KERBEROS AUTHENTICATION PROTOCOL

Kerberos is a computer network authentication protocol, which allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner. It is also a suite of free software published by Massachusetts Institute of Technology (MIT) that implements this protocol. Its designers aimed primarily at a client-server model, and it provides mutual authentication — both the user and the server verify each other’s identity. Kerberos protocol messages are protected against eavesdropping and replay attacks. (Wikipedia)

This authentication method is found on Windows and Linux servers, and it is a ticket-granting system very commonly used to authenticate users. Here are some of the main focus points for the CISSP review.

KERBEROS FACTS

Ø         Defined as a trusted third-party authentication protocol.

Ø         The 3 components of Kerberos are:

1. Key Distribution Center (KDC): Holds users and service crypto keys – Get Key.

2. Authentication Service (AS):   Makes tickets and gives them to principals – Use Key.

3. Ticket Granting Service (TGS): Authenticates a principal – Gain Entry.

Ø         KERBEROS 3 PHASE / 6 STEP AUTHENTICATION PROCESS

FIRST PHASE – Client obtains credentials to request access to Kerberized services.

o          The client authenticates to a Kerberos Key Distribution Center (KDC), which interacts with realms to access authentication data. This is the only step in which passwords and associated password policy information need to be checked.

o          The KDC issues the client a ticket-granting ticket, the credential needed when the client wants to use Kerberized services. The ticket-granting ticket is good for a configurable period of time, but can be revoked before expiration. It is cached on the client until it expires.

SECOND PHASE – Client requests authentication for a specific service.

o          The client contacts the KDC with the ticket-granting ticket when it wants to use a particular Kerberized service.

o          The KDC issues a ticket for that service.

FINAL PHASE – Client presents its credentials to the service.

o          The client presents the ticket to the service.

o          The service authenticates the client by verifying that the ticket is valid.

Ø         The authenticator within Kerberos provides a requested service to the client after validating a timestamp.

Ø         Because all the secret keys are held and authentication is performed on the Kerberos TGS and the authentication servers, these servers are vulnerable to both physical attacks and attacks from malicious code.

Ø         Kerberos is vulnerable to replay when a ticket is compromised within an allotted time window.

Ø         The client decrypts the message containing the session key (KC, TGS) with its secret key (KC), and will now use this session key to communicate with the TGS client (sometimes referred to as resource or principal) he wishes to access.

Ø         The Key Distribution Center represents a single point of failure.

Ø         Kerberos manages access permissions.

Ø         Kerberos uses symmetric key cryptography, credential-based.

Ø         The KDC contains a database that holds private (secret), not public, keys for all users.

Ø         Ticket-based system (using two separate tickets); employs MD5 and CRC-32 one-way hash functions, and also uses public key cryptography to distribute Secret keys.

Ø         Note: Like the Kerberos protocol, SESAME is also subject to password guessing.

Ø        PRINCIPALS are defined as the users, applications, and services that are provided security services by the KDC within the Kerberos network authentication protocol.
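
The three phases above as a runnable sketch, added here as an illustration and not taken from MIT Kerberos or from the original notes. The toy cipher, the JSON message fields, the principal names (alice, fileserver) and the lifetime and skew values are all assumptions; real Kerberos uses its own encryption types and message formats.

```python
import hmac, json, os

LIFETIME, SKEW = 600, 300  # assumed: ticket lifetime and clock-skew window, in seconds
KEYS = {p: os.urandom(32) for p in ("krbtgt", "alice", "fileserver")}  # constructed KDC database
SEEN = set()  # replay cache of authenticators already accepted

def _xor(key, nonce, data):  # toy HMAC keystream cipher, not a real Kerberos enctype
    ks = b"".join(hmac.digest(key, nonce + bytes([i]), "sha256") for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):  # encrypt-then-MAC a dict under a symmetric key
    nonce = os.urandom(16)
    body = nonce + _xor(key, nonce, json.dumps(obj).encode())
    return body + hmac.digest(key, b"mac" + body, "sha256")

def unseal(key, blob):
    if not hmac.compare_digest(blob[-32:], hmac.digest(key, b"mac" + blob[:-32], "sha256")):
        raise ValueError("wrong key or tampered message")
    return json.loads(_xor(key, blob[:16], blob[16:-32]))

def grant(client, ticket_key, reply_key, now):  # fresh session key, one copy for each side
    sk = os.urandom(32).hex()
    ticket = seal(ticket_key, {"c": client, "sk": sk, "exp": now + LIFETIME})
    return seal(reply_key, {"sk": sk}), ticket

def check(ticket_key, ticket, auth, now):  # run by the TGS and by the service
    t = unseal(ticket_key, ticket)
    a = unseal(bytes.fromhex(t["sk"]), auth)  # proves the sender holds the session key
    if now > t["exp"] or a["c"] != t["c"] or abs(now - a["ts"]) > SKEW:
        raise ValueError("expired ticket or stale authenticator")
    if auth in SEEN:
        raise ValueError("replayed authenticator")
    SEEN.add(auth)
    return t

def as_req(client, now):  # phase 1: only the holder of the client's key can open the reply
    return grant(client, KEYS["krbtgt"], KEYS[client], now)
def tgs_req(tgt, auth, service, now):  # phase 2: TGT plus authenticator buys a service ticket
    t = check(KEYS["krbtgt"], tgt, auth, now)
    return grant(t["c"], KEYS[service], bytes.fromhex(t["sk"]), now)
def ap_req(service, ticket, auth, now):  # phase 3: the service validates with its own key
    return check(KEYS[service], ticket, auth, now)["c"]

def client_flow(client, service, now):  # client side of all six steps
    reply, tgt = as_req(client, now)
    sk = bytes.fromhex(unseal(KEYS[client], reply)["sk"])  # opened with the client's secret key
    reply, ticket = tgs_req(tgt, seal(sk, {"c": client, "ts": now}), service, now)
    sk = bytes.fromhex(unseal(sk, reply)["sk"])
    auth = seal(sk, {"c": client, "ts": now})
    return ticket, auth, ap_req(service, ticket, auth, now)
```

Presenting the same ticket and authenticator again inside the skew window is rejected only because of the replay cache (SEEN); outside the window the timestamp check rejects it.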

IPSEC PROTOCOL STANDARD

Wikipedia says that Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used to protect data flows between a pair of hosts (e.g. computer users or servers), between a pair of security gateways (e.g. routers or firewalls), or between a security gateway and a host. This chart provides some of the major points to review for the CISSP.


IPSEC (IP Security)

Ø         To comply with the Internet Engineering Task Force (IETF) standard, IPSEC was designed to permit flexibility in choosing hashing, encryption, and key exchange mechanisms. Depending on the implementation, key exchange may be a manual process or an automated one.

Ø         Default Hashing protocols are HMAC-MD5 or HMAC-SHA-1.

Ø         Default Encryption protocol is Cipher Block Chaining mode DES, but other algorithms like ECC (Elliptic curve cryptosystem) can be used.

Ø         Supports two communication modes – Tunnel mode and Transport mode. Tunnel mode is required for communication with a Gateway at the receiving end (gateway-to-gateway or host-to-gateway). Tunnel encrypts everything and is better security than Transport mode.

Ø         The two main concepts of IPSec are Security Associations (SA) and tunneling. Security association is a simplex logical connection between two IPSec systems. For bi-directional communication to be established between two IPSec systems, two separate Security Associations, one in each direction, must be defined. The security protocols can either be AH or ESP, which can be used independently, or together. AH provides integrity and authentication and ESP provides integrity, authentication and encryption. ESP can be operated in either tunnel mode (where the original packet is encapsulated into a new one) or transport mode (where only the data payload of each packet is encrypted, leaving the header untouched).

Ø         IKE (Internet Key Exchange) is defined as an Internet, IPsec, key-establishment protocol (partly based on OAKLEY) that is intended for putting in place authenticated keying material for use with ISAKMP and for other security associations, such as in AH and ESP.

Ø         Does NOT use CHAP as an authentication mechanism, but can use

o          Pre shared key

o          Certificate based authentication

o          Public key authentication

Ø         The 3 components of IPSEC:

1. IKE (Internet Key Exchange), based on Diffie-Hellman encryption protocol. Optional, but usually used.

2. SA (Security Association).

3. SPI (Security Parameter Index), control channel for direction of traffic.

IKE (Internet Key Exchange)

Ø         Defined as an Internet, IPsec, key-establishment protocol (partly based on OAKLEY) that is intended for putting in place authenticated keying material for use with ISAKMP and for other security associations, such as in AH and ESP.

Ø         Used in conjunction with the IPSec standard; enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard. IPSec can, however, be configured without IKE, for example by manually configuring the gateways communicating with each other.

Ø         A security association (SA) is a relationship between two or more entities that describes how the entities will use security services to communicate securely. In phase 1 of this process, IKE creates an authenticated, secure channel between the two IKE peers, called the IKE SA (security association). The Diffie-Hellman key agreement is always performed in this phase. In phase 2, IKE negotiates the IPSec SAs and generates the required key material for IPSec. The sender offers one or more transform sets that are used to specify an allowed combination of transforms with their respective settings.

Ø         Diffie-Hellman is a widely-used key exchange algorithm used by IKE.

Ø         Eliminates the need to manually specify all the IPSec security parameters in the crypto maps at both peers.

Ø         Allows you to specify a lifetime for the IPSec SA.

Ø         Allows encryption keys to change during IPSec sessions.

Ø         Allows IPSec to provide anti-replay services.

Ø         Permits Certification Authority (CA) support for a manageable, scalable IPSec implementation.

Ø        Allows dynamic authentication of peers.

AH (Authentication Header)

Ø         Mechanism for providing strong integrity and authentication for IP datagrams. It might also provide non-repudiation, depending on which cryptographic algorithm is used and how keying is performed. For example, use of an asymmetric digital signature algorithm, such as RSA, could provide non-repudiation.

Ø         Does NOT provide confidentiality.

Ø         Integrity and authentication for IP datagrams are provided by AH.

Ø         Provides 3 services in IPSEC:

1. Authentication.

2. Anti-replay.

3. Data integrity services.

ESP (Encapsulating Security Protocol)

Ø         Mechanism for providing integrity and confidentiality (encryption) to IP datagrams. It may also provide authentication, depending on which algorithm and algorithm mode are used.

Ø         Does NOT provide Non-repudiation and protection from traffic analysis.

Ø         In transport mode, ESP only encrypts the data payload of each packet.

Ø         Provides 4 services in IPSEC:

1. Payload protocol encrypts information in IP datagrams.

2. Authentication.

3. Anti-replay.

4. Integrity.
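
The SA, SPI, integrity and anti-replay points above combined into one receiver check, as an added example that is not from the original notes or from any IPsec implementation. The packet layout, SPI values, 64-packet window and HMAC-SHA-1-96 check value are assumptions chosen for illustration, and the sliding-window bookkeeping goes beyond what the notes state; the payload is not encrypted, so this shows AH-style protection only.

```python
import hmac, os, struct
from dataclasses import dataclass

WINDOW = 64  # assumed anti-replay window size, in packets

@dataclass
class SA:  # one simplex security association, selected on receipt by its SPI
    spi: int
    key: bytes
    seq: int = 0     # sender side: last sequence number used
    top: int = 0     # receiver side: highest sequence number accepted
    bitmap: int = 0  # receiver side: bit i set means (top - i) was already accepted

def icv(sa, seq, payload):  # integrity check value over SPI, sequence number and payload
    return hmac.digest(sa.key, struct.pack("!II", sa.spi, seq) + payload, "sha1")[:12]

def send(sa, payload):
    sa.seq += 1
    return struct.pack("!II", sa.spi, sa.seq) + payload + icv(sa, sa.seq, payload)

def receive(sad, packet):  # returns the payload (bytes) or a drop reason (str)
    spi, seq = struct.unpack("!II", packet[:8])
    sa, payload, tag = sad.get(spi), packet[8:-12], packet[-12:]
    if sa is None:
        return "drop: unknown SPI"
    if seq == 0 or seq + WINDOW <= sa.top or (seq <= sa.top and sa.bitmap >> (sa.top - seq) & 1):
        return "drop: replayed or too old"
    if not hmac.compare_digest(tag, icv(sa, seq, payload)):
        return "drop: bad ICV"
    if seq > sa.top:  # slide the window forward only after the ICV has verified
        sa.bitmap = ((sa.bitmap << (seq - sa.top)) | 1) & ((1 << WINDOW) - 1)
        sa.top = seq
    else:
        sa.bitmap |= 1 << (sa.top - seq)
    return payload

def make_pair():  # bidirectional traffic needs two SAs, one per direction
    k_ab, k_ba = os.urandom(20), os.urandom(20)
    a_out, b_out = SA(0x1001, k_ab), SA(0x2002, k_ba)
    a_sad, b_sad = {0x2002: SA(0x2002, k_ba)}, {0x1001: SA(0x1001, k_ab)}
    return a_out, a_sad, b_out, b_sad
```

Out-of-order packets inside the window are still delivered once; a forged packet fails the ICV check before it can move the window.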

ISAKMP (Internet Security Association Key Management Protocol)

Ø         Internet IPsec protocol to negotiate, establish, modify, and delete security associations, and to exchange key generation and authentication data, independent of the details of any specific key generation technique, key establishment protocol, encryption algorithm, or authentication mechanism.

Ø        Key management protocol typically used with IPsec, but intentionally excludes selection of any particular key exchange method.

OSI Reference Model Layer Summary

The Open System Interconnection Reference Model is something that should be completely learned and memorized. Pretty much just read the chart a couple of times and try to learn it so that when you are asked you can have a quick response.

C&A Life Cycle

A correct implementation of the Certification and Accreditation program will help the organization maintain a secure environment on the computer systems. An established life cycle will help the organization maintain a properly revised program.

5 TYPES OF BCP TESTING

Business Continuity Planning is the key master plan used for the recovery and restoration of business. This logistical plan will lay out how the organization will recover from partial or complete interruption of business. Here is a quick guide that will help you determine if the business continuity plan will work.

Trusted Computer Security Evaluation Criteria

Trusted Computer System Evaluation Criteria (TCSEC) is a US Gov.  DoD standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system. The TCSEC was used to evaluate, classify and select computer systems being considered for the processing, storage and retrieval of sensitive or classified information.

Security Modes of Operation

There are various modes of security operations depending on the information you are protecting and its classification. Here is a review of some of the modes of operation.

History of CRYPTOGRAPHY

Cryptography can be defined as the conversion of data into a scrambled code that can be deciphered and sent across a public or private network. Cryptography is far more than helping keep integrity of the communications. It has evolved into a tool used in communications on a daily basis. Here is a basic introduction to Cryptography.

Security Architecture & Design / Security Access Control Models

Security Architecture includes models to follow when designing a security-oriented network infrastructure. They will depend on the security classification needed. Each model focuses on a specific area of the security triad: Confidentiality, Integrity and Availability.

10 Common Body of Knowledge, By Shon Harris

Applications and Systems Development Security

This domain examines the security components within operating systems and applications and how to best develop and measure their effectiveness. This domain looks at software life cycles, change control, and application security. Some of the other topics covered include:
