SlideShare a Scribd company logo
1 of 44
Download to read offline
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 1
Network Security
Primer
Authentication and Encryption Techniques
Akshat Sharma,
Cisco Systems
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Core
Distribution
Catalyst
3750 Catalyst
3750
Catalyst
3750
Video-
Conferencing
Units
Server farms
C2960s
C2960s
C2960s
C2960s
C4500
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
Web
Auth
VLANs
802.1X ACLs
SGTs
MAB
Cisco Public© 2012 Cisco and/or its affiliates. All rights reserved. 6
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 7
• Defined by IEEE and designed to provide port-based
network access.
• 802.1x authenticates network clients using
information unique to the client and with credentials
known only to the client.
•Service known as port-level authentication
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 8
Username / Password
Directory
alice
c1sC0L1v
Certificate
Authority
Token
Server
Deployment Best Practices
Re-use Existing Credentials
Understand the Limitations of Existing Systems
Common Types
Passwords
Certificates
Tokens
Deciding Factors
Security Policy
Validation
Distribution & Maintenance
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 9
• The framework is defined by three authentication
processes:
1. The supplicant
Possibly a standalone device or an end user, such as a
remote user.
2. The authenticator
A device to which the supplicant directly connects and
through which the supplicant obtains network access
permission
3. The authentication server
The authenticator acts as a gateway to the authentication
server, which is responsible for actually authenticating the
supplicant.
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 10
Authenticator
(e.g. Switch, Access
Point, PAE)
Supplicant
(Client)
Enterprise NetworkSemi-Public Network /
Enterprise Edge
AuthenticationServer
(Radius Server/LDAP or
Kerberos)
R
A
D
I
U
S
NAS
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 11
• EAP
Extensible Authentication Protocol
A flexible protocol used to carry arbitrary authentication information
Typically rides on top of another protocol such as 802.1x (EAPoL) or
RADIUS/TACACS+, etc.
• EAP Messages
Request
Sent to supplicant to indicate a challenge
Response
Supplicant reply message
Success
Notification to supplicant of success
Failure
Notification to supplicant of failure
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 12
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 13
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 14
EthernetLaptop computer
802.1X Authenticator/Bridge
Radius Server
EAPOL-Start
EAP-Request/Identity
EAP-Response/Identity
EAP-Request
Radius-Access-Request
Radius-Access-Challenge
EAP-Response (cred) Radius-Access-Request
EAP-Success
Access blocked
Port connect
Radius-Access-Accept
Access allowed
RADIUSEAPOL
Cisco Public© 2012 Cisco and/or its affiliates. All rights reserved. 15
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 16
• MAB stands for MAC Authentication Bypass.
• It enables port-based access control using the MAC address of
the endpoint.
• A MAB-enabled port can be dynamically enabled or disabled
based on the MAC address of the device that connects to it.
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 17
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 18
• WebAuth is a Layer 3 authentication method.
• After IEEE 802.1X (or MAB) has timed out or failed, the port is
opened long enough to allow the packets required for WebAuth.
• After the port has been opened, the switch enforces a preconfigured
ACL in some VLAN
• At a minimum, the preconfigured ACL should allow the traffic required
to complete the WebAuth process. In most cases, the ACL should at
least allow DHCP (so the client can acquire an address) and DNS (so
the client can trigger WebAuth when using fully qualified domain
names in URLs).
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 19
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 20
802.1Q Trunk
EAP Authentication
AAA
Corporate
Resources
Internet
Employee
Guest User
802.1X fails
MAB : “Printer”
Employee Vlan
Web-Auth
802.1X fails
MAB fails
Guest Vlan
Cisco Public© 2012 Cisco and/or its affiliates. All rights reserved. 21
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 22
• Brute Force considerations : 128 to 256 bit keys
• Landauer’s Limit  kT ln 2 (10^18 Joules for 128 bits)
• Available Wireless Encryption Techniques:
WEP (outdated)
WPA + TKIP (most compatible, less secure)
WPA2+AES (Most secure)
• DO NOT use WEP!
• PKI infrastructure for strong Authentication and encryption  WPA2-AES
+ PKI based 802.1x
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 23
• Basically a pseudo random number generator that encrypts data
packets.
• Start with generic 802.11 packet
• Use a secret key plus IV to seed RC4 stream cipher to create
pseudo random number
• Create a CRC-32 of data portion of packet which is then called ICV.
• Data || ICV XOR Pseudo Random Number = Encrypted portion of
WEP Packet
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 24
Frame Header Frame Body FCS
Secret Key
(40Bits)
RC4 Algorithm
IV
(24bits)
Generic 802.11 Packet Frame
Shared before communication
begins
Created by
Sending Device
Integrity Check
Algorithm
Frame Body ICV
Frame Header IV Frame Body ICV FCS WEP Packet Frame
Encrypted
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 25
• Key Generation
• ICV Generation
• Weak Key’s and Weak IV’s
• WEP Attacks
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
• The main problem of WEP is Key Generation.
• Secret Key is too small, only 40 Bits.
Very susceptible to brute force attacks.
• IV is too small.
Only 16 Million different possibilities for every packet.
