Thursday, May 4, 2017 1:12 PM
1. Symmetric Encryption
In this episode, Mike explores the simplest type of encryption, symmetric encryption. Both parties have
the same key to encrypt and decrypt.
From <https://hub.totalsem.com/content/2257#path=2257,2449,2450>
Let's start off with an old decoder ring: the Caesar cipher. Basically you take a ring that has the alphabet on
one side and the alphabet on the other side, and you turn it so that every letter is shifted by the same amount.
Network+ Page 1
For example, let's increment each letter of the alphabet by 3.
This can be broken very quickly: there are only 25 possible shifts, so you simply try them all.
With computers we can make very complicated algorithms. The algorithm is the process that stirs up the values.
All algorithms have one thing in common: a key.
Mike's algorithm for encryption: the key has to be 8 characters long, each character a digit 0‐9.
We take that key and keep repeating it underneath the clear text:
To use the Caesar cipher with this key, instead of incrementing every letter by one common value we shift each
letter by the key digit sitting underneath it (a repeating-key cipher, the same idea as Vigenère). By doing that,
we get ciphertext that looks something like this:
This is a lot harder to break than the simple Caesar cipher, although a short key that repeats still gives
way to frequency analysis once an attacker has enough ciphertext.
To encrypt things you need:
1. An algorithm
2. A key value
Mike's Algorithm machine:
We start out with a piece of cleartext (a Word doc, a phone conversation, etc):
In order to encrypt something we have to generate a key
We put the key in the algorithm and run the cleartext through the algorithm
…then we get ciphertext.
All algorithms work this way! They will all have cleartext, ciphertext, an algorithm, and a key.
Symmetric Encryption: an algorithm that uses the same key to encrypt and decrypt.
Whenever you send symmetrically encrypted data you always have to have a key with it.
It is extremely common. Wi‐Fi networks use RC4 or AES symmetric encryption (WEP and the original WPA used RC4;
WPA2 uses AES), and it is done as an automatic process.
2. Asymmetric Encryption
In this episode, Mike describes encryption that uses public and private keys for encrypting and
decrypting text.
From <https://hub.totalsem.com/content/2257#path=2257,2449,2451>
One of the problems with symmetric encryption is that in order for someone to decrypt your data they have
to have a copy of the key. Keys get passed around the internet, and that is a real problem if a key gets into
the wrong hands: anyone holding it can decrypt everything protected by it.
Rivest, Shamir, and Adleman published RSA (1977), the best-known algorithm for a newer methodology called
Asymmetric Encryption (the idea itself was published a year earlier by Diffie and Hellman).
Asymmetric Encryption has 2 keys:
1. Public Key
2. Private Key
For encryption: the public key encrypts, and only the matching private key decrypts.
(The roles reverse for digital signatures: the private key signs, the public key verifies.)
Key Pair:
Mike Meyers sends his Public key to Mike Jones.
This process of exchanging keys is known as a key exchange.
Mike Jones encrypts with that Public Key; only Mike Meyers, using his Private Key, can decrypt the data.
Public Keys are stored on local storage or online (key servers, certificates) so we can access them easily.
3. Cryptographic Hashes
In this episode, Mike demonstrates how hashes, such as MD5 and SHA‐1, work.
From <https://hub.totalsem.com/content/2257#path=2257,2449,2452>
A hash is an algorithm that doesn't encrypt. Instead it takes a big string of data, puts it through the hash
algorithm, and creates a fixed‐size hash value.
You can take another bunch of text that is smaller, run it through the hash algorithm, and you will still
get a fixed amount of text (for MD5, 128 bits, written as 32 hexadecimal characters; for SHA‐1, 160 bits,
40 hex characters). No matter what you run through it, it will always come out the same size.
Hashes are used to verify data integrity
i.e. you can take a giant video file, change 1 bit, and you will get a completely different hash value
Hashes are a great way to verify that the data hasn't been changed
One of the most common places you see people use hashes is when you're downloading stuff.
Example: he's downloading a huge 700 MB ISO file for Ubuntu. You can use hashes for this.
The 2 most common hashes (at the time) are MD5 and SHA‐1. Both have practical collision attacks today, so
current download pages publish SHA‐256 instead: MD5 still catches an accidentally corrupted download, but it
no longer protects you against a deliberately substituted file.
These are actually the hash values for all of the different files that he can download. He can download
the file, run his own hash against that file, and if his value does not match this one then he knows
there is a problem with the download: he's got the wrong file, or just something else is wrong.
Online there are lots of hash generators. You can type in any value you want into them and run the
hashes.
Here are all the different types of hashes you can use:
MD5 and SHA1 are most common.
Hashes: it's not encryption, it's not authentication, it's just a way to confirm that whatever piece
of data you have is exactly what you were expecting. That only works if the expected value came from
somewhere you trust: a checksum sitting next to the download on the same page can be replaced along with
the file, which is why vendors also sign their checksum lists.
