N11. Security

Question 1

What is a firewall?

Answer 1

Programmable packet filter
- situated on border router
- implements filter policy
Prevents:
- packets leaving site network
- packets entering site network
Access control lists (ACLs) - what is and is not allowed
Deep packet inspection (DPI) - looks beyond header of packet
Stateful packet inspection - looks beyond single packet at flow of packets and monitors state

Question 2

Disadvantage of firewalls

Answer 2

Can be a performance bottleneck

Question 3

What is the difference between security and privacy?

Answer 3

Security - protection from things on the wire
Privacy - protection from sharing information that shouldn’t be publicly shared (helps with security but they are distinct, beyond packet layer to application layer)

Question 4

List 3 parts of security analysis to consider:

Answer 4

1. Security threats - what to protect against
2. Security services - to protect against threats
3. Security mechanisms - algorithms and protocols to implement security services chosen
   (Implementation - specific hardware, software and policy required)

Question 5

Give examples of common security threats

Answer 5

Eavesdropping (traffic monitoring) - inspection of traffic contents, traffic patterns. Control-plane and user-plane.
Traffic modification - changing ‘genuine’ packets, forging of packets and data
Man in the Middle (MitM) - forged identities, fake servers/services, fake clients

Question 6

What is the secret-key system of key-based cryptography?

Answer 6

Secret-key system:

• single key, k1 == k2
• used for both encryption and decryption
• must be known and kept secret by both parties

Question 7

What is the public-key system of key-based cryptography?

Answer 7

Public-key system

• pair of matched keys - one for encryption, one for decryption
• k1 and k2 different but complementary - one secret, one public
• harder to break than private-key encryption but more computationally expensive

Question 8

How are hash algorithms used in security?

Answer 8

Creates a fixed size bit pattern from any input of bits (strong checksum)
1. fixed size hash value as output
2. cannot reproduce original message from hash value
3. very low probability of producing two messages with same hash
Message Authentication Code

Question 9

What is a Message Authentication Code?

Answer 9

Based on hash algorithm, alternative to public-key encryption

• use secret key k
• combine secret key with plain text and hash
• check that MAC output matches expected (even one bit changed indicates tampering with content)

Question 10

Explain how Digital Signatures are used in security?

Answer 10

Digital signature is like a strong, secure checksum
Gives high assurance of message authenticity and integrity
Signature - with public key (create hash, encrypt with secret key, check at receiver using public key) - if hash given to receiver doesn’t match hash from decrypting with public key then document has changed

Question 11

How are certificates used in security?

Answer 11

Certification Authority issues a certificate (and public key to user) and authenticates the certificate with a digital signature.
Certificate contains:
- user ID
- user public key
- dates of validity
- CA’s ID and signature
On receiving a certificate, user should check signature using public key, check for revocation and use directory service (must trust CA)

Question 12

What is TLS?

Answer 12

Transport Layer Security (formerly SSL)
- originally for secure HTTP sessions - HTTPS
- general API can potentially be used by any protocol over TCP
TLS is end-to-end - sits above normal sockets interface

Question 13

What services does TLS provide?

Answer 13

1. a client to authenticate a server
2. a serve to authenticate a client (optional)
3. client and server to select crypto protocols for a communication session
4. client and server exchange session keys securely
5. confidential sessions between client and server

Question 14

Describe the TLS handshake

Answer 14

1. client hello - TLS options proposed
2. server hello - TLS options selected by server
3. server key exchange - certificate (with public key)
4. server hello complete
5. client key exchange - sends session key encrypted with server’s public key
6. client change cipher spec - activate new session state
7. client finished - secure session established
8. server change cipher spec - activate new session state
9. server finished - secure session established