• Secret Keys are accessible to user, therefore not secret.
• Key distribution is done manually.
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 27
• The ICV is generated from a cyclic redundancy check (CRC-32)
Only a simple arithmetic computation. Can be done easily
by anyone.
Not cryptographically secure.
• Easy for attacker to change packet and then change ICV to get
response from AP.
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 28
• Certain keys are more susceptible to showing the relationship between
plaintext and ciphertext.
There are approx 9000 weak keys out of the 40 bit WEP
secret key.
• Weak IV will correspond to weak Keys.
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 29
• Replay
Statistical gathering of certain ciphertext that once sent to server will cause
wanted reaction.
• 802.11 LLC Encapsulation
Predictable headers to find ciphertext, plaintext combinations
• Denial of Service Attacks
Flooding the 2.4Ghz frequency with noise.
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
• 802.1x
• WPA
• 802.11i
• All much more secure.
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
Cisco Public© 2012 Cisco and/or its affiliates. All rights reserved. 32
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 33
Encryption
“The quick
brown fox
jumps over
the lazy
dog”
“AxCv;5bmEseTfid3)
fGsmWe#4^,sdgfMwi
r3:dkJeTsY8Rs@!q3
%”
“The quick
brown fox
jumps over
the lazy
dog”
Decryption
Plain-text input
Plain-text outputCipher-text
Same key
(shared secret)
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 34
• Strength:
Simple and really very fast (order of 1000 to 10000 faster than asymmetric
mechanisms)
Super-fast (and somewhat more secure) if done in hardware (DES, Rijndael)
• Weakness:
Must agree the key beforehand
Securely pass the key to the other party
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 35
• Knowledge of the encryption key doesn’t give you knowledge of the
decryption key
• Receiver of information generates a pair of keys
Publish the public key in a directory
• Then anyone can send him messages that only she can read
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 36
Encryption
“The quick
brown fox
jumps over
the lazy dog”
“Py75c%bn&*)9|fDe^bD
Faq#xzjFr@g5=&nmdFg
$5knvMd’rkvegMs”
“The quick
brown fox
jumps over
the lazy dog”
Decryption
Clear-text Input Clear-text OutputCipher-text
Different keys
Recipient’s
public key
Recipient’s
private key
privatepublic
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 37
• Weakness:
Extremely slow
Susceptible to “known ciphertext” attack
Problem of trusting public key (see later on PKI)
• Strength
Solves problem of passing the key
Allows establishment of trust context between parties
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 38
As above, repeated
for other recipients
or recovery agents
Digital
Envelope
Other recipient’s or
agent’s public key
(in certificate)
in recovery policy
Launch key
for nuclear
missile
“RedHeat”
is...
Symmetric key
encrypted asymmetrically
(e.g., RSA)
Digital
Envelope
User’s
public key
(in certificate)
RNG
Randomly-
Generated symmetric
“session” key
Symmetric
encryption
(e.g. DES)
*#$fjda^j
u539!3t
t389E *&@
5e%32^kd
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 39
*#$fjda^j
u539!3t
t389E *&@
5e%32^kd
Launch key
for nuclear
missile
“RedHeat”
is...
Symmetric
decryption
(e.g. DES)
Digital
Envelope
Asymmetric
decryption of
“session” key (e.g. RSA)
Symmetric
“session” key
Session key must be
decrypted using the
recipient’s private key
Digital envelope
contains “session” key
encrypted using
recipient’s public key
Recipient’s
private key
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 40
• We just solved the problem of symmetric key distribution by using
public/private keys
• But…
• Scott creates a keypair (private/public) and quickly tells the world
that the public key he published belongs to Bill
• People send confidential stuff to Bill
• Bill does not have the private key to read them…
• Scott reads Bill’s messages 
• Solution ? – Remember Digital Signatures ?
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 41
Hash
Function
(SHA, MD5)
Jrf843kjfgf*
£$&Hdif*7o
Usd*&@:<C
HDFHSD(**
Py75c%bn&*)9|fDe^b
DFaq#xzjFr@g5=&n
mdFg$5knvMd’rkveg
Ms”
This is a
really long
message
about
Bill’s…
Asymmetric
Encryption
Message or File Digital Signature128 bits Message
Digest
Calculate a short
message digest from
even a long input using a
one-way message digest
function (hash)
Signatory’s
private key
private
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 42
Jrf843kjf
gf*£$&Hd
if*7oUsd
*&@:<CHD
FHSD(**
Py75c%bn&*)
9|fDe^bDFaq
#xzjFr@g5=
&nmdFg$5kn
vMd’rkvegMs”
Asymmetric
decryption
(e.g. RSA)
Everyone has access
to trusted public key of
the signatory
Signatory’s
public key
Digital Signature
This is a
really long
message
about Bill’s…
Same hash function
(e.g. MD5, SHA…)
Original Message
Py75c%bn&*)
9|fDe^bDFaq
#xzjFr@g5=
&nmdFg$5kn
vMd’rkvegMs”
? == ?
Are They Same?
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 43
• Message is captured.
• Hash value of the message is calculated.
• Sender's private key is retrieved from the sender's digital certificate.
• Hash value is encrypted with the sender's private key.
• Encrypted hash value is appended to the message as a digital signature.
• Message is sent.
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 44
• Sender's public key is retrieved from the sender's digital certificate
• Encrypted hash value is decrypted with the sender's public key.
• Decrypted hash value is compared against the hash value produced on receipt.
• If the values match, the message is valid.
• Message is received.
• Digital signature containing
encrypted hash value is retrieved
from the message.
• Message is retrieved.
• Hash value of the message is
calculated.

