Secure Communications

CSA

MARS

Firewall

VPN
IPS

CSA

VPN Iron Port CSA

Remote Branch CSA
CSA
CSA
CSA
CSA

Web Email Server

Server DNS

• Traffic between sites must be secure

• Measures must be taken to ensure it cannot be altered, forged, or
deciphered if intercepted
 Authentication
• An ATM Personal
Information Number (PIN) is
required for authentication.
• The PIN is a shared secret
between a bank account
holder and the financial
institution.
 Integrity

• An unbroken wax seal on an envelop ensures integrity.

• The unique unbroken seal ensures no one has read the
contents.
 Confidentiality

• Julius Caesar would

send encrypted
messages to his
generals in the
I O D Q N H D V W battlefield.
• Even if intercepted,
D W W D F N D W G D Z Q his enemies usually
could not read, let
alone decipher, the
messages.
 History
Scytale - (700 BC)

Vigenère table

German Enigma Machine

Jefferson encryption device

 Transposition Ciphers
1
FLANK EAST The clear text message would be
ATTACK AT DAWN encoded using a key of 3.
Clear Text

2
F...K...T...T...A...W.
.L.N.E.S.A.T.A.K.T.A.N Use a rail fence cipher and a
..A...A...T...C...D... key of 3.

3
FKTTAW The clear text message would
LNESATAKTAN
AATCD appear as follows.
Ciphered Text
 Substitution Ciphers
Caesar Cipher
1
FLANK EAST The clear text message would be
ATTACK AT DAWN encoded using a key of 3.
Clear text

Shift the top scroll

2 over by three
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z characters (key of
3), an A becomes
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
D, B becomes E,
and so on.

3
IODQN HDVW The clear text message would be
DWWDFN DW GDZQ encrypted as follows using a key of
3.
Cipherered text
 Cipher Wheel
1
FLANK EAST The clear text message would be
ATTACK AT DAWN encoded using a key of 3.
Clear text

2
Shifting the inner wheel by 3, then the
A becomes D, B becomes E, and so
on.

3
IODQN HDVW The clear text message would appear
DWWDFN DW GDZQ as follows using a key of 3.
Cipherered text
 Vigenѐre Table
  a b c d e f g h i j k l m n o p q r s t u v w x y z
A a b c d e f g h i j k l m n o p q r s t u v w x y z
B b c d e f g h i j k l m n o p q r s t u v w x y z a
C c d e f g h i j k l m n o p q r s t u v w x y z a b
D d e f g h i j k l m n o p q r s t u v w x y z a b c
E e f g h i j k l m n o p q r s t u v w x y z a b c d
F f g h i j k l m n o p q r s t u v w x y z a b c d e
G g h i j k l m n o p q r s t u v w x y z a b c d e f
H h i j k l m n o p q r s t u v w x y z a b c d e f g
I i j k l m n o p q r s t u v w x y z a b c d e f g h
J j k l m n o p q r s t u v w x y z a b c d e f g h i
K k l m n o p q r s t u v w x y z a b c d e f g h i j
L l m n o p q r s t u v w x y z a b c d e f g h i j k
M m n o p q r s t u v w x y z a b c d e f g h i j k l
N n o p q r s t u v w x y z a b c d e f g h i j k l m
O o p q r s t u v w x y z a b c d e f g h i j k l m n
P p q r s t u v w x y z a b c d e f g h i j k l m n o
Q q r s t u v w x y z a b c d e f g h i j k l m n o p
R r s t u v w x y z a b c d e f g h i j k l m n o p q
S s t u v w x y z a b c d e f g h i j k l m n o p q r
T t u v w x y z a b c d e f g h i j k l m n o p q r s
U u v w x y z a b c d e f g h i j k l m n o p q r s t
V v w x y z a b c d e f g h i j k l m n o p q r s t u
W w x y z a b c d e f g h i j k l m n o p q r s t u v
X x y z a b c d e f g h i j k l m n o p q r s t u v w
Y y z a b c d e f g h i j k l m n o p q r s t u v w x
Z z a b c d e f g h i j k l m n o p q r s t u v w x y
 Stream Ciphers
• Invented by the Norwegian Army Signal
Corps in 1950, the ETCRRM machine uses
the Vernam stream cipher method.
• It was used by the US and Russian
governments to exchange information.
• Plain text message is eXclusively OR'ed with
a key tape containing a random stream of
data of the same length to generate the
ciphertext.
• Once a message was enciphered the key
tape was destroyed.
• At the receiving end, the process was
reversed using an identical key tape to
decode the message.
 Defining Cryptanalysis

Allies decipher secret

NAZI encryption code!

