Chapter 9: Cryptography and the Public Key Infrastructure
Instructor Materials

CCNA Cybersecurity Operations v1.1


Chapter 9: Cryptography and the Public Key Infrastructure
CCNA Cybersecurity Operations v1.1
Planning Guide

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3
Chapter 9: Cryptography and the Public Key Infrastructure
CCNA Cybersecurity Operations v1.1


Chapter 9 - Sections & Objectives
▪ 9.1 Cryptography
• Use tools to encrypt and decrypt data.
• Use cryptography to secure communications.
• Explain the role of cryptography in ensuring the integrity and authenticity of data.
• Explain how cryptographic approaches enhance data confidentiality.

▪ 9.2 Public Key Cryptography


• Explain how the public key infrastructure (PKI) supports network security.
• Explain public key cryptography.
• Explain how the public key infrastructure functions.
• Explain how the use of cryptography affects cybersecurity operations.

9.1 Cryptography

What is Cryptography?
Securing Communications
▪ Information security concerns protecting network infrastructure devices and securing data as it travels on the network.
▪ Cryptography helps realize the four objectives of information security:
• Data Confidentiality - only authorized users can read the data.
• Data Integrity - the data has not been altered by unauthorized parties.
• Origin authentication - the data has actually originated at the expected source.
• Non-repudiation - the sender cannot later deny having sent the message.
What is Cryptography?
Cryptology
▪ Cryptology is the science of making and breaking secret codes. There are two disciplines:
• Cryptography - This is the development and use of codes that are used for communicating privately. Specifically, it is the practice and study of techniques to secure communications.
• Cryptanalysis - This is the breaking of those codes. Specifically, it is the practice and study of determining and exploiting weaknesses in cryptographic techniques.
What is Cryptography?
Cryptography – Ciphers
▪ A cipher is an algorithm that consists of a series of well-defined steps that can be followed as a procedure when encrypting and decrypting messages.
▪ The following are types of ciphers that have been used over the years:
• Substitution cipher - Substitution ciphers replace each letter with another letter, so they retain the letter frequency of the original message.
• Transposition cipher - In transposition ciphers, no letters are replaced; they are simply rearranged.
• Polyalphabetic ciphers - Polyalphabetic ciphers are based on substitution, using multiple substitution alphabets.
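To make the frequency claim concrete, the following is an added Python example (not part of the Cisco course material) that implements a Caesar-style substitution cipher and a columnar transposition cipher, then compares the letter frequencies of plaintext and ciphertext. The sample message is constructed and all function names are the example's own.

```python
import string
from collections import Counter

ALPHABET = string.ascii_uppercase


def substitution_encrypt(plaintext: str, shift: int) -> str:
    """Monoalphabetic (Caesar-style) substitution: each letter is replaced by the
    letter `shift` positions later in the alphabet; other characters pass through."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def substitution_decrypt(ciphertext: str, shift: int) -> str:
    return substitution_encrypt(ciphertext, -shift)


def transposition_encrypt(plaintext: str, columns: int) -> str:
    """Columnar transposition: write the text row by row in `columns` columns and
    read it out column by column. Nothing is replaced, only rearranged."""
    text = plaintext.upper()
    return "".join(text[i::columns] for i in range(columns))


def transposition_decrypt(ciphertext: str, columns: int) -> str:
    """Inverse of transposition_encrypt: rebuild the columns, then read the rows."""
    rows, extra = divmod(len(ciphertext), columns)
    cols, pos = [], 0
    for i in range(columns):
        width = rows + (1 if i < extra else 0)   # the first `extra` columns are one longer
        cols.append(ciphertext[pos:pos + width])
        pos += width
    return "".join(col[r] for r in range(rows + 1) for col in cols if r < len(col))


def letter_counts(text: str) -> Counter:
    """Raw frequency table: how often each letter occurs."""
    return Counter(ch for ch in text.upper() if ch in ALPHABET)


def frequency_profile(text: str) -> list:
    """The multiset of letter counts sorted high to low, independent of which
    letter carries which count. A substitution leaves this profile intact."""
    return sorted(letter_counts(text).values(), reverse=True)


# Constructed sample message
MESSAGE = "THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG AT DAWN"


def compare_ciphers(message: str = MESSAGE) -> dict:
    """Show what each classical cipher leaks about the plaintext."""
    sub = substitution_encrypt(message, 3)
    trans = transposition_encrypt(message, 5)
    return {
        "substitution_keeps_profile": frequency_profile(sub) == frequency_profile(message),
        "substitution_keeps_letters": letter_counts(sub) == letter_counts(message),
        "transposition_keeps_letters": letter_counts(trans) == letter_counts(message),
        "roundtrip_ok": substitution_decrypt(sub, 3) == message.upper()
        and transposition_decrypt(trans, 5) == message.upper(),
    }


if __name__ == "__main__":
    for name, value in compare_ciphers().items():
        print(f"{name}: {value}")
```

Because a substitution only relabels letters, the sorted histogram of letter counts is unchanged, which is the property frequency analysis relies on; a transposition keeps the letters themselves, so even the raw histogram is identical to the plaintext's. A polyalphabetic cipher changes the substitution alphabet from letter to letter precisely to flatten this profile.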
What is Cryptography?
Cryptanalysis – Code Breaking
▪ A number of code breaking (cryptanalysis) methods exist, such as brute-force, ciphertext, and known-plaintext, among others.
▪ Several methods are used in cryptanalysis:
• Brute-force - The cryptanalyst tries every possible key knowing that eventually one of them will work.
• Ciphertext - The cryptanalyst has the ciphertext of several encrypted messages but no knowledge of the underlying plaintext.
• Known-Plaintext - The cryptanalyst has access to the ciphertext of several messages and knows something about the plaintext underlying that ciphertext.
• Chosen-Plaintext - The cryptanalyst chooses which data the encryption device encrypts and observes the ciphertext output.
• Chosen-Ciphertext - The cryptanalyst can choose different ciphertext to be decrypted and has access to the decrypted plaintext.
• Meet-in-the-Middle - The cryptanalyst knows a portion of the plaintext and the corresponding ciphertext.
What is Cryptography?
Keys
▪ With modern technology, security of encryption lies in the secrecy of the keys, not the algorithm.
▪ Two terms that are used to describe keys are:
• Key length - Also called the key size, this is measured in bits. In this course, we will use the term key length.
• Keyspace - This is the number of possibilities that can be generated by a specific key length.
▪ As key length increases, the keyspace increases exponentially.
What is Cryptography?
Lab – Encrypting and Decrypting Data Using OpenSSL

What is Cryptography?
Lab – Encrypting and Decrypting Data Using a Hacker Tool

What is Cryptography?
Lab – Examining Telnet and SSH in Wireshark

Integrity and Authenticity
Cryptographic Hash Functions
▪ Cryptographic hashes are used to verify and ensure data integrity.
▪ Hashing is based on a one-way mathematical function that is relatively easy to compute, but significantly harder to reverse.
▪ The cryptographic hashing function can also be used to verify authentication.
▪ A hash function takes a variable-length block of binary data, called the message, and produces a fixed-length, condensed representation, called the hash.
▪ The resulting hash is also sometimes called the message digest, digest, or digital fingerprint.
▪ With hash functions, it is computationally infeasible for two different sets of data to come up with the same hash output.
▪ Every time the data is changed or altered, the hash value also changes.
Integrity and Authenticity
Cryptographic Hash Operation
▪ Mathematically, the equation h = H(x) is used to explain how a hash algorithm operates.
▪ A cryptographic hash function should have the following properties:
• The input can be any length.
• The output has a fixed length.
• H(x) is relatively easy to compute for any given x.
• H(x) is one way and not reversible.
• H(x) is collision free, meaning that two different input values will result in different hash values.
Integrity and Authenticity
MD5 and SHA
▪ Hash functions are used to ensure the integrity of a message. They ensure data has not changed accidentally or intentionally.
▪ Three well-known hashing algorithms are 128-bit MD5, SHA-1, and SHA-2.
• MD5 with 128-bit digest - A one-way function that produces a 128-bit hashed message. MD5 is considered to be a legacy algorithm. It is recommended that SHA-2 be used instead.
• SHA-1 - Very similar to the MD5 hash functions. Several versions exist. SHA-1 creates a 160-bit hashed message and is slightly slower than MD5. SHA-1 has known flaws and is a legacy algorithm.
• SHA-2 - Next-generation algorithm and should be used whenever possible.
▪ While hashing can be used to detect accidental changes, it cannot be used to guard against deliberate changes. There is no unique identifying information from the sender in the hashing procedure.
Integrity and Authenticity
Hash Message Authentication Code
▪ To add authentication to integrity assurance, a keyed-hash message authentication code (HMAC) is used.
▪ To add authentication, HMAC uses an additional secret key as input to the hash function.
▪ Only the sender and the receiver know the secret key, and the output of the hash function now depends on the input data and the secret key.
▪ Only parties who have access to that secret key can compute the digest of an HMAC function.
▪ If the digest that is calculated by the receiving device is equal to the digest that was sent, the message has not been altered.
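The following added Python example (not part of the Cisco course material) ties the three preceding slides together: it shows the fixed digest lengths of MD5, SHA-1 and SHA-256, the avalanche effect on a changed message, and why a plain hash cannot guard against deliberate changes while an HMAC can. The message, key and "in transit" alteration are constructed for the scenario; the function names are the example's own.

```python
import hashlib
import hmac
import secrets


def digest_hex(message: bytes, algorithm: str) -> str:
    """Fixed-length digest of an arbitrary-length message (h = H(x))."""
    return hashlib.new(algorithm, message).hexdigest()


def digest_lengths(message: bytes = b"example") -> dict:
    """Digest size in bits for the three algorithms named on the slide."""
    return {alg: len(digest_hex(message, alg)) * 4 for alg in ("md5", "sha1", "sha256")}


def bits_changed(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length byte strings (avalanche check)."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def hash_only_check(message: bytes, received_digest: bytes) -> bool:
    """Integrity check with an unkeyed hash: anyone can recompute the digest."""
    return hashlib.sha256(message).digest() == received_digest


def hmac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256: the output depends on the message AND the shared secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def hmac_check(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison, so the check itself leaks no timing information."""
    return hmac.compare_digest(hmac_tag(key, message), tag)


def tamper_scenario() -> dict:
    """Constructed scenario: a message is protected once by a plain hash and once
    by an HMAC, then altered in transit by someone who does not hold the key."""
    key = secrets.token_bytes(32)                  # known only to sender and receiver
    original = b"transfer 100 to account 42"
    original_hash = hashlib.sha256(original).digest()
    original_tag = hmac_tag(key, original)

    altered = b"transfer 900 to account 66"
    altered_hash = hashlib.sha256(altered).digest()   # anyone can recompute this
    # Without the key the best available tag is the one that was sent with the
    # original message, which no longer matches the altered data.
    return {
        "hash_accepts_altered": hash_only_check(altered, altered_hash),
        "hmac_accepts_original": hmac_check(key, original, original_tag),
        "hmac_accepts_altered": hmac_check(key, altered, original_tag),
        "digest_bits_changed": bits_changed(original_hash, altered_hash),
    }


if __name__ == "__main__":
    print(digest_lengths())
    print(tamper_scenario())
```

The receiver in the hash-only case has no way to tell a recomputed digest from the sender's digest, which is the slide's point that a hash carries "no unique identifying information from the sender". The HMAC verification uses `hmac.compare_digest` rather than `==` so that a mismatch is not reported faster or slower depending on where the first differing byte lies.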
Integrity and Authenticity
Lab – Hashing Things Out

Confidentiality
Encryption
Encryption algorithms fall into two classes, which differ in how they use keys:

▪ Symmetric encryption algorithms - Encryption algorithms use the same key to encrypt and decrypt data. They are based on the premise that each communicating party knows the pre-shared key.

▪ Asymmetric encryption algorithms - Encryption algorithms use different keys to encrypt and decrypt data. They are based on the assumption that the two communicating parties have not previously shared a secret and must establish a secure method to do so. Asymmetric algorithms are resource intensive and slower to execute.
Confidentiality
Symmetric Encryption
▪ Symmetric algorithms use the same pre-shared key to encrypt and decrypt data.
▪ Today, symmetric encryption algorithms are commonly used with VPN traffic. This is because symmetric algorithms use less CPU than asymmetric encryption algorithms.
▪ When using symmetric encryption algorithms, like any other type of encryption, the longer the key, the longer it will take for someone to discover the key.
▪ Most encryption keys are between 112 and 256 bits. Use a longer key for more secure communications.
Confidentiality
Symmetric Encryption Algorithms
Encryption algorithms are often classified as either:
▪ Block ciphers - Block ciphers transform a fixed-length block of plaintext into a common block of ciphertext of 64 or 128 bits.
▪ Stream ciphers - Stream ciphers encrypt plaintext one byte or one bit at a time.

Well-known symmetric encryption algorithms include: Data Encryption Standard (DES), 3DES (Triple DES), Advanced Encryption Standard (AES), Software-Optimized Encryption Algorithm (SEAL), and Rivest ciphers (RC).
Confidentiality
Asymmetric Encryption Algorithms
▪ Asymmetric algorithms, also called public-key algorithms, are designed so that the key that is used for encryption is different from the key that is used for decryption.
▪ The decryption key cannot, in any reasonable amount of time, be calculated from the encryption key and vice versa.
▪ Asymmetric algorithms use a public key and a private key.
▪ Both keys are capable of the encryption process, but the complementary paired key is required for decryption.
▪ The process is also reversible in that data encrypted with the public key requires the private key to decrypt.
▪ This process enables asymmetric algorithms to achieve confidentiality, authentication, and integrity.
Confidentiality
Asymmetric Encryption – Confidentiality
▪ Asymmetric algorithms are used to provide confidentiality without pre-sharing a password.
▪ The confidentiality objective of asymmetric algorithms is initiated when the encryption process is started with the public key. The process can be summarized using the formula: Public Key (Encrypt) + Private Key (Decrypt) = Confidentiality
• When the public key is used to encrypt the data, the private key must be used to decrypt the data.
• Only one host has the private key.
Confidentiality
Asymmetric Encryption – Authentication
▪ The authentication objective of asymmetric algorithms is initiated with the private key encryption process. The process can be summarized using the formula:
▪ Private Key (Encrypt) + Public Key (Decrypt) = Authentication
▪ When the private key is used to encrypt the data, the corresponding public key must be used to decrypt the data.
▪ Because only one host has the private key, only that host could have encrypted the message, providing authentication of the sender.
▪ When a host successfully decrypts a message using a public key, it is trusted that the private key encrypted the message, which verifies the sender.
Confidentiality
Asymmetric Encryption – Integrity
▪ Combining the two asymmetric encryption processes provides message confidentiality,
authentication, and integrity.

Confidentiality
Diffie-Hellman
▪ Diffie-Hellman (DH) is an asymmetric mathematical algorithm that allows two computers to generate an identical shared secret without having communicated before.
▪ The new shared key is never actually exchanged between the sender and receiver.
▪ However, because both parties know it, the key can be used by an encryption algorithm to encrypt traffic between the two systems.
▪ The security of DH is based on the fact that it uses unbelievably large numbers in its calculations.
▪ Unfortunately, asymmetric key systems are extremely slow for any sort of bulk encryption. This is why it is common to encrypt the bulk of the traffic using a symmetric algorithm.
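The exchange described on this slide, as an added Python example that is not part of the Cisco course material: each side keeps a private exponent, only the public values g^x mod p travel on the wire, and both sides arrive at the same secret, which is then hashed into a symmetric key for bulk encryption. The prime, generator and the sample private values are constructed toy parameters (real deployments use standardized groups of 2048 bits or more, or elliptic-curve DH); the function names are the example's own.

```python
import hashlib
import secrets

# Toy group parameters (constructed for illustration only; far too small for real use).
P = 2**127 - 1      # a Mersenne prime, so pow(..., P) is well defined
G = 5               # generator


def is_valid_public_value(value: int, p: int = P) -> bool:
    """Reject 0, 1 and p-1: a peer sending one of those forces a trivial shared secret."""
    return 1 < value < p - 1


def generate_private(p: int = P) -> int:
    """Random private exponent, uniformly in [2, p-2]; never leaves this host."""
    return secrets.randbelow(p - 3) + 2


def public_value(private: int, g: int = G, p: int = P) -> int:
    """g^x mod p: safe to send in the clear."""
    return pow(g, private, p)


def shared_secret(their_public: int, my_private: int, p: int = P) -> int:
    """(g^y)^x mod p, which equals (g^x)^y mod p, so both sides agree."""
    if not is_valid_public_value(their_public, p):
        raise ValueError("invalid peer public value")
    return pow(their_public, my_private, p)


def derive_key(secret: int, label: bytes = b"toy-dh-demo") -> bytes:
    """Hash the raw shared secret into a fixed-length symmetric key (a simple KDF)."""
    secret_bytes = secret.to_bytes((P.bit_length() + 7) // 8, "big")
    return hashlib.sha256(label + secret_bytes).digest()


def run_exchange(a_private: int = None, b_private: int = None) -> dict:
    """Full exchange between two parties; everything in 'on_the_wire' is what an
    eavesdropper sees, and neither private exponent is ever transmitted."""
    a_private = generate_private() if a_private is None else a_private
    b_private = generate_private() if b_private is None else b_private
    a_public = public_value(a_private)      # party A -> party B
    b_public = public_value(b_private)      # party B -> party A
    key_a = derive_key(shared_secret(b_public, a_private))
    key_b = derive_key(shared_secret(a_public, b_private))
    return {"on_the_wire": (P, G, a_public, b_public), "key_a": key_a, "key_b": key_b}


if __name__ == "__main__":
    result = run_exchange()
    print("keys match:", result["key_a"] == result["key_b"])
    print("symmetric key:", result["key_a"].hex())
```

The validity check on the peer's public value matters in practice: a value of 0, 1 or p-1 would make the "shared secret" predictable regardless of the private exponent, so real implementations reject such values before computing anything with them.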
9.2 Public Key Infrastructure

Public Key Cryptography
Using Digital Signatures
▪ Digital signatures are a mathematical technique used to provide authenticity, integrity, and nonrepudiation in the form of code signing and digital certificates.
▪ Digital signatures are commonly used in the following two situations:
• Code signing - Code signing is used to verify the integrity of executable files downloaded from a vendor website.
• Digital certificates - These are used to authenticate the identity of a system and exchange confidential data.
▪ There are three Digital Signature Standard (DSS) algorithms used for generating and verifying digital signatures:
• Digital Signature Algorithm (DSA)
• Rivest-Shamir-Adleman Algorithm (RSA)
• Elliptic Curve Digital Signature Algorithm (ECDSA)
Public Key Cryptography
Digital Signatures for Code Signing
▪ Digital signatures are commonly used to provide assurance of the authenticity and integrity of software code.
▪ Executable files are wrapped in a digitally signed envelope, which allows the end user to verify the signature before installing the software.
▪ Digitally signing code provides several assurances about the code:
• The code is authentic and is actually sourced by the publisher.
• The code has not been modified since it left the software publisher.
• The publisher undeniably published the code. This provides nonrepudiation of the act of publishing.
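The "Private Key (Encrypt) + Public Key (Decrypt) = Authentication" formula from the asymmetric-encryption slides and the code-signing flow on this slide are the same operation seen from two angles: the publisher signs a digest of the file with the private key, and any user verifies it with the published public key. The following added Python example (not part of the Cisco course material) walks through both with textbook RSA. The key pair is built from two constructed toy primes, and the padding schemes real signatures use (PKCS#1 v1.5, PSS) are deliberately left out, so this shows the mathematics, not a production signer; the package contents and function names are the example's own.

```python
import hashlib

# Toy RSA key pair (constructed for illustration; real keys use random primes of
# 1024+ bits each and a padding scheme, neither of which this textbook version has).
P = 2**89 - 1
Q = 2**127 - 1
N = P * Q                        # public modulus
PHI = (P - 1) * (Q - 1)
E = 65537                        # public exponent
D = pow(E, -1, PHI)              # private exponent: modular inverse (Python 3.8+)

PUBLIC_KEY = (N, E)              # published by the software vendor
PRIVATE_KEY = (N, D)             # kept only on the vendor's signing system


def message_digest(message: bytes) -> int:
    """SHA-256 of the message as an integer below N: the value that gets signed."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """Private Key (Encrypt): only the holder of D can produce this value."""
    n, d = private_key
    return pow(message_digest(message), d, n)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Public Key (Decrypt): anyone can undo the private operation and compare the
    result with the digest they compute themselves from the file they received."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(message)


def encrypt(m: int, public_key=PUBLIC_KEY) -> int:
    """Public Key (Encrypt): the confidentiality direction of the same key pair."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(m, e, n)


def decrypt(c: int, private_key=PRIVATE_KEY) -> int:
    """Private Key (Decrypt): only the holder of D recovers m."""
    n, d = private_key
    return pow(c, d, n)


# Constructed code-signing scenario
PACKAGE = b"installer-1.0.bin: constructed file contents"


def publish(package: bytes = PACKAGE) -> tuple:
    """What the vendor ships: the file plus the signature over its digest."""
    return package, sign(package)


def install_check(package: bytes, signature: int) -> str:
    """What the end user's installer does before running anything."""
    if verify(package, signature):
        return "signature valid: install"
    return "signature invalid: refuse"


if __name__ == "__main__":
    pkg, sig = publish()
    print(install_check(pkg, sig))
    print(install_check(pkg + b"\x00", sig))     # one appended byte breaks the check
```

Note what each check actually proves: a valid signature says the file is byte-for-byte what the holder of the private key signed (integrity and origin). It says nothing about whether that holder is who they claim to be; binding the public key to a publisher's identity is the job of the digital certificate, covered next.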
Public Key Cryptography
Digital Signatures for Digital Certificates
▪ A digital certificate enables users, hosts, and organizations to securely exchange information over the Internet.
▪ Specifically, a digital certificate is used to authenticate and verify that users sending a message are who they claim to be.
▪ Digital certificates can also be used to provide confidentiality, by giving the receiver the means to encrypt a reply.
Authorities and the PKI Trust System
Public Key Management
▪ When establishing an asymmetric connection between two hosts, the hosts will exchange their public key information.
▪ Trusted third parties on the Internet validate the authenticity of these public keys using digital certificates. The third party issues credentials that are difficult to forge.
▪ From that point forward, all individuals who trust the third party simply accept the credentials that the third party issues.
▪ The Public Key Infrastructure (PKI) is an example of a trusted third-party system referred to as a certificate authority (CA).
▪ The CA issues digital certificates that authenticate the identity of organizations and users.
▪ These certificates are also used to sign messages to ensure that the messages have not been tampered with.
Authorities and the PKI Trust System
The Public Key Infrastructure
▪ PKI is needed to support large-scale distribution and identification of public encryption keys.

▪ The PKI framework facilitates a highly scalable trust relationship.

▪ It consists of the hardware, software, people, policies, and procedures needed to create, manage,
store, distribute, and revoke digital certificates.

▪ Not all PKI certificates are directly received from a CA. A registration authority (RA) is a subordinate
CA and is certified by a root CA to issue certificates for specific uses.

Authorities and the PKI Trust System
The PKI Authorities System
▪ Many vendors provide CA servers as a managed service or as an end-user product.

▪ Organizations may also implement private PKIs using Microsoft Server or OpenSSL.

▪ CAs issue certificates based on classes which determine how trusted a certificate is.

▪ The class number is determined by how rigorous the procedure was that verified the identity of the holder
when the certificate was issued.
▪ The higher the class number, the more trusted the certificate.

▪ Some CA public keys are preloaded, such as those listed in web browsers.

▪ An enterprise can also implement PKI for internal use.

Authorities and the PKI Trust System
The PKI Trust System
▪ PKIs can form different topologies of trust. The simplest is the single-root PKI topology.
▪ On larger networks, PKI CAs may be linked using two basic architectures:
• Cross-certified CA topologies - This is a peer-to-peer model in which individual CAs establish trust relationships with other CAs by cross-certifying CA certificates.
• Hierarchical CA topologies - The highest level CA is called the root CA. It can issue certificates to end users and to a subordinate CA.
[Figure: Single-Root PKI, Cross-certified CA, and Hierarchical CA topologies]
Authorities and the PKI Trust System
Interoperability of Different PKI Vendors
▪ Interoperability between a PKI and its supporting services is a concern because many CA vendors have proposed and implemented proprietary solutions instead of waiting for standards to develop.
▪ To address this interoperability concern, the IETF published the Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework (RFC 2527).
▪ The X.509 version 3 (X.509v3) standard defines the format of a digital certificate.
Authorities and the PKI Trust System
Certificate Enrollment, Authentication, and Revocation
▪ All systems that leverage the PKI must have the CA’s public key, called the self-signed certificate.
▪ The CA public key verifies all the certificates issued by the CA and is vital for the proper operation of the PKI.
▪ The certificate enrollment process begins when CA certificates are retrieved in-band over a network, and the authentication is done out-of-band (OOB) using the telephone.
▪ The system enrolling with the PKI contacts a CA to request and obtain a digital identity certificate for itself and to get the CA’s self-signed certificate.
▪ The final stage verifies that the CA certificate was authentic and is performed using an OOB method such as the Plain Old Telephone System (POTS) to obtain the fingerprint of the valid CA identity certificate.
▪ A digital certificate can be revoked if its key is compromised or if it is no longer needed.
Authorities and the PKI Trust System
Lab – Certificate Authority Stores

Applications and Impacts of Cryptography
PKI Applications
▪ Some of the many applications of PKIs are:
• SSL/TLS certificate-based peer authentication
• Secure network traffic using IPsec VPNs
• HTTPS Web traffic
• Control access to the network using 802.1x authentication
• Secure email using the S/MIME protocol
• Secure instant messaging
• Approve and authorize applications with Code Signing
• Protect user data with the Encrypting File System (EFS)
• Implement two-factor authentication with smart cards
• Securing USB storage devices

Applications and Impacts of Cryptography
Encrypting Network Transactions
▪ Threat actors can use SSL/TLS to introduce regulatory compliance violations, viruses, malware, data loss, and intrusion attempts in a network.
▪ Other SSL/TLS-related issues may be associated with validating the certificate of a web server. When this occurs, web browsers will display a security warning. PKI-related issues that are associated with security warnings include:
• Validity date range - The X.509v3 certificates specify “not before” and “not after” dates. If the current date is outside the range, the web browser displays a message.
• Signature validation error - If a browser cannot validate the signature on the certificate, there is no assurance that the public key in the certificate is authentic.
Applications and Impacts of Cryptography
Encryption and Security Monitoring
▪ Network monitoring becomes more challenging when packets are encrypted.

▪ Because HTTPS introduces end-to-end encrypted HTTP traffic (via TLS/SSL), it is not as easy to
peek into user traffic.

▪ Here is a list of some of the things that a security analyst could do:
• Configure rules to distinguish between SSL and non-SSL traffic, HTTPS and non-HTTPS SSL traffic.
• Enhance security through server certificate validation using CRLs and OCSP.
• Implement antimalware protection and URL filtering of HTTPS content.
• Deploy a Cisco SSL Appliance to decrypt SSL traffic and send it to intrusion prevention system (IPS)
appliances to identify risks normally hidden by SSL.

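The first item in the analyst's list, distinguishing TLS from non-TLS traffic, does not require decryption: the start of a TLS connection is an unencrypted ClientHello whose record header (content type 0x16, a 0x03xx version, a length) and handshake header (type 0x01, a 3-byte length, the client's legacy version) are defined by the TLS specifications. The following added Python example (not part of the Cisco course material) classifies the first bytes a client sends and applies a simple monitoring rule over constructed flow records: port 443 must carry TLS, and TLS on an unexpected port is noted. The flow records, addresses (RFC 5737 documentation ranges) and function names are the example's own.

```python
TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2/1.3"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def build_client_hello() -> bytes:
    """Constructed minimal ClientHello: legacy_version 0x0303 (TLS 1.2, also used by
    TLS 1.3), an all-zero random, empty session id, one cipher suite
    (0x1301 = TLS_AES_128_GCM_SHA256), null compression, no extensions."""
    body = (b"\x03\x03" + bytes(32) + b"\x00"
            + b"\x00\x02" + b"\x13\x01"
            + b"\x01\x00")
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + len(handshake).to_bytes(2, "big") + handshake


def classify_payload(data: bytes) -> dict:
    """Classify the first client bytes of a connection without decrypting anything."""
    if len(data) >= 11 and data[0] == TLS_HANDSHAKE and data[1] == 0x03 and data[2] <= 0x03:
        record_len = int.from_bytes(data[3:5], "big")
        if data[5] == CLIENT_HELLO:
            hs_len = int.from_bytes(data[6:9], "big")
            version = int.from_bytes(data[9:11], "big")
            if record_len == hs_len + 4:            # record carries exactly one handshake message
                return {"protocol": "tls", "message": "ClientHello",
                        "version": TLS_VERSIONS.get(version, hex(version))}
        return {"protocol": "tls", "message": "handshake", "version": None}
    for method in HTTP_METHODS:
        if data.startswith(method):
            return {"protocol": "http-plaintext", "message": method.decode().strip(), "version": None}
    return {"protocol": "unknown", "message": None, "version": None}


# Constructed flow records, as a sensor might log the first client bytes per connection
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443, "payload": build_client_hello()},
    {"src": "10.0.0.7", "dst": "203.0.113.20", "dport": 443,
     "payload": b"GET /update.bin HTTP/1.1\r\nHost: 203.0.113.20\r\n\r\n"},
    {"src": "10.0.0.9", "dst": "203.0.113.30", "dport": 80, "payload": b"GET / HTTP/1.1\r\n"},
    {"src": "10.0.0.11", "dst": "203.0.113.40", "dport": 8443, "payload": build_client_hello()},
]


def find_anomalies(flows) -> list:
    """Rule: port 443 must carry TLS; TLS on any other port is reported for review."""
    findings = []
    for flow in flows:
        proto = classify_payload(flow["payload"])["protocol"]
        if flow["dport"] == 443 and proto != "tls":
            findings.append((flow["src"], flow["dst"], f"non-TLS payload on port 443 ({proto})"))
        elif flow["dport"] != 443 and proto == "tls":
            findings.append((flow["src"], flow["dst"], f"TLS on non-standard port {flow['dport']}"))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_FLOWS):
        print(finding)
```

A rule like this is the cheap first step the slide describes: it separates the connections that can be inspected in the clear from those that cannot, and flags port/protocol mismatches, before the heavier options (certificate validation with CRLs and OCSP, or decryption through an SSL appliance feeding an IPS) are applied to the encrypted remainder.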
9.3 Chapter Summary

Chapter Summary
Chapter 9: Cryptography and the Public Key Infrastructure

▪ Securing communications with cryptography consists of four elements:
• Data confidentiality to guarantee that only authorized users can read the message.
• Data integrity to guarantee that the message was not altered.
• Origin authentication guarantees that the message is not a forgery and does actually come from whom it states.
• Data non-repudiation to guarantee that the sender cannot repudiate, or refute, the validity of a message sent.
▪ Cryptology is the science of making and breaking secret codes. There are two disciplines: Cryptography and Cryptanalysis.
▪ A cipher is an algorithm that consists of a series of well-defined steps that can be followed as a procedure when encrypting and decrypting messages.
▪ A number of code breaking (cryptanalysis) methods exist, such as brute-force, ciphertext, and known-plaintext, among others.
▪ With modern technology, security of encryption lies in the secrecy of the keys, not the algorithm; specifically, in the key length and the keyspace.
Chapter Summary
Chapter 9: Cryptography and the Public Key Infrastructure
(Cont.)
▪ Cryptographic hashes are used to verify and ensure data integrity.
▪ Hash functions make it computationally infeasible for two different sets of data to come up with the same hash output.
▪ Mathematically, the equation h = H(x) is used to explain how a hash algorithm operates.
▪ Three well-known hash functions include:
• MD5 with a 128-bit digest
• SHA-1
• SHA-2
▪ To include authentication along with message integrity, an HMAC adds a secret key as an input to the hash function. If two parties share a secret key and use HMAC functions for authentication, a properly constructed HMAC digest of a message that a party has received indicates that the other party was the originator of the message.
▪ Confidentiality of the data is ensured through one of two types of encryption: symmetric and asymmetric.
Chapter Summary
Chapter 9: Cryptography and the Public Key Infrastructure
(Cont.)
▪ Symmetric algorithms use the same pre-shared key to encrypt and decrypt data.

▪ Symmetric encryption algorithms are often classified as either: Block ciphers or Stream Ciphers.

▪ Asymmetric algorithms, also called public-key algorithms, are designed so that the key that is used for
encryption is different from the key that is used for decryption.
▪ Asymmetric algorithms are used to provide confidentiality without pre-sharing a password. The
confidentiality objective of asymmetric algorithms is initiated when the encryption process is started with
the public key.
▪ The authentication objective of asymmetric algorithms is initiated with the private key encryption process.
Use the formula: Private Key (Encrypt) + Public Key (Decrypt) = Authentication.
▪ Combining the two asymmetric encryption processes provides message confidentiality, authentication,
and integrity.
▪ Diffie-Hellman (DH) is an asymmetric mathematical algorithm that allows two computers to generate an
identical shared secret without having communicated before.

Chapter Summary
Chapter 9: Cryptography and the Public Key Infrastructure
(Cont.)
▪ Digital signatures are a mathematical technique used to provide authenticity, integrity, and
nonrepudiation in the form of code signing and digital certificates.
▪ Digital signatures are commonly used to provide assurance of the authenticity and integrity of software
code.
▪ A digital certificate enables users, hosts, and organizations to securely exchange information over the
Internet.
▪ The Public Key Infrastructure (PKI) is an example of a trusted third-party system referred to as certificate
authority (CA).
▪ PKI is needed to support large-scale distribution and identification of public encryption keys.

▪ Many vendors provide CA servers as a managed service or as an end-user product. Organizations may also implement private PKIs using Microsoft Server or OpenSSL. CAs issue certificates based on classes which determine how trusted a certificate is.
▪ PKIs can form different topologies of trust. The simplest is the single-root PKI topology. On larger
networks, PKI CAs may be linked using two basic architectures: Cross-certified CA topologies and
Hierarchical CA topologies.

Chapter Summary
Chapter 9: Cryptography and the Public Key Infrastructure
(Cont.)
▪ Interoperability between a PKI and its supporting services is a concern because many CA vendors have proposed and
implemented proprietary solutions instead of waiting for standards to develop. To address this interoperability concern, the
IETF published the Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework (RFC
2527). The X.509 version 3 (X.509v3) standard defines the format of a digital certificate.
▪ All systems that leverage the PKI must have the CA’s public key, called the self-signed certificate. The CA public key
verifies all the certificates issued by the CA and is vital for the proper operation of the PKI.
▪ There are many applications of PKIs.

▪ Threat actors can use SSL/TLS to introduce regulatory compliance violations, viruses, malware, data loss, and intrusion
attempts in a network.
▪ Network monitoring becomes more challenging when packets are encrypted. Because HTTPS introduces end-to-end
encrypted HTTP traffic (via TLS/SSL), it is not as easy to peek into user traffic. Here is a list of some of the things that a
security analyst could do:
• Configure rules to distinguish between SSL and non-SSL traffic, HTTPS and non-HTTPS SSL traffic.
• Enhance security through server certificate validation using CRLs and OCSP.
• Implement antimalware protection and URL filtering of HTTPS content.
• Deploy a Cisco SSL Appliance to decrypt SSL traffic and send it to intrusion prevention system (IPS) appliances to
identify risks normally hidden by SSL.

Chapter 9
New Terms and Commands
• 3DES (Triple DES)
• Advanced Encryption Standard (AES)
• asymmetric encryption
• block ciphers
• cipher
• cryptanalysis
• cryptography
• cryptology
• Data Encryption Standard (DES)
• Diffie-Hellman (DH)
• Digital Signature Algorithm (DSA)
• Digital Signature Standard (DSS)
• ElGamal
• Elliptical curve
• hash
• Hash Message Authentication Code (HMAC)
• Message Digest 5 (MD5)
• Public Key Infrastructure (PKI)
• Rivest ciphers (RC)
• RSA
• Secure Hash Algorithm 1 (SHA-1)
• Secure Hash Algorithm 2 (SHA-2)
• Software-Optimized Encryption Algorithm (SEAL)
• stream ciphers
• symmetric encryption
Cybersecurity Operations Certification
This chapter covers the following areas in the Cybersecurity Operations Certification:

From 210-250 SECFND - Understanding Cisco Cybersecurity Fundamentals:


▪ Domain 3: Cryptography
• 3.1 Describe the uses of a hash algorithm
• 3.2 Describe the uses of encryption algorithms
• 3.3 Compare and contrast symmetric and asymmetric encryption algorithms
• 3.4 Describe the processes of digital signature creation and verification
• 3.5 Describe the operation of a PKI

Cybersecurity Operations Certification (Cont.)
This chapter covers the following areas in the Cybersecurity Operations Certification:

From 210-250 SECFND - Understanding Cisco Cybersecurity Fundamentals:


▪ Domain 3: Cryptography
• 3.6 Describe the security impact of the following commonly used hash algorithms:
• MD5
• SHA-1
• SHA-256
• RSA4096
• SHA-512

Cybersecurity Operations Certification (Cont.)
This chapter covers the following areas in the Cybersecurity Operations Certification:

From 210-250 SECFND - Understanding Cisco Cybersecurity Fundamentals:


▪ Domain 3: Cryptography
• 3.7 Describe the security impact of the following commonly used encryption algorithms and secure
communications protocols:
• DES
• 3DES
• AES
• AES256-CTR
• RSA
• DSA
• SSH
• SSL/TLS

Cybersecurity Operations Certification (Cont.)
This chapter covers the following areas in the Cybersecurity Operations Certification:

From 210-250 SECFND - Understanding Cisco Cybersecurity Fundamentals:


▪ Domain 3: Cryptography
• 3.8 Describe how the success or failure of a cryptographic exchange impacts security investigation
• 3.9 Describe the following in regards to SSL/TLS:
• Cipher-suite
• X.509 Certificates
• Key exchange
• Protocol version
• PKCS

Cybersecurity Operations Certification (Cont.)
This chapter covers the following areas in the Cybersecurity Operations Certification:

From 210-250 SECFND - Understanding Cisco Cybersecurity Fundamentals:


▪ Domain 5: Security Monitoring
• 5.3 Describe the following concepts as they relate to security monitoring:
• Access Control List
• NAT/PAT
• Tunneling
• TOR
• Encryption
• P2P
• Encapsulation
• Load Balancing

