Security

Cards (186)

  • Encryption
    • Means to scramble, mix up, or change data in such a way that bad guys can’t read it. Of course, this scrambled-up data must also be easily descrambled by the person receiving the data
  • Integrity
    • Is the process that guarantees that the data received is the same as originally sent. Integrity is designed to cover situations in which someone intercepts your data on-the-fly and makes changes.
  • Nonrepudiation
    • Means that a person cannot deny he or she took a specific action. Mike sends a message; that message can be traced back specifically to Mike.
  • Authentication
    • Means to verify that whoever is trying to access the data is the person you want accessing that data. The most classic form of authentication is the username and password combination, but there are plenty more ways to authenticate.
  • Authorization
    • Defines what an authenticated person can do with that data. Different operating systems and applications provide different schemes for authorization, but the classic scheme for Windows is to assign permissions to a user account. An administrator, for example, can do a lot more after being authenticated than a limited user can do.
  • TCP/IP Security
    • For example, you shouldn’t send a credit card number or password over the Internet without encrypting it to keep the bad guys from reading it.
    • Similarly, if you send someone the “secret decoder ring” she needs to unscramble the encryption, she’ll need a way to confirm that the decoder ring actually came from you.
    • When it comes to TCP/IP security, protocols combine encryption, integrity, nonrepudiation (sometimes), authentication, and authorization to create complete security solutions in a way that makes sense for their specific purpose.
  • Encryption
    • A packet of data on the Internet often comes with a port number encapsulated in the segment or datagram, for example, so a bad guy quickly knows what type of data he’s reading.
    • All data starts as cleartext, which roughly means the data hasn’t been encrypted yet. If you want to take some data and make figuring out what it means difficult for other people, you need a cipher.
  • Encryption
    • A cipher is a general term for a way to encrypt data. An algorithm is the mathematical formula that underlies the cipher.
    • In cryptography, any data you pass through a cipher—even if it is already encrypted—is called the plaintext. When you run plaintext through a cipher algorithm using a key, you get the encrypted ciphertext.
  • Substitution
    • One of the earliest forms of cryptography used substitution, swapping letters of the alphabet for other letters of the alphabet. E.g. Caesar Cipher
    • Caesar ciphers are very easy to crack by using word patterns, frequency analysis, or brute force. The code “WKH” shows up twice, which means it’s the same word (word patterns). The letters W and H show up fairly often too.
    • Certain letters of the alphabet are used more than others, so a code-breaker can use that to help decrypt the code (frequency analysis).
  • Substitution
    • Assuming that you know this is a Caesar cipher, a computer can quickly go through every different code possibility and determine the answer (brute force). Incredibly, even though it’s not as obvious, binary code also suffers from the same problem.
    • Substitution is used in modern computing encryption, although in a much more sophisticated way than in a Caesar cipher.
  • XOR
    • 01001101010010010100101101000101
    • This string may not mean much to you, but if it is part of an HTTP segment, a Web browser instantly knows that this is Unicode—that is, numbers representing letters and other characters—and converts it into text: mike
    • So let’s create a cipher to encrypt this cleartext. All binary encryption requires some interesting binary math. You could do something really simple such as add 1 to every value (and ignore carrying the 1): 0 + 1 = 1 and 1 + 1 = 0
    • 10110010101101101011010010111010
  • XOR
    • Let’s try something harder to break by bringing in a second value (a key) of any eight binary numbers (let’s use 10101010 for this example) and doing some math with every sequence of eight binary values using this algorithm:
    • This calculation (also called an operation) is known as a bitwise XOR (eXclusive OR).
    • Line up the key against the first eight values in the cleartext
  • XOR
    • Then do the next eight binary values. Then the next eight. Then the final eight
    • If you want to decrypt the data, you need to know the algorithm and the key. This is a very simple example of how to encrypt binary data. At first glance, you might say this is good encryption, but the math is simple, and a simple XOR is easy for someone to decrypt.
