Please enable JavaScript.
Coggle requires JavaScript to display documents.
16.-Basic Integrity and authenticity - Coggle Diagram
16.-Basic Integrity and authenticity
16.1 Integrity and Authenticity
16.1.1 Secure Communications
Origin Authentication - Guarantees that the message is not a forgery and does actually come from whom it states. Many modern networks ensure authentication with algorithms such as hash-based message authentication code (HMAC).
Data Confidentiality - Guarantees that only authorized users can read the message. If the message is intercepted, it cannot be deciphered within a reasonable amount of time. Data confidentiality is implemented using symmetric and asymmetric encryption algorithms.
Data Non-Repudiation - Guarantees that the sender cannot repudiate, or refute, the validity of a message sent. Nonrepudiation relies on the fact that only the sender has the unique characteristics or signature for how that message is treated.
Data Integrity - Guarantees that the message was not altered. Any changes to data in transit will be detected. Integrity is ensured by implementing either of the Secure Hash Algorithms (SHA-2 or SHA-3). The MD5 message digest algorithm is still widely in use. However, it is inherently insecure and creates vulnerabilities in a network. Note that MD5 should be avoided.
16.1.2 Cryptographic Hash Functions
Hashes are used to verify and ensure data integrity. They are also used to verify authentication. Hashing is based on a one-way mathematical function that is relatively easy to compute, but significantly harder to reverse.
16.1.3 Cryptographic Hash Operation
Mathematically, the equation h= H(x) is used to explain how a hash algorithm operates. As shown in the figure, a hash function H takes an input x and returns a fixed-size string hash value h
16.1.4 MD5 and SHA
MD5 with 128-bit digest - Developed by Ron Rivest and used in a variety of internet applications, MD5 is a one-way function that produces a 128-bit hashed message. MD5 is considered to be a legacy algorithm and should be avoided and used only when no better alternatives are available. It is recommended that SHA-2 or SHA-3 be used instead.
SHA-1 - Developed by the U.S. National Security Agency (NSA) in 1995. It is very similar to the MD5 hash functions. Several versions exist. SHA-1 creates a 160-bit hashed message and is slightly slower than MD5. SHA-1 has known flaws and is a legacy algorithm.
SHA-2 - Developed by the NSA. It includes SHA-224 (224 bit), SHA-256 (256 bit), SHA-384 (384 bit), and SHA-512 (512 bit). If you are using SHA-2, then the SHA-256, SHA-384, and SHA-512 algorithms should be used whenever possible.
SHA-3 - SHA-3 is the newest hashing algorithm and was introduced by the National Institute of Standards and Technology (NIST) as an alternative and eventual replacement for the SHA-2 family of hashing algorithms. SHA-3 includes SHA3-224 (224 bit), SHA3-256 (256 bit), SHA3-384 (384 bit), and SHA3-512 (512 bit). The SHA-3 family are next-generation algorithms and should be used whenever possible
16.2 Key Management
16.2.1 Characteristics of Key Management
16.2.2 Key Length and Keyspace
Two terms that are used to describe keys are:
Key length - Also called the key size, this is the measure in bits. In this course, we will use the term key length.
Keyspace - This is the number of possibilities that can be generated by a specific key length.
As key length increase, the keyspace increases exponentially:
A 2-bit (22) key length = a keyspace of 4 because there are four possible keys (00, 01, 10, and 11).
A 3-bit (23) key length = a keyspace of 8, because there are eight possible keys (000, 001, 010, 011, 100, 101, 110, 111).
A 4-bit (24) key length = a keyspace of 16 possible keys.
A 40-bit (240) key length = a keyspace of 1,099,511,627,776 possible keys.
16.2.4 Types of Cryptographic Keys
Symmetric keys - Can be exchanged between two routers supporting a VPN
Asymmetric keys - Are used in secure HTTPS applications
Digital signatures - Are used when connecting to a secure website
Hash keys - Are used in symmetric and asymmetric key generation, digital signatures, and other types of applications
16.3 Confidentiality
16.3.1 Data Confidentiality
16.3.2 Symmetric Encryption
Symmetric algorithms use the same pre-shared key to encrypt and decrypt data. A pre-shared key, also called a secret key, is known by the sender and receiver before any encrypted communications can take place.
16.3.3 Asymmetric Encryption
Asymmetric algorithms, also called public-key algorithms, are designed so that the key that is used for encryption is different from the key that is used for decryption, as shown in the figure. The decryption key cannot, in any reasonable amount of time, be calculated from the encryption key and vice versa.
Internet Key Exchange (IKE) - This is a fundamental component of IPsec VPNs.
Secure Socket Layer (SSL) - This is now implemented as IETF standard Transport Layer Security (TLS).
Secure Shell (SSH) - This protocol provides a secure remote access connection to network devices.
Pretty Good Privacy (PGP) - This computer program provides cryptographic privacy and authentication. It is often used to increase the security of email communications.
