Is this for hashing… or encryption?

Starting to get a handle on things but there is still lots of detail to get into and I would like to understand it all. At first I was kind of erring on the side of that being unimportant and that I should get this done as quick as possible. While not being wrong, I would rather actually know all the material, go through answers to the questions and explain why each answer is wrong or write and also say ‘this is a bull shit question’ rather than knowing ‘oh this one is WPS and I have no real reason for understanding why its not the other answers.’ Its not totally lazy but it doesn’t indicate that you actually know the material and it makes passing the test less likely given that the material in the pretest isn’t on the actual test. Besides, for some reason my brain is more analytically functional than based on memorizing random things so it works better for me. Anyway, working from home for the next two weeks and I have no idea what will happen next but given that airports are all having a tough time, it may not be a good idea to buy a bunch of stuff I don’t need presently. Lets do some questions.

photo wps_zpsexhz47uc.png

My present level of understanding is that WPS is older, and now thinking back that’s why it works, and im not sure that its encrypted. You should be able to set up 802.1x on radius and push a certificate out with GP over like WPA2-Enterprise and AES encryption. but its complicated. Start here: Deploy Server Certificates for 802.1X Wired and Wireless Deployments and then check this out Create a Group Policy to deploy a company wireless network

I even recall seeing something about using eap-peep-mschapv2 to get this done as well but its really complicated and the question doesn’t say that your pushing a wireless configuration out. The funny part is that the 802.1x has nothing to do with authentication at all but is how the router is set up as a radius client.

So lets look at how they are authenticating and using encryption with WPS is set up. I know a lot more about the 802.1x for sure as its more modern and hardened. Anyway, looking at WPS stuff. Right away I’m on this website, Advantages & Disadvantages of WPS (WiFi Protected Setup) and im learning that you can walk up to the router and push a button to connect to it:

  • PBC (Push button configuration) Method, in which the user simply has to push a button, either an actual or a virtual one, on both WPS devices to connect.
  • PIN (Personal Identification Number) Method, in which a PIN has to be taken either from a sticker label or from the web interface of the WPS device. This PIN will then be entered in the AP or client WPS device to connect.

Clearly if physical security is an issue this isn’t a great set up but ok.

This is also helpful: Simple questions: What is WPS (Wi-Fi Protected Setup) and how does it work?

What can WPS do?

WPS: WiFi Protected Setup

WPS can sometimes simplify the connection process. Here’s how WPS connections can be performed:

  • First, press the WPS button on your router to turn on the discovery of new devices. Then, go to your device and select the network you want to connect to. The device is automatically connected to the wireless network without entering the network password.
  • You may have devices like wireless printers or range extenders with their own WPS button that you can use for making quick connections. Connect them to your wireless network by pressing the WPS button on the router and then on those devices. You don’t have to input any data during this process. WPS automatically sends the network password, and these devices remember it for future use. They will be able to connect to the same network in the future without you having to use the WPS button again.
  • A third method involves the use of an eight-digit PIN. All routers with WPS enabled have a PIN code that’s automatically generated, and it cannot be changed by users. You can find this PIN on the WPS configuration page on your router. Some devices without a WPS button but with WPS support will ask for that PIN. If you enter it, they authenticate themselves and connect to the wireless network.
  • A fourth and last method also involves using an eight-digit PIN. Some devices without a WPS button but with WPS support will generate a client PIN. You can then enter this PIN in your router’s wireless configuration panels, and the router will use it to add that device to the network.

Not really any other questions with WPS.

photo stream_zpssm9tlzhe.png

My first guess was Symmetric algorithm but I wasn’t really sure if Elliptic curves where block ciphers but I may be miss understanding something and wanted to investigate. So the first place to start is here: Stream cipher and the first line says:

A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream).

So any thing asymmetric is a block cipher, i’m assuming? If we look at this: Block size (cryptography), it states that

In modern cryptography, symmetric key ciphers are generally divided into stream ciphers and block ciphers. Block ciphers operate on a fixed length string of bits. The length of this bit string is the block size. Both the input (plaintext) and output (ciphertext) are the same length; the output cannot be shorter than the input – this follows logically from the pigeonhole principle and the fact that the cipher must be reversible – and it is undesirable for the output to be longer than the input.

