• Shuffle
    Toggle On
    Toggle Off
  • Alphabetize
    Toggle On
    Toggle Off
  • Front First
    Toggle On
    Toggle Off
  • Both Sides
    Toggle On
    Toggle Off
  • Read
    Toggle On
    Toggle Off
Reading...
Front

Card Range To Study

through

image

Play button

image

Play button

image

Progress

1/94

Click to flip

Use LEFT and RIGHT arrow keys to navigate between flashcards;

Use UP and DOWN arrow keys to flip the card;

H to show hint;

A reads text to speech;

94 Cards in this Set

  • Front
  • Back
. Cryptography
Cryptography is the development and use of codes.
. Cryptanalysi
Cryptanalysis is all about the breaking of these code
cipher
cipher is an algorithm for performing encryption and decryption.
Polyalphabetic
It encrypts text
through the use of a series of different Caesar ciphers based on the letters of a particular
keyword.
Ciphertext
Ciphertext represents this text in an unreadable form, whereas decryption is the process of reversing this process.
The goal of encryption
The goal of encryption is to guarantee
the confidentiality of data so that only those who have authorization may read the original message.
Encryption at the session layer:
At the session layer, data is encrypted using a protocol such as Secure Socket Layer
(SSL) or Transport Layer Security (TLS).
Encryption at the network layer
IPSec
attempting to break an algorithm or encrypted ciphertext may use one of a variety
of attacks:
Chosen plain-text attack
■ Chosen ciphertext attack
■ Birthday attack
■ Meet-in-the-middle attack
■ Brute-force attack
■ Ciphertext-only attack
■ Known plain-text (the usual brute-force) attack
Good encryption algorithms have several benefits:
They are resistant to cryptographic attacks.
■ They support variable and long key lengths and scalability.
■ They create an avalanche effect.
■ They have no export or import restrictions.
Symmetric
1 key
Assymetric
2 keys
Classes of Encryption Algorithms
Symmetric encryption algorithms
Asymmetric encryption algorithms
Symmetric encryption algorithms
This class of algorithm employs the same key to
both encrypt and decrypt data.
Asymmetric encryption algorithms
This class of algorithm employs two separate
keys. One key is used to encrypt data, and the
other key is used to decrypt data.
Examples of symmetric encryption algorithms
DES,
3DES,
AES,
IDEA,
RC2/4/5/6,
Blowfish.
Symmetric key called
secret key
It uses key lengths ranging from 40 to 256 bits.
Popular Symmetric Algorithms
DES 56-bit keys
Triple Data Encryption Standard (3DES) 112-bit and 168-bit keys
AES 128-bit, 192-bit, and 256-bit keys
International Data Encryption Algorithm (IDEA) 128-bit keys
RC2 40-bit and 64-bit keys
RC4 1-bit to 256-bit keys
RC5 0-bit to 2040-bit keys
RC6 128-bit, 192-bit, and 256-bit keys
Blowfish 32-bit to 448-bit keys
Symmetric encryption cryptography uses a number of different techniques.
Block ciphers
■ Stream ciphers
■ Message Authentication Codes (MAC)
asymmetric algorithms, often called
often called public-key algorithms, use two different keys.
Examples of asymmetric encryption algorithms are
RSA, ElGamal, elliptic curves, and Diffie-Hellman.
Block Ciphers
Block ciphers use a fixed length or block size. Generally this is 128 bits, but they
can range in size. For instance, DES has a block size of 64 bits.
Here are some of the more common block ciphers:
DES and 3DES, running in Electronic Code Book (ECB) or Cipher Block Chaining
(CBC) mode
■ Skipjack
■ Blowfish
■ RSA
■ AES
■ IDEA
■ Secure and Fast Encryption Routine (SAFER)
Stream Ciphers
Stream ciphers use smaller units of plain text than what are used with block ciphers;
typically they work with bits.
are much faster and
generally do not increase the message size.
Here are some common stream ciphers:
RC4
■ DES and 3DES, running in output feedback (OFB) or cipher feedback (CFB) mode
■ Software Encryption Algorithm (SEAL)
DES uses two different types of ciphers to encrypt or decrypt more than 64 bits
Block ciphers
Stream ciphers
For block cipher mode, DES uses two standardized modes:
Electronic Code Book (ECB)
■ Cipher Block Chaining (CBC)
Cisco IP Security (IPsec) implementation currently uses
DES and Triple Data Encryption Standard (3DES) in CBC mode.
If it is necessary to encrypt or decrypt more than 64 bits of data, two common stream cipher modes may be used:
Cipher feedback (CFB)
Output feedback (OFB)
Considerations for Protecting the Security of DES-Encrypted Data
Change keys
Use a secure channel
Use CBC mode
Avoid weak keys
3DES encryption key
168 bits
The Rijndael Cipher
Keys with a length of 128, 192, or 256 bits may be used to encrypt blocks with a length of 128, 192, or 256 bits.
SEAL is bound by several restrictions:
IPsec must be supported by your Cisco router and the other peer.
■ The k9 subsystem must be supported by your Cisco router and the other peer.
■ Only Cisco equipment supports this feature.
The Rivest Ciphers
RC4 is considered a secure algorithm and as such is often used for file encryption. It is also used frequently to encrypt website traffic within the context of the SSL protocol.
Criteria for Selecting an Encryption Algorithm
Trust in the algorithm by the cryptographic community
Protection against brute-force attacks
The following symmetric encryption algorithms are considered trustworthy:
DES
■ 3DES
■ IDEA
■ RC4
■ AES
Components of Key Management
Key generation
■ Key verification
■ Key storage
■ Key exchange
■ Key revocation and destruction
weak key
A key is said to be weak when it shows regularities in encryption or poor encryption
only way to break a proven cryptographic system
with a bruteforce attack
more sensitive the data,
The more sensitive the data, and the longer the period required
for secrecy, the longer the key that must be used.
hash function
A hash function is a means of turning data into a relatively small number that then may act
as a digital fingerprint of the data. The algorithm that is used substitutes or transposes the data to create this unique fingerprint.
