CCNA Security 1.1 Instructional Resource

Transcription

CCNA Security 1.1 Instructional Resource
CCNA Security 1.1
Instructional Resource
Chapter 7 – Cryptographic Systems
© 2012 Cisco and/or its affiliates. All rights reserved.
1
• Explain how cryptology consists of cryptography (encoding messages)
and cryptanalysis (decoding messages) and how these concepts apply
to modern day cryptography.
• Explain how securing communications by various cryptographic
methods, including encryption, hashing and digital signatures, ensures
confidentiality, integrity, authentication and non-repudiation.
• Describe the use and purpose of hashes and digital signatures in
providing authentication and integrity.
• Explain how authentication is ensured.
• Explain how integrity is ensured.
• Explain how data confidentiality is ensured using symmetric encryption
algorithms and pre-shared keys.
• Explain how data confidentiality is ensured using asymmetric algorithms
in a public key infrastructure to provide and guarantee digital certificates.
© 2012 Cisco and/or its affiliates. All rights reserved.
2
9.0 Implement VPN Technologies
9.1 Describe the different methods used in cryptology
9.1.1 symmetric
9.1.2 asymmetric
9.1.3 HMAC
9.1.4 message digest
9.1.5 PKI
© 2012 Cisco and/or its affiliates. All rights reserved.
3
• Secure communication requires integrity, authentication, and
confidentiality.
• Cryptographic services consists of cryptology and cryptanalysis.
• Integrity and authenticity is provided by using cryptographic
hashes
• Integrity is accomplished using MD-5 and SHA-1.
• Authenticity is accomplished using HMAC.
• Confidentiality is accomplished using encryption algorithms such
as DES, 3DES, and AES.
• Public key cryptography is used mostly in asymmetric encryption
using digital signatures and certificate authorities.
© 2012 Cisco and/or its affiliates. All rights reserved.
4
• Chapter 7 Lab A: Exploring Encryption Methods
Part 1: Optional) Build the Network and Configure the PCs
Part 2: Decipher a Pre-encrypted Message Using the Vigenère Cipher
Part 3: Create a Vigenère Cipher Encrypted Message and Decrypt It
Part 4: Use Steganography to Embed a Secret Message in a Graphic
© 2012 Cisco and/or its affiliates. All rights reserved.
5
Cryptology
The science of making and breaking secret codes.
Cryptography
The practice and the study of hiding information.
Cryptanalysis
The practice and study of determining the meaning of
encrypted information (cracking the code), without access to
the shared secret key.
Vigenère Cipher
Cryptography method that encrypts text by using a different
polyalphabetic key shift for every plaintext letter. The different
key shift is identified using a shared key between sender and
receiver. The plaintext message can be encrypted and
decrypted using the Vigenere Cipher Table.
Cryptographic Hashing
Function designed to verify and ensure data integrity and can
also be used to verify authentication.
MD5
Message Digest 5 is a one-way hashing algorithm that was
developed by Ron Rivest and is used in a variety of Internet
applications today.
SHA
Secure Hash Algorithm (SHA) was developed by the U.S.
National Institute of Standards and Technology (NIST) that is
similar to MD5 but is more secure.
© 2012 Cisco and/or its affiliates. All rights reserved.
6
HMAC
A keyed-hash message authentication code (HMAC or
KHMAC) is a type of message authentication code (MAC) that
combines a cryptographic hash function (MD5 or SHA) with a
secret key.
Symmetric encryption
Algorithms use the same key, sometimes called a secret key,
to encrypt and decrypt data. The key must be pre-shared.
Asymmetric encryption
Algorithms use different keys to encrypt and decrypt data
enabling secure messages to be exchanged without having to
have a pre-shared key.
DES
Data Encryption Standard (DES) is a symmetric encryption
algorithm designed by IBM and no longer considered very
secure.
3DES
Triple DES is a symmetric encryption algorithm that encrypts
data three times and is therefore considered much stronger
than DES.
AES
Advanced Encryption Standard released by the U.S. National
Institute of Standards and Technology (NIST) that is stronger
and more efficient than 3DES.
SEAL
The Software-optimized Encryption Algorithm (SEAL) is a
stream cipher that encrypts data continuously and is faster
than DES, 3DES and AES.
© 2012 Cisco and/or its affiliates. All rights reserved.
7
Diffie-Hellman Key Exchange
Is a mathematical algorithm used to securely exchange the
keys that encrypt data, without having communicated before.
Digital signatures
Enables entity authentication and data integrity.
Nonrepudiation
The sending / signing party cannot repudiate (deny) that it has
sent / signed the data.
RSA
A very popular asymmetric public-key algorithm developed by
Ron Rivest, Adi Shamir, and Len Adleman and is based on a
public key and a secret private key. It is mainly used to ensure
confidentiality of data by performing encryption, and to perform
authentication of data or nonrepudiation of data, or both, by
generating digital signatures.
DSA
Digital Signature Algorithm (DSA) asymmetric algorithm used
to perform digital signing.
PKI
Public Key Infrastructure is a framework that consists of the
hardware, software, people, policies, and procedures needed
to create, manage, store, distribute, and revoke digital
certificates.
CA
Certificate authority is a trusted third-party entity that issues /
signs certificates. Every CA also has a certificate containing its
public key, signed by itself which is called a CA certificate or a
self-signed CA certificate.