So this is kind of a bull shit question but ok. It is possible that is the answer. Anything that uses public key or asymmetric encryption I’m going to assume encrypts at a point in time when the data is complete and processes the entire thing rather than blocks of information.

photo saml token_zps2plyfdsh.png

I think Oauth should be able to do this so lets find out! This first link was the most helpful and is the only one I really want to share The Difference Between SAML 2.0 and OAuth 2.0

As you read through it you start to realize what people are using SAML for and that if you read OAUTH documentation it does fit the bill however its not really used for the type of access its describing. Yes, i realize that it says API and that this OAuth 2 Simplified say that the API is the resource but its a really generic term that a lot of people don’t really understand what it is and the first part of that indicates that its a web server: Representational state transfer and SAML is the standard for that. So, OAUTH will work, making this slightly shady question but SAML is normally used for web server authentication.

Anyway, sorry for sharing so many links but the important part was the REST in front of the API. Also here is a helpful grid from the graph where they are comparing the two (the first one) and explaining the common use cases:

photo Jesse_blogi_kaavio-750x239_zps7kljdlk2.jpg

Are they going to throw in another ‘fun’ question with a similar scenario that is total crap? Who knows but I agree with this one based on the general consensus internet has to say about it.

photo sha data de-dup_zpsbs9ypur1.png

I think I’ve covered this before and SHA would be my first guess but it says supported by a wide range of systems and I think SHA is newer than AES which is why I picked AES. Anyway, wanted to cover that again. Well according to this, SHA-2, it was first released in 2001 so I think its a safe assumption that it should be in wide use. The original SHA was released in 1993 and it does say its faster than AES. Given what we now know about the modes of AES and how it works, I can for sure see why. Given the option I’m not sure why you would pick anything other than the best form of SHA2 that you could use. Given that, some sites report that AES is the most commonly used encryption. However, this says hashing. Which you could use AES for but there is a great note about that in this: Why AES is not used for secure hashing, instead of SHA-x?

Summary: not only are block ciphers and hash functions quite different; but the idea of building a hash function out of the AES turns out to be of questionable validity. It is not easy, and the limited AES block size is the main hindrance.

The duplicate bits is interesting too. Clearly, I don’t really know what I’m doing yet but I would like to take a look at that anyway. Are they saying hash collisions or it expecting, a hashing algorithm, to detect file contents and eliminate duplicates? No, I think it means that no file hash duplicates with the algorithm used. For more info check this out: Why haven’t any SHA-256 collisions been found yet? and what they mean by collisions is duplicate hashes.

photo crl-pk1_zps4pj6t3d6.png

I find this confusing as with a x.509 certificate I thought part of a browsers acceptance was checking the CRL. As per the x.509 wiki

X.509 and RFC 5280 also include standards for certificate revocation list (CRL) implementations. Another IETF-approved way of checking a certificate’s validity is the Online Certificate Status Protocol (OCSP). Firefox 3 enables OCSP checking by default, as do versions of Windows from at least Vista and later.[4]

So, I mean maybe but ok. Get a CRL or cross check it. Maybe I’m not understanding something however it does seem like the clear cut choice. However, maybe its self signed? No… it says small public…

photo 636_zpshocgksc0.png

To be real honest, I don’t know what these ports do I should figure that out but I think I understand the first part of the answer.

  • port 389 – Lightweight Directory Access Protocol
  • port 636 – Lightweight Directory Access Protocol over TLS/SSL (LDAPS) (official)

So that makes sense now because the traffic needs to go over TLS.

photo what_zpshsujfhh6.png

So I’m not sure why its using radius if these are not wireless clients as it doesn’t say wireless clients because I’m typically used to seeing it set up like that in MSFT land. After reading a ton of stuff, long story short TACACS+ and Radius is the way to go. LDAP and MSCHAPv2 is possible but that’s really not a good set up. According to Juniper Understanding Central Network Access Using RADIUS and TACACS+

What About Using LDAP For Authentication? Lightweight Directory Access Protocol (LDAP) is a client/server protocol used to access and manage directory information. It reads and edits directories over IP networks and runs directly over TCP/IP using simple string formats for data transfer. Directory servers include information about various entities on your network, such as user names, passwords, rights associated with user names, metadata associated with user names, devices connected to the network, and device configuration.

