Chapter 7 Criptografia

CCNA Security
Chapter Seven
Cryptographic Systems
© 2009 Cisco Learning Institute. 1

Lesson Planning
• This lesson should take 3-4 hours to present

• The lesson should include lecture,
demonstrations, discussions and assessments
• The lesson can be taught in person or using
remote instruction

Major Concepts
• Describe how the types of encryption, hashes, and digital signatures

work together to provide confidentiality, integrity, and authentication
• Describe the mechanisms to ensure data integrity and authentication
• Describe the mechanisms used to ensure data confidentiality
• Describe the mechanisms used to ensure data confidentiality and
authentication using a public key

Lesson Objectives
Upon completion of this lesson, the successful participant will be

able to:
1. Describe the requirements of secure communications including
integrity, authentication, and confidentiality
2. Describe cryptography and provide an example
3. Describe cryptanalysis and provide an example
4. Describe the importance and functions of cryptographic hashes
5. Describe the features and functions of the MD5 algorithm and of the
SHA-1 algorithm
6. Explain how we can ensure authenticity using HMAC
7. Describe the components of key management

Lesson Objectives
8. Describe how encryption algorithms provide confidentiality

9. Describe the function of the DES algorithms
10. Describe the function of the 3DES algorithm
11. Describe the function of the AES algorithm
12. Describe the function of the Software Encrypted Algorithm (SEAL) and
the Rivest ciphers (RC) algorithm
13. Describe the function of the DH algorithm and its supporting role to
DES, 3DES, and AES
14. Explain the differences and their intended applications
15. Explain the functionality of digital signatures
16. Describe the function of the RSA algorithm
17. Describe the principles behind a public key infrastructure (PKI)

Lesson Objectives
18. Describe the various PKI standards

19. Describe the role of CAs and the digital certificates that they
issue in a PKI
20. Describe the characteristics of digital certificates and CAs

Secure Communications
CSA
MARS
Firewall
VPN
IPS
CSA
VPN Iron Port CSA

Remote Branch CSA
CSA CSA
CSA
CSA
Web Email
Server Server DNS
• Traffic between sites must be secure

• Measures must be taken to ensure it cannot be altered, forged, or deciphered if intercepted

Authentication
• An ATM Personal
Information Number (PIN)
is required for
authentication.
• The PIN is a shared
secret between a bank
account holder and the
financial institution.

Integrity
• An unbroken wax seal on an envelop ensures integrity.

• The unique unbroken seal ensures no one has read the
contents.

Confidentiality
• Julius Caesar
would send
encrypted
messages to his
I O D Q N H D V W generals in the
battlefield.
D W W D F N D W G D Z Q • Even if
intercepted, his
enemies usually
could not read, let
alone decipher,
the messages.

History
Scytale - (700 BC)
Vigenère table
German Enigma Machine
Jefferson encryption device

Transposition Ciphers
1
FLANK EAST The clear text message would be
ATTACK AT DAWN encoded using a key of 3.
Clear Text
2
F...K...T...T...A...W.
.L.N.E.S.A.T.A.K.T.A.N Use a rail fence cipher and a
..A...A...T...C...D... key of 3.
3
FKTTAW The clear text message would
LNESATAKTAN
AATCD appear as follows.
Ciphered Text

Substitution Ciphers
Caesar Cipher
1
Clear text
Shift the top

2 scroll over by
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z three characters
(key of 3), an A
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
becomes D, B
becomes E, and
so on.
3
IODQN HDVW The clear text message would
DWWDFN DW GDZQ be encrypted as follows using a
key of 3.
Cipherered text

Cipher Wheel
1
Clear text
2
Shifting the inner wheel by 3, then
the A becomes D, B becomes E,
and so on.
3
IODQN HDVW The clear text message would
DWWDFN DW GDZQ appear as follows using a key of 3.
Cipherered text