4. Access Control
In this episode, Mike dives into access control lists, describing the three levels of control commonly used
in computing.
From <https://hub.totalsem.com/content/2257#path=2257,2449,2453>
Authentication: what it takes for you to get into the network/computer/resource. Usernames and
passwords, certificates, smart cards, retinal scanners: the things that let the system know you are who you
claim to be.
Authorization: what you can do once you are in.
Access Control Lists: exist everywhere! There's going to be an ACL when it comes to authentication and
authorization. i.e. on a computer it is usernames and passwords and what people can do on folders.
A wireless network has an ACL that determines the password and channels. On his internet connection he's got
an ACL that blocks port numbers.
There are 3 types of Access Control that you need to be aware of for the exam:
1. Mandatory Access Control. You put labels on the resource itself, like Top Secret, and the label
(compared against the user's clearance) defines what you can or cannot do (access it or not). The owner of
the resource cannot override it, which makes it a little limiting.
2. Discretionary Access Control. The owner of the resource can define its permissions in lots of different
ways. Gives more flexibility. i.e. Owner, Reader, Writer, etc.
3. Role Based Access Control. What we use today more than anything else. We create users, put the
users into a group (the role), and assign rights/permissions to the group. This is Microsoft best practice:
users go into groups, and the groups get the rights and permissions.
5. AAA
Mike describes the primary tools for providing network authentication, authorization, and accounting;
notably RADIUS and TACACS+.
From <https://hub.totalsem.com/content/2257#path=2257,2449,2454>
These 3 blocks represent 3 different devices:
RADIUS Server: a system running some type of RADIUS authentication software. i.e. Microsoft IAS,
Steel‐Belted RADIUS, Open RADIUS.
RADIUS Client: not who is being authenticated. Its job is to handle requests from RADIUS
supplicants: it is the intermediary (the access point, switch or VPN box) that makes the RADIUS request
to the server itself.
RADIUS Supplicant: the one who wants to get authenticated.
Let's say we have a wireless access point set up as a RADIUS client. The supplicant is some laptop or
smartphone; it hands its credentials to the RADIUS client (the supplicant itself never speaks RADIUS), and the
client sends the RADIUS request to the RADIUS server itself.
The actual user database doesn't have to be on the RADIUS server computer. The database could be a
Windows domain controller, and the RADIUS server would authenticate against the accounts in that domain, or
something like that.
This is a pretty standard setup.
RADIUS uses UDP ports 1812 (authentication) and 1813 (accounting), or the older UDP ports 1645‐1646
RADIUS provides AAA: Authentication, Authorization, and Accounting.
There is another version of AAA on the Network+ called TACACS+
TACACS+ is a Cisco-developed protocol (proprietary at the time; since written up in RFC 8907). It lets people
handle management of a large number of routers and switches. It is not very common in a wireless network.
Client is a router in an enterprise.
Server is some computer in the enterprise keeping track of all these things.
User is someone logging into the network and wants to get to a bunch of the routers.
Remember: it uses TCP port 49
In summary,
RADIUS uses UDP and TACACS+ uses TCP
They both do AAA
A RADIUS client is an intermediary agent between a RADIUS supplicant and a RADIUS server.
A RADIUS database of authenticated users and passwords may reside outside the RADIUS server (i.e. like
in Active Directory).
RADIUS uses UDP ports 1812‐1813 or UDP ports 1645‐1646, and TACACS+ uses TCP port 49
RADIUS only obfuscates the User‐Password attribute (MD5 with the shared secret); TACACS+ encrypts the whole
packet body. Either way the shared secret between client and server is what protects the exchange, so treat it
like a password.
6. Kerberos/EAP
In this episode, Mike discusses two commonly used authentication mechanisms for remote connectivity;
Kerberos and EAP.
From <https://hub.totalsem.com/content/2257#path=2257,2449,2455>
Authentication got started with PPP, which was designed for dial‐up/remote connections. We need
something different for wired (LAN) networks, where a different method of authentication brings a lot of
efficiencies.
Kerberos is designed to do authentication for Local Area Networks. It works differently from the PPP concepts.
Windows client = orange block
Windows server = blue block
Can setup Windows server as a Key Distribution Center
When you setup a Windows server to be a domain controller, it becomes a Kerberos Key Distribution
Center.
KDC consists of 2 important services:
1. Authentication server
2. Ticket granting service
That's all built into the KDC.
When your computer logs in, it contacts the Authentication Server. The password itself never goes over the
wire: the client proves it knows it by encrypting a timestamp with a key derived from the password hash. The
Authentication Server checks that and sends back a Ticket Granting Ticket (TGT), which only the KDC can read,
plus a session key the client can unwrap. That gets him authenticated.
When the client wants a resource, it sends the TGT, together with a freshly timestamped authenticator,
over to the Ticket Granting Service. The TGS reads the TGT, checks the timestamp, and issues a service
ticket (also timestamped), which is the token.
