Cryptography: Concepts and Services

Questions and Answers

Which cryptographic service ensures that data is not accessed by unauthorized parties?

  • Non-repudiation
  • Integrity
  • Authentication
  • Confidentiality (correct)

Which of the following is a primary goal of authentication in cryptographic services?

  • Providing irreversible data transformation
  • Verifying the identity of the sender or receiver (correct)
  • Ensuring data remains unaltered during transit
  • Concealing the data content from unauthorized parties

What cryptographic service provides assurance that data has not been altered in transit or storage?

  • Authentication
  • Integrity (correct)
  • Non-repudiation
  • Confidentiality

Which of the following best describes the purpose of hashing in cryptographic integrity?

Creating a unique, fixed-size representation of data to detect changes (C)

What is the primary advantage of using asymmetric encryption over symmetric encryption for key exchange?

Elimination of the need to exchange secret keys (D)

Which of the following algorithms is NOT primarily used for encryption?

SHA (C)

In the context of cryptographic services, what does HMAC provide in addition to data integrity?

Authentication (A)

Which of the following statements is true regarding symmetric encryption?

It requires a secure method to exchange the secret key. (D)

What is the purpose of a digital certificate?

To verify the identity of a user or device (B)

Which entity typically signs a digital certificate?

A Certificate Authority (CA) (D)

What is a key property of digital signatures?

Signatures provide authentication and non-repudiation. (D)

Which of the following describes the role of a Registration Authority (RA) in a PKI?

Verifying the identity of the certificate requester (D)

In asymmetric cryptography, Alice encrypts a message using Bob's public key. Who can decrypt this message?

Only Bob, using his private key (C)

What is the purpose of the Diffie-Hellman key exchange algorithm?

To securely exchange cryptographic keys over a public channel (D)

Which of the following is a characteristic of symmetric encryption algorithms?

They require a secure channel for key distribution. (A)

Which key is used to decrypt a message when using asymmetric encryption?

The receiver's private key (D)

What is the main purpose of a Certificate Authority (CA)?

To issue and manage digital certificates (D)

Which of these choices is considered the LEAST secure method for authentication?

PSK (B)

Which of the following hash algorithms is considered more secure?

SHA-256 (A)

For ensuring Confidentiality with encryption, which combination is considered the MOST secure?

AES (A)

How does asymmetric key cryptography contribute to authentication?

By allowing a sender to encrypt a message digest with their private key, creating a digital signature. (D)

Which of the following best describes the purpose of 'non-repudiation' in the context of cryptographic services?

Preventing a sender from denying that they sent a message. (D)

In a Public Key Infrastructure (PKI), what is the primary responsibility of the Certificate Authority (CA)?

To digitally sign and issue certificates. (D)

Which of the following algorithms would you most likely use if you wanted to focus primarily on performing a 'Key-Exchange'?

Diffie-Hellman (B)

What is the purpose of applying a hash function to data before digitally signing it using asymmetric cryptography?

To reduce the amount of data to be signed, improving efficiency (D)

Which of the following is a key benefit typically associated with implementing VPNs?

Improved network security and cost savings. (B)

In the context of VPN technologies, what is the primary difference between a site-to-site VPN and a remote-access VPN?

Site-to-site VPNs securely connect entire networks, while remote-access VPNs allow individual users to connect to a private network. (C)

Which of the following is a component specifically associated with a remote-access VPN setup?

VPN terminating device and client-side software. (B)

In an IPsec VPN, which protocol provides authentication and integrity but does not provide confidentiality?

AH (Authentication Header). (C)

Which of the following statements best describes the function of the ESP protocol in IPsec?

It provides encryption, integrity, and authentication of the data payload. (D)

Which of the following algorithms is considered the most secure for encryption?

AES (Advanced Encryption Standard). (C)

Which of the following hash algorithms is generally considered more secure?

SHA. (A)

Which of the following is a method to authenticate peers?

Both RSA and PSK. (C)

Diffie-Hellman is used for:

Key Exchange. (D)

In the context of IPsec, what is the primary function of Internet Key Exchange (IKE)?

To establish and manage security associations (SAs) between devices. (C)

During IKE Phase 1, what is the primary goal?

To establish a secure channel for subsequent negotiations. (A)

Which task is not performed in IKE Phase 2?

Authenticating peers. (B)

When configuring a site-to-site IPsec VPN with pre-shared key authentication, what must match on both VPN endpoints?

The pre-shared key and the IPsec policies. (B)

What is the purpose of an extended access list when configuring IPsec?

