安全与认证Week3 Tutorial

发布时间:2024年01月02日

1) What is a replay attack?

1) 什么是重放攻击?

????????It is when an attacker re-uses a valid sequence of data in order to access a particular service.

????????它是指攻击者为了访问特定服务而重用有效的数据序列。

2) What is Kerberos system? What security services does it provide?

2)什么是Kerberos系统?它提供什么安全服务?

????????? Kerberos is a centralised authentication service designed for use in a distributed environment.

?????????Kerberos是专为在分布式环境中使用而设计的集中式身份验证服务。

????????? It makes use of a trusted third-party authentication service that enables clients and servers to establish authenticated communication. Also, it provides access control.

?????????它利用可信的第三方认证服务,使客户端和服务器能够建立身份验证通信。此外,它还提供访问控制。

3) A simple way for a server to authenticate a client, is to ask for a password. In Kerberos this authentication is not used, why? How does Kerberos authenticate the server and the clients?

3)服务器验证客户端身份的一种简单方法是要求提供密码。在Kerberos中不使用这种身份验证,为什么?Kerberos如何对服务器和客户机进行身份验证?

????????? The main security weakness is that the password is transmitted. So anybody eavesdropping can get hold of it.

?????????主要的安全弱点是密码会被传输。这样任何窃听者都能得到它。

????????? A better way is: the client request from the server a “service granting ticket”. The client sends the request for using the server, and the user’s ID. The server, which knows the users password, creates a session key using the user’s password. Using this session key, the server sends the ticket granting a service. The client asks the user for his/her password, generates the session key and recovers the ticket. The password is never transmitted between server-client.

?????????一个更好的方法是:客户端从服务器请求一个“服务授予票证”。客户端发送使用服务器的请求,以及用户的ID。服务器知道用户的密码,使用用户的密码创建会话密钥。使用此会话密钥,服务器发送授予服务的票证。客户端向用户询问密码,生成会话密钥并恢复票据。密码永远不会在服务器-客户端之间传输。

4) What are the four requirements for Kerberos? What mechanisms are used within Kerberos systems to achieve those requirements?

4) Kerberos的四个要求是什么?Kerberos系统中使用什么机制来实现这些需求?

RequirementMechanism
Secure

Provided?by?the?secure?steps,?mostly?achieved?by?using?conventional?encryption.?

AUTHENTICATION?is?an?alternative?answer.?

ReliableDistributed?architecture.?Uses?mirrored?system?backups.?
Transparent

Limitation?of?user?interaction?to?the?authentication?with?the?client

?(password,?or?other?methods).?

ScalablePrinciple?of?Kerberos?realms.
要求机制
安全所提供的安全步骤,大多是通过使用常规加密实现的。身份验证是另一种解决方案。
可靠分布式体系结构。使用镜像系统备份。
透明限制用户与客户端的身份验证交互(密码或其他方法)。
可伸缩Kerberos领域原理。


5) What is a public-key certificate?

5)什么是公钥证书?

????????It is used to authenticate public-keys of users. A public-key certificate contains a public key, an identifier of the key owner and other information, is signed and acreated by a certificate authority, and is given to the participant. A participant conveys its key information to another by transmitting its certificate. Other participants can verify that the certificate was created by the authority.

????????用于验证用户的公钥。公钥证书包含公钥、密钥所有者的标识符和其他信息,由证书颁发机构签名和创建,并提供给参与者。参与者通过传输其证书将其密钥信息传递给另一个参与者。其他参与者可以验证证书是由权威机构创建的。

6) Define the X.509 standard. How is an X.509 certificate revoked?

6)定义X.509标准。如何撤销X.509证书?

????????? X.509 defines a framework for the provision of authentication services by the X.500 directory to its users.

????????? the public key of a user and is signed with the private key of a trusted certification authority.

????????? The X.509 defines alternative authentication protocols based on the use of public-key certificates.

????????X.509定义了一个框架,用于X.500目录向其用户提供认证服务。

????????用户的公钥,并使用可信证书颁发机构的私钥签名。

????????X.509定义了基于使用公钥证书的可选认证协议。

????????? Each CA must maintain a certificate revocation list (CRL) consisting of all revoked certificates issued by that CA.

????????? The list is signed by the issuer and includes the issuer’s name, the date the list was created, the date the next CRL is scheduled to be issued, and an entry for each revoked certificate. Each entry consists of the serial number of a certificate and revocation date for that certificate.

????????? The user could check the CRL list each time a certificate is received to determine the certificate is not revoked.

????????? DRAW A DIAGRAM FOR X.509 STACK AND THE CRL?