Vigenѐre Table
a b c d e f g h i j k l m n o p q r s t u v w x y z
A a b c d e f g h i j k l m n o p q r s t u v w x y z
B b c d e f g h i j k l m n o p q r s t u v w x y z a
C c d e f g h i j k l m n o p q r s t u v w x y z a b
D d e f g h i j k l m n o p q r s t u v w x y z a b c
E e f g h i j k l m n o p q r s t u v w x y z a b c d
F f g h i j k l m n o p q r s t u v w x y z a b c d e
G g h i j k l m n o p q r s t u v w x y z a b c d e f
H h i j k l m n o p q r s t u v w x y z a b c d e f g
I i j k l m n o p q r s t u v w x y z a b c d e f g h
J j k l m n o p q r s t u v w x y z a b c d e f g h i
K k l m n o p q r s t u v w x y z a b c d e f g h i j
L l m n o p q r s t u v w x y z a b c d e f g h i j k
M m n o p q r s t u v w x y z a b c d e f g h i j k l
N n o p q r s t u v w x y z a b c d e f g h i j k l m
O o p q r s t u v w x y z a b c d e f g h i j k l m n
P p q r s t u v w x y z a b c d e f g h i j k l m n o
Q q r s t u v w x y z a b c d e f g h i j k l m n o p
R r s t u v w x y z a b c d e f g h i j k l m n o p q
S s t u v w x y z a b c d e f g h i j k l m n o p q r
T t u v w x y z a b c d e f g h i j k l m n o p q r s
U u v w x y z a b c d e f g h i j k l m n o p q r s t
V v w x y z a b c d e f g h i j k l m n o p q r s t u
W w x y z a b c d e f g h i j k l m n o p q r s t u v
X x y z a b c d e f g h i j k l m n o p q r s t u v w
Y y z a b c d e f g h i j k l m n o p q r s t u v w x
Z z a b c d e f g h i j k l m n o p q r s t u v w x y

Stream Ciphers
• Invented by the Norwegian Army Signal

Corps in 1950, the ETCRRM machine
uses the Vernam stream cipher method.
• It was used by the US and Russian
governments to exchange information.
• Plain text message is eXclusively OR'ed
with a key tape containing a random
stream of data of the same length to
generate the ciphertext.
• Once a message was enciphered the
key tape was destroyed.
• At the receiving end, the process was
reversed using an identical key tape to
decode the message.

Defining Cryptanalysis
Allies decipher secret

NAZI encryption code!
Cryptanalysis is from the Greek words kryptós (hidden), and analýein (to loosen or to
untie). It is the practice and the study of determining the meaning of encrypted
information (cracking the code), without access to the shared secret key.

Cryptanalysis Methods
Brute Force Attack
Known Ciphertext
Successfully
Unencrypted
Key found
With a Brute Force attack, the attacker has some portion of

ciphertext. The attacker attempts to unencrypt the ciphertext with
all possible keys.
Meet-in-the-Middle Attack
Known Ciphertext Known Plaintext

Use every possible Use every possible
decryption key until a result encryption key until a
is found matching the result is found matching
corresponding plaintext. the corresponding
ciphertext.
MATCH of
Ciphertext!
Key found
With a Meet-in-the-Middle attack, the attacker has some portion of

text in both plaintext and ciphertext. The attacker attempts to
unencrypt the ciphertext with all possible keys while at the same time
encrypt the plaintext with another set of possible keys until one match
is found.
Choosing a Cryptanalysis Method
The graph outlines the

1
frequency of letters in the
English language.
For example, the letters E,
T and A are the most
popular.
There are 6 occurrences of the cipher

letter D and 4 occurrences of the cipher
letter W.
2 Replace the cipher letter D first with
IODQN HDVW
DWWDFN DW GDZQ popular clear text letters including E, T,
and finally A.
Cipherered text
Trying A would reveal the shift pattern of 3.
Defining Cryptology
Cryptology
Cryptography Cryptanalysis

Cryptanalysis

Cryptographic Hashes, Protocols,
and Algorithm Examples
Integrity Authentication Confidentiality
MD5 HMAC-MD5 DES

SHA HMAC-SHA-1 3DES
RSA and DSA AES
SEAL
RC (RC2, RC4, RC5, and RC6)
HASH HASH w/Key
NIST Rivest Encryption

Hashing Basics
• Hashes are used for

integrity assurance. Data of Arbitrary
Length
• Hashes are based on
one-way functions.
• The hash function hashes
arbitrary data into a fixed-
length digest known as
the hash value, message
digest, digest, or
fingerprint.
Fixed-Length
Hash Value
e883aa0b24c09f

Hashing Properties
Arbitrary X
length text Why is x not in
Parens?
h = H (x)
Hash
Function
(H)
Why is H in
Parens?
Hash h e883aa0b24c09f
Value

