Means to scramble, mix up, or change data in such a way that bad guys can’t read it. Of course, this scrambled-up data must also be easily descrambled by the person receiving the data.
Integrity
Is the process that guarantees that the data received is the same as originally sent. Integrity is designed to cover situations in which someone intercepts your data on-the-fly and makes changes.
Nonrepudiation
Means that a person cannot deny he or she took a specific action. Mike sends a message; that message can be traced back specifically to Mike.
Authentication
Means to verify that whoever is trying to access the data is the person you want accessing that data. The most classic form of authentication is the username and password combination, but there are plenty more ways to authenticate.
Authorization
Defines what an authenticated person can do with that data. Different operating systems and applications provide different schemes for authorization, but the classic scheme for Windows is to assign permissions to a user account. An administrator, for example, can do a lot more after being authenticated than a limited user can do.
TCP/IP Security
For example, you shouldn’t send a credit card number or password over the Internet without encrypting it to keep the bad guys from reading it.
Similarly, if you send someone the “secret decoder ring” she needs to unscramble the encryption, she’ll need a way to confirm that the decoder ring actually came from you.
When it comes to TCP/IP security, protocols combine encryption, integrity, nonrepudiation (sometimes), authentication, and authorization to create complete security solutions in a way that makes sense for their specific purpose.
Encryption
A packet of data on the Internet often comes with a port number encapsulated in the segment or datagram, for example, so a bad guy quickly knows what type of data he’s reading.
All data starts as cleartext, which roughly means the data hasn’t been encrypted yet. If you want to take some data and make figuring out what it means difficult for other people, you need a cipher.
A cipher is a general term for a way to encrypt data. An algorithm is the mathematical formula that underlies the cipher.
In cryptography, any data you pass through a cipher—even if it is already encrypted—is called the plaintext. When you run plaintext through a cipher algorithm using a key, you get the encrypted ciphertext.
Substitution
One of the earliest forms of cryptography used substitution, swapping letters of the alphabet for other letters of the alphabet. An example is the Caesar cipher.
Caesar ciphers are very easy to crack by using word patterns, frequency analysis, or brute force. The code “WKH” shows up twice, which means it’s the same word (word patterns). The letters W and H show up fairly often too.
Certain letters of the alphabet are used more than others, so a code-breaker can use that to help decrypt the code (frequency analysis).
Assuming that you know this is a Caesar cipher, a computer can quickly go through every different code possibility and determine the answer (brute force). Incredibly, even though it’s not as obvious, binary code also suffers from the same problem.
Substitution is used in modern computing encryption, although in a much more sophisticated way than in a Caesar cipher.
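The word-pattern and brute-force weaknesses described above, as an added Python example that is not part of the original notes. The sample ciphertext is constructed for illustration, and the assumption that the most repeated three-letter word is "THE" is a guess the code checks for consistency.

```python
from collections import Counter
from typing import Optional

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

def caesar(text: str, shift: int) -> str:
    """Shift every letter A-Z by `shift` places; leave other characters alone."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)

def brute_force(ciphertext: str) -> dict:
    """Brute force: the key space is only 26 shifts, so list every decryption."""
    return {shift: caesar(ciphertext, -shift) for shift in range(26)}

def shift_from_word_pattern(ciphertext: str, crib: str = "THE") -> Optional[int]:
    """Word pattern: guess that the most repeated word of the crib's length is the crib."""
    words = [w for w in ciphertext.upper().split()
             if len(w) == len(crib) and all(c in ALPHABET for c in w)]
    if not words:
        return None
    candidate, _count = Counter(words).most_common(1)[0]
    shifts = {(ALPHABET.index(c) - ALPHABET.index(p)) % 26
              for c, p in zip(candidate, crib)}
    # A Caesar cipher moves every letter by the same amount; anything else
    # means the guess was wrong.
    return shifts.pop() if len(shifts) == 1 else None

# Constructed sample: "THE KEY IS UNDER THE MAT" shifted by 3.
SAMPLE = "WKH NHB LV XQGHU WKH PDW"

if __name__ == "__main__":
    shift = shift_from_word_pattern(SAMPLE)
    print("shift guessed from repeated word:", shift)
    print("decrypted:", caesar(SAMPLE, -shift))
    print("candidates a brute-force pass has to read:", len(brute_force(SAMPLE)))
```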
XOR
01001101010010010100101101000101
This string may not mean much to you, but if it is part of an HTTP segment, a Web browser instantly knows that this is Unicode—that is, numbers representing letters and other characters—and converts it into text: mike
So let’s create a cipher to encrypt this cleartext. All binary encryption requires some interesting binary math. You could do something really simple such as add 1 to every value (and ignore carrying the 1): 0 + 1 = 1 and 1 + 1 = 0
10110010101101101011010010111010
Let’s try something harder to break by bringing in a second value (a key) of any eight binary numbers (let’s use 10101010 for this example) and doing some math with every sequence of eight binary values using this algorithm:
This calculation (also called an operation) is known as a bitwise XOR (eXclusive OR).
Line up the key against the first eight values in the cleartext. Then do the next eight binary values. Then the next eight. Then the final eight.
If you want to decrypt the data, you need to know the algorithm and the key. This is a very simple example of how to encrypt binary data. At first glance, you might say this is good encryption, but the math is simple, and a simple XOR is easy for someone to decrypt.
As a bitwise operation, XOR operates on each pair of corresponding bits. At this level, letters and numbers are all just binary ones and zeroes—XOR works on any data you can throw at it.
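The two ciphers walked through above, as an added Python example that is not part of the original notes. It uses the bit string and the key 10101010 from the text; the function names are hypothetical. It also shows why a simple XOR is weak: anyone who knows eight bits of cleartext can XOR them with the ciphertext and read off the key.

```python
CLEARTEXT_BITS = "01001101010010010100101101000101"  # bit string from the text
KEY_BITS = "10101010"                                # key from the text

def add_one_cipher(bits: str) -> str:
    """Add 1 to every bit and ignore the carry: 0 -> 1 and 1 -> 0."""
    return "".join("1" if b == "0" else "0" for b in bits)

def xor_bits(bits: str, key: str) -> str:
    """XOR each bit with the key, reusing the key for every group of len(key) bits."""
    if not key or set(bits + key) - {"0", "1"}:
        raise ValueError("bits and key must be non-empty strings of 0 and 1")
    return "".join(str(int(b) ^ int(key[i % len(key)])) for i, b in enumerate(bits))

def recover_key(cipher_bits: str, known_clear_bits: str, key_len: int = 8) -> str:
    """Known cleartext XOR ciphertext gives back the key, one bit at a time."""
    return xor_bits(cipher_bits[:key_len], known_clear_bits[:key_len])

if __name__ == "__main__":
    flipped = add_one_cipher(CLEARTEXT_BITS)
    cipher = xor_bits(CLEARTEXT_BITS, KEY_BITS)
    print("add-one cipher :", flipped)
    print("XOR ciphertext :", cipher)
    # XOR is its own inverse: running the same operation again decrypts.
    print("XOR decrypted  :", xor_bits(cipher, KEY_BITS))
    # The add-one cipher is just XOR with a key of all ones.
    print("same as XOR 11111111:", flipped == xor_bits(CLEARTEXT_BITS, "11111111"))
    print("key recovered from 8 known bits:", recover_key(cipher, CLEARTEXT_BITS))
```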
Encryption
Any encryption that uses the same key for both encryption and decryption is called symmetric-key encryption or a symmetric-key algorithm. If you want someone to decrypt what you encrypt, you have to make sure they have some tool that can handle the algorithm and you have to give them the key.
Any encryption that uses different keys for encryption and decryption is called asymmetric-key encryption or an asymmetric-key algorithm.
Symmetric-Key Encryption
Symmetric-key algorithms are either block ciphers or stream ciphers.
Block ciphers, which encrypt data in single “chunks” of a certain length at a time, are the most common. Let’s say you want to encrypt a 100,000-byte Microsoft Word document.
An approach that uses a block cipher would take the file, split it into 128-bit chunks, and encrypt each one separately.
Advanced Encryption Standard (AES), the most-common block cipher, uses a 128-bit block size and 128-, 192-, or 256-bit key size.
AES is incredibly secure, practically uncrackable, and so fast even applications that traditionally used stream ciphers are switching to AES.
The alternative to a block cipher is the much quicker stream cipher, which takes a single bit at a time and encrypts on-the-fly.
Stream ciphers used to be very popular for data that comes in long streams (such as with older wireless networks or cell phones), but they’ve been largely displaced by block ciphers (with the help of faster hardware) and are rare in the wild.
Asymmetric-Key Cryptography
Symmetric-key encryption has one serious weakness: anyone who gets a hold of the key can encrypt or decrypt data with it.
The nature of symmetric-key encryption forces us to send the key to the other person in one way or another, making it a challenge to use symmetric-key encryption safely by itself.
The answer is to bundle the symmetric key up inside another encrypted message via an asymmetric-key algorithm that uses two different keys—one to encrypt and one to decrypt.
Here is how public-key cryptography—the primary asymmetric implementation—works. Imagine two people, Bob and Alice, want to exchange Alice’s symmetric key.
Before Alice can send her symmetric key to Bob, Bob first generates two keys. Bob keeps one of these keys (the private key) on his computer, and sends the other key (the public key) to Alice.
These two keys—called a key pair—are generated at the same time and are designed to work together. Data encrypted with the public key, for example, must be decrypted with the private key, and vice versa.
Alice encrypts her symmetric key with Bob’s public key, enabling her to send it to Bob securely for him to decrypt with his private key.
Now that Bob and Alice have the same symmetric key, they can establish a connection and exchange encrypted data using symmetric encryption.
Some asymmetric cryptographic algorithms you will see these days are RSA (for its creators—Rivest, Shamir, and Adleman), DSA (Digital Signature Algorithm), and ECDSA (Elliptic Curve DSA).
Encryption and the OSI Model
Layer 1: Encryption is not common at this layer, until you get to some of the bigger WAN technologies, like SONET.
Layer 2: Encryption is not common at this layer.
Layer 3: Only one common protocol encrypts at Layer 3: IPsec. IPsec is typically implemented via software that encrypts the IP packet. A new outer packet completely encapsulates and encrypts the inner packet.
Layer 4: Neither TCP nor UDP offers any encryption methods, so nothing happens security-wise at Layer 4.
Layers 5, 6, and 7: Important encryption standards (such as TLS used in e-commerce) happen within these layers, but they don’t fit cleanly into the OSI model.
Hash
In computer security, a hash (or more accurately, a cryptographic hash function) is a mathematical function that you run on a string of binary digits of any length that results in a value of some fixed length (often called a checksum or a message digest).
No matter how long or how short the input, the hash’s message digest will always be the same length (usually around 100 to 500 bits long, depending on the type of hash used).
A cryptographic hash function is a one-way function. One-way means the hash is irreversible in that you cannot recreate the original data from the hash, even if you know the hashing algorithm and the checksum.
A cryptographic hash function should also have a unique message digest for any two different input streams.
Cryptographic hash functions have a huge number of uses, but a common one is for verifying file integrity. If you download a file from a reputable source, there are two main threats to its integrity: accidental damage caused by networking/storage issues, and tampering by an attack that has compromised the site or your connection.
When the download provider hashes the contents of the file—called file hashing—and publishes the resulting message digest, you can hash the copy downloaded and compare the digests to verify the file on your system is most likely identical.
Operating systems and applications store hashes of passwords. It’s not a good idea to store plaintext passwords, and encrypting a password always leaves a chance that a bad actor can find the key and decrypt it.
When a user creates a password, the operating system hashes the password and only stores the hash.
From then on, when anyone provides a password, the operating system just hashes the value entered and compares the hash to the stored hash. If they match, the password is correct.
The main way to recover (or crack) a hashed password is to guess a password, hash it, and see if the hash matches.
Attackers speed this up by saving each guess and hash and looking up hashes they find to see if they already know the answer.
Operating systems (especially old ones, or ones using legacy compatibility settings) may use hashes that are much easier to reverse.
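Password storage and checking as described above, as an added Python example that is not part of the original notes. It goes one step beyond the text: a plain hash gives every user with the same password the same stored value, which is what makes saved guess-and-hash lookups pay off, so the second scheme adds a random per-user salt and a deliberately slow hash (PBKDF2). The iteration count and record layout are assumptions for this example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed work factor for this example; tune for your hardware

def plain_hash(password: str) -> str:
    """Plain hash as in the text: the same password always gives the same value."""
    return hashlib.sha256(password.encode()).hexdigest()

def create_record(password: str) -> tuple:
    """Return (salt, iterations, digest); the password itself is never stored."""
    salt = secrets.token_bytes(16)  # fresh random salt for every account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, ITERATIONS, digest

def check_password(attempt: str, record: tuple) -> bool:
    """Hash the attempt with the stored salt and compare it to the stored digest."""
    salt, iterations, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, iterations)
    # compare_digest takes the same time whether or not the values match
    return hmac.compare_digest(candidate, stored)

if __name__ == "__main__":
    # Constructed sample accounts that happen to share a password.
    print("plain hashes identical :", plain_hash("correct horse") == plain_hash("correct horse"))
    alice, bob = create_record("correct horse"), create_record("correct horse")
    print("salted digests identical:", alice[2] == bob[2])
    print("right password accepted :", check_password("correct horse", alice))
    print("wrong password accepted :", check_password("Correct horse", alice))
```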
Hash Algorithms
The first commonly used hash algorithm was called Message-Digest Algorithm version 5—best known as MD5. MD5 was introduced in 1991, creating a 128-bit message digest.
These days, Secure Hash Algorithm (SHA) is the primary family of cryptographic hash functions. It includes SHA-1, SHA-2, and SHA-3. SHA-1 produces a 160-bit message digest. SHA-2 has six variants:
SHA-224: SHA-2 with a 224-bit message digest
SHA-256: SHA-2 with a 256-bit message digest
SHA-384: SHA-2 with a 384-bit message digest
SHA-512: SHA-2 with a 512-bit message digest
SHA-512/224: SHA-2 with a 512-bit message digest truncated to 224 bits
SHA-512/256: SHA-2 with a 512-bit message digest truncated to 256 bits
One thing to keep in mind about cryptographic functions is that we err on the side of caution. Once someone demonstrates a practical attack against an algorithm, recommendations shift quickly to newer functions with improved security.
Still, existing uses of the old functions can linger for a long time. As the result of a number of attacks, MD5 and SHA-1 have both ended up on this list of hash functions that are no longer recommended as safe. Don’t use them in the real world.
SHA-2 is the most popular set of cryptographic hash functions used and SHA-2 continues to resist any attacks. The SHA-256 variant is used all over the place, such as in TLS, SSH, IPsec, even Bitcoin.
NIST adopted a new family of hash algorithms called SHA-3. Like SHA-2, SHA-3 comes in six variants, each with a different message digest length.
SHA-3 variants include SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, and SHAKE256. SHA-3 is not widely used yet.
Non-Repudiation
In network security, nonrepudiation is typically enabled by a combination of encryption and hashing called a digital signature.
Digital signatures—much like the signatures put on contracts and other legal documents—play a role in bringing nonrepudiation to IT contexts where older approaches like physical signatures aren’t practical.
Digital Signatures
To create a digital signature, the sender hashes a message (or part of one) and then encrypts the hash with their private key.
The receiver decrypts the signature with the sender’s public key and computes the hash of the message itself. If the hash the receiver computes matches the one inside the digital signature, all is well.
The sender can’t deny sending the signed message, because the computed hash matches the hash decrypted with their public key—the signature could only have been encrypted with the sender’s private key.
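The key-pair behavior from the Bob and Alice exchange and the sign-and-verify steps above, as an added Python example that is not part of the original notes. It uses unpadded "textbook" RSA with a constructed toy key pair so the arithmetic is visible; real systems use a vetted library and a padding scheme. All function names are hypothetical.

```python
import hashlib
import secrets

# Constructed toy key pair (assumption): two Mersenne primes keep the numbers
# easy to write down but are NOT safe key material.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q                           # modulus, part of both keys
E = 65537                           # public exponent  -> public key is (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent -> private key is (N, D)

def public_op(value: int) -> int:
    """What anyone holding the public key can compute."""
    return pow(value, E, N)

def private_op(value: int) -> int:
    """What only the holder of the private key can compute."""
    return pow(value, D, N)

def wrap_key(symmetric_key: bytes) -> int:
    """Alice encrypts her symmetric key with Bob's public key."""
    return public_op(int.from_bytes(symmetric_key, "big"))

def unwrap_key(wrapped: int, length: int) -> bytes:
    """Bob decrypts it with his private key."""
    return private_op(wrapped).to_bytes(length, "big")

def digest_as_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes) -> int:
    """Sender hashes the message, then encrypts the hash with the private key."""
    return private_op(digest_as_int(message))

def verify(message: bytes, signature: int) -> bool:
    """Receiver decrypts the signature with the public key and compares hashes."""
    return public_op(signature) == digest_as_int(message)

if __name__ == "__main__":
    key = secrets.token_bytes(16)            # constructed 128-bit symmetric key
    print("key survives wrap/unwrap:", unwrap_key(wrap_key(key), 16) == key)
    message = b"Pay Bob 10 dollars"          # constructed sample message
    signature = sign(message)
    print("original verifies :", verify(message, signature))
    print("tampered verifies :", verify(b"Pay Bob 1000 dollars", signature))
```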
PKI: Certificates
A certificate is a standardized type of file that includes a public key, some information about the certificate, and the digital signature of a trusted third party—a person or a company that vouches for the identity of whoever requested the certificate.
The information about the certificate includes goodies like the exact date and time, who is issuing it, who they’re issuing it to, when it will expire, and so on.
A company called DigiCert issued this certificate. That’s great, but how does your computer check all this? DigiCert is a certificate authority (CA). Every Web browser keeps a list of CA certificates that it checks against when it receives a digital certificate.
When an organization wants to create a secure Web site, the organization buys a certificate signed by a certificate authority, such as DigiCert. DigiCert acts as the root, and the new Web site’s certificate contains DigiCert’s signature.
In most situations, DigiCert doesn’t directly sign these certificates with its root certificate—it keeps that under lock and key (we hope).
Instead, they’ll use an intermediate certificate, which they’ve signed with their own root certificate, to sign the buyer’s certificate.
This creates a tree of certificate authorization, with the root certificate authorities at the top and issued certificates at the bottom.
You can also have additional intermediate certificate authorities, although these are not as heavily used.
A CA that directly issues certificates to organizations or devices is also sometimes called an issuing certificate authority.
Together, this hierarchy is called a public-key infrastructure (PKI).
You don’t have to use PKI to use certificates. First, you can create and self-sign your own certificates.
These are perfectly fine for lower-security situations (such as e-mail among friends), but don’t expect anyone to buy products on a Web site or send highly sensitive e-mail without a signed certificate from a well-known certificate authority like Sectigo, DigiCert, or Let’s Encrypt.
Digital certificates and asymmetric cryptography are closely linked because digital certificates verify the ownership of public keys.
Authentication
The first exposure to authentication for most users is local authentication: a login screen prompting you to enter a username and password to log into a Windows or macOS computer.
Passwords create as many problems as they solve—especially the problems of how to store, transfer, and verify passwords securely. Because of these problems, passwords get compromised all the time.
Some second forms of authentication include items you carry (like a smart card) or something physical that uniquely identifies you (such as your retinal patterns or fingerprints—biometrics).
Multifactor authentication (MFA) means using two or more distinctly different methods for authentication. The factors are:
Something you know
Something you have
Something you are
Something you know (a knowledge factor) is a username, a password, a passphrase, or a personal identification number (PIN). Something you have (a possession factor) is an object, like a key fob you scan to get into your gym at night. Something you are (an inherent or inherence factor) indicates some distinguishing, unique characteristic, like the biometrics just mentioned.
Authorization
At a high level, networking exists to enable one computer to request something from another computer. A Web client, for example, might ask for a Web page.
A computer far away might ask another computer for access to a private network. Whatever the scenario, you should carefully assign levels of access to your resources.
This is authorization and an essential part of network hardening techniques. To help define how to assign levels of access, you use an access control list.
Network access control (NAC) defines a newer series of protection applications that combine the features of what traditionally was done by separate applications.
A NAC application usually prevents computers lacking anti-malware and patches from accessing the network. NACs also create policies (their own policies, not Windows policies) that define what individual systems can do on the network, including network access, segregation of portions of the network, etc.
An access control list (ACL) is a clearly defined list of permissions that specifies what an authenticated user may perform on a shared resource.
To help you to understand these changes, the security industry likes to use the idea of ACL access models. There are three types of ACL access models: mandatory, discretionary, and role based.