Networking Flashcards

1
Q

001 What is a host?

A

Any device that sends or receives traffic over a network:

Computer, laptop, phone, printer, server, cloud server.

Also any IoT device: TV, speakers, thermometers, lights, watches, fridge, etc.

2
Q

002 What are clients and servers?

A

Client initiates requests, server responds.

Servers are simply computers with software installed which responds to specific requests. For example a web server.

However, these categories are relative to a specific communication. When a device that we normally call a server requests something from another device / server (e.g. software update), it then acts as a client.

3
Q

003 What is an IP address?

A

It’s an address that identifies each host on a network. It is made of 32 bits divided into 4 octets of 0-255.

4
Q

004 What is a network?

A

It is a connection between hosts and what transports traffic between them. It is a logical grouping of hosts. Networks can contain other networks, referred to as sub-networks or subnets.

5
Q

005 What is the difference between Repeater, Hub, Bridge, Switch and Router?

A

Data decays as it travels through a wire. A Repeater regenerates the signal, which enables us to create connections at greater distances.

When adding more and more hosts, connecting them all directly doesn’t scale. A Hub is simply a multiport repeater that not only regenerates the signal but also forwards it to all the remaining ports. It’s the first device that centrally connects multiple hosts. The problem with it is that everybody sees everybody else’s data.

A Bridge sits between two hubs. It only has two ports and it learns which hosts are on which side. It’s the first type of device that can keep traffic only within a relative network.

A Switch is like a combination of hub and bridge. It connects multiple hosts and it remembers which one is on which port. That means it can keep communication between two hosts only to their particular ports. It facilitates communication within a network, that has one IP address space.

A Router, on the other hand, is a device that enables connection between networks and to the network of networks, the Internet. Due to its position it provides a traffic control point, where security, filtering or redirecting can be handled.

6
Q

006 How does Routing work? What is Interface, Route, Gateway?

A

A router learns which networks it is attached to. The point of connection is called an Interface, the knowledge of the attached network is called a Route, and it is stored in a so-called Routing Table.

A router has an IP address in every network it is attached to. That IP address is the identity of the Interface that the particular network is attached to. It serves as what is known as the Gateway or Default Gateway. A Gateway is each host’s way out of its local network.

7
Q

007 What is the OSI model?

A

It is basically a set of rules of networking divided into 7 layers. Each layer serves a specific function and if they all work correctly, hosts can share data with one another.

The Open Systems Interconnection (OSI) model describes seven layers that computer systems use to communicate over a network. It was the first standard model for network communications, adopted by all major computer and telecommunication companies in the early 1980s.

The modern Internet is not based on OSI, but on the simpler TCP/IP model. However, the OSI 7-layer model is still widely used, as it helps visualize and communicate how networks operate, and helps isolate and troubleshoot networking problems.

OSI was introduced in 1983 by representatives of the major computer and telecom companies, and was adopted by ISO as an international standard in 1984.

8
Q

008 What are the purposes of the first 3 layers of the OSI model and which technologies are related to them?

A

Layer 1 - Physical layer - Transporting data in the form of 1’s and 0’s (bits) between hosts.
L1 techs: Cables, Wifi, Repeater, Hub

The physical layer is responsible for the physical cable or wireless connection between network nodes. It defines the connector, the electrical cable or wireless technology connecting the devices, and is responsible for transmission of the raw data, which is simply a series of 0s and 1s.

Layer 2 - Datalink layer - Hop to Hop delivery of data. It is what sends data to the physical layer and what retrieves it from there. It uses an addressing scheme with so-called MAC addresses, which are unique identifiers of a NIC (Network Interface Card) or Wi-Fi Access Card. These devices are basically the points of connection of the physical layer to the hosts. Layer 2 enables communication (a jump) from a host to a router or from a router to another router. These jumps are called hops. Very often many hops are needed to get to the target host. That’s why it is called hop to hop delivery.
L2 techs: NICs - MAC addresses, Switches

The data link layer establishes and terminates a connection between two physically-connected nodes on a network. It breaks up packets into frames and sends them from source to destination. This layer is composed of two parts—Logical Link Control (LLC), which identifies network protocols, performs error checking and synchronizes frames, and Media Access Control (MAC) which uses MAC addresses to connect devices and define permissions to transmit and receive data.