????????? 每个CA必须维护一个证书撤销列表(CRL),其中包含由该CA颁发的所有已撤销证书。

????????? 该列表由颁发者签名,并包括颁发者的名称、创建列表的日期、计划颁发下一个CRL的日期以及每个被吊销证书的条目。每个条目由证书的序列号和该证书的撤销日期组成。

????????? 用户可以在每次收到证书时检查CRL列表,以确定证书未被吊销。

????????? 绘制x.509堆栈和crl?

7) What is IPsec? ?Why is it significant?

7)什么是IPsec?为什么它很重要?

????????? IPSec stands for IPSecurity as it protects IP packets

?????????IPSec代表IPSecurity,用于保护IP报文

????????? It is vital for providing additional security at the IP layer, and protects packets of all applications including security-ignorant applications

?????????它对于在IP层提供额外的安全性至关重要,并保护所有应用程序的数据包,包括不了解安全的应用程序

????????? It provides: confidentiality, authentication, or both for IP packets.

?????????为IP包提供:机密性、身份验证或两者兼有。

8) What are the two modes of operations in IPsec? How can they achieve protection against traffic analysis?

8)IPsec的两种操作方式是什么?他们如何实现对流量分析的保护?

????????? Tunnel Mode: protects entire packet.

?????????隧道模式:保护整个报文。

????????? Transport Mode: protects payload.? ESP provides protection against traffic analysis.

?????????传输模式:保护有效载荷。ESP提供针对流量分析的保护。

????????* In tunnel mode ESP provides protection against traffic analysis where the host on the internet networks use the Internet transportof data but do not interact with other Internet-based hosts.

????????*在隧道模式下,ESP提供流量分析保护,其中internet网络上的主机使用internet传输数据,但不与其他基于internet的主机交互。

????????* In Transport Mode, ESP only protects the payload, hence the IP header will not be hidden (limited protection against traffic analysis).

????????*在传输模式下,ESP只保护有效载荷,因此IP头不会被隐藏(对流量分析的有限保护)。

9) List the services provided by IPSec.

9)列出IPSec提供的服务。

????????Access control - 访问控制

????????Connectionless integrity - 无连接完整性

????????Data origin authentication - 数据来源认证

????????Rejection of replayed packets - 拒绝重放的数据包

????????Confidentiality (encryption) - 机密性(加密)

????????Limited traffic flow confidentiality - 有限的流量机密性

10) In IPSec, what is the domain of interpretation (DOI)?

10)在IPSec中,什么是解释域(DOI)?

????????Contains values to relate the different specifications of the protocol?

????????包含值来关联协议的不同规范

????????Identifiers for encryption and authentication algorithms?

????????加密和身份验证算法的标识符

????????Operational parameters, key lifetimes, key exchange, etc.?

????????操作参数、密钥寿命、密钥交换等方面的参数

11) In IPSec, what is the difference between transport mode and tunnel mode?

11)在IPSec中,传输模式和隧道模式有什么区别?

????????Transport mode: Provides protection primarily for upper-layer protocols. That is, transport mode

protection extends to the payload of an IP packet.?

????????传输模式:主要为上层协议提供保护。也就是说,传输模式的保护范围延伸到了IP数据包的负载。

????????Tunnel mode: Provides protection to the entire IP packet.

????????隧道模式:为整个IP数据包提供保护。


12) What are the parameters used to characterize the nature of a particular SA?

12)用来表征特定SA性质的参数是什么?

????????Sequence Number Counter(序列号计数器)

????????Sequence Counter Overflow(序列计数器溢出)

????????Anti-Replay Window(防重放窗口)

????????AH Information(身份验证头信息)

????????ESP Information(封装安全有效负载信息)

????????Lifetime of this Security Association(安全关联的生命周期)

????????IPSec Protocol Mode(IPSec协议模式)

????????Path MTU(路径最大传输单元)

13) What are the roles of the Oakley key determination protocol and ISAKMP in IPsec?

13)Oakley密钥确定协议和ISAKMP在IPsec中的作用是什么?

????????ISAKMP by itself does not dictate a specific key exchange algorithm; rather, ISAKMP consists of a set of message types that enable the use of a variety of key exchange algorithms.?

????????ISAKMP本身不规定特定的密钥交换算法;相反,ISAKMP由一组消息类型组成,使得可以使用各种密钥交换算法。

????????Oakley is the specific key exchange algorithm mandated for use with the initial version of ISAKMP.?

????????Oakley是在ISAKMP的初始版本中规定使用的具体密钥交换算法。

文章来源:https://blog.csdn.net/qq_53631388/article/details/135350265
本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。