CISSP - Cryptography

Cryptography

Theory

Cryptograhpy - secret message between two parties

Crytanalysis - breaking cryptography - think - analysis - which is to remove complexity

Cryptology - cryptography and crytptanalysis

Block Ciphers: http://www.youtube.com/watch?v=OJuWOPSOOK4&feature=related

ECB - Electronic Code Book - Does not involve chaining - so input will always yield the same output. This makes it only good for small, short sensitivity-life data.

CBC - Cipher Block Chaining - Solves the problem with ECB about always producing the same output by introducing an IV (initialization vector).

CFB - Cipher Feedback Mode - Similiar to CBC but for streaming instead of block. It uses the ciphertext from the last block to XOR with this block - hiding the plain text.

OFB - Output Feedback Mode - Improvement of CFB

CTR - Counter Mode - Improvement of OFB

XOR - 1(true) if bits are different

Running Key - when the key is not as long as the message (which is usual), the key is repeated until it is

One time pad -> Vernam Cipher - key must be protected, >= message, resulting pad cannot be reused, random key gen

Stream ciphers do not alter the length of the message - block ciphers do as they pad the message to conform to block sizes

Clipper Chip: used the skipjack cipher. Was meant to give the government the ability to wiretap phones but didn't take.

Morris worm of 1988: While going to Cornell, Morris deployed the worm from MIT. He only meant to 'measure' the internet, but the worm reinfected computers over and over again, causing a DOS attack. He is now a professor at MIT.

Symmetric - Skytale (Spartans)-> Ceasar's Cipher -> Enigma (Germans WWI) -> Purple Machine (Japanese WWII) -> DES (32 rounds) -> IDEA(64 bit blocks, 128 bit key, used in PGP) -> MARS (IBM entrance for AES)-> Blowfish(64 bit blocks, 448bit key entrance for AES) -> AES (Rinjdael 128, 10 rounds)

Assymetric - LUC (Lucas Functions, discrete logarithms) -> RSA -> ElGamal (used in PGP)-> ECC

Diffie-Hellman is just for key exchange -> used by ElGamal

Collision - when two files produce the same hash.

Clustering - different keys yield the same result

Transposition -> Diffusion - moving things around

Substitution -> Confusion

PKI

4 Components - certificate and registration authorities, repository and archive

Revoked -> Revocation List, and online certification status protocol

SET - Secure Electronic Transaction - x.509 derivative that didn't gain traction

Integrity (Hasing)

HAVAL (variable bit), RIPEMD (europe version of MD4), MD Series(MD5 = 128 bit), SHA (>160 bit), TIGER (designed for 64 bit systems)

MD4 is for high-speed computations, MD5 is standard

DSS - Digital Signature Standard - 160 bits

Securing Email

S/MIME, PGP, PEM (uses AES or RSA), MSP

UUencode - encoding for email - to add support for binaries (attachments)

X.400 - standard for email (exchange)

Securing Wireless

WEP - RC4 - stream cipher - used because it was fast and exportable

Attacks

Side Channel - attack the encryption device itself

Remote Desktop slowness fixed

I was surprised to find that remote desktop was running very slowly to my directly connected server.

I came across the following link which discusses the issue. http://blog.tmcnet.com/blog/tom-keating/microsoft/remote-desktop-slow-problem-solved.asp

I entered the following command on my client computer and the problem was resolved.
netsh interface tcp set global autotuninglevel=highlyrestricted

Server 2008 - Wireless Feature Disabled

I recently found myself trying to set up a server to act as a bridge to get wireless from the hotel into my room and to a switch. I already had Server 2008 installed on a box running HyperV and thought it should be no trouble to plug in my wireless card and bridge the network.

Long story short: Wireless LAN 'Feature' is disabled by default. To enable it, go to Server Manager > Features > Wireless Lan Service.

Here is the link that led me to this: http://vspug.com/yazan/2008/02/21/windows-server-2008-wirless-connection/

Note the consistent inconsistency by Microsoft as this is called a service in the list of features.

CISSP - Access Control

Access Control

Role Based(Non-discretionary) vs Discretionary Access Control

Discretionary Access Control allows the owner to manage permissions of their resources. In theory this was a good idea but most owners aren't proficient enough to manage the security of their resources effectively. This also isn't usually a priority for them. A good example of this would be giving new users permission but never removing any of the old users.

