SAD/U5 Topic 5 Cryptography and Authentication
Cryptography is an important aspect when we deal with network security. ‘Crypto’ means secret or hidden. Cryptography is the science of secret writing with the intention of keeping the data secret. Cryptanalysis, on the other hand, is the science or sometimes the art of breaking cryptosystems. These both terms are a subset of what is called as Cryptology.
The flowchart depicts that cryptology is only one of the factors involved in securing networks. Cryptology refers to study of codes, which involves both writing (cryptography) and solving (cryptanalysis) them. Below is a classification of the
crypto-terminologies and their various types.
Cryptography is classified into symmetric cryptography, asymmetric cryptography and hashing. Below are the description of these types.
- Symmetric key cryptography
It involves usage of one secret key along with encryption and decryption algorithms which help in securing the contents of the message. The strength of symmetric key cryptography depends upon the number of key bits. It is relatively faster than asymmetric key cryptography. There arises a key distribution problem as the key has to be transferred from the sender to receiver through a secure channel.
- Assymetric key cryptography
It is also known as public key cryptography because it involves usage of a public key along with secret key. It solves the problem of key distribution as both parties’ uses different keys for encryption/decryption. It is not feasible to use for decrypting bulk messages as it is very slow compared to symmetric key cryptography.
It involves taking the plain-text and converting it to a hash value of fixed size by a hash function. This process ensures integrity of the message as the hash value on both, sender\’s and receiver\’s side should match if the message is unaltered.
- Classical attacks:
It can be divided into a) Mathematical analysis and b) Brute-force attacks. Brute-force attacks runs the encryption algorithm for all possible cases of the keys until a match is found. Encryption algorithm is treated as a black box. Analytical attacks are those attacks which focuses on breaking the cryptosystem by analysing the internal structure of the encryption algorithm.
- Social Engineering attack
It is something which is dependent on the human factor. Tricking someone to reveal their passwords to the attacker or allowing access to the restricted area comes under this attack. People should be cautious when revealing their passwords to any third party which is not trusted.
- Implementation attacks
Implementation attacks such as side-channel analysis can be used to obtain a secret key. They are relevant in cases where the attacker can obtain physical access to the cryptosystem.
The administrator can take an access to a router or a device through console but it is very inconvenient if he is sitting far from the place of that device. So, eventually he has to take remote access to that device.
But as the remote access will be available by using an IP address therefore it is possible that an unauthorized user can take access using that same IP address therefore for security measures, we have to put authentication. Also, the packets exchange between the device should be encrypted so that any other person should not be able to capture that sensitive information. Therefore, a framework called AAA is used to provide that extra level of security.
AAA (Authentication, Authorization, Accounting)
AAA is a standard based framework used to control who is permitted to use network resources (through authentication), what they are authorised to do (through authorization) and capture the actions performed while accessing the network (through accounting).
Process by which it can be identified that the user, which want to access the network resources, valid or not by asking some credentials such as username and password. Common methods are to put authentication on console port, AUX port or vty lines.
As a network administrator, we can control how a user is authenticated if someone wants to access the network. Some of these methods include using the local database of that device (router) or sending authentication request to an external server like ACS server. To specify the method to be used for authentication, default or customised authentication method list are used.
It provide capabilities to enforce policies on network resources after the user has gain access to the network resources through authentication. After the authentication is successful, authorisation can be used to determine that what resources the user is allowed to access and the operations that can be performed.
For example, if a junior network engineer (who should not access all the resources) wants to access the device then the administrator can create a view which will allow particular commands only to be executed by the user (the commands that are allowed in the method list). The administrator can use authorization method list to specify how the user is authorised to network resources i.e through local database pr ACS server.
It provide means of monitoring and capturing the events done by the user while accessing the network resources.It even monitors how long the user has an access to the network. The administrator can create an accounting method list to specify what should be accounted and to whom the accounting records should be send.
AAA implementation: AAA can be implemented by using the local database of the device or by using an external ACS server.
- local database
If we want to use the local running configuration of the router or switch to implement AAA, we should create users first for authentication and provide privilege levels to user for Authorization.
- ACS server
This is the common method used. An external ACS server is used (can be ACS device or software installed on Vmware) for AAA on which configuration on both router and ACS required. The configuration include creating user, separate customised method list for authentication, Authorisation and Accounting.
The client or Network Access Server (NAS) sends authentication request to ACS server and the server takes the decision to allow the user to access the network resource or not according to the credentials provided by the user.