1. Multifactor Authentication
1.1. The process of authentication requires a subject to supply verifiable credentials, these credentials are referred to as factors.
1.2. In multifactor-authentication two or more factors are presented.
1.3. Multilayer Authentication
1.3.1. In multilayer authentication more than one of the same type of factor is used.
1.4. Identification
1.4.1. Identification is establishing identity.
1.5. Authentication
1.5.1. Authentication is about proving identity.
2. Single Sign-On System
2.1. 1. A user is accessing resources on Server B; for example, the user sends an HTTP GET request for a web page (step 1)
2.2. 2,3. SSO is used to provide authentication service for Server B. When Server A receives the request for a web page, it redirects the user to the SSO server of the organization for authentication (steps 2 and 3)
2.3. 4, 5. The user will authenticate to the SSO server, redirecting the user back to Server B with proof of authentication—for example, a token (steps 4 and 5).
2.4. 6. Server B will validate the proof of authentication and grant access to resources.
3. Security Events & Log Management
3.1. Event (NIST SP 800-61r2)
3.1.1. An event is any observable occurrence in a network.
3.2. Security Incident
3.2.1. An event that violates the security policy of an organization.
3.3. Event Management
3.3.1. includes administrative, physical, & technical controls that allow the proper collection, storage, and analysis of events.
3.3.2. Many compliance frameworks such as ISO & PCI DSS mandate log management controls & practices.
4. Symmetric & Asymmetric Algorithms
4.1. Symmetric Encryption Algorithm / Symmetric Cipher
4.1.1. uses the same key to encrypt and decrypt the data
4.1.2. Examples
4.1.2.1. DES
4.1.2.2. 3DES
4.1.2.3. AES
4.1.2.4. IDEA
4.1.2.5. Blowfish
4.1.2.6. RC2
4.1.2.7. RC4
4.1.2.8. RC5
4.1.2.9. RC6
4.2. Asymmetric Algorithm
4.2.1. Is a public key pair. Two keys, private and public both work in tandem as a pair.
4.2.2. Public Key
4.2.2.1. The public key is available to anyone who wants to use it
4.2.3. Private Key
4.2.3.1. The private key is known only to the device that owns the key pair.
4.2.4. Examples
4.2.4.1. RSA (PKCS #1)
4.2.4.1.1. With a key length of 512 to 2048, min for security is at least 1024. Slower than Symmetric algorithms but can be used for signing and encryption. Uses integer factorization cryptography.
4.2.4.2. Diffie-Hellman (DH)
4.2.4.2.1. Allows the negotiation of a shared secret keying material (keys). The algorithm is asymmetric but the keys generated by the exchange are symmetric.
4.2.4.3. ElGamal
4.2.4.3.1. Is based on the DH exchange.
4.2.4.4. DSA
4.2.4.4.1. The Digital Signature Algorithm was developed by the US National Security Agency.
4.2.4.5. ECC
4.2.4.5.1. Elliptic curve cryptography is public-key cryptography based on the algebraic structure of elliptic curves over finite fields.
5. Hashes
5.1. Used to verify data integrity, also called a digest, message digest, or hash. A cryptographic hash function takes a block of data and creates a small-sized hash value.
6. The three most popular types of hashes
6.1. Message Digest 5 (MD5)
6.1.1. Creates a 128-bit digest
6.2. Secure Hash Algorithm 1 (SHA-1)
6.2.1. Creates a 160-bit hash digest.
6.3. Secure Hash Algorithm 2 (SHA-2)
6.3.1. Options of 224-bit digest & 512-bit digest.
7. Digital Signatures
7.1. Proves that you are who you say you are.
7.2. Core Benefits
7.2.1. Authentication, Data Integrity, Nonrepudiation
8. Description of next-generation encryption protocols
8.1. Suite B
8.1.1. algorithms designed to meet future security needs, approved for protecting classified info at secret & top-secret levels.
