welcome and in this video course we are looking at the cyber ops associate version one course this course is going to cover the skills and knowledge needed for successfully handling the tasks and duties responsibilities of an associate level security analyst working at a security operations center the goal of this video series is to help prepare learners for the cisco 200-201 certification that's focusing on understanding the cisco cyber security operation fundamentals course known as c b r o p s module 21 cryptography so in this module we're going to be looking at a systematic keys we're going to be looking at the pki subsystem that's the public key infrastructure we're going to be looking at integrity and authenticity confidentiality we're going to be looking at public key cryptography and their subsystems as well as applications and impacts of cryptography so what's really funny is oftentimes i get asked what's the important portion of cryptography and that's the integrity and authenticity as well as the confidentiality portions of cryptography those are the key things when we're dealing with cryptography so our first major section is integrity and authenticity and when we look at this we're looking at four main elements data integrity original authentication data confidentiality and data non-reputational the fun part is with the integrity that's guaranteed the message wasn't altered or molested in transit open authentication guarantee that the message is not forged and actually is from who claims it is confidentiality guarantees that only authorized users have read the message and the non-repudiation guarantees that the sender cannot repudiate or refute the validity of the message basically with non-repudiation you cannot repute basically you cannot say i didn't send this it is guaranteed it is verified that you are the individual that sent it or the sender is the one that send it they can't repute or refute that fact all right so what are some of the systems that work with cryptography well one is a hashing function and a hash function takes a plain message or plain text message and you'll go through a hash function using a specific algorithm that will then provide a fixed length hash value if anything was modified in the plain text message anything a space a dot a period anything it changes the hash value the hashing is based off of a one-way mathematical function or formula the hash function will take a variable block binary data called the message and again produces a fixed length based off of the algorithm the resulting hash is also called the message digest or the digest or fingerprint with hash functions it is computational and feasible that two different messages ever calculate to the same hash value every time the data is changed or altered the hash value will also then be altered so it's the formula so if we're looking at a hashing function and there's an algorithm what what's going on so mathematically the equation is little h equals big h x and this is used to explain how it operates and x is going to be the message big h will be the hash function algorithm and then little h will be the hash value so again the hash value equals the hash function and x will be the function of the hash the input can be any length the output is a fixed length the function h x is relatively easy to compute for given x value one way so the function of h x is a one way non-reversible and typically it is collision free meaning there should be very very very very very small possible responses where little x will ever give the same little h value when you do the same hashing function algorithm that's called the collision and it's very very very unlikely that will ever occur so the next question is i keep saying hashing function or algorithm are they all the same are they all created equal and the answer to that is no whether they're not so here we have two very common types we have an md5 and we have a shaw so hashing functions again they ensure the integrity of the message they make sure that the messages were not molested or not modified and there are a few different well-known hash functions shaw has shot 1 2 3 4 5 128 56 512 and so forth so you have the higher versions of shaw sha1 typically is sha-1 it's very similar to md5 and it has a 160-bit hash message slightly slower than md5 but it also now classified really weak md5 is 128 bit digests one-way function produces 128-bit hashed value and is considered a legacy and is also not as secure sha2 that's going to be the family that's going to be the 256 the 512 and greater shaw 3 is the other family which is again more next generation algorithms all right so what do we do how do we make sure that this is correct if we have a payment for example paid to alex values a hundred dollars and we get paid to jeremy and it's a thousand dollars if we actually hash the messages the hashing values will be different and you can see that with the start and ending hash let me grab my pin and again this isn't the full hash value this is a portion of it but they should be different one of the first things that we would ask ourselves is what is the hashing algorithm first is the same algorithm being used on both you cannot use one algorithm on one and one algorithm on the other and compare them that's not how it works the same hashing algorithm has to hash both to verify that the hash values are actually different so the next question is why carry with the hashes so hashing can be used to detect modifications or changes or molestation of the original message and it can be used to guard against deliberate changes that are made by a threat actor if something is sent and