Cisco CCIE Security 350-701 – Cryptography

1. What is Cryptography

The cryptography is a method or technique which is used for securing the communication. So in other words, we can say it’s an art of writing a message, a secret message which is known only to both the sender and the receiver now in the network. Securing the communication is important, especially when you are trying to connect to a remote head office and you’re trying to send some information or maybe you’re trying to access some devices remotely. Now there’s a possibility that an attacker sitting on the internet may try to capture your data. So we need to make sure that the information exchanged between these devices should be secure.

So the traffic between the sites must be secure and we need to take the measures to make sure that the data is not modified by anyone or forged or make sure that someone do not get the actual contents inside your information. Now to prevent that, we use some kind of cryptography mechanisms. So the cryptography mechanisms uses some kind of algorithms which provides a secure communication and protect from the data being stolen. So in Greek words, it’s like a secret writing. That’s what the word actually does. So mainly the cryptography involves a method of encrypting encryption and the decryptions.

Like you want to send some information, probably you are not going to send in a clear text. Instead we are going to send it in some code and technically we call it as cipher text. So we use some kind of algorithms where your plain text is converted into some cipher text. And then once the receiver receives that particular cipher text, he’s going to use some algorithms to get back the information in a clear text. Now there are different types of algorithms being used over the years probably.

So if you just want to understand a basic example of how this cryptography algorithms generally works. So let’s say this is a message, what you want to send, probably this message can be coded into some cipher text, something like this. And the algorithm is like it can be anything which is only known to source. And the receivers, like maybe based on this algorithm, like letter F will written as it actually refers to f refers to A, something like that. There are many other algorithms in general. Like you can also use a forward kind of thing. Like when you write D, it’s nothing but actual A. When you write E, it’s nothing but B. Or you can use some other cipher wheel kind of algorithms.

2. Goals of Cryptography

Now the next thing we’ll discuss about some of the main goals of implementing cryptography in our networks. Now, in order to provide some confidentiality data integrity, origin authentication and some nonrepudiation. The confidentiality means ensuring that no one can see the information by encrypting the data and only the authorized users can view the information, whether the data is on the rest stored in your database or maybe you implement some kind of VPN and the data is going over the Internet. We need to make sure that no one can see the information, so only be seen by both the source and the destinations. So it’s a method of protecting your data by using some kind of encryption and decryption algorithms. Integrity ensures that no one can modify information and if the modification is done, it is only done by the authorized individuals or the systems. So, to provide some integrity, again we use some kind of hashing algorithms which are used on both the ends to make sure that the data is not modified. So even if it is modified, it is not listed on the other end because the hashing codes will not match automatically if the data is modified.

Now, the other option is like date, origin authentication. Because when you’re establishing a connectivity between the two sides, let’s say you’re committing some kind of VPN, we need to make sure that the attacker may actually spoof pertaining to be this user. Let’s say the IP address is 250 zero two. Now, the attacker can spoof as if he’s 250 zero two. So the main goal of the cryptography here is to make sure that the both the feeds are actually authenticated, either by using some some kind of preshade keys or using some kind of signatures.

So we need to make sure that when we establish the connectivity between router to router, or maybe from the PC you are trying to connect to some server, you’re actually connecting to the valid source. It’s not an attacker. The other thing, like non repudiation. Non repudiation means assurance that someone cannot deny something. It is just like you do some kind of transaction, maybe you do some kind of online banking and you cannot actually deny that you did not do these transactions because the bank people, they have the details of the login and you’re actually authorized and they maintain some kind of digital signatures. Probably that is like a proof that you did the transactions. Now the nonrepudiation means the term, right? Repudiate means actually deny.

3. Hashing-How it Works

Now the next thing we’ll try to understand what is exactly hashing. Hashing algorithms are used for providing data integrity. Now, data integrity means ensuring that no one modifies your information. So the hashing works something like this. Let’s say, let’s say you have a sender, is sending some kind of data and hash algorithms is applied to the data and then generate some kind of code or the hash value. And this hash value is actually sent to the receiver along with the data. Now once the receiver receives the data with hash value and based on the data, it’s going to run the algorithm again, the same algorithm on the other side and try to generate the hash value and it’s going to match that hash value which comes along with the data and ensures that both the hash values are same.

