CCNA Security 210-260: Module 2: Virtual Private Networks (VPNs), Lesson 3: Fundamentals of VPN Technology and Cryptography

Lesson 3: Fundamentals of VPN Technology and Cryptography
3.1 Understanding VPNs and Why We Use Them
3.2 Cryptography Basic Components
3.3 Public Key Infrastructure
3.4 Putting the Pieces of PKI to Work

==================================================
3.1 Understanding VPNs and Why We Use Them

What is a Virtual Private Network (VPN)?
A virtual private network allows connectivity between two or more devices across a network that those devices do not control (typically the Internet), while keeping the traffic private.

Those two devices could be computers on the same local-area network or could be connected over a wide-area network. The "private" part does not come from the wire: it comes from cryptographic protection (encryption, integrity checking and peer authentication) applied to the traffic, so that the connection behaves as if it were a dedicated link.

Two major types of VPNs:
1. Remote access: a single user's device builds an SSL or IPsec VPN tunnel that terminates on an IOS router or an ASA; the user can then reach the corporate network from anywhere on the Internet as if directly connected to it.
2. Site-to-site: an IPsec tunnel between two routers (or firewalls) across the WAN, so that devices at site A can reach resources at site B and vice versa without running any VPN software themselves.

Examples of VPN technologies
1. IPsec
2. SSL/TLS
3. MPLS (provides traffic separation inside the provider network, not encryption)
4. PPTP (legacy; its protection is broken and it should not be deployed for new connections)

The main benefits of using either remote-access or site-to-site VPNs include the following:
Confidentiality: – Only the intended parties can understand the data that is sent.
– Any party that eavesdrops may see the actual packets, but the contents of the packet (the payload) are encrypted; the encrypted form is called ciphertext.
Data integrity: – Ensuring that the data has not been modified in transit, end to end; in IPsec this is done with an HMAC over each packet.
Authentication: – Peer authentication can be done in many ways, e.g. pre-shared keys, public and private key pairs, certificates, and user authentication in remote-access VPNs. Without it, encryption alone would happily protect a session with an impostor.
Antireplay protection: – Once a VPN packet has been sent and accounted for, that exact same VPN packet is not valid a second time in the VPN session; IPsec implements this with per-packet sequence numbers and a sliding receive window.

3.2 Cryptography Basic Components

Ciphers
A cipher is a set of rules, also called an algorithm, for how to perform encryption and decryption.
Common methods that ciphers use
Substitution: replaces each character with another. For example, substituting each letter of the alphabet with the previous letter of the alphabet (a shift, or Caesar, cipher). Because the mapping never changes, the letter frequencies of the plaintext survive into the ciphertext.

Polyalphabetic: similar to substitution, but instead of using a single replacement alphabet it uses multiple alphabets and switches between them, driven by a key or by some trigger character in the encoded message (the Vigenère cipher is the classic example). The same plaintext letter therefore does not always produce the same ciphertext letter.

Transposition: keeps the original characters but rearranges their order, for example by writing the message into a grid row by row and reading it out column by column.
E.G.) [Figure 3-2: transposition example]
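Added example (not part of the course notes): the three cipher methods above implemented as toy Python functions, a shift cipher (substitution), a Vigenère cipher (polyalphabetic) and a columnar transposition. The upper-case alphabet handling, the 'X' padding of the transposition grid and the sample plaintext are my assumptions for the illustration; none of these ciphers is secure and they are here only to make the mechanics concrete.

```python
"""Toy substitution, polyalphabetic (Vigenere) and columnar transposition
ciphers. Added illustration of the three cipher methods in the notes, not
course code. None of them is secure: each falls to frequency or anagram
analysis."""

import string

ALPHABET = string.ascii_uppercase


def caesar(text: str, shift: int) -> str:
    """Monoalphabetic substitution: every letter moves by the same shift.
    shift=-1 is the 'previous letter of the alphabet' example from the notes."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Polyalphabetic substitution: the key letter at each position selects
    which of the 26 shifted alphabets is used, so the same plaintext letter
    can map to different ciphertext letters."""
    out = []
    i = 0
    for ch in text.upper():
        if ch in ALPHABET:
            k = ALPHABET.index(key[i % len(key)].upper())
            if decrypt:
                k = -k
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26])
            i += 1  # only letters consume key material
        else:
            out.append(ch)
    return "".join(out)


def columnar_encrypt(text: str, columns: int) -> str:
    """Transposition: write the text row by row into a grid `columns` wide,
    pad the last row with 'X' (assumption), then read it out column by column."""
    text = text.replace(" ", "").upper()
    text += "X" * ((-len(text)) % columns)
    rows = [text[i:i + columns] for i in range(0, len(text), columns)]
    return "".join(row[c] for c in range(columns) for row in rows)


def columnar_decrypt(cipher: str, columns: int) -> str:
    """Inverse: the ciphertext fills the grid column by column; read the rows."""
    rows_n = len(cipher) // columns
    cols = [cipher[i:i + rows_n] for i in range(0, len(cipher), rows_n)]
    return "".join(cols[c][r] for r in range(rows_n) for c in range(columns))
```

Running caesar("ATTACK", -1) gives "ZSSZBJ"; the same text under Vigenère with key LEMON gives "LXFOPV", where the two A's and the two T's encrypt differently, which is the whole point of the polyalphabetic method.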

KEYS
– A one-time pad (OTP) is a good example of a key that is used only once.
– Using this method, to encrypt a 32-bit message a 32-bit key is also used. This key is called the pad, and it is used one time only.
– Each bit of the pad is combined (XORed) with the corresponding bit of our message, and the result is our ciphertext, or encrypted content.
– The pad must also be known by the receiver, who XORs it with the ciphertext to recover the message.
– The security of the scheme depends entirely on the pad being truly random, at least as long as the message, kept secret, and never reused: if the same pad protects two messages, an eavesdropper can XOR the two ciphertexts together and the pad cancels out, leaving the XOR of the two plaintexts.

Note: Another use of the acronym OTP is for a user’s one-time password, which is a different topic from the OTP (one-time pad).
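Added example, not from the course: the XOR one-time pad described above, working on bytes rather than single bits, together with the failure mode when a pad is reused. The two messages and the use of the OS random generator for the pad are my assumptions for the illustration.

```python
"""One-time pad with XOR, plus the classic 'two-time pad' failure.
Added illustration, not course code. The messages are constructed samples."""

import secrets


def otp_encrypt(message: bytes, pad: bytes) -> bytes:
    """Each bit of the pad is XORed with the corresponding message bit.
    The pad must be truly random, at least as long as the message, shared in
    secret with the receiver, and used exactly once."""
    if len(pad) < len(message):
        raise ValueError("pad must be at least as long as the message")
    return bytes(m ^ k for m, k in zip(message, pad))


# XOR is its own inverse, so decryption is the same operation as encryption.
otp_decrypt = otp_encrypt


def new_pad(length: int) -> bytes:
    """Fresh pad from the OS CSPRNG; never derive it from a password, never reuse it."""
    return secrets.token_bytes(length)


def two_time_pad_leak(ct1: bytes, ct2: bytes) -> bytes:
    """If one pad protected two messages, XORing the two ciphertexts cancels the
    pad and yields m1 XOR m2, with no key material needed at all."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))


def recover_with_crib(xor_of_plaintexts: bytes, known_m1: bytes) -> bytes:
    """Knowing (or guessing) one plaintext then reveals the other one."""
    return bytes(a ^ b for a, b in zip(xor_of_plaintexts, known_m1))
```

The recovery step needs nothing but the two ciphertexts and a guess at one message (a protocol header, a fixed greeting), which is why reuse of a pad, or of a stream-cipher keystream, is a total break rather than a weakness.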

BLOCK CIPHERS
A block cipher is a symmetric key cipher (same key to encrypt and decrypt) that operates on a fixed-size group of bits called a block (64 bits for DES, 3DES, Blowfish and IDEA; 128 bits for AES). A mode of operation (CBC, GCM and so on) is needed to handle messages longer than one block.

E.G.)
– Advanced Encryption Standard (AES)
– Data Encryption Standard (DES)
– Triple Data Encryption Standard (3DES)
– Blowfish
– International Data Encryption Algorithm (IDEA)

STREAM CIPHERS
A stream cipher is a symmetric key cipher (same key to encrypt as to decrypt) that encrypts the plaintext one bit (or byte) at a time by combining it with a keystream, also called a cipher digit stream, generated from the key. As with the one-time pad, a keystream must never be reused for two different messages.

Symmetric vs Asymmetric Encryption Algorithms:

Symmetric Encryption Algorithms
– a.k.a. a symmetric cipher: uses the same key to encrypt the data and to decrypt the data.
– When two devices are connected via a VPN, both need the key or keys to successfully encrypt and decrypt the data that is protected using a symmetric encryption algorithm, so the keys have to be distributed securely (manually as pre-shared keys, or with an asymmetric exchange such as Diffie-Hellman).

E.G.)
– DES
– 3DES
– AES
– IDEA
– RC2, RC4, RC5, RC6
– Blowfish

Symmetric encryption algorithms are used for most of the data that we protect in VPNs today, because they are far faster than asymmetric algorithms; asymmetric algorithms are used to authenticate the peers and to establish the symmetric keys.

Asymmetric Encryption Algorithms
Public key algorithms are asymmetric algorithms. Instead of using the same key for encrypting and decrypting, we use two different keys that mathematically work together as a pair: what one key encrypts, only the other can decrypt. These are called the public and private keys. Together they make a key pair.

E.G.)
– RSA – named after “Rivest, Shamir and Adleman” (its inventors)
– Diffie-Hellman (DH)
– ElGamal – based on the DH exchange
– Digital Signature Algorithm (DSA) – created by the NSA
– Elliptic Curve Cryptography (ECC)

HASHES
Hashing is a method used to verify data integrity: a hash function takes input of any length and produces a fixed-length digest, and any change to the input produces a different digest. A hash on its own does not authenticate the sender, since anyone can compute it.

4 most popular types of hashes:
1. Message Digest 5 (MD5): This creates a 128-bit digest. Collisions can be generated at will, so it should not be used where integrity matters.
2. Secure Hash Algorithm 1 (SHA-1): This creates a 160-bit digest. Also collision-broken and being phased out.
3. Secure Hash Algorithm 2 (SHA-2): Options include a digest between 224 bits and 512 bits (SHA-224, SHA-256, SHA-384, SHA-512).
4. Secure Hash Algorithm 3 (SHA-3): Options include a digest between 224 bits and 512 bits (SHA3-224 through SHA3-512); it uses a different internal construction (Keccak) from SHA-2.

Hashed Message Authentication Code (HMAC)
– Instead of using a hash that anyone can calculate, it includes in its calculation a secret key of some type.
– Then only the other party who also knows the secret key can calculate the resulting value and correctly verify it.
– An attacker who is eavesdropping and intercepting packets cannot inject, modify or remove data without detection, because he does not have the key or keys used for the calculation; with a plain hash he could simply alter the data and recompute the hash to match.
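Added example using only the Python standard library (not course code): it reports the digest sizes of the hash families listed above, then contrasts a bare hash with an HMAC over a constructed sample packet to show why the key matters. The packet content and the shared key are constructed for the illustration.

```python
"""Hash digest sizes, plain hash versus HMAC, and why a bare hash does not
stop an attacker who can rewrite packets. Added illustration, not course code."""

import hashlib
import hmac

# Constructed sample packet and shared key for the illustration.
SAMPLE_PACKET = b"acl-update: permit host 10.0.0.5 to any"
SHARED_KEY = b"vpn-peer-shared-secret"


def digest_bits(algorithm: str) -> int:
    """Digest size in bits for a hashlib algorithm name (md5, sha1, sha256, sha3_512, ...)."""
    return hashlib.new(algorithm).digest_size * 8


def plain_hash(data: bytes) -> str:
    """Unkeyed SHA-256: detects accidental corruption only, since anyone can
    recompute it after changing the data."""
    return hashlib.sha256(data).hexdigest()


def hmac_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: the tag depends on the secret key as well as on the data."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, tag: str) -> bool:
    """compare_digest runs in constant time, so response timing does not leak
    how many leading bytes of a guessed tag were correct."""
    return hmac.compare_digest(hmac_tag(key, data), tag)


def mitm_rewrite(packet: bytes) -> bytes:
    """What an attacker in the path does: flip 'permit' to 'deny'."""
    return packet.replace(b"permit", b"deny")


def receiver_accepts_plain_hash(packet: bytes, received_hash: str) -> bool:
    return plain_hash(packet) == received_hash


def attack_outcome(key: bytes = SHARED_KEY, packet: bytes = SAMPLE_PACKET) -> dict:
    """Sender emits (packet, hash) and (packet, hmac); the attacker rewrites the
    packet and recomputes what he can. Returns whether each receiver is fooled."""
    tampered = mitm_rewrite(packet)
    # The attacker can recompute the unkeyed hash for the altered packet...
    forged_hash = plain_hash(tampered)
    # ...but without the key the best he can do is replay the original HMAC.
    original_tag = hmac_tag(key, packet)
    return {
        "plain_hash_fooled": receiver_accepts_plain_hash(tampered, forged_hash),
        "hmac_fooled": verify_hmac(key, tampered, original_tag),
    }
```

attack_outcome() returns plain_hash_fooled True and hmac_fooled False: the receiver that checks only a hash accepts the rewritten ACL, the receiver that checks the HMAC does not.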

DIGITAL SIGNATURES
When you sign something, it often represents a commitment to follow through, or at least proves that you are who you say you are. In cryptography a digital signature (a hash of the data encrypted with the signer’s private key, which anyone can verify with the matching public key) provides three core benefits:

1. Authentication
2. Data Integrity
3. Nonrepudiation

KEY MANAGEMENT
Key management deals with:
– Generating keys
– Verifying keys
– Exchanging keys
– Storing keys
– at the end of their lifetime, destroying keys

3.3 Public Key Infrastructure

PKI and Public and Private Keys
A key pair is a set of two keys (a private and a public key) that work in combination with each other as a team.
The public key may be shared with everyone, but the private key is not shared with anyone. Data encrypted with the public key can be decrypted only with the private key, and a signature made with the private key can be verified by anyone who holds the public key.

Certificate Authorities
A certificate authority (CA) is a system that creates and issues digital certificates.

Inside of a digital certificate is information about the identity of a device, such as:
– Its IP address
– Fully Qualified Domain Name (FQDN)
– The public key of that device
together with the CA’s signature over that information, which is what lets others trust the binding between the identity and the public key.

Root and Identity Certificates
A digital certificate can be thought of as an electronic document that identifies a device or person.
– A root certificate is the CA’s own (self-signed) certificate: it contains the public key of the CA server and the other details about the CA server. Nothing above it vouches for it, so it has to be obtained and verified out of band.
– An identity certificate is similar to a root certificate, but it describes the client and contains the public key of an individual host (the client), signed by the CA.

[Figure 3-3a]

[Figure 3-3b]

3.4 Putting the Pieces of PKI to Work

1. Authenticate the CA server by downloading the root certificate from the CA server to the client and verifying its fingerprint (hash) out of band, e.g. against the value the CA administrator published. Anyone could hand the client a root certificate, so this check is what anchors all later trust.
2. The client generates its own public/private key pair, keeps the private key, and sends the public key together with its identity information to the CA in a certificate request; the CA signs it and returns the identity certificate. The ID certificate can be for a device or a person; the client can be a PC, firewall or router.

Simple Certificate Enrollment Protocol (SCEP) is used to request and retrieve the identity certificate from the CA over the network; it is the most common enrolment method on Cisco devices. The alternative is manual enrolment, cutting and pasting the request and the resulting certificate.

Certificate Revocation:
Certificate Revocation List (CRL): a list, signed by the CA, of certificates which should no longer be trusted; the client downloads it periodically and checks every peer certificate’s serial number against it.
Online Certificate Status Protocol (OCSP): a newer certificate revocation method in which the client queries an OCSP responder for the status of a single certificate in real time. A status of Revoked is irreversible; Hold status is temporary and can be lifted.
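Added example, not Cisco code, that ties together the asymmetric key pair from 3.2, digital signatures, and the PKI steps above: a root certificate, an identity certificate issued by the CA over the client's public key, client-side verification against the root, and a CRL check. The RSA arithmetic is textbook RSA with fixed Mersenne primes and no padding so that the maths stays visible; the JSON "certificate" layout, the names and the serial numbers are my assumptions. Real deployments use 2048-bit or larger random primes, PKCS#1 v1.5 or PSS padding, X.509 encoding, and SCEP or a CSR for the enrolment step, none of which is modelled here.

```python
"""Toy RSA key pairs, signatures, and a minimal CA / identity-certificate /
CRL flow. Added illustration, not course code. NOT for real use: tiny keys,
no padding, no X.509."""

import hashlib
import json

# Demo primes (assumption for the illustration): Mersenne primes 2^31-1 and
# 2^61-1 for the CA, 2^19-1 and 2^17-1 for the client. gcd(65537, phi) == 1
# holds for both pairs. Real keys use random primes of about 1024 bits each.
CA_PRIMES = (2**31 - 1, 2**61 - 1)
CLIENT_PRIMES = (2**19 - 1, 2**17 - 1)


def toy_rsa_keypair(p, q, e=65537):
    """Returns (public, private) = ((n, e), (n, d)) for distinct primes p, q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse, so d*e == 1 (mod phi)
    return (n, e), (n, d)


def rsa_encrypt(public, m):
    """Anyone holding the public key can encrypt (m must be < n)."""
    n, e = public
    return pow(m, e, n)


def rsa_decrypt(private, c):
    """Only the holder of the private exponent d can decrypt."""
    n, d = private
    return pow(c, d, n)


def _digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data):
    """Signature = SHA-256 digest raised to the private exponent. Because d is
    known only to the signer this gives authentication, integrity, nonrepudiation."""
    n, d = private
    return pow(_digest_int(data, n), d, n)


def verify(public, data, signature):
    """Anyone with the public key can check a signature."""
    n, e = public
    return pow(signature, e, n) == _digest_int(data, n)


def tbs_bytes(cert):
    """'To be signed' part of a certificate: every field except the signature,
    serialised canonically so signer and verifier hash identical bytes."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(issuer_private, issuer_name, subject, subject_public, serial):
    """The CA binds a subject name to the subject's PUBLIC key and signs it.
    The subject's private key is never sent to the CA."""
    cert = {"serial": serial, "issuer": issuer_name, "subject": subject,
            "public_key": list(subject_public)}
    cert["signature"] = sign(issuer_private, tbs_bytes(cert))
    return cert


def verify_identity_cert(cert, root_cert, crl):
    """Client-side check of a peer's identity certificate against the root
    certificate the client already trusts, plus a revocation-list lookup."""
    root_public = tuple(root_cert["public_key"])
    if not verify(root_public, tbs_bytes(root_cert), root_cert["signature"]):
        return False           # root cert is not a valid self-signature
    if cert["issuer"] != root_cert["subject"]:
        return False           # issued by some other CA
    if not verify(root_public, tbs_bytes(cert), cert["signature"]):
        return False           # forged, or a field was altered after signing
    if cert["serial"] in crl:
        return False           # revoked by the CA
    return True


def pki_walkthrough():
    """The steps of 3.4 end to end; returns the outcomes so they can be checked."""
    ca_public, ca_private = toy_rsa_keypair(*CA_PRIMES)
    client_public, client_private = toy_rsa_keypair(*CLIENT_PRIMES)
    # Step 1: client obtains the root certificate (assumed verified out of band).
    root = issue_certificate(ca_private, "Example-CA", "Example-CA", ca_public, 1)
    # Step 2: client enrols with its own public key; the CA returns an identity cert.
    ident = issue_certificate(ca_private, "Example-CA", "R1.example.test", client_public, 2)
    # A peer can now encrypt to the client and check the client's signatures.
    secret = rsa_decrypt(client_private, rsa_encrypt(client_public, 42))
    msg = b"constructed IKE auth payload"
    signed_ok = verify(client_public, msg, sign(client_private, msg))
    tampered = dict(ident, subject="attacker.example.test")   # signature kept, body changed
    return {
        "decrypts": secret == 42,
        "signature_valid": signed_ok,
        "cert_valid": verify_identity_cert(ident, root, crl=set()),
        "tampered_rejected": not verify_identity_cert(tampered, root, crl=set()),
        "revoked_rejected": not verify_identity_cert(ident, root, crl={2}),
    }
```

pki_walkthrough() returns True for every outcome: the client's private key decrypts what its public key encrypted, its signature verifies, the CA-issued certificate passes, an edited copy of that certificate fails because the CA's signature no longer matches the body, and placing serial 2 on the CRL makes the otherwise valid certificate fail.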