CCNA-SEC Lec#6 | Fundamentals of VPN and Cryptography “Part-2”

Following what we started at the previous lecture about the main guidelines of cryptography, We are about discuss all about Hashing and Authentication Techniques and Algorithms.
Let’s start….
Hashing Algorithms
As mentioned before Hashing is a function to achieve Data Integrity which can be defined as how to insure that data is not tampered or altered while transmission.
The main idea of Hashing is a process that takes a block of data and run the a defined algorithm to create a small fixed-sized hash value, then attach that value to the block of data and transmit it.
Which meaning if we have a two different computers (Transmitter & Receiver) take the same data and run the same hash function, they should get the same fixed-sized hash value.
Using a hash to verify integrity is the sender running a hash algorithm on each packet and attaching that hash to the packet. The receiver runs the same hash against the packet and compares his results against the results the sender had (which were attached to the packet, as well). If the hash generated matches the hash that was sent, we know that
the entire packet is intact. If a single bit of the hashed portion of the packet is modified, the hash calculated by the receiver will not match, and the receiver will know that the packet had a problem, specifically with the integrity of the packet.
The three most popular types of hashes are as follows:
Message digest 5 (MD5): This creates a 128-bit digest.
Secure Hash Algorithm 1 (SHA-1): This creates a 160-bit digest.

Secure Hash Algorithm 2 (SHA-2): Options include a digest between 224 bits and 512 bits.

 Hashed Message Authentication Code (HMAC)
Hashed Message Authentication Code (HMAC) uses the mechanism of hashing, Instead of using a hash that anyone can calculate, it includes in its calculation a secret key of some type. Then only the other party who also knows the secret key and can calculate the resulting hash can correctly verify the hash. When this mechanism is used, an attacker who is eavesdropping and intercepting packets cannot inject or remove data from those packets without being noticed because he cannot recalculate the correct hash for the modified packet because he does not have the key or keys used for the calculation.
Authentication Algorithms
It is about how to confirm the identity of the host sending data, using pre-shared keys or RSA Digital signatures to can authenticate the peer at the other end of the VPN tunnel.

■ Pre-shared key
Pre-shared key is an agreed character string in advance between both parties as the authentication key of the session; A pre-shared key is an example of symmetric cryptography as the key is a same on both sides.


The 0 before the Pre-Shared key specifies that the key is not encrypted.

■ RSA Digital Signatures
As a matter of fact, signature scheme consists of three related operations as below:
• Key pair generation produces a public/private key pair.
• Signature operation produces a signature for a message with a private key.
• Verification operation checks a signature with a public key.

Key Management
As cleared on our long discussion about  world of cryptography, The key is the one of the most important player here, as  We have symmetric keys that can be used with symmetric algorithms such as hashing and encryption. We have asymmetric keys such as public-private key pairs that can be used with asymmetric algorithms such as digital signatures, among other things.

A key pair is a set of two keys that work in combination with each other as a team. In a typical key pair, you have one public key and one private key. The public key may be shared with everyone, and the private key is not shared with anyone.

For example,  If we use the public key to encrypt data using an asymmetric encryption algorithm, the corresponding private key is used to decrypt the data.
Diffie-Hellman (DH)

Diffie-Hellman key exchange is a cryptographic protocol for securely exchanging encryption keys over an insecure communications channel, it  can be used to dynamically generate symmetrical keys to be used by symmetrical algorithms.
Diffie-Hellman Groups are used to determine the strength of the key used in the Diffie-Hellman key exchange process; Higher Diffie-Hellman Group numbers are more secure, but Higher Diffie-Hellman Groups require additional processing resources to compute the key. at below an examples from DH groups.
Group 1 – 768 bits
Group 2 – 1024 bits
Group 5 – 1536 bits
Group 14 – 2048 bits
Group 16 – 4096 bits
By: Hatem Farag | CCIE#54446

