Security - the introduction of network security protocols

News 2023-07-26 02:57:17 views: null

insert image description here

TCP/IP Security Flaws

information leakage

overview

Messages delivered on the network often contain sensitive information such as account numbers and passwords. If such information is leaked, it will have disastrous consequences. Among them, sniffing is a common and hidden means of network attack.

to sniff

overview

  1. Problem: In the shared network architecture, all data is sent in broadcast mode. You only need to set the working mode of the network card to "promiscuous" to sniff all communication data in the network segment.
  2. Solution: To solve the problems caused by sniffing and broadcasting, you can use a switched network architecture to bind each port to the physical address connected to the port, and send the data directly to the corresponding port according to the "destination address" in the frame header. port. But it will bring another problem, ARP spoofing.

ARP spoofing

  1. Problem description: ARP spoofing is the basis for attackers to implement sniffing in a switched network environment. Assuming that there is a host A in the network, it is necessary to sniff the communication data of B and C. The IP addresses of the three annotations are IPA, IPB, and IPC, and the physical addresses are MACA, MACB, and MACC.
  2. Process description:
    1) A first sends an ARP response message to B, which contains the mapping relationship IPA/MACC.
    2) After B receives this response, it updates its own cache and saves the mapping relationship IPA/MACC.
    3) A sends an ARP response message to C, which contains the mapping relationship IPA/MACB.
    4) After receiving the response, C updates its own cache and saves the mapping relationship IPA/MACB.
    5) At this point, all communication data between B and C will be sent to A. After intercepting important communication data, A can forward the data to the correct destination, while B and C cannot detect the sniffing behavior. Although the ARP cache is updated regularly, A can continue to sniff data between B and C as long as it sends ARP spoofing packets at a frequency less than the update interval.

information tampering

overview

  1. Information tampering can be based on network sniffing that implements ARP spoofing, and tampers with data before forwarding it.
  2. The common attack method of information tampering is to insert a piece of malicious code into the intercepted data to realize Trojan horse implantation and virus transmission.

identity disguise

overview

  1. APR spoofing is to realize identity disguise from the network interface layer of the TCP/IP protocol stack, in addition to IP spoofing and domain name server spoofing.

behavior denial

overview

  1. Behavioral denial refers to the behavior of the data sender denying that he has sent the data, or the receiver denying that he has received the data.
  2. Such as IP spoofing, the sender sends information with a forged IP address to hide his identity.

Network Security Requirements

confidentiality

  1. Preventing unauthorized disclosure of data means keeping messages private from unrelated audiences.
  2. Such as sniffing destroys data confidentiality.
  3. Cryptography provides confidentiality protection.

integrity

  1. Prevent data from being tampered with, and ensure that the information received by the receiver is the message sent by the sender.
  2. Such as malicious code injection destroys data integrity.
  3. Antivirus software, cryptography can provide integrity protection.

controllability

  1. Restricting access to network resources (hardware and software) and data (storage and communication), unauthorized use of resources by the organization, unauthorized disclosure or modification of data.
  2. Its elements include, in order: identification and authentication, authorization, decision-making, and enforcement.
  3. The basic idea of ​​access control is to give each communication entity a unique identifier and corresponding access rights. When implementing communication, first confirm the identity of the entity, and then implement the corresponding access control strategy.
  4. Such as ARP spoofing, IP spoofing and DNS spoofing destroy controllability.
  5. Firewall and cryptography provide controllable protection.

non-repudiation

  1. Communication entities need to be responsible for their own actions, and what they have done cannot be denied. That is two aspects: one is that the sender cannot deny the behavior of sending data, and the other is that the receiver cannot deny that he has received the data.
  2. Such as IP spoofing destroys non-repudiation.
  3. Cryptography provides non-repudiation protection.

availability

  1. That is, legitimate users can obtain normal services when they need to use network resources.
  2. Such as DoS attack is an example of destroying availability.
  3. Cryptography provides availability protection.