Hashing in Action
•Vulnerabl
e to man-in-the-middle attacks
- Hashing does not provide security to transmission.
•Well-
known hash functions I would like to
- MD5 with 128-bit hashes cash this
- SHA-1 with 160-bit hashes check.
Internet
Pay to Terry Smith Pay to Alex Jones
$100.00 $1000.00
One Hundred and xx/100 One Thousand and xx/100
Dollars Dollars
4ehIDx67NMop9 12ehqPx67NMoX
Match = No changes
No match = Alterations
MD5
• MD5 is a ubiquitous hashing

algorithm
• Hashing properties
- One-way function—easy to
compute hash and infeasible to MD5
compute data given a hash
- Complex sequence of simple
binary operations (XORs,
rotations, etc.) which finally
produces a 128-bit hash.

SHA
• SHA is similar in design to the MD4 and MD5

family of hash functions
- Takes an input message of no more than 264 bits
- Produces a 160-bit message digest
• The algorithm is slightly slower than MD5. SHA

• SHA-1 is a revision that corrected an unpublished
flaw in the original SHA.
• SHA-224, SHA-256, SHA-384, and SHA-512 are
newer and more secure versions of SHA and are
collectively known as SHA-2.

Hashing Example
In this example the clear text entered is displaying hashed

results using MD5, SHA-1, and SHA256. Notice the
difference in key lengths between the various algorithm. The
longer the key, the more secure the hash function.

Features of HMAC
• Uses an additional secret

key as input to the hash Data of Arbitrary Secret
function Length + Key
• The secret key is known to

the sender and receiver
- Adds authentication to
integrity assurance
- Defeats man-in-the-middle
attacks Fixed Length
Authenticated e883aa0b24c09f
Hash Value
• Based on existing hash
functions, such as MD5 The same procedure is used for
and SHA-1. generation and verification of
secure fingerprints
HMAC Example
Data Received Data Secret Key

Pay to Terry Smith $100.00 Secret
Pay to Terry Smith $100.00
One Hundred and xx/100 Dollars Key One Hundred and xx/100 Dollars
HMAC HMAC
(Authenticated 4ehIDx67NMop9 (Authenticated 4ehIDx67NMop9
Fingerprint) Fingerprint)
Pay to Terry Smith $100.00 If the generated HMAC matches the

One Hundred and xx/100 Dollars sent HMAC, then integrity and
authenticity have been verified.
4ehIDx67NMop9 If they don’t match, discard the
message.
Using Hashing
Data Integrity Data Authenticity
e883aa0b24c09f
Fixed-Length Hash
Value
Entity Authentication
• Routers use hashing with secret keys

• Ipsec gateways and clients use hashing algorithms
• Software images downloaded from the website have checksums
• Sessions can be encrypted

Key Management
Key Generation Key Verification
Key
Management Key Storage
Key Exchange
Key Revocation and Destruction

Keyspace
DES Key Keyspace # of Possible Keys
56-bit 256 72,000,000,000,000,000
111111111111111111111111
11111111111111111111111111111111
Twice as
57-bit 257 144,000,000,000,000,000 much time
111111111111111111111111
11111111111111111111111111111111 1 Four time as

much time
58-bit 258 288,000,000,000,000,000

111111111111111111111111
11111111111111111111111111111111 11 With 60-bit DES

an attacker would
require sixteen
59-bit 259 576,000,000,000,000,000 more time than
111111111111111111111111 56-bit DES
11111111111111111111111111111111 111
60-bit 260 1,152,000,000,000,000,000

111111111111111111111111
For each bit added to the DES key, the attacker would require twice the amount of time to
11111111111111111111111111111111 1111
search the keyspace.
Longer keys are more secure but are also more resource intensive and can affect throughput.

