

PPTP : used when a PPP connection needs to be transmitted through a IP network

L2TP : used when a PPP connection needs to be transmitted through a non-IP network

IPSec: used for IP based traffic

HAIPE : used for high-security IPSec implementations

SSL VPN : mainly used for http traffic

PPTP: used to secure PPP on a IP network

L2TP: can be used on a non-IP network

Transport mode: Payload is encrypted

Tunnel mode: entire packet is encrypted

AH: Integrity and authentication only

ESP : integrity, authentication and confidentiality

Security Association : IPSec negotiated agreement

SSL VPN: uses client side browser

Securing Endpoints

NAC (network access control): Unified endpoint security enforcement

Proxy: Acts on behalf of endpoint

MDM(Mobile device management) : Usually includes a remote wipe feature

Malware : Code or script with malicious intent

HIDS(Host IDS): Monitors and analyses local host behaviour

Preventing and mitigating network attacks:

Opportunistic: influenced by an identified weakness

Spoofing: Impersonation

Poisoning: manipulating trusted data

MiTM: interjection between end points

Sniffing: Capturing network packets

Ransomware : class of malware

C&C: Command and control

DDos : Distributed consumption of resources

OSI Model : Seven layers of communication

TCP/IP Model: Four layers of connectivity

ARP : MAC to IP translation

IPv4: 32bit 4 octet ID

IPv6: 128-bit hexadecimal ID

Port : application ID

Well-known ports: 1-1023

DNSSEC: extensions to mitigate forged entries

VOIP : Transmission of voice traffic over IP

MPLS: Protocol-independent telecom support

DNP3: Process automation communications

SIP: Protocol used on VOIP networks

LER: Router used in a MPLS networks

Label: Replacement for a header in MPLS

FCoE : storage area network data channel over IP

Securing wireless networks

bluejacking : Injection attack

bluesnarfing: Unauthorized access

war driving : Hacking wireless networks

ad hoc mode: peer-to-pper connectivity

WEP : Broken encryption, no integrity

WPA2 : uses 802.1x, EAP, AES, and CBC-MAC

WWAN: uses point to point microwave links

GSM & CDMA : Cellular technologies

Security testing

Brute force : Trying every possible combination

Dictionary attack : Compares two sets of hashes

Work factor : Time and effort required

Hash : One-way fixed length fingerprint

Salt: Random string appended before hashing

Reverse lookup : Technique that assumes same input

Symmetric encryption : same key used to encrypt and decrypt

HMAC : hash value that includes a secret key

Operating and maintaining firewalls:

GeoIP : Ip address geographic location or range

Deny by default : Must be explicitly allowed

Allow by default : must be explicitly denied

Whitelist : known benign - proactively allowed

Blacklist : known malicious - proactively denied

Sanitation : Remove sensitive information

Sandbox: isolated environment

Honeypot : Decoy system

Source code security issues:

Buffer overflow : Overrun of allocated memory

Injection attack : Accepts and executes untrusted input

Convert channel: unauthorised flow of information

object reuse attack: Malicious repurpose of code

TOC|TOU : Race condition

Maintenance hook: Mechanism to bypass access controls

Fuzzing: Testing technique that uses invalid data

OAuth: Open authorisation protocol

Deciphering Ciphers and Algorithms

Cipher is a technique or set of rules that transforms cleartext(plaintext) into an unreadable form(cipher text or cryptogram) and back to cleartext

Algorithm is a set of steps to accomplish a task

Key(Cryptovariable)

- The key dictates what parts of the algorithm will be used, in what order, and with what values

- The key is secret

- keyspace is the number of possible key combinations

. 8 bit = 2*8 = 256 possible keys

. 256bit = 2*256 = 1.1.578*1077 possible keys

Cipher Characteristics

1. Stream

Stream cipher encodes the bits one at a time using a XOR key stream generator(resource-intensive)

-RC4 is the most well-known stream cipher.

2. Block 

- Substitution

- Transposition

Block cipher breaks the plaintext message into several blocks

- A block cipher algorithm puts the bits within these blocks through several rounds of substitution and transposition. The goal is confusion(changing values) and diffusion(changing order.

