CCNA Security – Chapter 7 Case Study
© 2009 Cisco Learning Institute

Objectives
• Explain how securing communications by various cryptographic methods, including encryption, hashing and digital signatures, ensures confidentiality, integrity, authentication and nonrepudiation.
• Describe the use and purpose of hashes and digital signatures in providing authentication and integrity.
• Explain how data confidentiality is ensured using symmetric encryption algorithms and pre-shared keys.
• Explain how data confidentiality is ensured using asymmetric algorithms in a public key infrastructure to provide and guarantee digital certificates.
Scenario 7.1
Superior Health Care System Corporation is implementing web-based e-commerce services including patient billing, payments and insurance claim processing. As you know, this is very sensitive information, and there are both corporate and personal liability considerations in assuring that this information is safe. I am entrusting your team to protect both the confidentiality and integrity of this information.
In preparing for this transition, I want your team to be trained in cryptography.
Tasks 7.1
Use the CrypTool utility to observe and record the result of using different cryptographic systems. Use Microsoft Notepad to create the following secret message. Record the results in the table below:
Superior Health Care System Corporation believes in information confidentiality, integrity and availability.
Note: Save file as case-study message file.txt
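Cryptographic System: Result
MD5 Hash: ____________________
SHA Hash: ____________________
HMAC (MD5), Password = cisco: ____________________
RC4 = 8-bit, key = AA: ____________________
DES(ECB), 56-bit, key = All “A’s”: ____________________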
Answer
Cryptographic System: Result
MD5 Hash:
88 F8 65 BA 02 8B 22 31 F8 DD 3E C4 28 97 F2 EC
SHA Hash:
59 AA 3C C7 7C E3 69 C4 0A E5 94 5F D9 D7 EE 3E 39 CF 05 85
HMAC (MD5) + Password = cisco:
d6 80 f0 90 d1 91 48 45 39 d8 23 50 d5 4f af df
RC4 = 8-bit, key = AA:
B0 1D 1F 82 30 51 BE 35 FD 39 13 E4 C1 44 13 AF F0 54 4F 85 A8 67 AB 2B 87
B6 71 CD 7F 64 DB 93 9C 36 8E 38 4C 9F F9 69 E0 90 94 7D EC FC A7 5F 8D 52
1D 06 9E 70 70 66 3C 42 82 0A 40 A7 58 0A 53 86 14 FD 99 B4 F2 55 C1 8C A5
F3 01 CB 90 92 91 6A 14 93 5C 25 92 09 A5 33 F8 8C 7C CF C4 23 5F 4D 45 1C
FC E8 38 1F 47 DD 86 D0
DES(ECB), 56-bit, key = All “A’s”:
9D 42 62 A2 2A 55 A5 66 6D 7C B0 18 03 41 A6 9C 83 55 77 E6 22 7D F3 D3 0D
C4 7A 2B DC B6 A9 99 78 B5 87 66 DB EB 05 1C CD CD 2D B8 F2 81 5A 5C E9 A4
D1 BF 7E F7 77 0D E7 95 AB 81 26 E3 8B 92 68 F9 EF A1 DC 55 A6 9C D9 0E 05
BA 69 8D F5 2A 42 C5 16 C6 4A 14 E9 CB 0A F2 95 A1 38 EC B8 58 A2 5D 22 E9
8B 2A 6E BE F3 7C 4F AE 2B E0 BF 66
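The hash, HMAC and RC4 rows of Tasks 7.1 can be recomputed outside CrypTool. The Python below is an added example, not part of the original case study; it assumes the message is saved as a single line of ASCII text, that "SHA" means SHA-1 (the answer is 20 bytes long), that the HMAC follows RFC 2104, and the names `lab_results`, `hmac_ok` and `ecb_length` are chosen here for illustration.

```python
import hashlib
import hmac

# The lab message typed as one line of ASCII text (assumption: no line break or
# trailing newline in the saved file; different bytes give different results).
MESSAGE = (b"Superior Health Care System Corporation believes in information "
           b"confidentiality, integrity and availability.")

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher; the same call encrypts and decrypts."""
    s, j = list(range(256)), 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                         # keystream XOR data
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def lab_results(msg: bytes) -> dict:
    """Digest, keyed digest and ciphertext for the rows of the Tasks 7.1 table."""
    return {
        "MD5": hashlib.md5(msg).digest(),
        "SHA-1": hashlib.sha1(msg).digest(),
        "HMAC-MD5": hmac.new(b"cisco", msg, hashlib.md5).digest(),  # RFC 2104
        "RC4": rc4(bytes([0xAA]), msg),
    }

def hmac_ok(msg: bytes, tag: bytes, key: bytes = b"cisco") -> bool:
    """Integrity and authentication check: constant-time tag comparison."""
    return hmac.compare_digest(hmac.new(key, msg, hashlib.md5).digest(), tag)

def ecb_length(msg_len: int, block: int = 8) -> int:
    """Length after rounding up to whole 8-byte DES blocks."""
    return -(-msg_len // block) * block

if __name__ == "__main__":
    results = lab_results(MESSAGE)
    for name, value in results.items():
        print(f"{name:9}{len(value):4} bytes  {value.hex(' ').upper()}")
    # RC4 gives confidentiality only: flipping one ciphertext bit flips the
    # same plaintext bit undetected, while the HMAC check catches the change.
    forged = bytes([results["RC4"][0] ^ 0x20]) + results["RC4"][1:]
    tampered = rc4(bytes([0xAA]), forged)
    print(tampered[:8], hmac_ok(tampered, results["HMAC-MD5"]))
```

The result lengths line up with the answer table: 16 bytes for MD5 and HMAC (MD5), 20 for SHA, 108 for RC4 (one ciphertext byte per message byte) and 112 for DES in ECB mode. If the printed values differ from the table, the saved file's bytes or the tool's settings differ from the assumptions above.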
Scenario 7.2
An important part of the new e-commerce services will be key management. Key management is often considered the most difficult part of designing a cryptosystem. Many cryptosystems have failed because of mistakes in their key management, and all modern cryptographic algorithms require key management procedures. In practice, most attacks on cryptographic systems are aimed at the key management level, rather than at the cryptographic algorithm itself. There are several essential characteristics of key management to consider:
• Generation – It was up to Caesar to choose the key of his cipher. The Vigenere cipher key is also chosen by the sender and receiver. In a modern cryptographic system, key generation is usually automated and not left to the end user. Good random number generators are needed to ensure that all keys are equally likely to be generated, so that the attacker cannot predict which keys are more likely to be used.
• Verification – Some keys are better than others. Almost all cryptographic algorithms have some weak keys that should not be used. With the help of key verification procedures, weak keys can be detected and regenerated if they occur. With the Caesar cipher, using a key of 0 or 25 does not encrypt the message, so it should not be used.
• Storage – On a modern multi-user operating system that uses cryptography, a key can be stored in memory. This presents a possible problem when that memory is swapped to the disk, because a Trojan Horse program installed on the PC of a user could gain access to the private keys of that user.
• Exchange – Key management procedures should provide a secure key exchange mechanism that allows secure agreement on the keying material with the other party, probably over an untrusted medium.
• Revocation and Destruction – Revocation notifies all interested parties that a certain key has been compromised and should no longer be used. Destruction erases old keys in a manner that prevents malicious attackers from recovering them.
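The generation and verification points above can be combined into one routine: draw the key from a cryptographically secure random source, check it against the algorithm's known weak keys, and regenerate on a hit. The Python below is an added example, not part of the original case study; it uses DES because the lab does, and the function names, the retry limit and the reading of the lab's "all A's" key as hex AA bytes are assumptions made here.

```python
import secrets

# The four DES weak keys (odd-parity form). Encrypting twice with one of them
# returns the plaintext, so a key generator must never hand them out.
DES_WEAK_KEYS = {bytes.fromhex(k) for k in (
    "0101010101010101", "FEFEFEFEFEFEFEFE",
    "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E",
)}

# Assumption: the lab's 'all A's' DES key read as eight hex AA bytes.
LAB_KEY = bytes.fromhex("AA" * 8)

def set_odd_parity(key: bytes) -> bytes:
    """Set the low bit of each byte so every byte has an odd number of 1 bits."""
    out = bytearray()
    for b in key:
        upper = b & 0xFE                       # the 7 effective key bits
        even = bin(upper).count("1") % 2 == 0
        out.append(upper | 1 if even else upper)
    return bytes(out)

def is_weak(key: bytes) -> bool:
    """Key verification: compare on the effective bits, ignoring parity."""
    return set_odd_parity(key) in DES_WEAK_KEYS

def generate_des_key(rng=secrets.token_bytes, max_tries: int = 16) -> bytes:
    """Key generation: CSPRNG draw, verification, regeneration on a weak key."""
    for _ in range(max_tries):
        key = set_odd_parity(rng(8))
        if not is_weak(key):
            return key
    # A healthy source hits a weak key with probability 4 in 2**56 per draw.
    raise RuntimeError("random source keeps producing weak keys; treat it as broken")

if __name__ == "__main__":
    print("generated:", generate_des_key().hex())
    # Verification only rejects algorithmically weak keys. A fixed, guessable
    # pattern such as LAB_KEY passes it, which is why generation must be random.
    print("lab key flagged as weak:", is_weak(LAB_KEY))
```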
Tasks 7.2
Please have your team discuss each of these considerations and propose possible implementations and solutions for each.
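Key Management Considerations: Proposed Solutions
Key Generation: ____________________
Key Verification: ____________________
Key Storage: ____________________
Key Exchange: ____________________
Key Revocation and Destruction: ____________________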
Tasks 7.3
The selection and implementation of encryption systems for Superior Health Care System Corporation is critical to the safe transmission and storage of sensitive information. Please have your group draft an Encryption Policy for use throughout Superior Health Care System Corporation. Also, please discuss how best to implement this Encryption Policy and guarantee its use by employees.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________