CCNA Security 012- cryptographic systems

11- Cryptographic Systems
Ahmed Sultan
CCNA | CCNA Security | CCNP Security | JNCIA-Junos | CEH
© 2009 Cisco Learning Institute. 1

Secure Communications
MARS
CSA
Remote Branch VPN
VPN
Iron Port
Firewall
IPS
Web
Server
CSA
Email
Server DNS
CSA
CSA CSA
CSA
CSA
CSA
• Traffic between sites must be secure
• Measures must be taken to ensure it cannot be altered, forged, or
deciphered if intercepted

Authentication
• An ATM Personal
Information Number (PIN)
is required for
authentication.
• The PIN is a shared
secret between a bank
account holder and the
financial institution.

Integrity
• An unbroken wax seal on an envelop ensures integrity.
• The unique unbroken seal ensures no one has read the
contents.

Confidentiality
• Julius Caesar
would send
encrypted
messages to his
generals in the
battlefield.
• Even if
intercepted, his
enemies usually
could not read, let
alone decipher,
the messages.
I O D Q N H D V W
D W W D F N D W G D Z Q

Transposition Ciphers
FLANK EAST
ATTACK AT DAWN
Clear Text
F...K...T...T...A...W.
.L.N.E.S.A.T.A.K.T.A.N
..A...A...T...C...D...
FKTTAW
LNESATAKTAN
AATCD
Ciphered Text
1
2
3
The clear text message would be
encoded using a key of 3.
Use a rail fence cipher and a
key of 3.
The clear text message would
appear as follows.

Substitution Ciphers
Caesar Cipher
FLANK EAST
ATTACK AT DAWN
Clear text
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
IODQN HDVW
DWWDFN DW GDZQ
Cipherered text
1
2
3
Shift the top
scroll over by
three characters
(key of 3), an A
becomes D, B
becomes E, and
so on.
be encrypted as follows using a
key of 3.

Cipher Wheel
FLANK EAST
ATTACK AT DAWN
Clear text
IODQN HDVW
DWWDFN DW GDZQ
Cipherered text
1
2
3
Shifting the inner wheel by 3, then
the A becomes D, B becomes E,
and so on.
appear as follows using a key of 3.

Cryptanalysis Methods
Brute Force Attack
Known Ciphertext
Successfully
Unencrypted
Key found
With a Brute Force attack, the attacker has some portion of
ciphertext. The attacker attempts to unencrypt the ciphertext with
all possible keys.

Mat-in-the-Middle Attack
Known Ciphertext Known Plaintext
Use every possible
decryption key until a result
is found matching the
corresponding plaintext.
Use every possible
encryption key until a
result is found matching
the corresponding
ciphertext.
MATCH of
Ciphertext!
Key found
With a Man-in-the-Middle attack, the attacker has some portion of text
in both plaintext and ciphertext. The attacker attempts to unencrypt
the ciphertext with all possible keys while at the same time encrypt the
plaintext with another set of possible keys until one match is found.

Defining Cryptology
Cryptology
Cryptography
+
Cryptanalysis

Cryptanalysis

Cryptographic Hashes, Protocols,
and Algorithm Examples
IInntteeggrriittyy AAuutthheennttiiccaattiioonn CCoonnffiiddeennttiiaalliittyy
MD5
SHA
HMAC-MD5
HMAC-SHA-1
RSA and DSA
DES
3DES
AES
SEAL
RC (RC2, RC4, RC5, and RC6)
HASH HASH w/Key
Encryption

Hashing Basics
• Hashes are used for
integrity assurance.
• Hashes are based on
one-way functions.
• The hash function hashes
arbitrary data into a fixed-length
digest known as
the hash value, message
digest, digest, or
fingerprint.
Data of Arbitrary
Length
Fixed-Length
Hash Value e883aa0b24c09f

Hashing Properties
XW
hy is x not in
Parens?
(H) Why is H in
Parens?
h e883aa0b24c09f
h = H
(x)
Arbitrary
length text
Hash
Function
Hash
Value

Hashing in Action
• Vulnerable to man-in-the-middle attacks
- Hashing does not provide security to transmission.
• Well-known hash functions
- MD5 with 128-bit hashes
- SHA-1 with 160-bit hashes
Pay to Terry Smith
$100.00
One Hundred and
xx/100
Dollars
Internet
I would like to
cash this
Pay to Alex Jones
$1000.00
One Thousand and
xx/100 Dollars
4ehIDx67NMop9 12ehqPx67NMoX
Match = No changes
No match = Alterations
check.