To define the traffic that will be encrypted and protected by the VPN. (A)

What is the function of a crypto map?

It binds together various components, such as the ACL, IPsec transform set, and peer IP address, into a single policy. (A)

Which command is used to apply a crypto map to an interface?

interface <interface-id> then crypto map <map-name> (D)

After configuring a crypto map, what command is essential to verify the IPsec VPN tunnel is operational?

show crypto isakmp sa and show crypto ipsec sa. (D)

What command on a Cisco router is used to configure the pre-shared key for IKE?

crypto isakmp key <key-string> address <peer-address> (B)

Which command is used to define the parameters for data encryption and authentication used in IPsec?

crypto ipsec transform-set (D)

When configuring an IPsec VPN, the command set pfs group24 is used within the crypto map configuration. What does pfs stand for?

Perfect Forward Secrecy. (A)

If a newly configured crypto map remains disabled even after configuring an access list and peer, what key element might be missing?

The crypto map has not been applied to an interface. (C)

After applying a crypto map to an interface, what message confirms ISAKMP is active?

%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON (A)

What happens if you do not put in the correct access list when attempting to perform the key exchange?

Phase 1 would not complete. (D)

Which of the following correctly identifies how to test and verify that interesting traffic is working?

All of the other answers. (B)

When verifying that the VPN is working, what does QM_IDLE mean?

This means Quick Mode Phase 2 is completed and the VPN Tunnel is up! (A)


Flashcards

Cryptography

The process of encoding messages to keep them secret.

Authentication

Verifying the identity of a user, device, or other entity in a computer system.

Integrity

Ensuring that data is not altered or corrupted during transmission or storage.

Confidentiality

Protecting information from unauthorized access.

Key Management & Exchange

The procedures and mechanisms for generating, distributing, storing, and revoking cryptographic keys.

Public Key Cryptography

A cryptographic system using pairs of keys: public keys (widely distributed) and private keys (known only to the owner).

Confidentiality with Encryption

A cryptographic service that ensures only authorized parties can access the content of a message or data.

Hashing

A process that transforms data of any size into a fixed-size string of bytes. It detects data modification.

Symmetric Encryption

Encryption where the same key is used to encrypt and decrypt data.

Asymmetric Encryption

Encryption where different keys are used to encrypt and decrypt data.

Key Exchange

The process of securely exchanging cryptographic keys between two parties so that only they can read the message.

CIA Services Framework

A framework of confidentiality, integrity, and authentication services that protects data.

Symmetric Encryption Algorithms

An algorithm where the same secret key is used for both encryption and decryption.

Asymmetric Encryption

Using different keys for encryption and decryption to provide confidentiality.

Peer Authentication Methods

Methods for verifying identities to prevent spoofing. Most to least secure -> RSA, PSK.

Integrity

Guarantees that data has not been altered in transit by calculating hashes.

Integrity: Hash Algorithms

If the data is modified, the hash value should be different.

HMAC

A keyed-hash message authentication code that uses a cryptographic key and a hash function.

Key Exchange: Digital Signatures

A scheme based on asymmetric cryptography, using a private key and a public key.

Diffie-Hellman Key Exchange

A method of exchanging cryptographic keys securely.

Digital Certificate

An electronic document that proves the ownership of a public key.

PKI Framework

An infrastructure that establishes trust and authenticity in online transactions using digital certificates.

Certification Authority (CA)

An entity that verifies the identity of certificate requests and issues certificates.

Registration Authority

The process of obtaining a digital certificate from an authority.

VPN

A secured, private network that uses the public network (Internet) to connect remote sites or users together.

VPN Benefits

Reduced infrastructure costs by using the internet. Increased security through encryption and authentication. Increased scalability and reach.

Site-to-Site VPN

Connects entire networks (e.g., branch to HQ). No special client software is needed on end-user devices.

Remote-Access VPN

Allows individual users to connect securely to a private network; needs client software.

IPsec

A suite of protocols that provides a secure channel between two networks or devices over the Internet.

Authentication Header (AH)

Provides integrity using a hash function and authentication but does not provide encryption.

Encapsulating Security Payload (ESP)

Provides confidentiality (encryption), integrity, and authentication. Uses encryption to keep data secret.

Internet Key Exchange (IKE)

Security protocol that provides a method to negotiate security associations in the VPN tunnel.

IPsec Negotiation

The negotiation of security parameters and establishment of a secure tunnel in IPsec.

Pre-Shared Key (PSK)

A method of authentication where both sides share the same secret key.

