CCNA Sec 7- Crypto

  • Published on
    16-Oct-2015

  • View
    12

  • Download
    0

Embed Size (px)

Transcript

<ul><li><p>Cryptography.The science or study of protecting information, whether in transit or at rest.Used to secure communication between two or more parties.Secure communications involves: Authentication, Integrity, Confidentiality.Plaintext refers to any thing you can read whether text or not.Ciphertext refers to something you cant read.More key length, more security.Cryptanalysis.The study and methods used to crack encrypted communications.Encryption by keys provides confidentiality, Encryption by hashes provides integrity.The stronger key gets stronger encryption and the longer the attack will take to be successful.Using a long key and changing it periodically ensures that encryption is uncrackable.Any key with a length over 256 bits is considered uncrackable.Non-Repudiation.The ability to ensure that data sender will not deny their signature on a document or the sending of a message that they originated.</p><p>Guarantee that the sender of a message can't later deny having sent the message.Digital signatures &amp; enryption are used to establish authenticity and non- repudiation.Forms of encryption of bits:Substitution.Bits are simply replaced by other bits.Examples.Scytale</p><p>Atbash Cipher.Replaces each letter used with another letter the same distance away from the end of the alphabet.A would be sent as a Z and B would be sent as a Y.</p><p>So test will be gvhgCaesar cipher.There was a specific key to shift letters for encryption and decryption.Ex. If the key is 3, so A will be shifted to be D.</p><p>CCNA Sec 7- Crypto</p><p> CCNA Sec Page 1 </p></li><li><p>Vigenere Cipher.Created by Sixteenth-century French cryptographer Blaise de Vigener.Uses a table of raws and columes labled from A to Z to increase the available substitution values and make the substitution more complex.</p><p>To get cipher text, first select the column of plain text and then select the row of the key.Sender and receiver have a shared secret key composed of letters.</p><p>The intersection of row and column is called cipher text.To decode cipher text, select the row of the key &amp; find the intersection that is equal to cipher text.Vernam Cipher.Created at 1917 by AT&amp;T Bell Labs engineer Gilbert Vernam.The plain text is combined with a random key, or pad, that is the same length as the message.RC4 is an example of this type of cipher.</p><p>Concealment Cipher.Creates a message that is concealed in some way.Ex. ' I have been trying to buy Sally some nice jewelry, like gold or silver earrings, but prices nowhave increased', The key is to look at every sixth word in a sentence. So the secret message is "buy gold now".</p><p> CCNA Sec Page 2 </p></li><li><p>gold now".</p><p>Transposition.Doesnt replace bits at all; it changes their order altogether.FLANK EAST ATTACK AT DAWN will be NWAD TA KCATTA TSAE KNALFEncryption algorithm.Mathematical formula used with the keys to encrypt and decrypt data.Encryption algorithms methods to encrypt data.Stream ciphers.Bits of data are encrypted as a continuous stream.Readable bits in their regular pattern are fed into the cipher and are encrypted one at a time.This usually by an XOR operation.Suited for hardware usage.XOR operation (exclusive-or).Are at the very core of a lot of computing.Requires two inputs, with encryption algorithms, this would be the data bits and the key bits.Each bit is fed into the operation, one from the data, the next from the key.If the bits match, the output is a 0; if they dont, its a 10 XOR 0 = 0 , 1 XOR 1 = 0 , 0 XOR 1 = 1 , 1 XOR 0 = 1If the key chosen is actually smaller than the data, the cipher will be vulnerable to frequency attacks as it will be used repeatedly in the process.</p><p>Block ciphers.Data bits are split up into blocks usually 64 bits at a time and fed into the cipher.Each block of data is then encrypted with the key and algorithm.Blocks are then put through one or more of the following scrambling methods:Considered simpler and slower than stream ciphers.If there is less input data than one full block, the algorithm complete with blanks until 64 bits.</p><p>Cryptanalysis.</p><p> CCNA Sec Page 3 </p></li><li><p>Cryptanalysis.The study and methods used to crack encrypted communications.Keyspace.The number of possibilities that can be generated by a specific key length (2^n).DaR (Data At Rest) [Disk encryption].The data files and folders can be encrypted themselves or encrypt the entire drive.Protects confidentiality of the data stored on a disk even the OS is not active.Done using EFS, and other tools as TrueCrypt.To encrypt a file or folder.