Cryptography

CCNA Security TV
Allow Up to One Minute for Video to Buffer Slides will

Be Synchronized at Next Slide Advance
Show Airs:
January 20, 2009 - 8:00 am Pacific, 15:00 GMT
Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential INTRO v2.1—5-1
CCNA Security TV -
Site-to-Site VPNs: Cryptography Basics
Host: David Major

Guests: John Rupf, Pat Lao and John Rauma
January 20, 2009 - 8:00 am Pacific, 15:00 GMT
Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential INTRO v2.1—5-2
Agenda
 Site-to-Site VPNs: Cryptography Basics

 Audience Q&A
Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Ask a Question (Click the Hand Icon)
User ID
Question for ??? Or Subject
How does …..?
Don’t forget to fill out our Survey
Alternatively, if the survey

doesn’t popup, click ‘survey
button’ located here on this
page you have open.
Download Slide Deck
Download slide deck

here.
Need Help – Problems with Video/Audio or Slides
- Click on Support Net link – Bottom of Page
Need Help – Problems with Video/Audio or Slides
Click on red life saver icon
Site-to-Site VPNs:
Cryptography Basics
John Rupf
9
© 2008 Cisco Systems, Inc. All rights reserved. IINS v1.0—4-9
Outline
• Examining Encryption
• Cryptographic Hashes
• Digital Signatures
10
© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—1-10
Examining Cryptographic
Services
11
Cryptology Overview
The science of cryptology has two subdisciplines—

cryptography and cryptanalysis.
 Cryptography is the science of creating secret codes.
 Cryptanalysis is involved in the breaking (cracking) of those
secret codes.
 Like cryptology, cryptography also has two subdisciplines –
encryption and hashing.
 Usually the objective of encryption is confidentiality.
 The primary purpose of hashing is authentication or verification.
12
Substitution Cipher
 Substitution ciphers substitute one character for another,
such as a=d, b=e, c=f, and so on to z=c.
– Julius Caesar used a substitution cipher that is now called
the Caesar cipher.
– Substitution ciphers are vulnerable to frequency analysis
because they retain the basic organization of the
message.
 Polyalphabetic ciphers are a more complex substitution
cipher.
– They counter the early frequency analysis vulnerability.
– They are still vulnerable to frequency analysis if the point
where the substitution repeats itself can be discovered.
13
Vigenère Cipher
The Vigenère cipher is a polyalphabetic cipher that uses

26 alphabets.
14
Substitution
 Write out the plaintext.

 Repeat the key above plaintext as many times as required.
 Use the key to select the row and the plaintext to select the
column.
CISCOC
ATTACK CBLCQM
(attack encrypted with the key CISCO)
15
Transposition
 Transposition is also known as permutation.

 Rather than replacing characters, characters are permuted or
rearranged.
 Some modern algorithms still use transposition as an element of
the algorithm, such as DES and 3DES.
attack takatc
(attack transposed to takatc)
16
Vernam Ciphers and One-Time Pads
 Vernam ciphers XOR the text with a text as long as the message.
 If the key is random and is used only it is a one-time pad.
 One-time pads are the only cipher that can be proved to be
secure and unbreakable, as long as the key is used only once.
 One-time pads are awkward to use.
– Creation of random data, in order to create the one-time pads,
is complicated.
– Key distribution is difficult because one copy is distributed to
the sender, the other copy retained by the receiver.
 Because of these difficulties, true one-time pads are usually
limited to super secret communications.
17
Transforming Plaintext into Ciphertext
Plaintext Plaintext
Cisco IOS Cisco IOS
Software 12.4 Software 12.4
Features Features
8vyaleh31&dk
tu.dtrw8743$
Fie*nP093h
Encryption Decryption
Algorithm Algorithm
Encryption Ciphertext Decryption

Key Key
Untrusted Network
18
Cryptanalysis
Examples of cryptographic
attacks are:
 Brute-force
 Ciphertext-only
 Known-plaintext
 Chosen-plaintext
 Chosen-ciphertext
 Birthday attack
 Meet-in-the-middle
19
Encryption Algorithm Features
Desirable features:
 Resistance to known cryptanalytic attacks
 Variable (long) key lengths and scalability
 Avalanche effect—small changes in plaintext cause substantial
changes in ciphertext
 No export or import restrictions
20
Encryption Keys
 A key is a required parameter for encryption algorithms.

