Chapter 2: Cryptography PDF

## Chapter 2: Cryptography This chapter covers the following topics: * **Introduction to Cryptography:** Cryptography is widely used today. You need to understand the concepts of secure communications. You also need to know the different encryption and hashing protocols and their uses. * **Fundamentals of PKI:** Public key infrastructure (PKI) is a system of identities, roles, policies and procedures for generating, managing, distributing and revoking public and private keys. This chapter introduces you to the world of cryptography. You will learn what ciphers are and different hashing and encryption algorithms. You’ll also learn details about PKI implementations. ### SCOR 350-701 Exam Objectives The following SCOR 350-701 exam objectives are covered in this chapter: * **Domain 1: Security Concepts** * Describe functions of the cryptography components including hashing, encryption, PKI, SSL, IPsec, NAT-T IPv4 for IPsec, pre-shared key, and certificate-based authorization ### "Do I Know This Already?" Quiz The "Do I Know This Already?" quiz will help you assess your knowledge of the topics in this chapter. If you find the quiz questions challenging, it is recommend that you read the entire chapter thoroughly. Table 2-1 lists the major headings in the chapter and the corresponding "Do I Know This Already?" quiz questions. | Foundation Topics Section | Questions | |---|---| | Introduction to Cryptography | 1-5 | | Fundamentals of PKI | 6-10 | **CAUTION** The goal of self-assessment is to determine your knowledge of the topics in this chapter. If you do not know the answer to a question, or are only partially sure of the answer, you should mark that question as wrong. Incorrectly guessing the answer to a question can skew these results and provide you with a false sense of security. ### Foundation Topics **Introduction to Cryptography** Cryptography, or cryptology, is the study of the techniques used for encryption and secure communications. Cryptographers study and analyze cryptography. They're always creating and analyzing protocols that prevent unauthorized users from reading private messages. Cryptography also supports the following areas of information security: * Data confidentiality * Data integrity * Authentication * Nonrepudiation Cryptography combines various disciplines, including mathematics and computer science. Examples of the use of cryptography include: * Virtual private networks (VPNs) * Ecommerce * Secure email transfer * Credit card chips Every time you visit Facebook, Instagram, or watch a YouTube video in your web browser, you are using cryptographic algorithms. These sites use Transport Layer Security (TLS) to secure their communications. You will learn about these cryptographic algorithms later in the chapter. **Cryptanalysis** Cryptanalysis is the study of how to break encryption algorithms or their implementations. **Ciphers** A cipher is a set of rules, also called an algorithm, that describes how to perform encryption or decryption. There are hundreds of encryption algorithms available, and there are likely more that are proprietary and used only for special purposes, such as governmental use and national security. Common methods used by ciphers include the following: * **Substitution:** This type of cipher substitutes one character for another. For example, a simple substitution cipher can change a letter from the alphabet with another letter. To make it more challenging, you can shift more than just a single character and only choose certain letters to substitute. The exact method of substitution is called the "key." If both parties involved in the encrypted communication understand the key, they can both encrypt and decrypt data. An example of substitution is shown in Figure 2-1. * **Polyalphabetic:** This method is similar to substitution, but it uses multiple alphabets and switches between them based on a trigger character in the encoded message. * **Transposition:** This method rearranges the letters in a message. For example, if the message “This is secret,” you could write it out as shown in Figure 2-2. **Keys** A key is instructions for how to reassemble the characters in the transposition cipher. In the example shown in figure 2-2, the key starts at the top right corner and moves clockwise and spirals inward. **Block and Stream Ciphers** Encryption algorithms can operate on blocks of data at a time, or bits and bytes of data, based on the type of cipher. * **Block Cipher:** A block cipher is a symmetrical key cipher (meaning the same key is used to encrypt and decrypt) that operates on a group of bits called a block. A block cipher encryption algorithm may take a 64-bit block of plaintext and generate a 64-bit block of ciphertext. The key used to encrypt is also used to decrypt. Examples of symmetric block cipher algorithms include: * Advanced Encryption Standard (AES) * Triple Digital Encryption Standard (3DES) * Blowfish * Digital Encryption Stand (DES) * International Data Encryption Algorithm (IDEA) * Serpent * Twofish Block ciphers may add padding when there is not enough data to encrypt to make a full block size. This might result in a small amount of wasted overhead. * **Stream Cipher:** A stream cipher is a symmetrical key cipher (meaning the same key is used to encrypt and decrypt) where the plaintext data to be encrypted is done a bit at a time against the bits of the key stream. The resulting output is a ciphertext stream. Because a given algorithm ciphertext stream does not need to fit in a given block size, there may be less overhead compared to a block cipher that requires padding to complete a block size. **Symmetric and Asymmetric Algorithms** * **Symmetric Encryption Algorithm:** This algorithm uses the same key to encrypt and decrypt data. Two devices connected via a VPN both need the key(s) to successfully encrypt and decrypt the data