networking:

terms:

station (STA), wireless client, node: any device capable of using the 802.11 protocol

service set: a set of all the devices associated with a 802.11 wireless local area network (WLAN)

basic service set (BSS): provides the basic building-block of an 802.11 wireless LAN. In infrastructure mode, a single access point (AP) together with all associated stations (STAs) is called a BSS

basic service set identification (BSSID): For a BSS operating in infrastructure mode, the BSSID is the MAC address of the wireless access point (WAP) generated by combining the 24 bit Organization Unique Identifier (OUI, the manufacturer’s identity) and the manufacturer’s assigned 24-bit identifier for the radio chipset in the WAP. The BSSID is the formal name of the BSS and is always associated with only one BSS. Note, the MAC address concept is not limited to radio communication, wired networks use the very same 24+24 bit MAC address concept to uniquely identify the hosts

(SSID): - a series of 0 to 32 octets. Each BSS or ESS is identified by a service set identifier. It is used as an identifier for a wireless LAN, and is intended to be unique for a particular area. Since this identifier must often be entered into devices manually by a human user, it is often a human-readable string and thus commonly called the “network name”. A common, albeit incorrect assumption, is that an SSID is a string of human-readable characters (such as ASCII), terminated by a NUL character (as in a C-string). SSIDs must be treated and handled as what they are, a series of 0 to 32 octets, some of which may not be human-readable.

wireless access point (WAP): a networking hardware device that allows a Wi-Fi compliant device to connect to a wired network. ? the functionality that should be emphasized here is the bridge made between wireless and wired. the typical home/personal ‘router’ is usually a converged device that includes the WAP, a router, and, often, an Ethernet switch.

wireless network interface controller (https://en.wikipedia.org/wiki/Wireless_network_interface_controller): a network interface controller which connects to a radio-based computer network rather than a wire-based network such as Token Ring or Ethernet. A WNIC, just like other NICs, works on the Layer 1 and Layer 2 of the OSI Model. A WNIC in a desktop computer usually is connected using the PCI bus

NIC: The network controller implements the electronic circuitry required to communicate using a specific physical layer and data link layer standard such as Ethernet, Fibre Channel, Wi-Fi or Token Ring. This provides a base for a full network protocol stack, allowing communication among small groups of computers on the same local area network (LAN) and large-scale network communications through routable protocols, such as Internet Protocol (IP). The NIC allows computers to communicate over a computer network, either by using cables or wirelessly. The NIC is both a physical layer and data link layer device, as it provides physical access to a networking medium and, for IEEE 802 and similar networks, provides a low-level addressing system through the use of MAC addresses that are uniquely assigned to network interfaces.

Router:

network switch, switching hub, bridging hub, officially MAC bridge network interface controller (NIC):

Node: a connection point, a redistribution point, or a communication endpoint

media access control address (MAC address): also called physical address, is a unique identifier assigned to network interfaces for communications on the physical network segment. MAC addresses are used as a network address for most IEEE 802 network technologies, including Ethernet and WiFi. Logically, MAC addresses are used in the media access control protocol sublayer of the OSI reference model. MAC addresses are most often assigned by the manufacturer of a network interface controller (NIC) and are stored in its hardware, such as the card’s read-only memory or some other firmware mechanism

Octet: 8 bits. used when byte is ambiguous. can represent base 10 values of 0-255

Token Ring:

Ethernet:

OSI Model:

PCI bus:

cia triad http://atom.smasher.org assets and risk = threats * vulns principle of least privilege sensor network - denial of sleep

802.11 WEP, WPA, TKIP, WPA2, 802.11i, WPA2 WPA Enterprise RADIUS server WPA Personal (WPA-PSK) MAC addresses MAC address filtering

symmetric encryption: uses single shared key DES, 3DES, AES confidential online communication using ssl

asymmetric encryption: also called public key encryption uses pub and priv RSA PGP uses: key exchange and digital signatures

? Message Authentication Code (MAC) different from mac address ?

TODO: get software to perform symmetric encryption. TODO: get software to perform asymmetric encryption.

http://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file

https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys–2 https://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/

Generate an RSA keypair with a 2048 bit private key

openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048

Extracting the public key from an RSA keypair

openssl rsa -pubout -in private_key.pem -out public_key.pem

Every digital certificate has a pair of associated cryptographic keys. This pair of keys consists of a private key and a public key. Public/private key pairs are used for asymmetric encryption. Asymmetric encryption is used mainly to encrypt and decrypt session keys and digital signatures.

