1
00:00:00,380 --> 00:00:05,630
So once again, what is a symmetric algorithm? In a symmetrical algorithm,

2
00:00:05,870 --> 00:00:10,160
the same key is used to encrypt and decrypt the message.

3
00:00:10,310 --> 00:00:14,600
An example of a symmetric key algorithm would be AES.

4
00:00:14,960 --> 00:00:15,830
Notice.

5
00:00:15,860 --> 00:00:22,610
Both the sender and the receiver are using the same algorithm as well as the same key.

6
00:00:23,650 --> 00:00:29,830
This can cause a major problem because both the sender and the receiver must know what the key is.

7
00:00:30,550 --> 00:00:33,160
And they need a method to communicate this.

8
00:00:33,670 --> 00:00:38,140
The problem is, how do I tell you securely what the key is?

9
00:00:38,980 --> 00:00:46,270
If I don't have a secure tunnel established as yet, I need the key to establish the secure tunnel.

10
00:00:47,140 --> 00:00:52,270
But I cannot establish the secure tunnel until we both know what the key is.

11
00:00:52,660 --> 00:00:56,830
So this means that we need to communicate the key out of band.

12
00:00:57,220 --> 00:01:06,160
I need to phone you, or I need to SMS you, or I need to use some out-of-band method to tell you what key

13
00:01:06,160 --> 00:01:06,910
to use.

14
00:01:07,060 --> 00:01:14,650
So as an example, if I'm in the UK and you're in the US and we want to set up a private VPN between

15
00:01:14,650 --> 00:01:20,650
a router in the UK and a router in the US, I would have to phone you and let you know what key to use.

16
00:01:21,010 --> 00:01:27,070
That's fine when we have a simple VPN, but it doesn't scale well when we have thousands of routers.

17
00:01:28,370 --> 00:01:31,520
There is an advantage of a symmetrical key algorithm, though.

18
00:01:31,550 --> 00:01:39,290
Good symmetric ciphers are fast, secure and easy to implement using modern microprocessors, and therefore

19
00:01:39,290 --> 00:01:42,380
tend to be used for bulk encryption.
20
00:01:42,740 --> 00:01:46,250
Here are some examples of symmetric key algorithms:

21
00:01:46,580 --> 00:01:47,570
DES, Triple DES,

22
00:01:47,600 --> 00:01:48,920
AES and Blowfish.

23
00:01:50,220 --> 00:01:57,000
I'm going to explain Data Encryption Standard or DES, Triple DES, and Advanced Encryption Standard

24
00:01:57,000 --> 00:01:59,550
or AES in more detail in the upcoming slides.

25
00:02:00,150 --> 00:02:08,039
But for now, please realize that we still use symmetric key algorithms in VPNs today because of the

26
00:02:08,039 --> 00:02:13,080
advantage that they can encrypt bulk data quickly in modern microprocessors.

27
00:02:13,860 --> 00:02:21,240
So Data Encryption Standard or DES is a symmetric encryption algorithm where the same key is used by

28
00:02:21,240 --> 00:02:22,830
the sender and receiver.

29
00:02:23,250 --> 00:02:31,200
So notice the sender uses DES with a key of 1 to 3 and the receiver uses DES with a key of 1 to 3.

30
00:02:31,710 --> 00:02:37,710
It was developed by IBM and the US National Security Agency in 1975.

31
00:02:38,350 --> 00:02:41,590
It has a fixed key length of 56 bits.

32
00:02:42,220 --> 00:02:47,860
Remember once again that a class A IP address gives you two to the power of 24 combinations?

33
00:02:47,890 --> 00:02:51,040
DES gives you two to the power of 56 combinations.

34
00:02:51,800 --> 00:02:59,180
So the algorithm was good, but the key length doesn't meet today's security requirements, and it's recommended

35
00:02:59,180 --> 00:03:02,690
that you do not use DES in today's corporate environments.

36
00:03:02,930 --> 00:03:06,800
The problem is that it's susceptible to brute force attacks.

37
00:03:07,640 --> 00:03:13,670
By 1998, a DES-encrypted message was decrypted within 56 hours.

38
00:03:14,420 --> 00:03:18,440
And by 1999, it took just over 22 hours to crack.

39
00:03:19,010 --> 00:03:22,520
Once again, DES is not recommended in today's environments.
40
00:03:23,330 --> 00:03:26,420
Around the same time, Triple DES was developed.

41
00:03:27,270 --> 00:03:34,710
Triple DES is also a symmetric key algorithm, where the sender uses Triple DES and the receiver uses Triple

42
00:03:34,710 --> 00:03:38,270
DES and they have the same set of keys.

43
00:03:38,280 --> 00:03:40,680
In this case, there are three keys.

44
00:03:41,370 --> 00:03:46,410
The way Triple DES works is that clear text data is encrypted with key one.

45
00:03:47,010 --> 00:03:56,310
That encrypted text is then decrypted with a different key, key two, and then it's encrypted with a third

46
00:03:56,310 --> 00:03:58,440
key, in this case key three.

47
00:03:59,250 --> 00:04:06,390
So the data is encrypted, then decrypted and then encrypted, but with different keys.

48
00:04:06,510 --> 00:04:12,750
Now, if key one and key three are the same, this would result in a 112-bit key length.

49
00:04:13,200 --> 00:04:18,720
If key one and key three are not the same, it would result in a 168-bit key length.

50
00:04:19,870 --> 00:04:25,390
As you can see, the key length is greater than DES, which was 56 bits in length.

51
00:04:26,080 --> 00:04:31,240
Please note, at CCNA level it's not expected that you understand the details of all these algorithms.

52
00:04:31,570 --> 00:04:38,260
But I mention them here because I find it's easier to understand how VPNs work if you have a bit of

53
00:04:38,260 --> 00:04:40,270
knowledge of how the algorithms function.