    • As a bitwise operation, XOR operates on each pair of corresponding bits. At this level, letters and numbers are all just binary ones and zeroes—XOR works on any data you can throw at it.
  • Encryption
    • Any encryption that uses the same key for both encryption and decryption is called symmetric-key encryption or a symmetric key algorithm. If you want someone to decrypt what you encrypt, you have to make sure they have some tool that can handle the algorithm and you have to give them the key
    • Any encryption that uses different keys for encryption and decryption is called asymmetric-key encryption or an asymmetric-key algorithm.
  • Symmetric-Key Encryption
    • Symmetric-key algorithms are either block ciphers or stream ciphers.
    • Block ciphers, which encrypt data in single “chunks” of a certain length at a time, are the most common. Let’s say you want to encrypt a 100,000-byte Microsoft Word document.
    • An approach that uses a block cipher would take the file, split it into 128-bit chunks, and encrypt each one separately
  • Symmetric-Key Encryption
    • Advanced Encryption Standard (AES), the most-common block cipher, uses a 128-bit block size and 128-, 192-, or 256-bit key size.
    • AES is incredibly secure, practically uncrackable, and so fast even applications that traditionally used stream ciphers are switching to AES.
  • Symmetric-Key Encryption
    • The alternative to a block cipher is the much quicker stream cipher, which takes a single bit at a time and encrypts on-the-fly.
    • Stream ciphers used to be very popular for data that comes in long streams (such as with older wireless networks or cell phones), but they’ve been largely displaced by block ciphers (with the help of faster hardware) and are rare in the wild.
  • Asymmetric-Key Cryptography
    • Symmetric-key encryption has one serious weakness: anyone who gets a hold of the key can encrypt or decrypt data with it.
    • The nature of symmetric-key encryption forces us to send the key to the other person in one way or another, making it a challenge to use symmetric-key encryption safely by itself.
    • The answer is to bundle the symmetric key up inside another encrypted message via an asymmetric-key algorithm that uses two different keys—one to encrypt and one to decrypt.
  • Asymmetric-Key Cryptography
    • How public-key cryptography—the primary asymmetric implementation—works: imagine two people, Bob and Alice, who want to exchange Alice’s symmetric key.
    • Before Alice can send her symmetric key to Bob, Bob first generates two keys. Bob keeps one of these keys (the private key) on his computer, and sends the other key (the public key) to Alice
    • These two keys—called a key pair—are generated at the same time and are designed to work together. Data encrypted with the public key, for example, must be decrypted with the private key, and vice versa.
  • Asymmetric-Key Cryptography
    • Alice encrypts her symmetric key with Bob’s public key, enabling her to send it to Bob securely for him to decrypt with his private key.
    • Now that Bob and Alice have the same symmetric key, they can establish a connection and exchange encrypted data using symmetric encryption.
    • Some asymmetric cryptographic algorithms you will see these days are RSA (for its creators—Rivest, Shamir, and Adleman), DSA (Digital Signature Algorithm), and ECDSA (Elliptic Curve DSA).
  • Encryption and the OSI Model
    • Layer 1: Encryption is not common at this layer, until you get to some of the bigger WAN technologies, like SONET.
    • Layer 2: Encryption is not common at this layer.
    • Layer 3: Only one common protocol encrypts at Layer 3: IPsec. IPsec is typically implemented via software that encrypts the IP packet. A new outer packet completely encapsulates and encrypts the inner packet.
  • Encryption and the OSI Model
    • Layer 4: Neither TCP nor UDP offers any encryption methods, so nothing happens security-wise at Layer 4.
    • Layers 5, 6, and 7: Important encryption standards (such as TLS used in e-commerce) happen within these layers, but they don’t fit cleanly into the OSI model.
  • Hash
    • In computer security, a hash (or more accurately, a cryptographic hash function) is a mathematical function that you run on a string of binary digits of any length that results in a value of some fixed length (often called a checksum or a message digest).