Cryptanalysis is from the Greek words kryptós (hidden), and analýein (to
loosen or to untie). It is the practice and the study of determining the
meaning of encrypted information (cracking the code), without access to
the shared secret key.
 Cryptanalysis Methods
Brute Force Attack

Known Ciphertext

Successfully
Unencrypted
Key found

With a Brute Force attack, the attacker has some portion of ciphertext.
The attacker attempts to unencrypt the ciphertext with all possible keys.
 Meet-in-the-Middle Attack
Known Ciphertext Known Plaintext
Use every possible decryption Use every possible
key until a result is found encryption key until a result
matching the corresponding is found matching the
plaintext. corresponding ciphertext.

MATCH of
Ciphertext!
Key found

With a Meet-in-the-Middle attack, the attacker has some portion of text in

both plaintext and ciphertext. The attacker attempts to unencrypt the
ciphertext with all possible keys while at the same time encrypt the plaintext
with another set of possible keys until one match is found.
 Choosing a Cryptanalysis Method
The graph outlines the
1
frequency of letters in the
English language.
For example, the letters E, T
and A are the most popular.

There are 6 occurrences of the cipher letter D

and 4 occurrences of the cipher letter W.
Replace the cipher letter D first with popular
2
IODQN HDVW clear text letters including E, T, and finally A.
DWWDFN DW GDZQ
Trying A would reveal the shift pattern of 3.
Cipherered text
 Cryptographic Hashes, Protocols,
and Algorithm Examples
Integrity Authentication Confidentiality

DES
HMAC-MD5 3DES
MD5
HMAC-SHA-1 AES
SHA
RSA and DSA SEAL
RC (RC2, RC4, RC5, and RC6)

HASH HASH w/Key

NIST Rivest Encryption

 Hashing Basics
• Hashes are used for
integrity assurance.
• Hashes are based on Data of Arbitrary
Length
one-way functions.
• The hash function hashes
arbitrary data into a fixed-
length digest known as the
hash value, message digest,
digest, or fingerprint.

Fixed-Length
e883aa0b24c09f
Hash Value
 Hashing Properties

Arbitrary
length text
X
Why is x not in
Parens?

h = H (x)

Hash
Function (H)
Why is H in
Parens?

Hash h e883aa0b24c09f
Value
 Hashing in Action
• Vulnerable to man-in-the-middle attacks
– Hashing does not provide security to transmission.
• Well-known hash functions
– MD5 with 128-bit hashes I would like to
cash this check.
– SHA-1 with 160-bit hashes

Internet

Pay to Terry Smith Pay to Alex Jones

$100.00 $1000.00
One Hundred and xx/100
One Thousand and xx/100
Dollars Dollars
4ehIDx67NMop9 12ehqPx67NMoX

Match = No changes
No match = Alterations
 MD5
• MD5 is a ubiquitous hashing
algorithm
• Hashing properties
– One-way function—easy to compute
hash and infeasible to compute data
given a hash
MD5
– Complex sequence of simple binary
operations (XORs, rotations, etc.)
which finally produces a 128-bit
hash.
 SHA
• SHA is similar in design to the MD4 and MD5
family of hash functions
– Takes an input message of no more than 264 bits
– Produces a 160-bit message digest
• The algorithm is slightly slower than MD5. SHA
• SHA-1 is a revision that corrected an
unpublished flaw in the original SHA.
• SHA-224, SHA-256, SHA-384, and SHA-512 are
newer and more secure versions of SHA and are
collectively known as SHA-2.
 Hashing Example

In this example the clear text entered is displaying hashed results

using MD5, SHA-1, and SHA256. Notice the difference in key
lengths between the various algorithm. The longer the key, the
more secure the hash function.
 Features of HMAC
• Uses an additional secret
key as input to the hash Data of Arbitrary Secret
function Length + Key

• The secret key is known to

the sender and receiver
– Adds authentication to
integrity assurance
– Defeats man-in-the-middle
attacks Fixed Length
e883aa0b24c09f
• Based on existing hash Authenticated
Hash Value
functions, such as MD5 and
The same procedure is used for
SHA-1. generation and verification of secure
fingerprints
 HMAC Example

Data Received Data Secret Key

Pay to Terry Smith $100.00 Secret Pay to Terry Smith $100.00
One Hundred and xx/100 Dollars Key One Hundred and xx/100 Dollars

