·         is a framework for a set of protocols for security at the network or packet processing layer of network communication.

·        provides security services at the IP layer

·        determine the algorithm(s) to use for the service(s), and

·        put in place any cryptographic keys required to provide the requested services.

·         used to protect one or more "paths" between a pair of hosts, between a pair of security gateways, or between a security gateway and a host

ESP: (Encapsulating Security Protocol)

·        used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service

·         applied alone, in combination with the IP Authentication Header (AH)

·        and may be employed in two ways: transport mode or tunnel mode

o   transport (not tunnel) mode, ESP is inserted after the IP header and before an upper layer protocol

o   tunnel mode, the 'inner' IP header carries the ultimate source and destination addresses, while an 'outer' IP header may contain distinct IP addresses, e.g., addresses of security gateways.  ESP protects the entire inner IP packet, including the entire inner IP header.

·        ESP is compatible with NAT and PAT, as its authentication and encryption do not incorporate the IP header being modified by NAT.

occurs when two different keys produce equivalent ciphertext from the same plaintext.

describes the algorithm for computing the subkeys for each round in a product cipher from the encryption (or decryption) key.

o   is a 32-bit number that is chosen to uniquely identify a particular SA for any connected device and is placed in AH or ESP datagrams

o    links each secure datagram to the security association.

o   The sending host uses it to identify and select which SA to use to secure every packet. The receiving host uses it to identify and select the encryption algorithm and key used to decrypt packets.

o   KNOWN as public key cryptography

o   Uses a class of algorithms in which the sender has a private key and the receiver has the sender's public key.

o   The public and private keys are generated at the same time, and data encrypted with one key can be decrypted with the other.

o   Data encrypted with the public key can be decrypted with the private key and

o   Data encrypted with the private key can be decrypted with the public key.

o   Data encrypted with the sender's public key CANNOT be decrypted with the receiver's private key. 

o   Asymmetric algorithms are relatively slow, and are NOT suited for encrypting large messages.

Symmetric key Cryptography (ciphers)

Which type of algorithm has the following charateristics:

Known as a Secret Key Cryptography

A class of algorithms in which the sender and receiver share a secret key.Primarily used to achieve confidentiality, but can provide authentication, integrity, and very limited non-repudiation.

Requires that the sender and receiver share a secret key, the first shared key must usually be established through "out-of-band" mechanisms in order to prevent the compromise of the key.

- attack model in which the cryptanalyst chooses a ciphertext and causes it to be decrypted with an unknown key. Specifically, portions of ciphertext are selected for decryption using trial keys, and compared with corresponding decrypted plaintext.

o   used to find collisions of hash functions. A "collision attack" allows an attacker to find two messages M1 and M2 that have the same hash value in fewer than 2^(L/2) attempts. 

For example:  if an attacker can create a malicious program that results in the same hash value as an innocuous program, the attacker can then substitute the innocuous program with a malicious program.

o   study of the frequency of letters or groups of letters in a ciphertext. The method is used as an aid to breaking classical ciphers.

study of how differences in an input can affect the resultant difference at the output.

For Example:  it is a chosen-plaintext/chosen-ciphertext cryptanalytic attack, where pairs of plaintexts are selected and the difference between the corresponding ciphertext are reviewed and analyzed.

ECB

CFB

CIPHER FEEDBACK BLOCK

With respect to DES, in which mode is the previous cipher text block is encrypted and the resulting output combined with the plaintext block XOR to produce the current cipher text block.

o   similar to CFB mode except that the quantity XORed with each plaintext block is generated independently of both the plaintext and cipher text.

Diffie-Hellman (aka exponential key agreement)

• is a key agreement algorithm used by two parties to agree on a shared secret.
• An algorithm for converting the shared secret into an arbitrary amount of keying material is provided. The resulting keying material is used as a symmetric encryption key.
•  requires that both the sender and recipient of a message have key pairs. By combining one's private key and the other party's public key, both parties can compute the same shared secret number. This number can then be converted into cryptographic keying material.
• The shared secret is NOT sent over the network.
• The protocol depends on the discrete logarithm problem for its security.
• is vulnerable to a man-in-the-middle attack since it does NOT authenticate the participants of the communication.