it's not modified you're good if it was sent and it was modified you can at least know that there is no unique identifying information from the sender in the hashing procedure it's you don't know what type of hash it is it's just it's a fixed length and that's kind of all you have this means that anyone can compute a hash for any data as long as they have the correct hashing function so if you want to hash a message using shafi or md5 you can as long as you have the data and you have the algorithm you can hash it therefore hashing is vulnerable to typically man in the middle and doesn't provide security to transmit the data the hashing portion is just about integrity and the original authentication and if you want more than that something else is required hashing algorithms only protect against changes and they don't protect against data from changes by a threat actor hashing is the way that you can verify the authenticity of the data if you think the data was modified compare the source to what you received and if they are identical hashes you know they are fine if they're different values you know something went wrong so what does it mean when we talk about the original authentication so essentially we can add authentication and integrity assurance by using an hmac or a hashed message authentication code these are used in addition to a secret key as inputs to the hash function we also have things like message authentication code or a mac and these are methods are also used hmacs are used in many systems ipsec ssh ssl tls and more keep in mind when we talk either hmac or mac in cryptography that is different than a mac in network communication we use the same acronym for multiple things so do keep that in mind when we're talking cryptography or authentication mac is message authentication code not media access control all right so how does hmac fit into our hashing algorithm process so what happens is we have a plain text message we have a date of our collection of data that's x amount large and we have a secret key so this is where the h might come to play because the hmac was going to be using that secret key remember that the hmac is calculated using any algorithm only the sender and the receiver should know the secret key and the output of the hash algorithm will be dependent on that secret key so again only parties who have access to the secret key can compute the digest of the h-match function basically if you try to do this if you want to do an hmac and you don't have the secret key you're not getting the same hash value return that you'd expect so only those with the appropriate secret key should know how to reconstruct it taking data running it through the hashing algorithm with the secret key to get the exact same hash value thus verifying if the message is actually identical so for example paid terry smith hundred dollars with that being the data and we have a secret key we can actually hash it and we would have a hashed value well that would be called the hmac because we used the secret key what we would then do is send it the receiver would then decode it look at the message and then verify it use what they decoded and their secret key and they would hash it the exact same way to compare the two hash values if they are the same then we know that the file was unmolested in transport this is a way to verify the authenticity of the message alright so let's put all of this together so we verify the hmac value we get the received data we have the secret key we hash it as long as we get the same value then we know the generated hmac is verified the integrity of authenticity has been verified if they're not the same then we discard them and we move forward so how does this work for like a cisco router for example so between the two devices we actually have the same ability to look at the links look at the networks look at the addresses uh the types of links the costs and we have the ability to do that and that would be an example of a router hmac and that will be done using like ospf and the router authentication mechanism if the matching hash value is not matched on the other side the matching router r2 in this example would not allow for the connection between the two we do have a lab hashing things out and that's creating hash values using open ssh l and verifying hashes right the next main section is about confidentiality so data confidentiality typically comes in two main flavors and these are the encryption types symmetric and asymmetric so the difference is how they use the keys symmetric one key to encrypt and one key to decrypt sorry sorry that one key to encrypt is the same as the decryption key asymmetric is one encrypt one decrypt different keys for encryption different keys for decrypting when we're looking at a symmetric we're looking at things like des or triple desks or aes and again they have a pre-shared key that is used to encrypt and decrypt the data same key it is faster and it's common with bulk encryption and like vpn type traffic with asymmetric encryption again separate keys for encrypting from decrypting it is a little slower and you commonly see this with like https or accessing secured sites they use things like the rsa algorithm and they use the pki system or the public key infrastructure public key infrastructure allows for the management of these separate keys so again looking at this figure symmetric versus asymmetric symmetric same key to encrypt and decrypt asymmetric one key to encrypt different key to decrypt all right so let's dive a little deeper let's look at symmetric keys a little bit more in depth again pre-shared key they have the same key for