Fundamentals of Cryptography and
VPN Technologies
© 2012 Cisco and/or its affiliates. All rights reserved.
1
Contents
This chapter introduces the concepts of cryptography and VPN
technologies. It covers the following topics:
• Need for VPN and VPN deployment models
• Encryption, hashing, and digital signatures and how they provide
confidentiality, integrity, and nonrepudiation
• Methods, algorithms, and purposes of symmetric encryption
• Use and purpose of hashes and digital signatures in providing integrity
and nonrepudiation
• Use and purpose of asymmetric encryption and Public Key Infrastructure
(PKI)
© 2012 Cisco and/or its affiliates. All rights reserved.
2
VPN Overview
• Historically, a VPN was an IP tunnel.
• Therefore, a generic routing encapsulation (GRE) tunnel is technically a
VPN, even though GRE does not encrypt.
• Today, the use of a VPN implies the use of encryption.
• With a VPN, the information from a private network is transported over a
public network, such as the Internet, to form a virtual network instead of
using a dedicated Layer 2 connection
© 2012 Cisco and/or its affiliates. All rights reserved.
3
Where VPNs Are Found
© 2012 Cisco and/or its affiliates. All rights reserved.
4
VPNs have many benefits
• Cost savings
• Scalability
• Compatibility with broadband technology
• Security
© 2012 Cisco and/or its affiliates. All rights reserved.
5
VPN Types
There are different types of commercially deployed VPNs.
VPN are classified according to the following criteria:
• Based on deployment mode: Site-to-site VPN and remote-access VPN
• Based on Open Systems Interconnection (OSI) layer: Layer 2 VPN
(legacy protocols such as Frame Relay or ATM, and Layer 2 MPLS VPN),
Layer 3 VPN (IPsec and MPLS Layer 3 VPN), and Layer 7 VPN (SSL
VPN)
• Based on underlying technology: IPsec VPN, SSL VPN, MPLS VPN,
other Layer 2 technologies such as Frame Relay or ATM, and hybrid
VPNs combining multiple technologies
© 2012 Cisco and/or its affiliates. All rights reserved.
6
Cisco VPN Solutions
© 2012 Cisco and/or its affiliates. All rights reserved.
7
Site-to-Site VPNs
© 2012 Cisco and/or its affiliates. All rights reserved.
8
Remote-Access VPNs
© 2012 Cisco and/or its affiliates. All rights reserved.
9
Examining Cryptographic Services
Cryptographic services are the foundation for many security
implementations.
The key services provided by cryptography are as follows:
• Confidentiality: The assurance that no one can read a particular piece of
data except the receivers explicitly intended.
• Integrity or data authentication: The assurance that data has not been
altered in transit, intentionally or unintentionally.
• Peer authentication: The assurance that the other entity is who he, she,
or it claims to be.
• Nonrepudiation: A proof of the integrity and origin of data. The sender
can’t repudiate that he or she is the person who sent the data.
• Key management: The generation, exchange, storage, safeguarding,
use, vetting, and replacement of keys.
© 2012 Cisco and/or its affiliates. All rights reserved.
10
Cryptology Overview
© 2012 Cisco and/or its affiliates. All rights reserved.
11
Cryptology Overview
• Cryptology is the science of making and breaking secret codes.
• Cryptology is broken into two separate disciplines: Cryptography is the
development and use of codes, and cryptanalysis is the breaking of
those codes.
• A symbiotic relationship exists between the two disciplines because
each makes the other one better.
• National security organizations employ members of both disciplines and
put them to work against each other.
© 2012 Cisco and/or its affiliates. All rights reserved.
12
The History of Cryptography
• The history of cryptography starts in diplomatic circles thousands of
years ago.
• Messengers from a king’s court would take encrypted messages to
other courts.
• Occasionally, other courts not involved in the communication would
attempt to steal any message sent to a kingdom they considered an
adversary.
• Encryption was first used to prevent this information theft.
© 2012 Cisco and/or its affiliates. All rights reserved.
13
Ciphers
• A cipher is an algorithm for performing encryption and decryption.
• It is a series of well-defined steps that you can follow as a procedure.
• Substitution ciphers simply substitute one letter for another.
© 2012 Cisco and/or its affiliates. All rights reserved.
14
Substitution Cipher
• The cipher attributed to Julius Caesar is a simple substitution cipher.
