Lesson 4.1: Security Technology & Cryptography
Intrusion Detection, Access Control Models, and Cryptographic Foundations
1.1 IDS/IPS Fundamentals: Network vs. Host-Based Detection
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are critical components of a defense-in-depth strategy, providing visibility into network traffic and host activities to identify malicious behavior.
Deployment Models:
Monitors traffic flowing across network segments. Typically deployed at network boundaries (perimeter) or critical internal segments. Advantage: Visibility into broad network traffic patterns. Limitation: Cannot inspect encrypted payloads without decryption; may miss host-specific attacks.
Installed directly on endpoints (servers, workstations). Monitors system logs, file integrity, and process execution. Advantage: Can detect insider threats and encrypted attacks; sees post-decryption activity. Limitation: Consumes host resources; management complexity scales with number of hosts.
Detection Methodologies:
| Method | Mechanism | Strengths | Weaknesses |
|---|---|---|---|
| Signature-Based | Matches traffic patterns against a database of known attack signatures | Low false positive rate for known threats; fast processing | Cannot detect zero-day attacks; requires constant signature updates |
| Anomaly-Based | Establishes a baseline of "normal" behavior and flags deviations | Can detect novel/zero-day attacks; adapts to environment | Higher false positive rate; requires training period; resource intensive |
| Heuristic/Behavioral | Analyzes sequences of events to identify suspicious patterns | Effective against multi-stage attacks; context-aware | Complex configuration; may miss sophisticated evasion techniques |
Operational Insight: Modern Security Operations Centers (SOCs) rarely rely on standalone IDS/IPS. Instead, alerts are fed into a SIEM (Security Information and Event Management) system for correlation with other data sources (firewall logs, endpoint telemetry) to reduce false positives and prioritize response.
2.1 Controlling Access: DAC, MAC, and RBAC
Access control determines who can access what resources within a system. Different models offer varying levels of security, flexibility, and administrative overhead.
Discretionary Access Control (DAC)
The data owner decides who has access to the resource. Access rights are typically managed via Access Control Lists (ACLs).
Characteristics:
- Flexibility: High. Users can share files easily.
- Security: Low to Moderate. Vulnerable to Trojan horses (a user can grant access to malware).
- Example: Windows NTFS file permissions, Unix file ownership (chmod).
Mandatory Access Control (MAC)
The operating system constrains the ability of a subject (user/process) to access an object (file/resource) based on security labels.
Characteristics:
- Flexibility: Low. Users cannot change permissions.
- Security: Very High. Enforced by the kernel.
- Labels: Subjects and Objects have clearance/classification levels (e.g., Top Secret, Confidential).
- Example: SELinux, military systems, government classified networks.
Role-Based Access Control (RBAC)
Access is assigned based on the user's role within the organization, not their individual identity.
Characteristics:
- Flexibility: Moderate. Easy to onboard/offboard users by changing role assignments.
- Security: High. Enforces Least Privilege effectively.
- Administration: Simplified. Manage permissions for roles, not individuals.
- Example: Enterprise ERP systems, Database roles (DBA, Read-Only).
| Model | Decision Maker | Primary Use Case | Complexity |
|---|---|---|---|
| DAC | Data Owner / User | Small offices, personal computing | Low |
| MAC | System / Security Policy | Military, High-security government | High |
| RBAC | Security Administrator | Corporate enterprises, Cloud environments | Moderate |
3.1 Cryptographic Concepts and Terminology
Cryptography is the practice of secure communication in the presence of adversarial behavior. It provides confidentiality, integrity, authentication, and non-repudiation.
Core Terminology:
The original, readable message or data before encryption.
The scrambled, unreadable output produced by the encryption algorithm.
A piece of information (parameter) that determines the functional output of a cryptographic algorithm. Without the correct key, decryption is computationally infeasible.
The mathematical function used to transform plaintext into ciphertext and vice versa (e.g., AES, RSA).
Cryptographic Goals:
- Confidentiality: Only authorized parties can read the message.
- Integrity: The message has not been altered in transit.
- Authentication: Verifying the identity of the sender.
- Non-Repudiation: The sender cannot deny sending the message.
3.2 Symmetric vs. Asymmetric Encryption
Encryption algorithms are broadly categorized by how they manage keys.
Symmetric Encryption (Secret Key)
Uses the same key for both encryption and decryption.
// Symmetric Encryption Process Sender: Encrypt(Plaintext, SharedKey) → Ciphertext Receiver: Decrypt(Ciphertext, SharedKey) → Plaintext // Common Algorithms AES (Advanced Encryption Standard) - "Gold Standard" DES (Data Encryption Standard) - "Deprecated (Weak)" 3DES (Triple DES) - "Legacy" ChaCha20 - "High Performance (Mobile)"
Pros & Cons:
- Pros: Very fast; efficient for large amounts of data.
