Protocols Flashcards
Explain the OAuth protocol flow
OAuth 2.0 is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service like Facebook or Google. It works by delegating user authentication to the service that hosts the user account and authorizing third-party applications to access the user account.
- The application requests authorization to access service resources from the user
- If the user authorizes the request, the application receives an authorization grant
- The application requests an access token from the authorization server (API) by presenting authentication of its own identity, and the authorization grant
- If the application identity is authenticated and the authorization grant is valid, the authorization server (API) issues an access token to the application. Authorization is complete.
- The application requests the resource from the resource server (API) and presents the access token for authentication
- If the access token is valid, the resource server (API) serves the resource to the application
Application Registration:
Before using OAuth with your application, you must register your application with the service. This is done through a “registration” form in the developer portion of the service’s website.
What is the protocol used for secure file transfers?
SFTP uses SSH and securely transmits files, as opposed to FTPS which uses the unsecured FTP protocol. Secure file transfers should use the SFTP protocol.
Explain the TCP Handshake
This is a 3-way handshake (SYN, SYN-ACK, ACK). It is done before the TLS handshake.
After the DNS lookup, the client starts to establish a connection with the server. The server should have a listening port ready to handle incoming TCP connections from clients. The three-way handshake then proceeds as follows:
- SYN. Browser sends a SYN packet to the server with a random sequence, x.
- SYN-ACK. The server receives the SYN packet. It returns a SYN-ACK packet that carries two numbers: the acknowledgement number x+1, which acknowledges the packet sent from the client, and its own random sequence number y, which the server picks on its side and sends to the client.
- ACK. The client receives the SYN-ACK packet. The client acknowledges the server's packet by sending an ACK packet with acknowledgement number y+1 and sequence number x+1.
Now the TCP connection is established.
Describe the process of a TLS session being set up when someone visits a secure website.
https://howhttps.works/the-handshake/
Server Certificate verification:
The client verifies the server’s certificate by using one of its pre-trusted root certificates
Client Certificate verification:
The TLS handshake Certificate Request message is optionally sent by the server to the client. The Certificate Request message includes a list of Distinguished Names of root certificates that the server trusts. It tells the client to respond with its own certificate or with its certificate and any needed intermediate certificates.
The client responds with a Client Certificate message. It includes the client’s certificate (and needed intermediate certificates) that chain to one of the Distinguished Names listed in the Certificate Request message.
TLS Handshake (mTLS):
1. Client Hello - the client sends the server the TLS versions it supports, the cipher suites it supports, and a string of random bytes (the "client random")
2. Server Hello - the server sends its SSL/TLS certificate to the client, the chosen cipher suite, and the "server random"
3. Authentication - client verifies server cert with the issuing CA.
4. Premaster secret - client sends another random string of bytes, the “premaster secret”. Encrypts it with the server public key
5. Private key used - server decrypts the premaster secret using its private key
6. Session keys created - both client and server generate session keys from the client random, server random, and premaster secret. Both should arrive at the same result
7. Server is ready
8. Secure symmetric encryption achieved
Explain mutual TLS
https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/
What are some common ways that TLS is attacked, and/or what are some ways it’s been attacked in the past?
Look for a conversation about weak ciphers, vulnerabilities like Heartbleed, BEAST, etc.
Try to use the latest version of TLS (TLSv1.3). The older versions have vulnerabilities.
POODLE affects SSL 3.0. Some servers and clients still support SSL 3.0 for older legacy systems. The vulnerability is related to block padding. You can try to downgrade a client’s connection by doing a MITM and impersonating the server until the client agrees to use the weak cipher. SSL 3.0 is vulnerable to a padding oracle attack. The attacker can get the plaintext byte by byte.
BEAST affects SSL 3.0 and TLSv1.0. An attacker can decrypt the data exchanged by 2 parties by taking advantage of a vulnerability in the implementation of the CBC mode in TLS 1.0. It is a client-side attack. The attacker needs to have some control of the client’s browser. Uses MITM to inject packets into the TLS stream. Allows them to guess the IV used and then can compare the results to the ones of the block they want to decrypt.
Heartbleed affects the Heartbeat extension of the OpenSSL library. This extension is used to keep a connection alive as long as both parties are still there. The client sends a heartbeat message to the server with a payload that contains data and the size of the data. The server must respond with the same heartbeat request, containing the data and the size of the data that the client sent. If the client sent a false data length, the server would respond with the data received from the client plus whatever followed it in its memory to meet the length requirement (like instead of "OK" with length 2, something like "OK" with length 43244). This leaks unencrypted data from the server, potentially including sensitive data. Fix: update to the latest version of OpenSSL.
Don't use weak ciphers, i.e. for the key exchange, authentication algorithm, bulk encryption algorithm, and MAC algorithm.
What port does ping work over?
A trick question, to be sure, but an important one. Hint: ICMP is a layer 3 protocol (it doesn't work over a port). A good variation of this question is to ask whether ping uses TCP or UDP. An answer of either is a fail, as those are layer 4 protocols.
Name every layer of the ISO/OSI model.
The OSI model is a reference model for how applications communicate over a network. The purpose of the OSI reference model is to guide vendors and developers so that digital communication products and software programs can interoperate.
Following are the OSI layers:
Physical Layer: Responsible for transmission of digital data from sender to receiver through the communication media.
Data Link Layer: Handles the movement of data to and from the physical link. It is also responsible for encoding and decoding of data bits.
Network Layer: Responsible for packet forwarding and providing routing paths for network communication.
