Legend:
E / D : Encrypt / Decrypt
p / c : plain / cipher
PK / SK : public key / secret key
m / s : message / signature
Reminder:
Public-key crypto: data encrypted with one key of a key pair (public or private) can be decrypted only with the other key of that pair.
A certificate contains a public key; it is used to verify that an entity is the owner of a particular public key.
You can obtain a certificate from a Certificate Authority (CA). Alternatively, you can create a self-signed certificate, in which the owner and the issuer are the same.
Signature (sign/verify):
- Sender: hash the message and encrypt the hash with the secret key (= sign)
- Recipient: decrypt the signature with the public key and compare the result with a fresh hash of the received message (= verify)
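The sign/verify steps above, as an added example in Go (not part of the original notes) using the standard library's RSA PKCS#1 v1.5 with SHA-256; the message text and the second "impostor" key pair are constructed here, and Sign, Verify and Demo are names chosen for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign is the "hash, then encrypt with the secret key" step: the RSA operation covers the
// SHA-256 digest of m, never m itself.
func Sign(sk *rsa.PrivateKey, m []byte) ([]byte, error) {
	d := sha256.Sum256(m)
	return rsa.SignPKCS1v15(rand.Reader, sk, crypto.SHA256, d[:])
}

// Verify recomputes the digest and checks it against s using only the public key.
func Verify(pk *rsa.PublicKey, m, s []byte) bool {
	d := sha256.Sum256(m)
	return rsa.VerifyPKCS1v15(pk, crypto.SHA256, d[:], s) == nil
}

// Demo signs a constructed message and reports whether verification passes for the genuine
// message, for a tampered copy, and for a different signer's public key.
func Demo() (genuine, tampered, wrongKey bool, err error) {
	sk, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for an impostor's key pair
	if err != nil {
		return
	}
	m := []byte("pay 10 EUR to account 42") // constructed sample message
	s, err := Sign(sk, m)
	if err != nil {
		return
	}
	genuine = Verify(&sk.PublicKey, m, s)
	tampered = Verify(&sk.PublicKey, []byte("pay 9999 EUR to account 42"), s)
	wrongKey = Verify(&other.PublicKey, m, s)
	return
}

func main() {
	g, t, w, err := Demo()
	fmt.Println("genuine:", g, "tampered:", t, "wrong key:", w, "err:", err)
}
```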
Kerberos:
- symmetric encryption/decryption of all exchanges,
- Client / Server, each with its own symmetric key,
- KDC (Key Distribution Center): single source of all symmetric keys.
SSL/TLS
- SSL journey:
- Website owner gets a public/secret key pair
- Website owner provides the public key and requests a certificate from a CA
- CA issues a certificate to the website owner.
- Website provides the certificate in each SSL connection handshake
- The SSL client gets the certificate and verifies it through the CA
- Basically, HTTP messages (request & response) are encrypted, then handed to TCP.
- PK /PS policy.
- Force full HTTPS as early as possible (e.g. DNS bootstrap)
- OpenSSL vs Java keytool
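The SSL journey above carried out end to end, as an added example in Go's crypto/x509 (not from the original notes): a constructed CA ("Example Root CA") self-signs its root, the site gets its own key pair, the CA issues the site certificate, and a client verifies it once with the CA in its trust store and once with an empty one. Journey, issue and template are names chosen for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// template holds the claims a certificate makes: who (Subject) and for how long (validity).
func template(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}
// issue signs tmpl (carrying pub) with the parent's secret key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// Journey runs the steps above for a constructed CA and site name, and reports whether the site
// certificate verifies for a client that trusts the CA and for one with an empty trust store.
func Journey(site string) (trusting, untrusting bool) {
	// Steps 1-3: self-signed root (parent == template: owner and issuer are the same), then the CA
	// binds the site's own public key to its name by signing the site template with the CA secret key.
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := template(1, "Example Root CA")
	caTmpl.IsCA, caTmpl.BasicConstraintsValid, caTmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	caCert := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	siteKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	siteTmpl := template(2, site)
	siteTmpl.DNSNames = []string{site} // the name the client compares with the URL's host
	siteCert := issue(siteTmpl, caCert, &siteKey.PublicKey, caKey)
	// Steps 4-5: the client checks the presented certificate against the CAs it trusts.
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, errTrusted := siteCert.Verify(x509.VerifyOptions{DNSName: site, Roots: roots})
	_, errEmpty := siteCert.Verify(x509.VerifyOptions{DNSName: site, Roots: x509.NewCertPool()})
	return errTrusted == nil, errEmpty == nil
}
```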
=========================================================
IP: addresses/locates computers, routes packets (datagrams) and fragments them when needed
TCP: controls the communication (windowing) + error detection
[NAT / PAT + subnet masking] as a mediation / boundary between public and private IPs.
DNS: resolves domain names to IPs (nslookup). DNS caching. DNS record types (SN, MX, wildcard ...)
Traffic/routing diagnosis: traceroute, pathping
DHCP: assigns IPs.
IPv4 format: 4 bytes (possible values: 2^(8 * 4) = 2^32)
IPv6 format: 16 bytes (possible values: 2^(8 * 16) = 2^128)
Binary golden rule: sum(2^i, i = 0..n-1) = 2^n - 1
Why are program namespaces usually inverted (e.g. com.github.forks)? Maybe inspired by DNS resolution, which proceeds from the top-level domain down (com => github => forks => IP).
- Port connectivity: telnet, nmap (not built-in).
Telnet: communicate remotely with a device (e.g. send requests to a service port).
SSH: manage/administer a device remotely (e.g. run shell commands).
- Basic scenario of internet connectivity:
Client host (routing table, ARP) --> router (NAT ...) --> modem --> ISP (internet service provider) router --> ISP backbone --> modem --> server firewall / router (PAT) --> server host
Network packet sniffing:
A packet sniffer copies data as it travels across a network and makes it available for viewing.
Why?
- Identify a congested node or link
- Identify the applications that generate most of the traffic
- Identify peaks and troughs in network demand
- Collect / log data for more advanced analysis
Tools:
- tcpdump
- wireshark
- Fiddler (HTTP capture)
HTTP Caching
Notes
- Private network: a set of physical nodes connected to each other without being exposed to the Internet (intranet, LAN, MAN, WAN ...). Traffic originating and terminating within a private network traverses only nodes that belong to that private network.
- Public network: any network exchanging traffic through the public Internet.
- VPN: Communication environment constructed by controlled segmentation of a shared communications infrastructure to emulate the characteristics of a private network
- Why VPN:
- Traditional private networks are not cheap to plan and deploy. The costs of dedicated links are high when they involve international locations.
- Companies need to provide a reliable IT infrastructure so employees can access it from remote locations, without being physically present in their offices.
- Types of VPN:
- Site-to-site VPN: interconnects LANs located in multiple geographic areas over the shared network infrastructure.
- Remote access VPN: permits secure, encrypted connections between a company's private network and remote users through a third-party service provider. The third party is usually an enterprise service provider (ESP). The ESP sets up a network access server (NAS) and provides the remote users with desktop client software for their computers.
- VPN technologies:
- Desktop software client for each remote user
- Dedicated hardware such as a VPN concentrator or secure PIX firewall
- Dedicated VPN server for dial-up services
- NAS (network access server) used by service provider for remote-user VPN access
- VPN network and policy-management center
- VPN uses IPsec, a standard protocol. Two VPN connectivity modes:
- Tunnel mode:
- The original packet is encapsulated entirely (header + payload) in another IP packet.
- IPsec wraps the original packet, encrypts it, adds a new IP header and sends it.
- It is widely implemented in site-to-site VPN scenarios.
- NAT traversal is supported with the tunnel mode.
- Transport mode:
- Transport mode encrypts only the payload and the ESP trailer, so the IP header of the original packet is not encrypted.
- The IPsec Transport mode is implemented for client-to-site VPN scenarios.
- NAT traversal is not supported with the transport mode.
Subnetting
CIDR is a more generic and flexible way (compared to classful techniques) to assign IPs and subnet. CIDR RFC: https://tools.ietf.org/html/rfc4632
CIDR for private network: https://tools.ietf.org/html/rfc1918
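An added example (not from the original notes): a small CIDR helper in Go's net/netip that masks a prefix to its network address, computes the broadcast address and the number of addresses (2^host-bits), flags the RFC 1918 private ranges, and splits an IPv4 block into equal sub-prefixes. Describe, Split and the Subnet type are names chosen for this example; the prefixes in the comments are constructed samples.

```go
package main

import (
	"fmt"
	"math/big"
	"net/netip"
)

// Subnet is what a subnetting exercise works out for one CIDR prefix.
type Subnet struct {
	Network   string // first address: all host bits zero
	Broadcast string // last address: all host bits one (IPv4 only)
	Addresses string // 2^(address bits - prefix bits), as a decimal string
	Private   bool   // inside an RFC 1918 range (IPv4) or fc00::/7 (IPv6)
}
func v4ToUint(a netip.Addr) uint32 {
	b := a.As4()
	return uint32(b[0])<<24 | uint32(b[1])<<16 | uint32(b[2])<<8 | uint32(b[3])
}
func uintToV4(u uint32) netip.Addr {
	return netip.AddrFrom4([4]byte{byte(u >> 24), byte(u >> 16), byte(u >> 8), byte(u)})
}
// Describe parses "addr/len", zeroes the host bits and reports the block's limits.
func Describe(cidr string) (Subnet, error) {
	p, err := netip.ParsePrefix(cidr)
	if err != nil {
		return Subnet{}, err
	}
	p = p.Masked() // e.g. 192.168.1.77/26 -> 192.168.1.64/26
	hostBits := p.Addr().BitLen() - p.Bits()
	s := Subnet{Network: p.Addr().String(), Private: p.Addr().IsPrivate(),
		Addresses: new(big.Int).Lsh(big.NewInt(1), uint(hostBits)).String()}
	if p.Addr().Is4() { // broadcast = network address with every host bit set
		s.Broadcast = uintToV4(v4ToUint(p.Addr()) | (uint32(1)<<uint(hostBits) - 1)).String()
	}
	return s, nil
}
// Split carves an IPv4 prefix into equal sub-prefixes of newBits length, e.g. a /24 into four /26.
func Split(cidr string, newBits int) ([]string, error) {
	p, err := netip.ParsePrefix(cidr)
	if err != nil || !p.Addr().Is4() || newBits < p.Bits() || newBits > 32 {
		return nil, fmt.Errorf("need a valid IPv4 prefix and prefix length <= newBits <= 32 (%v)", err)
	}
	base, step := v4ToUint(p.Masked().Addr()), uint32(1)<<uint(32-newBits)
	var out []string
	for i := uint64(0); i < uint64(1)<<uint(newBits-p.Bits()); i++ {
		out = append(out, netip.PrefixFrom(uintToV4(base+uint32(i)*step), newBits).String())
	}
	return out, nil
}
```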