- Electronic Codebook Mode (ECB) each block is independent (doesn’t hide patterns - not suitable for long messages)

- Cipher Block Chaining Mode(CBC) includes an initialization vector and a component of the previous cipher text to leverage randomization

Block ciphers null : DES, 3DES, AES, IDEA, Blowfish, RC5, RC6, Skipjack, CAST

symmetric and asymmetric encryption:

symmetric means the same key is used to encrypt and decrypt

also referred as 

- single key

- shared key

- session key(if used for a single session)

computationally efficient

key sharing is null

not scalable 

Asymmetric means two different but related keys are used :

- known as key-pair

- one key is used for encrypt; the other is used to decrypt

- The keys are referred as a private and public key

computationally intensive

smaller key sizes

null distribution system

scalable

Applying asymmetric encryption:

Since it is computationally intensive, in most cases we use both symmetric and asymmetric keys (also known as hybrid)

Plaintext message  - > symmetric cipher [session key] -> encrypted message - > symmetric cipher [session key] -> plaintext message

but the problem here is how to share session key between Bob and Alice. To accomplish this we use asymmetric algorithm

session key - > Asymmetric Cipher + Alice

now Alice can use this session key to decrypt original message in first case.

Understanding hashing:

A hash is a one-way representation (fingerprint) of a string of text

- A hash function takes input of any length and creates a fixed length output

- Hash value is used to prove integrity

Hash algorithms examples

Message Digest (Mdx), Secure hash algorithm (SHA), Havel, Tiger

Hash Process

sender puts message through  a hashing algorithm and generates a message digest (hash) value -> sender sends plain text message and message digest to receiver - > receiver puts message through a hashing algorithm and generates a message digest(hash) value -> Receiver compares both message digests -> if the message digests are the same - the message was not modified in transmission - > if the message digest are different - the message was modified in transmission

sender 

hello, this is my message + run thorough SHA-2 = 1HFBK2FR7

Receiver :

receiver gets original message and hashed output ie message digest (1HFBK2FR7)

it runs through same algorithm SHA-2 and output should be : 1HFBK2FR7

if outputs are same, message is not modified during transmission.

Hashed MAC

A hashed message authentication code(HMAC) is hashed value that includes a symmetric key.

- An HAMC cannot be reproduce without knowing the key.

- HAMC provides integrity and data origin authentication

- HMAC is used by cryptographic protocols such as the TLS and IPsec to verify the integrity of transmitted data during secure communications

HMAC process:

Sender concatenates message + secret key and puts the results through a hashing algorithm and generates a HMAC value ->Sender appends the HAMC value to the message and sends it to the receiver -> Receiver concatenates messages + secret key and puts a results through a hashing algorithm and generates a HMAC value -> Receiver compares both values -> if the values are the same then the message was not modified in transmission and the origin is known

This will accomplish both integrity and confidentiality

Sender :

hello, this is my message + secret key (1234567) + run through SHA-2 = 79HVGRST

Receiver:

it gets original message and message digest output i.e. 79HVGRST

Receiver needs to have knowledge of secret key (1234567) it is not send by sender

run this message and secret key through same SHA-2 algorithm, output should be same.

Digital Signatures:

A digital signature is a hash value (message digest) encrypted with the sender’s private key.

- A digital signature provides integrity and non-repudiation

Digital signatures require two algorithms:

- Hashing algorithm (e.g. SHA-x)

- Digital signature function such as RSA or DSA (Digital signature algorithm)

Digitally signed message:

Bob creates a message digest(hash value) of his message -> The message digest is encrypted with Bob’s private key -> The encrypted message digest and plaintext message are sent to Alice -> Alice decrypts the message digest using Bob’s public key (providing non-repudiation) -> Alice hashes the plaintext message using the same hash algorithm -> Alice compares the two hash values for a match (proving integrity)

Integrity(not changed during transmission), Confidentiality(only authorized person can see message) and non-repudiation (can’t deny it came from you)

- A message can be hashed, which provides for integrity

- A message can be digitally signed, which provides for non-repudiation and integrity

- A message can be encrypted, which provides for confidentiality.

