This chapter introduces the concepts of cryptography and covers encryption, hashing, and digital signatures and how these techniques provide confidentiality, integrity, authenticity, and nonrepudiation. You will learn about algorithms, symmetric and asymmetric encryption, digital signatures, and Public Key Infrastructure (PKI).
© 2012 Cisco and/or its affiliates. All rights reserved.
Fundamentals of Cryptography and
VPN Technologies
This chapter introduces the concepts of cryptography and VPN
technologies. It covers the following topics:
• Need for VPN and VPN deployment models
• Encryption, hashing, and digital signatures and how they provide
confidentiality, integrity, and nonrepudiation
• Methods, algorithms, and purposes of symmetric encryption
• Use and purpose of hashes and digital signatures in providing integrity
and nonrepudiation
• Use and purpose of asymmetric encryption and Public Key Infrastructure (PKI)
Contents
VPN, even though GRE does not encrypt
public network, such as the Internet, to form a virtual network instead of using a dedicated Layer 2 connection
VPN Overview
Where VPNs Are Found
There are different types of commercially deployed VPNs.
VPNs are classified according to the following criteria:
• Based on deployment mode: Site-to-site VPN and remote-access VPN
• Based on Open Systems Interconnection (OSI) layer: Layer 2 VPN
(legacy protocols such as Frame Relay or ATM, and Layer 2 MPLS VPN), Layer 3 VPN (IPsec and MPLS Layer 3 VPN), and Layer 7 VPN (SSL
VPN)
• Based on underlying technology: IPsec VPN, SSL VPN, MPLS VPN,
other Layer 2 technologies such as Frame Relay or ATM, and hybrid
VPNs combining multiple technologies
VPN Types
Cisco VPN Solutions
Site-to-Site VPNs
Remote-Access VPNs
Cryptographic services are the foundation for many security
implementations.
The key services provided by cryptography are as follows:
• Confidentiality: The assurance that no one can read a particular piece of data except the receivers explicitly intended
• Integrity or data authentication: The assurance that data has not been
altered in transit, intentionally or unintentionally
• Peer authentication: The assurance that the other entity is who he, she,
or it claims to be
• Nonrepudiation: A proof of the integrity and origin of data. The sender
can’t repudiate that he or she is the person who sent the data
• Key management: The generation, exchange, storage, safeguarding,
use, vetting, and replacement of keys
Examining Cryptographic Services
Cryptology Overview
those codes
each makes the other one better
put them to work against each other
Cryptology Overview
years ago
other courts
attempt to steal any message sent to a kingdom they considered an
adversary
The History of Cryptography
• A cipher is an algorithm for performing encryption and decryption
Ciphers
Every day has a different key, and that key is used to adjust the
alphabet accordingly
in an encoded message using F instead; a B is a G, a C is an H, and so forth
is now I, B is J, and so on
Substitution Cipher
The Vigenère Cipher
Transposition Ciphers
[Figure: transposition cipher example showing the clear text message and the resulting ciphered text: FKTTAW LNESATAKTAN AATCD]
One-Time Pad Cipher
Encryption Using One-Time Pad
Decryption Using One-Time Pad
Computer Version of a Substitution
Cipher
Algorithms can operate in two modes:
• Block mode: The algorithm can work on only fixed chunks of data
• Stream mode: The algorithm can process data bit by bit
Block ciphers transform a fixed-length block of plaintext into a block of
The following are common block ciphers:
• DES and 3DES, running in either Electronic Code Book (ECB) mode or Cipher Block Chaining (CBC) mode
• Advanced Encryption Standard (AES)
• International Data Encryption Algorithm (IDEA)
• Secure and Fast Encryption Routine (SAFER)
• Skipjack
• Blowfish
• Rivest-Shamir-Adleman (RSA)
Block Cipher
DES ECB Mode Versus DES CBC Mode
secret key to generate a pseudorandom stream of bits, which only the
secret key can generate
Common stream ciphers include the following:
• DES and 3DES, running in output feedback (OFB) or cipher feedback
(CFB) mode
• Rivest Cipher 4 (RC4)
• Software-optimized Encryption Algorithm (SEAL)
Stream Ciphers
The Process of Encryption
Encryption can provide confidentiality at an OSI layer, such as the
following:
• Encrypt application layer data, such as secure email, secure database
sessions (Oracle SQL*Net), and secure messaging (Lotus Notes
sessions)
• Encrypt session layer data, using a protocol such as SSL or Transport
Layer Security (TLS)
• Encrypt network layer data, using protocols such as those provided in
the IPsec protocol suite
• Encrypt link layer data, using proprietary link-encrypting devices
OSI Layer and Encryption
Cryptanalysis is the practice of breaking codes to obtain the meaning of
through the keyspace, which is the set of all possible keys
force
– It is estimated it would take 149 trillion years to crack an AES key using the
same method.
Brute-Force Method
– Access to the ciphertext of several messages.
– Knowledge (underlying protocol, file type, or some characteristic strings)
about the plaintext underlying that ciphertext
the correct key produces a meaningful result
attack to succeed because, on average, an attacker must search
through at least half of the keyspace to be successful
Known-Plaintext Method
– A portion of the plaintext and the corresponding ciphertext
stored
– The ciphertext is then decrypted using every key, until one of the results
matches one of the stored values.
Meet-in-the-Middle Method
observes the ciphertext output
– A chosen-plaintext attack is more powerful than a known-plaintext attack
because the chosen plaintext might yield more information about the key
to capture both the ciphertext and plaintext
Chosen-Plaintext Method
to the decrypted plaintext
– With the pair, the attacker can search through the keyspace and determine
which key decrypts the chosen ciphertext in the captured plaintext
– Like the chosen-plaintext attack, this attack is not very practical
– Again, it is difficult or impossible for the attacker to capture both the ciphertext and plaintext.
Chosen-Ciphertext Method
a cryptosystem
management, and all modern cryptographic algorithms require the
services of key management procedures
key management level rather than at the cryptographic algorithm itself
Key Management
• Key generation
• Key verification
• Key storage
• Key exchange
• Key revocation and destruction
Key Management Components
values
example, DES with its 56-bit keys has a keyspace of more than
72,000,000,000,000,000 (2^56) possible keys,
attacker needs twice the amount of time to search the keyspace
Keyspaces
function that is used to encrypt and decrypt data
public, and cryptographic keys are used to ensure the secrecy of data
The following are well-known
encryption algorithms that use
symmetric keys:
• DES: 56-bit keys
• Triple DES (3DES): 112- and
• RC6: 128-, 192-, and 256-bit keys
Symmetric Encryption Algorithms
Acceptable Key Lengths in Bits
Characteristics of Symmetric Encryption Algorithms
(3DES-EDE) to encrypt plaintext
DES and 3DES
the key used for decryption
Asymmetric Encryption Algorithms
Public key (encrypt) + Private key (decrypt) = Confidentiality
Public Key Confidentiality
algorithm for your organization:
– Trust in the algorithm by the cryptographic community
– Protection against brute-force attacks
Encryption Algorithm Selection
modern cryptosystems
Cryptographic Hashes and Digital
Signatures
HMAC Digest Creation
Data Integrity: Hashing in Action
Hashing Algorithms
Comparing Hashing Algorithms
Hashed Message Authentication Codes
HMAC in Action
Cisco products use hashing for entity-authentication, data-integrity, and
data-authenticity purposes:
• IPsec gateways and clients use hashing algorithms, such as MD5 and SHA-1
in HMAC mode, to provide packet integrity and authenticity.
• Cisco IOS routers use hashing with secret keys in an HMAC-like manner, to
add authentication information to routing protocol updates.
• Cisco software images that you can download from Cisco.com have an MD5-based checksum available so that customers can check the integrity of
downloaded images.
• Hashing can also be used in a feedback-like mode to encrypt data; for
example, TACACS+ uses MD5 to encrypt its session.
Cisco products and Hashing
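The difference between the unkeyed checksum and the HMAC uses listed above, as an added example that is not Cisco code: a party without the shared secret can recompute a plain digest for altered data, but cannot produce a valid HMAC tag. The key, the sample routing-update strings, and the function names are constructed for illustration; SHA-1 is used because the slide names it.

```python
import hashlib
import hmac


def plain_digest(data: bytes, digest: str = "sha1") -> str:
    """Unkeyed checksum: anyone who can change the data can recompute it."""
    return hashlib.new(digest, data).hexdigest()


def hmac_tag(key: bytes, data: bytes, digest: str = "sha1") -> bytes:
    """Keyed digest: only holders of the shared secret can produce it."""
    return hmac.new(key, data, digest).digest()


def verify(key: bytes, data: bytes, tag: bytes, digest: str = "sha1") -> bool:
    """Recompute the tag over the received data and compare in constant time."""
    return hmac.compare_digest(hmac_tag(key, data, digest), tag)


def tamper_demo() -> dict:
    # Constructed sample values, not taken from a real device or capture.
    key = b"constructed-shared-secret"
    update = b"route 10.1.0.0/16 via 192.0.2.1 metric 10"
    forged = b"route 10.1.0.0/16 via 192.0.2.66 metric 1"

    sent_tag = hmac_tag(key, update)

    # A party on the path replaces the payload. Without the key it can
    # still attach a fresh unkeyed checksum, but must guess the HMAC tag.
    forged_checksum = plain_digest(forged)
    guessed_tag = hmac_tag(b"wrong-guess", forged)

    return {
        "genuine_accepted": verify(key, update, sent_tag),
        # The receiver's recomputed checksum matches the attacker's one.
        "forged_checksum_still_matches": plain_digest(forged) == forged_checksum,
        "replayed_tag_rejected": not verify(key, forged, sent_tag),
        "guessed_tag_rejected": not verify(key, forged, guessed_tag),
    }


if __name__ == "__main__":
    for check, result in tamper_demo().items():
        print(f"{check}: {result}")
```

A published image checksum therefore protects only when the checksum itself is obtained over a channel the attacker cannot alter.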
security issues must be determined:
communications:
– Authenticity of digitally signed data
– Integrity of digitally signed data
– Nonrepudiation of the transaction
Overview of Digital Signatures
Digital Signatures in Action
the digest and appending that encrypted digest to the plaintext or
encrypted message to verify the identity of the sender
• The code has not been modified since it left the software publisher.
• The code is authentic and is actually sourced by the publisher.
• The publisher undeniably publishes the code. This provides nonrepudiation of the act of publishing.
Digital Signatures = Encrypted Message Digest
methods
algorithms extensively to provide a reliable and trusted method for key exchange over untrusted channels
Diffie-Hellman
Diffie-Hellman Key Exchange Algorithm
Diffie-Hellman Example
accomplish these goals
implementations, and is directly tied to the strength of the protocol itself,
as well as the strength of the keys
• Asymmetric encryption algorithms accomplish two primary objectives:
confidentiality and authentication
they use more complex mathematics
key exchange protocols and are rarely used for bulk encryption
Cryptographic Processes in VPNs
Public Key Authentication
Private key (encrypt) + Public key (decrypt) = Authentication
Step 1 Alice, using her private key, creates a digital signature and appends it to the message.
Step 2 Alice transmits the signed message to Bob.
Step 3 Bob acquires Alice’s public key.
Step 4 Bob uses Alice’s public key to verify the signature.
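The four steps above, and the "digital signature = encrypted message digest" model from the earlier slide, as an added example that is not from the original slides. It uses textbook RSA with small constructed parameters (two Mersenne primes, no padding) so it runs with the standard library only; the message text and function names are assumptions for illustration, and deployed signatures use a vetted library with full-size keys and a padding scheme.

```python
import hashlib

# Constructed toy parameters: two Mersenne primes and a common public exponent.
P = 2**61 - 1
Q = 2**89 - 1
E = 65537


def make_keypair():
    """Return ((n, e), (n, d)): Alice's public and private keys."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)  # private exponent: inverse of e modulo phi(n)
    return (n, E), (n, d)


def digest_int(message: bytes, n: int) -> int:
    """SHA-256 digest of the message as an integer, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """'Encrypt' the digest with the private key."""
    n, d = private_key
    return pow(digest_int(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """'Decrypt' the signature with the public key and compare digests."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(message, n)


def run_exchange():
    alice_public, alice_private = make_keypair()
    message = b"Transfer approved by Alice"  # constructed sample message

    signature = sign(alice_private, message)           # Step 1: Alice signs
    received_msg, received_sig = message, signature    # Step 2: sent to Bob
    bob_copy_of_key = alice_public                     # Step 3: Bob gets the key
    genuine = verify(bob_copy_of_key, received_msg, received_sig)  # Step 4

    # The same signature attached to altered data must not verify.
    altered = verify(bob_copy_of_key, b"Transfer approved by Mallory", received_sig)
    return genuine, altered


if __name__ == "__main__":
    print(run_exchange())
```

Step 3 is where PKI enters: the check only proves the sender is Alice if Bob's copy of the public key really belongs to her.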
Adleman invented the patented public-key RSA algorithm in 1977
RSA and Digital Signatures
third-party environment that uses the concept of a trusted introducer
environments
Public Key Infrastructure
Trusted Third Party Example
public-key-based technologies
needed to establish a system that enables large-scale use of public-key cryptography to provide authenticity, confidentiality, integrity, and
nonrepudiation services
• PKI: A service framework needed to support large-scale PK-based
There are five main areas of a PKI:
• CAs for key management
• PKI users, such as people, devices, servers, and so on
• Storage and protocols
• Supporting organizational framework, known as practices and user
authentication using local registration authorities (LRA)
• Supporting legal framework
Many vendors offer CA servers as a managed service or as an end-user
Certificate Authorities
PKI Topology Using a Single-Root CA
PKI Topology Using Hierarchical CAs
PKI Topology Using Cross-Certifying CAs
There are many defined PKCS standards:
• PKCS #1: RSA Cryptography Standard
• PKCS #3: Diffie-Hellman Key Agreement Standard
• PKCS #5: Password-Based Cryptography Standard
• PKCS #6: Extended-Certificate Syntax Standard
• PKCS #7: Cryptographic Message Syntax Standard
• PKCS #8: Private-Key Information Syntax Standard
• PKCS #9: Selected Attribute Types
• PKCS #10: Certification Request Syntax Standard
• PKCS #11: Cryptographic Token Interface Standard
• PKCS #12: Personal Information Exchange Syntax Standard
• PKCS #13: Elliptic Curve Cryptography Standard
• PKCS #15: Cryptographic Token Information Format Standard
PKI Standards