protected using a symmetric encryption algorithm. Examples of symmetric encryption algorithms include: * DES * 3DES * AES * IDEA * RC2, RC4, RC5, RC6 * Blowfish Symmetric encryption algorithms are most frequently used to protect data in VPNs today because they are much faster to use and use less CPU than asymmetric algorithms. * **Asymmetric Encryption Algorithm:** This algorithm uses a public-private key pair. One key encrypts the data and the other key decrypts the data. Examples of asymmetric algorithms include: * RSA * Diffie-Hellman Asymmetric algorithms require more CPU processing power than symmetric algorithms. However, they are more secure. **Hashes** Hashing verifies data integrity. For example, you can verify the integrity of a downloaded software image file by running a verification using a tool like verify md5 in Cisco IOS or a checksum verification in a Linux or macOS operating system. SHA512 checksum (512 bits) output is represented by a 128-digit hexadecimal number, whereas, MD5 produces a 128-bit (16-byte) hash value, typically expressed in text format as a 32-digit hexadecimal number. An example of using a hash to verify integrity is if the sender runs a hash algorithm on a packet and attaches it to the packet before sending it to the receiver. The receiver runs the same hash algorithm and compares their results to the results the sender had attached to the packet. If the hash is the same, then they know that the packet is intact. If the hash is different, they know there is an issue with the integrity of the packet. **Cryptographic Hash Function** A cryptographic hash function takes a block of data and creates a small fixed-sized hash value. It is a one-way function, meaning that if two different computers take the same data and run the same hash function, they should get the same fixed-sized hash value. It is not possible to generate the same hash from a different block of data. This is referred to as collision resistance. The result of the hash is a small string of data, which is sometimes referred to as the digest, message digest, or simply the hash. **MD5** This hash function was considered secure for several years, as it used a 128-bit-long hash. However, MD5 is no longer considered secure for use in cryptographic applications. * **Vulnerability to collisions:** A collision is when two different input messages produce the same hash value. MD5 is vulnerable to collision attacks. This means an attacker could create two different input messages that produce the same hash value. As a result, they have the capability to undermine the integrity of digital signatures, digital certificates, and other cryptographic protocols. * **Weakness in the algorithm:** MD5 is based on a relatively simple algorithm that has been easily broken using modern computing resources. It is also vulnerable to many other types of attacks, including pre-image attacks that allow an attacker to create a message for a specific hash value. * **Not longer recommended:** The National Institute of Standards and Technology (NIST) no longer recommends using MD5 in cryptographic applications. **SHA-3** This hash function is designed to secure against known cryptographic attacks, including collision and pre-image attacks. It uses a sponge construction that absorbs data and outputs a fixed-length output ranging from 224 to 512 bits. The hash function can also be used in several modes, including sequential, parallel, and tree modes. SHA-3 is the recommended version of the secure family algorithm. **BLAKE2** This hash function is fast and flexible with strong security, making it good for applications that need to process large amounts of data. It is a good alternative for SHA-2 and MD5 hash functions. **Whirlpool** This cryptographic hash function produces a 512-bit hash value. It is designed to resist many types of attacks, making it a secure option for use in cryptographic applications. **Hashed Message Authentication Code (HMAC)** HMAC uses the mechanism of hashing but includes a secret key. HMAC is a construction that uses a secret key and a hash function to generate a message authentication code (MAC) for a message. HMAC is used for integrity verification. * HMAC-MD5, a legacy algorithm, uses MD5 as its hash function. MD5 as a hash function is not secure. The keys related to the MAC function should be frequently renewed. * HSMAC-SHA-1 is a NIST-recommended HMAC function. **Digital Signatures** When you sign something, it’s a commitment to follow through. It also provides authentication, confirming your identity. In the world of cryptography, a digital signature provides the following core benefits: * Authentication * Data integrity * Nonrepudiation To understand digital signatures, remember the concepts of hash, encryption, and public and private key pairs. * Public and Private Key Pairs: A key pair is a set of two keys that work together as a team. A public key is shared with everyone and a private key is kept secret. The public key can encrypt data. The private key can decrypt data. * Hashing: A message is hashed to create a digest (a fixed length string). * Digital Signature: The hash of a document is encrypted using the private key. If the hash matches what the receiver gets, the digital signature is validated. This means the data is intact (data integrity) and the sender is verified (authentication). **Fundamentals of PKI** Public key infrastructure (PKI) is a system of identities, roles, policies and actions that help generate, manage, distribute, and revoke public and private keys. PKI is designed for the secure transfer of information. The key to secure electronic communications is to securely transfer information and authenticate the parties involved in the communication. **How PKI Works** PKI binds public keys with the identities of people, applications, and organizations. This binding is achieved through issuing and managing