MD5
• MD5 is a ubiquitous hashing
algorithm
• Hashing properties
- One-way function—easy to
compute hash and infeasible to
compute data given a hash
- Complex sequence of simple
binary operations (XORs,
rotations, etc.) which finally
produces a 128-bit hash.
MD5

SHA
• SHA is similar in design to the MD4 and
MD5 family of hash functions
- Takes an input message of no more than 264 bits
- Produces a 160-bit message digest
• The algorithm is slightly slower than MD5.
• SHA-1 is a revision that corrected an
unpublished flaw in the original SHA.
• SHA-224, SHA-256, SHA-384, and SHA-
512 are newer and more secure versions of
SHA and are collectively known as SHA-2.
SHA

Hashing Example
In this example the clear text entered is displaying hashed
results using MD5, SHA-1, and SHA256. Notice the
difference in key lengths between the various algorithm. The
longer the key, the more secure the hash function.

Features of HMAC
• Uses an additional secret
key as input to the hash
function
• The secret key is known
to the sender and receiver
- Adds authentication to
integrity assurance
- Defeats man-in-the-middle
attacks
• Based on existing hash
functions, such as MD5
and SHA-1.
Data of Arbitrary
Length
Fixed Length
Authenticated
Hash Value
+ Secret
Key
e883aa0b24c09f
The same procedure is used for
generation and verification of
secure fingerprints

HMAC Example
Data
Pay to Terry Smith $100.00
One Hundred and xx/100 Dollars
HMAC
(Authenticated
Fingerprint)
Secret
Key
4ehIDx67NMop9
4ehIDx67NMop9
Received Data
HMAC
(Authenticated
Fingerprint)
Secret Key
4ehIDx67NMop9
If the generated HMAC matches the
sent HMAC, then integrity and
authenticity have been verified.
If they don’t match, discard the
message.

Using Hashing
e883aa0b24c09f
Fixed-Length Hash
Value
Data Integrity
Entity Authentication
Data Authenticity
• Routers use hashing with secret keys
• IPSec gateways and clients use hashing algorithms
• Software images downloaded from the website have checksums
• Sessions can be encrypted

Keyspace
DES Key Keyspace # of Possible Keys
56-bit
256
11111111 11111111 11111111
11111111 11111111 11111111 11111111
72,000,000,000,000,000
57-bit
257
11111111 11111111 11111111
11111111 11111111 11111111 11111111 1
144,000,000,000,000,000
58-bit
258
11111111 11111111 11111111
11111111 11111111 11111111 11111111 11
288,000,000,000,000,000
59-bit
259
11111111 11111111 11111111
11111111 11111111 11111111 11111111 111 576,000,000,000,000,000
Twice as
much time
Four time as
much time
With 60-bit DES
an attacker would
require sixteen
more time than
56-bit DES
For each 60-bit
added to the DES key, the attacker 1w,1o5u2l,d0 0re0,q0u0i0re,0 0tw0,i0c0e0 t,h00e0 amount of time to
search the keyspace.
Longer keys are more secure but are also more resource intensive and can affect throughput.
260
11111111 11111111 11111111
11111111 11111111 11111111 11111111 1111

Types of Keys
Digital Hash
Signature
Asymmetric
Key
Symmetric
Key
Protection up 80 1248 160 160
to 3 years
to 10 years
to 20 years
to 30 years
Protection against 256 15424 512 512
quantum computers
Calculations are based on the fact that computing power will continue to
grow at its present rate and the ability to perform brute-force attacks will
grow at the same rate.
Note the comparatively short symmetric key lengths illustrating that
symmetric algorithms are the strongest type of algorithm.