More Related Content

What's hot

Cisco Connect Toronto 2017 - Cloud and On Premises Collaboration Security Exp...
Cisco Connect Toronto 2017 - Cloud and On Premises Collaboration Security Exp...Cisco Connect Toronto 2017 - Cloud and On Premises Collaboration Security Exp...
Cisco Connect Toronto 2017 - Cloud and On Premises Collaboration Security Exp...Cisco Canada
 
Cisco Connect Toronto 2017 - UCS and Hyperflex update
Cisco Connect Toronto 2017 - UCS and Hyperflex updateCisco Connect Toronto 2017 - UCS and Hyperflex update
Cisco Connect Toronto 2017 - UCS and Hyperflex updateCisco Canada
 
Rome 2017: Building advanced voice assistants and chat bots
Rome 2017: Building advanced voice assistants and chat botsRome 2017: Building advanced voice assistants and chat bots
Rome 2017: Building advanced voice assistants and chat botsCisco DevNet
 
Cisco Digital Network Architecture – Deeper Dive, “From the Gates to the GUI
Cisco Digital Network Architecture – Deeper Dive, “From the Gates to the GUICisco Digital Network Architecture – Deeper Dive, “From the Gates to the GUI
Cisco Digital Network Architecture – Deeper Dive, “From the Gates to the GUICisco Canada
 
TechWiseTV Workshop: Programmable ASICs
TechWiseTV Workshop: Programmable ASICsTechWiseTV Workshop: Programmable ASICs
TechWiseTV Workshop: Programmable ASICsRobb Boyd
 
Cloud and On Premises Collaboration Security Explained
Cloud and On Premises Collaboration Security ExplainedCloud and On Premises Collaboration Security Explained
Cloud and On Premises Collaboration Security ExplainedCisco Canada
 
Application Visibility and Experience through Flexible Netflow
Application Visibility and Experience through Flexible NetflowApplication Visibility and Experience through Flexible Netflow
Application Visibility and Experience through Flexible NetflowCisco DevNet
 
Cisco Connect Vancouver 2017 - Gain insight and programmability with Cisco DC...
Cisco Connect Vancouver 2017 - Gain insight and programmability with Cisco DC...Cisco Connect Vancouver 2017 - Gain insight and programmability with Cisco DC...
Cisco Connect Vancouver 2017 - Gain insight and programmability with Cisco DC...Cisco Canada
 
Understanding Cisco’s Next Generation SD-WAN Solution with Viptela
Understanding Cisco’s Next Generation SD-WAN Solution with ViptelaUnderstanding Cisco’s Next Generation SD-WAN Solution with Viptela
Understanding Cisco’s Next Generation SD-WAN Solution with ViptelaCisco Canada
 
Gain Insight and Programmability with Cisco DC Networking
Gain Insight and Programmability with Cisco DC NetworkingGain Insight and Programmability with Cisco DC Networking
Gain Insight and Programmability with Cisco DC NetworkingCisco Canada
 
Meraki Cloud Networking Workshop
Meraki Cloud Networking WorkshopMeraki Cloud Networking Workshop
Meraki Cloud Networking WorkshopCisco Canada
 
CCNAv5 - S4: Chapter 7: Securing Site-to-site Connectivity
CCNAv5 - S4: Chapter 7: Securing Site-to-site ConnectivityCCNAv5 - S4: Chapter 7: Securing Site-to-site Connectivity
CCNAv5 - S4: Chapter 7: Securing Site-to-site ConnectivityVuz Dở Hơi
 
Q Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - ConjurQ Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - Conjurconjur_inc
 
Packet tracer 6.2 new features
Packet tracer 6.2 new featuresPacket tracer 6.2 new features
Packet tracer 6.2 new featuresSebastien Langlois
 
FIWARE Global Summit - Identity Management and Access Control
FIWARE Global Summit - Identity Management and Access ControlFIWARE Global Summit - Identity Management and Access Control
FIWARE Global Summit - Identity Management and Access ControlFIWARE
 
Cisco Connect Toronto 2017 - Optimizing your client's Wi-Fi Experience
Cisco Connect Toronto 2017 - Optimizing your client's Wi-Fi ExperienceCisco Connect Toronto 2017 - Optimizing your client's Wi-Fi Experience
Cisco Connect Toronto 2017 - Optimizing your client's Wi-Fi ExperienceCisco Canada
 
CCNAv5 - S1: Chapter 1 Exploring The Network
CCNAv5 - S1: Chapter 1 Exploring The NetworkCCNAv5 - S1: Chapter 1 Exploring The Network
CCNAv5 - S1: Chapter 1 Exploring The NetworkVuz Dở Hơi
 
FIWARE Global Summit - Real-time Media Stream Processing Using Kurento
FIWARE Global Summit - Real-time Media Stream Processing Using KurentoFIWARE Global Summit - Real-time Media Stream Processing Using Kurento
FIWARE Global Summit - Real-time Media Stream Processing Using KurentoFIWARE
 
CCNA 1 Routing and Switching v5.0 Chapter 1
CCNA 1 Routing and Switching v5.0 Chapter 1CCNA 1 Routing and Switching v5.0 Chapter 1
CCNA 1 Routing and Switching v5.0 Chapter 1Nil Menon
 
Cisco Connect Vancouver 2017 - Putting firepower into the next generation fir...
Cisco Connect Vancouver 2017 - Putting firepower into the next generation fir...Cisco Connect Vancouver 2017 - Putting firepower into the next generation fir...
Cisco Connect Vancouver 2017 - Putting firepower into the next generation fir...Cisco Canada
 

What's hot (20)

Cisco Connect Toronto 2017 - Cloud and On Premises Collaboration Security Exp...
Cisco Connect Toronto 2017 - Cloud and On Premises Collaboration Security Exp...Cisco Connect Toronto 2017 - Cloud and On Premises Collaboration Security Exp...
Cisco Connect Toronto 2017 - Cloud and On Premises Collaboration Security Exp...
 
