Active Directory
What is a directory service? Active Directory is a directory containing information about network resources, such as computers, printers, applications, and people.
Introduction
Network security is based on three fundamental concepts: authentication, authorization, and the principle of least privilege.
Least privilege: provide users with the minimum privileges needed to accomplish the tasks they are authorized to perform
Least privilege
The principle of least privilege states that you should provide users with the necessary level of privilege to perform their jobs and no more. By restricting access that is not necessary to job performance, you can prevent malicious users from using extraneous privileges to circumvent network security.
Proof of Identity
Something you know: a password
Something you have: a smart card
Something you are: biometric data
Introducing Encryption
Secret key encryption: one key, protected
Public key encryption: two keys, one distributed and one protected
Example
LAN Manager (LM): used in OS/2, Windows for Workgroups, Windows 95, Windows 98, and Windows Me. Least secure protocol.
NTLM: used for connecting to servers running Windows NT Service Pack 3 or earlier.
NTLMv2: used for connecting to servers running Windows 2000, Windows XP, and Windows NT Service Pack 4 or higher.
Kerberos
Default authentication protocol for Windows Server 2003, Windows 2000, and Windows XP Professional. Most secure of the protocols listed.
Diagram (challenge/response): the server sends a nonce; the client answers with a value computed from the user's password hash and the nonce, so the password itself never crosses the network.
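The challenge/response exchange in the diagram above, written out as an added example (this is not code from the original slides). It assumes a constructed account `alice` with a made-up password, uses SHA-256 in place of the real password hash, and HMAC-SHA256 as the response function; the point it shows is that only the nonce and the response travel, that a wrong password fails, and that a captured response cannot be replayed against a fresh nonce. NTLM is the Windows protocol that follows this pattern.

```python
import hashlib
import hmac
import secrets

# Constructed demo credential (not a real account).
USERNAME = "alice"
PASSWORD = "correct horse battery staple"


def password_hash(password: str) -> bytes:
    """Both sides hold a hash of the password, never the password itself.
    (A production system uses a salted, slow KDF; plain SHA-256 keeps this
    example dependency-free.)"""
    return hashlib.sha256(password.encode()).digest()


def compute_response(pw_hash: bytes, nonce: bytes) -> bytes:
    """Response = HMAC(password hash, nonce): bound to the secret and to this
    one challenge, so a captured response cannot be reused."""
    return hmac.new(pw_hash, nonce, hashlib.sha256).digest()


class Server:
    def __init__(self, accounts: dict):
        self.accounts = accounts          # username -> password hash
        self.outstanding = {}             # username -> unanswered nonce

    def challenge(self, username: str) -> bytes:
        nonce = secrets.token_bytes(16)   # fresh, unpredictable, used once
        self.outstanding[username] = nonce
        return nonce

    def verify(self, username: str, response: bytes) -> bool:
        nonce = self.outstanding.pop(username, None)   # consumed, success or not
        if nonce is None or username not in self.accounts:
            return False
        expected = compute_response(self.accounts[username], nonce)
        return hmac.compare_digest(expected, response)  # constant-time compare


def login(server: Server, username: str, password: str) -> bool:
    """The only things on the wire are the nonce and the response."""
    nonce = server.challenge(username)
    return server.verify(username, compute_response(password_hash(password), nonce))


def replay_captured_response(server: Server) -> bool:
    """An eavesdropper captures one (nonce, response) pair from a genuine login
    and replays the response against a new challenge; returns whether it got in."""
    nonce = server.challenge(USERNAME)
    captured = compute_response(password_hash(PASSWORD), nonce)
    server.verify(USERNAME, captured)          # the genuine login consumes this nonce
    server.challenge(USERNAME)                 # attacker starts a new exchange ...
    return server.verify(USERNAME, captured)   # ... and replays the old response


def new_server() -> Server:
    return Server({USERNAME: password_hash(PASSWORD)})


if __name__ == "__main__":
    s = new_server()
    print("login:", login(s, USERNAME, PASSWORD), "replay:", replay_captured_response(s))
```

Two caveats a practitioner should keep in mind: because the response is computed from the stored hash, whoever steals the hash can answer challenges without knowing the password (pass-the-hash), and a captured (nonce, response) pair lets an attacker test password guesses offline, so weak passwords are still exposed.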
The Kerberos protocol gets its name from the three-headed dog in Greek mythology who guards the entrance to Hades.
The three components of Kerberos are:
The client requesting services or authentication.
The server hosting the services requested by the client.
A computer that is trusted by both the client and the server (the Key Distribution Center, KDC).
Kerberos authentication is based on specially formatted data packets known as tickets. In Kerberos, these tickets pass through the network instead of passwords. Transmitting tickets instead of passwords makes the authentication process more resistant to attackers who can intercept the network traffic.
Efficiency. When a server needs to authenticate a client, the server can validate the client's credentials without having to contact a domain controller.
Mutual authentication. The client and the server identities are validated to both the client and the server.
Delegated authentication. Allows services to impersonate clients when accessing resources on their behalf.
Simplified trust management. Kerberos can use transitive trusts between domains in the same forest and domains connected with a forest trust.
Interoperability. Kerberos is based on IETF standards and is therefore compatible with other IETF-compliant Kerberos realms.
When a user enters a user name and password, the computer sends logon credentials to the Key Distribution Centre (KDC). The KDC looks up the user's master key (KA), which is based on the user's password. The KDC creates two items: a session key (SA) to share with the user, and a Ticket Granting Ticket (TGT). To access a resource, the client presents its TGT and a timestamp encrypted with the session key. The KDC creates a pair of tickets, one for the client and one for the server the client wants to access resources on. Both tickets also contain a new key (KAB).
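The ticket flow just described, run end to end as an added example (not code from the slides or from any Kerberos implementation). The principals `alice` and `fileserver`, their keys, the 8-hour ticket lifetime and the 5-minute clock skew are constructed for the demo; real Kerberos encrypts tickets with AES, whereas this block uses a small HMAC-SHA256 based authenticated-encryption helper so that it runs on the standard library alone. It shows the three exchanges with the KA, SA and KAB keys from the text, and why a wrong password, a forged authenticator, or a tampered ticket is rejected.

```python
import hashlib
import hmac
import json
import secrets
import time


# --- toy authenticated encryption (standard library only) -----------------
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a small JSON document under `key` (stand-in for AES)."""
    pt = json.dumps(obj).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def master_key(password: str) -> bytes:
    """KA: derived from the password. The KDC stores it; the client derives it at logon."""
    return hashlib.sha256(password.encode()).digest()


def fresh(ts: float, skew: int = 300) -> bool:
    """Authenticators carry a timestamp; outside the skew window they are treated as replays."""
    return abs(time.time() - ts) <= skew


class KDC:
    def __init__(self, users: dict, services: dict):
        self.kdc_key = secrets.token_bytes(32)             # only the KDC can open TGTs
        self.keys = {**{u: master_key(pw) for u, pw in users.items()}, **services}

    def as_exchange(self, user: str):
        """AS exchange: logon in, SA (encrypted under KA) and TGT (under the KDC key) out."""
        sa = secrets.token_bytes(32)
        tgt = seal(self.kdc_key, {"user": user, "sa": sa.hex(), "exp": time.time() + 8 * 3600})
        return seal(self.keys[user], {"sa": sa.hex()}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """TGS exchange: TGT + timestamp in, a pair of tickets carrying KAB out."""
        t = unseal(self.kdc_key, tgt)
        if t["exp"] < time.time():
            raise PermissionError("TGT expired")
        sa = bytes.fromhex(t["sa"])
        a = unseal(sa, authenticator)                       # proves the client holds SA
        if a["user"] != t["user"] or not fresh(a["ts"]):
            raise PermissionError("bad or stale authenticator")
        kab = secrets.token_bytes(32)
        for_client = seal(sa, {"service": service, "kab": kab.hex()})
        for_service = seal(self.keys[service], {"user": t["user"], "kab": kab.hex()})
        return for_client, for_service


class Service:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def accept(self, ticket: bytes, authenticator: bytes) -> bool:
        """AP exchange: validated locally with the service key, no call to the KDC."""
        t = unseal(self.key, ticket)                        # KAB arrives inside the ticket
        a = unseal(bytes.fromhex(t["kab"]), authenticator)  # client must also know KAB
        return a["user"] == t["user"] and fresh(a["ts"])


class Client:
    def __init__(self, kdc: KDC, user: str, password: str):
        self.kdc, self.user = kdc, user
        reply, self.tgt = kdc.as_exchange(user)
        # A wrong password yields the wrong KA, and the AS reply fails to open.
        self.sa = bytes.fromhex(unseal(master_key(password), reply)["sa"])

    def access(self, service: Service) -> bool:
        auth = seal(self.sa, {"user": self.user, "ts": time.time()})
        mine, ticket = self.kdc.tgs_exchange(self.tgt, auth, service.name)
        kab = bytes.fromhex(unseal(self.sa, mine)["kab"])
        return service.accept(ticket, seal(kab, {"user": self.user, "ts": time.time()}))


def run_demo() -> dict:
    """Constructed principals: one user, one service."""
    kdc = KDC({"alice": "alice-pw"}, {"fileserver": secrets.token_bytes(32)})
    fileserver = Service("fileserver", kdc.keys["fileserver"])
    alice = Client(kdc, "alice", "alice-pw")
    try:
        Client(kdc, "alice", "wrong-password")
        wrong_pw_rejected = False
    except ValueError:
        wrong_pw_rejected = True
    return {"access_granted": alice.access(fileserver), "wrong_pw_rejected": wrong_pw_rejected}


if __name__ == "__main__":
    print(run_demo())
```

Note where each key lives: KA never leaves the client and the KDC, SA is only ever transported inside something encrypted under KA or the KDC key, and KAB reaches the service only inside a ticket sealed with the service's own key, which is why the service can check the client without a round trip to the KDC.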
Cryptography Basics
Encryption Types
Symmetric encryption: The same key is used for encryption and decryption. The key must be exchanged so that both the data sender and the recipient can access the plaintext data.
Asymmetric encryption: Two mathematically related keys, a key pair consisting of a public key and a private key, are used in the encryption and decryption processes.
If the public key is used for encryption, the associated private key is used for decryption. If the private key is used for encryption, the associated public key is used for decryption.
Data Encryption
Encryption protects data against inspection by unauthorized people.
Symmetric Encryption
Uses the same key for both encryption and decryption. Symmetric algorithms can encrypt large amounts of data quickly, because only one key is involved and the algorithms are much simpler than asymmetric ones.
The system generates a random symmetric key. The length of the key, typically expressed in the number of bits, is determined by the algorithm and the application
Symmetric Algorithms
Data Encryption Standard (DES): An encryption algorithm that encrypts data with a 56-bit, randomly generated symmetric key. A 56-bit key space can be searched exhaustively with modern hardware, so DES is no longer considered secure.
Triple DES (3DES): A variation on the DES encryption algorithm in which DES encryption is applied three times to the plaintext. The plaintext is encrypted with key A, decrypted with key B, and encrypted again with key C. A common form of 3DES uses only two keys: The plaintext is encrypted with key A, decrypted with key B, and encrypted again with key A. NIST has deprecated 3DES and disallows it for encrypting new data after 2023; AES should be used instead.
Advanced Encryption Standard (AES): Developed as a successor to DES, rather than using a 56-bit key, AES is able to use 128-bit, 192-bit, and 256-bit keys. AES uses the Rijndael algorithm and can encrypt data in one pass instead of three (as is the case with 3DES).
Key length (bits)   Number of possible keys
32                  2^32  = 4.3 x 10^9
56                  2^56  = 7.2 x 10^16
128                 2^128 = 3.4 x 10^38
168                 2^168 = 3.7 x 10^50
Key Distribution
1. A key could be selected by A and physically delivered to B.
2. A third party could select the key and physically deliver it to A and B.
3. If A and B have previously used a key, one party could transmit the new key to the other, encrypted using the old key.
4. If A and B each have an encrypted connection to a third party C, C could deliver a key on the encrypted links to A and B.
Session key: data is encrypted with a one-time session key; at the conclusion of the session the key is destroyed.
Permanent key: used between entities for the purpose of distributing session keys.
Asymmetric Encryption
Asymmetric encryption increases the security of the encryption process by utilizing two separate but mathematically related keys known as a public key and a private key. The encryption process is more secure because the private key is possessed only by the user or computer that generates the key pair. The public key can be distributed to any person who wishes to send encrypted data to the private key holder.
Asymmetric Encryption
The complexity of asymmetric encryption algorithms makes the encryption process much slower. Symmetric encryption is at least 100 times faster than asymmetric encryption when using software-based cryptography and can be as much as 10,000 times faster when using hardware-based cryptography.
Asymmetric Algorithms
Diffie-Hellman Key Agreement
Rivest Shamir Adleman (RSA)
Digital Signature Algorithm (DSA)
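The key distribution options listed earlier all need either physical delivery, an existing shared key, or a trusted third party. Diffie-Hellman, the first algorithm in the list above, removes that need: two parties with no prior secret agree on a session key over a channel an eavesdropper can read. The following is an added example (not code from the slides); it uses the standard 2048-bit MODP group from RFC 3526 (group 14), transcribed here and re-checked for primality by `check_group()` before use, and hashes the shared secret with SHA-256 to produce a symmetric session key. The party names `A` and `B` are placeholders.

```python
import hashlib
import secrets

# 2048-bit MODP group, RFC 3526 group 14 (transcribed; check_group() verifies it).
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
Q = (P - 1) // 2          # P is a safe prime, so G generates a subgroup of prime order Q


def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin; enough to catch a transcription error in P."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_group() -> bool:
    """Both P and Q = (P-1)/2 must be prime for the group to be a safe-prime group."""
    return P.bit_length() == 2048 and is_probable_prime(P) and is_probable_prime(Q)


class Party:
    """One endpoint of the agreement. Only `public` ever leaves this object."""

    def __init__(self, name: str):
        self.name = name
        self._private = secrets.randbelow(P - 3) + 2      # in [2, P-2], never transmitted
        self.public = pow(G, self._private, P)

    def session_key(self, peer_public: int) -> bytes:
        # Reject values an attacker could inject to force a predictable secret:
        # 0, 1, P-1, out-of-range values, and values outside the order-Q subgroup.
        if not 1 < peer_public < P - 1 or pow(peer_public, Q, P) != 1:
            raise ValueError("invalid peer public value")
        shared = pow(peer_public, self._private, P)
        # Hash the shared secret down to a 256-bit symmetric session key (KDF step).
        return hashlib.sha256(shared.to_bytes(256, "big")).digest()


def agree() -> tuple:
    """A and B exchange only public values; an eavesdropper sees P, G and both publics."""
    a, b = Party("A"), Party("B")
    return a.session_key(b.public), b.session_key(a.public)


if __name__ == "__main__":
    ka, kb = agree()
    print("group ok:", check_group(), "keys match:", ka == kb)
```

Plain Diffie-Hellman gives secrecy against a passive listener only; without authentication of the public values (a signature, a certificate, or a prior shared key), an active attacker can run one agreement with each side and sit in the middle, which is why TLS and IPsec sign or otherwise authenticate the exchanged values.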
Although encryption can keep data secret and protect data against modification, only digital signing proves the source of the data in addition to protecting the data from modification.
Message Digest
h = H(m)
Hash Algorithms
Message Digest 5 (MD5): This algorithm takes a message of any length and produces a 128-bit message digest. Secure Hash Algorithm 1 (SHA-1): This algorithm takes data that is less than 2^64 bits in length and produces a 160-bit message digest. Practical collision attacks are now known for both MD5 and SHA-1, so neither should be used where collision resistance matters (signatures, certificates); SHA-2, for example SHA-256, is the current choice.
Encryption vs Hashing
Encryption is for maintaining data confidentiality and requires the use of a key (kept secret) in order to return to plaintext. Hashing is for validating the integrity of content: any modification, however small, changes the hash output, so recomputing the hash and comparing it with the stored value detects the change. A hash involves no key, so on its own it does not tell you who produced the data.
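The integrity check described above, as an added example (not code from the slides). It computes the MD5, SHA-1 and SHA-256 digests from the hash-algorithm section, shows how many output bits change when a single input bit is flipped, and then goes one step beyond the text: because a plain digest can be recomputed by whoever alters the message, it also shows the keyed form (HMAC) that ties the digest to a key holder. The message text and the key are constructed for the demo.

```python
import hashlib
import hmac

# Constructed sample: a message and a one-character modification of it.
MESSAGE = b"Transfer 100 EUR to account 12345"
TAMPERED = b"Transfer 900 EUR to account 12345"


def digests(data: bytes) -> dict:
    """Fixed-size digests regardless of input length: MD5 128 bits, SHA-1 160, SHA-256 256."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def flip_bit(data: bytes, bit: int) -> bytes:
    """Return a copy of `data` with one bit inverted."""
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Number of output bits that differ between two digests (avalanche effect)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def integrity_ok(data: bytes, expected_sha256_hex: str) -> bool:
    """Recompute and compare in constant time. No key is involved, so this
    catches accidental or careless modification, not a deliberate attacker."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_sha256_hex)


def attacker_can_forge_plain_hash(replacement: bytes) -> bool:
    """Whoever can replace the message can also recompute its digest, so a plain
    hash sent alongside the data proves nothing about where it came from."""
    forged_digest = hashlib.sha256(replacement).hexdigest()
    return integrity_ok(replacement, forged_digest)


def mac(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: the digest now depends on a secret key, so an attacker
    without the key cannot produce a valid tag for a modified message."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def mac_ok(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(mac(key, data), tag)


if __name__ == "__main__":
    d = digests(MESSAGE)
    print(d)
    print("bits changed by a 1-bit flip:",
          differing_bits(d["sha256"], digests(flip_bit(MESSAGE, 0))["sha256"]))
    print("tampered passes plain-hash check:", attacker_can_forge_plain_hash(TAMPERED))
    tag = mac(b"shared secret", MESSAGE)
    print("tampered passes HMAC check:", mac_ok(b"shared secret", TAMPERED, tag))
```

HMAC proves the source only to parties that share the key; a digital signature does the same with a private key, so that anyone holding the public key can verify, which is the distinction the signing paragraph above draws.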