Types of Keys
Symmetric Asymmetric Digital
Hash
Key Key Signature
Protection up
to 3 years 80 1248 160 160
Protection up
to 10 years 96 1776 192 192
Protection up
to 20 years 112 2432 224 224
Protection up
to 30 years 128 3248 256 256
Protection against
quantum computers 256 15424 512 512
 Calculations are based on the fact that computing power will continue to
grow at its present rate and the ability to perform brute-force attacks will
grow at the same rate.
 Note the comparatively short symmetric key lengths illustrating that
symmetric algorithms are the strongest type of algorithm.
Key Properties
Shorter keys = faster

processing, but less secure
Longer keys = slower

processing, but more
secure

Confidentiality and the OSI Model
• For Data Link Layer confidentiality, use proprietary link-

encrypting devices
• For Network Layer confidentiality, use secure Network Layer
protocols such as the IPsec protocol suite
• For Session Layer confidentiality, use protocols such as
Secure Sockets Layer (SSL) or Transport Layer Security (TLS)
• For Application Layer confidentiality, use secure e-mail, secure
database sessions (Oracle SQL*net), and secure messaging
(Lotus Notes sessions)

Symmetric Encryption
Pre-shared
Key key Key
Encrypt Decrypt
$1000 $!@#IQ $1000
• Best known as shared-secret key algorithms

• The usual key length is 80 - 256 bits
• A sender and receiver must share a secret key
• Faster processing because they use simple mathematical operations.
• Examples include DES, 3DES, AES, IDEA, RC2/4/5/6, and Blowfish.

Symmetric Encryption and XOR
The XOR operator results in a 1 when the value of either

the first bit or the second bit is a 1
The XOR operator results in a 0 when neither or both of

the bits is 1
Plain Text 1 1 0 1 0 0 1 1
Key (Apply) 0 1 0 1 0 1 0 1
XOR (Cipher 1 0 0 0 0 1 1 0
Text)
Key (Re-Apply) 0 1 0 1 0 1 0 1
XOR (Plain Text) 1 1 0 1 0 0 1 1

Asymmetric Encryption
Two separate
keys which are
Encryption Key not shared Decryption Key
Encrypt Decrypt
$1000 %3f7&4 $1000
• Also known as public key algorithms

• The usual key length is 512–4096 bits
• A sender and receiver do not share a secret key
• Relatively slow because they are based on difficult computational
algorithms
• Examples include RSA, ElGamal, elliptic curves, and DH.

Asymmetric Example : Diffie-Hellman
Get Out Your Calculators?

Symmetric Algorithms
Symmetric Key length Description

Encryption (in bits)
Algorithm
DES 56 Designed at IBM during the 1970s and was the NIST standard until 1997.
Although considered outdated, DES remains widely in use.
Designed to be implemented only in hardware, and is therefore extremely slow
in software.
3DES 112 and 168 Based on using DES three times which means that the input data is encrypted
three times and therefore considered much stronger than DES.
However, it is rather slow compared to some new block ciphers such as AES.
AES 128, 192, and 256 Fast in both software and hardware, is relatively easy to implement, and
requires little memory.
As a new encryption standard, it is currently being deployed on a large scale.
Software Encryption 160 SEAL is an alternative algorithm to DES, 3DES, and AES.
Algorithm (SEAL) It uses a 160-bit encryption key and has a lower impact to the CPU when
compared to other software-based algorithms.
The RC series RC2 (40 and 64) A set of symmetric-key encryption algorithms invented by Ron Rivest.
RC4 (1 to 256) RC1 was never published and RC3 was broken before ever being used.
RC5 (0 to 2040) RC4 is the world's most widely used stream cipher.
RC6 (128, 192, and RC6, a 128-bit block cipher based heavily on RC5, was an AES finalist
256)
developed in 1997.
Symmetric Encryption Techniques
Enc
Mes rypted
blank blank 1100101 01010010110010101 sag
e
01010010110010101
64 bits 64bits 64bits
Block Cipher – encryption is completed

in 64 bit blocks
Enc
Mes rypted
sag
e
0101010010101010100001001001001 0101010010101010100001001001001
Stream Cipher – encryption is one bit

at a time

Selecting an Algorithm
DES 3DES AES
The algorithm is trusted by Been Yes Verdict is still

the cryptographic community replaced by out
3DES
The algorithm adequately No Yes Yes
protects against brute-force
attacks

DES Scorecard
Description Data Encryption Standard
Timeline Standardized 1976
Type of Algorithm Symmetric
Key size (in bits) 56 bits
Speed Medium
Time to crack Days (6.4 days by the COPACABANA machine, a specialized

(Assuming a computer could try 255 cracking device)
keys per second)
Resource Consumption Medium

Block Cipher Modes
ECB CBC
Message of Five 64-Bit Blocks Message of Five 64-Bit Blocks
Initialization
Vector
DES
DES
DES
DES
DES
DES
DES
DES
DES
DES
Considerations
• Change keys frequently to help

prevent brute-force attacks. DES
• Use a secure channel to

communicate the DES key from
the sender to the receiver.
• Consider using DES in CBC
mode. With CBC, the
encryption of each 64-bit block
depends on previous blocks.
• Test a key to see if it is a weak
key before using it.

