Unit 16
Chapter 10
Critical Terms
Encoding and Decoding
Encoding provides casual obfuscation, but anyone can decode the data.
https://gchq.github.io/CyberChef/
Hashing
Hashing provides a way to prove Integrity.
For instance, MD5 and SHA hashes are typically provided for downloadable files like ISOs. Once you’ve downloaded the file, you can calculate the hash(es) to ensure you’ve gotten a bit-for-bit perfect download.
MD5
https://en.wikipedia.org/wiki/MD5
SHA1, SHA2, SHA256 etc.
https://en.wikipedia.org/wiki/SHA-1
https://gchq.github.io/CyberChef/ –> Scroll down to “Hashing”
Hashing is critical to Authentication. You can’t store passwords; somebody sneaky will get them, for sure. But you can store the hash of a password; then, when somebody logs in, your system calculates the hash of that password and compares it to the stored hash, and if they match, voila! You get Authenticated.
Encryption
Encryption provides actual Confidentiality, by making your data unreadable by others.
Ciphers: the actual Algorithms
Stream vs Block Ciphers
Symmetric Ciphers using Shared Secrets
Asymmetric Ciphers using a Public Key and a Private Key
PKI
Nonrepudiation
Nonrepudiation makes it impossible for someone who has said something to say, “I didn’t say that!” This is useful in, for instance, real estate transactions.
Asymmetric encryption is used for Nonrepudiation. I encrypt a document with my Private Key, and send it (the document, not the key!) to my Realtor. He easily gets my Public Key via PKI, and it easily decrypts my offer letter. Nobody in the universe but me (in theory) has my Private Key, so anything encrypted with it must have come from me. I can’t repudiate it; this operation has provided Nonrepudiation.
Digital Signatures
The only thing that’s wrong with the scenario above is that while I’ve provided Nonrepudiation, I haven’t provided an Integrity check (always think of a hash in these cases).
So let’s do this:
- Calculate the SHA1 hash of my Last Will and Testament.docx.
- Encrypt the resulting hash with my Private Key. This is a Digital Signature!
- Send an email to my lawyer, paste the Digital Signature into the text of the email, and attach my Will to the email.
- My lawyer gets my Will and calculates the SHA1 hash.
- My lawyer decrypts my Digital Signature and sees that the hash matches the one he just calculated for my Will.
- Bravo! The document is intact (has Integrity) and legal (because Digital Signatures are binding).
Authorization
Authorization is the only element on this list that doesn’t involve cryptography. It’s all about permissions: what shares you’re authorized to see, what documents you can change, what you can create or delete.
What Meyers doesn’t mention yet is that Authorization is part of another triad/list beloved by CompTIA, the AAA:
Authentication
Authorization
Audit (or Accountability)
Also know these common models for Access Control:
802.1x
ACL
MAC
DAC
RBAC
Authentication
See, told you Meyers was going to talk about this! Here are the major standards. Notice the discussion of AAA starting on page 370.
PPP
CHAP / MS-CHAP / MS-CHAPv2
RADIUS / Diameter
TACACS+
Kerberos
Encrypting Data Traffic
SSH
port 22
RSA Key
Tunneling
SSL / TLS
Everything below TLS 1.2 (“TLS 2”) is deprecated and not to be used, period.
https://tls.ulfheim.net/
IPsec
Transport Mode
Tunnel Mode
Secure TCP/IP Applications
HTTPS
Uses SSL / TLS (meaning actually TLS).
CRL
OCSP
https://en.wikipedia.org/wiki/OCSP_stapling
SCP
Secure, encrypted copy between any two endpoints. You could be on Server A and “skip” a file from Server B to Server C, as long as you have credentials on all systems.
SFTP
Encrypted email
Uses SSH encryption and the SSH port (22).
SNMP
Troubles with v1 and v2. Use v3.
LDAP
Directories
NTP
Network Time Protocol (port 123)