Security Flashcards
Encryption
Modifying data to make it unreadable to miscreants
Nonrepudiation
The process that guarantees that the data is the same as originally sent and came from the bona fide source
Authentication
Verifying that whoever is accessing the data is who they claim to be. The computer that is trying to connect must present some form of credential to be allowed access to the network.
Authorization
Verifying that whoever is accessing the data should be able to do so. Once authenticated, the computer determines what the device can and cannot do on the network.
Accounting
The logging of authentications and authorizations. The authenticating server should do some form of accounting of who is logging in and when, number of unsuccessful logins, etc.
Cipher
A series of algorithms (complex and hard to reverse) that is run on data to encrypt it
Complete algorithm
A combination of a cipher and an implementation method for it
XOR
“eXclusive OR.” A logical operation that compares two inputs and outputs true (i.e., “1”) if both inputs differ, otherwise it outputs false (i.e., “0”).
Brute force
The process of testing every possible combination of characters to determine an answer
Ciphertext
The result when cleartext/plaintext is run through a cipher algorithm using a key
Symmetric encryption
Any encryption implementation that uses the same key for encryption and decryption. Inherently weak since the key must be shared and can be lost. E.g., DES
Asymmetric encryption
Any encryption implementation that uses different keys for encryption and decryption (e.g., a public/shared key and a private/secret key)
Block cipher
Any cipher that encrypts data in discrete blocks/chunks (e.g., a cipher encrypting discrete IP packets). E.g., AES
Stream cipher
Any cipher that encrypts data on the fly. Common on wireless networks and mobile phone data networks. E.g., RC4
DES
Data encryption standard. Symmetric key algorithm and block cipher. Encrypts data using a 56-bit key, in 64-bit blocks. Very vulnerable due to the short key length. More modern variants: 3DES, IDEA, Blowfish
RC4
Rivest Cipher 4. Symmetric key algorithm and stream cipher. Today it is very vulnerable to attacks
AES
Advanced encryption standard. Block cipher. Encrypts data in 128-bit blocks. Can use a 128-, 192-, or 256-bit key. Very fast. For now, virtually uncrackable. Very popular today, usually the only cipher that is recommended
Safest and most secure encryption algorithm today
AES. The longer the key, the better. 256 bits is the longest.
Inventors of asymmetric public key cryptography
Whitfield Diffie, Martin Hellman, Ralph Merkle
Common name for public key asymmetric key implementation
Diffie-Hellman Key Exchange
Private key
One of the two keys created in asymmetric encryption. Kept strictly secret; never revealed to anyone. Used only to decrypt data encrypted with the matching public key.
Public key
One of the two keys created in asymmetric encryption. Can be freely shared with anyone. Used to encrypt data that can only be decrypted with the matching private key.
Encryption at OSI Layer 1
None; no common encryption on the physical layer
Encryption at OSI Layer 2
Lots of encryption at the Data Link layer using proprietary devices
Encryption at OSI Layer 3
Only IPSec encryption occurs (currently) at the network layer
Encryption at OSI Layer 4
None; no common encryption at the transport layer
Encryption at OSI Layer 5
None; no common encryption at the session layer
Encryption at OSI Layer 6
None; no common encryption at the presentation layer
Encryption at OSI Layer 7
Common layer for encryption (e.g., SSL/TLS, etc.)
Hash
A one-way mathematical function run on data (regardless of its content or length) that creates a fixed length result called a checksum or a digest
Checksum
The output of a hash. Also called a digest.
MD5
Message-digest algorithm version 5. Common hashing algorithm.
SHA
Secure hash algorithm. Another common hashing algorithm. Two versions: SHA-1, SHA-2
CRAM-MD5
Challenge-Response Authentication Mechanism MD5. Used as a special form of server authentication, especially for SMTP servers
Digital signature
Created by the sender of data (typically email), usually by hashing the message with a private key. Allows the holder of the public key to verify the identity of its sender.
Certificate
Standardized digital signature that allows proof of nonrepudiation of data (i.e., that the sender of the data is who they claim to be, and that the data is what it is supposed to be). Also used to verify the exchange of public keys.
PKI
Public key infrastructure. The tree of root certificate authorities (VeriSign, DigiCert, etc.), intermediate authorities, etc.
Self-signed certificate
An unsigned certificate issued by someone other than a root or intermediate certificate authority.
PGP
Pretty good privacy. Web-of-trust peer group verification system for email.
NAC
Network access control. Generic term for a series of security applications. A common one prevents computers lacking anti-malware from accessing the network, creates policies defining what systems can do on the network, etc.
ACL
Access control list. A defined list of permissions that specify what an authenticated user can do on a shared resource or network
MAC security access model
Mandatory access control. Every resource is assigned a label that defines its security level. If the user lacks that level he does not get access. Old model; no longer common
DAC security access model
Discretionary access control. Every resource has an owner who has discretion to assign access to it. More flexible than MAC
RBAC security access model
Role based access control. Defines access based on roles of each user. Often organized by group. Very common today.
The three security access models for access control
MAC, DAC, and RBAC
PPP
Authentication protocol. Stands for “Point-to-Point”. Enables two devices to connect and authenticate to each other. Old.
