81 terms

Chapter 14

Key Terms
The IEEE standard for wireless network encryption and authentication that uses the EAP authentication method, strong encryption, and dynamically assigned keys, which are different for every transmission. 802.11i specifies AES encryption and weaves a key into each packet.
AES (Advanced Encryption Standard)
A private key encryption algorithm that weaves keys of 128, 160, 192, or 256 bits through data multiple times. The algorithm used in the most popular form of AES is known as Rijndael. AES has replaced DES in situations such as military communications, which require the highest level of security.
AH (authentication header)
In the context of IPSec, a type of encryption that provides authentication of the IP packet's data payload through public key techniques.
AS (authentication service)
In Kerberos terminology, the process that runs on a KDC (key distribution center) to initially validate a client who's logging on.
asymmetric encryption
A type of encryption (such as public key encryption) that uses a different key for encoding data than is used for decoding the ciphertext.
authentication protocol
A set of rules that governs how servers authenticate clients. Several types of authentication protocols exist.
In Kerberos authentication, the user's time stamp encrypted with the session key. The authenticator is used to help the service verify that a user's ticket is valid.
bio-recognition access
A method of authentication in which a device scans an individual's unique physical characteristics (such as the color patterns in his iris or the geometry of his hand) to verify the user's identity.
brute force attack
An attempt to discover an encryption key or password by trying numerous possible character combinations. Usually, a brute force attack is performed rapidly by a program designed for that purpose.
A random string of text issued from one computer to another in some forms of authentication. Used, along with the password (or other credential), in a response to verify the computer's credentials.
CHAP (Challenge Handshake Authentication Protocol)
An authentication protocol that operates over PPP and that requires the authenticator to take the first step by offering the other computer a challenge. The requestor responds by combining the challenge with its password, encrypting the new string of characters and sending it to the authenticator. The authenticator matches to see if the requestor's encrypted string of text matches its own encrypted string of characters. If so, the requester is authenticated and granted access to secured resources.
The unique data block that results when an original piece of data (such as text) is encrypted (for example, by using a key).
In the context of SSL encryption, a message issued from the client to the server that contains information about what level of security the client's browser is capable of accepting and what type of encryption the client's browser can decipher (for example, RSA or Diffie-Hellman). The client_hello message also establishes a randomly generated number that uniquely identifies the client, plus another number that identifies the SSL session.
A person who uses his knowledge of operating systems and utilities to intentionally damage or destroy data or systems.
denial-of-service attack
A security attack caused by a deluge of traffic that disables the victimized system.
DES (Data Encryption Standard)
A popular private key encryption technique that was developed by IBM in the 1970s.
dictionary attack
A technique in which attackers run a program that tries a combination of a known user ID and, for a password, every word in a dictionary to attempt to gain access to a network.
The first commonly used public, or asymmetric, key algorithm. Diffie-Hellman was released in 1975 by its creators, Whitfield Diffie and Martin Hellman.
digital certificate
A password-protected and encrypted file that holds an individual's identification information, including a public key and a private key. The individual's public key is used to verify the sender's digital signature, and the private key allows the individual to log on to a third-party authority who administers digital certificates.
DNS spoofing
A security attack in which an outsider forges name server records to falsify his host's identity.
EAP (Extensible Authentication Protocol)
A Data Link layer protocol defined by the IETF that specifies the dynamic distribution of encryption keys and a pre-authentication process in which a client and server exchange data via an intermediate node (for example, an access point on a wireless LAN). Only after they have mutually authenticated can the client and server exchange encrypted data. EAP can be used with multiple authentication and encryption schemes.
The use of an algorithm to scramble data into a format that can be read only by reversing the algorithm—decrypting the data—to keep the information private. The most popular kind of encryption algorithm weaves a key into the original data's bits, sometimes several times in different sequences, to generate a unique data block.
ESP (Encapsulating Security Payload)
In the context of IPSec, a type of encryption that provides authentication of the IP packet's data payload through public key techniques. In addition, ESP also encrypts the entire IP packet for added security.
A security attack in which an Internet user sends commands to another Internet user's machine that cause the screen to fill with garbage characters. A flashing attack causes the user to terminate her session.
