Ahh the refreshing scent of cryptography. It’s like a fresh rose on valentines day.
In my last post you learned about VPNs. I showed you the nitty gritty itty details about the protocol and both phases (hopefully you didn’t phase out when you got to that part… pun intended)
So today we’re doing something that I love. We’re going to review the concepts you learned in the previous guides and then explore the thought provoking world of PKI. Public Key Infrastructure baby.
You know what time it is!
Alright so let’s review a few things first.
Do you remember the purpose of a hash?
If we filched a file form the internet and squeeze it through a hash algo the digest should match the digest posted on the vendor’s website. If it differed that could be a harbinger of something bad.
It could mean there’s malware in the file or bits have been corrupted but the bottom line is that the integrity of the file can’t be trusted so it shouldn’t be used in a production environment.
MD5 is a popular hashing algorithm is 128bits long. SHA is also another one. The cool thing about hashing is that even adding single period will result in a completely different digest in the file.
It’s that freggin’ sensitive.
Each hashing algorithm has its own idiosyncrasies. For example, SHA comes in lemon bitter 160bits, sour apple 265bits and my favorite: buttery popcorn 512bit flavors.
Having more bits is like having more sprinkles. It just gets better.
More bits equals more accuracy but it also makes the encryption/decryption process more onerous.
HMAC is hashing on steroids because it uses a common session key as the input for the hashing function. So if a man-in-the-middle doesn’t have the key he can’t trick anyone.
Have you ever seen two cars collide? It actually almost happened to me when I was a kid.
My mom was driving our dilapidated Chevy Sprint on the service road when, moments after switching lanes, a late model Mercedes came barreling at us at an extremely high velocity. It was one of the scariest moment of my life.
Thank God there was no collision there.
Well, in cryptography you can have two hashes that crash into each other too. For example, it’s possible that, although unlikely, you could run the same hashing machine on two different data chunks but get the same digest.
That’s bad because it bruises the accuracy of the hashing function.
The original MD5 and SHA algos were susceptible to collisions which is why most people uses the higher bit SHA 256 and SHA 512 variants. The more prone the algorithm is to collision the less assurance we have that the data integrity is accurate so you want to make sure you’re using a large bit depth.
AES, DES and 3DES are all symmetrical block ciphers with AES being the strongest of the bunch. In the same way, AES 256 is better than AES 128 but it hits the CPU a little harder. Even AES 128 is better than 3DES, so when in doubt go with AES.
AES 128 does a repetition of 10 cycles on the encryption block and AES 256 does 14 cycles of repetition. 3DES only repeats the encryption cycle 3 times which is one of the reasons its inferior to AES. Different keys are used for each round so it’s pretty secure.
Gettin’ Diffie wit’ it
Diffie-Hellman is an asymmetric algorithm and is mainly responsible for generating session keys.
Yup, you read that right. DH is an asymmetric algorithm used to generate private symmetric keys.
In IKE Phase 1 of the VPN negotiation process, both devices negotiate which flavor of DH they will use. There’s DH group 1, 2, 5 and 7; each number being progressively stronger than the previous number.
Then in the second phase of IKE, both devices will actually use DH to generate and exchange the session keys. But that’s not the intriguing part.
The really mind boggling thing about DH is that an attacker can eavesdrop on the negotiation process. An attacker can capture and analyze every single packet being sent between both parties and by the time the algorithm finishes, both the sender and receiver will have a session key but the hacker will still have no idea what the session key is.
DH lets us use an unprotected network to negotiate and exchange shared secret keys.
Deny! deny! deny!
Alright, one last thing and then we’ll be done.
I was once watching an episode of Jersey Shore (don’t ask me why) when the Situation was “caught in the act”. The evidence was unequivocal: he did it but against all reason he still categorically refused to admit the crime.
I remember him chanting:
deny! deny! deny!
And that reminds me of another benefit of encryption. It can also prevent the sender from denying who he is. This is called non-repudiation and it’s implemented with digital signatures. Since the sender is the only one who has access to his private key, when he encrypts a message with the private key and sends it to you you you now have undeniable proof that it came from that sender.
One of the most interesting features of cryptography is that most encryption algorithms are well known and published. In other words, anyone can looking how the AES algorithm works. The algorithm isn’t a secret. Thus, the security of the entire thing depends on protecting the private key. It’s all about the keys man.