encrypting and decrypting most key encryption keys are about between 112 and 256 bits the longer the key the more secure symmetric encryption algorithm is sometimes classified as a black block or stream cipher they can do it in blocks or in streams here is a example of a block cipher a block cipher will take blocks of chunks of data maybe 64 bits if we're using dash it is 64 bits if it's aes it's 728 bit blocks and then it goes to the algorithm and it will then encrypt the message a streaming cipher basically it's one bit at a time instead string deciphers will encrypt the plain text one byte or one bit at a time the ciphers are basically a block cipher with a block size of either one bit or one byte stream ciphers are typically faster than block ciphers because it's continuously being encrypted examples of stream ciphers could be like an rc4 or a5 which that's what a lot of the gsm cell phone communications are used for encryption all right so other forms of symmetric key encryption again aes is going to be the most most common we have a sill or rc or dash or triple desk realistically aes is the one that you need to pay the most attention to that is the current and strongest version of symmetric key encryption that is currently being used it offers combinations of 128 bit 192 bit and 256 key length and they encrypt 128 192 and 256 bit long data blocks all right so now that we talked about some metric let's talk about asymmetric again asymmetric is also called the public key algorithm they're based on different encryption and decryption based keys asymmetric we use a public key and a private key both keys are capable of the encryption process but they complemently pair with one another for decryption the process is reversible so data that is encrypted with a public key will require the private key to decrypt it so let me grab my pin we have our plain text we use our encryption key public keying will be encrypted and to decrypt it we will need the private key asymmetric algorithms achieve confidentiality and authenticity by using this process normally the key lengths are between 512 and 4900 sorry 4096. the asymmetric algorithms are substantially slower than symmetric but they do offer a much larger bit size and different keys so common ones for asymmetric are going to be things like dh or a digital signature standard or the elliptical curve dh is going to be a big one for vpn technologies this algorithm will allow the two parties to agree on a key and they will be part of a key exchange so how does this work so basically the private basically the public key will encrypt it the private key will decrypt it that provides the confidentiality public key encrypts the message private key decrypts the message so when there is a public key in use to encrypt the data the private key must be used to decrypt the data public key encrypt private key decrypt so this process can be summarized using the formula private key encryption public key decrypt this allows for authentication you'll notice i'm gonna go back one slide public key encrypt private key decrypt confidentiality authentication private key encrypt public key decrypt authentication they are switched when we're talking confidentiality public key is the encryption private key is the decryption for confidentiality for authentication private key encrypt public key decrypt they are different so i want to point that out when the private key is used to encrypt the data the corresponding private the corresponding key to that private key the public key must be used to decrypt the data because only one host has the private key only the host could have encrypted the message providing authentication for the sender so let's go through an example here we have alice sending a message to bob alice will use her private key to encrypt the message bob will get the encrypted message and will use alice's public key to decrypt the message alice's public key will decrypt the message thus allowing us to read the message so if we want to combine we can do that if we have a plain text we can use bob's public key if we have a hash we could use alice's private key we send that over we get the encrypted hash from bob's public key plus alice's public key we get a hash then we could use bob's private key to decrypt it so combining the two asymmetric encryption processes provide messaging confidentiality and authentication and integrity this is a lot more complicated than they needed to make it but essentially we can hash the messages and then we could use the keys to encrypt the hash the dh the diffie-hellman is an asymmetric algorithm that allows two computers to generate an identical shared secret without having communicated before the new shared key is never actually exchanged just calculated individually the key can be used by an encryption algorithm to encrypt traffic between the two systems following our two examples so the data exchange using ipsec vpn or ssh data is exchanged basically the dh is calculated and verifying the keys so that we can then actually get a shared secret message or shared key secret key without ever actually having been any communication with one another before dh groups are group 1 2 5 14 15 16 and they are all going to be based off of the different bits group 1 is 768 bits group 2 is 1024 bits group 14 is 2048 bits realistically most people use groups 2 or 14 but it's when you're doing the vpn you're going to look at what is actually functional the dh key agreement can also be on the electrical curve in cryptography and those are dh groups 19 20 24 and they're also supported by cisco ios but they are outside the scope of this realistically