A person who masters the inner workings of operating systems and utilities in an effort to better understand them. A hacker is distinguished from a cracker in that a cracker attempts to exploit a network's vulnerabilities for malicious purposes.
handshake protocol
One of several protocols within SSL, and perhaps the most significant. As its name implies, the handshake protocol allows the client and server to authenticate (or introduce) each other and establishes terms for how they securely exchange data during an SSL session.
HTTPS (HTTP over Secure Sockets Layer)
The URL prefix that indicates that a Web page requires its data to be exchanged between client and server using SSL encryption. HTTPS uses the TCP port number 443, rather than port 80 (the port that normal HTTP uses).
IKE (Internet Key Exchange)
The first phase of IPSec authentication, which accomplishes key management. IKE is a service that runs on UDP port 500. After IKE has established the rules for the type of keys two nodes use, IPSec invokes its second phase, encryption.
IPSec (Internet Protocol Security)
A Layer 3 protocol that defines encryption, authentication, and key management for TCP/IP transmissions. IPSec is an enhancement to IPv4 and native to IPv6. IPSec is unique among authentication methods in that it adds security information to the header of all IP packets.
IP spoofing
A security attack in which an outsider obtains internal IP addresses, then uses those addresses to pretend that he has authority to access a private network from the Internet.
KDC (Key Distribution Center)
In Kerberos terminology, the server that runs the authentication service and the Ticket-granting service to issue keys and tickets to clients.
A cross-platform authentication protocol that uses key encryption to verify the identity of clients and to securely exchange information after a client logs on to a system. It is an example of a private key encryption service.
A series of characters that is combined with a block of data during that data's encryption. To decrypt the resulting data, the recipient must also possess the key.
key management
The method whereby two nodes using key encryption agree on common parameters for the keys they will use to encrypt data.
key pair
The combination of a public and private key used to decipher data that was encrypted using public key encryption.
MS-CHAP (Microsoft Challenge Handshake Authentication Protocol)
An authentication protocol offered by Microsoft with its Windows clients and servers. Similar to CHAP, MS-CHAP uses a three-way handshake to verify a client's credentials and encrypts passwords with a challenge text.
MS-CHAPv2 (Microsoft Challenge Authentication Protocol, version 2)
An authentication protocol provided with Windows XP, 2000, and Server 2003 operating systems that follows the CHAP model, but uses stronger encryption, uses different encryption keys for transmission and reception, and requires mutual authentication between two computers.
mutual authentication
An authentication scheme in which both computers verify the credentials of each other.
network key
A key (or character string) required for a wireless station to associate with an access point using WEP.
An open source version of the SSH suite of protocols.
packet-filtering firewall
A router that operates at the Data Link and Transport layers of the OSI Model, examining the header of every packet of data that it receives to determine whether that type of packet is authorized to continue to its destination. Packet-filtering firewalls are also called screening firewalls.
PAP (Password Authentication Protocol)
A simple authentication protocol that operates over PPP. Using PAP, a client issues its credentials in a request to authenticate, and the server responds with a confirmation or denial of authentication after comparing the credentials to those in its database. PAP is not very secure and is therefore rarely used on modern networks.
PGP (Pretty Good Privacy)
A key-based encryption system for e-mail that uses a two-step verification process.
port forwarding
The process of redirecting traffic from its normally assigned port to a different port, either on the client or server. In the case of using SSH, port forwarding can send data exchanges that are normally insecure through encrypted tunnels.
In Kerberos terminology, a user or client.
private key encryption
A type of key encryption in which the sender and receiver use a key to which only they have access. DES (data encryption standard), which was developed by IBM in the 1970s, is a popular example of a private key encryption technique. Private key encryption is also known as symmetric encryption.
proxy server
A network host that runs a proxy service. Proxy servers may also be called gateways.
proxy service
A software application on a network host that acts as an intermediary between the external and internal networks, screening all incoming and outgoing traffic and providing one address to the outside world, instead of revealing the addresses of internal LAN devices.
public key encryption
A form of key encryption in which data is encrypted using two keys: One is a key known only to a user, and the other is a key associated with the user and can be obtained from a public source, such as a public key server. Some examples of public key algorithms include RSA (named after its creators, Rivest, Shamir, and Adleman), Diffie-Hellman, and Elliptic-curve cryptography. Public key encryption is also known as asymmetric encryption.
public key server
A publicly available host (such as an Internet host) that provides free access to a list of users' public keys (for use in public key encryption).