Every day has a different key, and that key is used to adjust the
alphabet accordingly.
• For example, if today’s key is five, an A is moved five spaces, resulting
in an encoded message using F instead; a B is a G, a C is an H, and so
forth.
• The next day the key might be eight, and the process begins again, so A
is now I, B is J, and so on.
© 2012 Cisco and/or its affiliates. All rights reserved.
15
The Vigenère Cipher
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
A
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
B
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
a
C
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
a
b
D
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
a
b
c
E
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
a
b
c
d
F
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
a
b
c
d
e
G
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
a
b
c
d
e
f
H
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
a
b
c
d
e
f
g
I
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
a
b
c
d
e
f
g
h
J
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
a
b
c
d
e
f
g
h
i
K
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
a
b
c
d
e
f
g
h
i
j
L
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
a
b
c
d
e
f
g
h
i
j
k
M
m
n
o
p
q
r
s
t
u
v
w
x
y
z
a
b
c
d
e
f
g
h
i
j
k
l
N
n
o
p
q
r
s
t
u
v
w
x
y
z
a
b
c
d
e
f
g
h
i
j
k
l
m
O
o
p
q
r
s
t
u
v
w
x
y
z
a
b
c
d
e
f
g
h
i
j
k
l
m
n
P
p
q
r
s
t
u
v
w
x
y
z
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
Q
q
r
s
t
u
v
w
x
y
z
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
R
r
s
t
u
v
w
x
y
z
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
S
s
t
u
v
w
x
y
z
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
T
t
u
v
w
x
y
z
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
U
u
v
w
x
y
z
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
V
v
w
x
y
z
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
W
w
x
y
z
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
X
Y
x
y
y
z
z
a
a
b
b
c
c
d
d
e
e
f
f
g
g
h
h
i
i
j
j
k
k
l
l
m
m
n
n
o
o
p
p
q
q
r
r
s
s
t
t
u
u
v
v
w
w
x
Z
z
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
© 2012 Cisco and/or its affiliates. All rights reserved.
16
Transposition Ciphers
1
Solve the ciphertext.
FKTTAW
LNESATAKTAN
AATCD
Ciphered text
2
Use a rail fence cipher and a key of 3.
3
The clear text message.
F...K...T...T...A...W.
.L.N.E.S.A.T.A.K.T.A.N
..A...A...T...C...D...
FLANK EAST
ATTACK AT DAWN
Clear text
© 2012 Cisco and/or its affiliates. All rights reserved.
17
One-Time Pad Cipher
© 2012 Cisco and/or its affiliates. All rights reserved.
18
Encryption Using One-Time Pad
© 2012 Cisco and/or its affiliates. All rights reserved.
19
Decryption Using One-Time Pad
© 2012 Cisco and/or its affiliates. All rights reserved.
20
Computer Version of a Substitution
Cipher
© 2012 Cisco and/or its affiliates. All rights reserved.
21
Block and Stream Ciphers
Algorithms can operate in two modes:
• Block mode: The algorithm can work on only fixed chunks of data.
• Stream mode: The algorithm can process data bit by bit.
Block ciphers transform a fixed-length block of plaintext into a block of
ciphertext.
Unlike block ciphers, stream ciphers operate on smaller units of plaintext,
typically bits
© 2012 Cisco and/or its affiliates. All rights reserved.
22
Block Cipher
The following are common block ciphers:
• DES and 3DES, running in either Electronic Code Book (ECB) mode or
Cipher Block Chaining (CBC) mode
• Advanced Encryption Standard (AES)
• International Data Encryption Algorithm (IDEA)
• Secure and Fast Encryption Routine (SAFER)
• Skipjack
• Blowfish
• Rivest-Shamir-Alderman (RSA)
© 2012 Cisco and/or its affiliates. All rights reserved.
23
DES ECB Mode Versus DES CBC Mode
© 2012 Cisco and/or its affiliates. All rights reserved.
24
Stream Ciphers
• In stream cipher mode, the cipher uses previous ciphertext and the
secret key to generate a pseudorandom stream of bits, which only the
secret key can generate
Common stream ciphers include the following:
• DES and 3DES, running in output feedback (OFB) or cipher feedback
(CFB) mode
• Rivest Cipher 4 (RC4)
• Software-optimized Encryption Algorithm (SEAL)
© 2012 Cisco and/or its affiliates. All rights reserved.
25