8.1.2. Examples
8.1.2.1. Elliptic curve cryptography replaces RSA signatures with the ECDSA (EC variant of DSA)
8.1.2.2. DH → ECDH
8.1.2.3. AES in GaRobin/Counter Mode (GCM)
8.1.2.4. ECC digital signature algorithm
8.1.2.5. SHA-256
8.1.2.6. SHA-384
8.1.2.7. SHA-512
8.1.2.8. Elliptic curve cryptography replaces RSA signatures with the ECDSA (EC variant of DSA)
9. Public & Private Key pairs
9.1. A key pair is a set of two keys that work in combination as a team.
9.2. A public key may be shared with everyone, a private key is known only to the owner.
9.3. The private key can encrypt, the public key can decrypt and the inverse is also true. This process is also called public-key cryptography or asymmetric key cryptography.
10. Description of Certificate Authorities
10.1. A certificate authority is a computer or entity that issues digital certificates.
10.2. Inside of digital certificates there contains information about the device.
11. Identity Certificates
11.1. An identity certificate describes the client and contains the public key of an individual host (the client). Identity certificates are used by web servers, APIs, VPN clients, and web browsers (in some cases).
11.2. X.500 & X.509v3
11.2.1. X.500 is a series of standards focused on directory services and how those directories are organized. Example, CN=Batman (CN stands for common name), OU=engineering (OU stands for organizational unit), O=cisco.com (O stands for organization)
11.3. Enrollment with a CA
11.3.1. 1. Authenticate with root CA, request own identity certificate with public-private key pair.
11.3.2. 2. CA signs your certificate, you can verify the digital certificate of CA with the signature provided in the authentication step.
12. Methods to check if certificates have been revoked
12.1. Certificate Revocation List (CRL)
12.1.1. This is a list of certificates, based on their serial numbers, that had initially been issued by a CA but have since been revoked and as a result should not be trusted.
12.2. Online Certificate Status Protocol (OCSP)
12.2.1. This is an alternative to CRLs. Using this method, a client simply sends a request to find the status of a certificate and gets a response without having to know the complete list of revoked certificates.
12.3. Authentication, Authorization, & Accounting
12.3.1. isco AAA services also provide support for validating digital certificates, including a check to see whether a certificate has been revoked. Because this is a proprietary solution, it is not often used in PKI.
13. Identity & account management life cycle management phases
13.1. Registration & Identity Validation
13.1.1. A user provides information and registers for digital identity. The issuer will verify the information and securely issue a unique and non-descriptive identity.
13.2. Privileges provisioning
13.2.1. The resource owner authorizes the access rights to a specific account, & privileges are associated with it.
13.3. Access Review
13.3.1. Access rights are constantly reviewed to avoid privilege creep.
13.4. Access Revocation
13.4.1. Access to a given resource may be revoked due, for example, to account termination.
14. Password Management
14.1. Password Creation
14.1.1. Organizations should have policies and standards for password creation: strength, age, reusability.
14.2. User-generated passwords
14.2.1. Users generate their own passwords which are simple to remember but easy to guess and often re-used across multiple systems.
14.3. System-generated passwords
14.3.1. Generated by the system, are strong and compliant with security policy but can be difficult to remember and users tend to write them down.
14.4. OTP & token
14.4.1. Passwords are generated by an external entity & synced with an internal resource.
14.4.2. Users don't need to remember complex passwords, this method requires more infrastructure and the software & hardware required generates deployment & maintenance costs.
15. Log Collection, Analysis, & Disposal
15.1. Log storage critical for maintaining log confidentiality & integrity.
15.2. Information Collected via Logs
15.2.1. User ID, system activities, timestamps, successful or unsuccessful access attempts, configuration changes, network addresses & protocols, file access activities.