HMAC HMAC
(Authenticated 4ehIDx67NMop9 (Authenticated 4ehIDx67NMop9
Fingerprint) Fingerprint)

Pay to Terry Smith $100.00 If the generated HMAC matches the sent
One Hundred and xx/100 Dollars HMAC, then integrity and authenticity
have been verified.
4ehIDx67NMop9 If they don’t match, discard the
message.
 Using Hashing
Data Integrity Data Authenticity

e883aa0b24c09f
Fixed-Length Hash
Value

Entity Authentication

• Routers use hashing with secret keys

• Ipsec gateways and clients use hashing algorithms
• Software images downloaded from the website have checksums
• Sessions can be encrypted
 Symmetric Encryption
Pre-shared
Key key Key

Encrypt $!@#IQ
Decrypt
$1000 $1000

• Best known as shared-secret key algorithms

• The usual key length is 80 - 256 bits
• A sender and receiver must share a secret key
• Faster processing because they use simple mathematical operations.
• Examples include DES, 3DES, AES, IDEA, RC2/4/5/6, and Blowfish.
 Asymmetric Encryption
Two separate
keys which are
Encryption Key Decryption Key
not shared

Encrypt %3f7&4
Decrypt
$1000 $1000

• Also known as public key algorithms

• The usual key length is 512–4096 bits
• A sender and receiver do not share a secret key
• Relatively slow because they are based on difficult computational
algorithms
• Examples include RSA, ElGamal, elliptic curves, and DH.
 Asymmetric Example : Diffie-Hellman
Get Out Your Calculators?
 Symmetric Algorithms
Symmetric Key length
Encryption Description
Algorithm (in bits)

Designed at IBM during the 1970s and was the NIST standard until 1997.
Although considered outdated, DES remains widely in use.
DES 56
Designed to be implemented only in hardware, and is therefore extremely
slow in software.

Based on using DES three times which means that the input data is
3DES 112 and 168 encrypted three times and therefore considered much stronger than DES.
However, it is rather slow compared to some new block ciphers such as AES.
Fast in both software and hardware, is relatively easy to implement, and
AES 128, 192, and 256 requires little memory.
As a new encryption standard, it is currently being deployed on a large scale.

Software SEAL is an alternative algorithm to DES, 3DES, and AES.

Encryption 160 It uses a 160-bit encryption key and has a lower impact to the CPU when
Algorithm (SEAL) compared to other software-based algorithms.

RC2 (40 and 64) A set of symmetric-key encryption algorithms invented by Ron Rivest.
RC4 (1 to 256) RC1 was never published and RC3 was broken before ever being used.
The RC series RC5 (0 to 2040) RC4 is the world's most widely used stream cipher.
RC6 (128, 192, RC6, a 128-bit block cipher based heavily on RC5, was an AES finalist
and 256) developed in 1997.
Symmetric Encryption Techniques
Encr
y
Mes pted
blank blank 1100101 s ag e
01010010110010101 01010010110010101

64 bits 64bits 64bits

Block Cipher – encryption is completed

in 64 bit blocks

Encr
y
Mes pted
s ag e

0101010010101010100001001001001 0101010010101010100001001001001

Stream Cipher – encryption is one bit

at a time
 DES Scorecard
Description Data Encryption Standard

Timeline Standardized 1976

Type of Algorithm Symmetric

Key size (in bits) 56 bits

Speed Medium

Time to crack Days (6.4 days by the COPACABANA machine, a specialized

(Assuming a computer could try
cracking device)
255 keys per second)

Resource
Medium
Consumption
 3DES Scorecard
Description Triple Data Encryption Standard

Timeline Standardized 1977

Type of Algorithm Symmetric

Key size (in bits) 112 and 168 bits

Speed Low

Time to crack
(Assuming a computer could try 4.6 Billion years with current technology
255 keys per second)

Resource
Medium
Consumption
 Encryption Steps
The clear text from Alice is
encrypted using Key 1. That
ciphertext is decrypted using a
1 different key, Key 2. Finally
that ciphertext is encrypted
using another key, Key 3.

