This chapter introduces the concepts of cryptography and covers encryption, hashing, and digital signatures and how these techniques provide confidentiality, integrity, authenticity, and nonrepudiation. You will learn about algorithms, symmetric and asymmetric encryption, digital signatures, and Public Key Infrastructure (PKI).
Fundamentals of Cryptography and VPN Technologies © 2012 Cisco and/or its affiliates All rights reserved Contents This chapter introduces the concepts of cryptography and VPN technologies It covers the following topics: • Need for VPN and VPN deployment models • Encryption, hashing, and digital signatures and how they provide confidentiality, integrity, and nonrepudiation • Methods, algorithms, and purposes of symmetric encryption • Use and purpose of hashes and digital signatures in providing integrity and nonrepudiation • Use and purpose of asymmetric encryption and Public Key Infrastructure (PKI) © 2012 Cisco and/or its affiliates All rights reserved VPN Overview • Historically, a VPN was an IP tunnel • Therefore, a generic routing encapsulation (GRE) tunnel is technically a VPN, even though GRE does not encrypt • Today, the use of a VPN implies the use of encryption • With a VPN, the information from a private network is transported over a public network, such as the Internet, to form a virtual network instead of using a dedicated Layer connection © 2012 Cisco and/or its affiliates All rights reserved Where VPNs Are Found © 2012 Cisco and/or its affiliates All rights reserved VPNs have many benefits • Cost savings • Scalability • Compatibility with broadband technology • Security © 2012 Cisco and/or its affiliates All rights reserved VPN Types There are different types of commercially deployed VPNs VPN are classified according to the following criteria: • Based on deployment mode: Site-to-site VPN and remote-access VPN • Based on Open Systems Interconnection (OSI) layer: Layer VPN (legacy protocols such as Frame Relay or ATM, and Layer MPLS VPN), Layer VPN (IPsec and MPLS Layer VPN), and Layer VPN (SSL VPN) • Based on underlying technology: IPsec VPN, SSL VPN, MPLS VPN, other Layer technologies such as Frame Relay or ATM, and hybrid VPNs combining multiple technologies © 2012 Cisco and/or its affiliates All rights reserved Cisco VPN Solutions © 2012 Cisco and/or its affiliates All rights reserved Site-to-Site VPNs © 2012 Cisco and/or its affiliates All rights reserved Remote-Access VPNs © 2012 Cisco and/or its affiliates All rights reserved Examining Cryptographic Services Cryptographic services are the foundation for many security implementations The key services provided by cryptography are as follows: • Confidentiality: The assurance that no one can read a particular piece of data except the receivers explicitly intended • Integrity or data authentication: The assurance that data has not been altered in transit, intentionally or unintentionally • Peer authentication: The assurance that the other entity is who he, she, or it claims to be • Nonrepudiation: A proof of the integrity and origin of data The sender can’t repudiate that he or she is the person who sent the data • Key management: The generation, exchange, storage, safeguarding, use, vetting, and replacement of keys © 2012 Cisco and/or its affiliates All rights reserved 10 Certificate Authorities PKI Topology Using a Single-Root CA PKI Topology Using Hierarchical CAs © 2012 Cisco and/or its affiliates All rights reserved 63 PKI Topology Using Cross-Certifying CAs © 2012 Cisco and/or its affiliates All rights reserved 64 PKI Standards There are many defined PKCS standards: • PKCS #1: RSA Cryptography Standard • PKCS #3: Diffie-Hellman Key Agreement Standard • PKCS #5: Password-Based Cryptography Standard • PKCS #6: Extended-Certificate Syntax Standard • PKCS #7: Cryptographic Message Syntax Standard • PKCS #8: Private-Key Information Syntax Standard • PKCS #9: Selected Attribute Types • PKCS #10: Certification Request Syntax Standard • PKCS #11: Cryptographic Token Interface Standard • PKCS #12: Personal Information Exchange Syntax Standard PKCS #13: Elliptic Curve Cryptography Standard â 2012 Cisco and/or its affiliates All rights reserved 65 Certificate Signing Request © 2012 Cisco and/or its affiliates All rights reserved 66 Note An example of a distinguished name used as the Subject Name field in an X.509 user certificate would appear as CN=Harry Wales,OU=Sales,O=My Computer,L=My Company,L=Chicago,S=Ohio,C=US where • CN= commonName • OU= organizationalUnitName • O= Organization • L= Locality (City) • S= State • C= US © 2012 Cisco and/or its affiliates All rights reserved 67 Retrieving a CA Certificate The following steps occur to retrieve the CA certificate: Step Alice and Bob request the CA certificate that contains the CA public key Step Upon receipt of the CA