IAS 2 (Compiled Notes)
❖ Identification and Authentication: Who can log in.
❖ Authorization: What authorized users can do.
❖ Accountability: Identifies what a user did.

AAA
Authentication
Authorization
Accountability

Authentication - Validating a claimed identity of an end user or a device (e.g., host, server, switch, router). Must differentiate between user, device, and application authentication.

Authorization - Granting access rights to a user, group of users, system, or program, typically done in conjunction with authentication.

Non-Repudiation - A property of a cryptographic system preventing a sender from later denying that they sent a message or performed a certain action.

Audit - A chronological record of system activities enabling the reconstruction and examination of a sequence of events.

Vulnerability - A weakness in security procedures, network design, or implementation that can be exploited to violate a corporate security policy, such as:
✓ Software bugs
✓ Configuration mistakes
✓ Network design flaws

Exploit - Taking advantage of a vulnerability.

Risk - The possibility that a vulnerability will be exploited.
✓ Risk Analysis: The process of identifying security risks, determining their impact, and identifying areas requiring protection.

Threat - Any circumstance or event with the potential to cause harm to a networked system, such as:

o On-Path: Routers can read, modify, or remove any transmitted datagram.
o Off-Path: Hosts can send datagrams appearing to come from other hosts but cannot receive datagrams meant for them.
• Insider vs. Outsider: Definition of the perimeter/border.
• Deliberate Attack vs. Unintentional Event: Configuration errors and software bugs can be as harmful as deliberate attacks.

Security Aims
✓ Controlling data/network access.
✓ Preventing intrusions.
✓ Responding to incidents.
✓ Ensuring network availability.
✓ Protecting information in transit.

Security Services
❖ Authentication
❖ Authorization
❖ Access Control
❖ Data Integrity
❖ Data Confidentiality
❖ Auditing/Logging
❖ DoS Mitigation

Layer 2 Attacks
▪ ARP Spoofing
▪ MAC Attacks
▪ DHCP Attacks
▪ VLAN Hopping

MAC Flooding
Exploits a limitation of switches: the CAM table has a fixed size.
CAM (Content Addressable Memory): Stores the mapping of individual MAC addresses to physical ports on the switch.
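A worked illustration of the CAM-table limitation and its usual mitigation (a per-port MAC limit, as in switch port security), added here as an example and not taken from the notes. The toy switch model, the table capacity of 8, the limit of 2 MACs per port and the sample frames are all constructed for the demonstration; it shows why a burst of distinct source MACs evicts legitimate entries and turns unicast into flooding, and how the per-port limit stops that before the table fills.

```python
"""Toy switch CAM table with a port-security style per-port MAC limit.

Added illustration, not code from the notes. Table size, per-port limit and
frames are constructed; real switches expose these as configuration (a per-port
maximum MAC count with an err-disable action on violation).
"""
from collections import OrderedDict
from dataclasses import dataclass, field


@dataclass
class CamTable:
    capacity: int                  # fixed CAM size: the limitation MAC flooding targets
    max_macs_per_port: int         # port-security limit (assumed policy value)
    entries: OrderedDict = field(default_factory=OrderedDict)  # mac -> port, oldest first
    violations: list = field(default_factory=list)
    shutdown_ports: set = field(default_factory=set)

    def learn(self, port: int, src_mac: str) -> str:
        """Process the source MAC of a frame arriving on `port`.

        Returns "learned", "refreshed", "violation" (limit exceeded, port shut
        down) or "dropped" (frame arrived on an already shut-down port).
        """
        if port in self.shutdown_ports:
            return "dropped"
        if src_mac in self.entries:
            self.entries.move_to_end(src_mac)        # refresh ageing position
            self.entries[src_mac] = port
            return "refreshed"
        macs_on_port = sum(1 for p in self.entries.values() if p == port)
        if macs_on_port >= self.max_macs_per_port:
            self.violations.append((port, src_mac))  # what a NOC alert would carry
            self.shutdown_ports.add(port)
            return "violation"
        if len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)         # evict the oldest mapping
        self.entries[src_mac] = port
        return "learned"

    def forward(self, dst_mac: str) -> str:
        """Unicast to the learned port, or flood every port when unknown."""
        if dst_mac in self.entries:
            return f"port {self.entries[dst_mac]}"
        return "flood"


def simulate(max_macs_per_port: int) -> dict:
    """Constructed scenario: hosts on ports 1 and 2, then 50 distinct source
    MACs arriving on port 3, the traffic pattern of a flood."""
    cam = CamTable(capacity=8, max_macs_per_port=max_macs_per_port)
    cam.learn(1, "aa:aa:aa:aa:aa:01")
    cam.learn(2, "aa:aa:aa:aa:aa:02")
    outcomes = [cam.learn(3, f"de:ad:be:ef:00:{i:02x}") for i in range(50)]
    return {
        "host2_delivery": cam.forward("aa:aa:aa:aa:aa:02"),
        "violations": len(cam.violations),
        "port3_shut": 3 in cam.shutdown_ports,
        "table_size": len(cam.entries),
        "dropped": outcomes.count("dropped"),
    }


if __name__ == "__main__":
    print("no port security:", simulate(max_macs_per_port=1000))
    print("limit of 2 per port:", simulate(max_macs_per_port=2))
```

Without the limit, the legitimate entries for ports 1 and 2 are evicted and frames to host 2 are flooded to every port, which is the eavesdropping condition the notes describe; with the limit, port 3 is shut down after its second MAC, the table keeps four entries, and host 2 still receives unicast traffic.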
Routing Attacks
➢ Attempt to poison routing information.
➢ Distance Vector Routing: A malicious router announces zero distance to all destinations, drawing traffic to itself; this blackholes the traffic and enables eavesdropping.
➢ Link State Routing: A malicious router can randomly drop links or claim direct links to other routers.
➢ BGP Attacks: ASes can announce arbitrary prefixes or alter paths.

Wireless Attacks
WEP: The first security mechanism for 802.11 wireless networks, vulnerable to "FMS attacks" discovered by Fluhrer, Mantin, and Shamir.
Man-in-the-Middle Attacks (Wireless) - Creates a fake access point for clients to authenticate to, capturing traffic to see usernames, passwords, etc., sent in clear text.
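The defender-side check against an AS announcing arbitrary prefixes is origin validation: compare each announcement with a table of who is authorised to originate which prefix. The example below is added here and is not from the notes; it models that table on RPKI ROAs (prefix, maximum length, authorised origin AS) and follows the valid/invalid/unknown outcomes of RPKI origin validation. The ROA table, the prefixes (RFC 5737 documentation ranges) and the AS numbers (RFC 5398 documentation ASNs) are constructed. It addresses the "arbitrary prefixes" half of the BGP note only; altered paths need path validation, which is not shown.

```python
"""Origin validation for route announcements, modelled on RPKI ROAs.

Added illustration, not from the notes. ROA table, prefixes and AS numbers are
constructed (documentation ranges/ASNs). Checks who may originate a prefix; it
does not detect altered AS paths.
"""
import ipaddress

# Constructed authorisation table: (prefix, max_length, authorised origin AS)
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
]


def validate_origin(prefix: str, origin_as: int, roas=ROAS) -> str:
    """Return "valid", "invalid" or "unknown" (no covering ROA).

    A ROA covers the announcement when the announced prefix lies inside the ROA
    prefix. The announcement is valid if some covering ROA names the same origin
    AS and permits that prefix length; invalid if ROAs cover it but none match,
    which catches both a wrong origin and an over-specific announcement.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covering.append((max_len, roa_as))
    if not covering:
        return "unknown"
    if any(roa_as == origin_as and net.prefixlen <= max_len
           for max_len, roa_as in covering):
        return "valid"
    return "invalid"


def filter_updates(updates, roas=ROAS):
    """Apply a drop-invalid policy to (prefix, origin_as) updates.

    Returns (accepted, rejected); "unknown" routes are accepted, the usual
    operator choice while ROA coverage is incomplete.
    """
    accepted, rejected = [], []
    for prefix, origin_as in updates:
        state = validate_origin(prefix, origin_as, roas)
        (rejected if state == "invalid" else accepted).append((prefix, origin_as, state))
    return accepted, rejected


if __name__ == "__main__":
    sample = [
        ("192.0.2.0/24", 64500),     # legitimate origin
        ("192.0.2.0/25", 64500),     # more specific than the ROA allows
        ("192.0.2.0/24", 64666),     # right prefix, wrong origin AS
        ("203.0.113.0/24", 64502),   # nothing covers it
    ]
    accepted, rejected = filter_updates(sample)
    print("accepted:", accepted)
    print("rejected:", rejected)
```

The more-specific case matters because routers prefer the longest matching prefix, so an unauthorised /25 would otherwise win over the legitimate /24; the maximum-length field in the table is what lets the check reject it.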
Digital Signatures - Sender encrypts the message with their own private key instead of the intended receiver's public key.

Message Digests - Produces a condensed representation of a message (hashing).

o Firewall
o Intrusion Detection
• Build trust on top of the TCP/IP infrastructure:
o Strong authentication
o Public Key Infrastructure (PKI)
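The two definitions above (Digital Signatures, Message Digests) combine in practice: the signer applies the private key to the message digest, not to the whole message, and anyone with the public key recomputes the digest and checks it. The block below is an added example, not from the notes, showing that mechanism with textbook RSA. The primes come from a sieve over a constructed small range, so the keys are far too small for real use and there is no padding; a real system uses a vetted library with RSA-PSS or an elliptic-curve scheme. Function names and the sample message are the example's own.

```python
"""Digital signature over a message digest with textbook RSA.

Added illustration, not from the notes. Tiny keys and no padding: this shows
only the mechanism (private key signs the digest, public key verifies it).
"""
import hashlib


def primes_up_to(limit: int) -> list:
    """Sieve of Eratosthenes; gives certainly-prime toy key material."""
    flags = bytearray([1]) * (limit + 1)
    flags[0] = flags[1] = 0
    for i in range(2, int(limit ** 0.5) + 1):
        if flags[i]:
            flags[i * i::i] = bytearray(len(flags[i * i::i]))
    return [i for i, f in enumerate(flags) if f]


def make_keypair(limit: int = 1_000_000, e: int = 65537):
    """Return ((e, n), (d, n)) built from the two largest primes below `limit`."""
    p, q = primes_up_to(limit)[-2:]
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)           # modular inverse (Python 3.8+); raises if gcd(e, phi) != 1
    return (e, n), (d, n)


def digest_as_int(message: bytes, n: int) -> int:
    """Message digest (SHA-256) reduced into the signing group [0, n)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Signer's private key applied to the digest, as the notes describe."""
    d, n = private_key
    return pow(digest_as_int(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone holding the public key recovers the digest and compares it."""
    e, n = public_key
    return pow(signature, e, n) == digest_as_int(message, n)


if __name__ == "__main__":
    public, private = make_keypair()
    msg = b"transfer 100 to account 42"        # constructed sample message
    sig = sign(msg, private)
    print("genuine:", verify(msg, sig, public))
    print("tampered message:", verify(msg + b"0", sig, public))
    print("altered signature:", verify(msg, (sig + 1) % public[1], public))
```

Changing one byte of the message changes the digest, so the old signature no longer verifies; changing the signature by one changes what the public key recovers, so it fails too. That is the non-repudiation property from the definitions: only the private-key holder could have produced a value that the public key maps back to this digest.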
Secret Key Algorithms
• DES (Data Encryption Standard):
o Block cipher using a shared (56-bit) key.
o Developed by IBM for the US government in 1973-1974, approved in Nov 1976.
o Block size: 64 bits.
• 3DES (Triple DES):
o Applies DES three times to each data block using a key bundle (K1, K2, K3) of 56 bits each (excluding parity).
o Disadvantage: Very slow.
• AES (Advanced Encryption Standard):
o Published in November 2001 as a replacement for DES.
o Symmetric block cipher with a fixed block size of 128 bits and key sizes of 128, 192, or 256 bits.
o Based on the Rijndael cipher developed by Joan Daemen and Vincent Rijmen.

Hash Functions - A hash function takes an input message of arbitrary length and outputs a fixed-length code, called the hash or message digest.

Uses of Hashing
o Verifying file integrity: If the hash changes, the data has been compromised or altered in transit.
o Digitally signing documents.
o Hashing passwords.

Strong Authentication
• An absolute requirement involving:
o Two-factor authentication (something you know and something you have).
• Examples: Passwords, Tokens, Tickets, Restricted access, PINs, Biometrics, Certificates

Public Key Infrastructure (PKI)
• A framework that builds the network of trust.
• Combines public key cryptography and digital signatures to ensure:
o Confidentiality
o Integrity
o Authentication
o Non-repudiation
o Access control
• Protects applications that require a high level of security.

PKI Components
➢ Certificate Authority (CA): A trusted third party.
➢ Registration Authority (RA): Binds keys to users.
➢ Validation Authority (VA): Validates user identities.

Digital Certificates
✓ Basic element of PKI; a secure credential that identifies the owner (also called a public key certificate).
✓ Addresses binding a public key to an entity, which is crucial for eCommerce.

Components of a Digital Certificate
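Returning to the Hash Functions and Uses of Hashing notes above, the block below is an added example (not from the notes) showing the first and third uses in working code: verifying that data still matches a recorded digest, and storing passwords as salted, iterated hashes rather than bare fast hashes. The sample "file", the passwords and the storage record format are constructed; the iteration count is an assumed work factor.

```python
"""Two uses of hashing from the notes: integrity verification and password storage.

Added illustration, not from the notes; all sample data is constructed.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # assumed work factor; raise it as hardware gets faster


def sha256_hex(data: bytes) -> str:
    """Fixed-length digest of arbitrary-length input."""
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data: bytes, expected_hex: str) -> bool:
    """True only if the data still hashes to the digest recorded earlier
    (e.g. a published checksum); any change to the bytes changes the digest."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted, iterated hash for storage; never store the password itself or a
    bare fast hash of it. Record format: algorithm$iterations$salt_hex$hash_hex."""
    salt = os.urandom(16) if salt is None else salt
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${derived.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algorithm, iterations, salt_hex, hash_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                  bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(derived.hex(), hash_hex)


if __name__ == "__main__":
    # Integrity: a constructed "downloaded file" and its published digest.
    original = b"config_version=3\nallow_remote=false\n"
    published = sha256_hex(original)
    tampered = original.replace(b"false", b"true")
    print("original intact:", verify_integrity(original, published))
    print("tampered intact:", verify_integrity(tampered, published))

    # Passwords: the same password for two users gives two different records.
    record_a = hash_password("correct horse battery staple")
    record_b = hash_password("correct horse battery staple")
    print("records differ (salt):", record_a != record_b)
    print("login ok:", verify_password("correct horse battery staple", record_a))
    print("wrong password:", verify_password("Tr0ub4dor&3", record_a))
```

The salt is what makes two users with the same password produce different records, so a stolen table cannot be attacked with one precomputed lookup; the iteration count is what makes each guess expensive; and the constant-time comparison avoids leaking how many leading bytes matched.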