15.3. NIST SP 800-92
15.3.1. Defines three categories of logs of interest for security professionals.
15.4. Logs generated by security software
15.4.1. Antivirus/antimalware, IPS/ICD, Web Proxies, remote access software, authentication servers, vulnerability management software, infrastructure devices (firewalls, routers, switches, wireless access points)
15.5. Logs generated by the operating system
15.5.1. System events, audit logs
15.6. Logs generated by the applications
15.6.1. Connection & session info, usage info, significant operational action
15.7. Syslog (RFC 5424)
15.7.1. Event notification protocol with three main entities
15.7.1.1. Originator
15.7.1.1.1. The entity that generates a Syslog message
15.7.1.2. Collector
15.7.1.2.1. The entity that receives that info about an event in Syslog format
15.7.1.3. Relay
15.7.1.3.1. An entity that can receive messages from originators and forward them to other relays or collectors).
15.7.2. Syslog Facility
15.7.2.1. Kernel Messages (0)
15.7.2.2. User-level messages (1)
15.7.2.3. Mail system (2)
15.7.2.4. System daemons (3)
15.7.2.5. Security/Authorization messages (4)
15.7.2.6. Messages generated by Syslogd (5)
15.7.2.7. Line printer subsystem (6)
15.7.2.8. Network news subsystem (7)
15.7.2.9. UUCP subsystem (8)
15.7.2.10. Clock daemon (9)
15.7.2.11. Security/authorization messages (10)
15.7.2.12. FTP daemon (11)
15.7.2.13. NTP subsystem (12)
15.7.2.14. Log Audit (13)
15.7.2.15. Log alert (14)
15.7.2.16. Clock daemon (15)
15.7.2.17. Local use 0-7 (16-23)
16. Ciphers & Keys
16.1. Cipher
16.1.1. Also called an algorithm, which are rules on how to perform encryption & decryption
16.1.2. Common Cipher Methods
16.1.2.1. Substitution
16.1.2.1.1. Character substitution
16.1.2.2. Polyalphabetic
16.1.2.2.1. Similar to substitution but with more alphabets
16.1.2.3. Transposition
16.1.2.3.1. Any options including letter rearrangement
16.2. Key
16.2.1. Instructions on how to reassemble characters. For example, a one-time pad (OTP) could encrypt a 32-bit message with a 32-bit key called a pad.
16.2.2. Key Management
16.2.2.1. Deals with the relationship between users & keys.
16.2.2.2. Specifically deals with generating keys, verifying keys, exchanging keys, storing keys, and, at the end of their lifetime, destroying keys.
17. Block & Stream Ciphers
17.1. Block Cipher
17.1.1. Is a symmetric key pair (same key used to encrypt & decrypt) that operates on a group of bits called a block.
17.1.2. May add padding for a full block if necessary.
17.1.3. Examples
17.1.3.1. Advanced Encryption Standard (AES)
17.1.3.2. Triple Digital Encryption Standard (3DES)
17.1.3.3. Blowfish
17.1.3.4. Digital Encryption Standard (DES)
17.1.3.5. International Data Encryption Algorithm (IDEA)
17.2. Stream Cipher
17.2.1. Is a symmetric key pair (same key used to encrypt & decrypt) that operates on a bit at a time against the keystream, called a cipher digit stream.
17.2.2. May have slightly less overhead than a block cipher since it does not require a block.
18. Hashed Message Authentication Code (HMAC)
18.1. uses the mechanism of hashing with a secret key. Thus, only the other party who also knows the secret key and can calculate the resulting hash can correctly verify the hash. Interception and modification unrealistic since the attacker does not have the secret key.
18.2. MD5
18.2.1. Is an insecure hash function.
18.3. SHA-256
18.3.1. Provides adequate protection for sensitive information.
18.4. SHA-384
18.4.1. Used to protect classified information.
19. Digital Signatures in Action
19.1. Digital Signature
19.1.1. 1. For example, Batman takes a packet, generates a hash, and then encrypts it with his private key.
19.1.2. 2. Batman attaches this encrypted hash ( digital signature ) to the packet and sends it to Robin.