RADIUS (Remote Authentication Dial-In User Service)
A protocol that runs over UDP and provides centralized network authentication and accounting for multiple users.
RADIUS server
A server that offers centralized authentication services to a network's access server, VPN server, or wireless access point via the RADIUS protocol.
An asymmetric key encryption technique that weaves a key with data multiple times as a computer issues the stream of data. RC4 keys can be as long as 2048 bits. In addition to being highly secure, RC4 is fast.
The algorithm used for AES encryption.
An encryption algorithm that creates a key by randomly choosing two large prime numbers and multiplying them together.
SCP (Secure CoPy)
A method for copying files securely between hosts. SCP is part of the OpenSSH package, which comes with most modern UNIX-type of operating systems. Third-party SCP applications are available for Windows-based computers.
security audit
An assessment of an organization's security vulnerabilities. A security audit should be performed at least annually and preferably quarterly—or sooner if the network has undergone significant changes. For each risk found, it should rate the severity of a potential breach, as well as its likelihood.
security policy
A document or plan that identifies an organization's security goals, risks, levels of authority, designated security coordinator and team members, responsibilities for each team member, and responsibilities for each employee. In addition, it specifies how to address security breaches.
In the context of SSL encryption, a message issued from the server to the client that confirms the information the server received in the client_hello message. It also agrees to certain terms of encryption based on the options the client supplied. Depending on the Web server's preferred encryption method, the server may choose to issue your browser a public key or a digital certificate at this time.
session key
In the context of Kerberos authentication, a key issued to both the client and the server by the authentication service that uniquely identifies their session.
SFTP (Secure File Transfer Protocol)
A protocol available with the proprietary version of SSH that copies files between hosts securely. Like FTP, SFTP first establishes a connection with a host and then allows a remote user to browse directories, list files, and copy files. Unlike FTP, SFTP encrypts data before transmitting it.
SSH (Secure Shell)
A connection utility that provides authentication and encryption.
SSL (Secure Sockets Layer)
A method of encrypting TCP/IP transmissions—including Web pages and data entered into Web forms—en route between the client and server using public key encryption technology.
SSL session
In the context of SSL encryption, an association between the client and server that is defined by an agreement on a specific set of encryption techniques. An SSL session allows the client and server to continue to exchange data securely as long as the client is still connected to the server. SSL sessions are established by the SSL handshake protocol.
symmetric encryption
A method of encryption that requires the same key to encode the data as is used to decode the ciphertext.
TACACS (Terminal Access Controller Access Control System)
A centralized authentication system for remote access servers that is similar to, but older than, RADIUS.
TGS (Ticket-granting service)
In Kerberos terminology, an application that runs on the KDC that issues ticket-granting tickets to clients so that they need not request a new ticket for each new service they want to access.
TGT (ticket-granting ticket)
In Kerberos terminology, a ticket that enables a user to be accepted as a validated principal by multiple services.
three-way handshake
An authentication process that involves three steps.
In Kerberos terminology, a temporary set of credentials that a client uses to prove that its identity has been validated by the authentication service.
TLS (Transport Layer Security)
A version of SSL being standardized by the IETF (Internet Engineering Task Force).
Triple DES (3DES)
The modern implementation of DES, which weaves a 56-bit key through data three times, each time using a different key.
WEP (Wired Equivalent Privacy)
A key encryption technique for wireless networks that uses keys both to authenticate network clients and to encrypt data in transit.
Wi-Fi Alliance
An international, nonprofit organization dedicated to ensuring the interoperability of 802.11-capable devices.
WPA (Wi-Fi Protected Access)
A wireless security method endorsed by the Wi-Fi Alliance that is considered a subset of the 802.11i standard. In WPA, authentication follows the same mechanism specified in 802.11i. The main difference between WPA and 802.11i is that WPA specifies RC4 encryption rather than AES.
The name given to the 802.11i security standard by the Wi-Fi Alliance. The only difference between WPA2 and 802.11i is that WPA2 includes support for the older WPA security method.
____encrypts data exchanged throughout the session.
With ___, you can securely log on to a host, execute commands on that host, and copy files to or from that host.
With ____, IETF aims to create a version of SSL that encrypts UDP as well as TCP transmissions.
____which is supported by new Web browsers, uses slightly different encryption algorithms than SSL, but otherwise is very similar to the most recent version of SSL.
____ is commonly used with dial-up networking, VPNs, and wireless connections.