CCNA-SEC Lec#5 | Fundamentals of VPN and Cryptography

As mentioned before at our previous lectures, the main objective for any security model to achieve the three essential targets of confidentiality, data integrity &  authentication.
So, Virtual private network “VPN” is considered as a security deployment framework.
What is a VPN?
VPN allows  a logical connection between two devices over a wide-area network “WAN” connection using the Internet as a transport mechanism.
Types of VPNs :
There are two major categories into which VPNs could be placed :-
 ■ Remote-access VPNs: Some users might need to build a VPN connection from their individual computer to the corporate headquarters,  Remote-access VPNs can use IPsec or Secure Shell (SSL) technologies for their VPN.
■ Site-to-site VPNs: The other main VPN implementation is by companies that may have two or more sites that they want to connect securely together, so that each site can communicate with the other site or sites. This implementation is called a site-to-site VPN. Site-to-site VPNs traditionally use a collection of VPN technologies called IPsec.
 There are a two technology types to implement a VPN with its security features.
IPsec: Implements security of IP packets at Layer 3 of the OSI model, and can be used for site-to-site VPNs and remote-access VPNs.

■ SSL: Secure Sockets Layer implements security of TCP sessions over encrypted SSL tunnels of the OSI model, and it can be used for remote-access VPNs (as well as being used to securely visit a web server that supports it via HTTPS).
 Cryptography Basic Components

We are about to have a look about the three essential targets for any security model “confidentiality, data integrity &  authentication” before going to discuss the cryptography components.

■ Confidentiality
it means that only the intended parties can understand the data that is sent,  using encryption Algorithms to prevent the theft of data.
■ Data Integrity
It is about ensure that data is not tampered or altered while transmission, using a hashing algorithm to make sure the sent data is accurate from end to end.
■ Authentication
It confirms the identity of the host sending data, using bother pre-shared keys or RSA Digital signatures to can authenticate the peer at the other end of the VPN tunnel.

All of us now know that confidentiality is a function of encryption, data integrity is a function of hashing, and authentication is the process of proving the identity of the other side of the tunnel. Now it is time to take a look at how those methods are implemented and the choices you have for each.

Encryption Algorithms
Encryption is the process of converting a plain-text message into cipher-text which can be decoded back into the original message,  An encryption algorithm along with a key is used in the encryption and decryption of data.
The type and length of the keys depend upon the encryption algorithm and the amount of security needed. In the symmetric encryption a single key is used to encrypt the data and decrypt the data.
In the asymmetric encryption the encryption key and the decryption key are different. One is a public key by which the sender can encrypt the message and the other is a private key by which a recipient can decrypt the message.
 Symmetric encryption Algorithms
Symmetric encryption algorithms can be divided into stream ciphers and block ciphers. Stream ciphers encrypt a single bit of plaintext at a time, whereas block ciphers take a number of bits (typically 64 bits in modern ciphers), and encrypt them as a single unit.
 Common examples of symmetric encryption algorithms include the following:
  Advanced Encryption Standard (AES) : It is also known as Rijndael, and it is a block cipher.

Digital Encryption Standard (DES) : It is a block cipher with 64-bit block size that uses using a 56-bit key.
Triple Digital Encryption Standard (3DES) : It uses a 64-bit key, the idea behind Triple DES is to improve the security of DES by applying DES encryption three times using three different keys.
Blowfish : Blowfish has a 64-bit block size and a variable key length – from 32 bits to 448 bits.
International Data Encryption Algorithm (IDEA) : it uses a 128 bit key. This key length makes it impossible to break by simply trying every key.
Asymmetric encryption Algorithms
Asymmetric algorithms (public key algorithms) use different keys for encryption and decryption,  Instead of using the same key for encryption and decryption, we use two different keys that mathematically work together as a pair. Let’s call these keys the public key and private key.
Examples of asymmetrical algorithms include the following:

• RSARivest-Shamir-Adleman is the most commonly used public key encryption algorithm,  The key length may be from 512 to 2048, and a minimum size for good security is at least 1024.
• Diffie-Hellman (DH) :  DH is an asymmetrical algorithm that allows two devices to negotiate and establish shared secret keying material (keys) over an untrusted network,  The interesting thing about DH is that although the algorithm itself is asymmetrical, the keys generated by the exchange are symmetrical keys that can then be
used with symmetrical algorithms.

• Digital Signature Algorithm (DSA)

Finally, Asymmetrical algorithms require more CPU processing power than a symmetrical algorithm, while Asymmetrical algorithms are more secure than symmetrical ones.
We will continue at our next lecture the rest of Cryptography Basic Components, such as the Hashing Algorithm and the used techniques to achieve the authentication also.
By: Hatem Farag | CCIE#54446