~ the file, Properties, Advanced, Encrypt contents to secure dataTo encrypt a folder.cipher /e pathTo encrypt a file.cipher /e /a pathTo decrypt.cipher /d pathFor encryption.TrueCrypt-----------------------------------------------------------------------------------------------------</p><p>Encryption types.Symmetric encryption (single key encryption) (shared key encryption).Single key to encrypt &amp; decrypt.Very fast.50 mb/s but asymmetric is 20-200 kb/sA great choice for bulk encryption, due to its speed.Used with EFS.Key distribution and management is difficult as there is no secure way to share the key.The delivery of the key for the secured channel must be done offline.Not practical in a large environment such as the Internet.Doesn't provide non-repudiation.Because everyone has to have a specific key from each partner they want to communicate with, the sheer number of keys needed presents a problem.</p><p>Number of keys needed for a mix of users want to communicate together = N (N 1) / 2So 3 persons need 3 keys, but 4 persons need 6 keys to communicate together securelly.Symmetric algorithms.DES.A block cipher that uses a 56-bit key (+ 8 bits reserved for parity).The least significant bit of each byte is a parity bit.Should be set such that there is always an odd number of bits set (1s) in each key byte.Only the 7 most significant bits of each byte are effective for security purposes.Not considered a very secure encryption algorithm, due to the small key size.Describes the DEA (Data Encryption Algorithm).DEA is a symmetric cryptosystem originally designed for implementation in hardware.DEA is also used for single-user encryption, such as encrypting stored files on a hard disk.IDEA (International Data Encryption Algorithm).</p><p> CCNA Sec Page 4 </p></li><li><p>IDEA (International Data Encryption Algorithm).A block cipher that uses a 128-bit key.Originally used in PGP (Pretty Good Privacy) 2.0.Was patented and used mainly in Europe.3DES (Triple DES).A block cipher that uses a 168-bit key.Can use up to three 56-bit keys per 64-bit block in a multiple-encryption method.Much more effective than DES, but is much slower as it consumes more processing power.AES (Advanced Encryption Standard).A 128 bit block cipher that offers three different key lengths: 128 bits, 192 bits, and 256 bits.Much effective &amp; faster than DES or 3DES.Considered an uncrackable encryption algorithm.SEAL (Software-Optimized Encryption Algorithm).A stream cipher uses a 160-bit key.Developed in 1993 by Phillip Rogaway and Don Coppersmith.Twofish.A block cipher with key size up to 256 bits.Blowfish.A fast block cipher, largely replaced by AES.Uses a key from 32 to 448 bits, and a 64-bit block size.Blowfish is considered public domain.RC (Rivest Cipher).A block cipher that uses a variable key length up to 2,040 bits.Has several versions from RC2 through RC6RC4.Was a stream cipher.Used frequently within SSL to secure web transactions.Key size 1 - 256RC5.Uses variable block sizes (32, 64, 128).Key size 0 - 2040, 128 suggestedRC6.Uses 128-256 bit blocks.Key size 128, 192, or 256MAC (Message Authentication Code).Requires the sender and receiver to share a secret key.HMAC (Hashed Message Authentication Code).Calculated using a specific algorithm with a secret key.A data integrity algorithm that guarantees the integrity of the message using a hash value.Functions by using a hashing algorithm, such as MD5 or SHA-1.Was designed to be immune to the multicollision attack.At the local device, the message and a shared-secret key are processed through a hash algorithm.The hash algorithm produces a hash value, that is appended to the message.The message is sent over the network.The hash value is recalculated and compared to the sent hash value by the remote host.</p><p> CCNA Sec Page 5 </p></li><li><p>The hash value is recalculated and compared to the sent hash value by the remote host.Common HMAC algorithms are HMAC MD5, HMAC SHA1.Asymmetric encryption.2 keys, one for encryption and the other for decryption.Can be used for data encryption, digital signatures.Provides: confidentiality, authentication, nonrepudiation.Slow, Consumes more processing power (the only real downside).Suitable for smaller amounts of data, mails,Asymmetric Encryption keys.Public key.Known and can be sent to anyone, so it's public.In general used for encryption.Private key.Used for digital signing &amp; to decrypt data encrypted with the corresponding public key.A signature is authenticated by decrypting the signature with the sender's public key.Private and kept in a secure location.In general used for decryption.Each key can decrypt only data encrypted by it's corresponding key.Asymmetric algorithms.IPsec.A network layer tunneling protocol running in 2 modes.Tunnel mode.Used between two security gateways or between a host and a security gateway.The original IP packet is encrypted and then it is encapsulated in another IP packet.Transport mode.Protects the payload of the packet but leaves the original IP address in plaintext.The original IP address is used to route the packet through the Internet.Used between hosts.SSH (Secure Shell).A secured version of Telnet.Uses TCP port 22Relies on public key cryptography for its encryption.SSH2.The successor to SSH.More secure, efficient, and portable.Includes a built-in encrypted version of FTP (SFTP).SSL (Secure Sockets Layer).Encrypts data at the transport layer, and above, for secure communication across the Internet.Uses RSA encryption and digital certificates.Originally developed by Netscape, and has been universally accepted on the Web.SSL session establishment steps.The user makes an outbound connection to TCP port 443.The server responds with a digital certificate.The user's computer generates a shared secret key that both parties use.This key is encrypted with the public key of the server and transmitted to the server.