Network security protocol

1. E-mail security

  Security threats: spam, phishing scams, mail bombs, viruses spread by e-mail.

  Security requirements: confidentiality, integrity, authentication (the sender is not an impostor), non-repudiation (digital signature).

  E-mail properties: one-way and non-real-time, so an encrypted tunnel cannot be used; only the message itself can be encrypted.

  E-mail security principle: the data together with its digital signature is encrypted with a symmetric key, for efficiency.

      PEM (Privacy Enhanced Mail) standard: guarantees message encryption, message integrity, sender authentication and non-repudiation of the sender; rarely used.

  PGP (Pretty Good Privacy) standard: free, available for Windows and Unix, used by the military and other high-security environments; more common.

    Public key encryption algorithm: RSA, DSS, Diffie-Hellman

    Symmetric encryption algorithms: CAST, 3DES, IDEA

    Hash algorithms: MD5, SHA-1

    On top of the above principle it adds compression, Base64 encoding, segmentation and so on.

    PGP key management:

      At installation the key pair is generated; the public key is uploaded to a key server and the private key is protected with a passphrase.

      PGP public key authentication mechanism: a PGP public key can be trusted through the web of trust; users can add their own authentication; authenticated users can vouch for other users' public keys (a third-party guarantee, which is how it differs from a traditional CA).

  S/MIME (Secure/Multipurpose Internet Mail Extensions) standard:

    Not limited to e-mail: it can be used with any MIME data transfer mechanism, such as HTTP. Its authentication mechanism relies on a CA (X.509 certificate format).

2. Secure sockets (SSL)

  Web Application Security

    Security threats (Web applications are widespread and the underlying server software is complex): forged information between client and server, tampering with site content, eavesdropping on traffic, traffic-flow analysis, server security (the HTTP service requires certain privileges; whoever obtains those privileges can tamper with the home page, etc.), browser security (a Web page may hide malicious programs; many pages now contain scripts that must run in the client's browser).

     Security requirements: confidentiality, integrity, authentication, no denial of service (defence against denial-of-service attacks).

    Solutions at the Web application layer:

    Solutions at the transport layer (using SSL or TLS):

  Secure Sockets Layer (SSL); TLS is a variant of SSL (RFC 2246):

    Security services provided: confidentiality, integrity, authentication.

    SSL provides an application programming interface for network applications; SSL libraries/classes are available for languages such as C and Java.

    Protocol principle: a bit difficult, then later added.

    Protocol stack structure:

      SSL supports multiple cipher suites; the two sides negotiate which cipher suite to use (public-key algorithm + symmetric-key algorithm + MAC algorithm).

      ① SSL change cipher spec protocol: switches to the newly negotiated cipher suite.

      ② SSL alert protocol: alert messages.

      ③ SSL handshake protocol: ContentType = 22; authentication, negotiation of the encryption algorithms and generation of the keys (many steps).

      ④ SSL record protocol: the record format (record header + data).
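The record format and the ContentType values above, as an added example that is not part of the original notes: a small parser for the SSL/TLS record header that also decodes the handshake message header, run over a constructed ClientHello record (the byte values are built here, not captured from a real session).

```python
import struct

# Record-layer content types (RFC 5246); the notes above name 22 for the handshake protocol.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# Handshake message types seen during the negotiation the notes describe.
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 20: "Finished"}
MAX_RECORD_BODY = 2 ** 14 + 2048  # TLSCompressed length limit from RFC 5246

def parse_record(data: bytes) -> dict:
    """Parse one record: 1-byte content type, 2-byte version, 2-byte length, then the body.
    Rejects unknown types, oversized lengths and truncated input instead of guessing."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in CONTENT_TYPES:
        raise ValueError(f"unknown content type {ctype}")
    if length > MAX_RECORD_BODY:
        raise ValueError(f"record length {length} exceeds limit")
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body truncated")
    rec = {"type": CONTENT_TYPES[ctype], "version": (major, minor), "length": length}
    if ctype == 22 and len(body) >= 4:
        # Handshake header: 1-byte message type followed by a 3-byte message length.
        rec["handshake"] = HANDSHAKE_TYPES.get(body[0], f"type_{body[0]}")
        rec["handshake_len"] = int.from_bytes(body[1:4], "big")
    return rec

def build_client_hello() -> bytes:
    """Constructed sample (not a capture): a minimal TLS 1.2 ClientHello offering one cipher suite."""
    hello = (b"\x03\x03"                 # client_version = TLS 1.2
             + b"\x00" * 32              # client random (all zeros, sample only)
             + b"\x00"                   # session_id length 0
             + b"\x00\x02\xc0\x2f"       # one suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
             + b"\x01\x00")              # one compression method: null
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    print(parse_record(build_client_hello()))
    print(parse_record(b"\x15\x03\x03\x00\x02\x02\x28"))  # alert: fatal, handshake_failure
```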

3. IP security

  Private Network (PN): a network built on dedicated devices, links or protocols and used exclusively by one organization. Security is its biggest feature.

  Virtual Private Network (VPN): a logical tunnel through a public network, i.e. a private network created over a public network.

    Functional requirements: data confidentiality, data integrity, authentication and replay-attack prevention, access control.

    Key technologies: tunneling, data encryption, authentication, key management, access control, network management.

    Tunneling protocols:

    VPN implementations: IPSec is the most widely used; SSL has the advantage of working at a higher layer; L2TP is widely used for remote access.

    VPN technologies in use: IPSec and SSL, IPSec and L2TP.

  Network-layer security: IPSec

    IPSec architecture

    Services provided by IPSec: confidentiality, data integrity, origin authentication, replay-attack prevention.

      Two protocols providing different services: AH (Authentication Header, IP protocol number 51) and ESP (Encapsulating Security Payload, IP protocol number 50).

    Two IPSec modes: transport mode (also called host mode; the host is IPSec-aware) and tunnel mode (the edge router is IPSec-aware).

    Security Association (SA): established between the sending entity and the receiving entity; the SA maintains state information (similar to the information a TCP connection endpoint maintains). IP is connectionless, but IPSec is connection-oriented.

    SA parameters: security parameter index (SPI, a 32-bit unique identifier), encryption keys, authentication keys, sequence number, anti-replay window, lifetime, operating mode, IPSec tunnel source and destination addresses.
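The sequence number and anti-replay window listed among the SA parameters, as an added example that is not part of the original notes: a receiver-side sliding window following the method of RFC 4303 Appendix A. It assumes 32-bit sequence numbers without extended sequence numbers, and that the caller has already verified the packet's integrity check value; the SPI and sequence numbers in the sample are constructed.

```python
class ReplayWindow:
    """Anti-replay check for one inbound SA, using the sliding-window method of RFC 4303
    Appendix A. Assumed simplification: 32-bit sequence numbers without ESN, and the
    caller has already verified the packet's integrity check value."""

    def __init__(self, spi: int, size: int = 64):
        self.spi = spi        # security parameter index identifying the SA (32-bit)
        self.size = size      # window width in packets (64 is a common default)
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set <=> sequence number (top - i) was already accepted

    def accept(self, seq: int) -> bool:
        """Return True and record seq if the packet is new and inside the window;
        False if it is a replay, older than the window, or the invalid value 0."""
        if seq == 0:
            return False                       # the first packet on an SA uses seq 1
        if seq > self.top:                     # newer than anything seen: slide the window
            shift = seq - self.top
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1                # everything previously seen falls out of the window
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                       # too old to be distinguished from a replay
        if self.bitmap & (1 << offset):
            return False                       # already accepted: replayed packet
        self.bitmap |= 1 << offset             # late but unseen: accept and mark
        return True


def run_sequence(seqs):
    """Feed constructed sequence numbers to a fresh window and return the verdicts in order."""
    win = ReplayWindow(spi=0x1234ABCD)  # placeholder SPI for the sample
    return [win.accept(s) for s in seqs]


if __name__ == "__main__":
    # Constructed sample: reordering is tolerated; replays and packets behind the window are dropped.
    sample = [1, 3, 2, 2, 100, 36, 37, 100]
    print(list(zip(sample, run_sequence(sample))))
```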

    The IKE protocol automatically manages SA establishment, negotiation, modification and deletion; it is the only key-management protocol for IPSec.

      It handles key exchange and key management, authentication, and SA negotiation.

    IPSec summary:

    IPSec is a bit difficult; to be added later once understood.

4. Wireless LAN security (802.11 WEP encryption)

5. Firewalls: isolate an organization's internal network from public networks, allowing some packets through while blocking others.

  Commonly deployed on the edge router of the network.

  Three kinds of firewalls: stateless packet filters, stateful packet filters, application gateways.

  Stateless packet filters:

  Stateful packet filters: track each TCP connection.

  Application gateways: decide whether to allow access based on application data and user identity.
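The difference between stateless and stateful packet filters, as an added example that is not part of the original notes: a toy stateless filter that judges each packet from its header alone, beside a toy stateful filter that records the TCP connections internal hosts open. The internal subnet, the policy and the sample packets are constructed assumptions.

```python
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."   # constructed sample: the organization's internal subnet

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False

def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)

def stateless_allow(p: Packet) -> bool:
    """Stateless filter: decides from this packet's header fields alone.
    Policy: internal hosts may open TCP connections outward; inbound TCP is allowed
    only when ACK is set, i.e. it looks like a reply to an existing connection."""
    if p.proto != "tcp":
        return False
    if is_internal(p.src) and not is_internal(p.dst):
        return True
    if not is_internal(p.src) and is_internal(p.dst):
        return p.ack
    return False

class StatefulFilter:
    """Stateful filter: tracks each TCP connection an internal host initiates and
    lets inbound packets through only if they belong to one of those connections."""

    def __init__(self):
        self.connections = set()   # (internal ip, port, external ip, port)

    def allow(self, p: Packet) -> bool:
        if p.proto != "tcp":
            return False
        if is_internal(p.src) and not is_internal(p.dst):
            if p.syn and not p.ack:                      # new outbound connection: record it
                self.connections.add((p.src, p.sport, p.dst, p.dport))
                return True
            return (p.src, p.sport, p.dst, p.dport) in self.connections
        if not is_internal(p.src) and is_internal(p.dst):
            return (p.dst, p.dport, p.src, p.sport) in self.connections
        return False
```

An unsolicited inbound packet with ACK set passes the stateless filter because its header alone looks like a reply, while the stateful filter drops it for lack of a matching connection entry.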


Source: www.cnblogs.com/Ccluck-tian/p/11906072.html