3DES Scorecard
Description Triple Data Encryption Standard
Timeline Standardized 1977
Key size (in bits) 112 and 168 bits
Speed Low
Time to crack 4.6 Billion years with current technology

(Assuming a computer could try 255
keys per second)
Resource Consumption Medium

Encryption Steps
The clear text from Alice is

encrypted using Key 1. That
ciphertext is decrypted
using a different key, Key 2.
1 Finally that ciphertext is
encrypted using another
key, Key 3.
When the 3DES ciphered text

2 is received, the process is
reversed. That is, the
ciphered text must first be
decrypted using Key 3,
encrypted using Key 2, and
finally decrypted using Key 1.

AES Scorecard
Description Advanced Encryption Standard
Timeline Official Standard since 2001
Key size (in bits) 128, 192, and 256
Speed High
Time to crack 149 Trillion years

keys per second)
Resource Consumption Low

Advantages of AES
• The key is much stronger due to the key length

• AES runs faster than 3DES on comparable hardware
• AES is more efficient than DES and 3DES on
comparable hardware
The plain text is now
encrypted using 128
AES
An attempt at
deciphering the text
using a lowercase,
and incorrect key

SEAL Scorecard
Description Software-Optimized Encryption Algorithm
Timeline First published in 1994. Current version is 3.0 (1997)
Key size (in bits) 160
Speed High
Time to crack Unknown but considered very safe

keys per second)
Resource Consumption Low

Rivest Codes Scorecard
Description RC2 RC4 RC5 RC6
Timeline 1987 1987 1994 1998
Type of Algorithm Block cipher Stream Block cipher Block cipher

cipher
Key size (in bits) 40 and 64 1 - 256 0 to 2040 bits 128, 192, or
(128 256
suggested)

DH Scorecard
Description Diffie-Hellman Algorithm
Timeline 1976
Type of Algorithm Asymmetric
Key size (in bits) 512, 1024, 2048
Speed Slow
Time to crack Unknown but considered very safe

(Assuming a computer could try
255 keys per second)
Resource Medium
Consumption

Using Diffie-Hellman
Alice Bob
Shared Secret Calc Shared Secret Calc
1 5, 23 1 5, 23
3
2 6 56mod 23 = 8 8
1. Alice and Bob agree to use the same two numbers. For example, the base number g= 5
and prime number p= 23
2. Alice now chooses a secret number x= 6.
3. Alice performs the DH algorithm: gx modulo p = ( 56 modulo 23) = 8 (Y) and
sends the new number 8 (Y) to Bob.
Using Diffie-Hellman
Alice Bob
Shared Secret Calc Shared Secret Calc
5, 23 5, 23
6 56mod 23 = 8 8 15 4
19 515 mod 23 = 19
19 mod 23 = 2 2
5
6
6 815 mod 23 =
15, performed the DH algorithm:

4. Meanwhile Bob has also chosen a secret number x=
g modulo p = (515 modulo 23)

x 23 = 19 (Y) and sent the new number 19 (Y) to
Alice. The result (22) is the same
for both Alice and Bob.
196 modulo 23) = 2.
5. Alice now computes Yx modulo p = (
This number can now be
used as a shared secret
key by the encryption
6. Bob now computes Y modulo p = (86 modulo 23) = 2.
x algorithm.