So once it compares both hash values, if it is same, if it extracts the same code, it is like a confirmation that the data is not modified by anyone. So if something is modified, then automatically the hash values do not match. So these hash values are irreversible. It’s like one way functions. So it’s not like encryption where you encrypt and decrypt another side. It’s a one way functions generally commonly referred with the names called message digest values or the fingerprint. Or we can say hash values. Like here I got one example to understand and hashing. Let’s assume this is our text or the data, what we generally want to send. Now depending upon the type of the algorithm we use, the most commonly used hashing algorithms are like MD files, Shaw, Shantu.

Now depending upon the number of bits we use, the larger the hack size value is, it is more resistance to attacks. So in simple words, we can say security strength is actually based on the type of algorithm we are using. Like Asha is more secure than MD five and also is on the hash length used. The more bits hash value we use, the more secure.

4. Hashing with HMAC

Now the regular hashing, what we discussed earlier is good for the data when it is stored. But when the data is in the transit, the regular hashing will not provide you something like data integrity or authenticity, because it is more vulnerable to man in the middle attacks. So where attacker can actually modify the hash values, actually data in general. So, to prevent us, we have a solution like key HMAC. So key HMAC uses the same hashing algorithms here also like Shah One or MD five, but only the input changes means we use the same data and we use some hash function.

And this hash function is combined with some keys. So we call it as a secret key, because this key is only known to the sender and the receiver. So this will add authentication to the integrity assurance. Because let’s say if an attacker, even if he captures your data and if it tries to modify, he cannot match the actual hash value unless he has the key. And this key is actually exchanged or unknown between these two parties. And in terms of VPNs like, we’ll be talking about something like defiant algorithms, which are used for securely exchanging the keys between both sides.

So if the key is unknown, probably you cannot match the hash value. So this is, with this solution, actually, we defeat the man in the middle attacks because the attacker in the middle, even though he captures your content, he cannot modify the contents, because if it is modified, then probably the hash value will not match and it will be dropped.

But just to understand this HMAC, I got one basic example. Like, let’s say I’m doing some transaction of $100 and it’s going to generate the hash value. Hash value is not only carries the data, it also based on the key and generate the hash code. And this code is sent along with the data. So this is your data and then the hash value. Now, once the receiver receives, probably he’s going to extract the data, get the data, and then he’s going to run the same hash algorithm along with the key to generate the hash value. And the hash value must match on both the sides. So even if the attacker in the, in the transit, if he captures the data, he cannot modify because he don’t know the keys.

5. What is Encryption – Decryption

Now, encryption and decryption algorithms are commonly used to provide data confidentiality data confidentiality means ensuring that no one can see your contents. So encryption is something done on the sender side. The sender when he says when he wants to send some information on the data, let’s say, which is in a clear text, converts into some cipher text, which is like unreadable format by using some algorithms with some keys. And when the data is sent over the network in the transit and it will go in the form of a cipher text or undoable text. And when the receiver receives actually receive the data in an undoable format, uses the same keys or the same algorithms, convert it back into the plain text. So this really shows that no one see the content because the sender and receiver uses some keys which are only known between these two receiver between these two parties.

6. Encryption Algorithms – Symmetric vs Assymetric

Now there are two types of encryption algorithms can be used like symmetric algorithms, symmetric encryption algorithms or asymmetric encryption algorithms. Now, the major difference between these two is when the sender and the receiver will be using the same key for encryption and the decryptions. Like the sender is, let’s say the sender is going to convert the clear text into unedable format by using some key, let’s say key one. And probably when the receiver receives that encrypted text, he is going to use the same key to decrypt the information. So the same key is used by both the sender and the receivers, which means these two will have a common key and the same key is used for both. So this kind of algorithms we call asymmetric encryption algorithms and they are a little bit easy to perform on the hardware, whether it is on the router or any device.