digital certificates by a certificate authority (CA). **Public Key and Private Key Pairs** A public key and private key work together to generate a secure communication channel. A public key can be shared with everyone and a private key is known only to the owner. The private key is used to decrypt messages encrypted with the public key and vice versa. **Certificate Authorities (CAs)** Certificate authorities (CAs) are trusted entities that create and issue digital certificates. A digital certificate shows that a device or person has a valid public key, and the public key has been bound to the device or person. A certificate authority: * Takes requests from devices for a digital certificate. * Generates certificates that the CA issues. * Informs devices that the CA digitally signed the certificate. * Provides the device with an URL that lets them check if the certificate is valid. * Includes the issuer’s public key. * Includes validity dates. * Includes information on the certificate authority that issued the certificate. * Includes the digital signature of a certificate authority. **Root Certificates** A digital certificate can serve as an electronic document that identifies a device or person. Root certificates identify the CA, and provide the public key of the CA. * Serial Number: The CA server issues and tracks the serial number of the certificate. * Issuer: The CA that issued this certificate. **Identity Certificates** An identity certificate describes a client and contains the public key of that client. The client might be a web server that supports SSL or a router that uses digital signatures for authentication. **X.500 and X.509v3** * X.500 standards focus on directory services and how the directories are organized. Many popular network operating systems have been based on X.500, including Microsoft Active Directory. * X.509 Version 3, a standard for digital certificates, uses naming standards compatible with X.500. A common protocol used for lookups from a directory is Lightweight Directory Access Protocol (LDAP). **Digital Certificates** Information stored inside a digital certificate includes: * **Serial number:** The CA issues and manages the serial number, used to uniquely identify the certificate. * **Signature:** The specific algorithm used for signing the certificate. * **Signature:** The digital signature from the certificate authority. * **Issuer:** The entity or CA that created and issued the certificate. * **Valid from:** The date the certificate became valid. * **Valid to:** The expiration date of the certificate. * **Key Usage:** What the public key in the certificate can be used for. * **Public Key:** The public portion of the public-private key pair generated by the host. * **Thumbprint algorithm:** The hash algorithm that can be checked to see whether the certificate is valid. * **Thumbprint:** The actual hash. * **Certificate revocation list location** The URL that can be checked to see whether the serial number of any certificates issued by the CA have been revoked. ### Authenticating and Enrolling with the CA To use a new CA, you need to first authenticate the CA server and then request your own identity certificate. This is a two-step process: * **Step 1: Authenticate the CA Server:** To authenticate the CA server, you need the CA server’s public key. If you do not have the CA server’s public key, you cannot verify the digital signature. To obtain the CA server’s public key, you can download the root CA certificate. You can use “out-of-band” verification, such as a phone call to the CA. If the hash value you obtain matches the hash on the certificate, you know the certificate is valid. You can then use the public key contained in the certificate to verify future certificates signed by that CA. Web browsers automate this for well-known CAs. * **Step 2: Request an Identity Certificate:** Once you authenticate the CA server, you can request a certificate for your device or person. Include your public key, the certificate authority will issue the certificate and digitally sign it. You need to verify the signature by checking the hash. The hash should match the hash using the CA server’s public key you obtained in step 1. ### Public Key Cryptography Standards (PKCS) PKCS numbers define a format and usage for certificates and their related processes. Several standards are used for PKI, including PKCS # 10, PKCS #7, PKCS #1, PKCS #12, and PKCS #3. * **PKCS #10:** This is the certificate request format that a CA uses to receive a request for a new identity certificate. * **PKCS #7:** This format is a response to a PKCS #10 request. It typically includes the identity certificate. * **PKCS #1:** The RSA cryptography standard. * **PKCS #12:** This format stores both private and public keys, which are protected by a symmetric password-based key. * **PKCS #3:** Diffie-Hellman key exchange standard. ### Simple Certificate Enrollment Protocol (SCEP) The Simple Certificate Enrollment Protocol (SCEP) automates the process of requesting and installing certificates from a CA, providing support for most Cisco devices. This protocol is not an open standard, however, it is convenient because it is supported by most Cisco devices, including both root and identity certificates. ### Revoking Digital Certificates If the device that has a digital certificate is decommissioned or compromised then the device's public key might be obtained. You may ask the CA that issued the certificate, to revoke the certificate. **Certificate Revocation List (CRL)** The CRL is a list of certificates that have been revoked by a CA. CRLs can be accessed by several protocols including LDAP and HTTP. Device administrators can use the CRL to check if the certificate is valid. * **Certificate Revocation List (CRL):** This method checks the serial number of the certificate against the certificates listed in the CRL. The client must process