understanding the dh group is looking at asymmetric keys and understanding the bit length we do have a video in our chat or in our course shell explaining kind of cryptography at a very low level we have a lab for encrypting and decrypting we have a lab for setting up our scenario and actually encrypting a file as well as encrypting and recovering an encrypted password we have a lab examining telnet and ssh so we have a lot of labs in this chapter moving on to our next section is our public key cryptography so we know that this is asymmetric and we know that public key is dealing with key exchanges so the first use of the public key cryptography is going to be digital signatures these are mathematical techniques used to provide authentic authenticity integrity and non-repudiation you notice digital signatures typically on like https type websites they use a digital certificate to trust the different websites so again digital signatures are symmetric the digital signatures are commonly used in two situations digital certificates and code signing that way we can provide some type of integrity of files after they've been verified the digital signature standard or dss algorithm is used for generating and verifying digital signatures and they are things like the dsa rsa and the ecdsa realistically the digital signature algorithm and the rsa are the two big types of certificate standards or algorithms that we should be looking at the rsa is a encryption standard use algorithm that is becoming more difficult to break when we look at an asymmetric encryption digital signatures are commonly used to provide some level of assurance authenticity and integrity again looking at either the code or looking at a web content when they're signed with a certificate we trust the third party retrusts the website because we trust the signer of the certificate you go to your bank how do you know that it's the bank website the bank has a certificate that was issued by like their assigned well we trust the bank because we trust their assign that's how that digital certificate trust hierarchy works when we install an application the publishers of the software have a digital certificate for the software we install the software because again we trust the publisher basically this provides a certain level of non-refutation that that code if it has a signature was verified so digital signatures code signing if we're looking at a certificate we normally see a issue two could be a company or could be a website issued by who's actually issuing it it will be done through a certificate authority or ca and it will give a valid date range if we look at the details we can see the details of it normally we would look at the certificate path that's where our computer or our device is saving the certificate we have certificate information we have digital signature details and we have the sage the digital signature itself basically we look at the details and we can see the details of the certificate at our level the big one is issued to issued by and the valid date range when we look at the details we can look at a much more in-depth view of the certificate like the encryption type and things like that but oftentimes that is way outside the scope of what the average person is going to be looking at the digital signature for a digital certificate will look at things like issue 2 issued by an expiration date if we look at a physical certificate it's the same thing we look at who issued it who they issued it to and what the expiration date is that way we can have an independent verify that that is actually legitimate whether it's a physical certificate or a digital certificate okay so now let's try to look at this in a more realistic or real world scenario so we'll look through a scenario where we are using the digital signature so bob orders something they have a confirmed order and with that they're going to purchase something off of the website so bob will confirm the order and his computer will create a hash of the confirmation the computer will encrypt the hash with bob's private key the encrypted hash which is the digital signature will be added to the document and then the order confirmation is then sent to alice over the internet they can compare the two as well as the order form and the signature if long as they are equal then we know we are good the further this through what we are going to do on the receiving side so when alice receives this digital certificate signature the process will kind of go in reverse alice will receive the and accept the order from bob's computer looking at bob's digital signature and bob's public key alice computer will then decrypt the signature using bob's public key which reveals the assumed hash value of the sending device they will verify the hash are the same if they are the same then they will move forward if the hash is matched the document must be authentic that means the confirmation was sent by bob and has not changed thus the order is complete all right the next section is about the authorities and the overall pki trust system because oftentimes we don't think about how we verify our trust documents so we have a public key management so when we establish an asynchronous connection between two machines they will exchange key information a trusted third party on the internet will validate the authenticity of the public keys using digital certificates these third parties issue credentials that are very difficult to forge not impossible but difficult to forge from that point forward all the individuals will trust the third party simply accept the credentials that the third party has issued the