Interesting Traffic

Defines the traffic that will be protected by the VPN. Uses access control lists (ACLs).

IPsec Transform Set

Specifies the encryption algorithm and authentication method used by IPsec. Example: ESP-AES-SHA.

Crypto Map

A set of rules applied to an interface to trigger IPsec protection. Contains ACL, transform set, and peer information.

IKE Phase 1

The first phase of IKE, which negotiates ISAKMP policy to create a secure tunnel.

IKE Phase 2

The second phase of IKE, which negotiates IPsec policy for securing traffic across the tunnel.


Study Notes

Introduction to VPNs

  • VPNs provide cost savings, security, scalability, and compatibility.
  • VPNs allow business partners, regional offices, SOHOs, and mobile workers to securely connect to a main site.
  • VPN connections can be established using Layer 3 IPsec.
  • VPNs connect branch offices, mobile users, and SOHOs through the internet to a central site.

VPN Technologies

  • Two main types of VPNs exist: remote-access and site-to-site.
  • Remote-Access VPNs:
    • Require a client to initiate a VPN connection.
    • Include a VPN Terminating Device.
  • Site-to-Site VPNs:
    • Do not require client knowledge of the VPN.
    • Include a VPN Terminating Device.

IPsec VPN Components

  • IPsec provides a framework of security protocols to achieve secure transmissions across IP networks.
  • IPsec includes:
    • Authentication Header (AH).
    • Encapsulating Security Payload (ESP).
    • Internet Key Exchange (IKE).
  • IPsec offers choices for:
    • IPsec Protocol.
    • Confidentiality.
    • Integrity.
    • Authentication.
    • Diffie-Hellman.

Understanding Confidentiality with Encryption

  • Encryption transforms data.
  • Unauthorized users are not able to read the data.
  • Encryption algorithms include DES (56-bit key), 3DES (56-bit key x3), AES (128-, 192-, or 256-bit key lengths), and SEAL (160-bit key length).
  • AES provides more security than the other algorithms listed.

Integrity with Hash Algorithms

  • Secure hash algorithms ensure the integrity of information.
  • Hash algorithms include MD5 (128 bits) and SHA (160 bits).

Authentication Methods

  • PSK involves using authentication keys and IDs.
  • RSA involves using digital signatures.

Key Exchange with Diffie-Hellman

  • Diffie-Hellman includes DH1, DH2, DH5, DH14, DH15, DH16, DH19, DH20, DH21, DH24

IPsec Protocols: AH and ESP

  • Authentication Header (AH) ensures data integrity and authentication but does not encrypt data.
  • The sending router computes a hash over the packet and transmits it to the peer.
  • The peer router recomputes the hash and compares it to the received hash; a mismatch means the packet was altered.
  • ESP encrypts the data payload while also providing integrity and authentication.

Transport and Tunnel Modes

  • ESP and AH can be applied in transport or tunnel mode.

Internet Key Exchange (IKE) Protocol

  • Phase 1 negotiates the ISAKMP policy to create a secure tunnel between the peers.
  • Phase 2 negotiates the IPsec policy for sending secure traffic across the tunnel.
  • Phase 2 negotiates the IPsec Security Associations (SAs).

Configuring Site-to-Site IPsec VPNs with CLI

  • Configuration Steps:
    • Configure ISAKMP policy.
    • Configure the IPsec policy.
    • Configure and apply a crypto map.
    • Apply the IPsec policy.
    • Verify the IPsec VPN.

Important Topology Addresses For Configuration

  • Site 1 uses the network 10.0.1.0/24.
  • Site 2 uses the network 192.168.1.0/24.
  • R1 has the address 172.30.2.1.
  • R2 has the address 172.30.2.2.

Describing IPsec Negotiation

  • Host A sends interesting traffic to Host B
  • R1 and R2 negotiate an IKE Phase 1 session.
  • R1 and R2 negotiate an IKE Phase 2 session.
  • Information is exchanged via the IPsec tunnel.
  • The IPsec tunnel is terminated.

ISAKMP policy configuration

  • show crypto isakmp default policy displays the default ISAKMP policies.
  • AES with 128-bit keys is the default encryption algorithm.
  • Secure Hash Standard is the default hash algorithm.
  • Rivest-Shamir-Adleman signature is the default authentication method.
  • The IKE policy lifetime is 86400 seconds, with no volume limit.

Apply the configured crypto map to the interface

  • The configured crypto map must be applied to an interface for IPsec protection to take effect.
