This article covers symmetric and asymmetric encryption, hashes, RADIUS, and single sign-on. It also covers certificates and trust and, at the end, IP tunneling.
Let’s start by discussing how to make TCP/IP secure. One thing that must be kept in mind while doing security is CIA (Confidentiality, Integrity, Availability). The first part, confidentiality, means I want to keep things confidential. The best way to do that is encryption: we need to make sure that data flying over the internet is encrypted so that nobody can see it.
Integrity is making sure that something really came from the source it claims to come from. In simple words, if someone is handing me something, I have to make sure it’s the same person it should be. This part includes certificates, hashes and a lot of stuff like that.
The last part, availability, is a balance: e.g. when you are locking a door, you have to make sure not to lock it so hard that it becomes very difficult for you to unlock. Availability means the thing we need is ready to go when we need it.
Two more important things are authorization and authentication. Authentication is giving someone rights to access something, e.g. username and password. Authorization is what you can do, e.g. access certain files.
We need encryption all over the place, from encrypting hard drives to emails, video and a lot of other stuff. So let’s understand what encryption is, starting with a very basic example: we have the word network, and we are going to encrypt this text using a very old technique called the Caesar cipher.
What we will do is increment each letter of the alphabet by 3, e.g. A will become D, B will become E, C will become F and so on. If we apply it to our text, it will become qhwzrun.
But the problem is that it’s very weak encryption and anyone can easily crack it. With a computer, however, we can make very complex algorithms that are difficult to break. One thing that all these algorithms have in common is a key.
So let’s say we have our own key=395, and we repeat it until all letters are covered, so for the word network it will be 3953953, and we use each digit of the key as the increment for the corresponding letter.
So in order to decrypt, the other person has to know the key. Remember that in this process you have a clear text, a key and an algorithm; you apply the algorithm using that key and get the encrypted text, called ciphertext, and you can decrypt it using the same key.
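The two ciphers described above, written out as an added example (not code from the original article). The function names are hypothetical, and brute_force goes one step beyond the text to show how small the key space of such a cipher is.

```python
from itertools import product

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"


def shift_cipher(text, key, decrypt=False):
    """Shift each letter by the matching key digit, repeating the key.

    key="3" is the Caesar cipher from the article, key="395" the
    repeating-key variant. Non-letters pass through unchanged and do
    not consume a key digit; input is lowercased first.
    """
    if not key or any(d not in DIGITS for d in key):
        raise ValueError("key must be a non-empty string of digits 0-9")
    shifts = [int(d) for d in key]
    out, used = [], 0          # used = key digits consumed so far
    for ch in text.lower():
        if ch not in ALPHABET:
            out.append(ch)
            continue
        shift = shifts[used % len(shifts)]
        used += 1
        if decrypt:
            shift = -shift     # same key, opposite direction
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
    return "".join(out)


def brute_force(ciphertext, known_plaintext, max_key_len=3):
    """Try every digit key up to max_key_len (1110 keys for 3 digits)
    and return the keys that decrypt to the known plaintext."""
    hits = []
    for length in range(1, max_key_len + 1):
        for digits in product(DIGITS, repeat=length):
            key = "".join(digits)
            if shift_cipher(ciphertext, key, decrypt=True) == known_plaintext:
                hits.append(key)
    return hits


if __name__ == "__main__":
    print(shift_cipher("network", "3"))      # Caesar cipher
    print(shift_cipher("network", "395"))    # repeating key 3953953
    print(brute_force("qnyzxwn", "network"))
```
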
Now the problem with symmetric encryption is that the key is needed to decrypt, and if you are using it you have to pass the key online, which is not safe. The big difference between asymmetric encryption and symmetric encryption is that in asymmetric encryption we have two keys.
A public key and a private key. You put the public key into an algorithm and it can only encrypt the data. But if you put the private key into the algorithm, all it can do is decrypt.
For example, I want someone to send me some data and I want to reply back with something. What we will do is exchange keys: I will send my public key to him and he will send his public key to me.
I will send him data encrypted using his public key, and he has his private key saved on his hard drive. He will send me data encrypted using my public key, and I have my own private key saved on my hard drive.
A lot of times when we send data to someone, we have to make sure that the data is correct and has not been changed. That’s where hashes come into play. What happens is that we have data (it can be text, video or anything), we pass it through a hash algorithm, and in return we get a string of, let’s say, 128 bits. Any time you pass this data through that algorithm you will get the same result.
If you change even a bit or a letter of the data, the hash will totally change. So this is a good way to verify whether data has changed or not. The biggest example is when you download software: they give you a hash along with the download, so after downloading you can run the same hash algorithm against that file, and if you get the same hash you will know it was downloaded correctly; otherwise there was a problem while downloading.
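The download check described above, as an added example (not code from the original article). It assumes SHA-256 as the hash algorithm, uses hypothetical function names, and builds its two sample files from constructed bytes so it runs offline.

```python
import hashlib
import hmac
import os
import tempfile


def file_digest(path, algorithm="sha256", chunk_size=65536):
    """Hash a file in chunks so large downloads need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published_hex, algorithm="sha256"):
    """Compare the file's hash with the one published next to the download."""
    expected = published_hex.strip().lower()
    return hmac.compare_digest(file_digest(path, algorithm), expected)


def bits_changed(hex_a, hex_b):
    """Number of differing bits between two hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def demo():
    """Write an intact and a one-bit-corrupted copy, then check both."""
    original = b"constructed installer bytes\n" * 5000
    corrupted = bytearray(original)
    corrupted[1234] ^= 0x01                       # flip a single bit
    published = hashlib.sha256(original).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good.bin")
        bad = os.path.join(tmp, "bad.bin")
        with open(good, "wb") as f:
            f.write(original)
        with open(bad, "wb") as f:
            f.write(bytes(corrupted))
        return {
            "intact_ok": verify_download(good, published),
            "corrupted_ok": verify_download(bad, published),
            "bits_changed": bits_changed(published, file_digest(bad)),
        }


if __name__ == "__main__":
    print(demo())
```

A hash fetched from the same place as the file tells you the download was not corrupted; it does not tell you who published the file, which is the problem digital signatures address.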
Identification: The process of finding out whether a person claiming to be someone really is that person. Examples would be username and password, captcha, security question, PIN code, etc.
Authentication: What it takes for you to get into a network, system or computer, e.g. usernames and passwords, certificates, RSA tokens, scanners, etc.
Authorization: Once you are in, what you can do in there is what authorization is.
Access Control List: A very generic term when it comes to identification and authorization. It is a set of rules which define what you can and cannot do. It includes MAC (Mandatory Access Control), DAC (Discretionary Access Control) and RBAC (Role-Based Access Control). We can create groups, give a group permissions for something and add people to that group.
RADIUS [ AAA (Authentication, Authorization and Accounting) ]
To understand how RADIUS works, let’s say we have three points A, B and C, each representing a different device. Let’s say C is the RADIUS server, which is nothing but a machine with RADIUS software on it, e.g. Microsoft IAS, Open radius. B is a RADIUS client; its job is to handle authentication requests coming from RADIUS supplicants, which is A. Now A makes requests, and B is the middleman who makes the request to the server running on C.
A is a mobile phone which sends a RADIUS request to the RADIUS client B, which then forwards it to RADIUS server C. RADIUS is going to be using certificates, username and password, something that is coming from A. Now all of that information doesn’t have to be on RADIUS server C; it can be on a database server called D, and C can access data from D.
One thing you need to know about RADIUS is that it runs on UDP ports 1812-1813 or 1645-1646. RADIUS provides us Authentication, Authorization and Accounting (keeping track of who does what).
Cisco has its own alternative called TACACS+, which works the same, just with different terms, and it runs on TCP port 49. It has a TACACS+ user, which is A, a TACACS+ client, which is B, and a TACACS+ server, which is C.
Kerberos is designed to do authentication for the local area network. Let’s say we have a client and a server. When you set up a Windows server as a domain controller, it becomes a Key Distribution Center (KDC). The KDC has two important things: AS (Authentication Service) and TGS (Ticket Granting Service).
When the client logs in, it sends a hash value of the username and password to the server. The AS (authentication server) verifies it and sends back a TGT (Ticket-Granting Ticket) token which says it’s authenticated. The client timestamps the TGT and sends it back to the server.
The server again timestamps the TGT, which is then changed into the token and sent to the client. This token is normally valid for 8 hours, and if any other computer over the network wants to access any resource, they use this token to access it.
For using Kerberos you have to buy a copy of Windows Server. Because of the timestamps, you have a very small amount of time to do this, as it’s trying to prevent man-in-the-middle attacks. You have to have all of your computers set to the same time. You can use NTP (Network Time Protocol) to do this job.
EAP ( Extensible Authentication Protocol )
EAP enables flexible authentication. It allows transitional base authentication mechanisms to talk to each other, saying: I can do this type of authentication, what can you do? In easy words, you can say it’s an envelope telling what you can do.
Another version of it is PEAP (Protected Extensible Authentication Protocol), which uses a username and password. Another one is EAP-MD5, which uses a hash. We can also use EAP-TLS, which is a single certificate that comes from the server side of the system.
Let’s say on a local area network we have a few computers sharing stuff, e.g. a printer, data, etc. To access any computer I have to know its username and password, which is very bad. One thing I could do to solve this issue is use the same password for all of them, but this is a bad idea.
So the alternative is single sign-on. The idea is that I log in to something and I am automatically logged in to all the required devices. To apply this process on a LAN you have to use Windows Active Directory. We establish a domain and then join all the computers to this domain one by one, manually. Once that’s done, we don’t have to log in to any of them and everything is done automatically for us.
So now every computer on the domain trusts us and will not ask for a username and password.
SAML ( Security Assertion Markup Language )
SAML is used when you want to access something online instead of on the LAN. SAML is designed for web applications; it allows us, as a single person at a single place, to log in to a whole bunch of devices. What we do is log in through an identity provider, and that gives us a token to access all service providers, e.g. cameras, PCs, etc.
For the local area network, use Windows Active Directory for single sign-on. SAML is used to manage multiple apps using a single account.
Certificates and Trust
Normally in asymmetric encryption, we have a public key and a private key. When you open a website, the public key is automatically sent, but the problem is: do you, as a client, really know that the key is from the requested website? There are two problems: the first is where this key comes from, and the second is whether it is the person that you think it is.
Previously we said you encrypt with the public key and then decrypt with the private key. But in reality there is no difference between them. They have different binary values, but you can encrypt with the public key and decrypt with the private key, or you can encrypt with the private key and decrypt with the public key; both work the same. This is what I mean by both being the same.
Both can be used for both purposes, but we never do that. Now let’s say a webpage is being opened. What I will do is send you my public key, and along with my public key I will send you a hash of that webpage produced with my private key. What you can do is use the public key to get the hash of that webpage and make sure both hashes are the same. We call this a digital signature. It’s just a hash, that’s all it is.
But there is still a problem: we still don’t know who sent us this certificate. It says that I have sent it, but I am still not sure, so what we do is both agree on a third party, and that third party website will also send a digital signature.
So now when we join the public key, my signature and the third party’s digital signature, we call this a certificate. A digital certificate is just a document that is filled with information on the public key and both digital signatures. Now I can put this certificate on the website and pass it to anyone.
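The signature and certificate idea described above, as an added sketch (not code from the original article). It uses textbook RSA without padding over toy keys built from Mersenne primes, so it is for illustration only; the helper names, the subject example.test and the sample page are constructed, and real certificates use X.509 with padded signatures.

```python
import hashlib

E = 65537  # public exponent shared by all demo keys


def make_keypair(p, q):
    """Textbook RSA key pair from two primes: (public, private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, E), (n, d)


def digest_int(data, n):
    """SHA-256 of the data as an integer reduced into the key's range."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data, private_key):
    """The 'hash run through the private key' from the article."""
    n, d = private_key
    return pow(digest_int(data, n), d, n)


def verify(data, signature, public_key):
    """Recover the hash with the public key and compare it with our own."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(data, n)


def cert_body(subject, public_key):
    return f"{subject}|{public_key[0]}|{public_key[1]}".encode()


def issue_certificate(subject, public_key, private_key, ca_private):
    """Public key + owner's signature + third party's signature."""
    body = cert_body(subject, public_key)
    return {"subject": subject, "public_key": public_key,
            "self_signature": sign(body, private_key),
            "ca_signature": sign(body, ca_private)}


def check_certificate(cert, ca_public):
    """Both signatures must match the subject and key in the certificate."""
    body = cert_body(cert["subject"], cert["public_key"])
    return (verify(body, cert["self_signature"], cert["public_key"])
            and verify(body, cert["ca_signature"], ca_public))


# Constructed demo keys; far too small for real use.
SITE_PUB, SITE_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
CA_PUB, CA_PRIV = make_keypair(2**107 - 1, 2**127 - 1)
CERT = issue_certificate("example.test", SITE_PUB, SITE_PRIV, CA_PRIV)
PAGE = b"<html>constructed page</html>"
PAGE_SIG = sign(PAGE, SITE_PRIV)
```
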
Now, who do you trust? Well, there are three ways to trust.
Unsigned Certificate: Generate a certificate on your own; forget the third party and just make your own. This works when you are working in a private network, e.g. employees working for a company.
Web of Trust: It works as a web, e.g. I get two people to sign my certificate, others will sign for them, and this process goes on. The web of trust uses a web of mutually trusting peers.
PKI (Public Key Infrastructure): This is the right way and how the internet works nowadays. You start from the root server at the top, then there are intermediate servers in the middle to do the load balancing, and then users at the end.
At the top, we have a certificate authority that just issues certificates, e.g. Verisign, Thawte, etc. In the middle, we have intermediate certificate authorities, which are only there to help manage the load.
Some of the errors you can get related to certificates: a self-signed certificate can throw you a 443 error, as the certificate is not issued by the authorities. What you can do is open the site if you think it is secure.
An expired certificate can also be viewed and then fixed, either by getting a new certificate from its issuer or by accepting the certificate in its current state.
Understanding IP Tunneling
Normally, if you want to access your computer from home, you do it through software like VNC, which lets you access it from your home PC. You install a server on the PC you want to access and the client on the other one. One problem with this method is that it is not encrypted.
In tunneling, we simply run the program through a secure program, e.g. SSH. For example, when we type something on the keyboard, it will first go to the SSH server and after that it will go to the VNC server.