Cisco Connect Toronto 2017 - UCS and Hyperflex update
Cisco Connect Toronto 2017 - UCS and Hyperflex updateCisco Connect Toronto 2017 - UCS and Hyperflex update
Cisco Connect Toronto 2017 - UCS and Hyperflex update
 
Rome 2017: Building advanced voice assistants and chat bots
Rome 2017: Building advanced voice assistants and chat botsRome 2017: Building advanced voice assistants and chat bots
Rome 2017: Building advanced voice assistants and chat bots
 
Cisco Digital Network Architecture – Deeper Dive, “From the Gates to the GUI
Cisco Digital Network Architecture – Deeper Dive, “From the Gates to the GUICisco Digital Network Architecture – Deeper Dive, “From the Gates to the GUI
Cisco Digital Network Architecture – Deeper Dive, “From the Gates to the GUI
 
TechWiseTV Workshop: Programmable ASICs
TechWiseTV Workshop: Programmable ASICsTechWiseTV Workshop: Programmable ASICs
TechWiseTV Workshop: Programmable ASICs
 
Cloud and On Premises Collaboration Security Explained
Cloud and On Premises Collaboration Security ExplainedCloud and On Premises Collaboration Security Explained
Cloud and On Premises Collaboration Security Explained
 
Application Visibility and Experience through Flexible Netflow
Application Visibility and Experience through Flexible NetflowApplication Visibility and Experience through Flexible Netflow
Application Visibility and Experience through Flexible Netflow
 
Cisco Connect Vancouver 2017 - Gain insight and programmability with Cisco DC...
Cisco Connect Vancouver 2017 - Gain insight and programmability with Cisco DC...Cisco Connect Vancouver 2017 - Gain insight and programmability with Cisco DC...
Cisco Connect Vancouver 2017 - Gain insight and programmability with Cisco DC...
 
Understanding Cisco’s Next Generation SD-WAN Solution with Viptela
Understanding Cisco’s Next Generation SD-WAN Solution with ViptelaUnderstanding Cisco’s Next Generation SD-WAN Solution with Viptela
Understanding Cisco’s Next Generation SD-WAN Solution with Viptela
 
Gain Insight and Programmability with Cisco DC Networking
Gain Insight and Programmability with Cisco DC NetworkingGain Insight and Programmability with Cisco DC Networking
Gain Insight and Programmability with Cisco DC Networking
 
Meraki Cloud Networking Workshop
Meraki Cloud Networking WorkshopMeraki Cloud Networking Workshop
Meraki Cloud Networking Workshop
 
CCNAv5 - S4: Chapter 7: Securing Site-to-site Connectivity
CCNAv5 - S4: Chapter 7: Securing Site-to-site ConnectivityCCNAv5 - S4: Chapter 7: Securing Site-to-site Connectivity
CCNAv5 - S4: Chapter 7: Securing Site-to-site Connectivity
 
Q Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - ConjurQ Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - Conjur
 
Packet tracer 6.2 new features
Packet tracer 6.2 new featuresPacket tracer 6.2 new features
Packet tracer 6.2 new features
 
FIWARE Global Summit - Identity Management and Access Control
FIWARE Global Summit - Identity Management and Access ControlFIWARE Global Summit - Identity Management and Access Control
FIWARE Global Summit - Identity Management and Access Control
 
Cisco Connect Toronto 2017 - Optimizing your client's Wi-Fi Experience
Cisco Connect Toronto 2017 - Optimizing your client's Wi-Fi ExperienceCisco Connect Toronto 2017 - Optimizing your client's Wi-Fi Experience
Cisco Connect Toronto 2017 - Optimizing your client's Wi-Fi Experience
 
CCNAv5 - S1: Chapter 1 Exploring The Network
CCNAv5 - S1: Chapter 1 Exploring The NetworkCCNAv5 - S1: Chapter 1 Exploring The Network
CCNAv5 - S1: Chapter 1 Exploring The Network
 
FIWARE Global Summit - Real-time Media Stream Processing Using Kurento
FIWARE Global Summit - Real-time Media Stream Processing Using KurentoFIWARE Global Summit - Real-time Media Stream Processing Using Kurento
FIWARE Global Summit - Real-time Media Stream Processing Using Kurento
 
CCNA 1 Routing and Switching v5.0 Chapter 1
CCNA 1 Routing and Switching v5.0 Chapter 1CCNA 1 Routing and Switching v5.0 Chapter 1
CCNA 1 Routing and Switching v5.0 Chapter 1
 
Cisco Connect Vancouver 2017 - Putting firepower into the next generation fir...
Cisco Connect Vancouver 2017 - Putting firepower into the next generation fir...Cisco Connect Vancouver 2017 - Putting firepower into the next generation fir...
Cisco Connect Vancouver 2017 - Putting firepower into the next generation fir...
 

Viewers also liked

Network Security Tools and applications
Network Security Tools and applicationsNetwork Security Tools and applications
Network Security Tools and applicationswebhostingguy
 
Presentation1 new (1) (1)cf
Presentation1 new (1) (1)cfPresentation1 new (1) (1)cf
Presentation1 new (1) (1)cftoamma
 
Contaminacion del aire y de las aguas
Contaminacion del aire y de las aguas Contaminacion del aire y de las aguas
Contaminacion del aire y de las aguas Jorge Salazar
 
Network security & cryptography
Network security & cryptographyNetwork security & cryptography
Network security & cryptographypinkutinku26
 
Celebrity Cricket League 2016 - http://ccl5.com/
Celebrity Cricket League 2016 - http://ccl5.com/ Celebrity Cricket League 2016 - http://ccl5.com/
Celebrity Cricket League 2016 - http://ccl5.com/ Tania Agni
 
Rashed al kamdah network security threats
Rashed al kamdah network security threatsRashed al kamdah network security threats
Rashed al kamdah network security threatsrashidalkamdah
 
Cryptography and network security
 Cryptography and network security Cryptography and network security
Cryptography and network securityMahipesh Satija
 
Presentation network security
Presentation network securityPresentation network security
Presentation network securitycegonsoft1999
 
Network security and cryptography
Network security and cryptographyNetwork security and cryptography
Network security and cryptographyPavithra renu
 
Network and network security
Network and network securityNetwork and network security
Network and network securityRuchi Gupta
 
Network security - Basic concepts
Network security - Basic conceptsNetwork security - Basic concepts
Network security - Basic conceptsKhoa Nguyen
 
network security, cryptography,steganography
network security, cryptography,steganographynetwork security, cryptography,steganography
network security, cryptography,steganographyNikhil l
 
Pgp security mule
Pgp security   mulePgp security   mule
Pgp security muleSindhu VL
 
