Hello again, get ready for a whole new chapter coming your way! Today we're gonna talk about Securing TCP/IP with encryption and stuff. Emphasis on stuff. I would usually say "let's get right in", but I've said that too many times. So, let's begin!
So what is Encryption? Well it's scrambling data so badly, that even an evil genius jerkface who wants to steal it can't read it. How do they do it? Nonrepudiation, which means that the data is verified to be what it was when it was first sent. Now if some guy decides to access the data, then he would have to go through Authentication. It also verifies, but this time, the actual guy accessing it, rather than the data sent. Authorization is basically what you're approved to do. If I'm authorized to be an admin on this computer, for example, and you aren't, then I get to be a dictator, and you don't. All of these things overlap in one form or another, but at the end of the day, they're the reasons why Encryption is so excellent at protecting sensitive data.
The data that travels on our network is simply ones and zeros. The first step towards scrambling your data so no one can understand, is making a cipher, which requires an algorithm. If I saw a string of ones and zeros, I'd be like what in the world does this mean? Well if it were part of an HTTP segment, my web browser would know that it was "Unicode". That's pretty much numbers representing letters. There are different types of encryptions, a couple covered in pg. 362 one is "eXclusive OR" or "binary XOR" which works with letters and numbers. You can crack encryptions using word patterns, frequency analysis, or brute force. When running cleartext through a cipher algorithm using a key, you get ciphertext. For many years, many different algorithms have been used. The symmetric-key encryption/algorithm uses the same key for both encryption and decryption, meaning that you'd need the same key for both tasks. However, if that is not the case, then you need an asymmetric key, making it an asymmetric-key algorithm. but all this encryption stuff goes way beyond the Network+ curriculum.
The differences among symmetric-key algorithms, are called block ciphers. They encrypt data in single "chunks". For example, if a word document had 100,000 bytes, one type of encryption would take 128-bit chunks and encrypt each one separately. The alternative is the "stream cipher", which will take a single-bit at a time and encrypt on the fly. The oldest TCP/IP symmetric-key algorithm is "Data Encryption Standard" (DES). There are several derivatives of DES like, 3DES, International Data Encryption Algorithm (IDEA), and Blowfish. On the streaming side, the only symmetric-key algorithm is Rivest Cipher 4 (RC4). After many years, those encryptions have become more vulnerable making the most used encryption,the "Advanced Encryption Standard" (AES). It uses a 128-bit block size, and 128-,192-, or 256-bit key size.
The main issue with Symmetric-key encryption is that if some guy gets a hold of a key while it's being sent, then he/she can access it without your knowledge. To fix this problem, two keys were used, one to encrypt and one to decrypt. This was known as "public-key cryptography". Ron Rivest and other guys made improvements to that, of which were called "Rivest Shamir Adleman" (RSA), literally just their last names put together. Here's how it works:
Imagine that Bob wanted to send Bailey an encrypted e-mail. Well SMTP cannot encrypt, so they need to create an encryption program themselves. Before Bob sends the email, he generates two keys. One of the keys is for his computer, and that's the private key, while the other key is sent to Bailey, and that's the public key. Those two keys are called a key pair. This algorithm works by encrypting data with a public key, and decrypting that same data with a private key. This way Bob can encrypt and send a message to Bailey, which can only be decrypted by Bailey's private key. If Bob wants to receive an e-mail message from Bailey, Bob must generate a key pair and send Bailey the public key. In a typical public-key cryptography setup, everyone has their own private key plus a copy of the public keys for secure communication. Before moving on, let's look at encryption and the OSI model:
- Layer 1: No common encryption done.
- Layer 2: Common are for encryption, using proprietary encryption dvices. These boxes scramble the data in an Ethernet frame, except the MAC address info. Devices or programs encode and decode the information.
- Layer 3: Only one common protocol encrypts at Layer 3: IPSec. IPSec is typically done via software that takes the IP packet and encrypts everything inside the packet, leaving on the IP addresses and a few other fields unencrypted.
- Layer 4: Neither TCP nor UDP offers encryption methods.
- Layer 5 and 6: No encryption done.
- Layer 7: Many applications have their own encryption, SSL/TLS are common Layer 7 standards.
To identify who's passing out the keys, that falls under nonrepudiation. As I said before, it just means that the receiver of the info knows that the sender is who they think it is. Nonrepudiation comes in several forms, but most uses math magic called "hash". A hash (cryptographic hash function) is a math function which uses a string of binary digits that results in a "checksum" or a "digest". A hash has a unique checksum. I already know what a checksum is. The most popular hash is "Message-Digest Algorithm version 5" (MD5). It's not the only one though, there's also Secure Hash Algorithm (SHA) which have two versions SHA-1 and SHA-2. Many things use hash, even SMTP.
