© 2008 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 2
Chapter 5:
The Art of Ensuring
Integrity
Cybersecurity Essentials v1.1
Chapter 5 - Sections & Objectives
5.1 Types of Data Integrity Controls
Explain the processes used to ensure integrity.
5.2 Digital Signatures
Explain the purpose of digital signatures.
5.3 Certificates
Explain the purpose of digital certificates.
5.4 Database Integrity Enforcement
Explain the need for database integrity enforcement.
5.1 Types of Data Integrity
Controls
► Hashing is a tool that ensures data
integrity by taking binary data (the
message) and producing a fixed-length
representation called the hash value or
message digest.
► A hash function is considered one-way
because with hash functions, it is
computationally infeasible for two
different sets of data to come up with the
same hash digest or output.
► Every time the data is changed or altered,
the hash value also changes. Because of
this, cryptographic hash values are often
called digital fingerprints. They can be used
to detect duplicate data files, file version
changes, and in similar applications.
►Hashing is a one-way mathematical function that is relatively easy to
compute, but significantly harder to reverse.
►Grinding coffee is a good analogy of a one-way function.
A cryptographic hash function has
the following properties:
► The input can be any length.
► The output has a fixed length.
► The hash function is one way and is
not reversible.
► Two different input values will almost
never result in the same hash values.
The 8-bit checksum is one of the first hashing algorithms, and it is the simplest form of
a hash function. An 8-bit checksum calculates the hash by converting the message into
binary numbers and then organizing the string of binary numbers into 8-bit chunks. The
algorithm adds up the 8-bit values. The final step is to convert the result using a
process called 2’s complement. The 2’s complement converts a binary number to its
opposite value, and then it adds one.
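The 8-bit checksum described above, written out as an added Python example (not part of the original slides); the sample messages are constructed. It also shows the limit of a checksum: an accidental one-byte change is caught, but the same bytes in a different order produce the same sum.

```python
def checksum8(message: bytes) -> int:
    """Add up the 8-bit chunks, keep the low 8 bits, then take the 2's complement."""
    total = sum(message) & 0xFF        # each byte is one 8-bit chunk
    return (~total + 1) & 0xFF         # 2's complement: invert every bit, then add one


def verify8(message: bytes, checksum: int) -> bool:
    """Receiver side: byte sum plus checksum must come out as 0 in 8 bits."""
    return (sum(message) + checksum) & 0xFF == 0


# Constructed sample messages.
ORIGINAL = b"PAY 100 TO BOB"
CORRUPTED = b"PAY 100 TO BOC"   # one byte changed: the sum changes, so it is detected
REORDERED = b"PAY 001 TO BOB"   # same bytes, different order: the sum is unchanged


def demo() -> dict:
    c = checksum8(ORIGINAL)
    return {
        "checksum": c,
        "original_ok": verify8(ORIGINAL, c),
        "corrupted_ok": verify8(CORRUPTED, c),
        "reordered_ok": verify8(REORDERED, c),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The reordered message passing verification is why an 8-bit checksum is only an error-detection aid and not a cryptographic hash.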
There are many modern hashing algorithms widely used today. Two of the most
popular are MD5 and SHA.
► Message Digest 5 (MD5) Algorithm - a hash algorithm developed by Ron Rivest
that produces a 128-bit hash value.
► Secure Hash Algorithm (SHA) - developed by the U.S. National Institute of
Standards and Technology (NIST) and can be implemented in different strengths:
Hashing algorithms turn any amount of data into a fixed-length fingerprint or digital
hash. A criminal cannot reverse a digital hash to discover the original input. If the
input changes at all, it results in a different hash. This works for protecting passwords.
A system needs to store a password in a form that protects it and can still verify that a
user’s password is correct.
Hashing Passwords
While hashing can detect accidental changes, it cannot guard against deliberate
changes. There is no unique identifying information from the sender in the
hashing procedure.
► Salting is used to make hashing more secure. If two users have the same
password, they will also have the same password hashes. A salt, which is a
random string of characters, is an additional input to the password before
hashing.
► This creates a different hash result for the two passwords. A database stores both
the hash and the salt.
► Salting prevents an attacker from using a dictionary attack to try to guess
passwords. Salting also makes it impossible to use lookup tables and rainbow tables
to crack a hash.
► A Cryptographically Secure Pseudo-Random Number Generator (CSPRNG) is the
best choice to generate salt as it has a high level of randomness and is completely
unpredictable, making it cryptographically secure.
► To implement a salt successfully, it should be unique per password, never reused,
and as long as the message digest, and the hashing should take place on the web server.
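An added example (not from the original slides) of the salting rules above: a per-password salt from a CSPRNG, as long as the digest, stored next to the hash. It goes one step beyond the slide by using PBKDF2-HMAC-SHA256 with an assumed iteration count instead of a single hash pass; the passwords are constructed.

```python
import hashlib
import hmac
import secrets

DIGEST = "sha256"
SALT_LEN = hashlib.new(DIGEST).digest_size   # 32 bytes: salt as long as the digest
ITERATIONS = 200_000                         # assumed work factor, tune for your hardware


def unsalted_hash(password: str) -> str:
    """Plain hash with no salt, shown only to make the problem visible."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str):
    """Return (salt, digest); both are stored in the user's database row."""
    salt = secrets.token_bytes(SALT_LEN)     # fresh CSPRNG salt for every password
    digest = hashlib.pbkdf2_hmac(DIGEST, password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(DIGEST, password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    shared = "Winter2024!"                   # constructed: two users pick the same password
    salt_a, hash_a = hash_password(shared)
    salt_b, hash_b = hash_password(shared)
    return {
        "unsalted_hashes_equal": unsalted_hash(shared) == unsalted_hash(shared),
        "salted_hashes_equal": hash_a == hash_b,
        "salts_equal": salt_a == salt_b,
        "correct_password_ok": verify_password(shared, salt_a, hash_a),
        "wrong_password_ok": verify_password("winter2024!", salt_a, hash_a),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```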
► HMACs strengthen hashing
algorithms by using an additional secret
key as input to the hash function.
► An HMAC uses a specific algorithm
that combines a cryptographic hash
function with a secret key.
► Only the sender and the receiver know
the secret key, and the output of the
hash function now depends on the input
data and the secret key. Only parties
who have access to that secret key can
compute the digest of an HMAC
function.
► This characteristic defeats man-in-the-
middle attacks and provides
authentication of the data origin.
► HMACs can also authenticate a web user.
Many web services use basic
authentication, which does not encrypt
the username and password during
transmission.
► Using HMAC, the user sends a private
key identifier and an HMAC. The server
looks up the user’s private key and
creates an HMAC. The user’s HMAC
must match the one calculated by the
server.
► VPNs using IPsec rely on HMAC
functions to authenticate the origin of
every packet and provide data integrity
checking.
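The web-user exchange described above, as an added Python example that is not part of the original slides: the client sends a key identifier and an HMAC, and the server looks up the key and recomputes the HMAC. The key identifier, the secret, the request fields and the canonical message layout are all assumptions made for the example.

```python
import hashlib
import hmac

# Server-side lookup table: key identifier -> shared secret key.
# Constructed sample values; a real service would load these from a secrets store.
SERVER_KEYS = {"key-1001": b"constructed-sample-secret-key"}


def canonical_message(method: str, path: str, body: bytes) -> bytes:
    """Fix one byte layout for the signed fields so both sides hash the same input."""
    body_digest = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_digest]).encode("utf-8")


def client_sign(key_id: str, secret: bytes, method: str, path: str, body: bytes) -> dict:
    """Client side: the secret never travels, only the key identifier and the HMAC."""
    tag = hmac.new(secret, canonical_message(method, path, body), hashlib.sha256)
    return {"key_id": key_id, "method": method, "path": path,
            "body": body, "hmac": tag.hexdigest()}


def server_verify(request: dict) -> bool:
    """Server side: look up the key, recompute the HMAC, compare in constant time."""
    secret = SERVER_KEYS.get(request["key_id"])
    if secret is None:                       # unknown key identifier
        return False
    message = canonical_message(request["method"], request["path"], request["body"])
    expected = hmac.new(secret, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode("ascii"),
                               request["hmac"].encode("utf-8"))


def demo() -> dict:
    body = b'{"to": "bob", "amount": 100}'   # constructed request body
    good = client_sign("key-1001", SERVER_KEYS["key-1001"], "POST", "/transfer", body)
    tampered = dict(good, body=b'{"to": "bob", "amount": 1000}')
    wrong_key = client_sign("key-1001", b"guessed-secret", "POST", "/transfer", body)
    return {
        "valid_request": server_verify(good),
        "body_changed_in_transit": server_verify(tampered),
        "signed_with_wrong_key": server_verify(wrong_key),
        "unknown_key_id": server_verify(dict(good, key_id="key-9999")),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A captured valid request would still verify if sent again, so a deployed scheme also signs a timestamp or nonce and rejects repeats.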
5.2 Digital Signatures
► A digital signature is used to determine if
someone edits a document after the user
signs it.
► A digital signature is a mathematical
method used to check the authenticity and
integrity of a message, digital document, or
software.
► In many countries, digital signatures have
the same legal importance as a manually
signed document.
► A digital signature helps to establish
authenticity, integrity, and non-repudiation.
Digital signatures have specific properties
that enable entity authentication and data
integrity.
► Digital signatures are an alternative to
HMAC.
►Non-repudiation is a way to ensure that the sender of a message or
document cannot deny having sent the message or document and that
the recipient cannot deny having received the message or document.
►A digital signature ensures that the sender electronically signed the
message or document. Since a digital signature is unique to the
individual creating it, that person cannot later deny that he or she
provided the signature.
► Asymmetric cryptography is the basis for digital signatures. A public key
algorithm like RSA generates two keys: one private and the other public.
The keys are mathematically related.
► Code signing - Used to verify the integrity of executable files downloaded from a vendor
website.
► Digital certificates - Used to verify the identity of an organization or individual to
authenticate a vendor website and establish an encrypted connection to exchange
confidential data.
5.3 Certificates
►A digital certificate is equivalent to an electronic passport. Digital
certificates enable users, hosts, and organizations to exchange
information securely over the Internet.
►A digital certificate authenticates and verifies that users sending a
message are who they claim to be. Digital certificates can also
provide confidentiality for the receiver with the means to encrypt a
reply.
► A certificate authority (CA) functions the same as the licensing bureau. The
CA issues digital certificates that authenticate the identity of organizations and
users. These certificates also sign messages to ensure that no one tampered
with the messages.
► X.509 is a standard for a public
key infrastructure (PKI) to
manage digital certificates.
PKI is the policies, roles, and
procedures required to create,
manage, distribute, use, store,
and revoke digital certificates.
The X.509 standard specifies
that digital certificates contain
the standard information
5.4 Database Integrity
Enforcement
►Databases provide an efficient way to store, retrieve, and analyze
data.
►As data collection increases and data becomes more sensitive, it is
important for cybersecurity professionals to protect the growing
number of databases.
►Data integrity refers to the accuracy, consistency, and reliability of
data stored in a database.
The four data integrity rules or constraints are as follows:
: All rows must have a unique identifier called a Primary Key.
: All data stored in a column must follow the same format
and definition.
: Table relationships must remain consistent. Therefore, a
user cannot delete a record which is related to another one.
: A set of rules defined by a user which does not belong
to one of the other categories.
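The four rules above enforced by the database itself, as an added example using Python's built-in sqlite3 module (not part of the original slides). The table names, columns and the quantity limit are assumptions; it also shows that SQLite only enforces table relationships when foreign keys are switched on for the connection.

```python
import sqlite3

# Constructed schema: one constraint per rule described above.
SCHEMA = """
CREATE TABLE customers (
    id    INTEGER PRIMARY KEY,                       -- unique identifier per row
    email TEXT NOT NULL CHECK (email LIKE '%_@_%')   -- same format for every value
);
CREATE TABLE orders (
    id          INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL
                REFERENCES customers(id) ON DELETE RESTRICT,      -- relationship
    quantity    INTEGER NOT NULL CHECK (quantity BETWEEN 1 AND 100)  -- user rule
);
"""


def open_db(enforce_fk: bool = True) -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # SQLite checks foreign keys only when this pragma is ON for the connection.
    conn.execute("PRAGMA foreign_keys = " + ("ON" if enforce_fk else "OFF"))
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO customers (id, email) VALUES (1, 'alice@example.com')")
    conn.execute("INSERT INTO orders (id, customer_id, quantity) VALUES (10, 1, 2)")
    return conn


def accepted(conn: sqlite3.Connection, sql: str, params: tuple) -> bool:
    """True if the database accepted the statement, False if a constraint refused it."""
    try:
        conn.execute(sql, params)
        return True
    except sqlite3.IntegrityError:
        return False


def run_checks(enforce_fk: bool = True) -> dict:
    conn = open_db(enforce_fk)
    new_customer = "INSERT INTO customers (id, email) VALUES (?, ?)"
    new_order = "INSERT INTO orders (id, customer_id, quantity) VALUES (?, ?, ?)"
    results = {
        "duplicate_primary_key": accepted(conn, new_customer, (1, "bob@example.com")),
        "bad_column_format": accepted(conn, new_customer, (2, "not-an-email")),
        "order_for_missing_customer": accepted(conn, new_order, (11, 99, 1)),
        "delete_customer_with_orders": accepted(
            conn, "DELETE FROM customers WHERE id = ?", (1,)),
        "quantity_outside_rule": accepted(conn, new_order, (12, 1, 0)),
        "valid_order": accepted(conn, new_order, (13, 1, 5)),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for enforce in (True, False):
        print("foreign keys enforced:", enforce, run_checks(enforce))
```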
A validation rule checks that data falls within the parameters defined by the database
designer. A validation rule helps to ensure the completeness, accuracy and consistency
of data. The criteria used in a validation rule include the following:
– checks the number of characters in a data item
– checks that the data conforms to a specified format
– checks for the consistency of codes in related data items
– checks that data lies within a minimum and maximum value
– provides for an extra calculation to generate a check digit for error detection
is the simplest data validation and verifies that a user entering
data is consistent with the type of characters expected. Databases allow three data
types: .
► One of the most vulnerable aspects of database integrity management is
controlling the data input process.
refers to identifying patterns in data that do not conform to
expected behavior. requires verification data requests or
modifications when a system detects unusual or surprising patterns.

Cisco cybersecurity essentials chapter -5