hash “collision”
A hash “collision” (sometimes called a “hash clash”) happens when two distinct
inputs entered into a hash function produce identical outputs.
Application of Hash Functions
The creation of a well-designed cryptographic hash involves a one-way operation in which no practical way exists to calculate a particular data input that will result in a desired hash value
A hash value, often called
called a “digest” or checksum
Two of the most widely used hash functions
MD5 and SHA-1
a cryptographic hash function is considered insecure:
A previously unseen message that matches a given digest
■ Two different messages having the same message digest, called a collision
most widely used message digest
SHA-1, MD5, and as RIPEMD-160
SHA-1 A hash such as this is defined as “secure” when it is computationally infeasible to
Find a message that corresponds to a given message digest
■ Find two different messages that produce the same message digest
SHA-1 digest bits long:
160 bit
MD5 digest bits long:
128 bits
SHA-1 of two weaknesses:
Weak file processing step
■ Certain math operations in the first 20 rounds have unexpected security issues
Digital Signatures
digital signatures may be used to authenticate an associated input.
Three algorithms generally make up a digital signature scheme:
The key generation algorithm, which is used to randomly produce the key pair (public/
private keys) used by the signer
■ The signing algorithm, which, upon input of a message and a signing key, produces a signature
■ The signature verifying algorithm, which, upon input of a message, a verifying key,
and a signature, is used to either accept or reject the signature
One of the more practical uses of a digital signature in today’s networks
authentication and integrity checking
How RSA Works
The public key in this pair can be known by anyone and can be distributed widely without issue to encrypt messages. After a message
has been encrypted with a specific public key, it may be decrypted only through the use of the matching private key
RSA Attack Vulnerabilities
Timing attack
Adaptive chosen ciphertext
attack
Branch prediction analysis(BPA)
attack
Asymmetric algorithms support two of the primary objectives
their main objectives are confidentiality and authentication.
Asymetric key length
512–4096 bits.
Asymetric Algorithms
RSA
■ Digital Signature Algorithm (DSA)
■ Diffie-Hellman (DH)
■ ElGamal
■ Elliptic Curve Cryptography (ECC)
RSA algorithm,
keys are generally 512 to 2048 bit
RSA is used for two main reasons:
To perform encryption to ensure the confidentiality of data
■ To generate digital signatures to provide authentication of data, nonrepudiation of data, or both
DH algorithm serves as the basis for many of our modern automatic key exchange
methods.
It is used within the Internet Key Exchange (IKE) protocol in IP Security (IPsec) virtual private networks (VPN)
Public Key Infrastructure (PKI), organizations can provide an underlying basis
such as encryption, authentication, and nonrepudiation.
a PKI, an organization can provide
authenticity, confidentiality, integrity, and nonrepudiation services
The following are two very important PKI terms
Certificate authority (CA)
Certificate
we see that five main areas constitute the PKI:
CAs to provide management of keys
■ PKI users (people, devices, servers)
■ Storage and protocols
■ Supporting organizational framework (practices) and user authentication through
Local Registration Authorities (LRA)
■ Supporting legal framework
This topology is often called a root CA. The initial attraction of this PKI topology is its simplicity; however, it also has a number of pitfalls:
It is difficult to scale this topology to a large environment.
■ This topology needs a strictly centralized administration.
■ There is a critical vulnerability in using a single signing private key. If it is stolen, the whole PKI falls apart, because the CA can no longer be trusted as a unique signer.
The hierarchical CA structure
significant increase in scalability and manageability
Cross-Certified CAs
This structure has a
number of flat, single-root CAs. Each of these CAs establishes a trust relationship horizontally by cross-certifying its own CA certificate
Understanding PKI Usage and Keys
The first public and private key pair is used only for encryption. In this combination, the public key encrypts, and the private key decrypts.
■ The second key pair is intended exclusively for signing. In this case, the private key signs, and the public key is used to verify the signature.
If the PKI that is employed requires two key pairs per entity, the user has two certificates as well.
An encryption certificate containing the user’s public key, which encrypts the data
■ A signature certificate containing the user’s public key, which verifies the user’s digital signature
Having an (Registration Authoroty) RA in place allows for the offloading of three main tasks:
Authentication of users when they enroll with the PKI
■ Key generation for users who cannot generate their own keys
■ Distribution of certificates after enrollment
Uses of X.509v3
Website authentication
To support S/MIME
In IPsec VPNs
To implement client certificates
PKCS #7:
extensively is S/MIME
PKCS #10:
The Certification Request Syntax Standard defines the syntax for how
certification requests will be made in a PKI.
Caveats of Using a PKI
A user certificate is
compromised (a private key is stolen)
The CA’s certificate is compromised (the private key is stolen)
The CA administrator’s process
Site-to-Site VPN Elements
Headend VPN device
VPN access device
Tunnel
Broadband service
IPsec offers the following
protections for VPN traffic:
Confidentiality
Integrity
Authentication
IPSec operate to what layer?
Layer 3
(IKE).
Internet Key Exchange (IKE).
IKE Modes
Main mode
Agressive mode
Quick mode
Main mode
Main mode involves three exchanges of information between the IPsec peers. One peer, called the initiator, sends one or more proposals to the other peer, called the responder.

