Unit-2 : Network security

Network Security protects your network and data from breaches, intrusions and other threats. This is a vast and overarching term that describes hardware and software solutions as well as processes or rules and configurations relating to network use, accessibility, and overall threat protection.

Network Security involves access control, virus and antivirus software, application security, network analytics, types of network-related security (endpoint, web, wireless), firewalls, VPN encryption and more.

Benefits of Network Security

Network Security is vital in protecting client data and information, keeping shared data secure and ensuring reliable access and network performance as well as protection from cyber threats. A well-designed network security solution reduces overhead expenses and safeguards organizations from costly losses that occur from a data breach or other security incident. Ensuring legitimate access to systems, applications and data enables business operations and delivery of services and products to customers.

Types of Network Security Protections

Firewall

Firewalls control incoming and outgoing traffic on networks using predetermined security rules. Firewalls keep out unfriendly traffic and are a necessary part of daily computing. Network Security relies heavily on firewalls, and especially Next Generation Firewalls, which focus on blocking malware and application-layer attacks.

Network Segmentation

Network segmentation defines boundaries between network segments where assets within the group have a common function, risk or role within an organization. For instance, the perimeter gateway segments a company network from the Internet. Potential threats outside the network are prevented, ensuring that an organization’s sensitive data remains inside. Organizations can go further by defining additional internal boundaries within their network, which can provide improved security and access control.

What is Access Control?

Access control defines the people or groups and the devices that have access to network applications and systems, thereby denying unsanctioned access and, potentially, threats. Integrations with Identity and Access Management (IAM) products can strongly identify the user, and Role-based Access Control (RBAC) policies ensure the person and device are authorized to access the asset.

Remote Access VPN

Remote access VPN provides remote and secure access to a company network to individual hosts or clients, such as telecommuters, mobile users, and extranet consumers. Each host typically has VPN client software loaded or uses a web-based client. Privacy and integrity of sensitive information is ensured through multi-factor authentication, endpoint compliance scanning, and encryption of all transmitted data.

Zero Trust Network Access (ZTNA)

The zero trust security model states that a user should only have the access and permissions that they require to fulfill their role. This is a very different approach from that provided by traditional security solutions, like VPNs, that grant a user full access to the target network. Zero trust network access (ZTNA), also known as software-defined perimeter (SDP), solutions permit granular access to an organization’s applications from users who require that access to perform their duties.

Email Security

Email security refers to any processes, products, and services designed to keep your email accounts and email content safe from external threats. Most email service providers have built-in email security features designed to keep you secure, but these may not be enough to stop cybercriminals from accessing your information.

Data Loss Prevention (DLP)

Data loss prevention (DLP) is a cybersecurity methodology that combines technology and best practices to prevent the exposure of sensitive information outside of an organization, especially regulated data such as personally identifiable information (PII) and compliance related data: HIPAA, SOX, PCI DSS, etc.

Intrusion Prevention Systems (IPS)

IPS technologies can detect or prevent network security attacks such as brute force attacks, Denial of Service (DoS) attacks and exploits of known vulnerabilities. A vulnerability is a weakness, for instance in a software system, and an exploit is an attack that leverages that vulnerability to gain control of that system. When an exploit is announced, there is often a window of opportunity for attackers to exploit that vulnerability before the security patch is applied. An Intrusion Prevention System can be used in these cases to quickly block these attacks.

Sandboxing

Sandboxing is a cybersecurity practice where you run code or open files in a safe, isolated environment on a host machine that mimics end-user operating environments. Sandboxing observes the files or code as they are opened and looks for malicious behavior to prevent threats from getting on the network. For example, malware in files such as PDF, Microsoft Word, Excel and PowerPoint can be safely detected and blocked before the files reach an unsuspecting end user.

Hyperscale Network Security

Hyperscale is the ability of an architecture to scale appropriately, as increased demand is added to the system. This solution includes rapid deployment and scaling up or down to meet changes in network security demands. By tightly integrating networking and compute resources in a software-defined system, it is possible to fully utilize all hardware resources available in a clustering solution.

Cloud Network Security

Applications and workloads are no longer exclusively hosted on-premises in a local data center. Protecting the modern data center requires greater flexibility and innovation to keep pace with the migration of application workloads to the cloud. Software-defined Networking (SDN) and Software-defined Wide Area Network (SD-WAN) solutions enable network security solutions in private, public, hybrid and cloud-hosted Firewall-as-a-Service (FWaaS) deployments.

Robust Network Security Will Protect Against

  • Virus: A virus is a malicious, downloadable file that can lie dormant and that replicates itself by changing other computer programs with its own code. Once it spreads, those files are infected and can spread from one computer to another, and/or corrupt or destroy network data.
  • Worms: Can slow down computer networks by eating up bandwidth, as well as slow the efficiency of your computer to process data. A worm is standalone malware that can propagate and work independently of other files, whereas a virus needs a host program to spread.
  • Trojan: A trojan is a backdoor program that creates an entryway for malicious users to access the computer system by using what looks like a real program, but quickly turns out to be harmful. A trojan virus can delete files, activate other malware hidden on your computer network, such as a virus, and steal valuable data.
  • Spyware: Much like its name, spyware is a computer virus that gathers information about a person or organization without their express knowledge and may send the information gathered to a third party without the consumer’s consent.
  • Adware: Can redirect your search requests to advertising websites and collect marketing data about you in the process so that customized advertisements will be displayed based on your search and buying history.
  • Ransomware: This is a type of trojan cyberware that is designed to gain money from the person or organization’s computer on which it is installed by encrypting data so that it is unusable, blocking access to the user’s system.

Authentication Application

Authentication is the act of establishing identity via the presentation of information that allows the verifier to know the presenter is who or what it claims. This identity could be any number of things, including:

  • People
  • Systems
  • Applications
  • Messages

Why would one want to verify an identity in the first place? Hopefully, most people reading this recognize that as sarcastic humor. If not, here are a few common reasons:

  • To control access to a system or application
  • To bind some sensitive data to an individual, such as for encryption
  • To establish trust between multiple parties to form some interaction with them
  • To assure that a piece of information is genuine

Within an application, one or all of these aspects may apply. This article presents different types of authentication and ways of adding it to your applications.

Types of Authentication

There are many different types of authentication that can be used in an application. The selection of the most appropriate type of authentication will depend on the needs of the application; use this guide to determine which makes the most sense for your application.

  • Basic, single-factor authentication
  • Multi-factor authentication
  • Cryptographic authentication

These authentication types apply to all classes of entity that require authentication: systems, users, messages, and applications.

Basic Authentication

Basic authentication is a commonly used term that most people probably understand already. It refers to password-based authentication. A password can be any information that is used to verify the identity of a presenter. Common examples that fall into this category are:

  • The common password
  • Host or system names
  • Application names
  • Numerical IDs

Authentication entails the validation of a single credential pair: the presenter’s identity reference and their password. The authentication process typically takes the password and compares it to the one stored in the authentication database. This comparison is often done as a plain-text comparison, where the provided password must exactly match the expected password, or with some permutation function, where the password first undergoes an alteration such as hashing or encryption and the resulting data is then compared. The stored password is likewise often kept in plaintext, or as a permutation produced by the aforementioned cryptographic function.

Basic authentication has the following benefits. It is:

  • Easy to manage within an application
  • Easy to deploy across applications
  • Easy for end users to use

There are some important caveats when using basic authentication of which every developer should be aware:

  • Passwords are commonly weakly specified
  • Identities can be spoofed and impersonated
  • Passwords can be susceptible to theft
  • Requires considerable effort to provide strong security
  • Can be difficult to scale across distributed and large environments

Basic authentication often entails the transmission of a name (username or system name), and the password, which can be easily stolen and compromised if they’re transmitted unprotected across the network. Here are some of the ways to increase the strength of Basic authentication:

  1. Use digest authentication—hash or encrypt the password prior to transmission
  2. Use pass phrases (longer passwords) and set minimum password lengths
  3. Enforce the usage of diverse character sets that include alpha-numeric, special characters, and mixed-case passwords that are not in a dictionary
  4. Add security to the connection wherein the password is not transmitted in the clear across the network, such as TLS/SSL
  5. Do not store passwords in plaintext in whatever mechanism is used—database, file system, directory
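An added example (not part of the original notes) of items 2, 3 and 5 in the list above: a password policy check, and storage as a salted, slow hash that is compared in constant time instead of as plaintext. The minimum length, iteration count, record format, sample word list and all function names are assumptions of this example.

```python
import hashlib
import hmac
import os

# Assumed policy values for this example; tune them for your environment.
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 200_000
# Constructed sample list; a real deployment would load a large breach corpus.
COMMON_PASSWORDS = {"password", "letmein", "qwerty123456", "administrator"}


def check_policy(password):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        problems.append("needs at least 3 character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("found in common-password list")
    return problems


def hash_password(password, salt=None):
    """Build the record to store: scheme, cost, per-user salt and digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Re-derive the digest from the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:
        # Malformed record (for example a legacy plaintext row): fail closed.
        return False
    return hmac.compare_digest(candidate, expected)
```

Because each record has its own random salt, two users with the same password get different stored values, and the cost parameter travels with the record so it can be raised later.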

Multi-Factor Authentication

Multi-factor authentication is the use of a combination of authentication methods to validate identity. The most commonly used description of multi-factor authentication is the use of information that is known only by the person, combined with something in his or her possession. These are typically:

  • The name and password
  • Some form of token

A token is a hardware component that is used during the authentication process; it typically provides another piece of information that cannot be ascertained without physical control of the token. Different types of tokens used in multi-factor authentication are:

  • Smart cards
  • One-time password/phrases
  • Single-use PINs or pseudo-random numbers
  • Biometric information

Multi-factor authentication provides the following additional benefits:

  • Difficult to spoof and impersonate
  • Easy to use

As security components are layered, the complexity also rises. Multi-factor authentication has the following potential drawbacks; each environment is different, so their influence on the decision-making process will vary:

  • Deployment can be difficult
  • Tokens can easily be stolen
  • Management of the tokens can be challenging, especially in the event of lost or stolen tokens

Cryptographic Authentication

The final form of authentication outlined here is that which utilizes cryptography. This includes the following forms:

  • Public Key Authentication
  • Digital Signatures
  • Message Authentication Code
  • Password permutation

Public Key Authentication

Public key authentication occurs when the owner of a key pair (private and public) communicates the public key, in some form, to the authenticating party, at which point it is verified to be true. There are a couple of methods for public key authentication worth discussing:

  • The use of the public key itself
  • Public key certificates

To verify the identity of the presenter of the public key, a nonce is encrypted using the public key. If the nonce can be decrypted and returned to the sender, that means the owner of the public key also has possession of the corresponding private key.

The use of public-key certificates builds on this relationship between the public and private key. Verification of a public key, alone, may indicate that the identity is as expected, but there is still a bit missing—trust. How does one know whether the party presenting the keys has not stolen them from the legitimate owner? Also, just because a person, system, or application may be truly who or what it says it is, how does the authenticating party know it can or should trust it? A public key certificate adds a trust relationship between a mutually known and trusted third party. The certificate is created when a mutually trusted third-party signs a public key with its own key. The authenticating party then can verify the identity of the presenter’s key and also know that it can be trusted because of the shared relationship with the certificate signer. In the event that the keys are stolen, the trusted third party easily can revoke its trust of the keys and notify its trustees that they are no longer trustworthy.

Digital Signatures

Digital signatures are another piece of the cryptographic puzzle. A digital signature is made when the owner of a key pair (an individual or a system) uses its private key to “sign” a message. This signature can be verified only by the corresponding public key.

This is most recognizable with the signed public key certificate—wherein the Certificate Authority, or trusted third party, signs a public key. The party doing the authentication can verify that the presenter of a public key has possession of the private key, and that a mutually trusted party vouches that the holder of the key is true. Digital signatures are also commonly used on messages such as e-mail, so that the recipient can have some trust that the e-mail message was sent by the person they expect.

Message Authentication Codes (MACs)

A message authentication code is created when a secret key is used in combination with the message or information to be proved authentic. The MAC can be generated by using a hashing algorithm or symmetric encryption. MACs can be used to provide integrity verification as well as authenticity to those possessing the secret key.

Password Permutation

I cannot discuss cryptographic methods without showing the relationship to basic authentication and its differences. As discussed above, in basic authentication, many passwords are typically encrypted or hashed, and then during the process of authentication, the password goes through the same transformation as that which is stored and then compared. This should not be confused with a method of strong authentication simply because of its use of cryptographic functionality (hashing, encryption). Password schemes are still weak because the cryptography is used only for the storage and comparison piece, and has no relationship to the presenter’s authenticity. Passwords are easily stolen and impersonated.

Collaboration Between Authenticating Entities

With the widespread creation and deployment of distributed applications, authentication is critical, but also requiring some attention is the concept of Single Sign-On (SSO). Single sign-on is the mechanism that allows a person, system, or application to identify itself and be authenticated once and, through various methods, have that authentication work across all other related components and applications. A simple example is an application that authenticates a person at the Web interface and then uses the provided credentials to transparently authenticate the person at all other applications within the service. Single sign-on can be done in any of the following ways:

  • Simple transparent caching and re-use of provided credentials
  • Stateful session information such as cookies and tokens
  • Complex authentication services such as Kerberos

The goal of single sign-on is to increase ease-of-use while maintaining some higher degree of security. In cases where different applications are used to provide a single service, the lack of single sign-on could require an individual or application to authenticate several times to receive a desired service. A more easily used service is one that allows an entity to authenticate once at the outset and transparently gain access to all of the applications required to provide the intended service, on demand.

If several different applications are being hooked together to provide a single service, and if each requires some level of authentication, single sign-on may be a valuable component. Common architectures for single sign-on include proxying authentication information and generating stateful session information.

Proxying authentication information means that one or more applications are caching that data. This has the following potential pitfalls:

  • Multiple copies of sensitive credential data are in memory, in different locations and subject to compromise.
  • Does not easily handle the case where authentication information differs at each juncture in the service.
  • Does not reflect a tight integration between related applications and introduces weaknesses at each level, including identity spoofing and theft of credentials.
  • Caching of data must handle synchronization safely, or be susceptible to cache corruption and stale information.

Stateful session information is information that has the following aspects:

  • Is generated as a result of successful, initial authentication
  • Can be verified
  • Can be trusted
  • Maintains sequencing to avoid insertion, replaying and spoofing

This means that an entity authenticates at the start of a session, and as a result some form of information is generated—this could be a cookie or token—which then can be uniquely identified and verified to have been generated by a known trusted component that is part of the service. This token information then can be passed around to all applications as needed and verified.
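The MAC described under Message Authentication Codes, applied to the stateful session token described above, as an added example that is not part of the original notes: the token carries an HMAC-SHA256 tag, an expiry and a sequence number, so any application holding the shared key can verify it and reject tampering and replay. The claim names, the token layout and all function names are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json


class TokenError(Exception):
    """Raised when a session token must not be trusted."""


def b64e(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mac(key, message):
    """Message authentication code: keyed hash over the exact bytes sent."""
    return hmac.new(key, message, hashlib.sha256).digest()


def issue_token(key, subject, seq, now, ttl=300):
    """Generated once, after the initial authentication has succeeded."""
    claims = {"sub": subject, "seq": seq, "iat": now, "exp": now + ttl}
    payload = b64e(json.dumps(claims, sort_keys=True).encode())
    return payload + "." + b64e(mac(key, payload.encode()))


def verify_token(key, token, now, last_seq):
    """Return the claims, or raise TokenError. last_seq is the highest
    sequence number this application has already accepted for the session."""
    try:
        payload, tag = token.split(".")
        supplied = b64d(tag)
    except ValueError:
        raise TokenError("malformed token") from None
    # Verify the MAC before parsing or trusting anything inside the payload.
    if not hmac.compare_digest(supplied, mac(key, payload.encode())):
        raise TokenError("bad MAC")
    claims = json.loads(b64d(payload))
    if now >= claims["exp"]:
        raise TokenError("expired")
    if claims["seq"] <= last_seq:
        raise TokenError("replayed or out of sequence")
    return claims
```

Unlike proxied credentials, the token contains no password, and a stolen copy stops working at its expiry or as soon as a later sequence number has been seen.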

Kerberos

Kerberos is a computer network security protocol that authenticates service requests between two or more trusted hosts across an untrusted network, like the internet. It uses secret-key cryptography and a trusted third party for authenticating client-server applications and verifying users’ identities.

Initially developed by the Massachusetts Institute of Technology (MIT) for Project Athena in the late ’80s, Kerberos is now the default authorization technology used by Microsoft Windows. Kerberos implementations also exist for other operating systems such as Apple OS, FreeBSD, UNIX, and Linux.

Microsoft rolled out its version of Kerberos in Windows 2000, and it’s become the go-to protocol for websites and single sign-on implementations over different platforms. The Kerberos Consortium maintains Kerberos as an open-source project.

The protocol derives its name from the legendary three-headed dog Kerberos (also known as Cerberus) from Greek myths, the canine guardian to the entrance to the underworld. Kerberos had a snake tail and a particularly bad temper and, despite one notable exception, was a very useful guardian.

But in the protocol’s case, the three heads of Kerberos represent the client, the server, and the Key Distribution Center (KDC). The latter functions as the trusted third-party authentication service.

Users, machines, and services that use Kerberos depend on the KDC alone, which works as a single process that provides two functions: authentication and ticket-granting. KDC “tickets” offer authentication to all parties, allowing nodes to verify their identity securely. The Kerberos authentication process employs conventional shared-secret cryptography that prevents packets traveling across the network from being read or altered, as well as protecting messages from eavesdropping and replay (or playback) attacks.

What is Kerberos Used For?

Although Kerberos is found everywhere in the digital world, it is employed heavily on secure systems that depend on reliable auditing and authentication features. Kerberos is used in POSIX authentication, Active Directory, NFS, and Samba. It’s also an alternative authentication system to SSH, POP, and SMTP.

The Benefits of Kerberos Authentication

Kerberos brings a host of advantages to any cybersecurity setup. Its advantages include:

  • Effective Access Control: Kerberos gives users a single point to keep track of logins and security policy enforcement.
  • Limited Lifetime for Key Tickets: Each Kerberos ticket has a timestamp, lifetime data, and authentication duration controlled by the administrator.
  • Mutual Authentication: Service systems and users can authenticate each other.
  • Reusable Authentication: Kerberos user authentication is reusable and durable, requiring each user to get verified by the system just once. As long as the ticket is in effect, the user won’t have to keep entering their personal information for authentication purposes.
  • Strong and Diverse Security Measures: Kerberos security authentication protocols employ cryptography, multiple secret keys, and third-party authorization, creating a strong, secure defense. Passwords do not get sent over networks, and all secret keys are encrypted.

As part of learning what Kerberos is, let’s look at the Kerberos protocol flow.

What is Kerberos: Protocol Flow Overview

Here’s a more detailed look at what Kerberos authentication is all about. We will also learn how it works by breaking it down into its core components.

Here are the principal entities involved in the typical Kerberos workflow:

  • Client: The client acts on behalf of the user and initiates communication for a service request
  • Server: The server hosts the service the user wants to access
  • Authentication Server (AS): The AS performs the desired client authentication. If the authentication happens successfully, the AS issues the client a ticket called TGT (Ticket Granting Ticket). This ticket assures the other servers that the client is authenticated
  • Key Distribution Center (KDC): In a Kerberos environment, the authentication server is logically separated into three parts: a database (db), the Authentication Server (AS), and the Ticket Granting Server (TGS). These three parts, in turn, exist in a single server called the Key Distribution Center
  • Ticket Granting Server (TGS): The TGS is an application server that issues service tickets as a service

Now let’s break down the protocol flow.

First, there are three crucial secret keys involved in the Kerberos flow. There are unique secret keys for the client/user, the TGS, and the server shared with the AS.

  • Client/user: Hash derived from the user’s password
  • TGS secret key: Hash of the password employed in determining the TGS
  • Server secret key: Hash of the password used to determine the server providing the service.

The protocol flow consists of the following steps:

Step 1: Initial client authentication request. The user asks for a Ticket Granting Ticket (TGT) from the authentication server (AS). This request includes the client ID.

Step 2: KDC verifies the client’s credentials. The AS checks the database for the client and TGS’s availability. If the AS finds both values, it generates a client/user secret key, employing the user’s password hash.

The AS then computes the TGS secret key and creates a session key (SK1) encrypted by the client/user secret key. The AS then generates a TGT containing the client ID, client network address, timestamp, lifetime, and SK1. The TGS secret key then encrypts the ticket.

Step 3: The client decrypts the message. The client uses the client/user secret key to decrypt the message and extract the SK1 and TGT, generating the authenticator that validates the client’s TGS.

Step 4: The client uses TGT to request access. The client requests a ticket from the server offering the service by sending the extracted TGT and the created authenticator to TGS.

Step 5: The KDC creates a ticket for the file server. The TGS then uses the TGS secret key to decrypt the TGT received from the client and extracts the SK1. The TGS decrypts the authenticator and checks to see if it matches the client ID and client network address. The TGS also uses the extracted timestamp to make sure the TGT hasn’t expired.

If the process conducts all the checks successfully, then the KDC generates a service session key (SK2) that is shared between the client and the target server.

Finally, the KDC creates a service ticket that includes the client id, client network address, timestamp, and SK2. This ticket is then encrypted with the server’s secret key obtained from the db. The client receives a message containing the service ticket and the SK2, all encrypted with SK1.

Step 6: The client uses the file ticket to authenticate. The client decrypts the message using SK1 and extracts SK2. This process generates a new authenticator containing the client network address, client ID, and timestamp, encrypted with SK2, and sends it and the service ticket to the target server.

Step 7: The target server receives decryption and authentication. The target server uses the server’s secret key to decrypt the service ticket and extract the SK2. The server uses SK2 to decrypt the authenticator, performing checks to make sure the client ID and client network address from the authenticator and the service ticket match. The server also checks the service ticket to see if it’s expired.

Once the checks are met, the target server sends the client a message verifying that the client and the server have authenticated each other. The user can now engage in a secure session.
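Steps 1 to 7 above as a runnable simulation, added here as an example and not taken from any Kerberos implementation: it shows which key protects each message and where the ID, address and lifetime checks happen. The cipher is a toy HMAC-based stand-in for a real Kerberos encryption type, and the principal names, message field names and ticket lifetime are assumptions.

```python
import hashlib
import hmac
import json
import os

# Added example: principal names, field names and this lifetime are assumptions.
TICKET_LIFETIME = 300  # seconds


def kdf(password, principal):
    """Long-term secret key: a hash derived from the principal's password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


def _stream(key, nonce, length):
    blocks = (hmac.new(key, b"ks" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key, obj):
    """Toy authenticated encryption (HMAC-SHA256 keystream plus tag).
    It stands in for a real Kerberos encryption type; do not reuse it."""
    nonce, plain = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(plain, _stream(key, nonce, len(plain))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct


def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))


def check(ticket, auth, now):
    """Checks that the TGS (step 5) and the target server (step 7) both perform."""
    if (auth["client"], auth["addr"]) != (ticket["client"], ticket["addr"]):
        raise PermissionError("authenticator does not match ticket")
    if now > ticket["ts"] + ticket["life"]:
        raise PermissionError("ticket expired")


class KDC:
    def __init__(self, principals):
        # db: principal name -> long-term secret key
        self.db = {name: kdf(pw, name) for name, pw in principals.items()}

    def _ticket(self, key, client, addr, now, session_key):
        return seal(key, {"client": client, "addr": addr, "ts": now,
                          "life": TICKET_LIFETIME, "sk": session_key}).hex()

    def as_request(self, client, addr, now):
        """Steps 1-2: the request carries only the client ID, never the password."""
        sk1 = os.urandom(32).hex()
        tgt = self._ticket(self.db["tgs"], client, addr, now, sk1)
        return seal(self.db[client], {"sk1": sk1, "tgt": tgt})

    def tgs_request(self, tgt, authenticator, service, now):
        """Step 5: validate TGT and authenticator, then issue the service ticket."""
        ticket = unseal(self.db["tgs"], bytes.fromhex(tgt))
        sk1 = bytes.fromhex(ticket["sk"])
        check(ticket, unseal(sk1, authenticator), now)
        sk2 = os.urandom(32).hex()
        st = self._ticket(self.db[service], ticket["client"], ticket["addr"], now, sk2)
        return seal(sk1, {"sk2": sk2, "ticket": st})


def service_accept(service_key, service_ticket, authenticator, now):
    """Step 7: the target server needs only its own key, not a call to the KDC."""
    ticket = unseal(service_key, bytes.fromhex(service_ticket))
    sk2 = bytes.fromhex(ticket["sk"])
    auth = unseal(sk2, authenticator)
    check(ticket, auth, now)
    return seal(sk2, {"ts": auth["ts"]})  # proof back to the client (mutual auth)


def run_flow(kdc, user, password, addr, service, now=1000, service_delay=0):
    """Client side of steps 1-7. Returns True once both sides are authenticated."""
    me = {"client": user, "addr": addr, "ts": now}
    reply = unseal(kdf(password, user), kdc.as_request(user, addr, now))  # step 3
    sk1 = bytes.fromhex(reply["sk1"])
    reply = unseal(sk1, kdc.tgs_request(reply["tgt"], seal(sk1, me), service, now))  # step 4
    sk2 = bytes.fromhex(reply["sk2"])
    later = now + service_delay
    confirm = service_accept(kdc.db[service], reply["ticket"], seal(sk2, me), later)  # step 6
    return unseal(sk2, confirm)["ts"] == now
```

A wrong password never reaches the KDC for comparison; the client simply cannot decrypt the step 2 reply, which is why the protocol can say that passwords are not sent over the network.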

X.509

X.509 is a standard defining the format of public-key certificates. X.509 certificates are used in many Internet protocols, including TLS/SSL, which is the basis for HTTPS, the secure protocol for browsing the web. They are also used in offline applications, like electronic signatures. An X.509 (also called digital) certificate contains a public key and an identity (a hostname, or an organization, or an individual), and is either signed by a certificate authority or self-signed. When a certificate is signed by a trusted certificate authority, or validated by other means, someone holding that certificate can rely on the public key it contains to establish secure communications with another party, or validate documents digitally signed by the corresponding private key.

X.509 also defines certificate revocation lists, which are a means to distribute information about certificates that have been deemed invalid by a signing authority, as well as a certification path validation algorithm, which allows for certificates to be signed by intermediate CA certificates, which are, in turn, signed by other certificates, eventually reaching a trust anchor.

What is an X.509 certificate?

An X.509 certificate is a digital certificate that uses the widely accepted international X.509 public key infrastructure (PKI) standard to verify that a public key belongs to the user, computer or service identity contained within the certificate.

A public key is a large numerical value used to encrypt data or check the legitimacy of a digital signature. A PKI, moreover, is the underlying framework that enables entities like users and servers to securely exchange information using digital certificates.

The X.509 certificate is a safeguard against malicious network impersonators. When a certificate is signed by a trusted authority, or is otherwise validated, the device holding the certificate can validate documents. It can also use a public key certificate to secure communications with a second party.

Digital certificates must be requested from a registration authority and granted by a certificate authority.

The X.509 certificate is defined by the International Telecommunication Union’s Telecommunication Standardization Sector (ITU-T).

In cryptography, the X.509 certificate securely associates cryptographic key pairs of public and private keys with websites, individuals or organizations. The certificate is typically used to manage identity and security in computer networking and over the internet. For the internet, it is used in numerous protocols to ensure a malicious website doesn’t fool a web browser. The X.509 certificate is also used to secure email, device communications and digital signatures.

The X.509 standard is based on Abstract Syntax Notation One, an interface description language. An X.509 certificate contains an identity and a public key. It binds an identity — such as an individual or hostname — to a public key with a digital signature. The signature is either made by a trusted certificate authority (CA) or is self-signed. Some digital certificates can also be automated.

X.509 certificate fields

An X.509 certificate contains information about the identity to which the certificate is issued and the identity that issued it. Standard information in an X.509 certificate includes the following:

  • Version. Which X.509 version applies to the certificate, indicating what data the certificate must include.
  • Serial number. The CA creating the certificate must assign it a serial number that distinguishes the CA certificate from other certificates.
  • Algorithm information. The signature algorithm the issuer uses to sign the certificate.
  • Issuer distinguished name. The name of the entity issuing the certificate — usually, the CA.
  • Validity period of the certificate. The start and end date, as well as the time the certificate is valid and can be trusted.
  • Subject distinguished name. The name to which the certificate is issued.
  • Subject public key information. The public key associated with the identity.
  • Extensions (optional). Extensions have their own unique IDs, expressed as a set of values called an object identifier. An extension can be rejected if it is not recognized or if the extension has information that can’t be processed.

Applications of X.509 certificates

Common applications of X.509 certificates include the following:

Benefits of X.509 certificates

Potential benefits that come with X.509 certificates include the following:

  • Wide area of use. X.509 certificates are a part of web browser security, web server security, online document signing, SSH keys and email security.
  • Level of trust. Certificates help safeguard against potentially malicious network impersonators.
  • How signed certificates are issued. Certificates are signed by a publicly trusted issuer, such as a CA, or self-signed.

Directory Authentication service

Authentication is the process of validating users. During authentication, the server asks itself, “Is the user who he or she says they are?”

Each DSA has one or more authentication levels. The authentication levels assigned to a DSA define what credentials a user must present to bind to and query that DSA.

Directory supports three levels of authentication:

  • Anonymous authentication
  • Clear-password authentication
  • SSL authentication

Anonymous Authentication

Anonymous authentication lets users connect to a directory without providing credentials. This is useful for public directory services, because user identification is usually not important.

Clear-Password Authentication

Clear-password authentication (sometimes called simple authentication) allows users to connect or bind to a directory by providing a username and password.

The following conditions are required for clear-password authentication to work:

  • The name corresponds to a real entry in the directory.
  • That entry has a password attribute.
  • The user supplies a username and password.
  • The minimum authentication of all the DSAs must not include the value ssl-auth.

Authentication fails and the bind is refused in the following cases:

  • The entry named by the user cannot be found.
  • The entry named by the user name does not contain a password attribute.
  • The password provided does not match the password value of the attribute in the entry named by the user name.

How a Connection Is Established with Clear-Password Authentication

Clear-password authentication consists of sending the DSA the DN of the client, and the client’s password.

The diagram below illustrates the following steps:

  1. The client sends a bind request with its username and password.
  2. The DSA checks the username and password against the relevant DN entry.
  3. If the username exists and the password matches, the bind is authenticated and established. If the username does not exist, or the password is incorrect, a BIND REFUSE message is returned to the client.
How a Connection Is Established with Clear Password Authentication 14.1

Once a bind or connection is established, all further client operations or directory requests are subject to access control rules.

SSL Authentication

Strong authentication uses SSL certificates to protect LDAP and X.500 access by encrypting data with Secure Sockets Layer (SSL) security. When certificate-based authentication is used, all communication on the connection set up by the bind uses SSL encryption.

SSL certificate based authentication is typically used in environments where personal or company data requires protection, for example, an online banking environment.

SSL authentication has two parts:

  • The SSL connection
  • The directory connection (using a bind)

Two variants are allowed:

  • Simple SSL
  • Authenticated SSL

Simple SSL authenticates the server only, while Authenticated SSL authenticates both the client and the server.

How an SSL Connection Is Established

An SSL connection always starts with an exchange of messages between the client and the DSA server, and is commonly referred to as the SSL handshake. The handshake allows both the DSA and client to authenticate themselves using public-key techniques (trusted certificates).

The following diagram illustrates the first part of the SSL certificate-based authentication process:

  1. The client sends a bind request, including a certificate.
  2. The DSA validates the connection request by checking the validity dates and checking the issuer of the certificate against the configured trusted roots.
  3. If the certificate details are correct, the DSA establishes an SSL connection with the client application.

How a Directory Connection Is Established

After an SSL connection has been established between a client and a DSA, the client can use that connection to request a bind to the directory.

In LDAP, this is known as SASL/EXTERNAL. In a distributed or X.500 environment, the bind external procedure is used. This tells the directory to use the certificate from the link layer.

The directory connection is established over an existing SSL link as follows:

  1. The client sends a bind request to the directory.
  2. The DSA checks the directory entry named by the subject DN contained in the certificate.
  3. If the subject DN of the certificate matches an entry in the directory, then the DSA accepts the bind request.

In a secure environment, you can choose to bypass the DSA check on the DN.

Bypass the Entry Check

Usually, during SSL authentication, the DSA verifies that the entry exists. To bypass this entry check, add the following command to the DSA’s configuration:

set ssl-auth-bypass-entry-check = true;

When this is set, while authenticating the client, the DSA does not check that an entry with a distinguished name matching the subject field in the certificate of the client exists in the directory.
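The two bind procedures above can be modelled in a few lines. This is an added illustration, not the directory product's code: the DNs, the trusted root and the dictionary layout are constructed, and signature verification of the certificate is assumed to have already happened during the SSL handshake.

```python
import hmac
from datetime import datetime, timezone

# Constructed sample data (not from a real directory).
TRUSTED_ROOTS = {"cn=Example Root CA,o=Example"}
DIRECTORY = {
    "cn=alice,o=example": {"userPassword": "correct horse"},
    "cn=printer01,o=example": {},              # entry without a password attribute
}

# The reason strings are for the DSA's own log; a client only needs the refusal.
def clear_password_bind(dn, password):
    """Clear-password bind: find the entry, require a password attribute, compare."""
    entry = DIRECTORY.get(dn.lower())
    if entry is None:
        return "BIND REFUSE: entry not found"
    if "userPassword" not in entry:
        return "BIND REFUSE: entry has no password attribute"
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(entry["userPassword"].encode(), password.encode()):
        return "BIND REFUSE: password mismatch"
    return "BIND OK: " + dn

def ssl_bind(cert, now, bypass_entry_check=False):
    """SSL bind: validity dates, trusted issuer, then (unless bypassed) the entry check."""
    if not cert["not_before"] <= now <= cert["not_after"]:
        return "BIND REFUSE: certificate outside validity period"
    if cert["issuer"] not in TRUSTED_ROOTS:
        return "BIND REFUSE: issuer is not a trusted root"
    if not bypass_entry_check and cert["subject"].lower() not in DIRECTORY:
        return "BIND REFUSE: no entry for subject DN"
    return "BIND OK: " + cert["subject"]

def make_cert(subject, issuer="cn=Example Root CA,o=Example", year_from=2024, year_to=2026):
    """Build a constructed certificate record holding only the fields the DSA checks."""
    return {"subject": subject, "issuer": issuer,
            "not_before": datetime(year_from, 1, 1, tzinfo=timezone.utc),
            "not_after": datetime(year_to, 1, 1, tzinfo=timezone.utc)}

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are repeatable

if __name__ == "__main__":
    stranger = make_cert("cn=contractor,o=partner")   # trusted issuer, no directory entry
    print(ssl_bind(stranger, NOW))
    print(ssl_bind(stranger, NOW, bypass_entry_check=True))
```

With the entry check bypassed, the trusted roots are the only gate: any certificate they issue binds, whatever its subject DN, so the root list should be kept as narrow as the deployment allows.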

Pretty Good Privacy

Pretty Good Privacy (PGP) is a security program used to decrypt and encrypt email and authenticate email messages through digital signatures and file encryption. 

PGP was first designed and developed in 1991 by Paul Zimmerman, a political activist. PGP software was owned and sold by a company called PGP Corporation, which was founded in 2002 then sold to Symantec in 2010. 

Email is a prime attack method for cyber criminals who can easily forge messages using a victim’s name or identity. PGP aims to solve this and enhance email security by encrypting the data to make the communication method more private. 

PGP was one of the first public-key cryptography programs to be publicly available for free. Originally, it was used to enable individual users to communicate on bulletin board system computer servers. Later, it was standardized and supported by other applications such as email. It has now become a core standard in email security and has been widely used to protect individuals and organizations.

The data encryption program provides cryptographic authentication and privacy for data used in online communication. This allows PGP to be used for encrypting and decrypting text messages, emails, and files.

How Does PGP Encryption Work?

PGP works through a combination of cryptography, data compression, and hashing techniques. It is similar to other popular encryption methods such as Kerberos, which authenticates network users, secure sockets layer (SSL), which secures websites, and the Secure File Transfer Protocol (SFTP), which protects data in motion. 

PGP uses the public key system in which every user has a unique encryption key known publicly and a private key that only they know. A message is encrypted when a user sends it to someone using their public key, then decrypted when the recipient opens it with their private key. It combines private-key and public-key cryptography and the use of symmetric and asymmetric key technology to encrypt data as it travels across networks.

PGP follows a three-step process:

  1. PGP generates a huge, one-time-use public encryption algorithm that cannot be guessed, which becomes the random session key.
  2. The session key is then encrypted using the recipient’s public key, which protects the message while being transmitted. The recipient shares that key with anyone they want to receive messages from.
  3. The message sender submits their session key, then the recipient can decrypt the message using their private key.

Encrypting entire messages can take a long time, so PGP encrypts the message using a faster algorithm. PGP compresses plaintext data, which saves on disk space and transmission time, as well as reinforces cryptographic security. The public key is used to encrypt the shorter key that encrypted the full message. Both are sent to the recipient, who uses their private key to unlock the shorter key, then decrypt the full message.

PGP uses efficient algorithms that create a mathematical summary known as a hash to send digital signatures. The hash code, which can be usernames and other digital data, is encrypted by the message sender’s private key. The recipient uses the message sender’s public key to decrypt the hash, and if it matches that sent by the sender, then it confirms that the message was securely received.
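The flow described above (compress, encrypt with a one-time session key, wrap that key with the recipient's public key, sign a hash with the sender's private key) is shown end to end in this added example, which is not PGP's own code. Textbook RSA without padding and a SHA-256 keystream stand in for the real OpenPGP algorithms, and the Alice/Bob keys are constructed from small known primes, so it illustrates the message flow only.

```python
import hashlib, secrets, zlib

# Toy textbook RSA (no padding, tiny modulus): illustration only, NOT secure.
E = 65537

def make_keypair(p, q):
    """Return (public, private) as ((n, e), (n, d)) from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def keystream_xor(key, data):
    """Stand-in symmetric cipher: XOR the data with a SHA-256 counter keystream."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def digest_int(message, n):
    """Hash the message and map the digest into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, sender_private):
    n, d = sender_private
    return pow(digest_int(message, n), d, n)        # hash encrypted with private key

def verify(message, signature, sender_public):
    n, e = sender_public
    return pow(signature, e, n) == digest_int(message, n)

def pgp_encrypt(message, recipient_public):
    n, e = recipient_public
    session_key = secrets.token_bytes(16)           # one-time random session key
    body = keystream_xor(session_key, zlib.compress(message))
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return wrapped, body                            # both parts go to the recipient

def pgp_decrypt(wrapped, body, recipient_private):
    n, d = recipient_private
    session_key = pow(wrapped, d, n).to_bytes(16, "big")
    return zlib.decompress(keystream_xor(session_key, body))

# Constructed demo keys built from known Mersenne primes (far too small for real use).
ALICE_PUB, ALICE_PRIV = make_keypair(2**127 - 1, 2**89 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**107 - 1, 2**61 - 1)

def demo():
    """Alice signs and encrypts for Bob; Bob decrypts and checks the signature."""
    msg = b"Quarterly report attached. " * 4
    sig = sign(msg, ALICE_PRIV)
    wrapped, body = pgp_encrypt(msg, BOB_PUB)
    plain = pgp_decrypt(wrapped, body, BOB_PRIV)
    return plain == msg, verify(plain, sig, ALICE_PUB), verify(plain + b"!", sig, ALICE_PUB)

if __name__ == "__main__":
    print(demo())
```

The last value returned by `demo()` is the signature check on a message with one byte appended, which fails because the recomputed hash no longer matches the signed one.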

There are two public key versions of PGP:

Rivest-Shamir-Adleman (RSA): RSA is one of the first public-key cryptosystems, which encrypts a short key created using the International Data Encryption Algorithm (IDEA). This sees users create and publish public keys based on two prime numbers, which are required for anyone to decode, and use the message-digest algorithm (MD5) to create a hash code.

The RSA algorithm is effectively considered unbreakable, to the point where it has been used in highly sophisticated malware strains such as CryptoLocker. However, it is a fairly slow algorithm, which means it is not appropriate for encrypting user data.

Diffie-Hellman: The Diffie-Hellman version enables two users to generate shared private keys through which they can exchange data on insecure channels. It encrypts the message with a short key using the CAST algorithm and the Secure Hash Algorithm (SHA-1) to create a hash code.

Uses of PGP Encryption

The most common reason for PGP encryption use is to enable people to confidentially send messages and data to each other using a combination of their public and private keys. It is often used to encrypt and decrypt emails, files, text messages, and entire disk partitions, and to authenticate digital certificates. 

PGP is also used to authenticate messages and for integrity checking, which detects whether a message is altered after it was written and sent by the person who claims to have sent it. PGP creates a digital signature for private and public keys to prove that a sender is the rightful owner of the message.

PGP can also be used to confirm that a message reaches the intended recipient. A user’s public key can be distributed in an identity certificate, which is constructed to ensure that tampering is easily detected. PGP products can also confirm whether a certificate belongs to someone, also known as the web of trust concept.

Encrypting Emails

PGP is most commonly used to encrypt email messages. It was initially used by anyone wanting to share sensitive information, such as activists and journalists. But its popularity has increased significantly in the face of organizations and government agencies collecting user data, as people look to keep their personal and sensitive information private.

Digital Signature Verification

PGP can be used for email verification. For example, if an email recipient is not sure about the identity of the people sending them an email, they can use a digital signature in conjunction with PGP to verify their identity.

A digital signature works through algorithms that combine a sender’s key with the data they try to send in an email message. This creates a hash function, which is an algorithm that converts the email message into a fixed-size block of data. That data is then encrypted using the email sender’s private key, and the recipient can decrypt the message using the sender’s public key.

As a result, the recipient will know whether any character in the message has been amended in transit. This tells them whether the sender is who they claim to be, whether a fake digital signature has been used, or if the email message has been tampered with or hacked.

Encrypting Files

The algorithm that PGP uses, which is typically the RSA algorithm, is largely considered unbreakable, which makes it ideal for encrypting files. It is particularly effective when used with a threat detection and response tool. File encryption software enables users to encrypt all of their files while removing the complexity of the encryption-decryption process.

Advantages and Disadvantages of PGP Encryption

PGP encryption usage is typically dependent on how secure an individual or organization needs their communication and files to be. It requires users to put more work into sending and receiving messages from trusted contacts but hugely increases the security of their communications. PGP also allows organizations to make their systems, resources, and users more secure and enhances the resilience of their systems against cyberattacks.

There are benefits and challenges with using PGP encryption, depending on what it is being used for.

Advantages of PGP Encryption

The biggest advantage of PGP encryption is that the algorithm is unbreakable. It is widely used by people who need to secure their private communications and is considered a leading method for enhancing cloud security. That is because PGP makes it impossible for a hacker, nation-states, or government agencies to break into files or emails protected by PGP encryption. 

However, there have been stories that note security failings in some PGP implementations like EFAIL, which was a vulnerability in OpenPGP and S/MIME end-to-end encryption technologies.

Disadvantages of PGP Encryption

  1. Complexity of use: PGP encryption’s biggest downside is that it is typically not user-friendly. Encrypting data and files using PGP takes time and effort, which can complicate message sending for users. Organizations must provide employee training if they are considering implementing PGP.
  2. Key management: Users need to fully understand how the PGP system works to ensure they do not inadvertently create holes in their security defenses. This can either be through the incorrect usage of PGP or losing or corrupting keys, which puts their fellow users at risk in highly secure environments.
  3. Lack of anonymity: PGP will encrypt messages that users send, but it does not anonymize them. As a result, senders and recipients of emails sent through a PGP solution can be traced. The subject line of the message is also not encrypted, so avoid including sensitive data or information. Users who want to hide their location can use anonymous browsers through proxy servers or virtual private networks (VPNs). They can also use encrypted messaging applications, such as Signal, that provide simple-to-use encryption or anonymization, which is a more efficient alternative to encrypting stored data.
  4. Compatibility: It is impossible to use PGP unless both the sender and recipient of the communication are using the same version of the software. 

What is S/MIME?

S/MIME means Secure/Multipurpose Internet Mail Extensions. It is a technology that allows us to encrypt the content of our e-mails, so that they are not vulnerable to cyber attacks. In other words, S/MIME keeps our e-mails safe and makes sure that the only person who reads them is the intended receiver.

S/MIME was first developed by RSA Data Security to ensure the security of e-mail messages, then it became a standard with the help of the IETF.

S/MIME is based on asymmetric encryption and public key infrastructure. It aims to provide a layer of security for e-mail messages with the help of encryption and authentication techniques. In other words, S/MIME makes it possible for you to sign your e-mails digitally so that only the intended receiver of your e-mails can receive and view them. Also, S/MIME makes sure that nobody alters the content of your e-mail while it is on its way to the receiver’s inbox.