7 layers: The application layer, The presentation layer, The session layer, The transport layer, The network layer, The data-link layer, The physical layer
IP Packet: SrcIP, DstIP, Length, ID, TTL
TCP Packet: SrcPort, DstPort, Seq, Ack, Flag
TCP: RST, Data Injection, Disruption, Blind Hijacking, Blind Spoofing. (guess port and seq)
UDP: User Datagram Protocol
DHCP (Dynamic Host Configuration Protocol): offer message includes IP address, DNS server, gateway router, and how long client can have these (lease time). Adv can fake DNS, gateway and be MITM.
ARP: Address Resolution Protocol
WPA2 (4-way Handshake): AP and client have same pre-shared key (PSK key). Goal is to create a shared key called PTK (Pairwise Transient Key). This key is derived from both password and SSID using PBKDF.
WPA Enterprise: before 4-way handshake, your computer first handshakes with the authentication server using public key cryptography, then authenticates to this server with your username and password. The server now generates a unique key.
DNS Packet: SrcPort, DstPort, ID, TTL. Cache poisoning, spoof, blind spoof.
Bailiwick checking: Don’t accept Additional records unless they’re for the domain we’re looking up.
The Kaminski Attack: First try to poison some other sub domains.
DOS: SYN flood (don’t allocate anything until see ACK, SYN-cookies)
CA: Revocation(expiration dates, cert revocation list (CRL))
• Browser (client) connects via TCP to Amazon’s HTTPS server • Client picks 256-bit random number RB, sends over list of crypto protocols it supports • Server picks 256-bit random number RS, selects protocols to use for this session • Server sends over its certificate • Client now validates cert
• For RSA, browser constructs “Premaster Secret” PS • Browser sends PS encrypted using Amazon’s public RSA key KAmazon • Using PS, RB, and RS, browser & server derive symmetric cipher keys (CB, CS) & MAC integrity keys (IB, IS) (One pair to use in each direction)
• For Diffie-Hellman, server generates random a, sends public parameters and ga mod p (Signed with server’s private key) • Browser verifies signature • Browser generates random b, computes PS = gab mod p, sends gb mod p to server • Server also computes PS = gab mod p • From PS, RB, and RS, browser & server derive symm. cipher keys (CB, CS) and MAC integrity keys (IB, IS).
Prevent replay attack: don’t reuse random numbers
DOS Amplification: DNS lookups
Application-Layer DoS: Algorithmic complexity attacks
DNSSEC: Designed to prove the value of an answer, or that there is no answer.
The Key Signing Key (KSK) is used only to sign the DNSKEY RRSET, The Zone Signing Key (ZSK) is used to sign everything else. The client has hardwired in one key for . (This is the root’s KSK)
NSEC: Proof that a name exists but no type exists for that name, Proof that a name does not exist. NSEC3: use a hash of the name.
OPT records to say “I want DNSSEC”, RRSIG records are certificates, DNSKEY records hold public keys, DS records hold key fingerprints, Used by the parent to tell the child’s keys, NSEC/NSEC3 records to prove that a name doesn’t exist or there is no record of that type.
sanitizing user input
The same-origin policy does not prevent XSS (Cross-site scripting attack)
Two main types of XSS: Stored XSS(using images), Reflected XSS.
XSS prevention: Content-security policy (CSP)
cookie scope: any domain-suffix of URL-hostname, except TLD(top-level domains)
Client side read/write: document.cookie
Cross Site Request Forgery(CSRF): hidden CSRF token, Referer Validation(indicates which URL initiated the request)
Cookies: NAME, domain, path, secure, expires, HttpOnly.
DHCP: discover, offer, request, pack