Exchange #1: The responder selects a proposal it received from the initiator.
Exchange #2: Diffie-Hellman (DH) securely establishes a shared secret key over the unsecured medium.
Exchange #3: An Internet Security Association and Key Management Protocol (ISAKMP) session is established. This secure session is then used to negotiate an IPsec session.
Aggressive mode
Aggressive mode more quickly achieves the same results as main
mode, using only three packets.
Quick mode
Quick mode negotiates the parameters (that is, the SA) for the IPsec session. This negotiation occurs within the protection of an ISAKMP
session.
IPSec Protocols
Authentication Header (AH) protocol
Security Payload (ESP) protocol
AH and ESP can operate in one of two modes
transport mode or tunnel mode
Transport mode:
Transport mode uses a packet’s original IP header, as opposed to adding a tunnel header.

transport mode is frequently used for remoteaccess VPNs, where a PC running VPN client software connects to a VPN termination device at a headquarters location.
Tunnel mode
Tunnel mode, unlike transport mode, encapsulates an entire packet. As a result, the encapsulated packet has a new header (that is, an IPsec header). This new header has source and destination IP address information that reflects the two VPN
termination devices at different sites. Therefore, tunnel mode is frequently used in an IPsec site-to-site VPN.
Cisco router with an appropriate IOS offers the
following:
Voice and video-enabled VPN
IPsec stateful failover
Dynamic multipoint VPN
Integration of IPsec with MPLS
Cisco Easy VPN
consider the following prioritized list of objectives when creating your VPN design:
Providing secure connectivity
■ Meeting reliability, performance, and scalability requirements
■ Offering options for availability

The ability to authenticate VPN users
■ Implementing security features for traffic before and after it passes through the IPsec VPN tunnel
IPsec VPN Monitoring Commands
show crypto isakmp sa
show crypto ipsec sa
debug crypto isakmp
debug crypto isakmp
Shows detailed information about the IKE Phase 1
(ISAKMP) and IKE Phase 2 (IPsec) negotiations
show crypto isakmp sa
Shows all existing IKE Phase 1 (ISAKMP) security
associations
show crypto ipsec sa
Shows all existing IKE Phase 2 (IPsec) security
associations