Cryptography and network security
Cryptography and network securityCryptography and network security
Cryptography and network securityNagendra Um
 
key distribution in network security
key distribution in network securitykey distribution in network security
key distribution in network securitybabak danyal
 

Viewers also liked (20)

Network Security Tools and applications
Network Security Tools and applicationsNetwork Security Tools and applications
Network Security Tools and applications
 
Presentation1 new (1) (1)cf
Presentation1 new (1) (1)cfPresentation1 new (1) (1)cf
Presentation1 new (1) (1)cf
 
Contaminacion del aire y de las aguas
Contaminacion del aire y de las aguas Contaminacion del aire y de las aguas
Contaminacion del aire y de las aguas
 
Networksecurity&cryptography
Networksecurity&cryptographyNetworksecurity&cryptography
Networksecurity&cryptography
 
E securty
E securtyE securty
E securty
 
Party pronto pres new
Party pronto pres newParty pronto pres new
Party pronto pres new
 
Network security & cryptography
Network security & cryptographyNetwork security & cryptography
Network security & cryptography
 
Celebrity Cricket League 2016 - http://ccl5.com/
Celebrity Cricket League 2016 - http://ccl5.com/ Celebrity Cricket League 2016 - http://ccl5.com/
Celebrity Cricket League 2016 - http://ccl5.com/
 
Rashed al kamdah network security threats
Rashed al kamdah network security threatsRashed al kamdah network security threats
Rashed al kamdah network security threats
 
Cryptography and network security
 Cryptography and network security Cryptography and network security
Cryptography and network security
 
Presentation network security
Presentation network securityPresentation network security
Presentation network security
 
Network security and cryptography
Network security and cryptographyNetwork security and cryptography
Network security and cryptography
 
Network and network security
Network and network securityNetwork and network security
Network and network security
 
Nymble: Blocking System
Nymble: Blocking SystemNymble: Blocking System
Nymble: Blocking System
 
Network security - Basic concepts
Network security - Basic conceptsNetwork security - Basic concepts
Network security - Basic concepts
 
network security, cryptography,steganography
network security, cryptography,steganographynetwork security, cryptography,steganography
network security, cryptography,steganography
 
Pgp security mule
Pgp security   mulePgp security   mule
Pgp security mule
 
Pgp smime
Pgp smimePgp smime
Pgp smime
 
Cryptography and network security
Cryptography and network securityCryptography and network security
Cryptography and network security
 
key distribution in network security
key distribution in network securitykey distribution in network security
key distribution in network security
 

Similar to Basic Network Security_Primer

Wan Technologies
Wan TechnologiesWan Technologies
Wan TechnologiesAKLI
 
Data Center Security
Data Center SecurityData Center Security
Data Center SecurityCisco Canada
 
Desayuno Tecnico OVN - Xsigo
Desayuno Tecnico OVN - XsigoDesayuno Tecnico OVN - Xsigo
Desayuno Tecnico OVN - XsigoFran Navarro
 
IPv6 Security - Myths and Reality
IPv6 Security - Myths and RealityIPv6 Security - Myths and Reality
IPv6 Security - Myths and RealitySwiss IPv6 Council
 
CCNP Switching Chapter 10
CCNP Switching Chapter 10CCNP Switching Chapter 10
CCNP Switching Chapter 10Chaing Ravuth
 
End-to-End Data Center Virtualization
End-to-End Data Center VirtualizationEnd-to-End Data Center Virtualization
End-to-End Data Center VirtualizationCisco Canada
 
ITE v5.0 - Chapter 6
ITE v5.0 - Chapter 6ITE v5.0 - Chapter 6
ITE v5.0 - Chapter 6Irsandi Hasan
 
Wireless Feature Update
Wireless Feature UpdateWireless Feature Update
Wireless Feature UpdateCisco Canada
 
Itn6 instructor materials_chapter1
Itn6 instructor materials_chapter1Itn6 instructor materials_chapter1
Itn6 instructor materials_chapter1limenih muluneh
 
Fundamentals of network hacking
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hackingPranshu Pareek
 
CCNAv5 - S4: Chapter 4 Frame Relay
CCNAv5 - S4: Chapter 4 Frame RelayCCNAv5 - S4: Chapter 4 Frame Relay
CCNAv5 - S4: Chapter 4 Frame RelayVuz Dở Hơi
 
Cn instructor ppt_chapter4_final
Cn instructor ppt_chapter4_finalCn instructor ppt_chapter4_final
Cn instructor ppt_chapter4_finalLeoo Romo
 
Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010
Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010
Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010Priyanka Aash
 
cisco-nti-Day19
cisco-nti-Day19cisco-nti-Day19
cisco-nti-Day19eyad alaa
 
Managing the SSL Process
Managing the SSL ProcessManaging the SSL Process
Managing the SSL ProcessRocket Software
 
Cisco --introduction-to-storage-area-networking-technologies
Cisco --introduction-to-storage-area-networking-technologiesCisco --introduction-to-storage-area-networking-technologies
Cisco --introduction-to-storage-area-networking-technologiesssuser79fc19
 
Presentation cisco prime for ip ngn technical education series introduction...
Presentation   cisco prime for ip ngn technical education series introduction...Presentation   cisco prime for ip ngn technical education series introduction...
Presentation cisco prime for ip ngn technical education series introduction...xKinAnx
 
Introduction to Segment Routing
Introduction to Segment RoutingIntroduction to Segment Routing
Introduction to Segment RoutingMyNOG
 

Similar to Basic Network Security_Primer (20)

2012 ah vegas wlan security fundamentals
2012 ah vegas   wlan security fundamentals2012 ah vegas   wlan security fundamentals
2012 ah vegas wlan security fundamentals
 
Wan Technologies
Wan TechnologiesWan Technologies
Wan Technologies
 
Data Center Security
Data Center SecurityData Center Security
Data Center Security
 