the entire list to verify that a particular certificate has not been revoked. **Online Certificate Status Protocol (OCSP):** This is an alternate method for revoking certificates. The client sends a request to find the status of the certificate and then gets a response without having to download the complete list of revoked certificates. **AAA:** Cisco AAA services also provide support for validating digital certificates, which includes a check to see whether a certificate has been revoked. ### Digital Certificates in Practice Digital certificates let clients authenticate a web server to confirm they are connected to the proper server. The connection is secure using HTTPS, TLS, or SSL. The digital certificates can be used for remote-access VPNs, and for authenticating the peers at each end of the VPN. Digital certificates can also be used with IPsec, as well as the 802.1X protocol. 802.1X is used for authentication at the edge of the network, controlling access and requiring authentication using digital certificates for PCS/users before they can progress through the network. ### PKI Topologies There is no single solution for implementing a PKI. * **Single Root CA:** You can only publish a single certificate. This is fine for a small organization. In a large organization, this can create a strain on one server. You may need to publish CRLs on a separate server for fault tolerance. * **Hierarchical CA with Subordinate CAs:** The root CA delegates authority to subordinate or intermediate CAs to create and assign identity certificates for clients. The root CA signs the subordinate CAs’ digital certificates and these subordinate CAs sign the digital certificates of clients. ### Exam Preparation Tasks This chapter is designed to review key topics for the CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide. The exam preparation tasks consist of exercises presented in this chapter and those presented in Chapter 12, “Final Preparation,” plus Pearson Test Prep Software Online exam simulations. **Review All Key Topics** Before attempting the exam, review the key topics from this chapter. Table 2-2 shows the key topics in this chapter and their corresponding page numbers. ### Review Questions Answer the following review questions: 1. Which of the following are examples of common methods used by ciphers? * Transposition * Substitution * Polyalphabetic * Polynomial 2. Which of the following are examples of symmetric block cipher algorithms? * Advanced Encryption Standard (AES) * Triple Digital Encryption Standard (3DES) * DSA * Blowfish * ElGamal 3. Which of the following are examples of hashes? * ASH-160 * SHA-1 * SHA-2 * MD5 4. Which of the following are benefits of digital signatures? * Authentication * Nonrepudiation * Encryption * Hashing 5. Which of the following statements are true about public and private key pairs? * A key pair is a set of two keys that work in combination with each other as a team. * A key pair is a set of two keys that work in isolation. 6. Which of the following entities can be found inside of a digital certificate? * FQDN * DNS server IP address * Default gateway * Public Key 7. Which of the following is true about root certificates? * A root certificate contains information about the user. * A root certificate contains information about the network security device. * A root certificate contains the public key of the CA. * Root certificates never expire. 8. Which of the following are public key standards? * IPsec * PKCS #10 * PKCS #12 * ISO33012 * AES 9. Most digital certificates contain which of the following information? * Serial number * Signature * Thumbprint (fingerprint) * All of these answers are correct. 10. Which of the following is a format for storing both public and private keys using a symmetric password-based key to "unlock" the data whenever the key needs to be used or accessed? * PKCS # 12 * PKCS #10 * PKCS #7 * None of these answers are correct. 11. What is post-quantum cryptography? * The development of cryptographic algorithms that can only be broken by quantum computers. * The use of quantum computers to break traditional cryptographic systems. * The development and deployment of cryptographic algorithms that can withstand attacks from powerful quantum computers. * A project by the NIST to develop quantum computers. 12. What types of mathematical problems are the basis for post-quantum cryptography? * Integer factorization and discrete logarithms. * Lattice-based, code-based, multivariate polynomial-based, and hash-based problems. * Problems solvable only by quantum computers. * Problems that are easily solvable by classical computers. 13. What were the three main tracks of the NIST post-quantum cryptography project? * Key-establishment algorithms, digital signature algorithms, and public-key encryption algorithms. * Quantum computer development, classical cryptographic systems, and quantum-resistant algorithm standardization. * Key-encapsulation mechanisms, existential forgery, and adaptive chosen-message attacks. * Public feedback, algorithm evaluation, and algorithm standardization. 14. What is the Cryptographic Suite for Algebraic Lattices (CRYSTALS) crypto suite composed of? * The algorithms BIKE, Classic McEliece, HQC. * The algorithms Kyber and Dilithium. * A public-key encryption algorithm and a key-encapsulation mechanism. * A public feedback mechanism and a digital signature algorithm. 15. What is the primary purpose of developing quantum-resistant algorithms? * To replace existing cryptographic systems immediately. * To develop as a proactive measure to ensure that our digital infrastructure remains secure in the face of future quantum computers. * To make traditional cryptographic systems obsolete. * To demonstrate the power and potential of quantum computing.

Chapter 2: Cryptography PDF

Document Details

Tags

Related

Summary

Full Transcript

Upgrade to continue