Use LDAP to obtain directory information, such as email addresses and public keys. If you want to make directory information available over the Internet, this is the way to do it. LDAP works well for captive portal authentication. However, LDAP does not implement 802.1X security easily. 802.1X was essentially designed with RADIUS in mind, so 802.1X challenge/response protocols like MSCHAPv2 work well with RADIUS.

photo raidus tacacs_zps7gxfw9py.png

And currently I haven’t figure out why, in your spaghetti, that you use TACACS+ instead of MSCHAPv2 but im working on that. Ok, none of this really makes much sense, at all and there is no real answer but Radius and TACACS+ work great together, for this question. However, there could be another that says Radius and MSCHAPv2 or something like that but I think there’s an issue with the strength of encryption if implemented like that so it would be like eap-peep-mschapv2. However, that’s generally the implied thing anyway. Wow, sometimes this stuff makes no sense and I imagine fair questions are hard to write. The thing this question leaves out is that TACACS+ is Cisco proprietary tech according to this TACACS+ Protocol but that appears to be bad info per the wiki page that says

Terminal Access Controller Access-Control System Plus (TACACS+) is a protocol developed by Cisco and released as an open standard beginning in 1993. Although derived from TACACS, TACACS+ is a separate protocol that handles authentication, authorization, and accounting (AAA) services. TACACS+ have largely replaced their predecessors.

So at the end of the day, this shit, like all tests, is confusing and the answers are some times not using standard logic as there … two web sites with conflicting info on who owns the tech…

photo MD5_zps3jbti7r4.png

Not sure if I understand what they mean by ‘fixed length’ but one would assume a block cipher that fills the blocks with nonsense. So the question no is why the fuck would you not want to unencrypt something? So what they mean is using this for hashing rather than encryption, which is hella confusing as the algorithms can do both, apparently. That said, which per the wiki, this seems to indicate that its used more for hashing where is AES is for sure an encrypting protocol Does MD5 hash or encrypt its string? and they say its irreversable but there are apparently rainbow tables all over that can crack md5 hashes but the value is always 128 bits no matter what the input is. So hopefully, this info is pretty standard and I can always rule out md5 for anything but hashing.

photo comands on network_zpsmbnh3wr9.png

I was really confused by this because I hadn’t heard of any authentication protocol granting users rights but it is TACACS+ and I’m pretty sure its the only one that does that. The interesting note is this is on a site that suggest that its not available for use outside of Cisco tech when one of the links I found was for Juniper and I don’t think they are owned by Cisco. Anyway, TACACS+ Protocol

To ease this task to some extent, Cisco ACS (Access Control Server) is used. ACS provides a centralized management system in which the database of username and password are kept. Also, authorization (means what the user is authorized to do) can be configured. But for this we have to tell the router to refer to ACS for its decision on authentication and authorization.

So, what they may mean by it being proprietary tech for AAA frame work is that this part only works on Cisco routers? Not very clear and the Cisco doc’s on this are not quick reads with basic information. It’s all config docs. blah!

photo 802.1x_zpsbdjwodto.png

Yeah, thats 802.1x for sure, radius server with the routers as clients. But how is that different from Radius federation? What I’m getting is that its a transitive authentication between domains. I think what they mean is a federated trust between domains where the one your on uses Radius authentication. for more info Federated identity and What is federation with Azure AD?

Again, this is hashing vs encryption with sha2 being a hash function and AES being used for encryption as, noted above. However, why not use RSA? How does RSA and AES differ?

Well, it says 3rd party and that would require an additional key gen as RSA is asymmetric. Hopefully I will remember this haha

Alright, thats all for now. Time to go through some more questions I missed and then possibly repost questions while getting into more granular detail until I feel good about spending over 300 dollars on testing haha

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

Website Powered by WordPress.com.

Up ↑

%d bloggers like this: