Cryptography PDF

Cryptography © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 Cryptography Securing Communications Organizations must provide support to secure the data internally as well as externally. The four elements of securing communications are: Data Integrity - Guarantees that the message was not altered. Origin Authentication - Guarantees that the message is not a forgery and it actually comes from whom it states. Data Confidentiality - Guarantees that only authorized users can read the message. Data Non-Repudiation - Guarantees that the sender cannot repudiate, or refute, the validity of a message sent. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2 Cryptography Cryptographic Hash Functions Hashes are used to verify and ensure data integrity. Hashing is based on a one-way mathematical function that is relatively easy to compute, but significantly harder to reverse. A hash function takes a variable block of binary data, called the message, and produces a fixed-length, condensed representation, called the hash. The resulting hash is also sometimes called the message digest, digest, or digital fingerprint. With hash functions, it is computationally infeasible for two different sets of data to come up with the same hash output. Every time the data is changed or altered, the hash value also changes. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3 Test it online https://onlinephp.io/hash Cryptography Cryptographic Hash Operation Mathematically, the equation h= H(x) is used to explain how a hash algorithm operates. As shown in the figure, a hash function H takes an input x and returns a fixed-size string hash value h. A cryptographic hash function should have the following properties: The input can be any length. The output has a fixed length. H(x) is relatively easy to compute for given x. H(x) is one way and not reversible. H(x) is collision free, meaning that two different input values will result in different hash values. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 4 Cryptography MD5 and SHA Hash functions are used to ensure the integrity of a message either accidentally or intentionally. In the figure, the sender is sending a $100 money transfer to Alex. The sender wants to ensure that the message is not altered on its way to the receiver. There are four well-known hash functions: MD5 with 128-bit digest - A one-way function that produces a 128-bit hashed message. MD5 is a legacy algorithm. SHA-1 - Very similar to the MD5 hash functions. SHA-1 creates a 160-bit hashed message and is slightly slower than MD5. SHA-2 - If you are using SHA-2, then SHA- 256, SHA-384, and SHA-512 algorithms should be used. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 5 Cryptography MD5 and SHA (Contd.) While hashing can be used to detect accidental changes, it cannot be used to guard against deliberate changes that are made by a threat actor. ???? There is no unique identifying information from the sender in the hashing procedure. This means that anyone can compute a hash for any data, as long as they have the correct hash function ( which is standard and available to anyone). Therefore, hashing is vulnerable to man-in-the-middle attacks and does not provide security to transmitted data. To provide integrity and origin authentication, something more is required. Note: Hashing algorithms only protect against accidental changes and does not protect the data from changes deliberately made by a threat actor. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 6 Cryptography Origin Authentication To add origin authentication and integrity assurance, use a keyed-hash message authentication code (HMAC). HMAC uses an additional secret key as input to the hash function. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 7 Cryptography Origin Authentication (Contd.) HMAC Hashing Algorithm An HMAC is calculated using any cryptographic algorithm that combines a cryptographic hash function with a secret key. Only the sender and the receiver know the secret key, and the output of the hash function depends on the input data and the secret key. Only parties who have access to that secret key can compute the digest of an HMAC function. If two parties share a secret key and use HMAC functions for authentication, a properly constructed HMAC digest of a message that a party has received indicates that the other party was the originator of the message. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8 Cryptography Origin Authentication (Contd.) Creating the HMAC Value As shown in the figure, the sending device inputs data into the hashing algorithm and calculates the fixed- length HMAC digest. This authenticated digest is then attached to the message and sent to the receiver. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9 Cryptography Origin Authentication (Contd.) Verifying the HMAC Value In the figure, the receiving device removes the digest from the message and uses the plaintext message with its secret key as input into the same hashing function. If the digest that is calculated by the receiving device is equal to the digest that was sent, the message has not been altered. Additionally, the origin of the message is authenticated because only the sender possesses a copy of the shared secret key. The HMAC function has ensured the authenticity of the message. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 10 Confidentiality Data Confidentiality There are two classes of encryption used to provide data confidentiality; asymmetric and symmetric. These two classes differ in how they use keys. Symmetric encryption algorithms such as Data Encryption Standard (DES), 3DES, and Advanced Encryption Standard (AES) are based on the premise that each communicating party knows the pre-shared key. Data confidentiality can also be ensured using asymmetric algorithms, including Rivest, Shamir, and Adleman (RSA) and the public key infrastructure (PKI). The figure highlights some differences between symmetric and asymmetric encryption. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 11 Confidentiality Symmetric Encryption Symmetric algorithms use the same pre-shared key (secret key) to encrypt and decrypt data. Symmetric encryption algorithms are commonly used with VPN traffic because they use less CPU resources than asymmetric encryption algorithms. When using these algorithms, the longer the key, the longer it will take for someone to discover the key. Most encryption keys are between 112 and 256 bits. Use a longer key for more secure communications. Symmetric encryption algorithms are sometimes classified as a block cipher or a stream cipher. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 12 Confidentiality Symmetric Encryption (Contd.) Block Ciphers Block ciphers transform a fixed-length block of plaintext into a common block of ciphertext of 64 or 128 bits. Common block ciphers include DES with a 64-bit block size and AES with a 128-bit block size. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 13 Confidentiality Symmetric Encryption (Contd.) Stream Ciphers Stream ciphers encrypt plaintext one byte or one bit at a time. Stream ciphers are basically a block cipher with a block size of one byte or bit. Stream ciphers are typically faster than block ciphers because data is continuously encrypted. Examples include RC4 and A5 which is used to encrypt GSM cell phone communications. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 14 Confidentiality Asymmetric Encryption Asymmetric algorithms, also called public-key algorithms, are designed in a way that the encryption and the decryption keys are different. Asymmetric algorithms use a public key and a private key. Both keys are capable of the encryption process, but the complementary paired key is required for decryption. The process is also reversible. Data that is encrypted with the public key requires the private key to decrypt. Asymmetric algorithms achieve confidentiality and authenticity by using this process. Asymmetric encryption can use key lengths between 512 to 4,096 bits. Asymmetric algorithms are substantially slower than symmetric algorithms. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 15 Confidentiality Asymmetric Encryption - Confidentiality Asymmetric algorithms are used to Example: Data exchange between Bob and Alice provide confidentiality without pre-sharing a password. The confidentiality objective of asymmetric algorithms is initiated when the encryption process is started with the public key. The process can be summarized using the formula: Public Key (Encrypt) + Private Key (Decrypt) = Confidentiality When the public key is used to encrypt Alice acquires and Bob decrypts the data, the private key must be used to uses Bob’s public key message with the private decrypt data. to encrypt a message key and as he is the only and then send it to one with the private key, Only one host has the private key; Bob. confidentiality is therefore, confidentiality is achieved. achieved. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 16 Confidentiality Asymmetric Encryption - Authentication The authentication objective of asymmetric algorithms is initiated with the private key encryption process. The process can be summarized using the formula: Private Key (Encrypt) + Public Key (Decrypt) = Authentication When the private key is used to encrypt the data, the corresponding public key must be used to decrypt the data. Because only one host has the private key, only that host could have encrypted the message, providing authentication of the sender. When a host successfully decrypts a message using a public key, it is trusted that the private key encrypted the message, which verifies who the sender is. This is a form of authentication. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 17 Confidentiality Asymmetric Encryption - Authentication (Contd.) Let's see how the private and public keys can be used to provide authentication to the data exchange between Bob and Alice. Alice uses her private key Bob decrypts using the public key Alice encrypts a message using her After Bob obtains Alice’s public key, he uses it to decrypt private key and sends it to Bob. the message and to authenticate that the message has been received from Alice. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 18 Confidentiality Asymmetric Encryption - Integrity Combining the two asymmetric encryption processes provides message confidentiality, authentication, and integrity. In this example, a message will be ciphered using Bob’s public key and a ciphered hash will be encrypted using Alice’s private key. Alice uses Bob’s Alice encrypts a Bob uses Alice’s Bob uses his private Public Key hash using her public key to key to decrypt the private key decrypt the hash message © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 19 Confidentiality Diffie-Hellman Diffie-Hellman (DH) is an asymmetric mathematical algorithm that allows two computers to generate an identical shared secret without having communicated before. The new shared key is never actually exchanged between the sender and receiver. The key can be used by an encryption algorithm to encrypt traffic between the two systems as both parties know it. DH operation © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 20 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 21 Hybrid Encryption ▪ The Hybrid Encryption primitive combines the efficiency of symmetric encryption with the convenience of public key (asymmetric) cryptography. Anyone can encrypt data using the public key, but only users with the private key can decrypt the data. ▪ Asymmetric encryption is used at the beginning to exchange a symmetric key. After that the symmetric key is used to encrypt the actual data between the transmitter and the receiver. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 22 Public Key Cryptography © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 23 Public Key Cryptography Using Digital Signatures Digital signatures are a mathematical technique used to provide authenticity, integrity, and nonrepudiation. Digital signatures use asymmetric cryptography. Digital signatures are commonly used in the following two situations: Code signing - Code signing is used to verify the integrity of executable files downloaded from a vendor website. It also uses signed digital certificates to authenticate and verify the identity of the site that is the source of the files. https://www.youtube.com/watch?v=slh8la6N0Xw Digital certificates - These are used to authenticate the identity of a system with a vendor website and establish an encrypted connection to exchange confidential data. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 24 Public Key Cryptography Digital Signatures for Code Signing Digital signatures are commonly used to provide assurance of the authenticity and integrity of software code. Executable files are wrapped in a digitally signed envelope, which allows the end user to verify the signature before installing the software. Digitally signing code provides several assurances about the code: The code is authentic and is actually sourced by the publisher. The code has not been modified since it left the software publisher. The publisher undeniably published the code. This provides nonrepudiation of the act of publishing. The purpose of digitally signed software is to ensure that the software has not been tampered with, and that it originated from the trusted source as claimed. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 25 Public Key Cryptography Digital Signatures for Code Signing (Contd.) The properties of a file that has a digitally signed certificate are as follows: Properties Description File This executable file was downloaded from the internet and Properties it contains a software tool from Cisco Systems. Digital This tab reveals that the file is from a trusted organization, Signatures Cisco Systems Inc. Digital This window reveals that the file was signed by Cisco Signatures Systems, Inc mentioning the given year, month and time. Details The General tab provides information such as who the Certificate certificate was issued to, and who issued the certificate. It Information also displays the period for which the certificate is valid. Certificate In this tab, you can see the file was signed by Cisco Path Systems, as verified to DigiCert. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 26 Another Example © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 27 Windows Certification manager “certmgr” © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 28 If there is no certificate is associated with the SW © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 29 Public Key Cryptography Digital Signatures for Digital Certificates A digital certificate enables users, hosts, and organizations to securely exchange information over the Internet. It is used to authenticate and verify that a user who is sending a message is who they claim to be. Digital certificates can also be used to provide confidentiality for the receiver with the means to encrypt a reply ( Example: the public key of the serverO.. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 30 Authorities and the PKI Trust System Public Key Management When establishing an asymmetric connection between two hosts, the hosts will exchange their public key information. Trusted third parties on the Internet validate the authenticity of these public keys using digital certificates. The third-party issues credentials that are difficult to forge. From that point forward, all individuals who trust the third party simply accept the credentials that the third-party issues. The Public Key Infrastructure (PKI) consists of specifications, systems, and tools that are used to create, manage, distribute, use, store, and Illustrates how a driver’s license is revoke digital certificates. analogous to a digital certificate The Certificate Authority (CA) creates digital certificates by tying a public key to a confirmed identify, such as a website or individual. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 31 Authorities and the PKI Trust System The Public Key Infrastructure PKI is needed to support large-scale distribution and identification of public encryption keys. The PKI framework facilitates a highly scalable trust relationship. It consists of the hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates. The figure shows the main elements of the PKI. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 32 Authorities and the PKI Trust System The Public Key Infrastructure (Contd.) The below figure shows how the elements of the PKI interoperate: © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 33 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 34 Certificate Authorities © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 35 VPN Overview Virtual Private Networks To secure network traffic between sites and users, organizations use virtual private networks (VPNs) to create end-to-end private network connections. A VPN is virtual link that it carries information within a private network, but that information is transported over a public network. A VPN is private in that the traffic is encrypted to keep the data confidential while it is transported across the public network. The figure shows a collection of various types of VPNs managed by an enterprise’s main site. The tunnel enables remote sites and users to access main site’s network resources © 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 36 36 securely. VPN Overview VPN Benefits Modern VPNs now support encryption features, such as Internet Protocol Security (IPsec) and Secure Sockets Layer (SSL) VPNs to secure network traffic between sites. Major benefits of VPNs are shown in the table. Benefit Description Cost Savings With the advent of cost-effective, high-bandwidth technologies, organizations can use VPNs to reduce their connectivity costs while simultaneously increasing remote connection bandwidth. Security VPNs provide the highest level of security available, by using advanced encryption and authentication protocols that protect data from unauthorized access. Scalability VPNs allow organizations to use the internet, making it easy to add new users without adding significant infrastructure. Compatibility VPNs can be implemented across a wide variety of WAN link options including all the popular broadband technologies. Remote workers can take advantage of these high-speed connections to gain secure access to their corporate networks. © 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 37 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 37 VPN Topologies © 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 38 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 38 VPN Topologies Site-to-Site and Remote-Access VPNs A site-to-site VPN is created when VPN terminating devices, also called VPN gateways, are preconfigured with information to establish a secure tunnel. VPN traffic is only encrypted between these devices. Internal hosts have no knowledge that a VPN is being used. The VPN gateway encapsulates and encrypts outbound traffic. It then sends the traffic through a VPN tunnel over the internet to a VPN gateway at the target site. Upon receipt, the receiving VPN gateway strips the headers, decrypts the content, and relays the packet toward the target host inside its private network. Site-to-site VPNs are typically created and secured using IP security (IPsec). © 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 39 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 39 VPN Topologies Site-to-Site and Remote-Access VPNs (Cont.) A remote-access VPN is dynamically created to establish a secure connection between a client and a VPN terminating device. © 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 40 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 40 ▪ An excellent source for security ▪ https://www.youtube.com/playlist?list=PLIFyRwBY_4bTwRX__Zn4-letrtpSj1mzY © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 41 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 42

Document Details

Tags

Related

Summary

Full Transcript

Upgrade to continue