    • No matter how long or how short the input, the hash’s message digest will always be the same length (usually around 100 to 500 bits long, depending on the type of hash used).
  • Hash
    • A cryptographic hash function is a one-way function. One-way means the hash is irreversible in that you cannot recreate the original data from the hash, even if you know the hashing algorithm and the checksum.
    • A cryptographic hash function should also have a unique message digest for any two different input streams
  • Hash
    • Cryptographic hash functions have a huge number of uses, but a common one is for verifying file integrity. If you download a file from a reputable source, there are two main threats to its integrity: accidental damage caused by networking/storage issues, and tampering by an attack that has compromised the site or your connection.
    • When the download provider hashes the contents of the file—called file hashing—and publishes the resulting message digest, you can hash the copy downloaded and compare the digests to verify the file on your system is most likely identical.
  • Hash
    • Operating systems and applications store hashes of passwords. It’s not a good idea to store plaintext passwords, and encrypting a password always leaves a chance that a bad actor can find the key and decrypt it.
    • When a user creates a password, the operating system hashes the password and only stores the hash.
    • From then on, when anyone provides a password, the operating system just hashes the value entered and compares the hash to the stored hash. If they match, the password is correct.
  • Hash
    • The main way to recover (or crack) a hashed password is to guess a password, hash it, and see if the hash matches.
    • Attackers speed this up by saving each guess and hash and looking up hashes they find to see if they already know the answer
    • Operating systems (especially old ones, or ones using legacy compatibility settings) may use hashes that are much easier to reverse.
  • Hash Algorithms
    • The first commonly used hash algorithm was called Message-Digest Algorithm version 5—best known as MD5. MD5 was introduced in 1991, creating a 128-bit message digest.
    • These days, Secure Hash Algorithm (SHA) is the primary family of cryptographic hash functions. It includes SHA-1, SHA-2, and SHA-3. SHA-1 produces a 160-bit message digest. SHA-2 has six variants
  • Hash Algorithms
    • SHA-224: SHA-2 with a 224-bit message digest
    • SHA-256: SHA-2 with a 256-bit message digest
    • SHA-384: SHA-2 with a 384-bit message digest
    • SHA-512: SHA-2 with a 512-bit message digest
    • SHA-512/224: SHA-2 with a 512-bit message digest truncated to 224 bits
    • SHA-512/256: SHA-2 with a 512-bit message digest truncated to 256 bits
  • Hash Algorithms
    • One thing to keep in mind about cryptographic functions is that we err on the side of caution. Once someone demonstrates a practical attack against an algorithm, recommendations shift quickly to newer functions with improved security.
    • Still, existing uses of the old functions can linger for a long time. As the result of a number of attacks, MD5 and SHA-1 have both ended up on this list of hash functions that are no longer recommended as safe. Don’t use them in the real world
  • Hash Algorithms
    • SHA-2 is the most popular set of cryptographic hash functions used and SHA-2 continues to resist any attacks. The SHA-256 variant is used all over the place, such as in TLS, SSH, IPsec, even Bitcoin
    • NIST adopted a new family of hash algorithms called SHA-3. Like SHA-2, SHA-3 comes in six variants, each with a different message digest length.
    • SHA-3 variants include SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, and SHAKE256. SHA-3 is not widely used yet.
  • Non-Repudiation
    • In network security, nonrepudiation is typically enabled by a combination of encryption and hashing called a digital signature.
    • Digital signatures—much like the signatures put on contracts and other legal documents—play a role in bringing nonrepudiation to IT contexts where older approaches like physical signatures aren’t practical.
  • Digital Signatures
    • To create a digital signature, the sender hashes a message (or part of one) and then encrypts the hash with their private key.
    • The receiver decrypts the signature with the sender’s public key and computes the hash of the message itself. If the hash the receiver computes matches the one inside the digital signature, all is well.