Asymmetric Key Characteristics
Encryption Decryption
Key Key
Plain Encryption Encrypted Decryption Plain
text text text
• Key length ranges from 512–4096 bits

• Key lengths greater than or equal to 1024 bits can be trusted
• Key lengths that are shorter than 1024 bits are considered
unreliable for most algorithms

Public Key (Encrypt) + Private Key
(Decrypt) = Confidentiality
Computer A acquires
Computer B’s public key
Can I get your Public Key please? Bob’s Public
1 Key
Here is my Public Key.
Bob’s Public
Computer A transmits Bob’s Private
2 4
Key The encrypted message Key
Computer
Computer to Computer B Encrypted
Text B
A
Encryption Encryption
Algorithm Algorithm
Encrypted 3 Computer B uses

Text its private key to
decrypt and reveal
Computer A uses Computer B’s
the message
public key to encrypt a message
using an agreed-upon algorithm

Private Key (Encrypt) + Public Key
(Decrypt) = Authentication
Bob uses the public key to
Alice encrypts a message successfully decrypt the message
with her private key and authenticate that the message
did, indeed, come from Alice.
Alice’s Private
1 Key
Encrypted
Text
Encryption
Alice transmits the 4
Alice’s Public
Key
Algorithm encrypted message Encrypted

2 to Bob Text
Encrypted
Computer Text
3 Computer Encryption
A B
Algorithm
Alice’s Public Can I get your Public Key please?

Key
Here is my Public Key
Bob needs to verify that the message

actually came from Alice. He requests
and acquires Alice’s public key

Asymmetric Key Algorithms
Key length Description
(in bits)
DH 512, 1024, Invented in 1976 by Whitfield Diffie and Martin Hellman.

2048 Two parties to agree on a key that they can use to encrypt messages
The assumption is that it is easy to raise a number to a certain power, but difficult to
compute which power was used given the number and the outcome.
Digital Signature 512 - 1024 Created by NIST and specifies DSA as the algorithm for digital signatures.
Standard (DSS) and A public key algorithm based on the ElGamal signature scheme.
Digital Signature
Algorithm (DSA) Signature creation speed is similar with RSA, but is slower for verification.
RSA encryption 512 to 2048 Developed by Ron Rivest, Adi Shamir, and Leonard Adleman at MIT in 1977
algorithms Based on the current difficulty of factoring very large numbers
Suitable for signing as well as encryption
Widely used in electronic commerce protocols
EIGamal 512 - 1024 Based on the Diffie-Hellman key agreement.

Described by Taher Elgamal in 1984and is used in GNU Privacy Guard software,
PGP, and other cryptosystems.
The encrypted message becomes about twice the size of the original message and
for this reason it is only used for small messages such as secret keys
Elliptical curve 160 Invented by Neil Koblitz in 1987 and by Victor Miller in 1986.
techniques Can be used to adapt many cryptographic algorithms
Keys can be much smaller

Security Services- Digital Signatures
• Authenticates a source,
proving a certain party
has seen, and has signed,
the data in question
• Signing party cannot
repudiate that it signed
the data
• Guarantees that the data
has not changed from the
time it was signed Authenticity
Integrity
Nonrepudiation

Digital Signatures
• The signature is authentic and

not forgeable: The signature is
proof that the signer, and no one
else, signed the document.
• The signature is not reusable:
The signature is a part of the document and cannot be moved to a
different document.
• The signature is unalterable: After a document is signed, it cannot be
altered.
• The signature cannot be repudiated: For legal purposes, the signature
and the document are considered to be physical things. The signer cannot
claim later that they did not sign it.

The Digital Signature Process
The sending device creates

a hash of the document
The receiving device Validity of the digital
Data accepts the document signature is verified
Confirm with digital signature
and obtains the public key Signature Verified
Order
0a77b3440…
1 hash Signed Data 6
Signature Confirm
Key Order 4
____________
Encrypted 0a77b3440…
hash Signature is
2 Signature
Algorithm verified with
The sending device 3 the verification
encrypts only the hash key
0a77b3440…
with the private key
of the signer The signature algorithm Verification
5
generates a digital signature Key

and obtains the public key
Code Signing with Digital Signatures
• The publisher of the software attaches a digital signature to the

executable, signed with the signature key of the publisher.
• The user of the software needs to obtain the public key of the
publisher or the CA certificate of the publisher if PKI is used.

