Chapter 10: Securing TCP/IP Flashcards
Define: Integrity
The process that guarantees that the data received is the same as originally sent.
Define: Nonrepudiation
Means that a person cannot deny he or she took a specific action.
Define: Authentication
Means to verify that whoever is trying to access the data is the person you want accessing that data.
Define: Authorization
Defines what an authenticated person can do with the data.
Any encryption that uses the same key for both encryption and decryption is called:
symmetric-key encryption
Any encryption that uses different keys for encryption and decryption is called:
asymmetric-key encryption
Symmetric-key algorithms are either ____ ciphers or ____ ciphers.
block
stream
How do block ciphers encrypt data?
In single chunks of a certain length at a time.
How do stream ciphers encrypt data?
They take a single bit at a time and encrypt on-the-fly.
What is one serious weakness that symmetric-key encryption has?
Anyone who intercepts the key can encrypt or decrypt data with it.
How does asymmetric-key encryption solve the weakness of symmetric-key encryption?
The public key of the receiver is used to encrypt the symmetric key before it is sent, and the receiver uses their private key to decrypt it.
Public-key cryptography, the primary asymmetric implementation, generates a key pair. What are these keys called?
private key
public key
What are the three asymmetric algorithms used today?
RSA (Rivest, Shamir, Adleman)
DSA (Digital Signature Algorithm)
ECDSA (Elliptic Curve DSA)
What is a one-way function that you run on a string of binary digits of any length that results in a value of some fixed length (often called a checksum or message digest)?
A cryptographic hash function
Can you recreate the original data from its hash if you know the hashing algorithm used?
No, a hash is irreversible.
How do operating systems and applications store passwords?
They only store the hashes of passwords and not the passwords themselves.
What is the primary family of cryptographic hash functions, and which two are currently recommended?
SHA (Secure Hash Algorithm)
SHA-2 (six variants)
SHA-3 (six variants)
In network security, nonrepudiation is typically enabled by a combination of encryption and hashing called a:
digital signature
How does a sender of a message create a digital signature?
The sender hashes all or part of a message and then encrypts the hash with their private key.
The system for creating and distributing digital certificates issued by trusted third-party certificate authorities (CAs) such as DigiCert, GoDaddy, or Sectigo is called:
PKI (Public-Key Infrastructure)
What three things are included in a PKI certificate?
- Public Key
- Info about the certificate
- The digital signature of a trusted third party
In a PKI encryption method, which key encrypts the data?
The public key
In order to have a PKI you must have a/an ____.
root authority
What two jobs does a NAC (Network Access Control) application do?
- It usually prevents computers lacking anti-malware and patches from accessing the network.
- It creates policies that define what individual systems can do on the network.
What is an ACL (Access Control List)?
A list of permissions that specifies what an authenticated user may perform on a shared resource.
Which type of access control assigns a security-level label to every resource?
MAC (Mandatory Access Control)
Which type of access control is based on the idea that a resource has an owner who may at their discretion assign access to that resource?
DAC (Discretionary Access Control)
Which type of access control defines a user’s access to a resource based on the roles the user plays in the network environment?
RBAC (Role-Based Access Control)
____ enables two devices to connect, authenticate with a username and password, and negotiate the network protocol the two devices will use.
PPP or Point-to-Point Protocol
Originally used by PPP for authentication, ____ transmits the username and password over the connection in plaintext to authenticate a user.
PAP or Password Authentication Protocol
PPP switched from PAP to ____ for a secure authentication routine using hashes.
CHAP or Challenge Handshake Authentication Protocol
Microsoft invented a more detailed and secure version of CHAP for authentication called:
MS-CHAPv2
What does AAA stand for in network security?
Authentication
Authorization
Accounting
____ servers provide AAA for remote users accessing a network using point-to-point connections.
RADIUS or Remote Authentication Dial-In User Service
RADIUS consists of these three devices:
- The RADIUS server
- NASs (Network Access Servers)
- Systems that connect to the network
RADIUS
Port #s
UDP port 1812 (authentication)
UDP port 1645 (authentication)
UDP port 1813 (accounting)
UDP port 1646 (accounting)
The ____ protocol supports AAA in a network with many routers and switches that need administration. It is similar to RADIUS in function.
TACACS+ or Terminal Access Controller Access Control System Plus
TACACS+
Port #
TCP port 49
The authentication protocol ____ is used for TCP/IP networks with many clients all connected to a single authenticating server. Microsoft Windows domains rely on it for authentication.
Kerberos
Kerberos
Port #
UDP or TCP port 88
The ability to log in only one time and use the same token to access any resource you’re allowed to access on an entire network is called:
SSO (Single Sign-On)
What is an SSH tunnel?
An encrypted link between SSH processes on two separate computers.
What does the authentication and encryption protocol suite IPsec (Internet Protocol Security) do and at what OSI layer does it work?
It creates secure tunnels between two computers and works at the Network layer.
What does IPsec Transport mode do?
It encrypts the payload of the IP packet.
What does IPsec Tunnel mode do?
It encrypts the entire IP packet and encapsulates it inside another IP packet at an endpoint.
Who generates CRLs (Certificate Revocation Lists) that a web browser can check certificates against?
Root authorities
What does SMTPS (Simple Mail Transfer Protocol Secure) do?
It wraps SMTP communication with TLS (Transport Layer Security).
SMTPS (SMTP TLS)
Port #
TCP port 587
What does the POP3S (Post Office Protocol 3 over SSL) extension do?
It adds a TLS (Transport Layer Security) wrap to POP3 e-mail retrieval.
POP3S
Port #
port 995
What does the IMAPS (Internet Message Access Protocol over SSL) extension do?
It adds a TLS (Transport Layer Security) wrap for encryption.
IMAPS
Port #
port 993
What protocol offers secure file transfers, resumption of interrupted file transfers, deletion of files on the server, and more?
SFTP or SSH File Transfer Protocol
SFTP
Port #
TCP port 22
What protocol queries the state of network devices and reports whatever device-specific information the devices provide?
SNMP or Simple Network Management Protocol
SNMPv3 is the standard version used today.
SNMP
Port #s
UDP ports 161 and 162
What protocol do programs use to query and change a database used by the network (i.e., Active Directory)? Domain controllers use it automatically in the background to keep your databases in good order.
LDAP or Lightweight Directory Access Protocol
LDAP
Port #s
TCP port 389
UDP port 389