Please enable JavaScript.

Coggle requires JavaScript to display documents.

Security (IP Security (IPSec) (Connection oriented (VIRTUAL CIRCUIT), with…

- - - - uses 64 bit blocks and 56 bit key
      - 2^56 key space
    - - Uses 128 blocks and 128 bit keys
      - 2^128 key space
  - - - Each plaintext block XOR with previous ciphertext block -> Encrypted with Key -> produce ciphertext block
      - First plaintext block is XOR'ed with an initialization factor (IV)
      - Problems if there are errors in the received Ciphertext blocks!! -> impact the decrypted plaintext for that block and the next block only
    - - Encrypt key + IV -> encrypt again to produce key stream -> plaintext XOR'ed key stream -> produce cipher text
      - Problem: mathematical proof where key stream is no longer relevant! If used long enough intruders can figure out the plaintext blocks
    - - Encrypt IV + counter with the Key -> XOR key stream and plain text -> cipher text
- - - - Uses a one-way hash function to take an arbitrary length of plaintext (P) and compute a fixed-length bit string
      - Properties
        
        Given P, easy to compute MD(P)
        
        Given MD(P), effectively impossible to find P
        
        Given P, no one can find P' such that MD(P') = MD(P) => hashing function should be at least 128 bits long
        
        A change in even a single bit of input produces a very different output => hashing function should scramble the bits very thoroughly
      - Computing a message digest is faster then encrypting, so digests can be used to speedup the derivation of a digital signature
- - - - Challenge and response protocol
      - One party sends a random number to the other party, who transforms it and sends the result back
    - - A trusted intermediary used to facilitate the authentication
      - users each share a key with a central key distribution centre and authenticate to the KDC directly
      - KDC then acts as a relay between the two parties
    - - Multi-component system
        
        Authentication server
        
        Ticket granting server
        
        Recipient
      - Authenticated by a third party server -> directed to the party using a single use cryptographic ticket
    - - Public Key Infrastructure with directory
      - Users enquire and get public keys of recipients from PKI for encryption containing sender identity
- - - - Transport mode: uses header insertion; Authentication header (AH) provides no data encryption but provides integrity checking using HMAC (hashed message authentication code)
      - Tunnel mode: uses packet encapsulation; Encapsulating Security Payload (ESP) provides an encryption layer as well as HMAC based integrity checking
      - Tunnel mode is useful when a bundle of TCP connections is aggregated and handled as one encrypted stream -> prevents intrudcer to see how many packets have been sent
    - - New headers being added to packets in transit
      - ISAKMP key management
- - - - Collision-free hashing algorithm
      - Diffie-Hellman key exchange protocol
      - Public Key Infrastructure for Certification
      - Content encryption algorithm
    - - Authentication Header (AH) added to an IP packet for
        
        Data origin authentication
        
        Data integrity Checking
      - Encapsulating Security Payload(ESP) for IP
        
        Encryption
        
        Data origin authentication
        
        Data integrity checking
      - Internet Security Association and Key Management Protocol (ISAKMP) and Internet Key Exchange (IKE) allow VPN devices to:
        
        Securely negotiate and manage IPSec security associations
        
        Generate, exchange and manage the keys used by the cryptographic algorithms employed by IPSec
  - - - All inbound and outbound traffic must transit the firewall
      - Only authorised traffic must pass through the firewall
      - Firewalls should be immune to penetration themselves
    - - Single choke point for a range of functions to deny access to unauthorised users either inbound or outbound
      - Monitoring location for security related events
      - Platform for non-security functions
        
        Network Addressing Translation (NAT)
        
        Usage logging and auditing
      - Platform for extended security functions
        
        IPSec
        
        VPNs
        
        Anti-Virus
    - - No protection against threats originating via bypass networks
        
        Direct dialin systems
        
        Direct dialout systems
      - No protection against internal threats - network segmentation and access control may alleviate internal risks
      - No protection against application payload threats e.g. Viruses, Trojans etc spread as application payloads e.g. email attachments
- - - - 40-bit encryption is breakable with low-moderate computational resources
      - RC4 re-uses keys, so capturing a small volume of encrypted traffic will guarantee key identification