ccna security 012- cryptographic systems

1© 2009 Cisco Learning Institute.

11- Cryptographic Systems

Ahmed Sultan CCNA | CCNA Security | CCNP Security | JNCIA-Junos | CEH


Secure Communications

• Traffic between sites must be secure

• Measures must be taken to ensure it cannot be altered, forged, or deciphered if intercepted

MARS

Remote BranchVPN

VPN

Iron Port

Firewall

IPS

CSA

Web Server

Email Server DNS

CSACSA CSA

CSA

CSA

CSA

CSA


Authentication

• An ATM Personal Information Number (PIN) is required for authentication.

• The PIN is a shared secret between a bank account holder and the financial institution.


Integrity

• An unbroken wax seal on an envelop ensures integrity.

• The unique unbroken seal ensures no one has read the contents.


Confidentiality

• Julius Caesar would send encrypted messages to his generals in the battlefield.

• Even if intercepted, his enemies usually could not read, let alone decipher, the messages.

I O D Q N H D V W

D W W D F N D W G D Z Q


Transposition Ciphers

F...K...T...T...A...W..L.N.E.S.A.T.A.K.T.A.N..A...A...T...C...D...

Ciphered Text

3FKTTAW

LNESATAKTANAATCD

The clear text message would be encoded using a key of 3.

1FLANK EAST

ATTACK AT DAWN

Use a rail fence cipher and a key of 3.

2

The clear text message would appear as follows.

Clear Text


Substitution CiphersCaesar Cipher

Cipherered text

3IODQN HDVW

DWWDFN DW GDZQ

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z


1FLANK EAST

ATTACK AT DAWN

Shift the top scroll over by three characters (key of 3), an A becomes D, B becomes E, and so on.

2

The clear text message would be encrypted as follows using a key of 3.

Clear text


Cipher Wheel

Cipherered text

3IODQN HDVW

DWWDFN DW GDZQ


1FLANK EAST

ATTACK AT DAWN

Shifting the inner wheel by 3, then the A becomes D, B becomes E, and so on.

2

The clear text message would appear as follows using a key of 3.

Clear text


Cryptanalysis Methods

Known Ciphertext

Brute Force Attack

With a Brute Force attack, the attacker has some portion of ciphertext. The attacker attempts to unencrypt the ciphertext with all possible keys.

Successfully Unencrypted

Key found


Mat-in-the-Middle Attack

With a Man-in-the-Middle attack, the attacker has some portion of text in both plaintext and ciphertext. The attacker attempts to unencrypt the ciphertext with all possible keys while at the same time encrypt the plaintext with another set of possible keys until one match is found.

Known Ciphertext Known PlaintextUse every possible decryption key until a result is found matching the corresponding plaintext.

Use every possible encryption key until a result is found matching the corresponding ciphertext.

MATCH of Ciphertext!

Key found


Defining Cryptology

Cryptography

Cryptology

+

Cryptanalysis


Cryptanalysis


Cryptographic Hashes, Protocols,and Algorithm Examples

IntegrityIntegrity AuthenticationAuthentication ConfidentialityConfidentiality

MD5SHA

HMAC-MD5HMAC-SHA-1RSA and DSA

DES3DESAESSEAL

RC (RC2, RC4, RC5, and RC6)

HASH HASH w/Key

Encryption


Hashing Basics

• Hashes are used for integrity assurance.

• Hashes are based on one-way functions.

• The hash function hashes arbitrary data into a fixed-length digest known as the hash value, message digest, digest, or fingerprint.

Data of ArbitraryLength

Fixed-LengthHash Value e883aa0b24c09f


Hashing Properties

XWhy is x not inParens?

h e883aa0b24c09f

H

(H)Why is H inParens?

= (x)h

Hash Value

Hash Function

Arbitrary length text


Hashing in Action

• Vulnerable to man-in-the-middle attacks- Hashing does not provide security to transmission.