overall pki infrastructure consists of very specific specifications systems and tools and all of these are used in creating managing and distributing using storing and revoking digital certificates the big thing here is we have a centralized authority called a certificate authority these certificate authorities cas are used to create the digital certificates by typing a public key information or a public key key to confirm identity such as a website or other individual this allows us to confirm the identity of something because we trust the third party and who they trust we inherently will trust so the pki infrastructure in a nutshell we have a support system or some type of framework that will facilitate that trust we have the certificate containing the entity or the individual's public key and that is issued by the certificate authority that validates and issues the certificate the certificate store will reside on a local computer and the local computer will verify it the certificate authority is a trusted third party that manages the keys the certificate database will actually be checked periodically to verify the certificate key is one valid and two hasn't been revoked so this is the general framework used to describe the public key infrastructure looking at it in a different way we have a certificate authority they are the ones that are issuing the certificates so they will issue us a certificate we may look at the certificate and we may verify their certificate and when we go to verify they will verify it through the certificate database to verify that they are legitimate the certificate authority so that it is not bogged down they will actually use a registration authority as a subordinate certificate authority so the registration authorities the ras will act on behalf of a certificate authority we could also have subordinate certificate authorities that act on behalf of a root or top level certificate authority issuing certificates on their behalf so let's look at the certificate or the pki authority systems so we know that the top level is certificate authority that the ca many vendors will do provide ca services as well as other managed services to end users organizations may also implement private systems says issue certificates based on classes and the classes are going to be based off of a description so class 0 is used for testing in situations no checks have been performed class 1 is used by individuals who require verification of an email class 2 is used by organizations for proof of identity is required class 3 is used for servers and software signing class 4 is used for online business transactions between companies and then class 5 are used for private organizations or government security so these are the six main classes the class numbers determined by how the rigorous the procedure is how much do we want to verify not all certificates are created equal if you want to have a trusted site that is the highest level security you may go for a class 5. if you are a business selling something online you'd go for class four if you are a personal website not really doing anything you may go for a class one maybe a class two the higher the class the more money you're paying the higher the class the more trusted the certificate is so we have a few different types of topologies for these systems we have a single root pki topology and that is where everyone goes to the root certificate authority to get certificates we have a cross certified certificate authority and that is where we have a root certificate authority and they actually then issue certificates through their subordinates that way the certificate authorities this the main cas are not bogged down but the fun part with that is the main certificate authorities can still issue certificates directly to individuals if they want this is more of a peer-to-peer model and this is kind of makes a little bit more less centralized we have a hierarchy certificate authority and that is where the root ca does not issue certificates to subordinates they only issue them to subordinate certificate authorities those certified authorities then issue them to computers or servers or other things here the root ca the highest level ca issues certificates only to subordinate certificate authorities while they can also still issue them to end users they're typically not done in that manner the interoperability of the different pki vendors the different vendors don't really matter it's more of a which one is the most trusted that's the thing is they're all fairly well trusted so the main interoperability between apki and its supporting services is the concern because the different vendors have proposed different implement priority solutions to address this the internet task force has published the internet x 509 public key infrastructure certificate policy and that is actually rfc 2527 and this outlines how all the different certificate authorities are supposed to behave so when i said all certificate authorities kind of do the same thing that's because they all should be following the x 509 version standard currently the x 509 version 3 standard defines the format of the certificates ldap and the x500 are the protocols that are used to query the directory services like active directory for verifying usernames and passwords that is different than a digital certificate that is 509 a x 500 again is more like ldap with active directory so a certificate should be have an enrollment authentication and a some type of revocation or revoking process these certificate authorities typically will have a certificate key that verifies the certificate that are issued