certificate, Alice’s and Bob’s systems verify the validity of the certificate using public-key cryptography © 2012 Cisco and/or its affiliates All rights reserved 68 Certificate Enrollment After retrieving the CA certificate, Alice and Bob perform the following steps to submit certificate requests to the CA, as shown in Figure 12-34: Step Alice’s and Bob’s systems forward a certificate request that includes their public keys along with some identifying information All of this information is encrypted using the public key of the CA Step Upon receipt of the certificate requests, the CA administrator telephones Alice and Bob to confirm their submittals and the public keys Step The CA administrator issues the certificate by adding some additional data to the certificate request, and digitally signing it all Step Either the end user manually retrieves the certificate or SCEP automatically retrieves the certificate, and the certificate is installed onto the system © 2012 Cisco and/or its affiliates All rights reserved 69 Authentication Using Certificates Having installed certificates signed by the same CA, Bob and Alice are now ready to authenticate each other Step Bob and Alice exchange certificates The CA is no longer involved Step Each party verifies the digital signature on the certificate by hashing the plaintext portion of the certificate, decrypting the digital signature using the CA public key, and comparing the results If the results match, the certificate is verified as being signed by a trusted third party, and the verification by the CA that Bob is Bob and Alice is Alice is © 2012 Cisco and/or its affiliates All rights reserved 70 Certificate Revocation Process © 2012 Cisco and/or its affiliates All rights reserved 71 Certificate Revocation Methods © 2012 Cisco and/or its affiliates All rights reserved 72 Where We Find Certificates Being Used © 2012 Cisco and/or its affiliates All rights reserved 73 Digital Certificates and CAs A PKI has the following characteristics: • To authenticate each other, users have to obtain the certificate of the CA and their own certificate These steps require the out-of-band verification of the processes After this verification is complete, the presence of the CA is no longer required until one of the certificates that is involved expires • Public-key systems use asymmetric keys where one is public and the other one is private One of the features of these algorithms is that whatever is encrypted using one key can only be decrypted using the other key This provides nonrepudiation • Key management is simplified because two users can freely exchange the certificates The validity of the received certificates is verified using the public key of the CA, which the users have in their possession • Because of the strength of the algorithms involved, you can set a very long lifetime for the certificates, typically a lifetime measured in years © 2012 Cisco and/or its affiliates All rights reserved 74 The disadvantages of using trusted third parties relate to key management • A user certificate is compromised (stolen private key): • The certificate of the CA is compromised (stolen private key): The CA administrator: â 2012 Cisco and/or its affiliates All rights reserved 75 Summary The key points covered in this chapter are as follows: • A cryptosystem is made up of a combination of hashing, symmetric, and asymmetric algorithms • Symmetric algorithms use a single key for encrypting and decrypting Generally speaking, symmetric algorithms are the strongest and fastest algorithms and therefore are used for most encryption • Hashing algorithms use a one-way process designed to provide integrity Usually, successful decryption of a digest provides proof of integrity and authenticity • Asymmetric algorithms use a key pair for the encrypting/decrypting process One key encrypts, and the other key decrypts • RSA is a widely used algorithm for public-key cryptography • A PKI uses asymmetric encryption to provide confidentiality, integrity, and authentication services • PKI solutions are based on digital certificates and a trusted third party trust model © 2012 Cisco and/or its affiliates All rights reserved 76 © 2012 Cisco and/or its affiliates All rights reserved 77 ... This chapter introduces the concepts of cryptography and VPN technologies It covers the following topics: • Need for VPN and VPN deployment models • Encryption, hashing, and digital signatures and. .. Site-to-site VPN and remote-access VPN • Based on Open Systems Interconnection (OSI) layer: Layer VPN (legacy protocols such as Frame Relay or ATM, and Layer MPLS VPN) , Layer VPN (IPsec and MPLS... Layer VPN) , and Layer VPN (SSL VPN) • Based on underlying technology: IPsec VPN, SSL VPN, MPLS VPN, other Layer technologies such as Frame Relay or ATM, and hybrid VPNs combining multiple technologies