Role Based Access Control is very similiar but permissions are based on a role. Now an administrator can manage the security by assigning users to their appropriate roles and giving that role the necessary permissions. The key distinction besides the obvious is that in the DAC, only the owner can make the changes.

Detective Access Control

CRC is a Detective Access Control because it detects that the integrity has been breached.

Preventive vs Deterrent: 4 foot fence is deterrent - and 8 foot fence is preventive. I would argue that deterrent is a subset of preventive.

Types of Authentication

Type 1 -> 3 - Something you know, have, are

Bio-Metrics

Accuracy of Bio-Metrics: Fingerprint > Palm Scan > Hand Geometry > Retina Scan > Iris Scan

Zephyr Chart is used to compare different bio metric systems (by factoring in acceptance, etc.) When comparing like systems - use the CER (Cross Over Erorr Rate - where FRR meets FAR) AKA EER (Equal Error Rate)

Lower CER the Better.

Type 1 = FRR = Annoying

Type 2 = FAR = Breach

Leap: Cisco Proprietary version of EAP

CVE: Common Vulnerabilities and Exposures

Policies are high level and do not say how.

MITM: Man in the Middle

ACLs are used in Discretionary Access Controls. On CISSP - think decentralized workgroup file ACLS (NOT AD centralized ACLS)

Enticement vs Entrapment: You entice someone that is committing a crime to do something that you can record to catch them. Entrapment is 'enticing' someone to commit the crime in the first place. The line can get gray quickly - entrapment is illegal/unethical and serves as a defense for the criminal.

Sesame is an Assymetric version of SSO (Kerberos)

Biba (Integrity - no write down)

Attacks

Rainbow Table: precomputed password hashes - big file instead of computing time

SATAN is the first vulnerability scanner - renamed SANTA

Superzapping - program that bypasses normal security

Smurf - ping users across a network with spoofed source so that the spoofed source (victim) gets overwhelmed

LAND - SYN packet with source and destination ip and port as the target (most NICs are no longer vulnerable to this)

TRINOO - sort of bot net that was part of the yahoo DDOS attack of 2000.

SYN attack - AKA half open attack - target runs out of memory while trying to keep track of an infinite number of TCP sessions.

Chargen - Character Generator - can be used to cause systems to go into an infinite loop talking to themselves.

Ping of Death - icmp packets that are larger than allowed

Fraggle - wrote by the same author as Smurf - this attack is similiar to smurf only it uses echo instead of ping

Teardrop - crashes a victim by sending malformed IP fragments that are over sized and/or overlapping

MEME - hoax - usually a chain letter looking for victims to forward it throughout the internet

EICAR - is used to verify the functionaly of antivirus software. Simply an innocent signature that all vendors flag for test purposes

CISSP Prep

In preparation for my CISSP I will collect sources and notes here.

I am reading CISSP for Dummies. I originally bought a much denser book but after learning that the CISSP certification is 50 miles wide and 10 inches deep, I figured a less dense book would suffice, and more importantly save me some time.

I went into CISSP for Dummies knowing that it would probably only go about 5 inches deep and that I would need to identify my areas of weakness and do more research to complement what I am reading. What follows is the other 5 inches addressing the areas I needed more work in.

Rainbow Books

Kerberos: http://www.youtube.com/watch?v=7-LjpO2nTJo&feature=related. I found this video to be very helpful. It is easy to get lost in all the keys and exchanges, especially when trying to read it in text format. In summary and from a higher more memorable level:

A secure connection between the client and authentication server is established by encrypting the traffic with the client's secret key. This secret key is based on the password that is stored in the authentication server. The user on the client computer enters a password and it is used to decrypt the messages from the authentication server. If it is not the right password then the messages will not be decipherable and the process halts. Over this secure connection, the Authentication Server sends the client it's Ticket Generating Service Session Key. It also sends it an encrypted message that only the Ticket Generating Service can decrypt. The client simply forwards this message along to the Ticket Generating Service.

When the Ticket Generating Service receives the message from the Authentication Server via the client it decrypts it using a secret key that only the Authentication Server and the Ticket Generating Service know. This reveals the Ticket Generating Service Session key and client associated with the key.

Next the Client establishes a secure connection with the Ticket Generating Service by using the Ticket Generating Service Session key that only Ticket Generating Service and the Client know. This is a dynamic key that was generated by the Authentication Server and not only establishes a secure connection between the Ticket Generating Service and the Client but also limits the time the connection can last.