A digital signature is another string of ones and zeroes that can only be generated by the sender. The person with the matching public key does something to the digital signature using the public key to verify it. When you're doing business with someone you don't know, you should try and verify the source. A certificate is a standard way of doing just that. I already know about this, but essentially you just go to the the top left of your browser where the "http://" is and usually https has certificates, but you'll be able to tell if the site is secure by viewing the certificate details under "Security" and seeing the SSL certificate it has. VeriSign is a very good one, for example. The way VeriSign would certify the web site is by acting as a root, giving the website a VeriSign signature. Through intermediate certificate authority between VeriSign's root and the user's certificate, a tree of certificate authorization is created. Together the organization is called "public-key infrastructure" (PKI). However, PKI does not necessarily have to be used for certificates. Digital certificates and asymmetric cryptography have a lot in common, because the certificates verify the exchange of public keys.
It is very important to know the different types of authentication available in TCP/IP networks. Now authorization is key, and we all know what that word means. Are you allowed, or not? Well in networking, you can provide many levels of authorization. To define these levels of access you use an "access control list" (ACL). There are three types of ACL access models: mandatory (MAC), discretionary (DAC), and role based (RBAC). MAC is a security model in which every resource is assigned a lable that defines its security level. If you don't have the right level, you don't get access. Then DAC gives control to the owner of the resource to choose who gets access to the resource. Finally, RBAC decides who gets control to the resource based on their role in the network. Understand them for the Network+ exam!
Mike Meyers said that TCP/IP was never really meant for security. Authentication standards are some of the oldest standards in TCP/IP. Some are older than even the internet itself. Back in the days of dial-up, several types of authentication were used. "Point-to-Point Protocol" (PPP) gives the ability for two point-to-point devices to connect with a username and password, while negotiating a network protocol. Here are the five phases to PPP:
1. Link dead - This is a way of saying, there is no link yet. THe modem is turned off, nothing is going on. This is when the PPP conversations begin. The main player here is "Link Control Protocol (LCP). The LCP will get the connection to start up.
2. Link establishment: The LCP communicates with the LCP on the other side of the PPP link.
3. Authentication - This is when the authentication takes place, usually username and password.
4. Network layer protocol - PPP works on OSI Layer 3, it's mostly used on TCP/IP obviously, and it supports a bunch of ancient protocols.
5. Termination - Two ends of the PPP connection send each other termination packets, and the link is then closed.
PPP provided the first common method to get a server to request a username and password. To give an example, under PPP the side asking for the connection is the "initiation", and the other side is called the "authenticator" and holds a list of usernames and passwords. There are two methods to authenticate this. "Password Authentication Protocol" (PAP), but anyone who can tap the connection can learn the username and password, which means the security on that sucks. So everyone uses "Challenge Handshake Authentication Protocol" (CHAP), which is more secure. It relies on hashes and stuff. CHAP will keep repeating the entire process to prevent the attacks which PAP is vulnerable to. Quick note, Microsoft invented a better version of CHAP called MS-CHAP.
To better protect PPP standards were made called "Authentication, Authorization and Accounting" (AAA). The way it works is that during authentication a computer trying to connect to the network needs to give some kind of credentials to access the network. It's usually a username and password. Could also be a smart card, retinal scan, or a digital certificate, or a combo. Then once authenticated the computer processes that data and decides what permissions it gets, this is called authorization. Then accounting is basically keeping logs of all the logon attempts and other data. Once AAA became the norm, people created two standards of AAA.
The first one is "Remote Authentication Dial-In User Service" (RADIUS). It's the better known of the two AAA standards. It contains three devices: The RADIUS server which has access to the database with all the data user name and passwords, some Network Access Servers (NASs) which control the modems, and a group fo systems which dial into the network. To use RADIUS you need a a RADIUS server, many use "Internet Authentication Service" (IAS) in Microsoft environments. For Unix/Linux use FreeRADIUS. It uses UDP ports 1812, 1813, or 1645, 1646. Then there's "Terminal Access Controller Access Control System Plus" (TACACS+) which was developed by Cisco and supports many routers and switches. The only real difference with RADIUS is that it uses TCP port 49, and it separates AAA into different parts. It uses hashes as well but it can also use Keberos.
Next, on a completely different note, we have Keberos, which has nothing to do with PPP. "Kerberos" is an authentication protocol, different from PPP. This protocol was made for security purposes, and was even adopted by Microsoft for its amazingness. One key component to Kerberos is the "Key Distribution Center" (KDC), no pun intended, the "Authentication Server" (AS), and the "Ticket-Granting Service" (TGS). When your client logs onto the domain, it requests the hash of the username and password to the AS. The AS compares it to its own, and if it matches, it will send a "Ticket-Granting Ticket" (TGT). From this point, the client is now authenticated, but not authorized. The client will then send the TGT to the TGS to be authorized. The TGS will then send a timestamped service ticket or a "token" back to the client. This token is the key to access any resource in the domain. Timestamping is important because Kerberos will contiunally ask for a new token every 8 hours.
Once the whole token thing got popular, people made standards which allowed two devices to authenticate. The first prominent one was the "Extensible Authentication Protocol" (EAP). It is a PPP wrapper with EAP applications. There are many variations.
- EAP-PSK (Personal Shared Key)
- EAP-TLS (Transport Layer Security)
- EAP-TTLS (Tunneled TLS)
- EAP-MS-CHAPv2
- EAP-MD5
- LEAP (Lightweight) [Most Common]
Completion Status: 59%
Pages Left:
- Book: 279 pages
No comments:
Post a Comment