CCNA Security – Chapter 7 – Cryptography

Cryptology is the science of making and breaking secret codes. The development and use of codes is called cryptography, and breaking codes is called cryptanalysis.

Many modern networks ensure authentication with protocols such as HMAC. Integrity is ensured by implementing either MD5 or SHA-1. Data confidentiality is ensured through symmetric encryption algorithms, including DES, 3DES, and AES, or asymmetric algorithms, including RSA and the public key infrastructure (PKI). Symmetric encryption algorithms are based on the premise that each communicating party knows the pre-shared key. Asymmetric encryption algorithms are based on the assumption that the two communicating parties have not previously shared a secret and must establish a secure method to do so.

Authentication can be accomplished with cryptographic methods. This is especially important for applications or protocols, such as email or IP, that do not have built-in mechanisms to prevent spoofing of the source.

When enabling encryption, readable data is called plaintext, or cleartext, while the encrypted version is called ciphertext. The plaintext readable message is converted to ciphertext, which is the unreadable, disguised message. Decryption reverses the process. A key is required to encrypt and decrypt a message. The key is the link between the plaintext and ciphertext.

Using a hash function is another way to ensure data confidentiality. A hash function transforms a string of characters into a usually shorter, fixed-length value or key that represents the original string. The difference between hashing and encryption is in how the data is stored. With encrypted text, the data can be decrypted with a key. With the hash function, after the data is entered and converted using the hash function, the plaintext is gone. The hashed data is simply there for comparison. For example, when a user enters a password, the password is hashed and then compared to the stored hashed value. If the user forgets the password, it is impossible to decrypt the stored value, and the password must be reset.

Authentication, integrity, and confidentiality are components of cryptography. Cryptography is both the practice and the study of hiding information.

Each of these encryption methods uses a specific algorithm, called a cipher, to encrypt and decrypt messages. A cipher is a series of well-defined steps that can be followed as a procedure when encrypting and decrypting messages.

There are several methods of creating ciphertext:
Transposition
Substitution
Vernam
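
A small added example (mine, not from the CCNA Security text) implementing each of the three methods so the round trip can be checked: a columnar transposition, a Caesar-style substitution and a Vernam XOR cipher. The key values and the sample message are constructed for the demo.

```python
# Added example (not from the CCNA Security text): minimal implementations of the
# three ways of producing ciphertext listed above. Keys and the sample message
# are constructed for the demo.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

def transposition_encrypt(plaintext: str, key: int) -> str:
    """Columnar transposition: letters keep their identity but change position.
    Write the text in rows of `key` characters, then read it off column by column."""
    return "".join(plaintext[i::key] for i in range(key))

def transposition_decrypt(ciphertext: str, key: int) -> str:
    """Rebuild the columns (the first `extra` are one char longer) and read by rows."""
    rows, extra = divmod(len(ciphertext), key)
    cols, pos = [], 0
    for i in range(key):
        width = rows + (1 if i < extra else 0)
        cols.append(ciphertext[pos:pos + width])
        pos += width
    return "".join(cols[i][r] for r in range(rows + 1)
                   for i in range(key) if r < len(cols[i]))

def substitution_encrypt(plaintext: str, shift: int) -> str:
    """Caesar-style substitution: letters keep their position but change identity;
    each letter is replaced by the one `shift` places later in the alphabet."""
    table = {c: ALPHABET[(i + shift) % 26] for i, c in enumerate(ALPHABET)}
    return "".join(table.get(c, c) for c in plaintext.upper())

def substitution_decrypt(ciphertext: str, shift: int) -> str:
    return substitution_encrypt(ciphertext, -shift)

def vernam(data: bytes, key: bytes) -> bytes:
    """Vernam cipher: XOR every byte with a key byte. The key must be at least as
    long as the message and used only once; XOR is its own inverse, so the same
    call decrypts."""
    if len(key) < len(data):
        raise ValueError("Vernam key must be at least as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))

if __name__ == "__main__":
    import secrets
    msg = "ATTACKATDAWN"                       # constructed sample message
    ct = transposition_encrypt(msg, 4)
    print("transposition:", ct, "->", transposition_decrypt(ct, 4))
    ct = substitution_encrypt(msg, 3)
    print("substitution: ", ct, "->", substitution_decrypt(ct, 3))
    pad = secrets.token_bytes(len(msg))        # one-time random key
    ct = vernam(msg.encode(), pad)
    print("vernam:       ", ct.hex(), "->", vernam(ct, pad).decode())
```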

Common methods of cryptanalysis (attacks against ciphers):
Brute-Force Attack
Ciphertext-Only Attack
Known-Plaintext Attack
Chosen-Plaintext Attack
Chosen-Ciphertext Attack
Meet-in-the-Middle

Hashing is based on a one-way mathematical function that is relatively easy to compute, but significantly harder to reverse.

The procedure takes a variable block of data and returns a fixed-length bit string called the hash value or message digest.

This is what distinguishes a cryptographic hash from a simple checksum: given a CRC value, it is easy to generate data with the same CRC. With hash functions, it is computationally infeasible for two different sets of data to come up with the same hash output.

These are two well-known hash functions:
Message Digest 5 (MD5) with 128-bit digests
Secure Hash Algorithm 1 (SHA-1) with 160-bit digests

Both MD5 and SHA-1 are based on MD4. This makes MD5 and SHA-1 similar in many ways. SHA-1 and SHA-2 are more resistant to brute-force attacks because their digest is at least 32 bits longer than the MD5 digest.

SHA-1 involves 80 steps, and MD5 involves 64 steps. The SHA-1 algorithm must also process a 160-bit buffer instead of the 128-bit buffer of MD5. Because there are fewer steps, MD5 usually executes more quickly, given the same device.
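
An added example (mine, not from the CCNA Security text) covering the hashing points above: the fixed digest lengths of MD5, SHA-1 and SHA-256 whatever the input size, the hash-then-compare password check that never decrypts anything, and the one-way avalanche behaviour of a hash. The random salt in the password check is an addition to what the text describes, and all passwords and inputs are constructed samples.

```python
import hashlib
import hmac
import secrets

# Added example (not from the CCNA Security text). Shows the fixed digest sizes
# of MD5 (128 bits), SHA-1 (160 bits) and SHA-256 regardless of input length,
# a stored-hash password check that never decrypts anything, and the one-way
# "avalanche" behaviour of a hash. Passwords and inputs are constructed samples.

def digest_bits(algorithm: str, data: bytes) -> int:
    """Digest length in bits for a hashlib algorithm; independent of len(data)."""
    return hashlib.new(algorithm, data).digest_size * 8

def store_password(password: str) -> dict:
    """Keep only a random salt and the SHA-256 digest of salt || password. The
    plaintext is not stored, so it cannot be recovered, only re-hashed and compared.
    (The salt is a practitioner's addition; the text above describes plain hashing.)"""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "digest": hashlib.sha256(salt + password.encode()).digest()}

def check_password(record: dict, attempt: str) -> bool:
    """Re-hash the attempt with the stored salt and compare in constant time."""
    candidate = hashlib.sha256(record["salt"] + attempt.encode()).digest()
    return hmac.compare_digest(candidate, record["digest"])

def avalanche(algorithm: str, a: bytes, b: bytes) -> int:
    """How many digest bits differ between hash(a) and hash(b); for a sound hash a
    one-character change flips roughly half of them."""
    da, db = hashlib.new(algorithm, a).digest(), hashlib.new(algorithm, b).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(da, db))

if __name__ == "__main__":
    for alg in ("md5", "sha1", "sha256"):
        print(f"{alg:7s} {digest_bits(alg, b'short')} bits; "
              f"{digest_bits(alg, b'x' * 100000)} bits for a 100 kB input")
    record = store_password("correct horse")      # constructed sample password
    print("login ok:", check_password(record, "correct horse"),
          "| wrong password ok:", check_password(record, "correct horsf"))
    print("SHA-1 bits flipped by a one-character change:",
          avalanche("sha1", b"payment 100", b"payment 101"), "of 160")
```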

In cryptography, a keyed-hash message authentication code (HMAC or KHMAC) is a type of message authentication code (MAC). An HMAC is calculated using a specific algorithm that combines a cryptographic hash function with a secret key. Hash functions are the basis of the protection mechanism of HMACs.

The cryptographic strength of the HMAC depends on the cryptographic strength of the underlying hash function, on the size and quality of the key, and on the hash output length in bits.

IPsec virtual private networks (VPNs) rely on HMAC functions to authenticate the origin of every packet and provide data integrity checking.
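
An added example (mine, not from the CCNA Security text) of the HMAC check described above: an HMAC-SHA1 tag is computed over a message with a shared secret, and the receiver detects both a modified message and a wrong key, whereas a plain SHA-1 digest can be recomputed to match any modified message. The key and message are constructed samples.

```python
import hashlib
import hmac
from typing import Optional

# Added example (not from the CCNA Security text). Builds an HMAC-SHA1 tag over
# a message with a shared secret and checks that altering the message or using
# a different key is detected. A plain SHA-1 digest gives integrity against
# accidental corruption only, because anyone can recompute it after a change.
# Key and message below are constructed samples.
SAMPLE_KEY = b"constructed-shared-secret-key"
SAMPLE_MESSAGE = b"src=10.0.0.1 dst=10.0.0.2 payload=transfer 100"

def make_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA1: keyed hash of `message`; 160-bit (20-byte) output."""
    return hmac.new(key, message, hashlib.sha1).digest()

def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time (avoids timing leaks)."""
    return hmac.compare_digest(make_tag(key, message), tag)

def unkeyed_digest(message: bytes) -> bytes:
    """Plain SHA-1 over the message: detects corruption, not a deliberate change."""
    return hashlib.sha1(message).digest()

def receiver_accepts(message: bytes, tag: bytes, key: Optional[bytes]) -> bool:
    """Receiver check: with a key it verifies the HMAC; without one it can only
    compare a plain digest, which a modified message can carry too."""
    if key is None:
        return hmac.compare_digest(unkeyed_digest(message), tag)
    return verify_tag(key, message, tag)

if __name__ == "__main__":
    tag = make_tag(SAMPLE_KEY, SAMPLE_MESSAGE)
    print("genuine message, HMAC ok:", receiver_accepts(SAMPLE_MESSAGE, tag, SAMPLE_KEY))
    altered = SAMPLE_MESSAGE.replace(b"100", b"900")
    print("altered message, HMAC ok:", receiver_accepts(altered, tag, SAMPLE_KEY))
    print("wrong key, HMAC ok:      ", verify_tag(b"other-key", SAMPLE_MESSAGE, tag))
    # Without a key the receiver cannot tell a recomputed plain digest from the original:
    print("altered message, plain SHA-1 ok:",
          receiver_accepts(altered, unkeyed_digest(altered), None))
```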

In practice, most attacks on cryptographic systems are aimed at the key management level, rather than at the cryptographic algorithm itself.

Two terms that are used to describe keys are key length and keyspace. The key length is the measure in bits, and the keyspace is the number of possibilities that can be generated by a specific key length. As key lengths increase, the keyspace increases exponentially:
A 2-bit (2^2) key length = a keyspace of 4, because there are four possible keys (00, 01, 10, and 11).
A 3-bit (2^3) key length = a keyspace of 8, because there are eight possible keys (000, 001, 010, 011, 100, 101, 110, 111).
A 4-bit (2^4) key length = a keyspace of 16 possible keys.
A 40-bit (2^40) key length = a keyspace of 1,099,511,627,776 possible keys.

Choose the key length so that it protects data confidentiality or integrity for an adequate period of time. Data that is more sensitive and needs to be kept secret longer must use longer keys.

Cryptographic keys are sequences of bits that are input into an encryption algorithm together with the data to be encrypted.

Because both parties are guarding a shared secret, the encryption algorithms used can have shorter key lengths. Shorter key lengths mean faster execution. Symmetric algorithms are generally much less computationally intensive than asymmetric algorithms.