When the 3DES ciphered text is

2
received, the process is reversed.
That is, the ciphered text must
first be decrypted using Key 3,
encrypted using Key 2, and
finally decrypted using Key 1.
 AES Scorecard
Description Advanced Encryption Standard

Timeline Official Standard since 2001

Type of Algorithm Symmetric

Key size (in bits) 128, 192, and 256

Speed High

Time to crack
(Assuming a computer could try 149 Trillion years
255 keys per second)

Resource
Low
Consumption
 Advantages of AES

• The key is much stronger due to the key length

• AES runs faster than 3DES on comparable hardware
• AES is more efficient than DES and 3DES on comparable
hardware

The plain text is now

encrypted using 128
AES

An attempt at
deciphering the text
using a lowercase, and
incorrect key
 Asymmetric Key Characteristics

Encryption Decryption
Key Key
Plain Encryption Encrypted Decryption Plain
text text text

• Key length ranges from 512–4096 bits

• Key lengths greater than or equal to 1024 bits can be trusted
• Key lengths that are shorter than 1024 bits are considered
unreliable for most algorithms
 Public Key (Encrypt) + Private Key
(Decrypt) = Confidentiality
Computer A acquires
Computer B’s public key
Can I get your Public Key please? Bob’s Public Key
1
Here is my Public Key.

Bob’s Public Key

Computer A transmits Bob’s Private
2 4 Key
The encrypted message Encrypted Computer
Computer to Computer B Text
B
A
Encryption Encryption
Algorithm Algorithm

Encrypted 3 Computer B uses

Text
its private key to
Computer A uses Computer B’s decrypt and reveal
public key to encrypt a message the message
using an agreed-upon algorithm
 Private Key (Encrypt) + Public Key
(Decrypt) = Authentication
Bob uses the public key to
Alice encrypts a message successfully decrypt the message
with her private key and authenticate that the message
Alice’s Private
did, indeed, come from Alice.
1 Encrypted
Key
Text

Alice’s Public
Encryption
Alice transmits the 4 Key
Algorithm
encrypted message Encrypted
2 Text
to Bob
Encrypted
Computer Text
3 Computer
Encryption
Algorithm
A B
Alice’s Public Can I get your Public Key please?
Key Here is my Public Key

Bob needs to verify that the message

actually came from Alice. He requests
and acquires Alice’s public key
 What is a VPN?
Business Partner
with a Cisco Router
Mobile Worker
with a Cisco
VPN Client

CSA

VPN
Internet Firewall
SOHO with a Cisco
DSL Router Corporate Network
VPN

WAN

 Virtual: Information within a private network is transported

VPN over a public network.
Regional branch with  Private: The traffic is encrypted to keep the data confidential.
a VPN enabled
Cisco ISR router
 Layer 3 VPN
IPSec

VPN
IPSec
Internet
SOHO with a Cisco DSL
Router

• Generic routing encapsulation (GRE)

• Multiprotocol Label Switching (MPLS)
• IPSec
 Types of VPN Networks
Business Partner Remote-access
with a Cisco Router
VPNs
Mobile Worker
with a Cisco
VPN Client

CSA

MARS
VPN
SOHO with a Cisco Internet Firewall

DSL Router

Site-to-Site VPN
IPS
VPNs WAN

VPN
Iron Port CSA
Regional branch with CSA CSA CSACSA
a VPN enabled CSA
Cisco ISR router
Web Email
Server Server DNS
 Site-to-Site VPN
Business Partner
with a Cisco Router
Hosts send and receive normal
TCP/IP traffic through a VPN gateway

CSA

MARS
VP
N
SOHO with a Internet Firewall

Cisco DSL Router

Site-to-Site VPN
IP
VPNs WAN S

VPN
Iron Port CSA

Regional branch with CSA CSA CSACSA

a VPN enabled CSA
Cisco ISR router
Web Email
Server Server DNS
Remote-Access VPNs
Remote-access
VPNs
Mobile Worker
with a Cisco
VPN Client CSA

MARS

Internet Firewall

VPN
IPS

Iron Port CSA

CSA CSA CSA CSA

CSA

Web Email Server

Server DNS
 VPN Client Software

R1 R1-vpn-cluster.span.com

“R1”

In a remote-access VPN, each host

typically has Cisco VPN Client software
 Cisco IOS SSL VPN
• Provides remote-access
connectivity from any
Internet-enabled host
• Uses a web browser and SSL
encryption
• Delivers two modes of
access:
– Clientless
– Thin client
 Cisco VPN Product Family
Remote-Access
Product Choice Site-to-Site VPN
VPN

Cisco VPN-Enabled Router Secondary role Primary role

Cisco PIX 500 Series Security Appliances Secondary role Primary role

Cisco ASA 5500 Series Adaptive Security

Primary role Secondary role
Appliances

Cisco VPN
Primary role Secondary role
3000 Series Concentrators

Home Routers Primary role