encryption and decryption

overview

  1. Encryption is the basic means to ensure data confidentiality, and decryption is its inverse process.
  2. The encryption algorithm converts data into ciphertext under the action of a key, and this process can be seen as a process of increasing data irregularity. Given the key, decrypt the ciphertext back to plaintext.

cryptographic algorithm

Symmetric encryption algorithm

overview

  1. Both communicating parties share the same key.
  2. Encryption and decryption all rely on this key.

algorithm

Advanced Encryption Standard (Advanced Encryption Standard, AES), Triple Data Encryption Standard (Triple DES, 3DES), RC2, RC4, International Data Encryption Algorithm (International Data Encryption Algorithm, IDEA, etc.)

Asymmetric Cryptographic Algorithms

overview

  1. Each party has a pair of keys, a public key and a private key.
  2. The public key can be made public, but the private key needs to be kept secret.
  3. The two parties in the communication inform both parties of their public keys, and when sending data to the other party, they can use the other party's public key to encrypt to ensure the confidentiality of the data. After receiving the data, the other party can decrypt it with the private key.

algorithm

RSA, Digital Signature Algorithm (DSA), ElGamal, Elliptic Curves Cryptography (ECC)

message digest

overview

  1. The digest digest of a piece of data is a character string representing the characteristics of the data, and the function of obtaining the data digest is usually completed by a hash function. A hash function can receive data of any length and generate a fixed-length hash value.
  2. Hash function formula: h=H(M), where M is a plaintext of any length, H is a hash function, and h is the hash value obtained by M under the action of H.
  3. The hash function is a compressed mapping process. The space of the hash value is much smaller than the space of the input. Different inputs may be hashed into the same output, and it is impossible to uniquely determine the input value from the hash value.
  4. The messages of IP, ICMP, TCP, UDP and other protocols in TCP/IP include a "checksum" field, with a fixed length of 2B, which is a kind of summary information.

message verification code

overview

  1. The message authentication code is a value obtained based on the key and the message digest, which can be used for data source authentication and integrity verification.

process

  1. Before sending data, the sender first calculates the digest value using the hash function negotiated by the communication parties. Under the action of the session key shared by both parties, only the message authentication code is obtained from the digest.
  2. Send the message verification code along with the data.
  3. After receiving the message, the receiver first uses the session key to restore the digest value, and at the same time uses the hash magic to calculate the digest value of the received data locally, and compares the two values. If the two are equal, the packet is authenticated.

digital signature

overview

  1. Digital signatures are usually used to ensure non-repudiation and have authentication functions.
  2. Digital signatures also need to be based on message digests, but unlike message verification codes, message verification codes use the session key shared by both communication parties to process digests, while digital signatures use the sender's private key to encrypt digests. When the receiver verifies the digital signature, it must use the sender's public key to decrypt it.

algorithm

DSA and RSA

Guess you like

Origin blog.csdn.net/Andya_net/article/details/131040839
Recommended
Ranking
Solve the problem that the Chinese display of the drawing using python matplotlib under the Linux system is displayed as a box
[Conference Call for Papers] The 5th International Conference on Civil Engineering, Environmental Resources and Energy Materials (CCESEM 2023)
4-yl Fast Fourier Transform
DataGirdView interlaced display color
[Docker implements test deployment CI/CD----Dingding alarm after the build is successful (7)]
[Asp.net core series] 6 the complete structure of a project in actual combat
The new version of OpenCenterV3 management background
Why can box plots detect outliers and what is the principle?
[Switch] jumbo frame Introduction
C++对象移动(3)——移动构造函数
Daily
More
2024-05-05(0)
2024-05-04(18)
2024-05-03(8)
2024-05-02(0)
2024-05-01(4)
2024-04-30(36)
2024-04-29(5)
2024-04-28(12)
2024-04-27(29)
2024-04-26(22)

Code World

© 2018 codetd.com