Cryptography.The science or study of protecting information, whether in transit or at rest.Used to secure communication between two or more parties.Secure communications involves: Authentication, Integrity, Confidentiality.Plaintext refers to any thing you can read whether text or not.Ciphertext refers to something you cant read.More key length, more security.Cryptanalysis.The study and methods used to crack encrypted communications.Encryption by keys provides confidentiality, Encryption by hashes provides integrity.The stronger key gets stronger encryption and the longer the attack will take to be successful.Using a long key and changing it periodically ensures that encryption is uncrackable.Any key with a length over 256 bits is considered uncrackable.Non-Repudiation.The ability to ensure that data sender will not deny their signature on a document or the sending of a message that they originated.
Guarantee that the sender of a message can't later deny having sent the message.Digital signatures & enryption are used to establish authenticity and non- repudiation.Forms of encryption of bits:Substitution.Bits are simply replaced by other bits.Examples.Scytale
Atbash Cipher.Replaces each letter used with another letter the same distance away from the end of the alphabet.A would be sent as a Z and B would be sent as a Y.
So test will be gvhgCaesar cipher.There was a specific key to shift letters for encryption and decryption.Ex. If the key is 3, so A will be shifted to be D.
CCNA Sec 7- Crypto
CCNA Sec Page 1
Vigenere Cipher.Created by Sixteenth-century French cryptographer Blaise de Vigener.Uses a table of raws and columes labled from A to Z to increase the available substitution values and make the substitution more complex.
To get cipher text, first select the column of plain text and then select the row of the key.Sender and receiver have a shared secret key composed of letters.
The intersection of row and column is called cipher text.To decode cipher text, select the row of the key & find the intersection that is equal to cipher text.Vernam Cipher.Created at 1917 by AT&T Bell Labs engineer Gilbert Vernam.The plain text is combined with a random key, or pad, that is the same length as the message.RC4 is an example of this type of cipher.
Concealment Cipher.Creates a message that is concealed in some way.Ex. ' I have been trying to buy Sally some nice jewelry, like gold or silver earrings, but prices nowhave increased', The key is to look at every sixth word in a sentence. So the secret message is "buy gold now".
CCNA Sec Page 2
Transposition.Doesnt replace bits at all; it changes their order altogether.FLANK EAST ATTACK AT DAWN will be NWAD TA KCATTA TSAE KNALFEncryption algorithm.Mathematical formula used with the keys to encrypt and decrypt data.Encryption algorithms methods to encrypt data.Stream ciphers.Bits of data are encrypted as a continuous stream.Readable bits in their regular pattern are fed into the cipher and are encrypted one at a time.This usually by an XOR operation.Suited for hardware usage.XOR operation (exclusive-or).Are at the very core of a lot of computing.Requires two inputs, with encryption algorithms, this would be the data bits and the key bits.Each bit is fed into the operation, one from the data, the next from the key.If the bits match, the output is a 0; if they dont, its a 10 XOR 0 = 0 , 1 XOR 1 = 0 , 0 XOR 1 = 1 , 1 XOR 0 = 1If the key chosen is actually smaller than the data, the cipher will be vulnerable to frequency attacks as it will be used repeatedly in the process.
Block ciphers.Data bits are split up into blocks usually 64 bits at a time and fed into the cipher.Each block of data is then encrypted with the key and algorithm.Blocks are then put through one or more of the following scrambling methods:Considered simpler and slower than stream ciphers.If there is less input data than one full block, the algorithm complete with blanks until 64 bits.
CCNA Sec Page 3
Cryptanalysis.The study and methods used to crack encrypted communications.Keyspace.The number of possibilities that can be generated by a specific key length (2^n).DaR (Data At Rest) [Disk encryption].The data files and folders can be encrypted themselves or encrypt the entire drive.Protects confidentiality of the data stored on a disk even the OS is not active.Done using EFS, and other tools as TrueCrypt.To encrypt a file or folder.~ the file, Properties, Advanced, Encrypt contents to secure dataTo encrypt a folder.cipher /e pathTo encrypt a file.cipher /e /a pathTo decrypt.cipher /d pathFor encryption.TrueCrypt-----------------------------------------------------------------------------------------------------
Encryption types.Symmetric encryption (single key encryption) (shared key encryption).Single key to encrypt & decrypt.Very fast.50 mb/s but asymmetric is 20-200 kb/sA great choice for bulk encryption, due to its speed.Used with EFS.Key distribution and management is difficult as there is no secure way to share the key.The delivery of the key for the secured channel must be done offline.Not practical in a large environment such as the Internet.Doesn't provide non-repudiation.Because everyone has to have a specific key from each partner they want to communicate with, the sheer number of keys needed presents a problem.
