Chapter 11: Securing TCP/IP Flashcards
1
Q
What is nonrepudiation?
A
-data is same as originally sent, came from source I think it should have come from.
2
Q
What is authentication?
A
-verifcy whoever accesses the data is the person I want to access it.
3
Q
What is authorization?
A
-what a person who accesses the data can do with the data.
4
Q
What is a cipher?
A
-general term for a way to encrypt data.
5
Q
What is an algorithm?
A
mathematical formula underlies the cipher.
6
Q
What is a complete algorithm?
A
cipher and implementation of the cipher.
7
Q
What is ciphertext?
A
result from running cleartext through a key.
8
Q
what is a symmetric key algorithm?
A
uses same key to encrypt and decrypt
9
Q
What is asymmetric key algorithm?
A
-different keys for encryption.
10
Q
What is a block cipher?
A
encrypt data in single chuncks
11
Q
What is a stream cipher?
A
-encrypts data a single bit at a time.
12
Q
Describe DES.
A
Data encryption standard
- grandaddy of all TCP/IP symmetric-key algorithms.
- 64 bit block and 56-bit key.
13
Q
Describe AES.
A
Advanced Encryption Standard
- block cipher
- 128-bit block size
- 128, 192, 256-bit key size.
- used in applications from file encryption to wireless networking, to web sites.
14
Q
what is public-key cryptography?
A
-keys can exchange securely
15
Q
What is RSA?
A
Rivest Shamier Adleman
- improvement to Diffre-Hellman public-key cryptography
- enables secure digital signature.
16
Q
Describe the encryption at the different levels at OSI.
A
- Level 1: no common encryption
- level 2: scramble all data in ethernet frame except mac address info.
- layer 3: IPSEC: software that encrypts everything inside packet.
- layer 4: TCP/UDP do not offer encryption.
- layer 5: and 6: not comon for encryption.
- layer 7: SSL/TLS
17
Q
How is non-repudiation implemented?
A
- most cryptographic hash function
- results in checksum or digest.
18
Q
Describe MD5
A
Message-Digest Algorithm version 5
- some SMTP servers use this
- most popular hash function.
- CRAM-MD5: tool for server authentication.
19
Q
Describe SHA
A
Secure Hash algorithm
-sha-1 and sha-2
20
Q
What is a digital signature?
A
- generated by sender to message and private key
- person with matching publick key verifies it came from intended sender.
21
Q
What is PKI?
A
Public-key infrastructure
-certificate: standardized type of digital signature that includes signature of a third party.
22
Q
Describe PGP.
A
Pretty Good Privacy
- web of trust
- group of peers that trust each other.
- email encryption: you get a certificate.
23
Q
Decribe GPG>
A
GNU privacy guard
-alternate to PGP
24
Q
What is an ACL?
A
Access control list.
-defined list of permissions specify that an authenticated user may perform on a shared resource.
25
What are three ACL access models?
- mandatory access control(MAC): every resource assigned a label.
- Discretionary access control(DAC): resource owner assigns access.
- Role-based access control(RBAC): most popular model and is an access based on role(group).
26
What is PPP?
Point to point protocol.
-an authentication standard where 2 devices connect, authenticate with name/password, negotiate network protocol.
-RFC 1661: defines how PPP works.
27
What are the phases of PPP?
- Link Dead; Link control protocol gets connection going
- link establishment
- Authentication: username/password
- Network layer protocol: negotiate layer 3 protocol. Network control protocol(NCP) makes proper connection.
- Termination.
28
Describe PAP
Password authentication Protocol
| -transmits username password in plaintext.
29
Describe CHAP
Challenge Handshake Authentication Protocol
- more secure authentication routine
- hashes based on shared secret.
30
Describe MS-CHAPv2.
- most common authentication for dial up.
| - most security.
31
What are three parts of AAA?
-authentication, authorization, and accounting.
32
Describe authentication as it relates to AAA.
- present credential for access
| - username/passwd, security token, retinal scan, digital certificate.
33
Describe authorization as it relates to AAA.
- What computer can and cannot do.
| - bandwidth limits, times of day, certain applications.