Shorter keys = faster
processing, but less secure
Longer keys = slower
processing, but more
secure
Key Properties

Symmetric Encryption
Pre-shared
key
Key Key
Encrypt Decrypt
$1000 $!@#IQ $1000
• Best known as shared-secret key algorithms
• The usual key length is 80 - 256 bits
• A sender and receiver must share a secret key
• Faster processing because they use simple mathematical operations.
• Examples include DES, 3DES, AES, IDEA, RC2/4/5/6, and Blowfish.

Symmetric Algorithms
Symmetric
Encryption
Algorithm
Key length
(in bits) Description
DES 56
Designed at IBM during the 1970s and was the NIST standard until 1997.
Although considered outdated, DES remains widely in use.
Designed to be implemented only in hardware, and is therefore extremely
slow in software.
3DES 112 and 168
Based on using DES three times which means that the input data is
encrypted three times and therefore considered much stronger than DES.
However, it is rather slow compared to some new block ciphers such as
AES.
AES 128, 192, and 256
Fast in both software and hardware, is relatively easy to implement, and
requires little memory.
As a new encryption standard, it is currently being deployed on a large scale.
Software
Encryption
Algorithm (SEAL)
160
SEAL is an alternative algorithm to DES, 3DES, and AES.
It uses a 160-bit encryption key and has a lower impact to the CPU when
compared to other software-based algorithms.
The RC series
RC2 (40 and 64)
RC4 (1 to 256)
RC5 (0 to 2040)
RC6 (128, 192,
and 256)
A set of symmetric-key encryption algorithms invented by Ron Rivest.
RC1 was never published and RC3 was broken before ever being used.
RC4 is the world's most widely used stream cipher.
RC6, a 128-bit block cipher based heavily on RC5, was an AES finalist
developed in 1997.

Asymmetric Encryption
Two separate
keys which are
not shared
Encryption Key Decryption Key
Encrypt Decrypt
$1000 %3f7&4 $1000
• Also known as public key algorithms
• The usual key length is 512–4096 bits
• A sender and receiver do not share a secret key
• Relatively slow because they are based on difficult computational
algorithms
• Examples include RSA, ElGamal and DH.

How Asymmetric Encryption works ?
Computer A acquires
Computer B’s public key
A Private Key
Computer
A
B Private Key
Can I get your Public Key please?
Here is my Public Key.
Computer B
Public Key
Computer A
Public Key Computer
B
Computer A transmits
The encrypted message
to Computer B
Computer A uses Computer B’s
public key to encrypt a message
using an agreed-upon algorithm
Computer B uses its private key to
decrypt and reveal the message

Asymmetric Key Algorithms
Key
length
(in bits)
Description
DH 512, 1024,
2048
Invented in 1976 by Whitfield Diffie and Martin Hellman.
Two parties to agree on a key that they can use to encrypt messages
The assumption is that it is easy to raise a number to a certain power, but
difficult to compute which power was used given the number and the outcome.
Digital Signature
Standard (DSS) and
Digital Signature
Algorithm (DSA)
512 - 1024
Created by NIST and specifies DSA as the algorithm for digital signatures.
A public key algorithm based on the ElGamal signature scheme.
Signature creation speed is similar with RSA, but is slower for verification.
RSA encryption
algorithms 512 to 2048
Developed by Ron Rivest, Adi Shamir, and Leonard Adleman at MIT in 1977
Based on the current difficulty of factoring very large numbers
Suitable for signing as well as encryption
Widely used in electronic commerce protocols
EIGamal 512 - 1024
Based on the Diffie-Hellman key agreement.
Described by Taher Elgamal in 1984and is used in GNU Privacy Guard software,
PGP, and other cryptosystems.
The encrypted message becomes about twice the size of the original message
and for this reason it is only used for small messages such as secret keys

Digital Signatures
• The signature is authentic and
not forgeable: The signature is
proof that the signer, and no one
else, signed the document.
• The signature is not reusable:
The signature is a part of the document and cannot be moved to a
different document.
• The signature is unalterable: After a document is signed, it cannot
be altered.
• The signature cannot be repudiated: For legal purposes, the
signature and the document are considered to be physical things.
The signer cannot claim later that they did not sign it.

CCNA Security 012- cryptographic systems

CCNA Security 012- cryptographic systems

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to CCNA Security 012- cryptographic systems (20)

Recently uploaded (20)

CCNA Security 012- cryptographic systems

Editor's Notes