Layer 3 - Network layer - End to End delivery of data using an addressing scheme with IP addresses. Layers 2 and 3 work together to move the data across the Internet. What links a layer 3 address (IP) to a layer 2 address (MAC) is a protocol called ARP - Address Resolution Protocol.
L3 techs: IP addresses, Routers, any device with an IP address

The network layer has two main functions. One is breaking up segments into network packets, and reassembling the packets on the receiving end. The other is routing packets by discovering the best path across a physical network. The network layer uses network addresses (typically Internet Protocol addresses) to route packets to a destination node.

9
Q

009 What is the purpose of layer 4 of the OSI model?

A

Layer 4 - Transport layer - Service to Service delivery using an addressing scheme with Ports. It uses 2 different strategies (protocols) to distinguish between data streams, TCP and UDP. TCP favors reliability, UDP efficiency, and they both have an addressing space from 0 to 65535. The ports ensure that the right application gets the right data and the data streams are kept isolated from each other.

The transport layer takes data transferred in the session layer and breaks it into “segments” on the transmitting end. It is responsible for reassembling the segments on the receiving end, turning them back into data that can be used by the session layer. The transport layer carries out flow control, sending data at a rate that matches the connection speed of the receiving device, and error control, checking whether data was received correctly and, if not, requesting it again.

10
Q

010 What are the 3 application layers in the OSI model and what is their purpose?

A

5, 6, 7 - Session, Presentation, Application
The distinction between them is vague and they are often considered one layer - the Application layer.

5. Session Layer

The session layer creates communication channels, called sessions, between devices. It is responsible for opening sessions, ensuring they remain open and functional while data is being transferred, and closing them when communication ends. The session layer can also set checkpoints during a data transfer—if the session is interrupted, devices can resume data transfer from the last checkpoint.

6. Presentation Layer

The presentation layer prepares data for the application layer. It defines how two devices should encode, encrypt, and compress data so it is received correctly on the other end. The presentation layer takes any data transmitted by the application layer and prepares it for transmission over the session layer.

7. Application Layer

The application layer is used by end-user software such as web browsers and email clients. It provides protocols that allow software to send and receive information and present meaningful data to users.

A few examples of application layer protocols are the Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Post Office Protocol (POP), Simple Mail Transfer Protocol (SMTP), and Domain Name System (DNS).

11
Q

011 What is a NIC?

A

Network Interface Card is a piece of hardware, typically a circuit board or chip, which is installed on a computer so it can connect to a network.

The network card operates as a middleman between a computer and a data network. For example, when a user requests a webpage, the computer will pass the request to the network card, which converts it into electrical impulses.

A web server on the internet receives the impulses and responds by sending the webpage back to the network card as electrical signals. The card gets these signals and translates them into the data that the computer displays.

12
Q

012 What is the TCP/IP model?

A

The Transmission Control Protocol/Internet Protocol (TCP/IP) model is older than the OSI model and was created by the US Department of Defense (DoD). A key difference between the models is that TCP/IP is simpler, collapsing several OSI layers into one:

OSI layers 5, 6, 7 are combined into one Application Layer in TCP/IP.
OSI layers 1, 2 are combined into one Network Access Layer in TCP/IP – however, TCP/IP does not take responsibility for sequencing and acknowledgement functions, leaving these to the underlying transport layer.

Other important differences:

TCP/IP is a functional model designed to solve specific communication problems, and which is based on specific, standard protocols. OSI is a generic, protocol-independent model intended to describe all forms of network communication.
In TCP/IP, most applications use all the layers, while in OSI simple applications do not use all seven layers. Only layers 1, 2 and 3 are mandatory to enable any data communication.