- Cons: Key distribution problem (how to share the secret key securely?).
Asymmetric Encryption (Public Key)
Uses a pair of keys: a Public Key (shared openly) and a Private Key (kept secret).
// Asymmetric Encryption Process Encryption: Encrypt(Plaintext, RecipientPublicKey) → Ciphertext Decryption: Decrypt(Ciphertext, RecipientPrivateKey) → Plaintext // Common Algorithms RSA (Rivest–Shamir–Adleman) ECC (Elliptic Curve Cryptography) - "Smaller keys, same security" Diffie-Hellman - "Key Exchange only"
Pros & Cons:
- Pros: Solves key distribution; enables digital signatures.
- Cons: Computationally slow (1000x slower than symmetric).
Hybrid Cryptosystems: Real-world protocols (like TLS/SSL) use both. Asymmetric encryption is used to securely exchange a Symmetric Session Key, which is then used to encrypt the actual data transfer. This combines the security of public-key crypto with the speed of symmetric crypto.
4.1 Cryptographic Hashing Functions
Hashing transforms input data of any size into a fixed-size string of characters (hash value or digest). It is a one-way function.
Properties of a Secure Hash:
- Deterministic: Same input always produces same hash.
- Fast Computation: Hash is calculated quickly.
- Pre-image Resistance: Cannot reverse the hash to get the original input.
- Avalanche Effect: Small change in input (1 bit) drastically changes the hash.
- Collision Resistance: Hard to find two different inputs that produce the same hash.
Common Hashing Algorithms:
| Algorithm | Output Size | Status | Usage |
|---|---|---|---|
| MD5 | 128-bit | Broken (Insecure) | Legacy checksums (not for security) |
| SHA-1 | 160-bit | Deprecated | Legacy Git commits, old SSL certs |
| SHA-256 | 256-bit | Secure | Bitcoin, TLS, Password storage |
| SHA-3 | Variable | Secure | Next-gen security applications |
Application: Password Storage
Passwords should never be stored in plaintext. Systems store the hash of the password. When a user logs in, the system hashes the input and compares it to the stored hash.
// Python Hashing Example (SHA-256) import hashlib password = "SecurePassword123!" hash_object = hashlib.sha256(password.encode()) hex_dig = hash_object.hexdigest() print("Hash:", hex_dig) // Output: 8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92
4.2 Digital Signatures and PKI
Digital signatures provide authentication, integrity, and non-repudiation using asymmetric cryptography.
How Digital Signatures Work:
- Hashing: The sender creates a hash of the message.
- Signing: The sender encrypts the hash with their Private Key. This creates the Digital Signature.
- Verification: The receiver decrypts the signature using the sender's Public Key to reveal the original hash.
- Comparison: The receiver hashes the received message themselves. If the two hashes match, the message is authentic and unaltered.
Public Key Infrastructure (PKI)
PKI is the framework that manages digital keys and certificates. It binds a public key to an identity.
- Certificate Authority (CA): Trusted entity that issues digital certificates (e.g., DigiCert, Let's Encrypt).
- Digital Certificate: An electronic document (X.509 standard) that proves ownership of a public key.
- Registration Authority (RA): Verifies the identity of entities requesting certificates.
- Certificate Revocation List (CRL): List of certificates that have been revoked before expiration.
Web Security: When you visit an HTTPS website, your browser checks the site's SSL/TLS certificate against a list of trusted CAs built into the browser. If the signature is valid and the CA is trusted, a secure connection is established.
5.1 Common Cryptographic Attacks and Mitigations
Even strong algorithms can be compromised through implementation flaws or brute force.
Attack Vectors:
Trying every possible key until the correct one is found. Mitigation: Use long key lengths (AES-256, RSA-4096) to make computation time infeasible.
Attacker intercepts and possibly alters communication between two parties. Mitigation: Use mutual authentication and PKI to verify identities before exchanging keys.
Exploits the mathematics behind the birthday problem to find hash collisions. Mitigation: Use hash functions with larger output sizes (SHA-256 instead of MD5).
Attacks the physical implementation of a cryptosystem (e.g., measuring power consumption, timing, or electromagnetic leaks) rather than the algorithm itself. Mitigation: Constant-time algorithms, hardware shielding.
Uses precomputed tables of hash chains to reverse cryptographic hash functions (mainly for cracking passwords). Mitigation: Use Salting (adding random data to the password before hashing).
