
SCOR 02

• Cryptography (cryptology).
• The study of the techniques used for encryption and secure communications.
• Cryptanalysis.
• The study of how to crack encryption algorithms or their implementations.
• Ciphers.
• A set of rules, which can also be called an algorithm, about how to perform encryption or decryption.
• Common methods that ciphers use:
• Substitution.
• Substitutes one character for another.

• Polyalphabetic.
• This is similar to substitution, but instead of using a single alphabet, it can use multiple alphabets and
switch between them

• Transposition.
• Uses many different options, including the rearrangement of letters.
• Example: if we have the message “This is secret”, we could write it out (top to bottom, left to right) as shown.

• One-Time Pad (OTP).


• A good example of a key that is only used once.
• If we want to encrypt a 32-bit message, we use a 32-bit key.

• Encryption.

• Block Ciphers.
• A symmetric key cipher that operates on a group of bits called a block.
• May take a 64-bit block of plain text and generate a 64-bit block of cipher text.
• Examples:
- Digital Encryption Standard (DES)
- Triple Digital Encryption Standard (3DES)
- Advanced Encryption Standard (AES)
- Blowfish
- International Data Encryption Algorithm (IDEA)
• Block ciphers may add padding in cases where there is not enough data to encrypt.
• Stream Ciphers (cipher digit stream).
• A symmetric key cipher, where each bit of plaintext data to be encrypted is done 1 bit at a time against the
bits of the key.
-----------------------------------------------------------------------------------------------------------------------
• Symmetric and Asymmetric Algorithms.

• Symmetric.
• Uses the same key to encrypt the data and decrypt the data.

• Examples:
- DES
- 3DES
- AES
- IDEA
- RC2, RC4, RC5, RC6
- Blowfish
• Used for most of the data that we protect in VPNs today.
• Much faster to use symmetrical encryption algorithms.
• The more difficult the key, the stronger the encryption.
• The minimum symmetric key length should be at least 128 bits.

• Asymmetric.
• An example of an asymmetric algorithm is public key algorithms.
• We use two different keys (key pair) that mathematically work together as a pair.
• These keys are the public key and the private key.
• There is a very high CPU cost when using key pairs to lock and unlock data.
• We use asymmetric algorithms for things such as authenticating a VPN peer or generating keying material
that we could use for our symmetrical algorithms.
• The public key is published and available to anyone who wants to use it.
• The private key is known only to the device that owns the public-private key pair.
• A typical key length can be anywhere between 2048 and 4096.

• Examples of asymmetrical algorithms.


• RSA (Rivest, Shamir, and Adleman).
• The primary use of this asymmetrical algorithm today is for authentication.
• Also known as Public Key Cryptography Standard (PKCS) #1
• The key length may be from 512 to 2048 (Recommended 1024).
• DH (Diffie-Hellman).
• Allows devices to establish shared secret keys over an untrusted network.

• This key will be used with symmetric algorithms such as 3DES and AES.
• ElGamal.
• An encryption algorithm invented by Taher Elgamal in 1985.
• An asymmetric encryption system based on the DH exchange.
• DSA (Digital Signature Algorithm).
• Was developed by the U.S. National Security Agency.
• ECC (Elliptic Curve Cryptography).

• Hashes.
• Hashing is a method used to verify data integrity.
• It is a one-way function.
• The result of the hash is a small, fixed-length string of data called a digest, message digest, or hash.

• If a single bit of the hashed portion of the packet is modified, the hash calculated by the receiver will not
match.
• The three most popular types of hashes:
- Message digest 5 (MD5): This creates a 128-bit digest.
- Secure Hash Algorithm 1 (SHA-1): This creates a 160-bit digest.
- Secure Hash Algorithm 2 (SHA-2): Options include a digest between 224 bits and 512 bits.

• Hashed Message Authentication Code (HMAC).
• It includes in its calculation a secret key.
• The NIST-recommended HMAC function is HMAC-SHA-1.
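
The hash and HMAC behaviour described above, as an added Python example that is not part of the original notes: it checks the digest sizes, shows that a one-bit change breaks the match, and shows that only the keyed HMAC still fails once the hash has been recomputed over altered data. The packet, the key and the use of HMAC-SHA-256 (chosen here in place of HMAC-SHA-1) are assumptions.

```python
import hashlib
import hmac

def digest_bits(algorithm: str, data: bytes) -> int:
    """Length in bits of the digest that `algorithm` produces for `data`."""
    return hashlib.new(algorithm, data).digest_size * 8

def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of `data` with exactly one bit inverted."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)

def differing_bits(a: bytes, b: bytes) -> int:
    """Count the bit positions in which two equal-length digests differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def make_tag(key: bytes, packet: bytes) -> bytes:
    """Sender side: HMAC over the packet, keyed with the shared secret."""
    return hmac.new(key, packet, hashlib.sha256).digest()

def verify_tag(key: bytes, packet: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the HMAC and compare in constant time."""
    return hmac.compare_digest(make_tag(key, packet), tag)

# Constructed sample data (assumptions, not from the notes).
PACKET = b"route-update: 10.0.0.0/8 via 192.0.2.1"
KEY = b"constructed-shared-secret"

def demo() -> dict:
    tampered = flip_bit(PACKET, 0)
    plain = hashlib.sha256(PACKET).digest()
    # A plain hash has no secret: a digest recomputed over the altered
    # packet matches it again, so a bare hash catches accidental change only.
    recomputed = hashlib.sha256(tampered).digest()
    tag = make_tag(KEY, PACKET)
    return {
        "sizes": {a: digest_bits(a, PACKET) for a in ("md5", "sha1", "sha224", "sha512")},
        "bits_changed": differing_bits(plain, recomputed),
        "original_ok": verify_tag(KEY, PACKET, tag),
        "tampered_ok": verify_tag(KEY, tampered, tag),
        "wrong_key_ok": verify_tag(b"guess", PACKET, tag),
    }

if __name__ == "__main__":
    print(demo())
```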

• Digital Signatures.
• Prove that you are who you say you are.
• Keyspace.
• Refers to all the possible key values for a key.
• The bigger the key, the more secure the algorithm will be.
• But the longer the key, the more the CPU is used for the decryption and encryption of data.

• Next-Generation Encryption Protocols (Suite B).

• Elliptic Curve Cryptography (ECC).


• Replaces RSA signatures with the ECDSA algorithm.
• Replaces the DH key exchange with ECDH.
• AES in the Galois/Counter Mode (GCM) of operation.
• ECC Digital Signature Algorithm.
• SHA-256, SHA-384, and SHA-512.

• IPSec.
• A collection of protocols and algorithms used to protect IP packets at Layer 3.
• It is in use today for both remote-access VPNs and site-to-site VPNs.

• Provides:
• Confidentiality through encryption.
• Data integrity through hashing and HMAC.
• Authentication using digital signatures or using a pre-shared key (PSK) that is similar to a password.
• Key management: by Diffie-Hellman (DH).

• Internet Key Exchange (IKE): does a lot of the negotiating and management needed for IPsec to operate.
• Types of IPSec methods.
• Encapsulating Security Payload (ESP).
• Can provide all the features of IPsec.
• Authentication Header (AH).
• Can do many parts of the IPsec objectives, except encryption of the data.
• Not supported on ASA

• Encryption algorithms for confidentiality: DES, 3DES, AES.


• Hashing algorithms for integrity: MD5, SHA.
• Authentication algorithms: Pre-shared keys (PSK), RSA digital signatures.
• Key management: for example, Diffie-Hellman (DH), which can dynamically generate symmetrical keys.

• SSL (Secure Sockets Layer).


• There is not an IPsec client or software currently running on everybody’s computer.
• Even if there were, not everyone has a certificate or a PSK for authentication.
• Every web browser on every computer supports SSL.

• Public Key Infrastructure.

• Key pair.
• A set of two keys that work in combination with each other as a team.
• The public key may be shared with everyone.
• The private key is not shared with anyone.
• FUNDAMENTALS OF PKI
• Public key infrastructure (PKI) is a set of identities, roles, policies, and actions for the creation, use,
management, distribution, and revocation of public and private keys.
• PKI binds public keys with the identities of people, applications, and organizations.
• This “binding” is maintained by the issuance and management of digital certificates by a certificate
authority (CA).

• Digital Signing.

• CA (Certificate Authority).
• A computer or entity that creates and issues digital certificates.
• Inside the certificate are the IP, the FQDN, and the public key for the issuer.
• The final certificate also contains a URL that other devices can check to see whether this certificate has
been revoked, and the validity date.
• Most web browsers maintain a list of the more common trusted public CA servers.
• Root certificate.
• Contains the public key of the CA server and the other details about the CA server.
• Commercial CAs charge a fee to issue and maintain digital certificates.

• Identity certificate.
• Similar to a root certificate, but it describes the client and contains the public key of the client.

• X.500 and X.509v3 Certificates.


• X.500.
• A series of standards focused on directory services and how those directories are organized.
• Popular network operating systems have been based on X.500, including Microsoft Active Directory.
• X.509 Version 3.
• A standard for digital certificates
• LDAP is a common protocol that is used to do lookups from a directory.
• Most digital certificates contain:

• Serial number.
• Issued and tracked by the CA that issued the certificate.
• Assigned by the CA and used to uniquely identify the certificate.
• Subject.
• The person or entity that is being identified.
• The subject of the root certificate is the CA itself.
• Signature algorithm.
• The specific algorithm that was used for signing the digital certificate.
• Signature.
• The digital signature from the certificate authority.
• Issuer.
• The entity or CA that created and issued the digital certificate.
• Valid from.
• The date the certificate became valid
• Valid to.
• The expiration date of the certificate.
• Key usage.
• The functions for which the public key in the certificate may be used
• Public key.
• The public portion of the public and private key pair generated by the host whose certificate is issued.
• Thumbprint algorithm.
• The hash algorithm used for data integrity.
• Thumbprint.
• The actual hash.
• Certificate revocation list location.
• The URL that can be checked to see whether the serial number of any certificates issued by the CA have
been revoked

• Enrolling with the CA.


• Step 1: Trust the CA server.
• You cannot verify the signature on a certificate until you have the CA public key.
• You could download and install the root certificate.
• Step 2: Request your own identity certificate.
• This involves generating a public-private key pair and including the public key portion in any requests.
• The CA takes all of your information, generates an identity certificate, and sends it back to you.

• PKCS (Public Key Cryptography Standards).
• PKI standards that control the format and use of certificates, including requests to a CA for new
certificates, the format for a file that is going to be the new identity certificate, and the file format and usage
access for certificates.
• PKCS#10.
• The format of a certificate request sent to a CA by an entity that wants to receive its identity certificate.
• Includes the public key for the entity desiring a certificate.
• PKCS#7.
• A format that can be used by a CA as a response to a PKCS#10 request.
• The response itself will very likely be the identity certificate that had been previously requested.
• PKCS#12.
• A format for storing both public and private keys using a symmetric password-based key to “unlock” the
data whenever the key needs to be used or accessed.
• PKCS#3.
• Diffie-Hellman key exchange.
• Simple Certificate Enrollment Protocol (SCEP).
• Automates most of the process for requesting and installing an identity certificate.
• It is not an open standard (developed by Cisco in association with a few other vendors).
• Supported by most Cisco devices, allowing them to get and install both root and identity certificates.
• Revoked Certificates.
• A certificate contains information on where an updated list of revoked certificates can be obtained.
• Peers check this URL to check the validity of the certificate.
• Revoked certificates are listed by serial number.
• Basic ways to check certificate validity:
• Certificate Revocation List (CRL).
• A list of certificates, based on their serial numbers, that had initially been issued by a CA but have since
been revoked and as a result should not be trusted.
• Could be accessed by several protocols, including LDAP and HTTP.
• Could also be obtained via SCEP.
• Online Certificate Status Protocol (OCSP).
• Alternative to CRLs.
• Client simply sends a request to find the status of a certificate and gets a response without having to know
the complete list of revoked certificates.
• AAA.
• Cisco AAA services also provide support for validating digital certificates.
• Uses for Digital Certificates.
• Can be used for clients who want to authenticate a web server using HTTPS, SSL, TLS.
• SSL remote-access VPNs.
• With IPsec, for certificate-based authentication.
• Can also be used with protocols such as 802.1X
• PKI Topologies.
• Single Root CA.
• The first and the main CA server.
• Subordinate CAs
• Secondary to the root.
• The root CA delegates the authority (to the subordinate CAs) to create and assign identity certificates.
• The root CA signs the digital certificates of its subordinate or intermediate CAs, and the subordinate CAs
are the ones to issue certificates to clients.
• For a client to verify the “chain” of authority, the client needs both the subordinate CA’s certificate and the
root certificate.

• Cross-Certifying CAs.
• You could have a CA with a horizontal trust relationship over to a second CA so that clients of either CA
could trust the signatures of the other CA.
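
An added Python sketch, not from the original notes, of the client-side checks described under Revoked Certificates and PKI Topologies: the signature chain from the identity certificate through the subordinate CA to the trusted root, the validity dates, and the CRL lookup by serial number. Certificates as plain dicts, the names, dates and serial numbers, and textbook RSA over small known primes are all assumptions made to stay within the standard library; real X.509 handling needs a proper crypto library.

```python
import hashlib
from datetime import date

E = 65537  # public exponent used by every toy key below

def keypair(p, q):
    """Toy RSA key from two known primes -> (modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def tbs_digest(cert):
    """SHA-256 over the signed fields, as an integer."""
    fields = ("serial", "subject", "issuer", "valid_from", "valid_to", "pubkey")
    data = "|".join(str(cert[f]) for f in fields).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def issue(serial, subject, pubkey, issuer, ca_n, ca_d):
    """CA side: bind subject to pubkey and sign with the CA private key."""
    cert = dict(serial=serial, subject=subject, issuer=issuer, pubkey=pubkey,
                valid_from=date(2024, 1, 1), valid_to=date(2025, 12, 31))
    cert["signature"] = pow(tbs_digest(cert) % ca_n, ca_d, ca_n)
    return cert

def verify_chain(chain, root, crl, today):
    """Client side: chain is [identity, subordinate CA, ...]; root is trusted."""
    for cert, signer in zip(chain, chain[1:] + [root]):
        n = signer["pubkey"]
        if cert["issuer"] != signer["subject"]:
            return "issuer mismatch"
        if pow(cert["signature"], E, n) != tbs_digest(cert) % n:
            return "bad signature"
        if not cert["valid_from"] <= today <= cert["valid_to"]:
            return "outside validity period"
        if cert["serial"] in crl.get(cert["issuer"], set()):
            return "revoked"
    return "ok"

# Constructed fixtures: Mersenne primes keep the toy keys short. NOT secure.
ROOT_N, ROOT_D = keypair(2**107 - 1, 2**127 - 1)
SUB_N, SUB_D = keypair(2**61 - 1, 2**89 - 1)
PEER_N = (2**19 - 1) * (2**31 - 1)  # the peer's public key; it signs nothing here
ROOT = issue(1, "Root CA", ROOT_N, "Root CA", ROOT_N, ROOT_D)
SUB = issue(2, "Sub CA", SUB_N, "Root CA", ROOT_N, ROOT_D)
PEER = issue(1001, "vpn-peer.example", PEER_N, "Sub CA", SUB_N, SUB_D)

if __name__ == "__main__":
    today = date(2024, 6, 1)
    print(verify_chain([PEER, SUB], ROOT, {}, today))
    print(verify_chain([PEER], ROOT, {}, today))
    print(verify_chain([PEER, SUB], ROOT, {"Sub CA": {1001}}, today))
```

The second call fails because the subordinate CA certificate is missing from the chain, which is the reason the client needs both the subordinate and the root certificate.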