13
Q

013 What is TCP and UDP?

A

TCP - Transmission Control Protocol is a connection-oriented protocol, whereas UDP - User Datagram Protocol is a connectionless protocol. A key difference between TCP and UDP is speed, as TCP is comparatively slower than UDP. Overall, UDP is a much faster, simpler, and more efficient protocol; however, retransmission of lost data packets is only possible with TCP. So TCP is more reliable, while UDP prioritizes speed and efficiency.

14
Q

014 What is a MAC address?

A

Media Access Control (MAC) Address –
A MAC Address is a unique 48-bit hardware number of a computer, which is embedded into a network card (known as a Network Interface Card) at the time of manufacturing. The MAC Address is also known as the Physical Address of a network device.

15
Q

015 What is the format of a MAC address?

A

A MAC Address is a 12-digit hexadecimal number (6-Byte binary number), which is mostly represented in Colon-Hexadecimal notation.

The first 6 digits (say 00:40:96) of a MAC Address identify the manufacturer and are called the OUI (Organizationally Unique Identifier). The IEEE Registration Authority Committee assigns these MAC prefixes to its registered vendors.

Here are some OUI of well-known manufacturers :

CC:46:D6 - Cisco
3C:5A:B4 - Google, Inc.
3C:D9:2B - Hewlett Packard
00:9A:CD - HUAWEI TECHNOLOGIES CO.,LTD

The rightmost six digits represent the Network Interface Controller and are assigned by the manufacturer.

As discussed above, the MAC address is represented in Colon-Hexadecimal notation. But this is just a convention, not mandatory. A MAC address can be represented using any of the following formats:

hyphen, colon or period-separated hexadecimal notation:

00-0a-83-b1-c0-8e
00:0a:83:b1:c0:8e
00.0a.83.b1.c0.8e

Colon-Hexadecimal notation is used by Linux OS and Period-separated Hexadecimal notation is used by Cisco Systems.

16
Q

016 What is an IP address?

A

An IP address is a unique address that identifies a device on the internet or a local network. IP stands for “Internet Protocol”, which is the set of rules governing the format of data sent via the internet or local network.

In essence, IP addresses are the identifier that allows information to be sent between devices on a network: they contain location information and make devices accessible for communication.

The internet needs a way to differentiate between different computers, routers, and websites. IP addresses provide a way of doing so and form an essential part of how the internet works.

17
Q

017 What is ARP?

A

Address Resolution Protocol (ARP) is a communication protocol used to find the MAC (Media Access Control) address of a device from its IP address.

This protocol is used when a device wants to communicate with another device on a Local Area Network or Ethernet.

18
Q

018 What is encapsulation and de-encapsulation?

A

In a networking model, the term encapsulation refers to a process in which protocol information is added to the data. The term de-encapsulation refers to a process in which information added through the encapsulation process is removed. Protocol information can be added before and after the data.

19
Q

019 How does Switching work?

A

A switch is a device whose primary purpose is moving data within a network. All the devices communicating through a switch belong to the same IP network.

As a switch is a layer 2 device, it only looks at the layer 2 header. Everything else from its perspective is simply considered as data.

It uses and maintains a MAC Address Table, which maps switch ports to MAC Addresses. This table doesn’t start out populated. It starts out empty. As data flows through it, the switch populates this table.

Beyond the MAC address table the switch performs 3 types of actions:

1) Learning = updating MAC Address Table with mapping of the switching port to the source MAC Address
2) Flooding = duplicating and sending the frame out of all the switch ports except the source port
3) Forwarding = using MAC Address Table to deliver frame to the appropriate switching port

A switch also has its own MAC address, but it is not involved in the switching process. It only gets in use when we want to send data TO or FROM the switch, not through it. For example when we want to perform some switching set-up. In such case an IP address is also needed. The switch is then essentially acting as another host on the network.

20
Q

020 What is Unicast and Broadcast and what is the difference between Unicast flooding and Broadcast flooding?

A

Unicast is a type of frame with another host as a destination MAC Address.

Broadcast is a type of frame with destination MAC Address FFFF.FFFF.FFFF (unspecified).

