Core Security Patterns by Steel, Nagappan & Lai (2006)
Notes, Discussion Points and Review
Chapter Two - "Basics of Security"
Requirements and Goals:
- Confidentiality - protecting sensitive data from being viewed by unauthorized
- Integrity - ensuring that data hasn't been altered during transit or storage.
- Authentication - ensuring the user's identity is correct.
- Authorization - controlling what actions a user is permitted to perform.
- Non-Repudiation - associating an action with a user such that they can't
deny performing the action.
One-Way Hash Function Algorithms (SHA, MD5) - create a short digest
that can be used to verify the integrity of the message or file.
Symmetric Ciphers - encryption and decryption are done with the same
key (relatively fast).
- Block ciphers (DES, IDEA, AES, Blowfish) - encrypt a block of data at a
- Stream ciphers (RC4, WAKE) - encrypt a stream of data. Generally faster
than a block cipher.
Asymmetric Ciphers - 1,000 times slower than symmetric ciphers - the
key used for decryption is different from the key used for encryption.
Digital Certificates (X.509 certificate)
- A digital certificate includes a person's or company's information (name, etc.)
and their public key, along with the signature of a trusted entity (CA). A certificate
is verified by using the public key of the CA to recover a hash value from the
signature; this must match the hash value computed over the certificate. The recipient
of the digital certificate then knows that the entity is who they claim to be,
and can encrypt any information with the public key provided
in the certificate knowing that only the owner of that certificate will be
able to decrypt the information.
- Root Certificate = self-signed certificate (thus essentially a Certificate
- Certificate revocation checking is not built into SSL! Browsers have
solutions to check certificate revocation lists but this check is optional
and turned off by default!
- Certificate revocation - browsers do not by default do any checking
of revocation lists!
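The certificate check described above (the CA's public key recovers a hash from the signature, which must match the hash of the certificate), as an added example that is not from the book or these notes. It assumes a toy CA key built from two known Mersenne primes, textbook RSA without padding, and a made-up certificate layout instead of X.509 DER; all names and values are constructed.

```python
import hashlib

# Constructed toy CA key: textbook RSA over two Mersenne primes, no padding.
# Illustration only; real CAs use random primes and padded signatures.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # CA public key (n, e)
D = pow(E, -1, (P - 1) * (Q - 1))        # CA private key, held only by the CA


def cert_body(subject: str, subject_public_key: str, issuer: str) -> bytes:
    """Serialize the fields the CA signs (hypothetical layout, not X.509 DER)."""
    return f"subject={subject}\npubkey={subject_public_key}\nissuer={issuer}".encode()


def digest(body: bytes) -> int:
    """SHA-256 of the certificate body as an integer (smaller than N)."""
    return int.from_bytes(hashlib.sha256(body).digest(), "big")


def ca_sign(body: bytes) -> int:
    """CA side: sign the hash of the certificate body with the private key."""
    return pow(digest(body), D, N)


def verify(body: bytes, signature: int) -> bool:
    """Recipient side: recover the hash from the signature with the CA's
    public key and compare it with a hash computed locally over the body."""
    return pow(signature, E, N) == digest(body)


if __name__ == "__main__":
    body = cert_body("www.example.test", "constructed-key-1", "Example Toy CA")
    sig = ca_sign(body)
    print("genuine certificate:  ", verify(body, sig))
    # Same signature, but the public key field was replaced after signing.
    altered = cert_body("www.example.test", "substituted-key", "Example Toy CA")
    print("public key substituted:", verify(altered, sig))
```

A passing check only shows that the CA signed these exact fields; revocation status is a separate lookup, as the notes above point out.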
SSL - Secure Sockets Layer
LDAP - Lightweight Directory Access Protocol