36. (p. 295) Encryption is a method for guaranteeing that data is as originally sent, and that it came from the source you think it should have come from.
FALSE
37. (p. 296) Before encryption, we consider all data as being plaintext (also called cleartext). This does not necessarily mean that the data is simple text format, but it can be any type of data.
TRUE
38. (p. 297) Symmetric-key encryption is what we call any encryption that uses the same key for both encryption and decryption.
TRUE
39. (p. 302) A hash is more accurately called public-key cryptography.
FALSE
40. (p. 304) Adding a digital signature to an encrypted message ensures that you are getting the message from the person you expect it to be from.
TRUE
41. (p. 304) Digital certificates enable us to safely do business with someone we do not know.
TRUE
42. (p. 291) For most people, the first exposure to authentication is a request to accept a certificate.
FALSE
43. (p. 307) Point-to-point and dial-up most often occur over Ethernet.
FALSE
44. (p. 312) RADIUS is an AAA standard.
TRUE
45. (p. 313) The Kerberos authentication protocol was developed primarily for use with PPP.
FALSE
46. (p. 320) Layer 2 of the OSI model offers IPsec encryption.
FALSE
47. (p. 320) SSL and TLS are methods of encryption that occur at the Application layer of the OSI model.
TRUE
48. (p. 295) Nonrepudiation guarantees that the sender of a message cannot later deny that they sent the message.
TRUE
49. (p. 315) 802.1X authentication is essentially EAP over Ethernet, without using PPP.
TRUE
50. (p. 295) Authorization is the process of proving your identity to another system, resource, or user.
FALSE
Fill in the Blank Questions
51. (p. 296) A(n) _______________ is a series of complex and hard-to-reverse mathematics run on a string of ones and zeroes to make a new set of binary values.
cipher
52. (p. 296) When applying the binary math _______________ calculation, a cleartext value of 0 combined with a key value of 0 equals 0, as does a cleartext value of 1 combined with a key value of 1. Further, a cleartext value of 0 combined with a key value of 1 equals 1, as does a cleartext value of 1 combined with a key value of 0.
XOR (eXclusive OR)
53. (p. 297) An example of a(n) _______________ is a simple cipher that takes the letters of the alphabet and shifts (substitutes) each one by a fixed number of places.
Caesar cipher
54. (p. 298) A(n) _______________ takes a single bit at a time and encrypts on-the-fly.
stream cipher
55. (p. 298) Most encryption algorithms are _______________, which encrypt data in single "chunks" of a certain length at a time.
block ciphers
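Worked example (added here; it is not part of the textbook or its test bank): the XOR rule from question 52 used as a symmetric stream cipher in the sense of questions 38 and 54. The keystream construction (SHA-256 over the key and a block counter) is a constructed toy for illustration, not a standardized cipher, and the key and messages are made-up sample data. The example goes one step beyond the questions by showing why a keystream must never be reused: XOR of two ciphertexts cancels the key and leaves XOR of the two plaintexts.

```python
import hashlib
from itertools import count


def keystream(key: bytes, length: int) -> bytes:
    # Toy keystream generator (assumption for illustration only): SHA-256 of
    # (key || 8-byte block counter), concatenated until `length` bytes exist.
    out = bytearray()
    for block in count():
        out += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        if len(out) >= length:
            return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    # The XOR table from question 52, applied byte by byte:
    # 0^0=0, 1^1=0, 0^1=1, 1^0=1.
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # A stream cipher XORs each plaintext bit/byte with the matching keystream byte.
    return xor_bytes(plaintext, keystream(key, len(plaintext)))


# XOR is its own inverse, so decryption is the identical operation with the same key
# (this is what makes it a symmetric-key scheme, question 38).
stream_decrypt = stream_encrypt


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    # Caveat: if two messages share one keystream K, then
    # c1 ^ c2 == (p1 ^ K) ^ (p2 ^ K) == p1 ^ p2. The key drops out entirely.
    return xor_bytes(c1, c2)


def demo():
    key = b"shared secret"                       # constructed sample key
    p1 = b"transfer 100 to acct 4242"            # constructed sample messages
    p2 = b"transfer 900 to acct 9999"
    c1 = stream_encrypt(key, p1)
    c2 = stream_encrypt(key, p2)
    round_trip_ok = stream_decrypt(key, c1) == p1
    # An attacker who knows p1 (say, a predictable header) recovers p2 with no key at all.
    recovered_p2 = xor_bytes(keystream_reuse_leak(c1, c2), p1)
    return round_trip_ok, c1 != p1, recovered_p2 == p2


if __name__ == "__main__":
    print(demo())
```

The round trip works because the same key reproduces the same keystream on both ends; the last value returned by demo() is the reason real stream ciphers pair the key with a fresh nonce for every message.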
56. (p. 299) In the 1970s three men (Diffie, Hellman, and Merkle) developed what we now know as _______________.
public-key cryptography
57. (p. 300) The two keys created together for public-key cryptography are collectively called a(n) _______________.
key pair
58. (p. 295) _______________ defines what a person accessing data can do with it.
authorization
59. (p. 295) The solution to the problem of ensuring that a person who sent something is the person you believed them to be is some form of _______________.
nonrepudiation
60. (p. 303) _______________ is probably the most popular hashing function used for ensuring that a file is unchanged.
MD5
61. (p. 304) A(n)_______________ adds nonrepudiation to public-key cryptography.
digital signature
62. (p. 305) When a browser connects to a secure Web page, the Web server sends a copy of its _______________.
certificate
63. (p. 319) Nearly every Web browser today uses _______________ for HTTPS-secured Web sites.
TLS
64. (p. 312) _______________ is the most popular RADIUS server for networks running Microsoft servers.
Internet Authentication Service (IAS)
65. (p. 320) Using _______________, IPSec encrypts the entire IP packet and then places it into an IPSec endpoint, which encapsulates it inside another IP packet.
tunnel mode
66. (p. 320) Until _______________ is widely implemented, IPSec's only common use is creating secure tunnels between two computers.
IPv6
67. (p. 310) CHAP provides a secure authentication routine by having both ends of the authentication process perform a(n) _______________ on a shared secret, and having the initiator send the result of this rather than a cleartext password.
hash
68. (p. 321) You cannot get an HTTPS connection without a good _______________ exchange.
certificate
69. (p. 306) VeriSign's tree structure contains a root, intermediate, and issuing servers; this is an example of a(n) _______________.
public-key infrastructure (PKI)
70. (p. 308) A(n) _______________ is a list of permissions specifying what action an authenticated user may perform on a shared resource.
access control list (ACL)
71. (p. 308) The most popular authorization model in file sharing is _______________.
role-based access control (RBAC)
72. (p. 314) Microsoft adopted _______________ as its authentication protocol for all Windows networks using a domain controller.
Kerberos
73. (p. 313) The cornerstone of Kerberos is the Key Distribution Center (KDC) which includes the _______________ and the _______________.
Authentication Server (AS); Ticket-Granting Service (TGS)
74. (p. 315) Wireless networks use _______________ for authentication, which in turn uses EAP.
802.1X
75. (p. 318) To use _________________ keys for authentication, you must first generate a pair of RSA or DSA keys with a tool such as PuTTYgen.
public/private
76. (p. 311) _______________ is a philosophy for standards for protecting the central databases full of user names and passwords.
Authentication, Authorization, and Accounting (AAA)
77. (p. 310) In PPP authentication, the side of the communication asking for a connection is called the _______________ and the side that has a list of user names and passwords is the _______________.
initiator; authenticator
78. (p. 310) Of the three, PAP, CHAP, and MS-CHAP, _______________ offers the most security for dial-up authentication.
MS-CHAP
79. (p. 315) _______________, an older port authentication access control standard, was adopted for wireless networks.
802.1X
80. (p. 317) In addition to using a password for authentication, SSH may also use _______________ to identify clients.
public keys
81. (p. 313) Kerberos uses TCP port _______________.
88
82. (p. 323) LDAP uses TCP port _______________.
389
83. (p. 315) 802.1X does not require the use of _______________ to encapsulate EAP.
PPP
84. (p. 302) Layer _____________ of the OSI model uses proprietary encryption devices.
2
85. (p. 302-304) Nonrepudiation uses ___________ and __________ to function.
hashing; digital signatures
Essay Questions
86. (p. 295) Define and compare the terms authentication and authorization.
Authentication is the verification of the identity of the person (or computer) attempting to access a network or data, while authorization occurs immediately after authentication, determining just what that person (or computer) is permitted to do on the network once connected.
87. (p. 296) Briefly describe the two things that all complete algorithms for encryption have in common.
All complete algorithms for encryption have two things in common: a complex algorithm underlying the cipher, and a key or keys used to encrypt and decrypt the cleartext.
88. (p. 297) Explain ways a hacker can break a Caesar cipher.
A Caesar cipher replaces each letter with the letter a fixed number of places further along the alphabet, so there are only 25 possible keys and the ciphertext keeps the word lengths and letter patterns of the original. A hacker can therefore break it using word patterns, frequency analysis, or brute force. For instance, if the same three characters show up together in the same order more than once (establishing a pattern), the hacker can assume they stand for a common word such as "the" and then look for other occurrences of the letters that were substituted for "t," "h," and "e." Frequency analysis compares how often each ciphertext letter appears against the known letter frequencies of English, where "e" and "t" dominate, to find the shift. A brute-force attack is a trivial task for a computer: it simply tries all 25 shifts and keeps the one that produces readable text. The same exhaustive approach is what makes a brute-force or dictionary attack on a short, letters-only password quick work, trying each candidate until one is accepted and the hacker achieves entry.
89. (p. 308) Explain the connection between role-based access control (RBAC) and groups.
RBAC defines a user's access to a resource based on the roles the user plays in the network, and using groups to which various roles are assigned minimizes the administrative overhead, because an administrator can simply add a user to the group or groups that have the role or roles appropriate for that user.
90. (p. 300) Describe how the keys are used to encrypt and decrypt data with public-key encryption.
With public-key cryptography, a pair of keys is created: a public key that is used by the algorithm to encrypt data, and a private key that is used to decrypt the data.
91. (p. 300) What must you do if you want someone to send you encrypted e-mail using public-key encryption?
In order to have someone send you encrypted e-mail, you must first generate a key pair. Then, you send the other person the public key, and you retain the private key. The other person creates the message, using the public key, and then sends the message to you. You open and decrypt it with your private key of the key pair.
92. (p. 302-303) Hashes are not just for nonrepudiation. What are the other purposes for hashes?
While hashes are a great tool for nonrepudiation, they are also used on their own to check integrity, for example confirming that a downloaded file is unchanged by comparing its hash with a published value, and they are built into encryption and authentication schemes such as CHAP, where both ends hash a shared secret instead of sending a cleartext password.
93. (p. 305) Explain how you can examine the certificate a secure Web site sends to your Web browser.
To examine a certificate, use your Web browser to connect to an e-commerce site, such as eBay, and select the sign-in or log-in option. This will connect you to a secure Web page (as evidenced by the "https" protocol at the beginning of the address). Once connected to the secure Web page, use whatever method your browser provides for looking at certificates. In Firefox, double-click the lock icon in the status bar. The resulting dialog box gives you some information about the certificate and has a View Certificate button that you can click to see the actual contents of the certificate: who it was issued to, which certificate authority issued it, its validity dates, and the public key it carries.
94. (p. 305) How can you identify a secure Web page?
You can identify a secure Web page by two common methods. First, the protocol in the address bar will read: https, where the "s" stands for "secure." The second common method is a lock icon that may appear in the status bar of the Web browser.
95. (p. 304) Give a brief definition of a certificate.
A certificate is a standardized file that carries a public key together with identifying information about its holder and, usually, the digital signature of a trusted third party (a certificate authority) who guarantees that the organization passing out the certificate is who they say they are.
96. (p. 304) Explain the link between digital certificates and asymmetric cryptography.
The link between digital certificates and asymmetric cryptography is that a certificate is the vehicle for distributing the public half of a key pair: it binds that public key to an identity, which is why digital certificates are almost always used to verify the exchange of public keys.
97. (p. 310) Describe the handshake interaction between a CHAP initiator and an authenticator.
First, both ends of a CHAP connection must have the same shared secret, such as a password. After the initiator asks for a connection, the authenticator sends a challenge message containing a random value. The initiator combines that challenge with the shared secret, hashes the result, and sends only the hash back; the password itself never crosses the link. The authenticator performs the same hash on the challenge and its own copy of the secret and compares the two. If they match, the initiator is authenticated. Because each challenge is different, a captured response cannot simply be replayed later.
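Worked example (added here; not code from the textbook or its test bank) of the CHAP exchange in question 97, with both the initiator and the authenticator as code. The response computation follows RFC 1994 (MD5 over the identifier, the shared secret and the challenge); the user name, secret and challenge handling are constructed sample values. It also exercises the two failure cases a practitioner checks: a wrong secret, and a replayed response against a challenge that has already been consumed.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994, CHAP with MD5: Response = MD5(Identifier || Secret || Challenge).
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The side holding the list of user names and secrets (question 77)."""

    def __init__(self, users):
        self.users = users            # user name -> shared secret (constructed sample data)
        self.outstanding = {}         # identifier -> challenge issued but not yet answered

    def challenge(self, identifier: int) -> bytes:
        chal = os.urandom(16)         # fresh random value on every attempt
        self.outstanding[identifier] = chal
        return chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        # Each challenge is single-use: popping it here is what defeats a replay.
        chal = self.outstanding.pop(identifier, None)
        secret = self.users.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)   # constant-time comparison


class Initiator:
    """The side asking for the connection; it never transmits the secret itself."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        return chap_response(identifier, self.secret, challenge)


def run_handshake(authenticator: Authenticator, initiator: Initiator, identifier: int = 1) -> bool:
    # 1. challenge  2. response (hash only)  3. compare hashes
    chal = authenticator.challenge(identifier)
    resp = initiator.respond(identifier, chal)
    return authenticator.verify(identifier, initiator.name, resp)


def replay_demo() -> tuple:
    # An eavesdropper captures a valid response and sends it again: it must be rejected.
    auth = Authenticator({"alice": b"correct horse battery staple"})
    alice = Initiator("alice", b"correct horse battery staple")
    chal = auth.challenge(7)
    captured = alice.respond(7, chal)
    first = auth.verify(7, "alice", captured)
    second = auth.verify(7, "alice", captured)
    return first, second


if __name__ == "__main__":
    auth = Authenticator({"alice": b"correct horse battery staple"})
    print(run_handshake(auth, Initiator("alice", b"correct horse battery staple")))
    print(run_handshake(auth, Initiator("alice", b"wrong password")))
    print(replay_demo())
```

Note what the eavesdropper sees on the wire: a random challenge and a 16-byte hash. Recovering the secret from that pair means guessing secrets offline and hashing each one, which is why the strength of CHAP rests on the secret being hard to guess.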
98. (p. 311) Define port authentication.
Port authentication means authenticating a remote user or device at the particular point of entry (the port) through which it connects to a network, before it is allowed onto the network itself.
99. (p. 314) Explain why EAP was developed.
Extensible Authentication Protocol (EAP) was developed to give two devices a common way to negotiate which authentication method they will use, instead of hard-wiring a single method such as PAP or CHAP into the connection protocol.
100. (p. 314) Explain why EAP is not an actual protocol.
EAP is not an actual protocol. It is a wrapper that EAP-compliant applications can use to accept one of many types of authentication.
101. (p. 316) Why was it necessary to develop all-purpose encryption protocols for TCP/IP?
As the Internet evolved, and more and more people were discovering that their TCP/IP applications were not secure, programmers first developed secure versions of individual applications. Eventually, more forward-looking programmers developed all-purpose encryption protocols that were not tied to an individual TCP/IP application, and would therefore be multipurpose.
102. (p. 315) Define 802.1X.
802.1X is a port-authentication network access control mechanism for networks—a complete authentication standard designed to force devices to go through a full AAA process to get past the gateway to a network.
103. (p. 319-320) Explain how SSL and TLS differ in the applications with which they work.
SSL (Secure Sockets Layer) and Transport Layer Security (TLS) both combine authentication and encryption standards, but TLS is newer and is replacing SSL. While SSL is limited to certain applications (HTTP, FTP, SMTP, and a few older ones), TLS does not have that restriction and is used to secure VoIP and VPNs, as well as Web pages.
104. (p. 320) What are the two modes of IPSec and the differences between them?
The two modes of IPSec are Transport mode and Tunnel mode. In Transport mode, only the payload of the IP packet is encrypted; the header is not. In Tunnel mode, the entire IP packet is encrypted, including the header, and placed into an IPSec endpoint where another IP packet encapsulates it.
105. (p. 320) Briefly define an authentication header (AH), and the protocol with which it is associated.
An authentication header is part of the IPSec protocol, which can add an AH to every IP packet that uses IPSec. The header carries a keyed hash (an integrity check value) computed over the packet and a key shared by the two peers, so the receiver can verify that each packet was not altered in transit and came from a peer that knows the key.
106. (p. 316) Compare the components of a RADIUS AAA setup with those of an 802.1X.
An 802.1X implementation has the same three parts as a RADIUS AAA setup, under different names. The supplicant in 802.1X is what RADIUS calls the client (the user's device). The authenticator in 802.1X, the switch or access point guarding the port, plays the role RADIUS calls the NAS, or RADIUS client: it relays the credentials but does not hold them. The 802.1X authentication server is the RADIUS server itself, which holds the user database and makes the AAA decision.
107. (p. 318) When using public/private keys for authentication, what must you do after you generate a pair of keys?
After you generate a pair of keys, the public key must be copied to the server and the private key is kept safe on the client.
108. (p. 318) When using public/private keys for authentication, after the initial steps of generating the keys and sending the appropriate key to the server, what does the client do every time it connects to the server?
The client uses the private key to generate a signature, and sends this to the server in order to be authenticated.
109. (p. 298) Explain why a block cipher is more appropriate for TCP/IP data than a stream cipher.
A stream cipher takes a single bit at a time and encrypts on-the-fly, which is appropriate for data that comes in long streams, like cell phone data. A block cipher encrypts a block of data at a time, which is appropriate for data that comes in blocks, which is true of TCP/IP data, which comes in blocks that we call packets.
110. (p. 299) Explain the statement "AES is not limited to just TCP/IP."
Advanced Encryption Standard is not limited to TCP/IP, but is used for file encryption and wireless networking.
111. (p. 308) Describe the three types of ACL access models: mandatory, discretionary, and role-based.
The mandatory access control (MAC) model assigns every resource a label that defines its security level. A user may only access a resource if that user has the necessary security level. In the discretionary access control (DAC) model, each resource has an owner who may assign access to that resource at his or her discretion. The last and most popular model is role-based access control (RBAC). This model defines a user's access to a resource based on the roles the user plays in the network, and we assign these roles by giving the user membership in one or more groups with the appropriate access.
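Worked example (added here; not code from the textbook or its test bank) of the three access models in question 111 as decision functions, plus the effective ACL (question 70) that an RBAC configuration produces for a shared resource. The sensitivity labels, users, groups, roles and resource names are constructed sample data.

```python
from dataclasses import dataclass, field

# Mandatory access control: constructed sensitivity labels, least to most sensitive.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def mac_allows(user_clearance: str, resource_label: str) -> bool:
    # MAC: access only if the user's clearance is at least the resource's label.
    # Neither the user nor the resource owner can change the labels.
    return LEVELS[user_clearance] >= LEVELS[resource_label]


@dataclass
class DacResource:
    """Discretionary access control: the owner decides who gets what."""
    owner: str
    grants: dict = field(default_factory=dict)   # user -> set of permissions

    def grant(self, actor: str, user: str, perm: str) -> bool:
        if actor != self.owner:                  # only the owner may hand out access
            return False
        self.grants.setdefault(user, set()).add(perm)
        return True

    def allows(self, user: str, perm: str) -> bool:
        return user == self.owner or perm in self.grants.get(user, set())


class Rbac:
    """Role-based access control: permissions go to roles, roles to groups, users to groups."""

    def __init__(self):
        self.role_perms = {}     # role  -> {(resource, permission)}
        self.group_roles = {}    # group -> {role}
        self.user_groups = {}    # user  -> {group}

    def define_role(self, role: str, resource: str, perm: str) -> None:
        self.role_perms.setdefault(role, set()).add((resource, perm))

    def assign_role_to_group(self, group: str, role: str) -> None:
        self.group_roles.setdefault(group, set()).add(role)

    def add_user_to_group(self, user: str, group: str) -> None:
        # The only per-user administrative step: group membership.
        self.user_groups.setdefault(user, set()).add(group)

    def permissions_for(self, user: str) -> set:
        perms = set()
        for group in self.user_groups.get(user, set()):
            for role in self.group_roles.get(group, set()):
                perms |= self.role_perms.get(role, set())
        return perms

    def allows(self, user: str, resource: str, perm: str) -> bool:
        return (resource, perm) in self.permissions_for(user)

    def effective_acl(self, resource: str) -> dict:
        # The ACL the resource ends up with: each authenticated user and the actions permitted.
        acl = {}
        for user in self.user_groups:
            perms = {p for (r, p) in self.permissions_for(user) if r == resource}
            if perms:
                acl[user] = perms
        return acl


def build_sample_rbac() -> Rbac:
    # Constructed sample configuration for a payroll file share.
    rb = Rbac()
    rb.define_role("payroll-clerk", "payroll-share", "read")
    rb.define_role("payroll-manager", "payroll-share", "read")
    rb.define_role("payroll-manager", "payroll-share", "write")
    rb.assign_role_to_group("Payroll", "payroll-clerk")
    rb.assign_role_to_group("PayrollManagers", "payroll-manager")
    rb.add_user_to_group("dana", "Payroll")
    rb.add_user_to_group("frank", "PayrollManagers")
    rb.add_user_to_group("eve", "Sales")          # no payroll role at all
    return rb


if __name__ == "__main__":
    print(build_sample_rbac().effective_acl("payroll-share"))
```

Moving a user between groups changes every permission at once, which is the administrative saving the answer to question 89 describes; in the DAC model the same change would have to be repeated on each resource by each owner.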
112. (p. 295) Describe a few types of actions a user may be allowed through authorization.
Authorization defines what an authenticated user may do on a network; that can include the amount of bandwidth a user is allowed, or the time of day, or exactly what applications the user is permitted to access on the network.
113. (p. 312) Explain how a RADIUS server, which supports PPP, CHAP, and MS-CHAP, makes PPP more secure.
PAP is not secure because it transmits user names and passwords in cleartext. Because a RADIUS server supports CHAP and MS-CHAP, the client can instead answer the server's challenge with a hash computed from that challenge and the shared secret, so the password itself is never exposed on the PPP link.
114. (p. 313-314) Explain the authentication and authorization process for a user logging on to a Windows server environment (Active Directory with Kerberos).
A client logging on to a Windows domain sends a hash of the user name and password to the Authentication Server (AS). The AS compares that hash to the hash it computes from the user name and password in its database. If they match, the AS sends a Ticket-Granting Ticket (TGT) and a timestamp back. This is the authentication portion. For authorization, the client sends the TGT to the Ticket-Granting Service (TGS). The TGS sends back a timestamped service ticket, which is often called a token. The client can now use this token as a key to access resources on the entire domain, for as long as the user is authorized, without having to be reauthenticated for every different resource. The token has an expiration time (usually 8 hours), after which the client must reauthenticate to receive a new token.
115. (p. 318) Describe what happens to any packet entering a tunnel.
Any packet entering a tunnel, which is an encrypted connection between two endpoints, is encrypted, even if the packet already contained encrypted data.
116. (p. 302) Describe how encryption is implemented at various layers of the OSI model.
Encryption can happen at different layers of the OSI model using different methods, techniques, and technologies, as follows:
Layer 1: No common encryption at this layer.
Layer 2: Proprietary encryption devices.
Layer 3: IP Security (IPSec) protocol.
Layer 4: No built-in encryption methods for TCP or UDP.
Layers 5 and 6: Not common layers for encryption.
Layer 7: Many different applications and protocols use different encryption methods. Examples include SSL/TLS and SSH.
117. (p. 302-304) Describe the concept of nonrepudiation, and what technologies it uses.
Nonrepudiation guarantees that the sender of a message cannot later deny that they sent the message.
It is enabled through a combination of several technologies and techniques working together, including hashing and digital signatures.
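Worked example (added here; not code from the textbook or its test bank) of the "hashing plus digital signature" combination behind nonrepudiation in questions 85 and 117, which is also the mechanism of the digital signature in question 61 and of public-key SSH logins in question 108 (the client signs with its private key, the server checks with the public key). The RSA parameters are constructed from two known Mersenne primes and are a toy: far too small, and without padding, to be secure. Only the standard library is used.

```python
import hashlib

# Toy RSA key pair built from the Mersenne primes 2**89-1 and 2**127-1.
# Constructed for illustration only; real keys are thousands of bits and use padding.
P = 2 ** 89 - 1
Q = 2 ** 127 - 1
N = P * Q                               # public modulus
E = 65537                               # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent (modular inverse, Python 3.8+)


def digest_int(message: bytes) -> int:
    # Step 1 (hashing): fingerprint the message, reduced into the modulus range.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_exponent: int = D) -> int:
    # Step 2 (signing): encrypt the hash with the private key. Only its holder can do this,
    # which is what lets the recipient later prove who sent the message.
    return pow(digest_int(message), private_exponent, N)


def verify(message: bytes, signature: int, public_exponent: int = E) -> bool:
    # Anyone holding the public key undoes the signature and compares the recovered hash
    # with a hash they compute themselves over the received message.
    return pow(signature, public_exponent, N) == digest_int(message)


def demo() -> tuple:
    msg = b"Pay Bob 100"                  # constructed sample message
    sig = sign(msg)
    genuine = verify(msg, sig)                              # unaltered message, real signature
    tampered = verify(b"Pay Bob 900", sig)                  # message changed after signing
    forged = verify(msg, pow(digest_int(msg), E, N))        # attacker had only the public key
    return genuine, tampered, forged


if __name__ == "__main__":
    print(demo())
```

The hash step is what makes the signature cover the whole message while signing a fixed-size value; the private-key step is what makes it nonrepudiable, since a signature that verifies under Alice's public key could only have been produced with Alice's private key. A keyed hash such as HMAC would prove integrity too, but both parties hold the same key, so neither could prove to a third party which of them created the message.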
118. (p. 295) Describe the concept of authorization.
Authorization: what rights, privileges, permissions, and actions a person has or can take with respect to a resource or system. In other words, what they can and can't do!
119. (p. 323) Describe the Lightweight Directory Access Protocol.
LDAP is used to query directory services databases, which can give information on directory resources, such as printers, shares, computers and other objects that can be queried. Windows Active Directory is the most popular example of a directory database, and domain controllers use LDAP to replicate directory information among them.
120. (p. 315) Describe the difference between 802.1X and regular EAP.
802.1X essentially encapsulates EAP into an Ethernet frame, while regular EAP uses PPP.