Flooding is one of the three actions a switch can do.

Unicast flooding only happens when the destination MAC Address is not in the MAC Address Table.

Whereas broadcast frames are always flooded.

21
Q

021 What is a VLAN?

A

Virtual Local Area Network is basically dividing switching ports into isolated groups. It essentially divides a switch into multiple “mini-switches” that use separate MAC Address Tables and do all three types of switching actions only within their respective VLAN.

22
Q

022 How does switching work within a topology with two interconnected switches with two or more hosts connected to each of them?

A

The switching process is the same as with one switch. The only difference is that the switches use separate MAC Address Tables, which they don’t share with each other, and the ports connecting the two switches can be linked to multiple MAC Addresses, as they represent the hosts connected to the opposite switch.

23
Q

023 What is SSL / TLS Encryption?

A

SSL/TLS encrypts communications between a client and server, primarily web browsers and web sites/applications.

SSL (Secure Sockets Layer) encryption, and its more modern and secure replacement, TLS (Transport Layer Security) encryption, protect data sent over the internet or a computer network. This prevents attackers (and Internet Service Providers) from viewing or tampering with data exchanged between two nodes—typically a user’s web browser and a web/app server. Most website owners and operators have an obligation to implement SSL/TLS to protect the exchange of sensitive data such as passwords, payment information, and other personal information considered private.

24
Q

024 What are the 3 main use cases of SSL / TLS?

A

1) using https to securely transfer websites
2) using SSL VPN to securely connect to a corporate network
3) using SSL VPN to securely connect to a public VPN provider to hide one’s identity

25
Q

025 What are the 3 ways of protection of data by SSL / TLS?

A

Data sent across a wire can be captured by anyone in the middle. SSL / TLS can’t prevent that. Their purpose is to protect the data in 3 ways:

1) Confidentiality = Data is only accessible by Client and Server.
2) Integrity = Data is not modified between Client and Server.
3) Authentication = Client / Server are who they say they are.

26
Q

026 What are Anti-Replay and Non-Repudiation concepts in secure communication?

A

Anti-Replay = protection against replay attacks, in which chunks of data are duplicated and repeatedly sent to the receiver. The chunks are given built-in sequence numbers, and when the same sequence number is detected again, the incriminated packet of data is simply ignored.

Non-Repudiation (repudiate - refuse to have anything to do with) = preventing the sender from later denying sending a particular message. This is ensured by the Integrity and Authentication concepts of data protection. It’s simply their by-product. We know the data couldn’t have been modified and it was definitely sent by the sender. No extra measures need to be taken.

27
Q

027 What are the 3 key players of SSL / TLS?

A

1) Client = entity initiating the TLS Handshake (web browser, phone, apps, IoT devices)
2) Server = entity receiving the TLS Handshake (web server, load balancer, SSL accelerator)
3) Certificate Authority = governing entity issuing Certificates, trusted by Client and Server, provides so called Trust Anchor (if we trust CA, we trust what the CA trusts). Five organizations secure 98% of the Internet: IdenTrust, DigiCert (GeoTrust, Verisign and Thawte), Sectigo, GoDaddy and GlobalSign.

28
Q

028 What is the history of SSL / TLS versions?

A

In 1994 SSL v1.0 was developed by Netscape as a result of the race for internet security among the main browsers of that time. They never publicly released it, kept it as a competitive advantage and it was full of flaws, therefore considered completely insecure.

Netscape was forced to completely redesign it and in 1995 came with SSL v2.0. However, it was also full of flaws and so it was determined insecure as well.

One year later, in 1996, Netscape released SSL v3.0. The result was pretty good and it laid the foundations of the TLS versions we use today. It introduced the concept of Certificate Chains and the optional support for additional Key Exchanges (SSL v1.0 and v2.0 only supported RSA Key Exchange).

When Netscape finally released the draft, it was saved as RFC 6101 - Historical copy of original SSLv3.0 from 1996.