• Well-known hash functions- MD5 with 128-bit hashes- SHA-1 with 160-bit hashes

Pay to Terry Smith $100.00

One Hundred and xx/100 Dollars

Pay to Alex Jones $1000.00

One Thousand and xx/100 Dollars

4ehIDx67NMop9 12ehqPx67NMoX

Match = No changesNo match = Alterations

Internet

I would like to cash this check.


MD5

• MD5 is a ubiquitous hashing algorithm

• Hashing properties

- One-way function—easy to compute hash and infeasible to compute data given a hash

- Complex sequence of simple binary operations (XORs, rotations, etc.) which finally produces a 128-bit hash.

MD5


SHA

• SHA is similar in design to the MD4 and MD5 family of hash functions

- Takes an input message of no more than 264 bits

- Produces a 160-bit message digest

• The algorithm is slightly slower than MD5.

• SHA-1 is a revision that corrected an unpublished flaw in the original SHA.

• SHA-224, SHA-256, SHA-384, and SHA-512 are newer and more secure versions of SHA and are collectively known as SHA-2.

SHA


Hashing Example

In this example the clear text entered is displaying hashed results using MD5, SHA-1, and SHA256. Notice the difference in key lengths between the various algorithm. The longer the key, the more secure the hash function.


Features of HMAC

• Uses an additional secret key as input to the hash function

• The secret key is known to the sender and receiver

- Adds authentication to integrity assurance

- Defeats man-in-the-middle attacks

• Based on existing hash functions, such as MD5 and SHA-1.

The same procedure is used for generation and verification of secure fingerprints

Fixed Length Authenticated Hash Value

+ Secret Key

Data of ArbitraryLength

e883aa0b24c09f


HMAC Example

Data

HMAC(Authenticated

Fingerprint)

SecretKey



4ehIDx67NMop9



4ehIDx67NMop9

Received Data

HMAC(Authenticated

Fingerprint)

Secret Key

4ehIDx67NMop9



If the generated HMAC matches the sent HMAC, then integrity and authenticity have been verified.

If they don’t match, discard the message.


Using Hashing

• Routers use hashing with secret keys

• IPSec gateways and clients use hashing algorithms

• Software images downloaded from the website have checksums

• Sessions can be encrypted

Fixed-Length Hash Value

e883aa0b24c09f

Data Integrity

Entity Authentication

Data Authenticity


Keyspace

DES Key Keyspace # of Possible Keys

56-bit256

11111111 11111111 11111111

11111111 11111111 11111111 11111111

72,000,000,000,000,000

57-bit

257

11111111 11111111 11111111

11111111 11111111 11111111 11111111 1

144,000,000,000,000,000

58-bit258

11111111 11111111 11111111

11111111 11111111 11111111 11111111 11

288,000,000,000,000,000

59-bit

259

11111111 11111111 11111111

11111111 11111111 11111111 11111111 111

576,000,000,000,000,000

60-bit260

11111111 11111111 11111111

11111111 11111111 11111111 11111111 1111

1,152,000,000,000,000,000For each bit added to the DES key, the attacker would require twice the amount of time to search the keyspace.

Longer keys are more secure but are also more resource intensive and can affect throughput.

With 60-bit DES an attacker would

require sixteen more time than

56-bit DES

Twice asmuch time

Four time asmuch time


Types of Keys

2242242432112Protection up to 20 years



HashDigital Signature

Asymmetric Key

Symmetric Key


51251215424256Protection against quantum computers

Calculations are based on the fact that computing power will continue to grow at its present rate and the ability to perform brute-force attacks will grow at the same rate.

Note the comparatively short symmetric key lengths illustrating that symmetric algorithms are the strongest type of algorithm.


Shorter keys = faster processing, but less secure

Longer keys = slower processing, but more secure

Key Properties


Symmetric Encryption

• Best known as shared-secret key algorithms

• The usual key length is 80 - 256 bits

• A sender and receiver must share a secret key

• Faster processing because they use simple mathematical operations.

