Please enable JavaScript.

Coggle requires JavaScript to display documents.

:star: Basic Integrity and Authenticity :star:, image, image, image, image…

- - - - The example in the figure summarizes the mathematical process. A cryptographic hash function should have the following properties:
        
        The input can be any length.
        
        The output is always a fixed length.
        
        H(x) is relatively easy to compute for any given x.
        
        H(x) is one way and not reversible.
        
        H(x) is collision free, meaning that two different input values will result in different hash values.
  - - - There are four well-known hash functions:
        
        MD5 with 128-bit digest - Developed by Ron Rivest and used in a variety of internet applications, MD5 is a one-way function that produces a 128-bit hashed message. MD5 is considered to be a legacy algorithm and should be avoided and used only when no better alternatives are available. It is recommended that SHA-2 or SHA-3 be used instead.
        
        SHA-1 - Developed by the U.S. National Security Agency (NSA) in 1995. It is very similar to the MD5 hash functions. Several versions exist. SHA-1 creates a 160-bit hashed message and is slightly slower than MD5. SHA-1 has known flaws and is a legacy algorithm.
        
        SHA-2 - Developed by the NSA. It includes SHA-224 (224 bit), SHA-256 (256 bit), SHA-384 (384 bit), and SHA-512 (512 bit). If you are using SHA-2, then the SHA-256, SHA-384, and SHA-512 algorithms should be used whenever possible.
        
        SHA-3 - SHA-3 is the newest hashing algorithm and was introduced by the National Institute of Standards and Technology (NIST) as an alternative and eventual replacement for the SHA-2 family of hashing algorithms. SHA-3 includes SHA3-224 (224 bit), SHA3-256 (256 bit), SHA3-384 (384 bit), and SHA3-512 (512 bit). The SHA-3 family are next-generation algorithms and should be used whenever possible.
  - - - With hash functions, it is computationally infeasible for two different sets of data to come up with the same hash output. Furthermore, the hash value changes every time the data is changed or altered. Because of this, cryptographic hash values are often called “digital fingerprints”. These fingerprints can be used to detect duplicate data files, file version changes, and similar applications. These values are used to guard against an accidental or intentional change to the data, or accidental data corruption.
        The cryptographic hash function is applied in many different situations for entity authentication, data integrity, and data authenticity purposes.
  - - - Creating the HMAC Value
        
        the sending device inputs data (such as Terry Smith’s pay of $100 and the secret key) into the hashing algorithm and calculates the fixed-length HMAC digest. This authenticated digest is then attached to the message and sent to the receiver.
      - Verifying the HMAC Vaule
        
        the receiving device removes the digest from the message and uses the plaintext message with its secret key as input into the same hashing function. If the digest that is calculated by the receiving device is equal to the digest that was sent, the message has not been altered. Additionally, the origin of the message is authenticated because only the sender possesses a copy of the shared secret key. The HMAC function has ensured the authenticity of the message.
      - HMAC Hashing Algorithm
        
        an HMAC is calculated using any cryptographic algorithm that combines a cryptographic hash function with a secret key. Hash functions are the basis of the protection mechanism of HMACs.
        Only the sender and the receiver know the secret key, and the output of the hash function now depends on the input data and the secret key. Only parties who have access to that secret key can compute the digest of an HMAC function. This defeats man-in-the-middle attacks and provides authentication of the data origin.
      - Cisco Router HMAC Example
        
        Shows how HMACs are used by Cisco routers that are configured to use Open Shortest Path First (OSPF) routing authentication.
        R1 is sending a link state update (LSU) regarding a route to network 10.2.0.0/16:
        
        R1 calculates the hash value using the LSU message and the secret key.
        
        R2 calculates the hash value using the LSU and its secret key. R2 accepts the update if the hash values match. If they do not match, R2 discards the update.
        
        The resulting hash value is sent with the LSU to R2.
  - - - Data Integrity - Guarantees that the message was not altered. Any changes to data in transit will be detected. Integrity is ensured by implementing either of the Secure Hash Algorithms (SHA-2 or SHA-3). The MD5 message digest algorithm is still widely in use. However, it is inherently insecure and creates vulnerabilities in a network. Note that MD5 should be avoided.
      - Origin Authentication - Guarantees that the message is not a forgery and does actually come from whom it states. Many modern networks ensure authentication with algorithms such as hash-based message authentication code (HMAC).
      - Data Confidentiality - Guarantees that only authorized users can read the message. If the message is intercepted, it cannot be deciphered within a reasonable amount of time. Data confidentiality is implemented using symmetric and asymmetric encryption algorithms.
      - Data Non-Repudiation - Guarantees that the sender cannot repudiate, or refute, the validity of a message sent. Nonrepudiation relies on the fact that only the sender has the unique characteristics or signature for how that message is treated.
- - - - Symmetric keys - Can be exchanged between two routers supporting a VPN
      - Asymmetric keys - Are used in secure HTTPS applications
      - Digital signatures - Are used when connecting to a secure website
      - Hash keys - Are used in symmetric and asymmetric key generation, digital signatures, and other types of applications
      - On average, an attacker has to search through half of the keyspace before the correct key is found. The time that is needed to accomplish this search depends on the computer power that is available to the attacker.
        Current key lengths can easily make any attempt insignificant because it takes millions or billions of years to complete the search when a sufficiently long key is used.
  - - - As key length increase, the keyspace increases exponentially:
        
        A 2-bit (22) key length = a keyspace of 4 because there are four possible keys (00, 01, 10, and 11).
        