Number of keys needed for a mix of users want to communicate together = N (N 1) / 2So 3 persons need 3 keys, but 4 persons need 6 keys to communicate together securelly.Symmetric algorithms.DES.A block cipher that uses a 56-bit key (+ 8 bits reserved for parity).The least significant bit of each byte is a parity bit.Should be set such that there is always an odd number of bits set (1s) in each key byte.Only the 7 most significant bits of each byte are effective for security purposes.Not considered a very secure encryption algorithm, due to the small key size.Describes the DEA (Data Encryption Algorithm).DEA is a symmetric cryptosystem originally designed for implementation in hardware.DEA is also used for single-user encryption, such as encrypting stored files on a hard disk.IDEA (International Data Encryption Algorithm).
CCNA Sec Page 4
IDEA (International Data Encryption Algorithm).A block cipher that uses a 128-bit key.Originally used in PGP (Pretty Good Privacy) 2.0.Was patented and used mainly in Europe.3DES (Triple DES).A block cipher that uses a 168-bit key.Can use up to three 56-bit keys per 64-bit block in a multiple-encryption method.Much more effective than DES, but is much slower as it consumes more processing power.AES (Advanced Encryption Standard).A 128 bit block cipher that offers three different key lengths: 128 bits, 192 bits, and 256 bits.Much effective & faster than DES or 3DES.Considered an uncrackable encryption algorithm.SEAL (Software-Optimized Encryption Algorithm).A stream cipher uses a 160-bit key.Developed in 1993 by Phillip Rogaway and Don Coppersmith.Twofish.A block cipher with key size up to 256 bits.Blowfish.A fast block cipher, largely replaced by AES.Uses a key from 32 to 448 bits, and a 64-bit block size.Blowfish is considered public domain.RC (Rivest Cipher).A block cipher that uses a variable key length up to 2,040 bits.Has several versions from RC2 through RC6RC4.Was a stream cipher.Used frequently within SSL to secure web transactions.Key size 1 - 256RC5.Uses variable block sizes (32, 64, 128).Key size 0 - 2040, 128 suggestedRC6.Uses 128-256 bit blocks.Key size 128, 192, or 256MAC (Message Authentication Code).Requires the sender and receiver to share a secret key.HMAC (Hashed Message Authentication Code).Calculated using a specific algorithm with a secret key.A data integrity algorithm that guarantees the integrity of the message using a hash value.Functions by using a hashing algorithm, such as MD5 or SHA-1.Was designed to be immune to the multicollision attack.At the local device, the message and a shared-secret key are processed through a hash algorithm.The hash algorithm produces a hash value, that is appended to the message.The message is sent over the network.The hash value is recalculated and compared to the sent hash value by the remote host.
CCNA Sec Page 5
The hash value is recalculated and compared to the sent hash value by the remote host.Common HMAC algorithms are HMAC MD5, HMAC SHA1.Asymmetric encryption.2 keys, one for encryption and the other for decryption.Can be used for data encryption, digital signatures.Provides: confidentiality, authentication, nonrepudiation.Slow, Consumes more processing power (the only real downside).Suitable for smaller amounts of data, mails,Asymmetric Encryption keys.Public key.Known and can be sent to anyone, so it's public.In general used for encryption.Private key.Used for digital signing & to decrypt data encrypted with the corresponding public key.A signature is authenticated by decrypting the signature with the sender's public key.Private and kept in a secure location.In general used for decryption.Each key can decrypt only data encrypted by it's corresponding key.Asymmetric algorithms.IPsec.A network layer tunneling protocol running in 2 modes.Tunnel mode.Used between two security gateways or between a host and a security gateway.The original IP packet is encrypted and then it is encapsulated in another IP packet.Transport mode.Protects the payload of the packet but leaves the original IP address in plaintext.The original IP address is used to route the packet through the Internet.Used between hosts.SSH (Secure Shell).A secured version of Telnet.Uses TCP port 22Relies on public key cryptography for its encryption.SSH2.The successor to SSH.More secure, efficient, and portable.Includes a built-in encrypted version of FTP (SFTP).SSL