    • The sender can’t deny sending the signed message, because the computed hash matches the hash decrypted with their public key—the signature could only have been encrypted with the sender’s private key.
  • PKI: Certificates
    • A certificate is a standardized type of file that includes a public key, some information about the certificate, and the digital signature of a trusted third party—a person or a company that vouches for the identity of whoever requested the certificate.
    • The information about the certificate includes goodies like the exact date and time, who is issuing it, who they’re issuing it to, when it will expire, and so on
  • PKI: Certificates
    • A company called DigiCert issued this certificate. That’s great, but how does your computer check all this? DigiCert is a certificate authority (CA). Every Web browser keeps a list of CA certificates that it checks against when it receives a digital certificate.
    • When an organization wants to create a secure Web site, the organization buys a certificate signed by a certificate authority, such as DigiCert. DigiCert acts as the root, and the new Web site’s certificate contains DigiCert’s signature.
  • PKI: Certificates
    • In most situations, DigiCert doesn’t directly sign these certificates with its root certificate—it keeps that under lock and key (we hope).
    • Instead, they’ll use an intermediate certificate, which they’ve signed with their own root certificate, to sign the buyer’s certificate.
    • This creates a tree of certificate authorization, with the root certificate authorities at the top and issued certificates at the bottom.
  • PKI: Certificates
    • You can also have additional intermediate certificate authorities, although these are not as heavily used.
    • A CA that directly issues certificates to organizations or devices is also sometimes called an issuing certificate authority.
    • Together, this hierarchy is called a public-key infrastructure (PKI)
  • PKI: Certificates
    • You don’t have to use PKI to use certificates. First, you can create and self-sign your own certificates.
    • These are perfectly fine for lower-security situations (such as e-mail among friends), but don’t expect anyone to buy products on a Web site or send highly sensitive e-mail without a signed certificate from a well-known certificate authority like Sectigo, DigiCert, or Let’s Encrypt.
    • Digital certificates and asymmetric cryptography are closely linked because digital certificates verify the ownership of public keys.
  • Authentication
    • The first exposure to authentication for most users is local authentication: a login screen prompting you to enter a username and password to log into a Windows or macOS computer.
    • Passwords create as many problems as they solve—especially the problems of how to store, transfer, and verify passwords securely. Because of these problems, passwords get compromised all the time.
    • Some second forms of authentication include items you carry (like a smart card) or something physical that uniquely identifies you (such as your retinal patterns or fingerprints—biometrics)
  • Authentication
    • Multifactor authentication (MFA) means using two or more distinctly different methods for authentication. The factors are:
    • Something you know; something you have; something you are
    • Something you know (a knowledge factor) is a username, a password, a passphrase, or a personal identification number (PIN). Something you have (a possession factor) is an object, like a key fob you scan to get into your gym at night. Something you are (an inherent or inherence factor) indicates some distinguishing, unique characteristic, like the biometrics just mentioned.
  • Authorization
    • At a high level, networking exists to enable one computer to request something from another computer. A Web client, for example, might ask for a Web page.
    • A computer far away might ask another computer for access to a private network. Whatever the scenario, you should carefully assign levels of access to your resources.
    • This is authorization and an essential part of network hardening techniques. To help define how to assign levels of access, you use an access control list.
  • Authorization
    • Network access control (NAC) defines a newer series of protection applications that combine the features of what traditionally was done by separate applications.
    • A NAC application usually prevents computers lacking anti-malware and patches from accessing the network. NACs also create policies (their own policies, not Windows policies) that define what individual systems can do on the network, including network access, segregation of portions of the network, etc.
  • Authorization
    • An access control list (ACL) is a clearly defined list of permissions that specifies what an authenticated user may perform on a shared resource.
    • To help you to understand these changes, the security industry likes to use the idea of ACL access models. There are three types of ACL access models: mandatory, discretionary, and role based.