 There are two different concepts regarding keys:
– Symmetric encryption algorithms—Same key encrypts and
decrypts data.
– Asymmetric encryption algorithms—Different keys encrypt and
decrypt data.
21
Symmetric Encryption Algorithms
Key Key
Encrypt Decrypt
$1000 $!@#IQ $1000
 A sender and receiver must share a secret key.

 They are usually quite fast (wire speed).
 These algorithms are based on simple mathematical
operations.
 Examples of symmetric encryption algorithms are DES,
3DES, AES, IDEA, RC2/4/5/6, and Blowfish.
22
Symmetric Encryption Key Lengths
Key Key
Encrypt Decrypt
$1000 $!@#IQ $1000
 Typical key lengths are 40-256 bits.

 Key lengths greater than or equal to 80 bits can be trusted.
 Key lengths of less than 80 bits are considered obsolete,
regardless of the strength of the algorithm.
23
DES
 DES is an ubiquitous symmetric algorithm developed by IBM in 1975

where it was called Lucifer.
 The algorithm is very good, essentially a sequence of permutations and
substitutions, but the key length is susceptible to brute-force attacks.
 The algorithm has been scrutinized for nearly 35 years with no
significant flaws found.
 DES is easily implemented in hardware because it uses simple logical
operations.
 DES has a fixed key length. The key is 64 bits long, but only 56 bits are
used for encryption:
– Eight bits are used for parity, where the least significant bit of each
key byte is odd parity.
 40-bit DES is actually a 40-bit key plus 16 known bits.
24
DES Modes
 DES operates in two block cipher modes:

– EBC mode - electronic codebook - Each plaintext block always
gives the same ciphertext block.
– CBC mode – cipher block chaining - Plaintext is XORed with
previous ciphertext block and then encrypted.
 CBC mode is used by IPsec in most cases.
 DES also uses the following two common stream cipher modes :
– CFB mode – cipher feedback - Makes a block cipher into a
self-synchronizing stream cipher and is very similar to CBC.
– OFB mode – output feedback - Generates keystream blocks,
which are then XORed with the plaintext blocks to get the
ciphertext.
25
DES ECB vs. CBC Mode
ECB CBC
Message of five 64-Bit Blocks Message of five 64-Bit Blocks
Initialization
Vector
DES
DES
DES
DES
DES
DES
DES
DES
DES
DES
26
DES Usage Guidelines
 To better protect the data, follow these guidelines:

– Change keys frequently to prevent brute-force attacks.
– Communicate DES keys from sender to receiver using a
secure channel.
– Consider using DES in CBC mode. With CBC, the encryption
of each 64-bit block depends on previous blocks.
 Because DES is considered obsolete, limit its use to small data
volumes or instances where no alternative exists.
27
Asymmetric Encryption Algorithms
Encryption Decryption
Key Key
Encrypt Decrypt
$1000 %3f7&4 $1000
 Asymmetric encryption algorithms are best known as public key

algorithms.
 The usual key length is 512–4096 bits.
 These algorithms are relatively slow because they are based on
difficult computational algorithms.
 Examples of asymmetric encryption algorithms are RSA,
ElGamal, elliptic curves, and DH.
28
Public Key Confidentiality Scenario
 When the public key is used to encrypt, the corresponding

private key is used to decrypt.
 Because the private key is only present on one system,
confidentiality is achieved in communicating with that system.
 Public keys are usually available by asking because no effort
is made to keep them secret.
 This scenario is often used for key exchange.
Public Key (encrypt) + Private Key (decrypt) = Confidentiality
29
Asymmetric Confidentiality Process
Alice Bob
Clear Encryption Encrypted Decryption Clear
Bob’s Public Key Bob’s Private Key
 Alice gets Bob’s public key.