DSA Scorecard
Description Digital Signature Algorithm (DSA)
Timeline 1994
Type of Algorithm Provides digital signatures
Advantages: Signature generation is fast
Disadvantages: Signature verification is slow

RSA Scorecard
Description Ron Rivest, Adi Shamir, and Len Adleman
Timeline 1977
Type of Algorithm Asymmetric algorithm
Key size (in bits) 512 - 2048
Advantages: Signature verification is fast
Disadvantages: Signature generation is slow

Properties of RSA
• One hundred times slower than

DES in hardware
• One thousand times slower
than DES in software
• Used to protect small amounts
of data
• Ensures confidentiality of data
thru encryption
• Generates digital signatures for
authentication and
nonrepudiation of data

Public Key Infrastructure
Alice applies for a driver’s license.
She receives her driver’s license

after her identity is proven.
Alice attempts to cash a check.
Her identity is accepted after her

driver’s license is checked.

Public Key Infrastructure
PKI terminology to remember:

PKI:
A service framework (hardware, software, people, policies
and procedures) needed to support large-scale public key-
based technologies.
Certificate:
A document, which binds together the name of the entity
and its public key and has been signed by the CA
Certificate authority (CA):
The trusted third party that signs the public keys of
entities in a PKI-based system

CA Vendors and Sample Certificates
http://www.verisign.com http://www.entrust.com
http://www.verizonbusiness.com/
http://www.novell.com
http://www.rsa.com/
http://www.microsoft.com

Usage Keys
• When an encryption certificate is used much more frequently than a

signing certificate, the public and private key pair is more exposed due
to its frequent usage. In this case, it might be a good idea to shorten
the lifetime of the key pair and change it more often, while having a
separate signing private and public key pair with a longer lifetime.
• When different levels of encryption and digital signing are required
because of legal, export, or performance issues, usage keys allow an
administrator to assign different key lengths to the two pairs.
• When key recovery is desired, such as when a copy of a user’s private
key is kept in a central repository for various backup reasons, usage
keys allow the user to back up only the private key of the encrypting
pair. The signing private key remains with the user, enabling true
nonrepudiation.

The Current State
X.509
• Many vendors have proposed and implemented

proprietary solutions
• Progression towards publishing a common set of
standards for PKI protocols and data formats

X.509v3
• X.509v3 is a standard that

describes the certificate
structure.
• X.509v3 is used with:
- Secure web servers: SSL
and TLS
- Web browsers: SSL and
TLS
- Email programs: S/MIME
- IPsec VPNs: IKE

X.509v3 Applications
SSL S/MIME
Internet
Mail
External Server
Web Server EAP-TLS
Cisco
Secure
Internet Enterprise ACS
Network
CA
Server
VPN
IPsec Concentrator
• Certificates can be used for various purposes.

• One CA server can be used for all types of authentication
as long as they support the same PKI procedures.

RSA PKCS Standards
• PKCS #1: RSA Cryptography Standard

• PKCS #3: DH Key Agreement Standard
• PKCS #5: Password-Based Cryptography Standard
• PKCS #6: Extended-Certificate Syntax Standard
• PKCS #7: Cryptographic Message Syntax Standard
• PKCS #8: Private-Key Information Syntax Standard
• PKCS #10: Certification Request Syntax Standard
• PKCS #12: Personal Information Exchange Syntax Standard
• PKCS #13: Elliptic Curve Cryptography Standard
• PKCS #15: Cryptographic Token Information Format Standard

Public Key Technology
PKCS#7
PKCS#10
CA
Certificate
Signed
Certificate
PKCS#7
• A PKI communication protocol used for VPN PKI enrollment

• Uses the PKCS #7 and PKCS #10 standards

Single-Root PKI Topology
• Certificates issued by one CA

• Centralized trust decisions
• Single point of failure
Root CA

Hierarchical CA Topology
Root CA
Subordinate
CA
• Delegation and distribution of trust

• Certification paths

Cross-Certified CAs
CA2
CA1
CA3
• Mutual cross-signing of CA certificates

Registration Authorities
After the Registration

Authority adds specific
information to the
2 CA certificate request and
Completed Enrollment
Request Forwarded to
the request is approved
CA under the organization’s
policy, it is forwarded
Hosts will submit on to the Certification
certificate requests RA Authority
to the RA 3
1
Certificate Issued
Enrollment
request
The CA will sign the certificate

