Some notes from Chapter 11. More to follow.
Cryptography is the science of hiding information.
Cryptography Through the Ages:
• Substitution Cipher: Substitutes one character for another according to a formula
• Vigenere Cipher: Encrypts text using different substitution ciphers that are determined by the plain text that is to be encrypted. Susceptible to frequency analysis.
• Transposition Ciphers: Transposes clear text according to a set of characters arranged in a rail.
• One-Time Pads: Cryptography using a random one-time key that performs OR operations. RC4 is one implementation of this general concept.
Encryption Process and Application at Different Layers: In encryption, an algorithm is applied to plain text according to a key. At different layers:
• Application: Encrypted email, secure storage, and messaging.
• Sessions: Secure sessions using SSL or TLS.
• Network: Encrypted packets using the IPSec security suite
Cryptanalysis Attacks:
• Chosen Plain Text: The attacker chooses plain text and observes the cipher text output.
• Chosen Cipher Text: The attacker chooses cipher text and observes what plain text it decrypts into.
• Birthday: Hash-focused brute-force attack.
• Meet-in-the-Middle: The attacker knows part of the plain text and the corresponding cipher text.
• Brute-Force: Every possible key combination is tried.
• Cipher Text-Only: Looks for patterns in collections of cipher text encrypted with the same algorithm and key.
• Known Plain Text: The attacker has some plain text and some cipher text and analyzes them for patterns.
Features of Good Encryption Algorithms:
• Resistant to attacks
• Support variable and long key lengths
• Create an avalanche effect in which small changes in plain text will result in radically different cipher text.
• No import or export restrictions.
Classes of Encryption Algorithms:
• Symmetric – Same key encrypts and decrypts
• Asymmetric – Public/Private key pair encrypts/decrypts
Popular Symmetric Encryption Algorithms:
• DES – 56 bit
• 3DES – 112 and 168 bit
• AES – 128, 192, and 256 bit
• RC2 – 40 and 64 bit
• RC4 – 1 to 256 bit
• RC5 – 0 to 2040 bit
• RC6 – 128, 192, and 256 bit
• IDEA – 128 bit
• Blowfish – 32 to 448 bit
Symmetric Encryption Techniques: Block, Stream, and Message Authentication Codes (MAC).
• DES and 3DES running ECB or CBC
• RSA (asymmetric)
• DES and 3DES running OFB or CFB
Block and Stream Operation: In a block cipher implementation, a fixed group of bits called a block is used statically for the transformation. DES uses two standardized modes for block ciphering: Electronic Code Book (ECB) and Cipher Block Chaining (CBC). ECB is considered insecure because it encrypts each block separately with the same key: two identical plain text blocks are transformed into two identical cipher text blocks. Therefore CBC, which scrambles each block bitwise with the previous cipher text block so that every block depends on the one before it, is considered more secure. Stream ciphers are similar in that they have two modes: Cipher Feedback (CFB), which is similar to CBC, and Output Feedback (OFB), which XORs a generated keystream with the plain text to produce the cipher text.
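As an added illustration (not from the chapter or any Cisco product), the following Python implements ECB and CBC modes over a small, labelled toy Feistel block cipher that stands in for DES: encrypting four identical plain text blocks gives one repeated cipher text block under ECB but four distinct blocks under CBC. The KEY, IV, PT values and the toy cipher are constructed assumptions for the demonstration.

```python
import hashlib
BLOCK = 8  # 64-bit blocks as in DES; the Feistel cipher below is a labelled toy, not DES
def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    # Round function: keyed hash of the right half, truncated to half a block
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel network: a bijection on 8-byte blocks, used as the block transform
    l, r = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r

def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r

def _blocks(data: bytes) -> list:
    assert len(data) % BLOCK == 0, "demo input must be block-aligned (no padding here)"
    return [data[i : i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    # ECB: every block encrypted independently with the same key, so equal blocks collide
    return b"".join(toy_encrypt_block(key, b) for b in _blocks(pt))

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    # CBC: each plain text block is XORed with the previous cipher text block (IV first)
    out, prev = [], iv
    for b in _blocks(pt):
        prev = toy_encrypt_block(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(toy_decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)

def distinct_blocks(data: bytes) -> int:
    return len(set(_blocks(data)))

# Constructed sample input: four identical 8-byte plain text blocks, zero IV
KEY, IV, PT = b"demo-key", b"\x00" * BLOCK, b"ATTACK!!" * 4
```

Calling distinct_blocks on ecb_encrypt(KEY, PT) returns 1 (the repeated block leaks through), while on cbc_encrypt(KEY, IV, PT) it returns 4.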
Increasing DES Security:
• Frequently change and securely exchange keys.
• Use CBC or OFB mode
• Avoid weak keys
3DES Encryption Process: In the 3DES encryption process, plain text is encrypted 3 different times with 3 different 56-bit keys.
AES: AES uses a Rijndael variable length block cipher to transform plain text multiple times. AES is younger, faster, and stronger than DES.
AES Availability on Cisco Products:
• PIX 6.3 and later
• ASA version 7.0 and later
• VPN 3000 Software 3.6 and later
• Cisco IOS Release 12.2(13)T and later
SEAL: SEAL has lower performance requirements, and the 160-bit symmetric encryption algorithm is available on IOS Release 12.3(7)T and later. However:
• Only Cisco routers, on both ends, running IPSec and the k9 subsystem, and IOS Release 12.3(7)T may run SEAL.
RC Algorithms:
• RC2: variable length replacement for DES. 40 to 64 bits.
• RC4: variable length stream cipher used in SSL. 1 to 256 bits.
• RC5: fast block cipher. 0 to 2040 bits.
• RC6: Similar to AES. 128, 192, and 256 bits.
Weak Keys: Keys are considered weak when they show regularities.
SSL VPNs: An SSL VPN utilizes symmetric encryption for bulk data encryption and asymmetric encryption for key exchange. The steps to establish a tunnel are:
• Client initiates outbound connection to gateway on port 443.
• Gateway responds with trusted digital signature and public key.
• Client generates the symmetric encryption key that will be used by both parties.
• Gateway’s public key is used to encrypt symmetric key.
• The symmetric key encrypts the SSL Tunnel.