Computer Science 4730  -  Final Exam  -  Review

Applied Cryptography

(see also Test 1 and Test 2 reviews; the Final Exam will be comprehensive)

 

1. Application level authentication

 

Kerberos: from MIT, for control of access to system services based on user ID;

     based on Authentication server, Ticket-granting server, and application servers;

     uses three levels of client-server exchange, two kinds of "tickets" and an "authenticator";

     differences version 4 to version 5;

X.509 standard and services: public-key certificates;

    used in other contexts (S/MIME, IPSec, SSL/TLS, SET);

    Certificate contents for versions 1, 2, 3; revocation; authentication procedures;

    based on public-key cryptography, digital signatures, and a secure hash function.

 

2. Electronic mail and IP security

 

PGP (Pretty Good Privacy): based on standard crypto algorithms, available for free or

     with commercial support, provides 5 services: authentication, encryption, compression, R64, segmentation;

     uses 4 types of keys: secret session, public, private, and passphrase hash; key identifiers and key rings;

 S/MIME: MIME history and message content types; S/MIME extensions for security: signature,

     encryption (enveloped), certificates;

IPSec: security implemented at the IP level; specifies packet-level authentication & encryption, plus

     key management; 2 formats: ESP & AH; security associations (SAs); transport & tunnel modes;

     Authentication Header (AH) supports data integrity and authentication but not confidentiality;

     Encapsulating Security Payload (ESP) supports confidentiality and optionally AH features;

     bundling of SAs: AH + ESP at one level or multi-layer tunneling; key management support: Oakley, ISAKMP.

 

3. Web and system security issues

 

SSL/TLS: started by Netscape, now an Internet standard (TLS); executed at the transport layer (TCP);

     architecture; handshake, change cipher, and alert protocols; handshake message exchange details;

SET: secure credit card transaction standards; supports confidentiality, data integrity, cardholder and

     merchant authentication, and non-repudiation; includes trusted Certificate Authority and Payment Gateway;

     based on public-key cryptography, certificates, dual signature, one-time symmetric key, and

     separate authentication of payment information and order information;

Intrusion detection and prevention; password management

Malware: viruses, worms, trap doors, trojans, zombies; counter-measures;

Firewalls: characteristics, types, configurations; weaknesses; trusted systems.