request and send it back to
the host

Retrieving the CA Certificates
Alice and Bob telephone the CA
administrator and verify the public key
and serial number of the certificate
Out-of-Band
Out-of-Band Authentication of
Authentication of the CA Certificate
the CA Certificate CA
Admin POTS
3
POTS 3
CA
1 CA
1
Certificate
CA
Certificate
Enterprise Network
2
2
Alice and Bob request the CA certificate Each system verifies the
that contains the CA public key validity of the certificate
Submitting Certificate Requests
The CA administrator telephones to
The certificate is confirm their submittal and the public
retrieved and the key and issues the certificate by
certificate is installed 2 adding some additional data to the
onto the system request, and digitally signing it all
Out-of-Band Out-of-Band
Authentication of Authentication of
the CA Certificate CA the CA Certificate
Admin
POTS POTS
CA
1 Certificate
3 1 Certificate Request 3
Request
Enterprise Network
Both systems forward a certificate request which

includes their public key. All of this information is
encrypted using the public key of the CA
Authenticating
Bob and Alice exchange certificates. The CA is no longer involved
2 2
Private Key (Alice) Private Key (Bob)

Certificate (Alice)
Certificate (Alice) Certificate (Bob)
Certificate (Bob)
CA Certificate CA Certificate
Each party verifies the digital signature on the certificate by hashing the
plaintext portion of the certificate, decrypting the digital signature using the
CA public key, and comparing the results.

PKI Authentication Characteristics
• To authenticate each other, users have to obtain

the certificate of the CA and their own certificate.
These steps require the out-of-band verification of
the processes.
• Public-key systems use asymmetric keys where
one is public and the other one is private.
• Key management is simplified because two users
can freely exchange the certificates. The validity
of the received certificates is verified using the
public key of the CA, which the users have in their
possession.
• Because of the strength of the algorithms,
administrators can set a very long lifetime for the
certificates.


Chapter 7 Criptografia

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Chapter 7 Criptografia

Hochgeladen von

Copyright:

Verfügbare Formate

CCNA Security

© 2009 Cisco Learning Institute. 1

• This lesson should take 3-4 hours to present

© 2009 Cisco Learning Institute. 2

• Describe how the types of encryption, hashes, and digital signatures

© 2009 Cisco Learning Institute. 3

Upon completion of this lesson, the successful participant will be

© 2009 Cisco Learning Institute. 4

8. Describe how encryption algorithms provide confidentiality

© 2009 Cisco Learning Institute. 5

18. Describe the various PKI standards

© 2009 Cisco Learning Institute. 6

VPN Iron Port CSA

• Traffic between sites must be secure

© 2009 Cisco Learning Institute. 7

© 2009 Cisco Learning Institute. 8

• An unbroken wax seal on an envelop ensures integrity.

© 2009 Cisco Learning Institute. 9

© 2009 Cisco Learning Institute. 10

Scytale - (700 BC)

German Enigma Machine

Jefferson encryption device

© 2009 Cisco Learning Institute. 11

© 2009 Cisco Learning Institute. 12

Shift the top

© 2009 Cisco Learning Institute. 13

© 2009 Cisco Learning Institute. 14

© 2009 Cisco Learning Institute. 15

• Invented by the Norwegian Army Signal

© 2009 Cisco Learning Institute. 16

Allies decipher secret

© 2009 Cisco Learning Institute. 17

Brute Force Attack

With a Brute Force attack, the attacker has some portion of

Known Ciphertext Known Plaintext

With a Meet-in-the-Middle attack, the attacker has some portion of

The graph outlines the

There are 6 occurrences of the cipher

© 2009 Cisco Learning Institute. 21

© 2009 Cisco Learning Institute. 22

Integrity Authentication Confidentiality

MD5 HMAC-MD5 DES

HASH HASH w/Key

NIST Rivest Encryption

© 2009 Cisco Learning Institute. 23

• Hashes are used for

© 2009 Cisco Learning Institute. 24

© 2009 Cisco Learning Institute. 25

• MD5 is a ubiquitous hashing

© 2009 Cisco Learning Institute. 27

• SHA is similar in design to the MD4 and MD5

• The algorithm is slightly slower than MD5. SHA

© 2009 Cisco Learning Institute. 28

In this example the clear text entered is displaying hashed

© 2009 Cisco Learning Institute. 29

• Uses an additional secret

• The secret key is known to

Data Received Data Secret Key

Pay to Terry Smith $100.00 If the generated HMAC matches the

Data Integrity Data Authenticity

• Routers use hashing with secret keys

© 2009 Cisco Learning Institute. 32