by the ca and this is vital for the proper operations for the pki system the certificate enrollment process is used by the host to enroll in the pki to do so the certificate will actually retrieve in band over a network and the authentication is done out of band using a telephone for example or some other out-of-band mechanism the system will enroll the pki contact the ca to request and obtain the digital certificate this in itself will be self-signed by the certificate authority basically the final stage will verify the certificates or tip the ca certificate that was self-signed that was authentic and will then perform an out-of-band method for obtaining the fingerprint of the valid certificate authority identity basically they want to verify the certificate authority and make sure that it was actually the one that was self-signed making sure it was signed by the appropriate certificate authority even if it is self-signed only the root certificate authority can self-sign everything else below it must verify against the root certificate this is actually a lovely in-depth process that we needed to go deeper into and typically within the cisco realm you just have to understand that the hierarchy and the purpose of the certificates not so much the in-depth process because this actually is not even deep enough for the actual enrollment authentication and revocation of it uh in one of my server lectures i've actually discussed certificate authority and pki way more in-depth anywho so after we get done with that we do have a certificate lab and we actually look through the certificate lab so that we understand the certificate a certificate authority and checking format in the middle all right so moving on the last main section is about the application and impact of cryptography so pki is used by many different things to perform some basic security ssl or tls for certificate-based peer authentication or https web-based traffic or vpn traffic or sending secure email or sending secure messaging or encrypted file systems or code signing or smart cards or storage devices or or or or lots of stuff use pki and performing and protecting and encrypting their information and data data so an encrypted network transaction for example will actually need a valid certificate if we're doing vpn the vpn itself will use a certificate often and they're going to be looking at the date range the certificate error if the certificate has any errors if the certificate has been revoked or anything like that when we go to a website we're looking at http over ssl or via ssl tls or ssl in this regard are going to be the exact same thing tls is the newer version of ssl and are taking over the older version of ssl oftentimes when we are actually verifying a website content and encrypting the data over a network we are actually doing that with the certificate that is issued so the security analyst must know how to circumvent and solve these types of issues so here's a few different types configure rules to distinguish between ssl and non-ssl based traffic https and versus non-https traffic enhance security through service certificate validation using the appropriate cr crl's certificate revoke lists implement anti-malware for protection of url filtering and https based content and deploy things like appropriate ids and ips's so that they can actually prevent intrusions based off of invalid https based traffic cryptography is also very dynamic it's always changing it's always growing it's always been modified an algorithm today may be insecure tomorrow so it really just depends on what we are going through there are two main ways in which cryptography impacts security investigations first attackers can direct can be directed and specifically targeting the encryption algorithms themselves or the security investigator could also affect the data or the originality of the data because it's hidden in plain sight by encrypting the data if the data is encrypted it's hard for the investigator to actually review because it's encrypted so really just depends on the purpose that you're trying to get sometimes people encrypt data just because they want to encrypt the data it doesn't mean anything malicious it just could be you want to secure your stuff data encryption is becoming second hand in almost any type of modern-day device your mobile phone has encryption windows 10 windows 11 has built-in encryption macs linux machines all have built-in encryption so encryption is becoming pretty standard place now all right so we are wrapping up our cryptography summary we looked at a ton of things we looked at the elements of cryptography integrity authentication confidentiality non-repudiation we looked at hashing and hashing messages we looked at different types of encryption asymmetric versus symmetric we looked at different protocols deaths triple aes versus rsa and the pki model we looked at public key encryption private key decryption for confidentiality we looked at private key for encryption public key for decryption for authentication we looked at the overall components of a pki system that would be the specifications the systems the tools the way that they manage distribute use store revoke all the digital certificates the components of a pki system and we looked at many of the common features of the pki system and that is all for this chapter if you have any questions or anything please feel free to reach out again with this material being able to ask questions and discuss some of the topics in the lecture help build long-term retention so do not be afraid to communicate with this topic again i'm here if you need anything thank you you