
Lecture CCNA security partner - Chapter 12: Fundamentals of Cryptography and VPN Technologies


Fundamentals of Cryptography and
VPN Technologies

© 2012 Cisco and/or its affiliates. All rights reserved.

1


Contents
This chapter introduces the concepts of cryptography and VPN
technologies. It covers the following topics:
• Need for VPN and VPN deployment models
• Encryption, hashing, and digital signatures and how they provide
confidentiality, integrity, and nonrepudiation
• Methods, algorithms, and purposes of symmetric encryption
• Use and purpose of hashes and digital signatures in providing integrity
and nonrepudiation
• Use and purpose of asymmetric encryption and Public Key Infrastructure
(PKI)



VPN Overview
• Historically, a VPN was an IP tunnel.
• Therefore, a generic routing encapsulation (GRE) tunnel is technically a VPN, even though GRE does not encrypt.
• Today, the use of a VPN implies the use of encryption.
• With a VPN, the information from a private network is transported over a public network, such as the Internet, to form a virtual network instead of using a dedicated Layer 2 connection.



Where VPNs Are Found



VPNs have many benefits
• Cost savings
• Scalability
• Compatibility with broadband technology
• Security



VPN Types
There are different types of commercially deployed VPNs.

VPNs are classified according to the following criteria:
• Based on deployment mode: Site-to-site VPN and remote-access VPN
• Based on Open Systems Interconnection (OSI) layer: Layer 2 VPN (legacy protocols such as Frame Relay or ATM, and Layer 2 MPLS VPN), Layer 3 VPN (IPsec and MPLS Layer 3 VPN), and Layer 7 VPN (SSL VPN)
• Based on underlying technology: IPsec VPN, SSL VPN, MPLS VPN, other Layer 2 technologies such as Frame Relay or ATM, and hybrid VPNs combining multiple technologies



Cisco VPN Solutions



Site-to-Site VPNs



Remote-Access VPNs




Examining Cryptographic Services
Cryptographic services are the foundation for many security
implementations.
The key services provided by cryptography are as follows:
• Confidentiality: The assurance that no one can read a particular piece of data except the explicitly intended receivers.
• Integrity or data authentication: The assurance that data has not been
altered in transit, intentionally or unintentionally.
• Peer authentication: The assurance that the other entity is who he, she,
or it claims to be.
• Nonrepudiation: A proof of the integrity and origin of data. The sender
can’t repudiate that he or she is the person who sent the data.
• Key management: The generation, exchange, storage, safeguarding,
use, vetting, and replacement of keys.



Cryptology Overview



Cryptology Overview
• Cryptology is the science of making and breaking secret codes.
• Cryptology is broken into two separate disciplines: cryptography is the development and use of codes, and cryptanalysis is the breaking of those codes.
• A symbiotic relationship exists between the two disciplines because each makes the other one better.
• National security organizations employ members of both disciplines and put them to work against each other.



The History of Cryptography
• The history of cryptography starts in diplomatic circles thousands of years ago.
• Messengers from a king’s court would take encrypted messages to other courts.
• Occasionally, other courts not involved in the communication would attempt to steal any message sent to a kingdom they considered an adversary.
• Encryption was first used to prevent this information theft.



Ciphers

• A cipher is an algorithm for performing encryption and decryption.
• It is a series of well-defined steps that you can follow as a procedure.
• Substitution ciphers simply substitute one letter for another.



Substitution Cipher
• The cipher attributed to Julius Caesar is a simple substitution cipher. Every day has a different key, and that key is used to adjust the alphabet accordingly.
• For example, if today’s key is five, an A is moved five spaces, resulting in an encoded message using F instead; a B is a G, a C is an H, and so forth.
• The next day the key might be eight, and the process begins again, so A is now I, B is J, and so on.



The Vigenère Cipher
Vigenère table (tabula recta): the key letter selects the row, the plaintext letter selects the column, and the letter at the intersection is the ciphertext letter.

      a b c d e f g h i j k l m n o p q r s t u v w x y z
  A   a b c d e f g h i j k l m n o p q r s t u v w x y z
  B   b c d e f g h i j k l m n o p q r s t u v w x y z a
  C   c d e f g h i j k l m n o p q r s t u v w x y z a b
  D   d e f g h i j k l m n o p q r s t u v w x y z a b c
  E   e f g h i j k l m n o p q r s t u v w x y z a b c d
  F   f g h i j k l m n o p q r s t u v w x y z a b c d e
  G   g h i j k l m n o p q r s t u v w x y z a b c d e f
  H   h i j k l m n o p q r s t u v w x y z a b c d e f g
  I   i j k l m n o p q r s t u v w x y z a b c d e f g h
  J   j k l m n o p q r s t u v w x y z a b c d e f g h i
  K   k l m n o p q r s t u v w x y z a b c d e f g h i j
  L   l m n o p q r s t u v w x y z a b c d e f g h i j k
  M   m n o p q r s t u v w x y z a b c d e f g h i j k l
  N   n o p q r s t u v w x y z a b c d e f g h i j k l m
  O   o p q r s t u v w x y z a b c d e f g h i j k l m n
  P   p q r s t u v w x y z a b c d e f g h i j k l m n o
  Q   q r s t u v w x y z a b c d e f g h i j k l m n o p
  R   r s t u v w x y z a b c d e f g h i j k l m n o p q
  S   s t u v w x y z a b c d e f g h i j k l m n o p q r
  T   t u v w x y z a b c d e f g h i j k l m n o p q r s
  U   u v w x y z a b c d e f g h i j k l m n o p q r s t
  V   v w x y z a b c d e f g h i j k l m n o p q r s t u
  W   w x y z a b c d e f g h i j k l m n o p q r s t u v
  X   x y z a b c d e f g h i j k l m n o p q r s t u v w
  Y   y z a b c d e f g h i j k l m n o p q r s t u v w x
  Z   z a b c d e f g h i j k l m n o p q r s t u v w x y




Transposition Ciphers
1. Solve the ciphertext.

   Ciphered text:
   FKTTAW
   LNESATAKTAN
   AATCD

2. Use a rail fence cipher and a key of 3.

   F...K...T...T...A...W.
   .L.N.E.S.A.T.A.K.T.A.N
   ..A...A...T...C...D...

3. The clear text message.

   Clear text:
   FLANK EAST
   ATTACK AT DAWN

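The rail fence transposition above, as added Go code that is not from the slides: the zigzag over the rails is computed from the message length and the key (number of rails), and the same list of positions drives both encryption and decryption. Function names are mine.

```go
package main

import "fmt"

// railOf returns the rail that zigzag position i falls on (0,1,2,1,0,... for a key of 3).
func railOf(i, rails int) int {
	if rails < 2 {
		return 0 // one rail: ciphertext equals plaintext
	}
	r := i % (2 * (rails - 1)) // position within one down-and-up cycle
	if r < rails {
		return r // going down
	}
	return 2*(rails-1) - r // coming back up
}

// railOrder lists message positions in the order the rails are read out (top rail first).
func railOrder(n, rails int) []int {
	order := make([]int, 0, n)
	for r := 0; r < rails; r++ {
		for i := 0; i < n; i++ {
			if railOf(i, rails) == r {
				order = append(order, i)
			}
		}
	}
	return order
}

// RailFenceEncrypt writes the message along the zigzag and reads each rail in turn.
func RailFenceEncrypt(msg string, rails int) string {
	out := make([]byte, len(msg))
	for k, i := range railOrder(len(msg), rails) {
		out[k] = msg[i] // k-th ciphertext byte comes from message position i
	}
	return string(out)
}

// RailFenceDecrypt deals the ciphertext back onto the same positions, which depend only on length and key.
func RailFenceDecrypt(ct string, rails int) string {
	out := make([]byte, len(ct))
	for k, i := range railOrder(len(ct), rails) {
		out[i] = ct[k]
	}
	return string(out)
}

func main() {
	// Constructed from the slide's clear text with the spaces removed.
	fmt.Println(RailFenceDecrypt(RailFenceEncrypt("FLANKEASTATTACKATDAWN", 3), 3))
}
```

On the slide's 21-letter clear text FLANKEASTATTACKATDAWN the code yields FKTATN LNESATCADW AATKA; the slide's zigzag drawing contains 22 cells (an extra T in ATTACK), which is why its rail strings differ.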



One-Time Pad Cipher



Encryption Using One-Time Pad



Decryption Using One-Time Pad



Computer Version of a Substitution Cipher




Block and Stream Ciphers
Algorithms can operate in two modes:
• Block mode: The algorithm can work on only fixed chunks of data.
• Stream mode: The algorithm can process data bit by bit.
Block ciphers transform a fixed-length block of plaintext into a block of ciphertext.
Unlike block ciphers, stream ciphers operate on smaller units of plaintext, typically bits.



Block Cipher
The following are common block ciphers:
• DES and 3DES, running in either Electronic Code Book (ECB) mode or
Cipher Block Chaining (CBC) mode
• Advanced Encryption Standard (AES)
• International Data Encryption Algorithm (IDEA)
• Secure and Fast Encryption Routine (SAFER)
• Skipjack
• Blowfish
• Rivest-Shamir-Adleman (RSA)




DES ECB Mode Versus DES CBC Mode



Stream Ciphers
• In stream cipher mode, the cipher uses previous ciphertext and the secret key to generate a pseudorandom stream of bits, which only the secret key can generate.
Common stream ciphers include the following:
• DES and 3DES, running in output feedback (OFB) or cipher feedback (CFB) mode
• Rivest Cipher 4 (RC4)
• Software-optimized Encryption Algorithm (SEAL)

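As an added example (my Go code, not the slides'), the ECB versus CBC comparison from the earlier slide and DES running in OFB mode as a stream cipher, using Go's standard crypto/des and crypto/cipher packages. The key and IV are constructed demo values and the function names are mine; DES is used only because the slides discuss it.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
)

// Constructed 8-byte demo key and IV; DES appears only because the slides discuss it and is obsolete.
var demoKey, demoIV = []byte("8bytekey"), []byte("initvect")

func mustDES(key []byte) cipher.Block {
	b, err := des.NewCipher(key) // fails unless the key is exactly 8 bytes
	if err != nil {
		panic(err)
	}
	return b
}

// EncryptECB encrypts each 8-byte block on its own, so equal plaintext blocks give equal ciphertext (pt length must be a multiple of 8).
func EncryptECB(key, pt []byte) []byte {
	block, out := mustDES(key), make([]byte, len(pt))
	for i := 0; i < len(pt); i += block.BlockSize() {
		block.Encrypt(out[i:], pt[i:])
	}
	return out
}

// EncryptCBC XORs each block with the previous ciphertext block (the IV first) before encrypting, hiding repeats.
func EncryptCBC(key, iv, pt []byte) []byte {
	out := make([]byte, len(pt))
	cipher.NewCBCEncrypter(mustDES(key), iv).CryptBlocks(out, pt)
	return out
}

// EncryptOFB runs DES as a stream cipher: only a keystream is XORed with the data, so any length works and the same call decrypts.
func EncryptOFB(key, iv, data []byte) []byte {
	out := make([]byte, len(data))
	cipher.NewOFB(mustDES(key), iv).XORKeyStream(out, data)
	return out
}

// RepeatedBlocks reports whether the first two 8-byte blocks of ct are identical.
func RepeatedBlocks(ct []byte) bool { return bytes.Equal(ct[:8], ct[8:16]) }

func main() {
	pt := []byte("ATTACKATATTACKAT") // constructed: the same 8-byte block twice
	fmt.Println("ECB repeats:", RepeatedBlocks(EncryptECB(demoKey, pt)), "CBC repeats:", RepeatedBlocks(EncryptCBC(demoKey, demoIV, pt)))
}
```

ECB reports the repeated block (true) while CBC does not (false); a practitioner reviewing a VPN or application configuration should treat ECB as a pattern leak, not just an older option.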

