Chapter 1 Flashcards
Do not Trust a Network Connection
Example: Two computers on a desk connected by an Ethernet cable (No other (wireless) connections exist)
How secure is it?
Assuming we have physical security, this network is secure.
Do not Trust a Network Connection
Assume we cannot protect the physical security of the Ethernet cable…
* Step 1: Obtain a knife
* Step 2: Add RJ45 adapters
* Step 3: Get yourself a computer with two network interfaces
* Step 4: Configure transparent Ethernet bridging
What happens next?
Do not Trust the Network
- In this case, you are not even required to be a physical “man in the middle”
- An ARP spoofing attack can logically place the attacker between, e.g., Alice and Bob.
- With tampered ARP tables, packets flow from Alice ↔ Attacker ↔ Bob!
- Result: There are endless opportunities for any kind of attacker to monitor/interfere with your traffic!
Types of Attackers
Options for attacks on the message level
Passive vs Active attacks, differentiate.
Attacker Model
Attacker model = definition of what an attacker can do and cannot do
Dolev-Yao attacker model: explain.
- The attacker is or owns the network (all routers, switches, connections)
- But: The attacker has no control over end systems
- The attacker can perform any active and passive attack
- But: The attacker cannot break cryptographic primitives (encryption, signing, hashing, etc.)
The Attacker’s Position in the Network Determines their Capabilities
- Attackers typically do not control the entire network/Internet.
- The attacker’s position in the network is crucial and defines which messages can be seen and what the attacker can do. Possible scenarios?
Security Goals
Confidentiality, Data Integrity, Authenticity, Controlled Access, Accountability, Availability. Explain them.
Discuss security goals that are in conflict.
Integrity vs. Authenticity
Authentication vs. Authorization
Explain the terms threat, vulnerability, security violation, and attack.
- A threat in a communication network is any possible event or sequence of actions that might exploit a vulnerability, leading to a violation of one or more security goals
- Vulnerability: e.g., a badly configured access control system
- Threat: e.g., a hacker accesses data protected by the access control system
- Security violation: e.g., confidentiality of company secrets harmed
- Attack: The actual realization of a threat
Threats vs Risk
- Threats can be more or less
- When performing a risk analysis or security audit, analysts often consider
- Often defense strategies are picked after …
- As a rule of thumb, you try to avoid high-risk attacks first
- Security is expensive (and inconvenient)!
“problematic” or “critical”
- Likelihood: Can the attack be implemented efficiently, which makes it more likely and hence more critical?
- Resulting damage: Is the attacked target a critical component, which makes the attack more critical?
such an analysis to decide which security measures to take
Security Violations - Definitions
- Impersonation:
- Forgery of information:
- Modification or loss of (transmitted) information: …
- An entity claims to be another entity (also called “masquerade”)
- An entity creates new information in the name of another entity
- Data is being altered or destroyed
Security Violations - Definitions
- Repudiation: …
- Eavesdropping: …
- Authorization Violation: …
- Denial of Service (Sabotage): …
- An entity falsely denies its participation in a communication act
- An entity reads information it is not intended to read
- An entity uses a service or resources it is not intended to use
- Any action that aims to reduce the availability and / or correct functioning of services or systems
Example 1
* Authorization Violation + Eavesdropping
Example 2
* Impersonation + Forgery of Information
- Denial of service: Example
Denial of Service + Impersonation + Forgery of Information: Example
- Goal: Alice floods Bob with TCP SYN packets while also covering up her identity
- Alice@Box$ hping3 --fast --count 42 --rand-source --syn --destport 80 $BOB
- --rand-source: random spoofed source IP address