- A message can be encrypted and digitally signed, which provides for confidentiality, nonrepudiation and integrity.

Deconstructing the Digital certificate lifecycle

A digital certificate is an electronic “passport” that identifies a person, device, domain. organization, or publisher (code).

- The certificate is issued by a trusted certification authority, a web of trust or self-signed.

X.509 v3 digital certificates fields

version : version of certificate

serial number : unique identifier

Signature : Algorithm used to sign the certificate

Issuer : Name of issuer

Validity: valid data of cert

Subject : Name of owner

Public key : Public  key of named owner

Issuer Unique id : ID of certificate authority

Subject unique id : ID of subject

Obtaining a Digital Certificate:

Applicant requests a certificate from a Registration Authority (RA) ->

The RA process the request and validates the applicant ->

The RA forward the request to a certification Authority (CA) ->

The CA requests the public key from the applicant ->

The key-pair is locally generated and the public key is sent to the CA ->

The CA creates and signs the digital certificate -> 

The certificate includes the public key ->

The CA issues the digital certificate to the applicant ->

The CA maintains and, if necessary, revokes the certificate

Digital certificate Revocation:

Certificate revocation list (CRL)

- CA maintained list of certificates that have been revoked

Online certificate status Protocol (OCSP)

- Client receives certificate

- Client sends OCSP request to a OCSP responder

- OCSP responder replies with a certificate status

Both are only enforced for extended validation (EV) certificates

Understanding Cryptographic Protocols:

Cryptographic communication protocols (rules) are designed to secure information flow

Information flow is vulnerable to 

- Eavesdropping and packet capture, which is a violation of confidentiality

- Tampering which is violation of intergrity

- Spoofing and misrepresentation, which can be a violation of authentication, integrity, and availability

Transmission Modes

Link Encryption

- All control information (header, trailers, and routing information) is encrypted along with the payload

needs dedicated communication channel between A and B

End-to-end encryption

- only the payload is encrypted

- Intermediary devices do not have encryption related functions

communication channel in this case is public i.e. internet. Trailer, header and routing information is visible.

Common cryptographic Protocols:

SSL | TLS : 

Use : Securing web based protocols and transmissions,

Purpose : confidentiality, Authentication, Integrity

Cryptographic components : Encryption, HAMC

HTTPS : 

Use: layer SSL | TLS on top of HTTP

Purpose : confidentiality, Authentication, Integrity

Cryptographic components : Encryption, HAMC

FTPS : 

Use : layer SSL | TLS on top of FTP

Purpose : confidentiality

Cryptographic components : Encryption

SSH : 

Use:  Secure channel between a local an remote device (telnet replacement)

Purpose: confidentiality, Integrity

Cryptographic components : Encryption, HAMC

SFTP: 

Use : Layer SSH on top of FTP

Purpose : confidentiality

Cryptographic components : Encryption

S/MIME: 

Use: Secure email communications

Purpose : confidentiality, Integrity, Nonrepudiation

Cryptographic components : Encryption, HAMC

Non-IP networking Protocols:

- MPLS : operates in between L2 and L3

- DNP3 : L2 protocol

- FCoE  : L2 protocol 

Attacks techniques

Scanning: probing for information

Sniffing: Packet capture

Poisoning : Manipulating trusted data

Spoofing : Impersonation

Session Hijacking : Unauthorized insertion

Sniffing can happen at any layer of OSI model

Application: user id/password sniffing

Presentation: SSL/TLS session sniffing

Session:Telnet and FTP sniffing

Transport: TCP session sniffing, UDP sniffing

Network:IP, Port sniffing

Datalink :MAC/ARP sniffing

Physical:Surveillance sniffing

Poisoning:

A poisining attack is when a trusted source of data is manipulated:

- ARP cache

- Routing table

- DNS pharming

- Website

Session Hijacking:

A session hijacking attack intercepts communication between two systems

- Man in middle (may use spoofing and/or poisoning)

- Replay Attack

Spoofing:

A spoofing attack is when an attacker impersonates(pretend to be) an address, system, or person

- MAC address

- IP address

- Domain

- Hyperlink

- Email sender

- Trusted source