SSL v3.0 was the predominant version of SSL all the way through October 2014, when a vulnerability allowing the so-called POODLE attack was revealed. Since then it is considered completely insecure.

TLS v1.0, v1.1 and v1.2 are just minor incremental updates to SSL v3.0.

The term TLS was coined by the I.E.T.F. (Internet Engineering Task Force, a standards organization for the Internet that is responsible for the technical standards that make up the Internet protocol suite) when ownership of the SSL protocol was transferred to them and it became an open standard under RFC 2246.

TLS v1.0 from 1999 was largely identical to SSL v3.0 with a few minor changes: HMAC support and required support for additional Key Exchanges. Its major vulnerability was the BEAST attack (attack on CBC ciphers), which is now mitigated in most of the modern browsers.

TLS v1.1 was released in 2006 under RFC 4346 and it was largely similar to v1.0 with a few minor updates: formally deprecated Export Grade ciphers, protection against CBC attacks.

From March 2021 (RFC 8996) TLS v1.0 and v1.1 are not recommended for use and they fail most compliance certifications like HIPAA, PCI, NIST, etc.

In 2008 TLS v1.2 was released. The changes introduced were: Improved security of key generation, support for AEAD Ciphers (Authenticated Encryption with Associated Data).

TLS v1.3 was ratified in 2018 under RFC 8446. Among major changes from prior versions there are: Shorter handshake (2 messages vs 5+), 0-RTT Resumption, Forward Secrecy required, AEAD ciphers required.

The major paradigm shift with v1.3 is that it favors simplicity and security over backwards compatibility, which was historically the main cause of vulnerabilities. It removes support for insecure algorithms.

TLS v1.2 and v1.3 are considered secure and therefore recommended.

29
Q

029 What is hashing and how does it work?

A

Hashing is an algorithm which takes a message of arbitrary length and produces as output a fingerprint of the original message. That output is usually called a Digest (or Checksum, Fingerprint, Hash, CRC, etc.).

30
Q

030 What are the most common purposes of using hashing?

A
  1. to compare large amounts of data. You create the hashes for the data, store the hashes and later if you want to compare the data, you just compare the hashes.
  2. to index data. They can be used in hash tables to point to the correct row. If you want to quickly find a record, you calculate the hash of the data and directly go to the record where the corresponding hash record is pointing to. (This assumes that you have a sorted list of hashes that point to the actual records)
  3. in cryptographic applications like digital signatures.
  4. to generate seemingly random strings.
31
Q

031 What are 2 basic properties of a good hashing function?

A

1) it should be very fast to compute
2) it should minimize duplication of output values (collisions).

32
Q

032 What are 4 requirements that a real world hashing algorithm must satisfy?

A
  1. Infeasible to produce a given digest
  2. Impossible to extract the original message
  3. Slight changes produce drastic differences
  4. Resulting digest has fixed length
33
Q

033 What are collisions in hashing and can they be avoided?

A

A collision happens when two messages result in an identical digest. Collisions cannot be avoided, as they are simply a by-product of a fixed-width digest, which allows only a limited number of possibilities. Although they cannot be avoided, they can be made more rare. Hashing algorithms with higher bit digest output are generally more secure.

34
Q

034 What are the common hashing algorithms?

A

MD5: the fifth version of the Message Digest algorithm. MD5 creates 128-bit outputs. It was a very commonly used hashing algorithm. That was until weaknesses in the algorithm started to surface. Most of these weaknesses manifested themselves as collisions. Because of this, MD5 began to be phased out.

SHA-1: This is the second version of the Secure Hash Algorithm standard, SHA-0 being the first. SHA-1 creates 160-bit outputs. It is one of the main algorithms that began to replace MD5, after vulnerabilities were found. It gained widespread use and acceptance. It was actually designated as a FIPS 140 compliant hashing algorithm.

SHA-2: This is actually a suite of hashing algorithms. The suite contains SHA-224, SHA-256, SHA-384, and SHA-512. Each algorithm is represented by the length of its output. SHA-2 algorithms are more secure than SHA-1 algorithms, but SHA-2 has not gained widespread use.