Desayuno Tecnico OVN - Xsigo
Desayuno Tecnico OVN - XsigoDesayuno Tecnico OVN - Xsigo
Desayuno Tecnico OVN - Xsigo
 
IPv6 Security - Myths and Reality
IPv6 Security - Myths and RealityIPv6 Security - Myths and Reality
IPv6 Security - Myths and Reality
 
CCNP Switching Chapter 10
CCNP Switching Chapter 10CCNP Switching Chapter 10
CCNP Switching Chapter 10
 
End-to-End Data Center Virtualization
End-to-End Data Center VirtualizationEnd-to-End Data Center Virtualization
End-to-End Data Center Virtualization
 
ITE v5.0 - Chapter 6
ITE v5.0 - Chapter 6ITE v5.0 - Chapter 6
ITE v5.0 - Chapter 6
 
Wireless Feature Update
Wireless Feature UpdateWireless Feature Update
Wireless Feature Update
 
Itn6 instructor materials_chapter1
Itn6 instructor materials_chapter1Itn6 instructor materials_chapter1
Itn6 instructor materials_chapter1
 
Fundamentals of network hacking
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hacking
 
CCNAv5 - S4: Chapter 4 Frame Relay
CCNAv5 - S4: Chapter 4 Frame RelayCCNAv5 - S4: Chapter 4 Frame Relay
CCNAv5 - S4: Chapter 4 Frame Relay
 
Cn instructor ppt_chapter4_final
Cn instructor ppt_chapter4_finalCn instructor ppt_chapter4_final
Cn instructor ppt_chapter4_final
 
Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010
Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010
Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010
 
AlexsanderLima
AlexsanderLimaAlexsanderLima
AlexsanderLima
 
cisco-nti-Day19
cisco-nti-Day19cisco-nti-Day19
cisco-nti-Day19
 
Managing the SSL Process
Managing the SSL ProcessManaging the SSL Process
Managing the SSL Process
 
Cisco --introduction-to-storage-area-networking-technologies
Cisco --introduction-to-storage-area-networking-technologiesCisco --introduction-to-storage-area-networking-technologies
Cisco --introduction-to-storage-area-networking-technologies
 
Presentation cisco prime for ip ngn technical education series introduction...
Presentation   cisco prime for ip ngn technical education series introduction...Presentation   cisco prime for ip ngn technical education series introduction...
Presentation cisco prime for ip ngn technical education series introduction...
 
Introduction to Segment Routing
Introduction to Segment RoutingIntroduction to Segment Routing
Introduction to Segment Routing
 

More from n|u - The Open Security Community

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 

More from n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Recently uploaded

Presentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a ParagraphPresentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a ParagraphNetziValdelomar1
 
Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...raviapr7
 
Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.raviapr7
 
Prescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxPrescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxraviapr7
 
Philosophy of Education and Educational Philosophy
Philosophy of Education  and Educational PhilosophyPhilosophy of Education  and Educational Philosophy
Philosophy of Education and Educational PhilosophyShuvankar Madhu
 
DUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRA
DUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRADUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRA
DUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRATanmoy Mishra
 
Ultra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptxUltra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptxDr. Asif Anas
 
Benefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive EducationBenefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive EducationMJDuyan
 
How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17Celine George
 
How to Manage Cross-Selling in Odoo 17 Sales
How to Manage Cross-Selling in Odoo 17 SalesHow to Manage Cross-Selling in Odoo 17 Sales
How to Manage Cross-Selling in Odoo 17 SalesCeline George
 
Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptxClinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptxraviapr7
 
The Stolen Bacillus by Herbert George Wells
The Stolen Bacillus by Herbert George WellsThe Stolen Bacillus by Herbert George Wells
The Stolen Bacillus by Herbert George WellsEugene Lysak
 
How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17Celine George
 
5 charts on South Africa as a source country for international student recrui...
5 charts on South Africa as a source country for international student recrui...5 charts on South Africa as a source country for international student recrui...
5 charts on South Africa as a source country for international student recrui...CaraSkikne1
 
CapTechU Doctoral Presentation -March 2024 slides.pptx
CapTechU Doctoral Presentation -March 2024 slides.pptxCapTechU Doctoral Presentation -March 2024 slides.pptx
CapTechU Doctoral Presentation -March 2024 slides.pptxCapitolTechU
 
3.21.24 The Origins of Black Power.pptx
3.21.24  The Origins of Black Power.pptx3.21.24  The Origins of Black Power.pptx
3.21.24 The Origins of Black Power.pptxmary850239
 
How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17Celine George
 
Education and training program in the hospital APR.pptx
Education and training program in the hospital APR.pptxEducation and training program in the hospital APR.pptx
Education and training program in the hospital APR.pptxraviapr7
 

Recently uploaded (20)

Presentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a ParagraphPresentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a Paragraph
 
Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...
 
Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.
 
Prescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxPrescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptx
 
Philosophy of Education and Educational Philosophy
Philosophy of Education  and Educational PhilosophyPhilosophy of Education  and Educational Philosophy
Philosophy of Education and Educational Philosophy
 
DUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRA
DUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRADUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRA
DUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRA
 
Ultra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptxUltra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptx
 
Benefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive EducationBenefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive Education
 
How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17
 
How to Manage Cross-Selling in Odoo 17 Sales
How to Manage Cross-Selling in Odoo 17 SalesHow to Manage Cross-Selling in Odoo 17 Sales
How to Manage Cross-Selling in Odoo 17 Sales
 
Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptxClinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptx
 
Finals of Kant get Marx 2.0 : a general politics quiz
Finals of Kant get Marx 2.0 : a general politics quizFinals of Kant get Marx 2.0 : a general politics quiz
Finals of Kant get Marx 2.0 : a general politics quiz
 
The Stolen Bacillus by Herbert George Wells
The Stolen Bacillus by Herbert George WellsThe Stolen Bacillus by Herbert George Wells
The Stolen Bacillus by Herbert George Wells
 
How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17
 
5 charts on South Africa as a source country for international student recrui...
5 charts on South Africa as a source country for international student recrui...5 charts on South Africa as a source country for international student recrui...
5 charts on South Africa as a source country for international student recrui...
 
