2020 Soft Exam Information Security Engineer (Second Edition) Study Summary [3]

Chapter 5 Physical and Environmental Security Technology

Physical security concepts and requirements

  • Physical security concept
    • Traditional physical security, in the narrow sense, refers to the overall security of all the hardware supporting the operation of a network information system, including the environment, equipment and recording media.
    • In a broad sense, physical security refers to the security of the cyber-physical system composed of hardware, software, operators and the environment.
  • Physical security requirements
    • "Technical Requirements for Information System Physical Security (GB/T 21052-2007)" defines 4 levels of protection:
      1. Level 1, user discretionary protection: provides basic physical security protection
      2. Level 2, system audit protection: provides appropriate physical security protection
      3. Level 3, security label protection: provides a higher degree of physical security protection
      4. Level 4, structured protection: provides a still higher degree of physical security protection

Physical environment safety analysis and protection

  • Natural disaster protection
    • Waterproof, fireproof, shockproof, lightningproof
  • Man-made damage, rodent and insect pest protection
    • Anti-theft, anti-rodent and anti-insect measures
  • Electromagnetic and power supply safety protection
    • Electromagnetic interference protection, anti-static measures, safe power supply

Computer room safety analysis and protection

  • Computer room composition content
    • "General Specification for Computer Sites (GB/T 2887-2011)" (rooms may be combined, added or omitted as appropriate):
      1. Main working rooms: host room, terminal room, etc.
      2. First-class auxiliary rooms: low-voltage power distribution room, uninterruptible power supply room, air-conditioning room, generator room, gas cylinder room, monitoring room, etc.
      3. Second-class auxiliary rooms: data room, maintenance room, technical staff office
      4. Third-class auxiliary rooms: storage rooms, buffer rooms, technician lounges, toilets
  • Computer room security level
    • The General Specification for Computer Sites (GB/T 2887-2011) divides computer rooms into three levels, A, B and C:
      • Level A: an interruption of the computer system would cause serious damage to national security, social order and public interests
      • Level B: an interruption of the computer system would cause major damage to national security, social order and public interests
      • Level C: computer rooms not belonging to Level A or B
  • Computer room site selection
    • Environmental safety
    • Site reliability
    • Site resistance to electromagnetic interference
    • Strong vibration sources and strong noise sources should be avoided
    • Avoid the upper floors of buildings, and avoid the floor below or rooms adjacent to water-using equipment

Security Analysis and Protection of Network Communication Line

  • Network communication line security analysis (threats)
    • The network communication line is cut
    • The network communication line suffers electromagnetic interference
    • Information leaks through the network communication line
  • Network communication line security protection
    • Network communication equipment: use equipment redundancy
    • Network communication lines: use multi-path communication

Equipment physical safety analysis and protection

  • Equipment physical security analysis (threats)
    • Security threats from the physical environment of the device
    • The physical device is stolen or damaged
    • The physical device is subject to electromagnetic interference
    • The equipment supply chain is interrupted or delayed
    • The firmware of the device is attacked
    • Hardware attacks on the device
    • Security threats to the control components of the device
    • Unauthorized external connections by the equipment
  • Equipment physical security protection
    • GB/T 21052-2007, main technical measures:
      1. Equipment marking and labeling
      2. Equipment electromagnetic radiation protection
      3. Equipment static electricity and electrical safety protection
      4. Equipment magnetic field immunity
      5. Equipment environmental safety protection
      6. Equipment adaptability and reliability protection (including temperature, humidity, impact and collision adaptability, reliability, supply chain resilience, safety and quality assurance, safety compliance and safety review)

Storage media security analysis and protection

  • Storage media security analysis (threats)
    • Storage management failure
    • Stored data leaks
    • Storage medium and storage device failure
    • Insecure deletion of storage media data
    • Malicious code attack
  • Storage media security protection
    • Strengthen storage security management (a designated person responsible for approval, registration, backup, sealing and data deletion)
    • Encrypted data storage
    • Fault-tolerant and disaster-tolerant storage technology (disk array, dual-machine online backup, offline backup)

Chapter 6 Principles and Applications of Authentication Technology

Authentication overview

  • Authentication concept
    • Authentication is the process by which one entity proves its claimed identity to another entity.
    • Authentication generally consists of two parts: **identification and authentication**
  • Authentication basis: also known as authentication information, which refers to the credential used to confirm the authenticity of the entity's identity or its attributes
    • Known secret information
      • Secret information held by the claimant, such as passwords and verification codes
    • Physical certificate
      • Unforgeable physical devices held by the claimant, such as smart cards and USB key tokens (USB shields)
    • Biometric characteristics
      • The biological characteristics of the claimant, such as fingerprints, voice, face
    • Behavioral characteristics
      • The behavioral characteristics of the claimant, such as keyboard strokes, mouse usage habits
  • Authentication principle
    • The authentication mechanism consists of the verification object, the authentication protocol, and the authentication entity
    • Classified by the number of kinds of authentication credentials the verification object requires
      • Single-factor authentication
      • Two-factor authentication
      • Multi-factor authentication
    • Classified by how long the authentication credential remains valid
      • One-time password (OTP), e.g. an SMS verification code
      • Continuous authentication: the user's identity is continuously detected and verified from the user's characteristic behavior throughout the session

Authentication types and authentication process

  • One-way authentication

    • During the authentication process, the verifier unilaterally authenticates the claimant, and the claimant does not need to authenticate the verifier

    • Two technical methods for one-way authentication

      • Based on a shared secret

      • Based on challenge-response

  • Mutual authentication

    • During the authentication process, **the verifier authenticates the claimant, and at the same time the claimant also confirms the verifier's identity**

  • Third-party authentication: the two entities complete authentication through a Trusted Third Party (TTP)

  • Entity A and entity B can use third-party-based authentication schemes of various forms; the scheme chosen here is third-party challenge-response
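An added example (not part of the original notes) contrasting the two one-way authentication methods above: a proof derived only from the shared secret can be replayed by anyone who captured it, while a challenge-response verifier that issues single-use random challenges rejects the replay. The shared secret, the claimant name and the HMAC-SHA256 construction are assumptions made for this example.

```python
import hashlib, hmac, os

# Constructed shared secret between claimant "alice" and the verifier (assumption: pre-shared)
SECRET = hashlib.sha256(b"constructed shared secret for alice").digest()

def static_proof(secret):
    # Method 1, shared-secret based: the proof depends only on the secret, so a captured
    # proof is identical next time and can be replayed by an eavesdropper
    return hmac.new(secret, b"login", hashlib.sha256).hexdigest()

def response(secret, challenge):
    # Claimant side of method 2: answer the verifier's fresh challenge with an HMAC
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()

class Verifier:
    """Verifier side of method 2: issues single-use random challenges and checks answers."""
    def __init__(self, secret):
        self.secret, self.outstanding = secret, set()

    def challenge(self):
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, challenge, answer):
        if challenge not in self.outstanding:
            return False                     # unknown or already-consumed challenge
        self.outstanding.discard(challenge)  # each challenge is accepted at most once
        expected = hmac.new(self.secret, challenge, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, answer)

def replay_comparison():
    # Returns (static proof replays, fresh response accepted, replayed response accepted)
    v = Verifier(SECRET)
    static_replays = static_proof(SECRET) == static_proof(SECRET)
    c = v.challenge()
    r = response(SECRET, c)
    return static_replays, v.verify(c, r), v.verify(c, r)
```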

Authentication technology method

  • Password authentication technology

    • Authentication based on a secret that the user knows is a common identity authentication method on the Internet; network equipment, operating systems and network application services all use password authentication technology
    • Password authentication is vulnerable to eavesdropping, replay, man-in-the-middle attacks, password guessing, etc., so the following conditions must be met:
      • Password information should be stored securely and encrypted
      • Password information must be transmitted securely
      • Password authentication protocol should resist attacks and meet the design requirements of security protocol
      • Password selection requires avoiding weak passwords
  • Smart card technology

    • An integrated circuit card with memory and a microprocessor, which can securely store authentication information and has a certain computing capability

  • Biometric authentication technology: verifies identity using human biological characteristics

    • Currently, biometric information such as fingerprints, faces, retinas and voices is used for identity authentication
  • Kerberos authentication technology

    • A network authentication protocol whose goal is to use secret-key cryptography to provide strong identity authentication for client/server applications

    • Technical principle: symmetric cryptography is used, with a trusted third party providing authentication services to application servers and establishing a secure channel between the user and the server

    • A Kerberos system involves four basic entities:

      • Kerberos client, the device used by the user to access the server
      • AS (Authentication Server), which identifies the user and provides the TGS session key
      • TGS (Ticket Granting Server), to grant tickets to users applying for services
      • Application Server, a device or system that provides services to users
    • Among them, AS and TGS are collectively referred to as KDC (Key Distribution Center)

    • The Kerberos V5 authentication protocol consists of six main steps

      1. The Kerberos client (which knows its user name and password) applies to the AS (which knows the passwords of all users and all service names) for a ticket-granting ticket (TGT)
      2. When the AS receives the client's message, it checks the authentication database and generates a session key. It encrypts the session key with the client's secret key and generates the TGT (consisting of the entity name, address, timestamp, lifetime and session key), then sends these to the Kerberos client.
      3. After receiving the TGT, the Kerberos client decrypts the session key with its own secret key, uses the decrypted information to construct an authentication request, and sends it to the TGS to apply for the ticket needed to access the application server (AP).
      4. The TGS decrypts the TGT with its own secret key, uses the session key in the TGT to decrypt the authentication information in the client's request, and compares the decrypted information with the TGT. The TGS then generates a new session key for the Kerberos client and the application server to share, encrypts it under each of their secret keys, generates a ticket (consisting of the client's entity name, address, timestamp, lifetime and session key), and sends it to the Kerberos client.
      5. After receiving the TGS response, the Kerberos client obtains the session key shared with the application server. It then generates a new credential for accessing the application server, encrypts it with that shared session key, and transmits it to the application server together with the ticket issued by the TGS.
      6. The application server confirms the request

      Advantages:

      • Significantly reduces the number of times user keys are exposed as ciphertext, limiting the ciphertext under user keys that an attacker can accumulate
      • Provides single sign-on: as long as the TGT has not expired, the authentication process does not require the password to be entered again

      Disadvantages:

      • If server clocks are set incorrectly, the entire Kerberos authentication system is paralyzed
  • Public Key Infrastructure (PKI) technology

    • PKI refers to the hardware, software, personnel, policies and procedures required to create, manage, store, distribute and revoke public key certificates, forming a security service facility

    • Its main security services include identity authentication, integrity protection, digital signatures, session encryption management, and key recovery

    • The functions of the PKI entities are as follows:

      • CA: Certificate Authority, mainly responsible for issuing, revoking and renewing certificates; the CA issues, manages and revokes the certificates of a group of end users
      • RA: Registration Authority, which binds the public key to the identity and other attributes of the corresponding certificate holder for registration and assurance; the RA can act as an intermediate entity between the CA and its end users, assisting the CA with most of the other certificate processing functions
      • Directory server: the CA usually uses a directory server to provide certificate management and distribution services
      • End entity: the object that needs to be authenticated, such as a server or an e-mail address
      • Client: users who need PKI-based security services, including human users, service processes, etc.
  • Single sign-on (SSO)

    • When users access different systems, they only need to authenticate once, which simplifies authentication management
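As an added example (not part of the original notes and not MIT Kerberos code), the six-step Kerberos V5 exchange summarised above, including the clock-dependence listed under its disadvantages, modeled in Python: the AS, TGS and application server each decrypt the ticket they hold the key for and check the client's timestamped authenticator. The KDC key database, the principal names, the 5-minute skew tolerance and the toy cipher standing in for Kerberos' symmetric encryption are all constructed assumptions.

```python
import hashlib, hmac, json, os, time

def _stream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))
def seal(key, obj):
    # Toy authenticated encryption (SHA-256 counter keystream + HMAC tag): a constructed stand-in
    # for Kerberos' real symmetric encryption, not for production use
    nonce, data = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()
def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket or authenticator failed integrity check")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

KEYS = {"alice": hashlib.sha256(b"alice-password").digest(),  # constructed KDC database:
        "krbtgt": os.urandom(32), "http/app": os.urandom(32)}  # client, TGS and service keys
def as_exchange(user):
    # Steps 1-2: AS returns the TGT (under the TGS key) and the session key (under the client key)
    sk = {"key": os.urandom(32).hex()}
    tgt = seal(KEYS["krbtgt"], {"cname": user, "expires": time.time() + 36000, **sk})
    return seal(KEYS[user], sk), tgt

def check_authenticator(key, auth, ticket, now):
    # Authenticator must name the ticket holder and be fresh (5-minute skew); ticket unexpired
    a = unseal(key, auth)
    if a["cname"] != ticket["cname"] or abs(now - a["ts"]) > 300 or ticket["expires"] < now:
        raise PermissionError("authentication failed (name mismatch, clock skew or expiry)")

def tgs_exchange(tgt, auth, service):
    # Steps 3-4: TGS decrypts the TGT, checks the authenticator, issues the service ticket
    t = unseal(KEYS["krbtgt"], tgt)
    check_authenticator(bytes.fromhex(t["key"]), auth, t, time.time())
    svc = {"key": os.urandom(32).hex()}
    ticket = seal(KEYS[service], {"cname": t["cname"], "expires": t["expires"], **svc})
    return seal(bytes.fromhex(t["key"]), svc), ticket

def ap_exchange(service, ticket, auth):
    # Steps 5-6: application server decrypts the ticket and confirms the client's request
    t = unseal(KEYS[service], ticket)
    check_authenticator(bytes.fromhex(t["key"]), auth, t, time.time())
    return t["cname"]

def login(user, service, clock_offset=0.0):
    # Client side of the exchange; clock_offset skews the client clock to show the failure mode
    enc_sk, tgt = as_exchange(user)
    sk, ts = bytes.fromhex(unseal(KEYS[user], enc_sk)["key"]), time.time() + clock_offset
    enc_svc, ticket = tgs_exchange(tgt, seal(sk, {"cname": user, "ts": ts}), service)
    svc_key = bytes.fromhex(unseal(sk, enc_svc)["key"])
    return ap_exchange(service, ticket, seal(svc_key, {"cname": user, "ts": ts}))
```

`login("alice", "http/app")` succeeds, while a client clock ten minutes off (`clock_offset=-600`) is rejected at the TGS, reproducing the time-dependence listed as the protocol's disadvantage.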

Main technical indicators and products of authentication

  • Authentication evaluation indicators
    • Security function requirements
    • Performance requirements
    • Security assurance requirements
  • Main technical indicators of authentication products:
    • Cryptographic algorithm support
    • Authentication accuracy
    • Number of supported users
    • Security level
  • Authentication products
    • System security enhancement: multi-factor authentication
    • Biometric authentication
    • Electronic authentication service: digital certificate
    • Network admission control
    • Identity authentication gateway

Authentication technology application

  • User identity verification: verify the identity of visitors to network resources and provide support services for network system access authorization
  • Information source verification: verify the authenticity of the sender and receiver of network information to prevent counterfeiting
  • Information security protection: protect the confidentiality and integrity of network information through authentication technology to prevent leakage, tampering, replay or delay

Related cases: see textbook pages 150-155

Origin blog.csdn.net/weixin_39664643/article/details/109293262