On both the sender and receivers, typically the length will be in between 56 bit to 512 bits. But whereas a symmetric algorithm means a different keys are used for encryption and decryptions. So which means the sender, when he’s sending a text or converting into a cipher text, let’s say, uses some key. Like the public key, public key is used for encrypting and the recipient, when he receives the cipher text, he is going to convert back into a clear text using some kind of private keys.

So there is a specific key pair which is like a unique key pair used. Probably two different case are used, private and public keys. So I’ll just explain you the process, how exactly it goes. So the asymmetric algorithm is a matter where different cases are used for encryption and decryptions more complex to perform specifically on the hardware because it utilizes more CPU resources. Typically the bit length will be very high. So let’s see how exactly the encryption algorithm works. The basic process, let’s say the sender is sending some information, communicating with a recipient.

The sender is going to convert his plain text into a cipher text by using some keys. Like I said, he’ll be using some public keys. Now this public key is actually the public key of the recipient. So initially the process is like the recipient is going to exchange his public key with a sender and probably whenever the sender is sending the information to this recipient, he’s going to send back or encrypt the data by using a public key which is known by the budget sender. So just like the sender will use a recipient public key, this is the recipient public key and send the cipher text. And once the receiver or the recipient receives, he’s going to use the unique combination of this public key, the private key which is not shared and it is known only to the recipient.

And he’s going to use this, a private key, which is a unique combination, to convert the text back into the plain text. So it is something like if it’s something like only the owner of the key can only decrypt the data and the owner only will have the private key. And to everyone who is actually trying to send information to this owner, he’s going to share his public key. So that’s how the algorithm works. Like the combination of the private and the public key is actually a unique vice versa. There is nothing like two private keys matches the same public key. So there’s nothing like that. Now there are some examples here like some of the commonly used symmetric algorithms which uses the same case like Desk, Triple, des and AES. And some of the less commonly used are like Seal, Idea Blowfish and Serpents. And the symmetric algorithms are more commonly be used in most of the VPN concepts where we try to implement some virtual private networks with IPsec protocols and also can be used for securing the folders hard drives or the application containers. So asymmetric algorithms are more commonly like advanced algorithms like the use cases, they can also will be used in the key establishment IP six SSL, VPNs.

7. Cryptanalysis – Attacks

Now crypt analysis is a study or end the practice which is done by the attacker to extract the code, to extract the actual contents of the encrypted information. Like in the previous sections we discussed about some cryptography. Using cryptography we are going to secure the communication between the two devices. Probably what attacker will do is attacker will try to capture that particular code or the encrypted data and then probably trying to figure out the clear text by using some different types of attacks. And this study, this concept typically we call as tip analysis. So it’s like the attacker using some attacks to crack the code without actually having the keys.

So there are different methods which attacker can use to do these things like there are brute force attacks, the different attacks. In the brute force attacks attacker will have some portion of the cipher text and he will try to run all the kind of depression decryption keys again as a particular cipher text and try to extract the clear text information. Of course it is not going to be easy if you are using a stronger with a more bits encryption algorithms probably but if you’re using some kind of lesser encryption algorithms like Des, it can be cracked fast enough with the current processing powers. Now some of the options attacker can use is known plain text. Now in the known plain text the attacker has some portion of a text, some portion of both a plain text and the cipher text.

Probably he captures some portion of the plain text and the cipher text with some manual attacks and the attacker will try to use some kind of attacker. What he’ll do is he’ll try to encrypt this plain text by using some algorithms and then probably try some keys to get back this information to clear text and compare the combinations or probably match any one of these things.

So we’ll try to use all the combinations until the match exactly form. Now some other options like a cipher text only. In cipher text only the attacker captures some part of the cipher text packets encrypted with the same key and then he will use some analysis in order to find out what might be the possible encryption key. Choose in plain text, the attacker chooses different types of plain text and do some kind of encryption and then he’s going to observe the cipher text and try to match with the cipher text what he captured and then probably find out the encryption key again.

