CCNA Security Chapter Seven Cryptographic Systems
Lesson Planning
• This lesson should take 3-4 hours to present.
• The lesson should include lecture, demonstrations, discussions and assessments.
• The lesson can be taught in person or using remote instruction.
Major Concepts
• Describe how the types of encryption, hashes, and digital signatures work together to provide confidentiality, integrity, and authentication.
• Describe the mechanisms used to ensure data integrity and authentication.
• Describe the mechanisms used to ensure data confidentiality.
• Describe the mechanisms used to ensure data confidentiality and authentication using a public key.
Lesson Objectives
Upon completion of this lesson, the successful participant will be able to:
• Describe the requirements of secure communications, including integrity, authentication, and confidentiality
• Describe cryptography and provide an example
• Describe cryptanalysis and provide an example
• Describe the importance and functions of cryptographic hashes
• Describe the features and functions of the MD5 algorithm and of the SHA-1 algorithm
• Explain how we can ensure authenticity using HMAC
• Describe the components of key management
• Describe how encryption algorithms provide confidentiality
• Describe the function of the DES algorithms
• Describe the function of the 3DES algorithm
• Describe the function of the AES algorithm
• Describe the function of the Software-Optimized Encryption Algorithm (SEAL) and the Rivest ciphers (RC) algorithm
• Describe the function of the DH algorithm and its supporting role to DES, 3DES, and AES
• Explain the differences and their intended applications
• Explain the functionality of digital signatures
• Describe the function of the RSA algorithm
• Describe the principles behind a public key infrastructure (PKI)
• Describe the various PKI standards
• Describe the role of CAs and the digital certificates that they issue in a PKI
• Describe the characteristics of digital certificates and CAs
Secure Communications
• Traffic between sites must be secure.
• Measures must be taken to ensure it cannot be altered, forged, or deciphered if intercepted.
[Diagram: a headquarters site and a remote branch connected by VPN, with CSA-protected hosts, MARS, a firewall, an IPS, an IronPort appliance, and web, email, and DNS servers]
Authentication
• An ATM Personal Identification Number (PIN) is required for authentication.
• The PIN is a shared secret between a bank account holder and the financial institution.
Integrity
• An unbroken wax seal on an envelope ensures integrity.
• The unique unbroken seal ensures no one has read the contents.
Confidentiality
• Julius Caesar would send encrypted messages to his generals in the battlefield.
• Even if intercepted, his enemies usually could not read, let alone decipher, the messages.
Example ciphertext: I O D Q N H D V W D W W D F N D W G D Z Q
History
• Scytale (700 BC)
• Vigenère table
• German Enigma machine
• Jefferson encryption device
Transposition Ciphers
1. The clear text message would be encoded using a key of 3.
   Clear text: FLANK EAST ATTACK AT DAWN
2. Use a rail fence cipher and a key of 3.
   F...K...T...T...A...W.
   .L.N.E.S.A.T.A.K.T.A.N
   ..A...A...T...C...D...
3. The clear text message would appear as follows.
   Ciphered text: FKTTAW LNESATAKTAN AATCD
Substitution Ciphers: Caesar Cipher
1. The clear text message would be encoded using a key of 3.
   Clear text: FLANK EAST ATTACK AT DAWN
2. Shift the top scroll over by three characters (key of 3): an A becomes D, B becomes E, and so on.
   Plain:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
   Cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
3. The clear text message would be encrypted as follows using a key of 3.
   Ciphered text: IODQN HDVW DWWDFN DW GDZQ
Cipher Wheel
1. The clear text message would be encoded using a key of 3.
   Clear text: FLANK EAST ATTACK AT DAWN
2. Shifting the inner wheel by 3, an A becomes D, B becomes E, and so on.
3. The clear text message would appear as follows using a key of 3.
   Ciphered text: IODQN HDVW DWWDFN DW GDZQ
Stream Ciphers
• Invented by the Norwegian Army Signal Corps in 1950, the ETCRRM machine uses the Vernam stream cipher method.
• It was used by the US and Russian governments to exchange information.
• The plain text message is exclusive-ORed (XORed) with a key tape containing a random stream of data of the same length to generate the ciphertext.
• Once a message was enciphered, the key tape was destroyed.
• At the receiving end, the process was reversed using an identical key tape to decode the message.
Defining Cryptanalysis
"Allies decipher secret NAZI encryption code!"
Cryptanalysis is from the Greek words kryptós (hidden) and analýein (to loosen or to untie). It is the practice and the study of determining the meaning of encrypted information (cracking the code) without access to the shared secret key.
Cryptanalysis Methods: Brute Force Attack
[Diagram: known ciphertext → successfully unencrypted → key found]
With a brute force attack, the attacker has some portion of ciphertext. The attacker attempts to unencrypt the ciphertext with all possible keys.
Meet-in-the-Middle Attack
[Diagram: from the known ciphertext, use every possible decryption key until a result is found matching the corresponding plaintext; from the known plaintext, use every possible encryption key until a result is found matching the corresponding ciphertext; a match of ciphertext means the key is found]
With a meet-in-the-middle attack, the attacker has some portion of text in both plaintext and ciphertext. The attacker attempts to unencrypt the ciphertext with all possible keys while at the same time encrypting the plaintext with another set of possible keys until one match is found.
Choosing a Cryptanalysis Method
The graph outlines the frequency of letters in the English language. For example, the letters E, T and A are the most common.
1. There are 6 occurrences of the cipher letter D and 4 occurrences of the cipher letter W. Replace the cipher letter D first with the most common clear text letters: E, then T, and finally A. Trying A would reveal the shift pattern of 3.
2. Ciphered text: IODQN HDVW DWWDFN DW GDZQ
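To make the Caesar cipher and frequency-analysis slides concrete, here is an added Python example (not part of the course material) that encrypts FLANK EAST ATTACK AT DAWN with a key of 3, counts the cipher letters, and lists the candidate shifts obtained by pairing the most frequent cipher letter with E, then T, then A; the function names are my own.

```python
from collections import Counter
import string

ALPHABET = string.ascii_uppercase
# The slide's message and its ciphertext under a key of 3
CLEAR_TEXT = "FLANK EAST ATTACK AT DAWN"
CIPHER_TEXT = "IODQN HDVW DWWDFN DW GDZQ"

def caesar(text, key):
    # Shift each letter `key` places down the alphabet (a negative key shifts back); spaces pass through
    return "".join(ALPHABET[(ALPHABET.index(ch) + key) % 26] if ch in ALPHABET else ch
                   for ch in text.upper())

def letter_counts(ciphertext):
    # Frequency table of the cipher letters, the starting point of the analysis on the slide
    return Counter(ch for ch in ciphertext.upper() if ch in ALPHABET)

def candidate_shifts(ciphertext, common_letters="ETA"):
    # Pair the most frequent cipher letter with E, then T, then A; each pairing implies one shift
    top = letter_counts(ciphertext).most_common(1)[0][0]
    return [(ALPHABET.index(top) - ALPHABET.index(p)) % 26 for p in common_letters]

def trial_decryptions(ciphertext):
    # Undo each candidate shift; only one of the results reads as English
    return [(shift, caesar(ciphertext, -shift)) for shift in candidate_shifts(ciphertext)]

if __name__ == "__main__":
    print(letter_counts(CIPHER_TEXT).most_common(3))
    for shift, text in trial_decryptions(CIPHER_TEXT):
        print(shift, text)
```

With D as the most frequent cipher letter, the E and T pairings give shifts of 25 and 10 (unreadable output), and the A pairing gives the shift of 3 that recovers the clear text.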
Defining Cryptology
Cryptology = Cryptography + Cryptanalysis
Cryptographic Hashes, Protocols, and Algorithm Examples
[Diagram: hash, hash with key, NIST, Rivest, encryption]
Hashing Basics
• Hashes are used for integrity assurance.
• Hashes are based on one-way functions.
• The hash function hashes arbitrary data into a fixed-length digest known as the hash value, message digest, digest, or fingerprint.
[Diagram: data of arbitrary length → fixed-length hash value, e.g. e883aa0b24c09f]
Hashing Properties
H(x) = h, where x is text of arbitrary length, H is the hash function, and h is the fixed-length hash value (e.g. e883aa0b24c09f).
Hashing in Action
[Diagram: "I would like to cash this check." A check reading "Pay to Terry Smith $100.00 One Hundred and xx/100 Dollars" and an altered one reading "Pay to Alex Jones $1000.00 One Thousand and xx/100 Dollars" are sent over the Internet with their hash values, 4ehIDx67NMop9 and 12ehqPx67NMoX. Match = no changes; no match = alterations.]
• Vulnerable to man-in-the-middle attacks
• Hashing does not provide security to transmission.
• Well-known hash functions:
  • MD5 with 128-bit hashes
  • SHA-1 with 160-bit hashes
MD5
• MD5 is a ubiquitous hashing algorithm.
• Hashing properties: one-way function, easy to compute the hash and infeasible to compute the data given a hash.
• Complex sequence of simple binary operations (XORs, rotations, etc.) which finally produces a 128-bit hash.
SHA
• SHA is similar in design to the MD4 and MD5 family of hash functions.
• Takes an input message of no more than 2^64 bits.
• Produces a 160-bit message digest.
• The algorithm is slightly slower than MD5.
• SHA-1 is a revision that corrected an unpublished flaw in the original SHA.
• SHA-224, SHA-256, SHA-384, and SHA-512 are newer and more secure versions of SHA and are collectively known as SHA-2.
Hashing Example
In this example the clear text entered is displayed with its hashed results using MD5, SHA-1, and SHA-256. Notice the difference in digest lengths between the algorithms. The longer the digest, the more secure the hash function.
Features of HMAC
• Uses an additional secret key as input to the hash function
• The secret key is known to the sender and receiver
• Adds authentication to integrity assurance
• Defeats man-in-the-middle attacks
• Based on existing hash functions, such as MD5 and SHA-1
[Diagram: data of arbitrary length + secret key → fixed-length authenticated hash value, e.g. e883aa0b24c09f]
The same procedure is used for generation and verification of secure fingerprints.
HMAC Example
[Diagram: the sender computes HMAC(data "Pay to Terry Smith $100.00 One Hundred and xx/100 Dollars", secret key) = 4ehIDx67NMop9 and sends the data together with this authenticated fingerprint; the receiver computes HMAC(received data, secret key) and compares it with the fingerprint received]
If the generated HMAC matches the sent HMAC, then integrity and authenticity have been verified. If they don't match, discard the message.
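An added example (my code, not the course's) that reproduces the Hashing in Action and HMAC Example slides: the altered-check scenario checked with a plain SHA-256 hash, then the same scenario checked with an HMAC; the check text and the secret key are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample: the check on the slide and the altered check from the earlier example
CHECK = b"Pay to Terry Smith $100.00 One Hundred and xx/100 Dollars"
ALTERED = b"Pay to Alex Jones $1000.00 One Thousand and xx/100 Dollars"
SECRET = b"constructed-shared-secret"  # known only to sender and receiver

def digest_bits(data):
    # Output sizes of the algorithms named on the slides
    return {name: hashlib.new(name, data).digest_size * 8 for name in ("md5", "sha1", "sha256")}

def plain_fingerprint(data):
    return hashlib.sha256(data).hexdigest()

def plain_verify(data, fingerprint):
    # Integrity only: anyone, including an intermediary on the path, can recompute this
    return plain_fingerprint(data) == fingerprint

def hmac_fingerprint(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def hmac_verify(key, data, fingerprint):
    # Same procedure as generation, with a constant-time comparison of the result
    return hmac.compare_digest(hmac_fingerprint(key, data), fingerprint)

def intermediary_detected():
    # An intermediary swaps in ALTERED. With a plain hash it recomputes the fingerprint and the
    # receiver accepts the message; with an HMAC it lacks SECRET, so the best it can do is
    # forward the fingerprint that belonged to the original check, which the receiver rejects.
    plain_accepted = plain_verify(ALTERED, plain_fingerprint(ALTERED))
    hmac_accepted = hmac_verify(SECRET, ALTERED, hmac_fingerprint(SECRET, CHECK))
    return {"plain_hash_detects": not plain_accepted, "hmac_detects": not hmac_accepted}
```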
Using Hashing
• Routers use hashing with secret keys.
• IPsec gateways and clients use hashing algorithms.
• Software images downloaded from the website have checksums.
• Sessions can be encrypted.
[Diagram: a fixed-length hash value, e.g. e883aa0b24c09f, providing data authenticity, data integrity, and entity authentication]
Key Management
Components of key management: key generation, key verification, key storage, key exchange, and key revocation and destruction.
Keyspace
• For each bit added to the DES key, the attacker would require twice the amount of time to search the keyspace (one extra bit: twice as much time; two extra bits: four times as much time). With 60-bit DES an attacker would require sixteen times as much time as with 56-bit DES.
• Longer keys are more secure but are also more resource intensive and can affect throughput.
Types of Keys
Key lengths in bits:
Protection period                      Symmetric Key   Asymmetric Key   Digital Signature   Hash
Protection up to 3 years               80              1248             160                 160
Protection up to 10 years              96              1776             192                 192
Protection up to 20 years              112             2432             224                 224
Protection up to 30 years              128             3248             256                 256
Protection against quantum computers   256             15424            512                 512
• Calculations are based on the assumption that computing power will continue to grow at its present rate and the ability to perform brute-force attacks will grow at the same rate.
• Note the comparatively short symmetric key lengths, illustrating that symmetric algorithms are the strongest type of algorithm.
Key Properties
• Shorter keys = faster processing, but less secure
• Longer keys = slower processing, but more secure
Confidentiality and the OSI Model
• For Data Link Layer confidentiality, use proprietary link-encrypting devices.
• For Network Layer confidentiality, use secure Network Layer protocols such as the IPsec protocol suite.
• For Session Layer confidentiality, use protocols such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS).
• For Application Layer confidentiality, use secure e-mail, secure database sessions (Oracle SQL*Net), and secure messaging (Lotus Notes sessions).
Symmetric Encryption
[Diagram: one pre-shared key is used both to encrypt ($1000 → $!@#IQ) and to decrypt ($!@#IQ → $1000)]
• Best known as shared-secret key algorithms
• The usual key length is 80-256 bits
• A sender and receiver must share a secret key
• Faster processing because they use simple mathematical operations
• Examples include DES, 3DES, AES, IDEA, RC2/4/5/6, and Blowfish
Symmetric Encryption and XOR
• The XOR operator results in a 1 when the value of either the first bit or the second bit (but not both) is 1.
• The XOR operator results in a 0 when neither or both of the bits is 1.
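Added example, not from the course: the XOR truth table from this slide, a Vernam-style XOR of a message with a same-length key tape as described on the Stream Ciphers slide, and a check of why the tape must be destroyed after one use (with the same tape, the key cancels out of the XOR of two ciphertexts). os.urandom stands in for the random key tape; the function names are my own.

```python
import os

def xor_bytes(a, b):
    # Bitwise XOR: a result bit is 1 only when exactly one of the two input bits is 1
    return bytes(x ^ y for x, y in zip(a, b))

def xor_truth_table():
    # The four cases from the slide, as (first bit, second bit, first XOR second)
    return [(p, q, p ^ q) for p in (0, 1) for q in (0, 1)]

def key_tape(length):
    # Random stream as long as the message (os.urandom stands in for the ETCRRM key tape)
    return os.urandom(length)

def vernam(message, tape):
    # Encryption and decryption are the same XOR, because (m XOR k) XOR k == m
    if len(tape) < len(message):
        raise ValueError("key tape must be at least as long as the message")
    return xor_bytes(message, tape[:len(message)])

def reuse_cancels_key(m1, m2, tape):
    # Why the tape is destroyed after one message: two ciphertexts under the same tape XOR
    # to the XOR of the two plaintexts, with no key material left in the result
    return xor_bytes(vernam(m1, tape), vernam(m2, tape)) == xor_bytes(m1, m2)
```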
Asymmetric Encryption
[Diagram: two separate keys which are not shared; the encryption key encrypts $1000 → %3f7&4 and the decryption key decrypts %3f7&4 → $1000]
• Also known as public key algorithms
• The usual key length is 512–4096 bits
• A sender and receiver do not share a secret key
• Relatively slow because they are based on difficult computational algorithms
• Examples include RSA, ElGamal, elliptic curves, and DH
Asymmetric Example: Diffie-Hellman
Get out your calculators?
Symmetric Encryption Techniques
• Block cipher: encryption is completed in 64-bit blocks.
• Stream cipher: encryption is one bit at a time.
[Diagram: a message split into 64-bit blocks, each producing an encrypted 64-bit block, versus a continuous bit stream producing an encrypted bit stream]
Block Cipher Modes
[Diagram: a message of five 64-bit blocks encrypted with DES in ECB mode, each block independently, and in CBC mode, where an initialization vector feeds into the first block and each encrypted block feeds into the encryption of the next]
DES Considerations
• Change keys frequently to help prevent brute-force attacks.
• Use a secure channel to communicate the DES key from the sender to the receiver.
• Consider using DES in CBC mode. With CBC, the encryption of each 64-bit block depends on previous blocks.
• Test a key to see if it is a weak key before using it.
3DES Encryption Steps
1. The clear text from Alice is encrypted using Key 1. That ciphertext is decrypted using a different key, Key 2. Finally, that ciphertext is encrypted using another key, Key 3.
2. When the 3DES ciphered text is received, the process is reversed. That is, the ciphered text must first be decrypted using Key 3, encrypted using Key 2, and finally decrypted using Key 1.
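An added example (not the course's code and not a DES implementation) covering both the Block Cipher Modes slide and the 3DES steps above. DES is not in the Python standard library, so a small hash-based Feistel network of my own stands in as the 64-bit block cipher; ECB, CBC chaining and the 3DES encrypt-decrypt-encrypt sequence are built on it as the slides describe, with a constructed five-block message whose first and fourth blocks are identical.

```python
import hashlib
BLOCK = 8  # 64-bit block, the DES block size

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round_fn(half, key, rnd):
    # Round function of the stand-in cipher: keyed SHA-256 truncated to the 32-bit half width
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def _feistel(key, block, rounds):
    # Feistel network; decryption is the same network with the round order reversed
    left, right = block[:4], block[4:]
    for i in rounds:
        left, right = right, _xor(left, _round_fn(right, key, i))
    return right + left

def encrypt_block(key, block):
    return _feistel(key, block, range(8))

def decrypt_block(key, block):
    return _feistel(key, block, reversed(range(8)))

def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, msg):
    # ECB: blocks are encrypted independently, so equal plaintext blocks give equal ciphertext blocks
    return b"".join(encrypt_block(key, b) for b in _blocks(msg))

def cbc_encrypt(key, iv, msg):
    # CBC: each block is XORed with the previous ciphertext block (the IV for the first) before encryption
    out, prev = [], iv
    for b in _blocks(msg):
        prev = encrypt_block(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)

def tdes_encrypt_block(k1, k2, k3, block):
    # 3DES EDE: encrypt with Key 1, decrypt with Key 2, encrypt with Key 3
    return encrypt_block(k3, decrypt_block(k2, encrypt_block(k1, block)))

def tdes_decrypt_block(k1, k2, k3, block):
    # Reverse order on receipt: decrypt with Key 3, encrypt with Key 2, decrypt with Key 1
    return decrypt_block(k1, encrypt_block(k2, decrypt_block(k3, block)))

# Constructed message of five 64-bit blocks; blocks 1 and 4 are identical
MESSAGE = b"$1000.00" b"PAY TO: " b"T SMITH " b"$1000.00" b"SIGNED: "
K1, K2, K3, IV = b"key-one!", b"key-two!", b"key-3!!!", bytes(range(BLOCK))
```

Comparing ecb_encrypt and cbc_encrypt on MESSAGE shows the repeated block reappearing as a repeated ciphertext block under ECB but not under CBC; using the same key three times in tdes_encrypt_block collapses the EDE sequence to a single encryption.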