</p><p> CCNA Sec Page 6 </p></li><li><p>This key is encrypted with the public key of the server and transmitted to the server.The router decrypts the packet to get the key with it's private key.This key will be used to encrypt the SSL session.It is being largely replaced by TLS.</p><p>TLS (Transport Layer Security).The successor to SSL.Uses an RSA algorithm of 1024 and 2048 bits.PGP (Pretty Good Privacy).A computer program that provides cryptographic privacy and authentication and often used to increase the security of email communications.</p><p>Encrypts data at the transport layer, and above for secure communication across the Internet.Uses RSA encryption and digital certificates.It is being largely replaced by TLS (Transport Layer Security).ECC (Elliptic Curve Cryptosystem).Uses points on an elliptical curve, in conjunction with logarithmic problems, for encryption and signatures.</p><p>A good choice for mobile devices, as it uses less processing power than other methods.El Gamal.Not based on prime number factoring.Uses the solving of discrete logarithm problems for encryption and digital signatures.RSA.Achieves strong encryption through the use of two large prime numbers.Factoring these numbers creates key sizes up to 4,096 bits.Diffie-Hellman.Used as a key exchange protocol in SSL and IPSec encryption.Can be vulnerable to man-in-the-middle attacks, if the use of digital signatures is waived.</p><p> CCNA Sec Page 7 </p></li><li><p>Hash.One-way mathematical algorithm that generates a specific fixed-length number (hash value).Used to provide data integrity and verify authentication.Sent along with the message to the recipient.If even a single bit of the data is changed during the transmission, the hash value will change.The result will be either a retransmission of the data or a complete shutdown of the session.Changeable filelds are not included in the hash calculation as the TTL field.When you download a large file, it may contain another file called MD5SUM or something similar, that will contains the correct fingerprints.</p><p>Hashing prevents the data from being changed accidentally, such as by a communication error.Data signing involves the creation of an MD5 message digest of the document.Then encrypted by the senders private key.Hash algorithms.MD5 (Message Digest algorithm).Created by Ronald Rivest.Produces a 128-bit hash value output, expressed as a 32-digit hexadecimal.Despite it's serious flaws, and the advancement of other hashes, MD5 is still used for file verification on downloads and, in many cases, to store passwords.</p><p>SHA-1 (Secure Hash Algorithm).Developed by the NSA (National Security Agency).Produces a 160-bit value.Corrected a flaw in the original SHA-0 algorithm.SHA-0 was also a 160-bit value.</p><p> CCNA Sec Page 8 </p></li><li><p>In late 2005, a serious flaws became apparent to SHA-1 &amp; so started to produce SHA-2.Although theoretically SHA-1 can be cracked, there havent been any proven cases of it.SHA-2.Holds four separate hash functions that produce outputs of 224, 256, 384, and 512 bits.Not widely used, although it was designed as a replacement for SHA-1.RIPEMD-160Collision attack. The attack against hashing algorithms.Collision occurs when 2 or more files create the same output, which is not supposed to happen.Tha hacker creates a second file that produces the same hash value output as the original, then he pass off the fake file as the original.</p><p>There are only so many combinations the hash can create given an input.MD5 will generate 2^128 possible combinations.Given a hash value for an input, you can duplicate it over time using the same hash and applying it to different inputs.</p><p>The hacker to get the password from a hash, he compares data inputs and the hash values they present until the hashes match.</p><p>Some people sat down and started running every word, phrase, and compilation of characters they could think of into a hash algorithm, and results were stored in the rainbow table for use later.</p><p>To protect against collision attacks and the use of rainbow tables, use salt.Salt.A collection of random bits that are used as a key in addition to the hashing algorithm.Used to protect against collision attacks and the use of rainbow tables.Coz the bits, and length are random, a good salt makes a collision attack very difficult to pull off.Every time a bit is added to the salt it adds a power of 2 to the complexity of the number of computation involved to derive the outcome.</p><p>Windows password hashes are not salted.SAM DB can be protected using the syskey.Windows login hashing.LM (LAN Manager) hash storage.A win NT encryption method (but weak).LM Authentication (DES) was used with Windows 95/98 machines.Has 6 different levels, 0 is the Win XP def...</p></li></ul>