Close in plain text it is more similar to the previous one where attacker chooses some different types of cipher text and he will convert into decrypt that and then observe the cipher text and tries to identify the encryption keys. The last one is like birthday attack birthday is just like you may have some two different messages, may get the same digest value probably possibilities there it’s so just like you know, this attack is more like a group of 23. People may have the same birthday, which is something around probably about 50%.

8. Asymmetric Encryption – Drawbacks

Now the next thing we will see something about asymmetric key encryption drawbacks. Like we discuss. Some encryption algorithms can be either symmetric or asymmetric. In asymmetric, probably two different keys are used. One key for encryption, other for decryption. So if I just quickly revise the basic process of asymmetric key. Let’s say Alice and the Bob are trying to communicate with each other. The Bob is going to exchange his public key with LS.

The person want LS when he is sending the information, he is going to use the public key which is sent by Bob, and then encrypt the information and send it over the network. And the Bob receives the encrypted information and then uses his private key, which is the combination of this public key which he has sent to decrypt your information. So now the owner who is having the key, only he will be able to decrypt that particular data, which provides a secure, secure communication. Like only owner of the key can decrypt the data.

But one of the possible drawback with this method is like there is a possibility that the main problem is the trust level of the public key exchange. Which means, what if there is an attacker who is trying to spoof as if he’s Bob and trying to communicate with Alice, the first person probably. And then he sends his own public key and Alice is going to think that he’s using the public key of the Bob and send down the information after encrypting.

And probably the communication can go between the attacker and the LS instead of the actual Bob. So this is one of the drawback with the asymmetric algorithms where the attacker in the middle can actually send his own public key and spoof to be the source because the process is actually not authenticated. To fix this, we have some more better way. There is something called public key infrastructure which is used to fix these topics.

9. Public Key Infrastructure – PKI

Now, the next thing, we’ll try to understand something about digital certificates and public key infrastructure. Now, digital certificates are electronic documents which are used to verify the owner of the public key. Like, if you remember, in the previous case, in the previous video, we discussed that the Asymmetric algorithms, generally how they work, the Bob is going to exchange his public key, probably. And based on that, the LS is going to encrypt with a Bob public key.

But the problem with the Asymmetric algorithm is the attacker can actually spoof as if he’s a Bob and he can send his own public key for encryption. So to prevent this, to prevent this kind of Asymmetric algorithm attacks, probably we can use something called digital certificates. Now, digital certificates are nothing but the electronic documents which are used to verify the owner’s ownership of that public key, which means when the Bob is issuing the public key or sharing the public key with the first user, probably that particular public key is actually signed or verified.

The ownership, like it has the public keyed by so and so user belongs to whom. It’s something like verified. And technically, we can call them as something like digital certificates or identity certificates or signatures. And this framework of using these digital certificates we call as PKI public Infrastructure.

Public infrastructure is nothing, but the entire process is referred as public infrastructure, where the digital certificates are mapped with the public keys. So, which means when the Bob is using sharing his public key, it is actually mapped with the digital certificate. And then this public infrastructure is also responsible for storing these certificates in the centralized database and revoking them if required. Now, PKI includes three different options. Like there is something called Certificate authority.

Now, certified authority is nothing but a trusted third party, thirdparty software’s or thirdparty tools who will verify and issue these public keys. So which means when the Bob is exchanging his public key, probably he is going to ensure that his ownership is verified by CA is like a trusted party, which is trusted party of both, and they actually associate the public keys or issue the public keys with certificates.

Certificates are like verifications, verifying the ownership of that particular certificate. So typically, if you want to use this PKI infrastructure, probably you need to associate with the CF and additional certificates. Already I discussed that it’s an electronic document which is attached with a public key, which defines the ownership of the public key. So this way, if the attacker is actually spoofing as if he’s a bug, probably according to CA, he’s not above. So probably that key is not at all used by the other user.