The token is then passed back to the client. It is good for a fixed lifetime (8 hours is the figure Mike
gives; the Windows domain default is 10 hours, and it depends how you have it set up).
Any time your computer wants to access a resource on any other computer on the network, it uses
that token to do so (as long as they're part of the same domain / AD).
Anyone who has Windows domains and domain controllers is using Kerberos by default.
Downsides to Kerberos:
You have to have a KDC. In a Windows shop that means a domain controller, so you have to buy a copy of
Windows Server. For example, universities might have a bunch of Linux boxes but buy a copy of Windows Server
to use for Kerberos. (MIT Kerberos and Heimdal are free implementations if you do not want Windows.)
Everything is time stamped. Tickets and authenticators are only valid for a short window because that protects
against replay and man‐in‐the‐middle attacks. All your computers need to be set to the same time (the default
tolerance is 5 minutes). When you have a Windows system and you are unable to log into a system, one of the
first things you should do is check the time.
Kerberos is great but it is designed for local networks. PPP is great but it is designed for point‐to‐point
connections. To fix this we came up with EAP.
EAP is like an envelope. It lets the two sides of an authentication negotiate: "hey, I can do these
types of authentication, what can you do?" That allows a lot of flexibility where before you would set
things up so they could only do certificates or only a password.
You have outrageous flexibility now :)
EAP itself authenticates nothing; it negotiates and carries the method that does.
Here are the big types of EAP you can do:
1. Pre‐shared key: EAP‐PSK
2. Username/password: PEAP (Protected EAP; the password exchange runs inside a TLS tunnel that the server's
certificate authenticates)
3. Hash: EAP‐MD5 (a challenge/response; no mutual authentication, so it is not used for wireless)
4. Certificate: EAP‐TLS (requires both the authenticating server and each individual client to have a
certificate)
5. Certificate: EAP‐TTLS (only the server needs a certificate; the client authenticates inside the TLS tunnel,
typically with a password)
EAP was designed as a way of carrying any kind of authentication that anybody could possibly want
to do. This way we don't have to worry about what type of authentication method you used.
The only real challenger is Kerberos.
EAP is pretty much used exclusively to connect to wireless networks (it is what 802.1X carries, so wired
switch‐port authentication uses it too, but WPA‐Enterprise Wi‐Fi is where you will meet it).
7. Cryptographic Tunnels with SSH
In this episode, Mike explores the process of making secure connections through tunnels.
From <https://hub.totalsem.com/content/2257#path=2257,2449,2456>
Mike uses a program called VNC to access his home computer from the office. VNC is free, runs on many
different operating systems, and works well.
He puts a VNC server on his home computer (the computer he wants to access) and puts a VNC client on
whatever computer he wants to use to access his home computer with.
He makes the connection and it is like he is working right on his home computer.
The downside is that VNC traffic is unencrypted, so anyone who can intercept the data going between his
computers can see what he's doing. If he wants to encrypt the data, he can either:
1. Rewrite VNC (the program) to include encryption
I.e. Microsoft's Remote Desktop Protocol has it built in
The internet is full of programs that could use encryption (i.e. email, games, telnet). Having to
rewrite every one of those protocols to handle encryption is too much.
2. Piggyback on a protocol (i.e. SSH) that's already encrypted
Run the data through an SSH program. i.e. PuTTY is an SSH program. Fire up PuTTY and make the SSH
connection.
Part of PuTTY is the SSH endpoint that handles the encryption. On top of it sits the interface that handles
commands like dir: it takes keyboard input and feeds it straight into SSH. Instead, tell PuTTY to take its input
directly from the VNC client (rather than from the keyboard).
Equally it can take the output and hand it back to the VNC client. There are settings in PuTTY (port forwarding,
under Connection > SSH > Tunnels) that you have to go into to configure this.
Plug in the VNC server at the far end.
Now anything you type into the VNC client goes into the SSH program, the other SSH endpoint
decrypts it and hands it to the VNC server.
This is what a tunnel is. A tunnel starts by making an encrypted connection between 2 computers.
Make the connection, then point the applications on either end of that connection at the tunnel rather than
at each other, so their traffic goes through the tunnel itself.
The #1 reason we do tunneling is to encrypt unencrypted protocols.
8. Network Time Protocol
In this brief episode, Mike reveals the secret importance of NTP.
From <https://hub.totalsem.com/content/2257#path=2257,2449,2457>
Out on the internet there are a few computers keeping very precise time (stratum 1 servers tied to atomic or
GPS clocks). Any computer‐based clock can be set from NTP servers that trace back to them.
NTP runs on UDP port 123
This computer is set to auto sync with time.windows.com
Hit Change Settings if you want to change which Internet Time server it syncs with
There are a lot of features on a lot of computers where synchronization becomes absolutely critical:
movies that are distributed to computers individually, a lot of phone systems, even Windows logons
themselves (Kerberos rejects tickets when clocks differ by more than the allowed skew).