Please enable JavaScript.
Coggle requires JavaScript to display documents.
Security (IP Security (IPSec) (Connection oriented (VIRTUAL CIRCUIT), with…
-
Found on all layers of a protocol stack, except for the physical layer
-
Ciphers
-
-
One-time pad
Uses a random bit string as the key (only used once), convert the plaintext into a bit string, then XOR the two string bit by bit
-
Symmetric Key Algorithms
-
Can use permutation, substitution and a combination of both to encrypt or decrypt
-
Cipher modes
-
Stream cipher (diagram)
Encrypt key + IV -> encrypt again to produce key stream -> plaintext XOR'ed key stream -> produce cipher text
Problem: mathematical proof where key stream is no longer relevant! If used long enough intruders can figure out the plaintext blocks
-
-
Digital Signatures
-
-
Approaches
-
-
Using message digests
Uses a one-way hash function to take an arbitrary length of plaintext (P) and compute a fixed-length bit string
Properties
- Given P, easy to compute MD(P)
- Given MD(P), effectively impossible to find P
- Given P, no one can find P' such that MD(P') = MD(P) => hashing function should be at least 128 bits long
- A change in even a single bit of input produces a very different output => hashing function should scramble the bits very thoroughly
Computing a message digest is faster then encrypting, so digests can be used to speedup the derivation of a digital signature
-
Authentication Protocol
Principle for secure authentication: minimise the use of permanent/private keys in establishment of secure connections -> the less packets are exchanged, the less exposure to potential attackers
4 methods
Shared Keys
-
One party sends a random number to the other party, who transforms it and sends the result back
-
Kerberos
-
Authenticated by a third party server -> directed to the party using a single use cryptographic ticket
-
IP Security (IPSec)
-
Encryption is compulsory, but a null encryption algorithm can be used between points which are not cryptographically inclined
Major features: secrecy, data integrity, replay attack protection (attackers replaying valid connections multiple times)
-
Connection oriented (VIRTUAL CIRCUIT), with connections being calls SA's (security associations)
-
-
-
Implementation
2 modes
Transport mode: uses header insertion; Authentication header (AH) provides no data encryption but provides integrity checking using HMAC (hashed message authentication code)
Tunnel mode: uses packet encapsulation; Encapsulating Security Payload (ESP) provides an encryption layer as well as HMAC based integrity checking
Tunnel mode is useful when a bundle of TCP connections is aggregated and handled as one encrypted stream -> prevents intrudcer to see how many packets have been sent
-
Virtual private network
Virtual layer on top of an IP network which provides a secure end-to-end connection over public infrastructure
Firewall at the end of a connection --> create an IPSec tunnel between the two end points; selectively route traffic for the specific destination via the encrypted connection
-
IPSec VPN
-
Architecture
-
-
Internet Security Association and Key Management Protocol (ISAKMP) and Internet Key Exchange (IKE) allow VPN devices to:
-
Generate, exchange and manage the keys used by the cryptographic algorithms employed by IPSec
Firewalls
-
-
Positioned at the network boundary, and provide a controlled series of route between the internal and external networks
Scope
Single choke point for a range of functions to deny access to unauthorised users either inbound or outbound
-
-
-
Constraints
-
No protection against internal threats - network segmentation and access control may alleviate internal risks
No protection against application payload threats e.g. Viruses, Trojans etc spread as application payloads e.g. email attachments
Wireless Security
Wired networks are relatively easy to secure because they require physical access to intercept traffic
Wireless networks are more difficult to secure because of omnidirectional signal propagation + most equipment operates in an insecure and promiscuous manner
-
-