Initiator
The device asking for the connection in a PPP connection
Authenticator
The device containing the list of usernames and passwords (or hashes) in a PPP connection
PAP
Password authentication protocol. Original method within PPP to authenticate usernames and passwords. Stored and sent in plaintext. Very insecure.
CHAP
Challenge handshake authentication protocol. Replacement for PAP. More secure authentication. Relies on hashes based on a shared secret. Actual password never transmitted. Periodically repeats entire process.
MS-CHAP
Version of CHAP released by Microsoft. MS-CHAPv2 still the most common authentication protocol for dialup PPP connections
AAA
The philosophy that a proper authentication protocol should provide for authentication, authorization, and accounting.
RADIUS
Remote Authentication Dial-In User Service. An AAA standard. Users are authenticated and authorized by a central server that tracks logins and attempts. Supports PAP, CHAP, and MS-CHAP.
Three components of a RADIUS environment
The RADIUS server, the Network Access Servers that control the modems, and the hosts that connect to the modems
NAS [in the context of RADIUS]
Network Access Server. Controls the modems in a RADIUS setting. [Don’t confuse with Network Attached Storage!]
IAS
Internet Authentication Service, Microsoft’s implementation of a RADIUS server
TACACS+
Terminal Access Controller Access Control System Plus. Cisco (proprietary), supports AAA in a network with lots of routers and switches. Similar to RADIUS, but uses TCP Port 49. Can use Kerberos for authentication as well as PAP, CHAP
Kerberos
Authentication protocol for TCP/IP clients connected to a single authenticating server. Unconnected with PPP. Default protocol for Windows domains; also used in TACACS+
KDC
Key distribution center. The centerpiece of the Kerberos system. Consists of the Authentication Server and the Ticket Granting Service.
Kerberos AS
Authentication Server. Receives login request, compares the hash to its stores and, if they match, sends a time-stamped TGT (Ticket Granting Ticket) to the host, who then sends it to the TGS.
Kerberos TGT
Ticket Granting Ticket. What the authentication server gives a host who has presented a valid hash. The host takes the TGT to the TGS for access to the network.
Kerberos TGS
Ticket Granting Service. Receives a TGT from the host and (if valid) issues a timestamped service ticket (aka token, access token).
Kerberos Service Ticket (aka token, access token)
Used by a host on a Kerberos system to access network resources. When a host tries to access a folder, printer, etc., it must present the token.
SID
Security Identifier. The name for a Kerberos token in Windows.
Duration of a Kerberos service ticket
8 hours.
EAP
Extensible Authentication Protocol. Essentially a PPP wrapper that allows EAP-compliant applications to accept one of many types of authentication. Primarily used in wireless networks.
EAP-PSK
EAP-Personal Shared Key. Shared secret key stored on a WAP and a wireless client, usually encrypted with AES.
EAP-TLS
EAP-Transport Layer Security. Wireless authentication protocol that requires a RADIUS server, and that both the client and server have valid certificates. Very robust but difficult to set up.
EAP-TTLS
EAP-Tunneled Transport Layer Security. Wireless authentication protocol that requires a RADIUS server, and that the server have a valid certificate. No client certificate needed.
EAP-MS-CHAPv2
EAP with MS-CHAPv2 authentication through an encrypted TLS tunnel. Also called Protected Extensible Authentication Protocol.
EAP-MD5
EAP that uses only an MD5 hash for transferring login credentials. Very weak security, rarely used
LEAP
Lightweight EAP. Cisco (proprietary) authentication protocol for wireless. A combination of MS-CHAP authentication and RADIUS server methods
IEEE 802.1x
Formal protocol that combines RADIUS-style AAA with EAP versions to make a complete solution. Only really used in wireless.
Encryption used by SSH
PKI, with public/private keys
Tunnel
An encrypted link between two programs on two separate computers
SSL/TLS
Secure Sockets Layer. Superseded by Transport Layer Security. Requires a server with a certificate. Current version of TLS is 1.2
IPSec
Internet Protocol Security. Combined authentication and encryption that works at the network layer. Works in either transport or tunnel mode.
Two modes of IPSec
Transport mode (headers sent in plaintext but data is encrypted); Tunnel mode (headers and data both encrypted). In IPv6, transport mode is enabled by default.
IPSec authentication header (AH)
Used in IPSec for authentication
IPSec encapsulating security payload (ESP)
Used in IPSec for implementing authentication and encryption
IPSec ISAKMP
Internet security association and key management protocol. Used for establishing security associations, defining things like the protocol used for exchanging keys.
IPSec Internet Key Exchange
Key exchanging protocol
IPSec KINK
Kerberized Internet Negotiation of Keys. IPSec key exchanging protocols
SCP
Secure copy protocol. Transfers data securely between two hosts. No ability to see files on the other computer. Predecessor to SFTP
SFTP
Secure FTP. Also known as SSH FTP. A way to run FTP through an SSH tunnel.
SNMP
Simple network management protocol. Queries the state of SNMP capable network devices, reporting things like CPU usage, network utilization, firewall hits, etc. Uses agents to collect data from a Management Information Base (MIB)
SNMP Port
UDP Port 161
LDAP
Lightweight directory access protocol. A tool used by programs to query and change information in network databases.
LDAP Port
TCP port 389.
NTP
Network time protocol. Gives the current time. Important for Kerberos.
NTP port
UDP port 123.