© 2012 Cisco and/or its affiliates. All rights reserved.
8
PKIX
Workgroup formed by the IETF to create PKI standards.
X.509
Standard developed by PKIX which details common formats
and PKI related protocols to be used by different PKI vendors.
PKCS
Public-Key Cryptography Standards (PKCS) published by
RSA Laboratories that provides basic interoperability of
applications that use public-key cryptography.
© 2012 Cisco and/or its affiliates. All rights reserved.
9
• There is very little change from the previous version.
© 2012 Cisco and/or its affiliates. All rights reserved.
10
• Chapter 7 is mostly theory based and its goal is to introduce
students to cryptographic systems used to secure data in
networks.
• The lab is designed to introduce students to the Vigenère cipher
and the use of steganography.
• An alternative would be to use the Terms and Acronyms table with
only the first column listing the terms and acronyms and then
have students add the descriptions to each.
© 2012 Cisco and/or its affiliates. All rights reserved.
11
• Have the students research other encryption methods and write a
short one paragraph describing it.
Example of other ciphers include: ADFGVX, Affine, Alberti, Atbash, Autokey,
Bifid, Book, Caesar, Dvorak, Four-square, Great, Hill, Keyword, Nihilist, Onetime pad, Permutation, Pigpen, Playfair, Polyalphabetic, Polybius, Rail Fence,
Reihenschieber, Reservehandverfahren, ROT13, Running key, Scytale, Smithy
code, Solitaire, Straddling checkerboard, Substitution, Tap code, Transposition,
Trifid, Two-square, and VIC cipher.
Groups students in pairs and have them encrypt and then decrypt each others
message using first the Caesar cipher and then the Vigenère cipher.
© 2012 Cisco and/or its affiliates. All rights reserved.
12
• To explain symmetric encryption, assume Alice and Bob
exchange messages on a regular basis.
Alice first puts the secret message in a box, and locks the box using a padlock
to which she has a key.
She then sends the box to Bob through regular mail.
When Bob receives the box, he uses an identical copy of Alice's key (which he
has somehow obtained previously, maybe by a face-to-face meeting) to open
the box, and reads the message.
Bob can then use the same padlock to send his secret reply.
The advantage of asymmetric encryption is that Alice and Bob never need to
send a copy of their keys to each other.
© 2012 Cisco and/or its affiliates. All rights reserved.
13
• To explain asymmetric encryption, assume Alice and Bob
exchange messages on a regular basis.
Bob and Alice have separate padlocks.
First, Alice asks Bob to send his open padlock to her through regular mail,
keeping his key to himself.
When Alice receives it she uses it to lock a box containing her message, and
sends the locked box to Bob.
Bob can then unlock the box with his key and reads the message from Alice.
To reply, Bob must similarly get Alice's open padlock to lock the box before
sending it back to her.
© 2012 Cisco and/or its affiliates. All rights reserved.
14
• To explain public-key encryption use the analogy of a locked
mailbox with a mail slot.
The mail slot is exposed and accessible to the public; its location (the street
address) is in essence the public key.
Anyone knowing the street address can go to the door and drop a written
message through the slot; however, only the person who possesses the key
can open the mailbox and read the message
© 2012 Cisco and/or its affiliates. All rights reserved.
15
• To explain digital signatures, an analogy is the sealing of an
envelope with a personal wax seal.
The message can be opened by anyone, but the presence of the seal
authenticates the sender.
© 2012 Cisco and/or its affiliates. All rights reserved.
16
• To explain PKI, we could use someone coming in from an
international flight and going through customs and immigration.
The arriving passenger cannot simply verbally claims to be John Doe.
The customs office doesn't know the person he has no way of knowing
whether he is trustworthy.
Instead, the customs officer relies on a trusted third party in the form of a
government passport issuing office.
The passport office goes through the process of confirming a person's identity
before issuing a passport.
The passenger then uses this passport to confirm to the customs officer that
they are who they say they are.
Because the person has a passport, and the customs officer trusts the
passport office the person is permitted into the country.
© 2012 Cisco and/or its affiliates. All rights reserved.
17
• There are many areas of classroom discussion in this chapter.
Discussion can include and are not limited to the following:
Is there such a thing as an unbreakable encryption algorithm.
Do you record your passwords somewhere? How do you keep them safe?
© 2012 Cisco and/or its affiliates. All rights reserved.
18
• There are many movies that include cryptography in them. Have
students research some of these movies.
Examples of movies with encryption in them include National Treasure,
DaVinci Code, Angels and Demons, A Beautiful Mind, Clear and Present
Danger, Runaway Jury, Live Free or Die Hard, U-571, Sneakers, Swordfish,
Windtalkers, The Mummy, …
Examples of TV shows with encryption in them include: 24, Criminal Minds,
NCIS, The X Files, Star Trek, Stargate, Alias, …
© 2012 Cisco and/or its affiliates. All rights reserved.
19
• http://en.wikipedia.org/wiki/Cryptography
• http://en.wikipedia.org/wiki/Encryption
• http://www.rsa.com/
• http://datatracker.ietf.org/wg/pkix/charter/
• http://datatracker.ietf.org/wg/pkix/
• http://www.nist.gov/computer-security-portal.cfm
© 2012 Cisco and/or its affiliates. All rights reserved.
20
© 2011 Cisco and/or its affiliates. All rights reserved.
21