34
Describe RADIUS.
Remote Authentication Dial-In User Service.
- used to support ISPs with thousands of modems.
- radius server, network access servers, systems that dial in.
35
What does a Radius server do?
Internet Authentication Service(microsoft)
-FreeRadius(Unix/linux)
-authenticate on UDP port 1812/1813
or ports 1645/1646
36
Describe TACACS+.
Terminal Access Controller Access Control System Plus
- single server stores ACL for all devices
- developed by CISCO to support AAA
- uses port 49 by default
- can use Kerberos as part of the authentication scheme.
37
What port does TACACS+ work on?
port 49
38
What port does radius use?
UDP port 1812/183 or 1645/1646
39
Describe Kerberos.
no connection to PPP
| -authentication protocol for TCP/IP networks with clients connecting to single authenticating server
40
What port does Kerberos use
UDP or TCP port 88
41
Describe a kerberos key distribution center(KDC)
- authentication server(AS)
- Ticket-Granting Service(TGS)
- after compares hash sends ticket granting ticket(TGT)
- client sends TGT to TGS for authorization.
- TGS sends token back to client called SID in winDNS.
42
Descirbe EAP.
Extensible Authentication Protocol(EAP)
- single standard to allow two devices to authenticate.
- a PPP wrapper that EAP-compliante applications can use to accept one of many types of authentication.
- substantial use in wireless networks
43
What is EAP-PSK?
- personal share key
| - shared secret code stored on both WAP and client encrypted with AES.
44
What is EAP-TLS?
- Transport layer security.
- use of RADIUS server
- mutual authentication, certificates on server and client.
- only on wireless networks.
45
What is EAP-TTLS?
- Tunneled TLS
| - Single server-side certificate.
46
What is EAP-MD5?
-hashes for transfer of authentication details.
47
What is LEAP?
Lightweight EAP
| -used by Cisco wireless products.
48
What is 802.1x?
EAP for ethernet networks.
- puts EAP inside of ethernet frame.
- port authentication NAC mechanism for networks.
49
Describe SSH.
Secure shell
- use PKI in form of RSA key.
- server sends public key, client encrypts session id, negotion encryption.
- AES is popular, 3DES might be used.
50
Describe publick keys to identify clients as it relates to SSH.
- non-interactive logins - turn off password logins.
- generate pair of RSA or DSA keys
- public key on server, public key on cient.
51
Describe Tunnels as they relate to SSH.
- can tunnel for any tcpip application
- encrypted link between two programs on separate computers.
- freeSSHd server: any packet that enters encrypted tunnel(even unencrypted) automatically is encrypted.
52
Describe SSL/TLS.
netscape created SSL.
53
Describe TLS.
upgraed to SSL.
- SSL limited to HTML, FTP, SMTP and few others.
- TLS has no restrictions used in VOIP, VPNs, and webpages.
54
Describe IPsec.
authenticate and encryption at layer 3.
55
What is transport mode of IPsec?
-only payload of packet is encrypted.
56
What is tunnel mode of IPsec?
-entire ip packet encrypted, encapsulated inside another IP packet.
57
What is Authentication Header(AH) of IPsec?
-authentication
58
What is ESP as it relates to IPsec?
Encapsulating Security Payload.
| -authenticate and encryption
59
What is ISAKMP?
Internet Security Association and Key management protocol.
| -security associates.
60
What is IKE and IKEv2 as it relates to IPSEC?
- Internet Key exchange: kerberized internet negotiation of keys(KINK)
- can encrypt data with MD5, SHA.
61
What is SCP?
Secure copy protocol.
-transer data securely between two hosts.
doesnt have directory listing.
62
What is SFTP?
Secure/SSH FTP.
- active FTP uses ports 20 and 21, creating two-session communication.
- SSH can only handle one session per tunnel.
- OpenSSH: group of secure programs made by OpenBSD
- WINSCP and Filezilla clients for SFTP server.
63
What is SNMP?
-cacti.net queries SNMP
64
What is LDAP?
-Lightweight directory access protocol.
65
What port does LDAP use?
-port 389
66
What port does NTP use?
port 123.