CapTechU Doctoral Presentation -March 2024 slides.pptx
CapTechU Doctoral Presentation -March 2024 slides.pptxCapTechU Doctoral Presentation -March 2024 slides.pptx
CapTechU Doctoral Presentation -March 2024 slides.pptx
 
3.21.24 The Origins of Black Power.pptx
3.21.24  The Origins of Black Power.pptx3.21.24  The Origins of Black Power.pptx
3.21.24 The Origins of Black Power.pptx
 
Prelims of Kant get Marx 2.0: a general politics quiz
Prelims of Kant get Marx 2.0: a general politics quizPrelims of Kant get Marx 2.0: a general politics quiz
Prelims of Kant get Marx 2.0: a general politics quiz
 
How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17
 
Education and training program in the hospital APR.pptx
Education and training program in the hospital APR.pptxEducation and training program in the hospital APR.pptx
Education and training program in the hospital APR.pptx
 

Basic Network Security_Primer

  • 1. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 1 Network Security Primer Authentication and Encryption Techniques Akshat Sharma, Cisco Systems
  • 2. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
  • 3. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
  • 4. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 4 Core Distribution Catalyst 3750 Catalyst 3750 Catalyst 3750 Video- Conferencing Units Server farms C2960s C2960s C2960s C2960s C4500
  • 5. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 5 Web Auth VLANs 802.1X ACLs SGTs MAB
  • 6. Cisco Public© 2012 Cisco and/or its affiliates. All rights reserved. 6
  • 7. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 7 • Defined by IEEE and designed to provide port-based network access. • 802.1x authenticates network clients using information unique to the client and with credentials known only to the client. •Service known as port-level authentication
  • 8. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 8 Username / Password Directory alice c1sC0L1v Certificate Authority Token Server Deployment Best Practices Re-use Existing Credentials Understand the Limitations of Existing Systems Common Types Passwords Certificates Tokens Deciding Factors Security Policy Validation Distribution & Maintenance
  • 9. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 9 • The framework is defined by three authentication processes: 1. The supplicant Possibly a standalone device or an end user, such as a remote user. 2. The authenticator A device to which the supplicant directly connects and through which the supplicant obtains network access permission 3. The authentication server The authenticator acts as a gateway to the authentication server, which is responsible for actually authenticating the supplicant.
  • 10. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 10 Authenticator (e.g. Switch, Access Point, PAE) Supplicant (Client) Enterprise NetworkSemi-Public Network / Enterprise Edge AuthenticationServer (Radius Server/LDAP or Kerberos) R A D I U S NAS
  • 11. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 11 • EAP Extensible Authentication Protocol A flexible protocol used to carry arbitrary authentication information Typically rides on top of another protocol such as 802.1x (EAPoL) or RADIUS/TACACS+, etc. • EAP Messages Request Sent to supplicant to indicate a challenge Response Supplicant reply message Success Notification to supplicant of success Failure Notification to supplicant of failure
  • 12. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 12
  • 13. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 13
  • 14. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 14 EthernetLaptop computer 802.1X Authenticator/Bridge Radius Server EAPOL-Start EAP-Request/Identity EAP-Response/Identity EAP-Request Radius-Access-Request Radius-Access-Challenge EAP-Response (cred) Radius-Access-Request EAP-Success Access blocked Port connect Radius-Access-Accept Access allowed RADIUSEAPOL
  • 15. Cisco Public© 2012 Cisco and/or its affiliates. All rights reserved. 15
  • 16. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 16 • MAB stands for MAC Authentication Bypass. • It enables port-based access control using the MAC address of the endpoint. • A MAB-enabled port can be dynamically enabled or disabled based on the MAC address of the device that connects to it.
  • 17. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 17
  • 18. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 18 • WebAuth is a Layer 3 authentication method. • After IEEE 802.1X (or MAB) has timed out or failed, the port is opened long enough to allow the packets required for WebAuth. • After the port has been opened, the switch enforces a preconfigured ACL in some VLAN • At a minimum, the preconfigured ACL should allow the traffic required to complete the WebAuth process. In most cases, the ACL should at least allow DHCP (so the client can acquire an address) and DNS (so the client can trigger WebAuth when using fully qualified domain names in URLs).
  • 19. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 19
  • 20. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 20 802.1Q Trunk EAP Authentication AAA Corporate Resources Internet Employee Guest User 802.1X fails MAB : “Printer” Employee Vlan Web-Auth 802.1X fails MAB fails Guest Vlan
  • 21. Cisco Public© 2012 Cisco and/or its affiliates. All rights reserved. 21
  • 22. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 22 • Brute Force considerations : 128 to 256 bit keys • Landauer’s Limit  kT ln 2 (10^18 Joules for 128 bits) • Available Wireless Encryption Techniques: WEP (outdated) WPA + TKIP (most compatible, less secure) WPA2+AES (Most secure) • DO NOT use WEP! • PKI infrastructure for strong Authentication and encryption  WPA2-AES + PKI based 802.1x
  • 23. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 23 • Basically a pseudo random number generator that encrypts data packets. • Start with generic 802.11 packet • Use a secret key plus IV to seed RC4 stream cipher to create pseudo random number • Create a CRC-32 of data portion of packet which is then called ICV. • Data || ICV XOR Pseudo Random Number = Encrypted portion of WEP Packet
  • 24. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 24 Frame Header Frame Body FCS Secret Key (40Bits) RC4 Algorithm IV (24bits) Generic 802.11 Packet Frame Shared before communication begins Created by Sending Device Integrity Check Algorithm Frame Body ICV Frame Header IV Frame Body ICV FCS WEP Packet Frame Encrypted
