Chapter 11: Securing TCP/IP Flashcards
What is nonrepudiation?
-proof that a message really came from the sender, so the sender cannot later deny having sent it; needs a digital signature (something only the sender could have produced), not just a hash.
What is authentication?
-verify that whoever accesses the data is the person I want to access it.
What is authorization?
-what a person who has been authenticated is allowed to do with the data.
What is a cipher?
-general term for a way to encrypt data.
What is an algorithm?
-the mathematical formula that underlies the cipher.
What is a complete algorithm?
-the cipher plus the implementation of the cipher (key handling, mode of operation, padding).
What is ciphertext?
-the result of running cleartext (plaintext) through the cipher with a key.
what is a symmetric key algorithm?
uses same key to encrypt and decrypt
What is asymmetric key algorithm?
-different keys for encryption and decryption (a public/private key pair).
What is a block cipher?
-encrypts data in fixed-size chunks (blocks), e.g. 64 or 128 bits at a time; needs padding and a mode of operation for data that is not a whole number of blocks.
What is a stream cipher?
-encrypts data a single bit or byte at a time by XORing it with a keystream.
Describe DES.
Data encryption standard
- granddaddy of all TCP/IP symmetric-key algorithms.
- 64-bit block and 56-bit key; the key is short enough to brute-force today, so DES was superseded by 3DES and then AES.
Describe AES.
Advanced Encryption Standard
- block cipher
- 128-bit block size
- 128, 192, 256-bit key size.
- used in applications from file encryption to wireless networking, to web sites.
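The block/stream distinction above is easiest to see with AES itself. The following is an added example (not code from the flashcards or any product they mention) using Go's standard crypto library: it runs AES as a raw block cipher in ECB mode, where identical 16-byte plaintext blocks produce identical ciphertext blocks and the input must be block-aligned, and then in CTR mode, which turns the same block cipher into a stream cipher that handles any length and hides repetition. The key and IV are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// demoKey is a constructed 128-bit AES key for the demonstration only.
var demoKey = []byte("0123456789abcdef")

// ecbEncrypt runs each 16-byte block through AES independently (ECB mode).
// The input length must be a multiple of the block size.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, fmt.Errorf("plaintext must be a multiple of %d bytes", bs)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// ctrEncrypt turns the AES block cipher into a stream cipher: AES encrypts a
// counter block, and that keystream is XORed with the plaintext byte by byte.
// Calling it again on the ciphertext with the same key and IV decrypts.
func ctrEncrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(out, plaintext)
	return out, nil
}

// repeatedBlocks reports whether any two 16-byte blocks of ct are identical,
// which is the pattern leak ECB mode is known for.
func repeatedBlocks(ct []byte) bool {
	seen := map[string]bool{}
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			return true
		}
		seen[b] = true
	}
	return false
}

func main() {
	// Two identical 16-byte records, constructed for the demo.
	plaintext := bytes.Repeat([]byte("ACCOUNT=1234;OK;"), 2)
	ecb, _ := ecbEncrypt(demoKey, plaintext)
	iv := make([]byte, aes.BlockSize) // fixed zero IV for the demo; use a fresh random IV per message
	ctr, _ := ctrEncrypt(demoKey, iv, plaintext)
	fmt.Println("ECB repeats blocks:", repeatedBlocks(ecb))
	fmt.Println("CTR repeats blocks:", repeatedBlocks(ctr))
	// A stream cipher takes any length; the raw block cipher does not.
	_, err := ecbEncrypt(demoKey, []byte("17 bytes of data!"))
	fmt.Println("ECB on 17 bytes:", err)
}
```

Neither mode authenticates the data; in practice use an AEAD mode such as AES-GCM, which adds an integrity tag, and never reuse a CTR/GCM nonce under the same key.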
what is public-key cryptography?
-uses a key pair: the public key can be handed out openly (to encrypt to you or to verify your signatures), only the private key decrypts or signs; lets two parties agree on a secret key without first having a secure channel.
What is RSA?
Rivest Shamir Adleman
- public-key algorithm published shortly after Diffie-Hellman; unlike Diffie-Hellman it does encryption as well as key exchange.
- enables secure digital signatures.
Describe the encryption at the different levels at OSI.
- Level 1: no common encryption
- layer 2: scrambles all data in the Ethernet frame except the MAC address info (e.g. MACsec on wired links, WPA2/WPA3 on wireless).
- layer 3: IPsec: encrypts and/or authenticates everything inside the packet.
- layer 4: TCP/UDP do not offer encryption.
- layers 5 and 6: not common for encryption in this layering (other models place SSL/TLS here).
- layer 7: SSL/TLS
How is non-repudiation implemented?
- with a cryptographic hash function plus a digital signature: the hash produces a fixed-length checksum or digest of the message, and the sender signs that digest with a private key.
- a hash alone can be recomputed by anyone who alters the message, so by itself it gives integrity, not non-repudiation.
Describe MD5
Message-Digest Algorithm 5
- 128-bit digest; was the most popular hash function, but collisions are practical, so it is no longer acceptable for signatures or certificates.
- some SMTP servers use it for CRAM-MD5: a challenge-response tool for a client to authenticate to the server (a hash of the secret crosses the wire, not the secret itself).
Describe SHA
Secure Hash algorithm
-SHA-1 (160-bit digest; collisions demonstrated, retired for signatures) and SHA-2 (SHA-256, SHA-512); SHA-3 is the newer family.
What is a digital signature?
- generated by the sender from a hash of the message and the sender's private key.
- anyone with the matching public key verifies that it came from the holder of the private key and that the message is unchanged.
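To make the hash-versus-signature distinction from the two cards above concrete, here is an added example (not code from the flashcards) in Go: a SHA-256 digest, which anyone can recompute, next to an RSA-PSS signature over that digest, which only the private-key holder can produce and which fails verification if the message, the signature or the key is wrong. The key pairs and the message are constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// digest returns the SHA-256 digest of a message. Anyone can compute this,
// so a bare digest proves nothing about who produced the message.
func digest(msg []byte) []byte {
	h := sha256.Sum256(msg)
	return h[:]
}

// sign hashes the message and signs the digest with the sender's private key
// (RSA-PSS with SHA-256). Only the holder of the private key can do this.
func sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest(msg), nil)
}

// verify checks the signature with the matching public key. A different key,
// a changed message, or a changed signature all make it return false.
func verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	return rsa.VerifyPSS(pub, crypto.SHA256, digest(msg), sig, nil) == nil
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)   // constructed demo key pair
	mallory, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed attacker key pair
	msg := []byte("transfer 100 to account 42")

	// A digest alone: Mallory can change the message and recompute it.
	fmt.Printf("digest: %x\n", digest(msg))

	sig, _ := sign(alice, msg)
	fmt.Println("genuine signature verifies:", verify(&alice.PublicKey, msg, sig))
	fmt.Println("tampered message verifies:", verify(&alice.PublicKey, []byte("transfer 900 to account 42"), sig))
	forged, _ := sign(mallory, msg)
	fmt.Println("mallory's signature verifies as alice:", verify(&alice.PublicKey, msg, forged))
}
```

Verification only tells you the signer held the private key matching that public key; binding the public key to a person is what PKI or a web of trust adds.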
What is PKI?
Public-key infrastructure
-certificate: a public key bound to an identity (such as a host name), carrying the digital signature of a trusted third party (the certificate authority, CA) over that binding.
Describe PGP.
Pretty Good Privacy
- web of trust: a group of peers who sign one another's public keys instead of relying on a central CA.
- email encryption and signing: you create a key pair and get your public key signed by peers who have verified it.
Describe GPG.
GNU privacy guard
-alternate to PGP
What is an ACL?
Access control list.
-a defined list of permissions that specifies what an authenticated user may perform on a shared resource.
What are three ACL access models?
- Mandatory access control (MAC): every resource and every user is assigned a label; the system, not the owner, decides who gets access.
- Discretionary access control (DAC): the resource owner assigns access.
- Role-based access control (RBAC): most popular model; access is granted to a role (group), and users get access by being members of the role.
What is PPP?
Point-to-Point Protocol.
-a link-layer standard for a connection between two devices: they bring up the link, authenticate (typically with a name/password method), then negotiate which network protocol to carry.
-RFC 1661 defines how PPP works.
What are the phases of PPP?
- Link Dead: no connection yet.
- Link Establishment: the Link Control Protocol (LCP) gets the connection going and agrees on options, including which authentication method to use.
- Authentication: username/password (PAP, CHAP, MS-CHAP) or EAP.
- Network-Layer Protocol: negotiate the layer 3 protocol; a Network Control Protocol (NCP), such as IPCP for IP, makes the proper connection.
- Termination.
Describe PAP
Password authentication Protocol
-transmits username and password in plaintext; anyone sniffing the link gets the credentials.
Describe CHAP
Challenge Handshake Authentication Protocol
- more secure authentication routine: a three-way handshake.
- server sends a random challenge; client replies with a hash of (ID + shared secret + challenge); only the challenge and the hash cross the wire, never the secret. The server must hold the secret in recoverable form to recompute the hash.
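The two cards above are the PAP/CHAP contrast. What follows is an added example, not code from the flashcards: a Go implementation of the RFC 1994 CHAP response, MD5(identifier || secret || challenge), with the authenticator's verify step and a replay check, next to what PAP would put on the wire. The shared secret and user name are constructed values. CHAP specifies MD5, which is why it is used here even though MD5 is no longer acceptable for signatures.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// chapResponse implements the RFC 1994 response value:
// MD5(identifier || secret || challenge). The secret never goes on the wire;
// only the challenge and this hash do.
func chapResponse(id byte, secret, challenge []byte) []byte {
	h := md5.New()
	h.Write([]byte{id})
	h.Write(secret)
	h.Write(challenge)
	return h.Sum(nil)
}

// chapVerify is the authenticator side: it recomputes the expected response
// from its own copy of the secret and compares in constant time.
func chapVerify(id byte, secret, challenge, response []byte) bool {
	expected := chapResponse(id, secret, challenge)
	return subtle.ConstantTimeCompare(expected, response) == 1
}

// newChallenge returns a fresh random challenge; a new one per attempt is
// what stops an attacker from replaying a captured response.
func newChallenge() ([]byte, error) {
	c := make([]byte, 16)
	_, err := rand.Read(c)
	return c, err
}

// papOnWire models PAP: the credentials themselves are the message.
func papOnWire(user, password string) string {
	return fmt.Sprintf("Authenticate-Request user=%q password=%q", user, password)
}

func main() {
	secret := []byte("correct horse battery staple") // constructed shared secret
	fmt.Println("PAP:", papOnWire("alice", string(secret)))

	challenge, _ := newChallenge()
	const id = 7
	resp := chapResponse(id, secret, challenge)
	fmt.Printf("CHAP challenge=%x response=%x\n", challenge, resp)
	fmt.Println("verified:", chapVerify(id, secret, challenge, resp))

	// A captured response is useless against the next challenge.
	fresh, _ := newChallenge()
	fmt.Println("replay against new challenge:", chapVerify(id, secret, fresh, resp))
}
```

The weakness CHAP keeps is that the authenticator stores the secret itself (not a salted hash of it), and that an offline dictionary attack on a captured challenge/response pair is possible if the secret is weak.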
Describe MS-CHAPv2.
- most common authentication for dial-up and older Windows VPNs.
- most secure of the PPP methods listed here (adds mutual authentication), but its DES-based exchange is crackable offline today, so it is only acceptable inside a TLS tunnel such as PEAP or EAP-TTLS.
What are three parts of AAA?
-authentication, authorization, and accounting.
Describe authentication as it relates to AAA.
- present credential for access
- username/passwd, security token, retinal scan, digital certificate.
Describe authorization as it relates to AAA.
- What computer can and cannot do.
- bandwidth limits, times of day, certain applications.
Describe RADIUS.
Remote Authentication Dial-In User Service.
- originally used to support ISPs with thousands of modems; today the usual back end for 802.1X, Wi-Fi and VPN authentication.
- three parts: the RADIUS server, network access servers (NAS) that forward requests to it, and the client systems that dial in.
What does a RADIUS server do?
-holds the user database and policy and answers the NAS's authentication, authorization and accounting requests.
-Internet Authentication Service (Microsoft; later renamed Network Policy Server)
-FreeRADIUS (Unix/Linux)
-authenticates on UDP port 1812 and does accounting on UDP port 1813,
or the older ports 1645/1646.
Describe TACACS+.
Terminal Access Controller Access-Control System Plus
- single server stores the ACL for all devices (centralized administration of routers and switches).
- developed by Cisco to support AAA; keeps authentication, authorization and accounting separate, so it can authorize individual commands.
- uses TCP port 49 by default and encrypts the whole packet body (RADIUS hides only the password).
- can use Kerberos as part of the authentication scheme.
What port does TACACS+ work on?
TCP port 49
What port does radius use?
UDP port 1812/1813 or 1645/1646
Describe Kerberos.
-no connection to PPP.
-authentication protocol for TCP/IP networks in which clients authenticate to a single authenticating server (the KDC) and then prove their identity to other services with tickets; the basis of Windows Active Directory logon.
What port does Kerberos use
UDP or TCP port 88
Describe a kerberos key distribution center(KDC)
- Authentication Server (AS): the client proves knowledge of its password-derived key (the AS compares the hash it holds); on success the AS sends back a Ticket-Granting Ticket (TGT), encrypted so that only the KDC can read it.
- Ticket-Granting Service (TGS): the client sends the TGT (plus an authenticator) to the TGS to be authorized for a particular service.
- TGS sends back a service ticket for that service; in Windows the ticket's authorization data carries the user's SIDs, which the server uses to build the access token.
Describe EAP.
Extensible Authentication Protocol (EAP)
- single standard to allow two devices to authenticate.
- a PPP wrapper (a framework) that EAP-compliant applications can use to accept one of many types of authentication (EAP methods).
- substantial use in wireless networks.
What is EAP-PSK?
- Pre-Shared Key.
- shared secret stored on both the WAP and the client; the method uses AES to prove knowledge of the secret without sending it.
What is EAP-TLS?
- Transport Layer Security.
- usually backed by a RADIUS server.
- mutual authentication: certificates on both server and client, so it needs a PKI to issue client certificates.
- used on wireless and wired 802.1X networks; the strongest common EAP method.
What is EAP-TTLS?
- Tunneled TLS
- single server-side certificate sets up a TLS tunnel; the client then authenticates inside the tunnel (for example with a password), so no client certificate is needed.
What is EAP-MD5?
-MD5 challenge/response hashes for transfer of authentication details; no server authentication and no key derivation, so not suitable for wireless.
What is LEAP?
Lightweight EAP
-Cisco-proprietary, used by older Cisco wireless products; its MS-CHAP-based exchange can be cracked offline, so it is deprecated.
What is 802.1x?
EAP over LAN (EAPOL) for Ethernet and Wi-Fi networks.
- puts EAP inside an Ethernet frame.
- port-based authentication, the NAC mechanism for networks: the switch or AP port (authenticator) passes only EAP traffic until the client (supplicant) has authenticated against the back-end RADIUS server.
Describe SSH.
Secure shell
- uses public-key cryptography: every server has a host key pair (RSA, ECDSA or Ed25519); there is no CA by default, so this is not a PKI.
- server presents its host public key; the client checks it against its known_hosts list (trust on first use, or a fingerprint published out of band); the two then run a key exchange (Diffie-Hellman) to derive session keys, and the host key signs the exchange to prove the server's identity.
- AES is popular for the session; 3DES is legacy.
Describe public keys to identify clients as it relates to SSH.
- allows non-interactive logins; once keys are deployed, turn off password logins.
- generate a key pair (RSA or Ed25519; DSA is obsolete).
- public key goes on the server (~/.ssh/authorized_keys); the private key stays on the client.
Describe Tunnels as they relate to SSH.
- can tunnel any TCP/IP application (port forwarding: local -L, remote -R, dynamic SOCKS -D).
- encrypted link between two programs on separate computers.
- freeSSHd server example: any packet that enters the encrypted tunnel (even from an unencrypted protocol) is automatically encrypted on the wire.
Describe SSL/TLS.
netscape created SSL.
Describe TLS.
upgrade to SSL.
- SSL was used mainly with HTTP, FTP, SMTP and a few others; all SSL versions are now deprecated.
- TLS has no such restrictions; used in VoIP, VPNs and web pages.
Describe IPsec.
authentication and encryption at layer 3.
What is transport mode of IPsec?
-only the payload of the packet is encrypted; the original IP header stays in the clear (host-to-host).
What is tunnel mode of IPsec?
-entire IP packet is encrypted and encapsulated inside another IP packet with a new header (gateway-to-gateway VPNs).
What is Authentication Header(AH) of IPsec?
-authentication and integrity (an HMAC over the packet) but no encryption; because the HMAC covers the IP header, AH breaks when a NAT rewrites addresses.
What is ESP as it relates to IPsec?
Encapsulating Security Payload.
-authentication and encryption of the payload; the usual choice.
What is ISAKMP?
Internet Security Association and Key Management Protocol.
-framework for negotiating security associations (SAs): the agreed algorithms, keys and lifetimes for an IPsec connection.
What is IKE and IKEv2 as it relates to IPSEC?
- Internet Key Exchange: negotiates the SAs and session keys (using ISAKMP and Diffie-Hellman); IKEv2 simplifies and replaces IKEv1. Kerberized Internet Negotiation of Keys (KINK) is a separate alternative that uses Kerberos instead.
- integrity uses HMAC with MD5 or SHA; encryption uses a cipher such as 3DES or AES (MD5 and SHA do not encrypt anything).
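The IPsec cards above (transport vs tunnel mode, AH vs ESP, hash for integrity vs cipher for secrecy) are modelled below in an added Go example that is not part of the flashcards. It uses a toy packet type, constructed for the demo, with HMAC-SHA256 standing in for AH and AES-GCM standing in for ESP; the key, nonces and addresses are constructed values, and real SAs get their keys from IKE.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Packet is a toy IP packet: header fields plus payload (constructed for the demo).
type Packet struct {
	Src, Dst string
	Payload  []byte
}

// Bytes serializes header and payload, the data AH integrity-protects.
func (p Packet) Bytes() []byte {
	return []byte(p.Src + "|" + p.Dst + "|" + string(p.Payload))
}

// ahTag models the Authentication Header: an HMAC (SHA-256 here) over the
// header fields and the payload. Origin and integrity only; nothing is hidden.
func ahTag(key []byte, p Packet) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(p.Bytes())
	return m.Sum(nil)
}

// ahVerify recomputes the tag with the shared key and compares in constant time.
func ahVerify(key []byte, p Packet, tag []byte) bool {
	return hmac.Equal(ahTag(key, p), tag)
}

// espSeal models ESP with an AEAD cipher (AES-GCM): the data is encrypted and
// an integrity tag appended, so tampering is detected on open.
func espSeal(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return g.Seal(nil, nonce, plaintext, nil), nil
}

// espOpen decrypts and checks the tag; it returns an error if anything changed.
func espOpen(key, nonce, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, nonce, ct, nil)
}

// transportMode protects only the payload; the original header stays visible.
func transportMode(key, nonce []byte, p Packet) (Packet, error) {
	ct, err := espSeal(key, nonce, p.Payload)
	return Packet{Src: p.Src, Dst: p.Dst, Payload: ct}, err
}

// tunnelMode encrypts the whole original packet, header included, and wraps it
// in a new outer packet addressed between the two VPN gateways.
func tunnelMode(key, nonce []byte, inner Packet, gwSrc, gwDst string) (Packet, error) {
	ct, err := espSeal(key, nonce, inner.Bytes())
	return Packet{Src: gwSrc, Dst: gwDst, Payload: ct}, err
}

// natRewrite models a NAT device changing the source address in flight.
func natRewrite(p Packet, newSrc string) Packet {
	return Packet{Src: newSrc, Dst: p.Dst, Payload: p.Payload}
}

func main() {
	key := make([]byte, 32) // constructed AES-256 / HMAC key
	nonce1 := make([]byte, 12)
	nonce2 := make([]byte, 12) // never reuse a GCM nonce under the same key
	rand.Read(key)
	rand.Read(nonce1)
	rand.Read(nonce2)
	orig := Packet{Src: "10.0.0.5", Dst: "10.0.1.9", Payload: []byte("GET /secret HTTP/1.1")}

	// AH covers the header, so a NAT rewriting Src invalidates the tag.
	tag := ahTag(key, orig)
	fmt.Println("AH verifies unchanged packet:", ahVerify(key, orig, tag))
	fmt.Println("AH verifies after NAT:", ahVerify(key, natRewrite(orig, "203.0.113.7"), tag))

	// ESP transport mode: header readable, payload opaque.
	tp, _ := transportMode(key, nonce1, orig)
	fmt.Printf("transport mode: %s -> %s, payload %x\n", tp.Src, tp.Dst, tp.Payload)

	// ESP tunnel mode: inner addresses hidden; NAT on the outer header is harmless.
	tn, _ := tunnelMode(key, nonce2, orig, "198.51.100.1", "198.51.100.2")
	inner, err := espOpen(key, nonce2, natRewrite(tn, "203.0.113.7").Payload)
	fmt.Println("tunnel inner packet recovered after NAT:", err == nil && bytes.Equal(inner, orig.Bytes()))
}
```

This is why ESP in tunnel mode is what NAT-traversal deployments use, and why "MD5/SHA" in an IPsec policy refers to the HMAC, never to the cipher.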
What is SCP?
Secure Copy Protocol.
-transfers data securely between two hosts over SSH.
-doesn't support directory listing.
What is SFTP?
Secure/SSH FTP: a file transfer protocol carried inside an SSH session on TCP port 22, not FTP tunneled over SSH.
- active FTP uses ports 20 and 21, creating a two-session communication.
- SSH can only handle one session per tunnel, which is why plain FTP tunnels badly and SFTP exists.
- OpenSSH: group of secure programs made by the OpenBSD project.
- WinSCP and FileZilla are clients for SFTP servers.
What is SNMP?
-Simple Network Management Protocol: a manager queries and monitors devices (UDP port 161; devices send traps to port 162); tools such as Cacti (cacti.net) poll SNMP to graph the data.
What is LDAP?
-Lightweight directory access protocol.
What port does LDAP use?
-port 389 (LDAP over TLS, LDAPS, uses 636).
What port does NTP use?
UDP port 123.