Today, Major problems for network administrators include the following:
• Packet snooping (eavesdropping)—When intruders capture and decode traffic obtaining usernames, passwords, and sensitive data, such as salary increases for the year.
• Theft of data—When intruders use sniffers, for example, to capture data over the network and steal that information for later use.
• Impersonation—When an intruder assumes the role of a legitimate device but, in fact, is not legitimate.
The solution to these and numerous other problems is to provide encryption technology to the IP community and allow network administrators the ability to ensure that data is not vulnerable to any form of attack or intrusion. This ensures that data is confidential, authenticated, and has not lost any integrity during the routing of packets through an IP network.
Encryption is defined as the process by which plain data is converted into ciphered data (a system in which plain text is arbitrarily substituted according to a predefined algorithm) so that only the intended recipient(s) can observe the data. Encryption ensures data privacy, integrity, and authentication.
Cisco IOS routers support the following industry standards to accomplish network layer encryption:-
• DES/3DES
• Digital signature standard (DSS)
• Diffie-Hellman exchange
• MD5
• IPSec
DES is a block cipher algorithm, which means that DES performs operations on fixed-length data streams. DES uses a 56-bit key to encrypt 64-bit datagrams.
3DES is the DES algorithm that performs three times sequentially. Three keys are used to encrypted data, resulting in a 168-bit encryption key.
A typical hacker uses a Pentium III computer workstation and takes approximately 22 hoursto break a DES key. In 3DES’s case, the documented key-breaking times are approximately10 billion years when one million PC III computers are used. Encryption ensures that information theft is difficult [ If a key is 128-bits long then there are 2128 different keys. On average you will have to search half of these keys (2127) before you get lucky.]. in the case of of 3DES its around 2168 which is far way more than DES.
MD5 Message hashing is supported on Cisco IOS routers. A variable-length message is taken, the MD5 algorithm is performed (for example, the enable secret passwords command), and a final fixed-length hashed output message is produced. MD5 is defined in RFC 1321. MD5 produces a 128-bit hash output.
Secure Hash Algorithm (SHA) is the newer, more secure version of MD5, and Hash-based Message Authentication (HMAC) provides further security with the inclusion of a key exchange. SHA produces a 160-bit hash output, making it even more difficult to decipher. SHA follows the same principles as MD5 and is considered more CPU-intensive.
The Diffie-Hellman key exchange takes place over a public domain. With the private key secret, it is very difficult for an outside intruder to generate the same key, and the private key is never exchanged over the public domain, making the process very secure.
• Packet snooping (eavesdropping)—When intruders capture and decode traffic obtaining usernames, passwords, and sensitive data, such as salary increases for the year.
• Theft of data—When intruders use sniffers, for example, to capture data over the network and steal that information for later use.
• Impersonation—When an intruder assumes the role of a legitimate device but, in fact, is not legitimate.
The solution to these and numerous other problems is to provide encryption technology to the IP community and allow network administrators the ability to ensure that data is not vulnerable to any form of attack or intrusion. This ensures that data is confidential, authenticated, and has not lost any integrity during the routing of packets through an IP network.
Encryption is defined as the process by which plain data is converted into ciphered data (a system in which plain text is arbitrarily substituted according to a predefined algorithm) so that only the intended recipient(s) can observe the data. Encryption ensures data privacy, integrity, and authentication.
Basic methodology behind data encryption :-
Step 1:- User data is forwarded over the network.
Step 2:- Data (clear text) is modified according to a key. The key is a sequence of digits that decrypts and encrypts messages. Typically, each device has three keys:
1.) A private key used to sign messages that is kept secret and never shared
2.) A public key that is shared (used by others to verify a signature)
3.) A shared secret key that is used to encrypt data using a symmetric encryption algorithm, such as DES
Step 3:- A mathematical formula is applied to scramble the data. In Figure 5-7, the
mathematical formula is applied during Step 2.
Step 4:- The data flows throughout the network and can be decrypted only if the
correct key is applied.
Cisco IOS routers support the following industry standards to accomplish network layer encryption:-
• DES/3DES
• Digital signature standard (DSS)
• Diffie-Hellman exchange
• MD5
• IPSec
Data Encryption Standard (DES) and Triple Data Encryption Standard (3DES)
DES is one of the most widely used encryption methods. DES turns clear text data into cipher text with an encryption algorithm. The receiving station will decrypt the data from cipher text into clear text. The encryption key is a shared secret key used to encrypt and decrypt messages.DES is a block cipher algorithm, which means that DES performs operations on fixed-length data streams. DES uses a 56-bit key to encrypt 64-bit datagrams.
3DES is the DES algorithm that performs three times sequentially. Three keys are used to encrypted data, resulting in a 168-bit encryption key.
A typical hacker uses a Pentium III computer workstation and takes approximately 22 hoursto break a DES key. In 3DES’s case, the documented key-breaking times are approximately10 billion years when one million PC III computers are used. Encryption ensures that information theft is difficult [ If a key is 128-bits long then there are 2128 different keys. On average you will have to search half of these keys (2127) before you get lucky.]. in the case of of 3DES its around 2168 which is far way more than DES.
Digital Signature Standard (DSS)
Hashing data is one method used to ensure that data has not been tampered with. Hashing involves taking a variable length of data and producing a fixed output. A HASH is defined as a one-way mathematical summary of a message (data) such that the hash value cannot be easily reconstructed into the original message. DSS is a mechanism that protects data from an undetected change while traversing the network.Message Digest 5 (MD5) and Secure Hash Algorithm (SHA)
Several hashing algorithms are available. The two discussed here are MD5 and SHA.MD5 Message hashing is supported on Cisco IOS routers. A variable-length message is taken, the MD5 algorithm is performed (for example, the enable secret passwords command), and a final fixed-length hashed output message is produced. MD5 is defined in RFC 1321. MD5 produces a 128-bit hash output.
Secure Hash Algorithm (SHA) is the newer, more secure version of MD5, and Hash-based Message Authentication (HMAC) provides further security with the inclusion of a key exchange. SHA produces a 160-bit hash output, making it even more difficult to decipher. SHA follows the same principles as MD5 and is considered more CPU-intensive.
Diffie-Hellman
The Diffie-Hellman protocol allows two parties to establish a shared secret over insecure channels, such as the Internet. This protocol allows a secure shared key interchange over the public network, such as the World Wide Web, before any secure session and data transfer is initiated. The Diffie-Hellman ensures that by exchanging just the public portions of the key, both devices can generate a session and ensure data is encrypted and decrypted by valid sources only. Only public keys (clear text) are exchanged over the public network. Using each device’s public key and running the key through the Diffie-Hellmann algorithm generates a common session key. Only public keys will ever be exchanged.The Diffie-Hellman key exchange takes place over a public domain. With the private key secret, it is very difficult for an outside intruder to generate the same key, and the private key is never exchanged over the public domain, making the process very secure.
RSA
RSA is another public key cryptographic algorithm (named after its inventors, Rivest, Shamir, and Adleman) with a variable key length. RSA’s main weakness is that it is significantly slow to compute compared to popular secret-key algorithms, such as DES or 3DES. Cisco’s IKE implementation uses a Diffie-Hellman exchange to get the secret keys. This exchange can be authenticated with RSA (or pre-shared keys). With the Diffie-Hellman exchange, the DES key never crosses the network, which is not the case with the RSA encryption and signing techniques. RSA is not public domain like DES/3DES, and to apply RSA, you must be licensed from RSA Data Security. An RSA signature is defined as the host (for example PC or routers) public and private key, which is bound with a digital certificate.
No comments:
Post a Comment