 Alice encrypts the message using Bob’s public key.
 Bob decrypts the message using his private key.
30
Public Key Authentication Scenario
 When the private key is used to encrypt, the corresponding public

key is used to decrypt.
 Because the private key is only present on one system,
authentication is assured when its public key decrypts the
message.
 Great effort is made to maintain the secrecy of private keys.
 This scenario is used for authentication.
Private Key (encrypt) + Public Key (decrypt) = Authentication
31
Asymmetric Authentication Process
Alice Bob
Clear Encryption Encrypted Decryption Clear
Alice’s Private Key Alice’s Public Key
 Alice encrypts the message with her private key.

 Bob decrypts the message using Alice’s public key.
32
The DH Algorithm
 Used for secure key exchange over insecure channels

 Based on the difficulty of finding discrete logarithms
 Used to establish a shared secret between parties, such as the
secret keys for symmetric encryption or HMACs
33
The DH Key Exchange Algorithm
Peer A Peer B
1. Agree with peer on a large 1. Agree with peer on a large

prime integer p and a generator g. prime integer p and a generator g.
2. Select a random integer A 2. Select a random integer B..
3. Generate public key 3. Generate public key

YA = gA mod p. YB = gB mod p.
4. Send public key YA. 4. Send public key YB.
5. Generate shared-secret 5. Generate shared-secret

number ZZ = gAB mod p. number ZZ = gBA mod p.
6. Generate shared-secret key 6. Generate shared-secret key

from ZZ (DES, 3DES, or AES). from ZZ (DES, 3DES, or AES).
34
Choosing an Encryption Algorithm
 When choosing algorithms, there are two basic criteria:

– The algorithm is trusted by the cryptographic community.
– The algorithm provides enough protection against
brute-force attacks.
 DES, 3DES, IDEA, RC4, and AES are symmetric algorithms that
are considered trusted.
 RSA and DH are asymmetric algorithms that are considered
trusted.
 Other algorithms, such as ECC, are generally considered
immature in cryptographic terms.
35
Overview of Cryptographic Hashes
 Hashes are based on one-

way functions.
 They are used for integrity
assurance.
 They hash arbitrary data into
a fixed-length digest known
as a fingerprint.
36
What is a Hash Function?
Basic requirements for a

cryptographic hash function:
 The input can be any length.
 The output has a fixed length.
 H(x) is relatively easy to
compute for any given x.
 H(x) is one-way and not
reversible.
 H(x) is collision-free.
37
Hashing in Action
 Vulnerable to eavesdroppers:
– Hashing does not provide security to transmission.
 Well known hash functions:
– MD5 with 128-bit hashes I would like to
– SHA-1 with 160-bit hashes cash this
check.
Internet
Pay to Terry Smith
Pay to Terry Smith $100.00 Pay to Alex Jones $1000.00
Pay to Alex Jones $1000.00
$100.00
One Hundred and xx/100 Dollars One Thousand and xx/100 Dollars
One Thousand and xx/100 Dollars
One Hundred and xx/100 Dollars
4ehIDx67NMop9 12ehqPx67NMoX
Match = No changes
No match = Alterations 38
What Is Key Management?
 Key management deals with the secure generation, verification,

exchange, storage, and destruction of keys.
 Key management is often considered the most difficult task of
designing cryptographic systems.
 It is extremely important to have secure methods of key
management.
 In practice, most attacks on cryptographic systems will be
aimed at the key management level, rather than at the
cryptographic algorithm itself.
39
Keyspaces
 The keyspace of an algorithm is the set of all possible key values.

 A key that is n bits in size produces a keyspace that has 2n
possible key values.
 Almost every algorithm has weak keys:
– The implementation should prevent the usage of weak keys.
 There can be problems when manually defining keys.
40
Key Length Issues
 If the cryptographic system is trusted, it can only be broken using a brute-
force attack:
– A brute-force attack searches through the keyspace trying all possible
keys and requires a huge amount of time.
– On average, half of the keyspace has to be searched to find the
correct key.
 With modern algorithms, the strength of protection depends solely on the
length of the key as long as:
– The algorithm is trusted.
– The key is generated and maintained securely.
 The choice of key length depends on:
– The sensitivity of data the key is protecting and the desired period of
confidentiality
– The performance requirements of a system—longer keys can mean
lower performance
 The aim is for adequate protection of data.
41
Summary
 Cryptology is the science of cryptanalysis and cryptography.
 Symmetric encryption is used for bulk encryption and
asymmetric algorithms are used for authentication and key
exchange.
 Block ciphers encrypt data in fixed-length blocks. Stream
ciphers encrypt data in blocks one bit long.
 Symmetric algorithms are faster and stronger than asymmetric
algorithms.
 Cryptographic hashes are designed to be irreversible.
 Key management is an essential part of cryptographic security.
Usually the easiest way to breach encryption is to compromise
the keys.
 SSL is an example of a cryptosystem that utilizes symmetric
and asymmetric encryption as well as cryptographic hashes to
provide a complete cryptographic solution.
42
43
TechWiseTV
Technology you can use, from geeks you can trust.
Register now for the next show:

www.cisco.com/go/interact
44
Open Panel QA
Joining us :
Pat Lao – Cisco Technical Consultant

John Rauma – Technical Consultant (Ascolta)
4
During Broadcast
Ask a Question (Click the Hand Icon)
User ID
Question for ??? Or Subject
How does …..?
4
During Broadcast:
Phone Q & A
 To ask a question live and on the air, call:

 US or Canada: 1 – 408 – 576 – 0014
 International: +1 – 408 – 576 – 0014
4
Review and Practice
 Shortcut to the Cisco Learning Network:
cisco.com/go/learnnetspace
A video of “Site-to-Site VPNs:
Cryptography Basics” should be
posted in the next two weeks.
4
Thank you! Don’t forget to fill out our Survey
Alternatively, if the survey

doesn’t popup, click ‘survey
button’ located here on this
page you have open.
4
Deploying Unified Wireless— 5
© 2008 Cisco Systems, Inc. All rights reserved.

Cryptography

Cargado por

Información del documento

Descripción original:

Derechos de autor

Formatos disponibles

Compartir este documento

Compartir o incrustar documentos

Opciones para compartir

¿Le pareció útil este documento?

¿Este contenido es inapropiado?

Copyright:

Formatos disponibles

Cryptography

Cargado por

Copyright:

Formatos disponibles

CCNA Security TV

Allow Up to One Minute for Video to Buffer Slides will

Host: David Major

January 20, 2009 - 8:00 am Pacific, 15:00 GMT

 Site-to-Site VPNs: Cryptography Basics

How does …..?

Alternatively, if the survey

Download slide deck

The science of cryptology has two subdisciplines—

The Vigenère cipher is a polyalphabetic cipher that uses

 Write out the plaintext.

 Transposition is also known as permutation.

Encryption Ciphertext Decryption

 A key is a required parameter for encryption algorithms.

 A sender and receiver must share a secret key.

 Typical key lengths are 40-256 bits.

 DES is an ubiquitous symmetric algorithm developed by IBM in 1975

 DES operates in two block cipher modes:

 To better protect the data, follow these guidelines:

 Asymmetric encryption algorithms are best known as public key

 When the public key is used to encrypt, the corresponding

Public Key (encrypt) + Private Key (decrypt) = Confidentiality

Clear Encryption Encrypted Decryption Clear

Bob’s Public Key Bob’s Private Key

 Alice gets Bob’s public key.

 When the private key is used to encrypt, the corresponding public

Private Key (encrypt) + Public Key (decrypt) = Authentication

Clear Encryption Encrypted Decryption Clear

Alice’s Private Key Alice’s Public Key

 Alice encrypts the message with her private key.

 Used for secure key exchange over insecure channels

1. Agree with peer on a large 1. Agree with peer on a large

2. Select a random integer A 2. Select a random integer B..

3. Generate public key 3. Generate public key

4. Send public key YA. 4. Send public key YB.

5. Generate shared-secret 5. Generate shared-secret

6. Generate shared-secret key 6. Generate shared-secret key

 When choosing algorithms, there are two basic criteria:

 Hashes are based on one-

Basic requirements for a

 Key management deals with the secure generation, verification,

 The keyspace of an algorithm is the set of all possible key values.

Register now for the next show:

Pat Lao – Cisco Technical Consultant

How does …..?

 To ask a question live and on the air, call:

 Shortcut to the Cisco Learning Network:

Alternatively, if the survey

También podría gustarte