Implementation Risk: "Rolling your own crypto" is dangerous. Always use established, vetted libraries (like OpenSSL, libsodium, or language-native crypto modules) rather than writing custom encryption code.
6.1 Secure Communication Protocols
Cryptography is implemented in protocols to secure data in transit.
SSL/TLS (Secure Sockets Layer / Transport Layer Security)
- Purpose: Secures web traffic (HTTPS), email (SMTPS, IMAPS), and VoIP.
- Mechanism: Uses asymmetric crypto for handshake (key exchange) and symmetric crypto for data transfer.
- Versions: SSL is deprecated. TLS 1.2 and 1.3 are current standards.
SSH (Secure Shell)
- Purpose: Secure remote login and command execution.
- Port: TCP 22.
- Replacement: Replaced insecure protocols like Telnet and rlogin.
IPsec (Internet Protocol Security)
- Purpose: Secures IP communications by authenticating and encrypting each IP packet.
- Modes: Transport Mode (payload only) and Tunnel Mode (entire packet, used for VPNs).
PGP/GPG (Pretty Good Privacy / GNU Privacy Guard)
- Purpose: Email encryption and signing.
- Mechanism: Uses a "Web of Trust" model rather than centralized CAs.
| Protocol | Layer | Primary Use | Key Feature |
|---|---|---|---|
| TLS | Transport / Session | Web Browsing (HTTPS) | Server Authentication via Certificates |
| SSH | Application | Remote Administration | Secure Command Line Access |
| IPsec | Network | VPNs, Site-to-Site | Transparent to Applications |
| S/MIME | Application | Email Security | Encryption & Digital Signatures |
7.1 Essential Knowledge Check: Cryptography & Access Control
Review these foundational questions to reinforce core concepts from this lesson.
Q: What is the main difference between Symmetric and Asymmetric encryption?
A: Symmetric uses a single shared key for both encryption and decryption (fast, key distribution is hard). Asymmetric uses a key pair (Public/Private); one encrypts, the other decrypts (slower, solves key distribution).
Q: Why is hashing considered a one-way function?
A: Mathematically, it is computationally infeasible to reverse the process and derive the original input data from the hash value. This makes it ideal for password storage and integrity checking.
Q: How does a Digital Signature provide Non-Repudiation?
A: Because the signature is created using the sender's Private Key (which only they possess), they cannot later deny having sent the message. Anyone with the Public Key can verify it.
Q: What is the purpose of Salting in password hashing?
A: Salting adds random data to the password before hashing. This prevents Rainbow Table attacks by ensuring that even identical passwords result in unique hashes.
Q: Which Access Control model is best for a military environment?
A: Mandatory Access Control (MAC). It enforces strict security labels (Clearance levels) and prevents users from changing permissions, ensuring data confidentiality.
Study Recommendation: Memorize the acronyms: AES (Symmetric), RSA (Asymmetric), SHA (Hashing), TLS (Protocol). Understand the specific role each plays in a secure transaction (e.g., TLS uses RSA for handshake, AES for data, SHA for integrity).
8.1 Consolidated Learning: Defending and Encrypting Data
This lesson covered the technical mechanisms used to detect intrusions, control access, and mathematically protect data.
Essential Takeaways:
- Detection is layered: Use both NIDS (network view) and HIDS (host view) for comprehensive visibility.
- Access Control models vary: Choose DAC for flexibility, MAC for high security, and RBAC for enterprise manageability.
- Cryptography ensures CIA: Encryption provides Confidentiality; Hashing provides Integrity; Digital Signatures provide Authentication and Non-Repudiation.
- Hybrid systems are standard: Modern security uses Asymmetric crypto to exchange Symmetric keys, balancing security and performance.
- PKI is the backbone: Certificate Authorities and Digital Certificates allow us to trust public keys on the internet.
- Algorithms age: What is secure today (SHA-256) may be broken tomorrow. Stay updated on cryptographic standards (NIST recommendations).
Forward Look: In the next unit, we will move from technical controls to the implementation phase: managing security projects, personnel issues, and maintaining security over time (Digital Forensics).
Recommended Next Steps:
- Experiment with OpenSSL command line tools to generate keys and certificates.
- Use an online hash calculator to see the "Avalanche Effect" by changing one character in input.
- Review the access control settings on your own computer (File Properties > Security).
- Inspect a website's SSL certificate in your browser (Click the Lock icon).
Final Insight: Cryptography is a powerful tool, but it is only as strong as its implementation and key management. A perfect algorithm with a stolen key offers zero security. Protect your keys as fiercely as your data.