19.1.3. 3. Robin decrypts the packet with Batman's public key and runs the hash function, if a match we know Batman is who he says he is, this is authentication using digital signatures.
19.1.4. The keys are exchanged with the certificate exchange, these certificates are trusted if they are signed by a CA they both trust.
19.1.5. Certificate Authority (CA)
19.1.5.1. A trusted entity that hands out digital certificates.
20. Description of IPsec & SSL
20.1. IPsec
20.1.1. A suite of protocols to protect IP packets. Typically in remote-access VPNs & site-to-site VPNs
20.2. SSl/TLS
20.2.1. Is typically used for remote-access VPNs & secure communications with web services.
21. RSA Algorithm, the Keys, & Digital Signatures
21.1. Keys
21.1.1. Secrets that allow cryptography to provide confidentiality.
21.1.2. With RSA digital signatures, each party has a public-private key pair because both parties intend on authenticating the other side.
21.1.3. A CA takes each of their public keys as well as their names and IP addresses and created individual digital certificates, and the CA issued these certificates back to each party respectively. The CA also digitally signed each certificate.
21.2. Digital Signature
21.2.1. 1. Batman takes some data, generates a hash, and then encrypts the hash with Batman’s private key.
21.2.2. 2. This encrypted hash is inserted into the packet and sent to Robin. This encrypted hash is Batman’s digital signature.
21.2.3. 3. Having received the packet with the digital signature attached, Robin first decodes or decrypts the encrypted hash using Batman’s public key.
21.2.4. 4. It then sets the decrypted hash to the side for a moment and runs a hash against the same data that Batman did previously. If the hash that Robin generates matches the decrypted hash, which was sent as a digital signature from Batman, then Robin has just authenticated Batman—because only Batman has the private key used for the creation of Batman’s digital signature.
22. Root Certificates
22.1. A root certificate contains the public key of the CA server and other details about the CA server.
22.2. Certificate Parts
22.2.1. Serial Number
22.2.1.1. This is the number issued and tracked by the CA that issued the certificate.
22.2.2. Issuer
22.2.2.1. This is the CA that issued this certificate. (Need to have their certificates issued from someone, could be themselves.)
22.2.3. Validity Dates
22.2.3.1. These dates indicate the time window during which the certificate is considered valid.
22.2.4. The subject of the certificate
22.2.4.1. Includes organizational unit (OU), organization (O), country (C), other details commonly found in an X.500 structured directory.
22.2.5. Public Key
22.2.5.1. Contents of the public key and the length of the key.
22.2.6. Thumbprint algorithm and thumbprint
22.2.6.1. Hash of certificate.
23. Simple Certificate Enrollment Protocol (SCEP)
23.1. Cisco, in association with a few other vendors, developed the Simple Certificate Enrollment Protocol (SCEP), which can automate most of the process for requesting and installing an identity certificate.
24. Key Terms
24.1. Block Ciphers
24.1.1. A symmetric key cipher that operates on a group of bits called a block. The same key is used to encrypt and decrypt.
24.2. Symmetric Algorithms
24.2.1. An encryption algorithm that uses the same key to encrypt and decrypt.
24.3. Asymmetric Algorithms
24.3.1. An encryption algorithm that uses two different keys: private & public, these make a key-pair.
24.4. Hashing Algorithms
24.4.1. An algorithm used to verify data integrity.
24.5. Digital Certificates
24.5.1. A digital entity used to verify that the user is who he or she claims to be and provide the receiver a means to encode a reply. Can apply to systems as well.
24.6. Certificate Authority
24.6.1. A system that generates and issues digital certificates to users and systems.
24.7. Advanced Encryption Standard (AES)
24.7.1. A symmetric-key encryption algorithm used by most modern crypto implementations. Defined in FIPS PUB 197: "Advanced Encryption Standard (AES)" and ISO/IEC 18033-3: "Block Ciphers".
24.8. Online Certificate Status Protocol (OCSP)
24.8.1. A protocol used to perform certificate validation.