  • 25. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 25 • Key Generation • ICV Generation • Weak Key’s and Weak IV’s • WEP Attacks
  • 26. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 26 • The main problem of WEP is Key Generation. • Secret Key is too small, only 40 Bits. Very susceptible to brute force attacks. • IV is too small. Only 16 Million different possibilities for every packet. • Secret Keys are accessible to user, therefore not secret. • Key distribution is done manually.
  • 27. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 27 • The ICV is generated from a cyclic redundancy check (CRC-32) Only a simple arithmetic computation. Can be done easily by anyone. Not cryptographically secure. • Easy for attacker to change packet and then change ICV to get response from AP.
  • 28. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 28 • Certain keys are more susceptible to showing the relationship between plaintext and ciphertext. There are approx 9000 weak keys out of the 40 bit WEP secret key. • Weak IV will correspond to weak Keys.
  • 29. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 29 • Replay Statistical gathering of certain ciphertext that once sent to server will cause wanted reaction. • 802.11 LLC Encapsulation Predictable headers to find ciphertext, plaintext combinations • Denial of Service Attacks Flooding the 2.4Ghz frequency with noise.
  • 30. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 30 • 802.1x • WPA • 802.11i • All much more secure.
  • 31. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
  • 32. Cisco Public© 2012 Cisco and/or its affiliates. All rights reserved. 32
  • 33. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 33 Encryption “The quick brown fox jumps over the lazy dog” “AxCv;5bmEseTfid3) fGsmWe#4^,sdgfMwi r3:dkJeTsY8Rs@!q3 %” “The quick brown fox jumps over the lazy dog” Decryption Plain-text input Plain-text outputCipher-text Same key (shared secret)
  • 34. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 34 • Strength: Simple and really very fast (order of 1000 to 10000 faster than asymmetric mechanisms) Super-fast (and somewhat more secure) if done in hardware (DES, Rijndael) • Weakness: Must agree the key beforehand Securely pass the key to the other party
  • 35. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 35 • Knowledge of the encryption key doesn’t give you knowledge of the decryption key • Receiver of information generates a pair of keys Publish the public key in a directory • Then anyone can send him messages that only she can read
  • 36. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 36 Encryption “The quick brown fox jumps over the lazy dog” “Py75c%bn&*)9|fDe^bD Faq#xzjFr@g5=&nmdFg $5knvMd’rkvegMs” “The quick brown fox jumps over the lazy dog” Decryption Clear-text Input Clear-text OutputCipher-text Different keys Recipient’s public key Recipient’s private key privatepublic
  • 37. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 37 • Weakness: Extremely slow Susceptible to “known ciphertext” attack Problem of trusting public key (see later on PKI) • Strength Solves problem of passing the key Allows establishment of trust context between parties
  • 38. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 38 As above, repeated for other recipients or recovery agents Digital Envelope Other recipient’s or agent’s public key (in certificate) in recovery policy Launch key for nuclear missile “RedHeat” is... Symmetric key encrypted asymmetrically (e.g., RSA) Digital Envelope User’s public key (in certificate) RNG Randomly- Generated symmetric “session” key Symmetric encryption (e.g. DES) *#$fjda^j u539!3t t389E *&@ 5e%32^kd
  • 39. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 39 *#$fjda^j u539!3t t389E *&@ 5e%32^kd Launch key for nuclear missile “RedHeat” is... Symmetric decryption (e.g. DES) Digital Envelope Asymmetric decryption of “session” key (e.g. RSA) Symmetric “session” key Session key must be decrypted using the recipient’s private key Digital envelope contains “session” key encrypted using recipient’s public key Recipient’s private key
  • 40. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 40 • We just solved the problem of symmetric key distribution by using public/private keys • But… • Scott creates a keypair (private/public) and quickly tells the world that the public key he published belongs to Bill • People send confidential stuff to Bill • Bill does not have the private key to read them… • Scott reads Bill’s messages  • Solution ? – Remember Digital Signatures ?
  • 41. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 41 Hash Function (SHA, MD5) Jrf843kjfgf* £$&Hdif*7o Usd*&@:<C HDFHSD(** Py75c%bn&*)9|fDe^b DFaq#xzjFr@g5=&n mdFg$5knvMd’rkveg Ms” This is a really long message about Bill’s… Asymmetric Encryption Message or File Digital Signature128 bits Message Digest Calculate a short message digest from even a long input using a one-way message digest function (hash) Signatory’s private key private
  • 42. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 42 Jrf843kjf gf*£$&Hd if*7oUsd *&@:<CHD FHSD(** Py75c%bn&*) 9|fDe^bDFaq #xzjFr@g5= &nmdFg$5kn vMd’rkvegMs” Asymmetric decryption (e.g. RSA) Everyone has access to trusted public key of the signatory Signatory’s public key Digital Signature This is a really long message about Bill’s… Same hash function (e.g. MD5, SHA…) Original Message Py75c%bn&*) 9|fDe^bDFaq #xzjFr@g5= &nmdFg$5kn vMd’rkvegMs” ? == ? Are They Same?
  • 43. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 43 • Message is captured. • Hash value of the message is calculated. • Sender's private key is retrieved from the sender's digital certificate. • Hash value is encrypted with the sender's private key. • Encrypted hash value is appended to the message as a digital signature. • Message is sent.
  • 44. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 44 • Sender's public key is retrieved from the sender's digital certificate • Encrypted hash value is decrypted with the sender's public key. • Decrypted hash value is compared against the hash value produced on receipt. • If the values match, the message is valid. • Message is received. • Digital signature containing encrypted hash value is retrieved from the message. • Message is retrieved. • Hash value of the message is calculated.