Show Airs:
January 20, 2009 - 8:00 am Pacific, 15:00 GMT
Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential INTRO v2.1—5-1
CCNA Security TV -
Site-to-Site VPNs: Cryptography Basics
Agenda
Ask a Question (Click the Hand Icon)
User ID
Question for ??? Or Subject
Don’t forget to fill out our Survey
Download Slide Deck
Need Help – Problems with Video/Audio or Slides
Click on red life saver icon
Site-to-Site VPNs:
Cryptography Basics
John Rupf
© 2008 Cisco Systems, Inc. All rights reserved. IINS v1.0—4-9
Outline
• Examining Encryption
• Cryptographic Hashes
• Digital Signatures
Examining Cryptographic
Services
Cryptology Overview
Substitution Cipher
Substitution ciphers substitute one character for another,
such as a=d, b=e, c=f, and so on to z=c.
– Julius Caesar used a substitution cipher that is now called
the Caesar cipher.
– Substitution ciphers are vulnerable to frequency analysis
because they retain the basic organization of the
message.
Polyalphabetic ciphers are a more complex substitution
cipher.
– They counter the early frequency analysis vulnerability.
– They are still vulnerable to frequency analysis if the point
where the substitution repeats itself can be discovered.
Vigenère Cipher
Key: CISCOC
Plaintext: ATTACK → Ciphertext: CBLCQM
(attack encrypted with the key CISCO)
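The two slides above, worked through as an added example (not part of the original deck): it reproduces the a=d Caesar shift and the ATTACK/CISCO result, then shows what "retain the basic organization of the message" means in terms of letter counts. The function names and the longer sample message are constructed for illustration.

```python
from collections import Counter
from string import ascii_uppercase as ALPHA

def vigenere(text, key, decrypt=False):
    """Shift each letter by the matching key letter; the key repeats.
    Input is letters A-Z only (no spaces or punctuation)."""
    sign = -1 if decrypt else 1
    out = []
    for i, ch in enumerate(text.upper()):
        shift = ALPHA.index(key[i % len(key)].upper())
        out.append(ALPHA[(ALPHA.index(ch) + sign * shift) % 26])
    return "".join(out)

def caesar(text, shift=3):
    """Caesar cipher is Vigenère with a one-letter key (a=d when shift is 3)."""
    return vigenere(text, ALPHA[shift])

def profile(text):
    """Sorted letter counts: the shape that frequency analysis works from."""
    return sorted(Counter(text).values())

def columns_keep_profile(plaintext, key):
    """True if every key-position column of the ciphertext has the same
    frequency profile as the matching plaintext column."""
    ct = vigenere(plaintext, key)
    n = len(key)
    return all(profile(ct[i::n]) == profile(plaintext[i::n]) for i in range(n))

# Constructed sample message, longer than the key so that the key repeats.
MESSAGE = "ATTACKATDAWNATTACKATDUSKATTACKATNOON"

if __name__ == "__main__":
    print(caesar("ATTACK"))                      # single substitution
    print(vigenere("ATTACK", "CISCO"))           # the slide's example
    print(profile("ATTACK"), profile(caesar("ATTACK")))
    print(profile(vigenere("ATTACK", "CISCO")))  # flattened by the key
    print(columns_keep_profile(MESSAGE, "CISCO"))
```

The whole-message counts change under the polyalphabetic key, but each column taken at the key's repeat interval is still a plain Caesar shift, which is why knowing where the substitution repeats brings frequency analysis back.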
Transposition
attack → takatc
(attack transposed to takatc)
Vernam Ciphers and One-Time Pads
Vernam ciphers XOR the plaintext with a key that is as long as the message.
If the key is random and is used only once, it is a one-time pad.
One-time pads are the only cipher that can be proved to be
secure and unbreakable, as long as the key is used only once.
One-time pads are awkward to use.
– Creation of random data, in order to create the one-time pads,
is complicated.
– Key distribution is difficult because one copy is distributed to
the sender, the other copy retained by the receiver.
Because of these difficulties, true one-time pads are usually
limited to super secret communications.
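An added example (not part of the original deck) of the Vernam operation and of why the "used only once" condition matters: each party's pad copy hands out key bytes once, and the last function shows that two ciphertexts made with the same key cancel the key out. The class, function names and sample messages are constructed for illustration.

```python
import secrets

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Vernam operation: XOR byte for byte; the key must match the length."""
    if len(key) != len(data):
        raise ValueError("key must be exactly as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))

class Pad:
    """One party's copy of the pad; every key byte is handed out once only."""
    def __init__(self, material: bytes):
        self._material = material
        self._used = 0

    def next_key(self, length: int) -> bytes:
        if self._used + length > len(self._material):
            raise RuntimeError("pad exhausted: refusing to reuse key bytes")
        key = self._material[self._used:self._used + length]
        self._used += length
        return key

def make_pad_pair(size: int):
    """Generate random pad material; return the sender's and receiver's copies."""
    material = secrets.token_bytes(size)
    return Pad(material), Pad(material)

def reuse_residue(p1: bytes, p2: bytes, key: bytes) -> bytes:
    """XOR of two ciphertexts made with the SAME key: the key cancels out."""
    return xor_bytes(xor_bytes(p1, key), xor_bytes(p2, key))

# Constructed sample messages of equal length (14 bytes each).
MSG1 = b"ATTACK AT DAWN"
MSG2 = b"RETREAT AT SIX"

def demo():
    """Two messages sent with fresh key bytes each; receiver stays in step."""
    sender, receiver = make_pad_pair(len(MSG1) + len(MSG2))
    c1 = xor_bytes(MSG1, sender.next_key(len(MSG1)))
    c2 = xor_bytes(MSG2, sender.next_key(len(MSG2)))
    d1 = xor_bytes(c1, receiver.next_key(len(c1)))
    d2 = xor_bytes(c2, receiver.next_key(len(c2)))
    return d1, d2

if __name__ == "__main__":
    print(demo())
    key = secrets.token_bytes(len(MSG1))
    print(reuse_residue(MSG1, MSG2, key) == xor_bytes(MSG1, MSG2))
```

When a key is reused, the XOR of the two ciphertexts equals the XOR of the two plaintexts with no key material left in it, so the proof of security no longer applies.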
Transforming Plaintext into Ciphertext
[Figure: plaintext ("Cisco IOS Software 12.4 Features") → Encryption Algorithm → ciphertext ("8vyaleh31&dk tu.dtrw8743$ Fie*nP093h") → Decryption Algorithm → plaintext ("Cisco IOS Software 12.4 Features")]
Cryptanalysis
Examples of cryptographic
attacks are:
Brute-force
Ciphertext-only
Known-plaintext
Chosen-plaintext
Chosen-ciphertext
Birthday attack
Meet-in-the-middle
Encryption Algorithm Features
Desirable features:
Resistance to known cryptanalytic attacks
Variable (long) key lengths and scalability
Avalanche effect—small changes in plaintext cause substantial
changes in ciphertext
No export or import restrictions
Encryption Keys
Symmetric Encryption Algorithms
[Figure: symmetric encryption. The same key is used to encrypt and to decrypt: $1000 → Encrypt → $!@#IQ → Decrypt → $1000]
DES
DES Modes
DES ECB vs. CBC Mode
[Figure: ECB and CBC panels. Each panel shows a message of five 64-bit blocks processed by five DES operations; the CBC panel also has an initialization vector.]
DES Usage Guidelines
Asymmetric Encryption Algorithms
[Figure: asymmetric encryption. An encryption key and a separate decryption key: $1000 → Encrypt → %3f7&4 → Decrypt → $1000]
Asymmetric Confidentiality Process
Alice Bob
Public Key Authentication Scenario
Asymmetric Authentication Process
Alice Bob
The DH Algorithm
The DH Key Exchange Algorithm
Peer A Peer B
Choosing an Encryption Algorithm
Overview of Cryptographic Hashes
What is a Hash Function?
Hashing in Action
Vulnerable to eavesdroppers:
– Hashing does not provide security to transmission.
Well known hash functions:
– MD5 with 128-bit hashes
– SHA-1 with 160-bit hashes
[Figure: "I would like to cash this check." Two versions of a check are shown with the Internet between them: "Pay to Terry Smith $100.00, One Hundred and xx/100 Dollars" and "Pay to Alex Jones $1000.00, One Thousand and xx/100 Dollars". Their hash values differ: 4ehIDx67NMop9 vs. 12ehqPx67NMoX.]
Match = No changes
No match = Alterations
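An added example (not part of the original deck) of the check comparison above, using constructed byte strings for the two checks. It goes one step beyond the slide: an unkeyed hash detects a change only when the hash itself arrives intact, so the last two cases use HMAC with a shared key, which is an assumption introduced here and not something the slide covers.

```python
import hashlib
import hmac

# Constructed sample data based on the two checks shown on the slide.
ORIGINAL = b"Pay to Terry Smith $100.00 One Hundred and xx/100 Dollars"
ALTERED = b"Pay to Alex Jones $1000.00 One Thousand and xx/100 Dollars"
SHARED_KEY = b"constructed-demo-key"  # assumption: agreed out of band

def digest(message, algorithm="sha1"):
    """Unkeyed hash: anyone who holds the message can compute it."""
    return hashlib.new(algorithm, message).hexdigest()

def digest_bits(algorithm):
    """Output length of the named hash function, in bits."""
    return hashlib.new(algorithm).digest_size * 8

def plain_check(message, received_digest):
    """Match = no changes, no match = alterations (constant-time compare)."""
    return hmac.compare_digest(digest(message), received_digest)

def keyed_tag(message, key=SHARED_KEY):
    """HMAC-SHA-1 tag: computing it requires the shared key."""
    return hmac.new(key, message, hashlib.sha1).hexdigest()

def keyed_check(message, received_tag, key=SHARED_KEY):
    return hmac.compare_digest(keyed_tag(message, key), received_tag)

def scenarios():
    """What the receiver concludes in each case."""
    return {
        "unchanged message, original hash":
            plain_check(ORIGINAL, digest(ORIGINAL)),
        "changed message, original hash":
            plain_check(ALTERED, digest(ORIGINAL)),
        "changed message, hash recomputed in transit":
            plain_check(ALTERED, digest(ALTERED)),
        "changed message, tag recomputed without the key":
            keyed_check(ALTERED, keyed_tag(ALTERED, b"not-the-key")),
        "unchanged message, keyed tag":
            keyed_check(ORIGINAL, keyed_tag(ORIGINAL)),
    }

if __name__ == "__main__":
    print(digest_bits("md5"), digest_bits("sha1"))
    for case, accepted in scenarios().items():
        print(f"{case}: {'match' if accepted else 'no match'}")
```

The third case is the limitation the slide states: when both the message and its hash cross the same untrusted path, a match proves nothing about who produced them.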
What Is Key Management?
Keyspaces
Key Length Issues
If the cryptographic system is trusted, it can only be broken using a brute-force attack:
– A brute-force attack searches through the keyspace trying all possible
keys and requires a huge amount of time.
– On average, half of the keyspace has to be searched to find the
correct key.
With modern algorithms, the strength of protection depends solely on the
length of the key as long as:
– The algorithm is trusted.
– The key is generated and maintained securely.
The choice of key length depends on:
– The sensitivity of data the key is protecting and the desired period of
confidentiality
– The performance requirements of a system—longer keys can mean
lower performance
The aim is for adequate protection of data.
Summary
Cryptology is the science of cryptanalysis and cryptography.
Symmetric encryption is used for bulk encryption and
asymmetric algorithms are used for authentication and key
exchange.
Block ciphers encrypt data in fixed-length blocks. Stream
ciphers encrypt data in blocks one bit long.
Symmetric algorithms are faster and stronger than asymmetric
algorithms.
Cryptographic hashes are designed to be irreversible.
Key management is an essential part of cryptographic security.
Usually the easiest way to breach encryption is to compromise
the keys.
SSL is an example of a cryptosystem that utilizes symmetric
and asymmetric encryption as well as cryptographic hashes to
provide a complete cryptographic solution.
TechWiseTV
Technology you can use, from geeks you can trust.
Joining us :
During Broadcast:
Phone Q & A
Review and Practice
cisco.com/go/learnnetspace
A video of “Site-to-Site VPNs:
Cryptography Basics” should be
posted in the next two weeks.
Thank you! Don’t forget to fill out our Survey