• Examples include DES, 3DES, AES, IDEA, RC2/4/5/6, and Blowfish.

Key Key

Encrypt Decrypt$1000 $1000$!@#IQ

Pre-shared key


Symmetric Algorithms

Symmetric Encryption Algorithm

Key length(in bits)

Description

DES 56

Designed at IBM during the 1970s and was the NIST standard until 1997.Although considered outdated, DES remains widely in use. Designed to be implemented only in hardware, and is therefore extremely slow in software.

3DES 112 and 168

Based on using DES three times which means that the input data is encrypted three times and therefore considered much stronger than DES.However, it is rather slow compared to some new block ciphers such as AES.

AES 128, 192, and 256Fast in both software and hardware, is relatively easy to implement, and requires little memory. As a new encryption standard, it is currently being deployed on a large scale.

Software Encryption

Algorithm (SEAL)160

SEAL is an alternative algorithm to DES, 3DES, and AES. It uses a 160-bit encryption key and has a lower impact to the CPU when compared to other software-based algorithms.

The RC series

RC2 (40 and 64)RC4 (1 to 256)

RC5 (0 to 2040)RC6 (128, 192,

and 256)

A set of symmetric-key encryption algorithms invented by Ron Rivest. RC1 was never published and RC3 was broken before ever being used. RC4 is the world's most widely used stream cipher. RC6, a 128-bit block cipher based heavily on RC5, was an AES finalist

developed in 1997.


Asymmetric Encryption

• Also known as public key algorithms

• The usual key length is 512–4096 bits

• A sender and receiver do not share a secret key

• Relatively slow because they are based on difficult computational algorithms

• Examples include RSA, ElGamal and DH.

Encryption Key Decryption Key

Encrypt Decrypt$1000 $1000%3f7&4

Two separate keys which are

not shared


How Asymmetric Encryption works ?

Computer A

B Private Key

Can I get your Public Key please?

Here is my Public Key.

Computer B Public Key

Computer A Public Key

Computer B

Computer A acquires Computer B’s public key

Computer A uses Computer B’spublic key to encrypt a messageusing an agreed-upon algorithm

Computer A transmits The encrypted messageto Computer B

Computer B uses its private key todecrypt and reveal the message

A Private Key


Asymmetric Key Algorithms

Key length

(in bits)Description

DH512, 1024,

2048

Invented in 1976 by Whitfield Diffie and Martin Hellman. Two parties to agree on a key that they can use to encrypt messages The assumption is that it is easy to raise a number to a certain power, but difficult to compute which power was used given the number and the outcome.

Digital Signature Standard (DSS) and

Digital Signature Algorithm (DSA)

512 - 1024Created by NIST and specifies DSA as the algorithm for digital signatures. A public key algorithm based on the ElGamal signature scheme.Signature creation speed is similar with RSA, but is slower for verification.

RSA encryption algorithms

512 to 2048

Developed by Ron Rivest, Adi Shamir, and Leonard Adleman at MIT in 1977Based on the current difficulty of factoring very large numbersSuitable for signing as well as encryption Widely used in electronic commerce protocols

EIGamal 512 - 1024

Based on the Diffie-Hellman key agreement. Described by Taher Elgamal in 1984and is used in GNU Privacy Guard software, PGP, and other cryptosystems. The encrypted message becomes about twice the size of the original message and for this reason it is only used for small messages such as secret keys


Digital Signatures

• The signature is authentic and not forgeable: The signature is proof that the signer, and no one else, signed the document.

• The signature is not reusable: The signature is a part of the document and cannot be moved to a different document.

• The signature is unalterable: After a document is signed, it cannot be altered.

• The signature cannot be repudiated: For legal purposes, the signature and the document are considered to be physical things. The signer cannot claim later that they did not sign it.

ccna security 012- cryptographic systems

Education