Over this secure connection, the Ticket Generating Service sends the client a Client/Server Session key. It also sends an encrypted message to be sent to the Server that includes the Client/Server Session key and Client ID and time limit associated with the key.

Now the Server and Client can establish mutual trust.

In layman's terms:

You go to the security gate of a building and ask to go to the accounting department. The security guard verifies your identity and gives you a document that he signs stating that you are who you say you are and that you are allowed to go to the receptionist.

You arrive at the receptionist and she takes the document, verifies the signature, verifies that you are the person identified in the document and gives you a new signed document stating that you can go to the accounting department.

Upon arriving at the accounting department, they take the document, verify the signature, verify that you are the person identified in the document, and then asks, "so what can we do for you?"

And after all that, now imagine that this makes Single Sign On possible - in other words this is supposed to reduce complexity by reducing the number of logons needed to enter various systems.

Passed CCNA Security 640-553

I just passed the CCNA Security 640-553.

Obviously I can't go into the specifics - but its worth mentioning some highlights.

Lots on Zone Based Firewalls (being able to interpret zone-pairs -> policies -> class maps)

Layer 2 port security

Intimate understanding of how Phase 1 / 2 works in IPSEC. You should be able to teach this to a layman.

I had a couple questions on SSL VPNs (not sure if they were 'future' questions).

I used the Sybex study guide along with Jemery's CBT videos.

Good Luck

Subnetting - Memory Dump Cheat Sheet

There are times when a subnet calculator may not be available - Apocalypse and for your CCNA.

So during an Apocalypse - if you decide that you need to be able to subnet you only need to remember how to create this cheat sheet. Using this table - you can ultimately solve all subnetting problems.

Bits (borrowed)	2n(host/networks)	Interval	Mask
1	2	128	128
2	4	64	192
3	8	32	224
4	16	16	240
5	32	8	248
6	64	4	252
7	128	2	254
8	256	1	255

Remembering how to create this table is not as hard as it looks. First you must remember the columns. Bits Borrowed, 2ⁿ (hosts/networks), Interval, and Mask.

Then you must fill in the Bits column, starting from 1 to 8 bits (per octet).

Then you can fill in the Bits Borrowed, 2ⁿ (hosts/networks) column by simply doing the math. What is 2 to the power specified by the Bits (borrowed) row.

The next part is a little tricky. You must simply rewrite the 2ⁿ (hosts/networks) column into the Interval column in reverse order but skip 256 as this interval really means the interval is the whole octet. Think about what your doing, is 256 valid? so skip it.

Lastly, for the mask column - sum the intervals up as you go.

Now why do all this?

If you know what the mask is you can determine what the interval is. For example: 10.11.12.13 255.255.248.0

We can match 248 to the interval 8 in the third octet. Using this interval we can find the IP range. The nearest lower multiple of 8 in the third octet from 12 is 8. So the network address is 10.11.8.0. The next network address is an interval of 8 in the 3rd octet, so the next network address is 10.11.16.0. The broadcast address is then 1 less, 10.11.15.255. Knowing both the network and broadcast address we can determine the IP range as 10.11.8.1 - 10.11.15.254.

If we were to use CIDR notation, 10.11.12.13/21. We can determine how many bits we have borrowed. 8 (first octet) + 8 (second octet) + 5 (third octet). Using the table we can match 5 bits borrowed to the interval 8 and continue as we did before.

Lastly, we can solve problems like how many hosts do we have or many many networks do we have. 150.160.170.180/20 is a class B address. From the 16 bits associated with class B we have borrowed an additional 4 bits. The formula for networks is 2 ⁿ. So we find 4 and go to the 2 ⁿ column to find that we can have 16 subnets. We have 12 out of 32 bits left for hosts. To determine our hosts we use the formula 2 ⁿ - 2. But our table is not big enough. We simply extend it out by multiplying by 2 until it is big enough.

Bits (borrowed)	2n(host/networks)	Interval	Mask
1	2	128	128
2	4	64	192
3	8	32	224
4	16	16	240
5	32	8	248
6	64	4	252
7	128	2	254
8	256	1	255
9	512
10	1024
11	2048
12	4096

And now we know that we can support 4094 hosts in each subnet.

This is a tool that you can easily use during the CCNA as you can write it down on the provided paper as soon as you start your test.

Hopefully you find this helpful - let me know if you have any questions.