Hash Algorithms
Hashing is a mechanism that is used for data integrity assurance. Hashing is based on a one-way mathematical function that is relatively easy to compute but significantly difficult to reverse. Figure 29-1 illustrates how hashing is performed. Data of an arbitrary length is input into the hash function, and the result of the hash function is the fixed-length hash, which is known as the “digest” or “fingerprint.”
Figure 29-1 Hash Function
Well-known Hash Functions
Hash functions are helpful when ensuring data is not changed accidentally, such as by a communication error. Although hashing can be used to detect accidental changes, it cannot be used to guard against deliberate changes. There is no unique identifying information from the sender in the hashing procedure. Therefore, hashing is vulnerable to man-in-the-middle attacks and does not provide security to transmitted data.
The following are the three most commonly used cryptographic hash functions:
Message Digest 5 (MD5): MD5 is a one-way function that makes it easy to compute a hash from the given input data but makes it very difficult to compute input data given only a hash value. MD5 produces a 128-bit hash and is now considered a legacy algorithm that should be avoided.
Secure Hash Algorithm 1 (SHA-1): SHA-1 takes a message of up to 2^64 bits in length and produces a 160-bit message digest. The algorithm is slightly slower than MD5, but the larger message digest makes it more secure against brute-force collision and inversion attacks. It is now considered legacy and should be avoided when possible.
Secure Hash Algorithm 2 (SHA-2): SHA-2 algorithms are the secure hash algorithms that the U.S. government requires by law for use in certain applications. The SHA-2 family includes 224-bit, 256-bit, 384-bit, and 512-bit functions. When choosing a hashing algorithm, use SHA-256 or higher, as they are currently the most secure.
Authentication Using Hashing
Two systems that have agreed on a secret key can use the key along with a hash function to verify data integrity of communication between them by using a keyed hash. A message authentication code is produced by passing the message data along with the secret key through a hash algorithm. Only the sender and the receiver know the secret key, and the output of the hash function now depends on the message data and the secret key. Figure 29-2 illustrates how the message authentication code is created. Data of an arbitrary length is input into the hash function, together with a secret key. The result is the fixed-length hash that depends on the data and the secret key. This type of authentication is referred to as keyed-hash message authentication code (HMAC) and adds authentication to integrity assurance.
Figure 29-2 HMAC Hashing
HMAC functions can be used with MD5 (HMAC-MD5) or SHA-1 (HMAC-SHA-1). Figure 29-3 illustrates cryptographic authentication in action. The sender, Alice, wants to ensure that the message is not altered in transit and wants to provide a way for the receiver, Bob, to authenticate the origin of the message.
Figure 29-3 HMAC in Action
Alice inputs data and the secret key into the hashing algorithm and calculates the fixed-length message authentication code, or fingerprint. This authenticated fingerprint is then attached to the message and sent to Bob. Bob removes the fingerprint from the message and uses the received message with his copy of the secret key as input to the same hashing function. If the fingerprint that is calculated is identical to the fingerprint that was received, then data integrity has been verified. Also, the origin of the message is authenticated, because Alice is the only other party that possesses a copy of the shared secret key.
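The exchange between Alice and Bob, together with the earlier point that an unkeyed hash cannot guard against deliberate changes, as an added Python example that is not part of the original text. It assumes HMAC-SHA-256 rather than the HMAC-MD5 or HMAC-SHA-1 variants named above; the key, the messages, and all function names are constructed for illustration.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes for SHA-256

def hash_send(message: bytes) -> bytes:
    """Unkeyed integrity: append the plain SHA-256 digest to the message."""
    return message + hashlib.sha256(message).digest()

def hash_verify(packet: bytes) -> bool:
    """Receiver recomputes the unkeyed digest; no secret is involved."""
    message, digest = packet[:-TAG_LEN], packet[-TAG_LEN:]
    return hmac.compare_digest(hashlib.sha256(message).digest(), digest)

def hmac_send(key: bytes, message: bytes) -> bytes:
    """Alice: compute the keyed fingerprint and attach it to the message."""
    return message + hmac.new(key, message, hashlib.sha256).digest()

def hmac_verify(key: bytes, packet: bytes) -> bool:
    """Bob: remove the fingerprint, recompute it with his copy of the key."""
    if len(packet) < TAG_LEN:
        return False  # too short to carry a fingerprint
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison

def demo() -> dict:
    key = b"constructed-shared-secret"            # constructed sample key
    original = b"route 10.0.0.0/8 via 192.0.2.1"  # constructed sample message
    altered = b"route 10.0.0.0/8 via 192.0.2.66"  # same message, changed in transit
    # A deliberate change made without the key: the digest is simply recomputed.
    rewritten = hash_send(altered)
    return {
        "hash_accepts_original": hash_verify(hash_send(original)),
        "hash_accepts_rewritten": hash_verify(rewritten),       # change goes unnoticed
        "hmac_accepts_original": hmac_verify(key, hmac_send(key, original)),
        "hmac_accepts_rewritten": hmac_verify(key, rewritten),  # change is detected
        "hmac_accepts_wrong_key": hmac_verify(b"different-key", hmac_send(key, original)),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```
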
Hashing in Cisco Products
Cisco products use hashing for entity authentication, data integrity, and data authenticity purposes, such as the following:
IPsec gateways and clients use hashing algorithms to verify packet integrity and authenticity.
Cisco IOS routers use keyed hashing with secret keys to add authentication information to routing protocol updates.
Cisco software images that you can download from Cisco.com have MD5 and SHA-512 based checksums available, so that customers can check the integrity of downloaded images.