This is the 11th day of my participation in Gwen Challenge

Passive aggression

Attackers eavesdrop on communications from the network

Such attacks are often referred to as intercepts

In passive attack, the attacker only observes and analyzes a protocol data unit, PDU, in order to understand some properties of the exchanged data, but does not interfere with the information flow

Passive attack is also called traffic analysis

Take the initiative to attack

Tamper – Deliberately tamper with packets on the network. Also known as change packet flow

Malware – a wide variety of programs, including: viruses, worms, Trojan horses, logic bombs, backdoor intrusion, rogue software, etc

Denial of service – When an attacker sends a large number of packets to a server on the Internet so that the server cannot provide normal service or even crashes

DDoS – Distributed denial of service

A distributed denial of service attack, also known as a network bandwidth attack or connectivity attack, is a concentrated attack on a single website from hundreds of websites on the Internet

The goal of computer network communication security

  1. Prevents outgoing packet content and traffic analysis
  2. Preventing malicious programs
  3. Detects change packet flow and denial of service

Various data encryption techniques can be used for passive attack

For active attack, encryption technology and authentication technology should be combined

Four goals for secure computer networks

  • confidentiality

Only the sender and receiver of a message can understand the content of the message. Network security communication is the most basic content, but also must have the function, can use password technology to use the network with confidentiality

  • The endpoint to identify

Identify the real identity of the sender and receiver of a message

  • Integrity of information

Ensuring that the content of the message has not been modified is often used in conjunction with endpoint authentication

  • Operational security

The system runs properly and provides services. Access control, you must control the access to the network and specify the access rights of each user

The key

A secret string

The sender converts the plaintext into ciphertext using an encryption algorithm and encryption key

The recipient converts the ciphertext into plaintext using the decryption algorithm and key

The encryption key and the decryption key can be the same or different

The key is usually provided by the key center

When a key needs to be sent remotely, it must be sent over a secure channel

Symmetric cryptosystem

Encryption key and decryption key are the same cryptosystem, also known as symmetric key system

Public key cryptosystem

There are different encryption keys and decryption keys. The encryption key is a public key, and the decryption key is a private key. The public key is public, and the private key is secret

Sender A encrypts the plaintext with B’s public key, and receiver B decrypts the plaintext with its private key

The difference between public and object keys

When the symmetric key is used, the two parties use the same key. Therefore, one-to-one bidirectional communication can be carried out. Each party can encrypt the ciphertext with the key and send it to the other party, or receive the ciphertext and decrypt the ciphertext with the same key

When the public key is used, there can be many-to-one one-way secure communication over the communication channel

A digital signature

Encryption with the private key and decryption with the public key is called digital signature

The role of digital signatures

Used to prove authenticity.

  1. Source-proof packet authentication enables the receiver to verify the sender’s signature on the packet
  2. Anti-denial – Indicates the integrity of the packet. The sender cannot deny the signature of the packet
  3. Anti-forgery – It is undeniable that the receiver cannot forge the signature of the packet

To identify

Encryption is an important measure to deal with passive attack, and identification is used to deal with the end of active attack and forgery

Packet authentication enables the receiver to verify the authenticity of the received message (sender, message content, sending time, and sequence)

Classification of discrimination

  • Message authenticated

Verify that the received message is indeed sent by the sender and not forged or tampered by others. This includes endpoint authentication and packet integrity authentication

  • Entities to identify

Only the entity that sent the message is identified. An entity can be a person or a process (client or server)

Characteristics of hash functions

  1. The input length of a hash function can be long, but its output length is fixed and short. The output of a hash function is called a hash value, or hash
  2. Different hashes certainly correspond to different inputs, but different inputs may yield the same hash value. The input and output of a hash function are not one-to-one, but many-to-one
  3. Unidirectional – It is computationally infeasible to find two different packets that have the same password hash function output

MD5 Calculation Procedure

  1. Append – Append a message of any length to the end of the message by counting the rest of the number in modulo 2^64
  2. Padding – Fills 1 to 512 bits between the packet and the length item so that the total length is a multiple of 512. The padding starts with a 1, followed by zeros
  3. Grouping: Divides the appended and filled packets into 512-bit data blocks. Each 512-bit packet data is then divided into four 128-bit data blocks
  4. Cheat – Send 4 128-bit data blocks to different hash functions for 4 rounds of calculation. Each round performs complex operations in small 32-bit chunks of data. Until finally the message digest code is calculated (128 bits)

Basic ideas of SHA-1

  1. The input code length is less than 2^64 bits, and the output code length is 160 bits
  2. The plaintext is divided into 512-bit blocks of constant length. Each block is combined with the current packet digest value to generate the next intermediate result of the packet digest until the processing is complete.
  3. 5 times of scanning, slightly lower than MD5 efficiency, high anti-exhaustion

Message authenticated

The result of hash encryption is called the packet identification code MAC

  1. The entire packet does not need to be encrypted
  2. An encryption algorithm is required to export the MAC identification code from the hash. However, the length of the hash is much smaller than that of the packet. Therefore, the encryption does not consume many computing resources
  3. The MAC authentication code can be used to protect the integrity of packets

Entities to identify

Packet identification identifies the sender of each received packet

Entity authentication is to authenticate the other entity that communicates with oneself only once during the entire duration of system access

Replay attack

Intruder C can intercept the packets sent from A to B on the network

C does not need to decipher the message, but directly sends the intercepted message encrypted by A to B, making B mistake C for A. B then sends A packet to C disguised as A, which is called A replay attack

IP spoofing

A user C can even intercept A’s IP address and impersonate it as its own, which is called IP spoofing

Use nonmultiplicity for identification

A nonrepeatable number is a large random number that is not used repeatedly, i.e. one number at a time. Since non-repeaters cannot be reused, the intercepted non-repeaters cannot be reused during replay attacks

User B uses the private key to sign R(A) and sends the signature back to USER A. User A uses user B’s public key to verify the signature. If you can find the non-multiplicity R(A) you sent originally, you can verify that the other party you are communicating with is really B

Similarly, A uses its private key to sign R(B) and sends the signature to B. B uses A’s public key to verify the signature and authenticate A’s identity

Key distribution

Out-of-network distribution – Sending very reliable messengers carrying keys to distribute to users communicating with each other

Network allocation – Automatic key allocation

Distribution of symmetric keys

Currently, a Key distribution Center (KDC) is commonly used.

KDC is a trusted organization whose job is to temporarily assign a session key (used only once) to users who need to communicate confidentially

Assume that users A and B are registered users of the KDC and have installed their master keys on the SERVER of the KDC to communicate with the KDC

Allocation of public Keys

In public key cryptography, secure communication can be achieved if each user has the public key of other users

However, the user’s public key cannot be freely published, because there is no way to prevent counterfeiting and spoofing. The user is also unable to determine the true owner of the public key

A trusted Certification Authority (CA) is required to bind the public key to the entity corresponding to the base. The CA is generally funded by the government

Each entity has a certificate from the CA containing the public key and the identity of its owner

The certificate is digitally signed by the CA and cannot be forged and trusted