Discrete Logarithm – Encryption Algorithms

·        El Gama

·        Diffie Hellman

·        Elliptic Curve

Perfect Hash

·        should be a one-way function.

o   A one-way function is a mathematical function that is significantly easier to compute in one direction (the forward direction) than in the opposite direction (the inverse direction).

·        any two different messages of any size should have an exceedingly small probability of having the same hash value.

·        finding a pair of messages M1 and M2 that have the same hash value should take 2^(L/2) attempts, where L is the length of the hash value.

•  by itself, does NOT provide non-repudiation, i.e. protection against false denial of involvement in a communication.
• it's computationally infeasible to derive the original message from its hash
• resists birthday attacks

TLS protocol

• Based on the SSL 3.0 Protocol Specification as published by Netscape.
• Does NOT interoperate with SSL 
•  Composed of two layers:             
• TLS Record Protocol and the TLS Handshake Protocol

Provides:  authentication, confidentiality, integrity and interoperability

• Is used for encapsulation of various higher level protocols
• The connection is private. Symmetric cryptography is used for data encryption (e.g., DES, RC4, etc.)
• The connection is reliable. Message transport includes a message integrity check using a keyed MAC.
• Provides symmetric cryptography is used for data encryption (e.g., DES, RC4, etc.)
•  

o   The peer's identity can be authenticated using asymmetric cryptography

o   The negotiation of a shared secret is secure

o   An attacker cannot modify the communication without being detected

Block cipher

·        Is a symmetric key cipher and operates on a fixed length block of plain text and transforms it into a fixed length block of ciphertext. .

·        Certain modes of operation of a block cipher transform it into a keystream generator and so any block cipher can be used as a stream cipher.  Examples are DES in CFB or OFB modes.

·        On the other hand, a stream cipher operates on individual digits one at a time, and the transformation varies during the encryption.

Confusion

o   Substitution has been identified as a mechanism for primarily confusion

o   The goal is to conceal the statistical connection between the plaintext and ciphertext.

o   Refers to making the relationship between the key and the ciphertext as complex and involved as possible.

MD5 HASH

o   algorithm is designed to be quite fast on 32-bit machines

o   algorithm does not require any large substitution tables

o   provides a 128-bit value

o   provides for data integrity

An algorithm in which the keystream is generated bit by bit, in sync with the arrival of the plaintext. 

For Example:  Since the keystream arrives at the same time as the plaintext, the two must be independent.

Is an algorithm in which the keystream is generated based upon the previously received plaintext and the cryptovarible, or key. 

For example:  Since the keystream must be computed after the arrival of the plaintext, the output of the ciphertext is asynchronous with the arrival of the plaintext. 

Changing the order of the input data so that letters appear in a different order in the output ciphertext - this is also called permutation

This also causes diffusion. 

• It's a block cipher based on Rijindael Block Cipher algorithm
• Has a fixed block size of 128, and a key size of 128, 192, 256

Steps in sending a message digest: 

1. The sender must apply a hash function to the message to create a message digest
2. The message digest must be encrypted with a private key
3. The receiver must apply the same hash function to the message to verify the sender. 

What type of process/encryption is this called?

• Can only be used once
• If the data is not truly random, the security is comprised
• relies on physical security
• unbreakable by exhaustive search

 Symmetric Disadvantages/Issues:

o   impersonation of users upon compromise of secret key

o   key management issues when communicating with large network of users

o   secure distribution of shared secret

Symmetrical Cryptography has the following disadvantages?

Which cipher has the following charateristics:

• Employs a round transformation that consists of 3 layers of transformations
• Has a block length and key length can be specified to 128,192 and 256 bits
• Is an iterated cipher with a variable key length
• Is a block cipher

All of the following are components :

CA - Certificate Authority - confirms identifies of parties sending and receiving electronic communications. similar to a notary

RA - Registration Authority - an entity that is trusted by the CA to register / vouch for the identify of users to a CA

CRL - certificate revocation lists - lists of certificates that have been revoked

X.509 public key certificate - standard / format for defining digital certificates