LANMAN: Microsoft LAN Manager hashing algorithm was used by legacy Windows systems to store passwords. It used DES algorithms to create the hash. The problem is that its implementation of the DES algorithm isn’t very secure, and therefore, it is susceptible to brute force attacks. LANMAN password hashes can actually be cracked in just a few hours. Microsoft no longer uses it as the default storage mechanism. It is available, but is no longer turned on by default.

NTLM: This is the NT LAN Manager algorithm. The NTLM algorithm is used for password hashing during authentication. It is the successor of the LANMAN algorithm. NTLM was followed with NTLMv2, which uses an HMAC-MD5 algorithm for hashing.

35
Q

035 How is hashing used to provide Integrity? What is MAC and HMAC?

A

Both parties have to establish a mutual Secret Key. Sender combines the key and the message to create the Digest. Receiver verifies by calculating the digest from the message and his key.

When successful, it ensures Integrity by proving the message was not modified and Authentication, because it shows that the sender had the identical key.

This concept is known as MAC - Message Authentication Code. It combines the message and a secret key to calculate the digest and therefore provides integrity and authentication of data transfers. The key has to be the same and the way it is combined with the message as well.

The industry standard implementation of MAC, i.e. how to combine a message with a key, is called HMAC - Hash based Message Authentication Code (RFC 2104).

36
Q

036 What is Encryption and how does it work? What is simple encryption, its disadvantage and the solution?

A

Encryption is a way to conceal information by altering it so that it appears to be random data. It is essential for security on the Internet.

It is used to provide Confidentiality - ensuring that only the intended recipient can interpret the data.

Data before encryption is called Plain or Clear text and after the encryption it is Cipher text.

Transforming Plain text into Cipher text is called Simple Encryption. The problem with it is that it doesn’t scale and it’s hard to do securely. For every recipient a new encryption algorithm would have to be used.

The solution is so-called Key Based Encryption, which combines an industry vetted algorithm with a Secret Key. Algorithms are created by experts. Secret keys can be generated randomly.

37
Q

037 What are the 2 types of Key Based Encryption?

A
  1. Symmetric Encryption = encrypting and decrypting content using the same keys
  2. Asymmetric Encryption = encrypting and decrypting content using different keys. They have to be mathematically related. What one key encrypts, the other one can decrypt. It works both ways.
38
Q

038 What are the strengths and weaknesses of the 2 types of encryption?

A
  1. Symmetric:
    + faster: lower CPU cost
    + cipher text is approximately the same size as plain text
    - Secret key must be shared = less secure
  2. Asymmetric:
    - slower: requires much larger key size
    - cipher text expansion
    + Public key is shared but Private key never = more secure

Therefore symmetric encryption is good for bulk data transfers and asymmetric encryption for limited data.

39
Q

039 What are some examples of Symmetric and Asymmetric encryption algorithms?

A

Symmetric:

insecure:
DES - 56 bit key
RC4 - 128 bit key

somewhat secure:
3DES - 168 bit key

secure:
AES - 128, 192, 256 bit keys
ChaCha20 - 128 or 256 bit keys

Asymmetric:

less secure:
DSA

secure:
RSA
Diffie-Hellman
ECDSA
ECDH

The key size for asymmetric encryption varies depending on the context. For example the recommended key size for RSA is 2048 bits.

40
Q

040 What are Public and Private Keys and how are they used?

A

Both of them are part of an Asymmetric Key Pair used in asymmetric encryption. As the names suggest, the Public key is publicly shared and the Private key is never shared with anyone. They only work together. One without the other is useless.

They can be used for:

Encryption: Sender encrypts the message with Receiver’s public key and so the Receiver is the only one who can decrypt it, because only he owns the related Private key.