Protocols used at layer 3: IP, IPsec, ICMP, ARP
Transport Layer: Responsible for end-to-end communication over the network. It splits the data from the layer above, passes it to the Network Layer, and then ensures that all the data has successfully reached the receiver's end.
Session Layer: Controls connection between the sender and the receiver. It is responsible for starting, ending, and managing the session and establishing, maintaining and synchronizing interaction between the sender and the receiver.
Presentation Layer: It deals with presenting the data in a proper format and data structure instead of sending raw datagrams or packets.
Application Layer: It provides an interface between the application and the network. It focuses on process-to-process communication and provides a communication interface.
What is IPsec?
IPsec is a group of protocols that are used together to set up encrypted connections between devices. It helps keep data sent over public networks secure. It is often used to set up VPNs. It works by encrypting IP packets and authenticating the packet’s source. IPsec uses port 500.
How does it work:
Sets up keys with a key exchange between the connected devices.
IPsec adds several headers to data packets containing authentication and encryption information. It also adds trailers.
Provides authentication for each packet. Ensures that each packet comes from a trusted source.
Encrypts the payloads in a packet and the IP header.
It most often uses UDP as the transport protocol instead of TCP.
At the other end of the communication, the packets are decrypted.
What is an ARP and how does it work?
Address Resolution Protocol (ARP) is a protocol for mapping an Internet Protocol address (IP address) to a physical machine address that is recognized in the local network.
When an incoming packet destined for a host machine on a particular local area network arrives at a gateway, the gateway asks the ARP program to find a physical host or MAC address that matches the IP address.
The ARP program looks in the ARP cache and, if it finds the address, provides it so that the packet can be converted to the right packet length and format and sent to the machine.
If no entry is found for the IP address, ARP broadcasts a request packet in a special format to all the machines on the LAN to see if one machine knows that it has that IP address associated with it.
What is ARP Spoofing / ARP Cache Poisoning?
ARP Cache Poisoning is when an attacker with access to the network uses a spoofing tool to send out forged ARP responses. The forged responses advertise that the correct MAC address for both IP addresses (the router's and the workstation's) is the attacker's MAC address. This fools both the router and the workstation into connecting to the attacker's machine instead of to each other. The two devices then communicate with the attacker instead of each other, and the attacker can MITM the traffic between them.
What protocols fall under TCP/IP internet layer?
Application: NFS, DNS, telnet, FTP, rlogin, and others
Transport: TCP, UDP
Internet: IP, ARP, ICMP
Data Link: PPP, IEEE
Physical: Ethernet, Token Ring
Explain OIDC flow
https://developers.onelogin.com/openid-connect
What happens when you type amazon.com?
You type amazon.com into the browser.
The browser checks the cache for a DNS record to find the corresponding IP address of amazon.com.
DNS servers are like phone books.
The browser checks 4 caches:
Browser cache
OS cache
Router cache
ISP cache. The ISP has its own DNS cache.
If the requested URL is not in any cache, the ISP's DNS server initiates a DNS query to find the IP address of the server that hosts amazon.com.
The DNS query searches multiple DNS servers on the Internet until it finds the correct IP address for the website. This is a recursive search.
These requests are sent using small data packets that contain information such as the content of the request and the IP address they are destined for (the IP address of the DNS recursor). These packets travel through multiple pieces of networking equipment between the client and the server before they reach the correct DNS server. This equipment uses routing tables to figure out the fastest possible way for the packet to reach its destination. If these packets get lost, you'll get a request failed error. Otherwise, they will reach the correct DNS server, grab the correct IP address, and come back to your browser.
The browser initiates a TCP connection with the server.
To transfer packets between the client and the server, you need to establish a TCP connection.
The connection is established through a 3-way handshake.
The client sends a SYN packet to the server asking if it is accepting new connections.
If the server can accept new connections, it will respond with the acknowledgement of the SYN packet using a SYN/ACK packet.
The client receives the SYN/ACK packet from the server and acknowledges it by sending an ACK packet back.
The browser sends an HTTP request to the webserver.
The server handles the request and sends back an HTTP response.
The browser displays the HTML content (for HTML responses, which is the most common).
Explain TCP/IP, UDP differences in depth.
TCP and UDP are layer 4 protocols.
TCP stands for Transmission Control Protocol. It is designed to offer a highly reliable and end-to-end byte stream over an unreliable internetwork.
UDP stands for User Datagram Protocol. It is used for broadcast and multicast types of network transmission. There is no error handling.
TCP is connection oriented and UDP is connectionless.
TCP is slower than UDP.
TCP uses handshake protocols like SYN, SYN-ACK, and ACK. UDP uses no handshake protocols. TCP gets established with the three-way handshake.
TCP does error checking and performs error recovery. UDP does error checking but simply discards erroneous packets.
TCP has acknowledgement segments, UDP does not.
TCP is heavy-weight. UDP is lightweight.
With UDP a packet may be delivered out of order. It is more likely to suffer from packet loss.
TCP has more overhead. With TCP, the data is sent in sequence. It adds a sequence number to the data packets in the header. It helps with data congestion and flow control.
Is UDP secure? It's almost impossible to set up a firewall allowing only some UDP connections and blocking the rest. TCP has the 3-way handshake that establishes the session, which makes it nearly impossible to spoof your IP address.
If an acknowledgement is not received in TCP, the sender retransmits the packet. TCP packets also carry checksums in their headers to ensure that the data in the packet hasn't been corrupted: when the client receives the packet, the recalculated checksum won't match if the data has been corrupted, and the client won't accept the packet.