        A 3-bit (23) key length = a keyspace of 8, because there are eight possible keys (000, 001, 010, 011, 100, 101, 110, 111).
        
        A 4-bit (24) key length = a keyspace of 16 possible keys.
        
        A 40-bit (240) key length = a keyspace of 1,099,511,627,776 possible keys.
  - - - For example, the factors of 12 would be 1 x 12, 2 x 6, and 3 x 4. Therefore, a 1024-bit number is a very large number with many factors. Increasing that number to a 2048-bit number creates even more factors. Of course, this advantage is lost if an easy way to factor large numbers is found, but cryptographers consider this possibility unlikely.
        The rule “the longer the key, the better” is valid, except for possible performance reasons. Shorter keys equal faster processing, but are less secure. Longer keys equal slower processing, but are more secure.
  - - - Key Exchange
      - Key Storage
      - Key Verification
      - Key Lifetime
      - Key Generation
      - Key Revocation and Destruction
- - - - Public Key (Encrypt) + Private Key (Decrypt) = Confidentiality
        
        Alice uses public key
        
        Bob decrypt message with private key
        
        Alice acquires Bob’s public key.
  - - - Private Key (Encrypt) + Public Key (Decrypt) = Authentication
      - When the private key is used to encrypt the data, the corresponding public key must be used to decrypt the data. Because only one host has the private key, only that host could have encrypted the message, providing authentication of the sender. Typically, no attempt is made to preserve the secrecy of the public key, so any number of hosts can decrypt the message. When a host successfully decrypts a message using a public key, it is trusted that the private key encrypted the message, which verifies who the sender is. This is a form of authentication.
  - - - Examples of protocols that use asymmetric key algorithms include:
        
        Internet Key Exchange (IKE) - This is a fundamental component of IPsec VPNs.
        
        Secure Socket Layer (SSL) - This is now implemented as IETF standard Transport Layer Security (TLS).
        
        Secure Shell (SSH) - This protocol provides a secure remote access connection to network devices.
        
        Pretty Good Privacy (PGP) - This computer program provides cryptographic privacy and authentication. It is often used to increase the security of email communications.
  - - - Alice encrypts a hash using her private key
        
        Alice also wants to ensure message authentication and integrity. Authentication ensures Bob that the document was sent by Alice, and integrity ensures that it was not modified Alice uses her private key to cipher a hash of the message. Alice sends the encrypted message with its encrypted hash to Bob.
      - Bob uses Alice´s public key to descrypt the hash
        
        Bob uses Alice’s public key to verify that the message was not modified. The received hash is equal to the locally determined hash based on Alice’s public key. Additionally, this verifies that Alice is definitely the sender of the message because nobody else has Alice’s private key.
      - Alice uses Bob´s public key
        
        Alice wants to send a message to Bob ensuring that only Bob can read the document. In other words, Alice wants to ensure message confidentiality. Alice uses the public key of Bob to cipher the message. Only Bob will be able to decipher it using his private key.
      - Bob uses his private key to decrypt the message
        
        Bob uses his private key to decipher the message.
  - - - Block ciphers transform a fixed-length block of plaintext into a common block of ciphertext of 64 or 128 bits. Common block ciphers include DES with a 64-bit block size and AES with a 128-bit block size.
      - Stream ciphers encrypt plaintext one byte or one bit at a time. Stream ciphers are basically a block cipher with a block size of one byte or bit. Stream ciphers are typically faster than block ciphers because data is continuously encrypted. Examples of stream ciphers include RC4 and A5 which is used to encrypt GSM cell phone communications.
  - - - Data is exchanged using an IPsec VPN
      - SSH data is exchanged
      - The colors in the figure will be used instead of complex long numbers to simplify the DH key agreement process. The DH key exchange begins with Alice and Bob agreeing on an arbitrary common color that does not need to be kept secret. The agreed-on color in our example is yellow.
        Next, Alice and Bob will each select a secret color. Alice chose red while Bob chose blue. These secret colors will never be shared with anyone. The secret color represents the chosen secret private key of each party.
        
        Alice and Bob now mix the shared common color (yellow) with their respective secret color to produce a public color. Therefore, Alice will mix the yellow with her red color to produce a public color of orange. Bob will mix the yellow and the blue to produce a public color of green.
        Alice sends her public color (orange) to Bob and Bob sends his public color (green) to Alice
        
        Alice and Bob each mix the color they received with their own, original secret color (Red for Alice and blue for Bob.). The result is a final brown color mixture that is identical to the partner’s final color mixture. The brown color represents the resulting shared secret key between Bob and Alice.
        Diffie-Hellman uses different DH groups to determine the strength of the key that is used in the key agreement process. The higher group numbers are more secure, but require additional time to compute the key. The following identifies the DH groups supported by Cisco IOS Software and their associated prime number value: