Today we’re going to look into how we can make it safer to send traffic on networks. By embracing encryption we can protect the data that devices use to communicate with each other. So let me start by saying cryptography is an abstruse topic. Entire tomes have been written by pedantic professors with PhDs. My goal isn’t to explore the nuances of the math (although it is interesting!) Instead, I want you to have a big picture understanding of the basics of cryptography. In this four part series you’re going to learn:
- Exactly what is Encryption?
- What is the encryption key and why is it a big deal?
- The two types of encryption algorithms explained
- Have some integrity!
- “Can I have your autograph?” said the leary user to the server
I’ll explain what all this mean in articles later in the series but for now let’s get started with the bare bones basics.
I’m so excited you decided to join me on this adventure. I promise you’ll come out of this feeling confident and less confused.
Today we’re going to talk about the enigmatic world of Information Security, colloquially known as InfoSec. Despite the complexity of this field there are really only two states of information:
Data in motion is moving. Data at rest is staying.
Now by data I’m referring to any piece of digital information. The 10 page resignation email sitting in your drafts folder is data at rest. The iPhone photographs of your cat is data at rest. The streaming music collection of Taylor Swift is data in motion. The magic that happens in the interwebs after you submit your credit card number to Amazon is data in motion. All your Excel workbooks, Visio diagrams and Powerpoint power slides are all data!
Data is everywhere but not all data is created equally.
For example, the resignation letter is substantially more important than the “Hey, what are you doing?” text message you just sent your wife. The iPhone photographs of your cat are significantly less important than the picture you snapped of your social security card. Your gigantic Taylor Swift music collection is less important than the personal email she sent you saying you are her favorite fan.
You get the idea.
So today you’re going to learn about how we can protect data that is both moving and staying.
How Cisco thinks about Data Protection
Cisco is the preeminent company that designs, makes, and sells networking equipment.. It’s like the Xerox of copiers; the Coca Cola of soft drinks and the Google of search engines. Cisco is big!
And that’s why I want talk about data protection as Cisco thinks about it.
When you think about information security there are three areas that should concern us:
- The Data Plane
- The Management Plane
- The Control Plane
These are three three primary places where attacks can occur and therefore places where we need to implement countermeasures.
The Data Plane is where the data is forward or passed through the network to the correct destination. Switches are forwarding the frames at layer 2 and the routers are forwarding the packets at layer 3. HTTPS, DNS fall within this category.
The Management Plane refers to our ability to manage a network device. If we can’t SSH into a router or switch then that’s a issue of information security in the management plane.. The place where log messages are sent and reports are generated would also fall into this management function.
The Control Plane is the inside communication path used by your network.
Think about a coterie of friends or the President’s cabinet. There is inside information that only a select group of people (or devices) need to know about. So protecting the control plane ensures that keepalive messages and routing updates can be exchanged between authorized devices without the fear of interception or modification. It refers to any time the CPU of a network device is engaged.
Keepalives and routing updates force the router to process that information which influences the CPU; it has to think about it! So you want to make sure your network devices don’t do too much useless thinking (think: Denial of Service Attack).
Wow, I said thinking a lot haha. Okay so here’s the summary:
- Data Plane is about forwarding data
- Management Plane is about logging into network devices
- Control Plane is about protecting the CPU from spiking.
All three planes actually fall within a very important security topic known as the CIA.
Haha, I just realized that sounds like the Central Intelligence Agency. But that’s not the acronym I have in mind.
The CIA refers to keeping information confidential. It also means the information should have integrity meaning it is whole and hasn’t been changed. The A in CIA means the data needs to be always available. It’s there when you need it.
So let’s talk about this a little more because I think it’s super important.
You’re the king
Let’s say you’re the king of some superpower nation. Let’s call it Mightymorphia. I don’t know why that came to mind but stick with me lol.
As the mighty king of Mightymorphia you decide to declare war on Annoyingnisia. It’s a small country in the middle of the Atlantic that continually tries to enslave your people and subject them to high taxes. It’s time for justice!
So you draft a military campaign and email it to your trusted advisors. The email contains every detail of the attack including:
- The amount of men you plan to send
- When you’ll send them
- Where your men will be stationed
Do you think this is valuable intel for Annoyingnisia’s department of defense? You bet!
And that’s the point:
Confidentiality is all about secrecy.
The way we do that in network security is through encryption. And encryption is super super cool.
The Fiction of Encryption
Despite what you may hear in the media, encryption won’t make your data indomitable. Given enough motivation and time an adversary could crack the code and read your secret information. Let me show you what I mean with a simple example.
Let’s kick start your imagination again.
Pretend you work in the US Postal Service and you’re looking for a quick way to lose your job and go to jail. So you start opening and reading every letter that passes your way…
Most letters are bills, junk mail offers or maudlin love letters from 16 year olds but one letter in particular was extremely interesting.
This is what it said:
Kl Srvw Riilfh Hpsorbhh, wkdqn brx iru rshqlqj ph dqg frpsurplvlqj wkh hqfubswlrq nhb. Vlqfh brx duh uhdglqj wklv brx reylrxvob nqrz d wklqj ru wzr derxw Fhdvdu Flskhuv! Wkdqnv iru hdyhvgursslqj rq ph. L krsh brx jhw iluhg. - Vlqfhuhob Pu Zlhugr
What language is that? Some words can’t be pronounced because there are no vowels! It’s impossible to figure out what this means right?
Ha! That’s the fiction of encryption. The key to understanding the message is to know the key (pun intended) that was used to encipher the message.
Just as a car key opens a car door and your house key opens your house door an encryption key opens the door of your mind to understanding encrypted messages.
If you had the encryption key that was used to create the encrypted message (also known as ciphertext) then you could easily view the plaintext message.
Well it turns out the above example is using a very well known and weak encryption algorithm called a Caesar Cipher. The key I used was very simple:
I just offset each letter of the alphabet by three characters. So an H becomes a K and an i becomes an l (lowercase L). Now it’s obvious that the first word “Kl” is “Hi” because you have the key I used to create the ciphertext.
Here’s the plaintext message:
Hi Post Office Employee, thank you for opening me and compromising the encryption key. Since you are reading this you obviously know a thing or two about Ceasar Ciphers! Thanks for eavesdropping on me. I hope you get fired. - Sincerely Mr Wierdo
Here’s what the message looks like if I changed the key from a 3 character offset to a 20 character offset.
Bc Jimn Izzcwy Ygjfisyy, nbuhe sio zil ijyhcha gy uhx wigjligcmcha nby yhwlsjncih eys. Mchwy sio uly lyuxcha nbcm sio ivpciomfs ehiq u nbcha il nqi uvion Wyumul Wcjbylm! Nbuhem zil yupymxlijjcha ih gy. C bijy sio ayn zclyx. - Mchwylyfs Gl Qcylxi
Look at that! You instantly changed the ciphertext just by changing one small value in the key: the offset.
That’s how encryption works.
The example I just provided is extremely rudimentary but the math used in the real encryption algorithms today is mind boggling. We’re not going to get into that because I don’t understand how all that stuff works.
The Bottom Line
In this article you learned the difference between data at rest and data in motion. Then we talked about the data, management and control planes. And we finished up with a simple example of data encryption using the Caesar substitution cipher.
In the next guide we’ll break down to the two types of encryption (symmetric and asymmetric) and we’ll dive a little deeper into the enigmatic world of data encryption. Check back on the site tomorrow!