The two main branches of public key cryptography are:

Public key encryption: a message encrypted with a recipient’s public key cannot be decrypted by anyone except a possessor of the matching private key—presumably, this will be the owner of that key and the person associated with the public key used. This is used for confidentiality.

Digital signatures: a message signed with a sender’s private key can be verified by anyone who has access to the sender’s public key, thereby proving that the sender had access to the private key (and therefore is likely to be the person associated with the public key used), and the part of the message that has not been tampered with. On the question of authenticity, see also message digest.

An analogy to public-key encryption is that of a locked mailbox with a mail slot. The mail slot is exposed and accessible to the public; its location (the street address) is in essence the public key. Anyone knowing the street address can go to the door and drop a written message through the slot; however, only the person who possesses the key can open the mailbox and read the message.

Public/private key pairs are used for asymmetric encryption. Asymmetric encryption is used mainly to encrypt and decrypt session keys and digital signatures. Asymmetric encryption uses public key encryption algorithms.

Public key algorithms use two different keys: a public key and a private key. The private key member of the pair must be kept private and secure. The public key, however, can be distributed to anyone who requests it. The public key of a key pair is often distributed by means of a digital certificate. When one key of a key pair is used to encrypt a message, the other key from that pair is required to decrypt the message. Thus if user A’s public key is used to encrypt data, only user A (or someone who has access to user A’s private key) can decrypt the data. If user A’s private key is used to encrypt a piece of data, only user A’s public key will decrypt the data, thus indicating that user A (or someone with access to user A’s private key) did the encryption.

If the private key is used to sign a message, the public key from that pair must be used to validate the signature. For example, if Tom wants to send someone a digitally signed message, she would sign the message with her private key, and the other person could verify her signature by using her public key. Because presumably only Tom has access to her private key, the fact that the signature can be verified with Tom’s public key indicates that Tom created the signature.

http://bsdsupport.org/q-how-do-i-use-openssl-to-encrypt-files/ https://www.openssl.org/docs/manmaster/apps/enc.html

symmetric:

encrypt: openssl aes-256-cbc -salt -a -e -in plaintext.txt -out encrypted.txt

decrypt: openssl aes-256-cbc -salt -a -d -in encrypted.txt -out plaintext.txt

Asymmetric:

generate your private key and extract the public key

openssl genrsa -des3 -out private.key 4096 openssl -in private.key -pubout -out public.key

the second statement didnt work

openssl genrsa -out private.key 4096 openssl -in private.key -pubout -out public.key

this worked

openssl genrsa -out private.key 4096 openssl rsa -in private.key -pubout -out public.key

encrypt: openssl rsautl -encrypt -pubin -inkey public.key -in plaintext.txt -out encrypted.txt

decrypt: openssl rsautl -decrypt -inkey private.key -in encrypted.txt -out plaintext.txt

what is des3

# what is cbc (in aes-256-cbc)

https://sandilands.info/sgordon/demo-of-symmetric-key-encryption-using-openssl

http://stackoverflow.com/questions/16056135/how-to-use-openssl-to-encrypt-decrypt-files

Encrypt: openssl enc -in infile.txt -out encrypted.dat -e -aes256 -k symmetrickey

Decrypt: openssl enc -in encrypted.dat -out outfile.txt -d -aes256 -k symmetrickey

– comment: To use a plaintext password, replace -k symmetrickey with -pass stdin or -pass ‘pass:PASSWORD’ enc ~> openssl enc -in plaintext.txt -out encrypted.dat -e -aes256 -pass ‘pass:yodude’ dec ~> openssl enc -in encrypted.dat -out outfile.txt -d -aes256 -pass ‘pass:yodude’

– comment: Do not use the above command since there is no key derivation. Read more here: openssl weak key

https://www.reddit.com/r/crypto/comments/4gu3df/weak_key_derivation_in_openssl/ weak key derivation

https://ruslanspivak.com/lsbaws-part3/ http://stackoverflow.com/questions/918676/generate-sha-hash-in-c-using-openssl-library https://nodejs.org/en/docs/guides/anatomy-of-an-http-transaction/

check out first section

https://nodejs.org/api/tls.html

Perfect Forward Secrecy Diffie Hellman key-agreement Elliptic Curve Diffie Hellman key-agreement

google “creating a tls socket”

https://en.wikipedia.org/wiki/Digital_signature https://en.wikipedia.org/wiki/Smart_card

http://security.stackexchange.com/questions/8034/how-digital-signature-verification-process-works