Signatures: Sender only wants to prove that he sent the message and doesn’t really care if someone else will see the content. He encrypts it using his Private key and so the only way to decrypt it is to use the Public key. When using the Public key results in a successful decryption, it proves two things:

  1. It was really the sender who sent the message = Authentication
  2. The message was not modified in transit = Integrity
41
Q

041 What is hybrid encryption?

A

It’s a combination of symmetric and asymmetric encryption: using asymmetric encryption to facilitate Key Exchange and then symmetric encryption for bulk data transfer.

How does it work?
Because asymmetric encryption is not efficient for big bulk data, we use symmetric encryption for that purpose. In order to establish such communication, both parties have to have the same symmetric key, which has to be shared between them in a secure way. As a symmetric key is basically a small set of data, it is convenient to send it using asymmetric encryption. Once the symmetric key is owned by both parties, big bulk data can be sent in a fast and secure way. This can be done in both directions for an arbitrary amount of data.

This way we can use the strengths of each type of encryption to achieve the best possible result.

42
Q

042 How does using an Asymmetric Key Pair for creating Signatures work?

A

The Sender calculates a hash of his message, encrypts the resulting Digest using his Private key and sends both the original message and the Signature together.

The Receiver decrypts the Signature using the Public key, which will result in the Digest created by the Sender. The Receiver independently calculates the Digest and compares the results. If they are the same, it proves 2 things:

The message hasn’t changed = Integrity
It was really the Sender who created the Signature = Authentication

43
Q

043 How does communication between Client and Server on the Internet work using SSL / TLS cryptography?

A

The Client and the Server intend to share bulk data with each other in a secure way. That means they have to apply Symmetric encryption to ensure Confidentiality and a Message Authentication Code to get Integrity. Both of these things require mutual Secret keys.

The Key Exchange is done using Asymmetric encryption. Because anybody can generate asymmetric keys, the Client cannot be sure who is on the other side of the wire. That is where the Certificate Authority comes into the picture.

A Certificate Authority (CA) is an entity that is trusted by the Client. It generates a Certificate that links a particular set of Asymmetric keys to an Identity. This Certificate is signed by the CA. So because the Client knows it was signed by the CA and not modified, and because the Client trusts the CA, the Asymmetric keys that the Certificate validates also inherit the Authentication. Which means that any Symmetric keys derived from the Asymmetric keys inherit it as well.

So any time a MAC is used with Symmetric keys derived from Asymmetric keys with Authentication, it also provides the service of Authentication. This completes all 3 ways of protection of data and that’s how it is provided by SSL / TLS on the Internet. All three key players have a crucial role and form a triangle called the PKI - Public Key Infrastructure.

44
Q

044 What is PKI - Public Key Infrastructure and what is it formed by?

A

A Public Key Infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. The purpose of a PKI is to facilitate the secure electronic transfer of information for a range of network activities such as e-commerce, internet banking and confidential email.

It is formed by 3 entities:

Client - needs to connect securely or verify an identity
Server - needs to prove its identity
Certificate Authority - validates identities and generates certificates

It can represent different contexts: www environment, software code signing, internal corporate PKI

45
Q

045 What is RSA?

A

It’s a public-key based cryptosystem created by Ron Rivest, Adi Shamir and Leonard Adleman in 1977.

It’s the most common Asymmetric Encryption algorithm.

RSA creates a pair of commutative keys, which means that what we encrypt with one, we can decrypt with the other, i.e. it doesn’t matter in which order they are used.

It can be used to do Encryption, Signatures and Key Exchange.

46
Q

What is the Diffie-Hellman protocol?

A

It’s an Asymmetric Encryption algorithm that allows two parties to establish a shared secret over an unsecured medium.

The shared secret is usually not used as a key itself, but to generate symmetric keys or HMAC keys.

The security of DH depends on the Discrete Logarithm problem.

G^X MOD P = N

Finding X in this equation is infeasible. The only method is brute force, i.e. trying every possible combination.

It can be used only for Key Exchange.

47
Q

What is DSA - Digital Signature Algorithm?

A

It’s an asymmetric encryption algorithm that can be used only for two operations:

Signature generation:
Input involves: Message, Private Key, Random number and DSA parameters.
When these four things are fed into signature generation, the DSA will provide us with a Digital Signature correlating with the message.

Signature verification:
Input: Message, Public Key, Signature, DSA parameters.
Output: 1 or 0 (True or False)

Important:
The random number has to be unique for each message or DSA fails. If it is ever re-used, the Private Key can be extracted. This can be solved by using the formula in RFC 6979, which generates the random number deterministically based on the Message sent. So the only case when it can be the same is when the message is the same, and that meets the original condition of uniqueness.

48
Q

What are the steps of complete TLS sequence?

A
  1. Certificate Authority as the cornerstone of the SSL/TLS process generates its Public and Private Key and issues a Self-Signed Certificate.
  2. Server wants to acquire a Certificate.
  3. It generates its own Public and Private key.
  4. Then it generates a CSR - Certificate Signing Request, that contains the Server’s Public key and it’s signed with the Server’s Private key.
  5. Server sends the signed CSR to a CA.
  6. CA inspects and validates the information.
  7. CA creates Certificate using the information from CSR.
  8. CA signs the Certificate, so it contains the Server’s Public key and it’s signed by the CA’s Private key, which ties a particular set of keys to an Identity. This Identity is guaranteed by the CA.
  9. CA gives the Certificate to the Server.
  10. Server can provide Certificate to prove its Identity.
  11. Client wants to connect securely to the Server. Client web browser already has the CA certificates pre-installed.
  12. Client requests the Server’s Certificate and validates that it is legitimate by using the CA’s Public key, and that the Server truly owns this Certificate.
  13. Both of these validations happen in what’s known as SSL/TLS Handshake. The Handshake also allows the Client and the Server to establish symmetric keys.
  14. The outcome of a successful Handshake is the agreement upon various Session keys to protect bulk data transfers between them. One set of symmetric Encryption keys to provide Confidentiality and one set of symmetric MAC keys to provide Authentication.
  15. These Session keys form a Secure tunnel to protect communication between the Client and the Server.

49
Q

What is a Cipher Suite?

A

It’s a suite of actual protocols, agreed on by Client and Server, used to attain secure communication between them. It has to cover all four areas of secure communication:

Key Exchange protocol - to generate necessary keys
Authentication protocol - verify Server’s identity
Symmetric Encryption protocol - confidentiality for bulk data transfer
Hashing Algorithm - used within MAC for data integrity

Examples of what a cipher suite looks like:

TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5 (RSA used for both Key Exchange and Authentication)

The least secure cipher suite:
TLS_NULL_WITH_NULL_NULL

The most secure (Apr 2022):
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

Each Cipher Suite specifies all four items. The user doesn’t pick and choose individual protocols.

All Cipher Suites are defined and listed by IANA (Internet Assigned Numbers Authority).

50
Q

What is HSTS - HTTP Strict Transport Security?

A

In a 2009 paper, Moxie Marlinspike introduced the concept of SSL stripping, a man-in-the-middle attack in which a network attacker could prevent a web browser from upgrading to an SSL connection in a way that would likely go unnoticed by a user.

How does it work?
A man in the middle intercepts an http request sent by a Client, turns it into an https request and forwards it to the Server. The Server responds with an https website, potentially requesting sensitive data. The attacker changes it into http and sends it over to the Client, who might not notice and send the sensitive data unprotected. The attacker can either get the data or use it to perform some actions on the Server side.

HSTS - HTTP Strict Transport Security basically instructs browsers that certain websites should always be https. When a user browses to the website over https, the site provides 3 HSTS directives:

  1. max-age - duration in seconds to automatically request site in https (63mil = 2 years)
  2. includeSubDomains - automatically apply to all subdomains

HSTS preload - a static list of HSTS websites maintained locally by browsers. It protects against the vulnerability that when a site is visited for the first time, the HSTS directives are not shared yet. A website can apply for the preload status at https://hsts.preload.org

  3. preload - anybody can apply for the preload directive, but only the web server operator can add this directive to their web server

HSTS has one more benefit: it prevents users from clicking through SSL/TLS warnings.