54
00:04:41,650 --> 00:04:50,830
AES or Advanced Encryption Standard is the recommended symmetric key algorithm to use today in corporate

55
00:04:50,830 --> 00:04:51,760
environments.

56
00:04:52,920 --> 00:05:00,330
Once again, the sender and the receiver use the same algorithm as well as the same key, as this is a

57
00:05:00,330 --> 00:05:02,040
symmetric key algorithm.

58
00:05:03,200 --> 00:05:05,330
This comes in different variants.

59
00:05:05,340 --> 00:05:10,770
You've got AES 128-bit, AES 192 and AES 256.
60
00:05:10,770 --> 00:05:22,200
AES was announced in 2001 and became a federal government standard in May of 2002. It was approved

61
00:05:22,200 --> 00:05:25,740
by the NSA for top secret information.

62
00:05:26,680 --> 00:05:32,770
It once again is a recommended algorithm for VPNs in today's corporate environment.

63
00:05:33,100 --> 00:05:36,670
The details of these three algorithms are available on the Internet.

64
00:05:36,700 --> 00:05:42,460
Have a look at Wikipedia and other sources for more detailed information on how the algorithms work.

65
00:05:42,820 --> 00:05:49,600
But for now, just have an appreciation that DES, Triple DES and AES are symmetric key algorithms

66
00:05:49,600 --> 00:05:53,320
that can be used for bulk encryption and decryption of data.

67
00:05:54,430 --> 00:05:59,920
Now, an asymmetric key algorithm uses a different key to encrypt and decrypt.

68
00:06:00,580 --> 00:06:06,040
So, for instance, the sender would be using an asymmetric algorithm like RSA.

69
00:06:06,640 --> 00:06:10,180
The receiver would be using an algorithm like RSA.

70
00:06:10,510 --> 00:06:16,330
But please notice, different keys are used to encrypt and decrypt the data.

71
00:06:18,050 --> 00:06:24,230
Asymmetric key algorithms solve many of the longstanding problems with symmetric key algorithms,

72
00:06:24,230 --> 00:06:31,250
like how do you exchange the secret keys in the first place with a symmetric key algorithm, for instance?

73
00:06:31,430 --> 00:06:37,880
How do we send the decided private key to each other without it being intercepted?

74
00:06:38,760 --> 00:06:45,750
When using a symmetric key algorithm, once again, without a secure channel there is no way to establish

75
00:06:45,750 --> 00:06:46,770
a secure channel.

76
00:06:47,730 --> 00:06:53,160
I need to securely tell you, for instance, what the shared key is in a symmetric key algorithm.
77
00:06:53,490 --> 00:06:59,490
But we both need to know what the shared secret key is to establish a secure channel, to be able to

78
00:06:59,490 --> 00:07:01,680
securely send the key to one another.

79
00:07:01,860 --> 00:07:05,050
But we can't set up the channel because we don't have a key yet.

80
00:07:05,070 --> 00:07:10,290
That means we have to tell each other what the key is out of band, like by phoning one another.

81
00:07:10,590 --> 00:07:16,470
Asymmetric key algorithms allow us to solve this problem because different keys are used for encryption

82
00:07:16,470 --> 00:07:17,880
versus decryption.

83
00:07:18,920 --> 00:07:25,380
Also note, asymmetric key algorithms have key lengths far greater than symmetric key algorithms.

84
00:07:25,400 --> 00:07:29,960
The key lengths vary from 512 bits to 2048 bits.

85
00:07:31,070 --> 00:07:35,510
A lot of this information is out of the scope of the course, but it's worth knowing so that you can

86
00:07:35,510 --> 00:07:39,860
understand how VPNs work. With an asymmetric key algorithm,

87
00:07:40,490 --> 00:07:43,310
you firstly generate what's called a private key.

88
00:07:43,880 --> 00:07:48,710
Now, the word private means that you don't tell anyone else what your key is.

89
00:07:49,070 --> 00:07:52,970
In other words, a private key is kept to oneself.

90
00:07:53,390 --> 00:07:56,600
No one else gets told what your private key is.

91
00:07:57,600 --> 00:08:01,500
A public key is derived from a private key.

92
00:08:02,430 --> 00:08:06,420
So firstly, a device like a router will generate a private key.

93
00:08:07,290 --> 00:08:12,420
It will then generate a public key from its private key.

94
00:08:13,430 --> 00:08:17,600
Please note, a private key cannot be generated from a public key.

95
00:08:18,140 --> 00:08:22,040
A public key can only be generated from a private key.
96
00:08:22,640 --> 00:08:28,010
Now, this is not a math course, so we're not going to get into the mathematics of how public and private

97
00:08:28,010 --> 00:08:29,180
keys are derived.

98
00:08:30,330 --> 00:08:36,059
We as network engineers just need to have an appreciation of how they work and then how to configure

99
00:08:36,059 --> 00:08:38,490
them in networking environments.

100
00:08:39,299 --> 00:08:43,350
So to sum up, you create a private key, which you keep to yourself.

101
00:08:43,590 --> 00:08:47,190
You then generate a public key from your private key.

102
00:08:48,300 --> 00:08:50,760
Your public key is then shared with the world.

103
00:08:52,060 --> 00:08:59,860
Now, something encrypted with your private key can only be decrypted by your public key, and something

104
00:08:59,860 --> 00:09:04,480
encrypted with your public key can only be decrypted with your private key.

105
00:09:05,190 --> 00:09:10,440
So for instance, if A on the left wants to send something to B on the right,

106
00:09:10,470 --> 00:09:14,580
the way it works is as follows: B generates a private key.

107
00:09:15,390 --> 00:09:19,920
A public key is then generated from B's private key.

108
00:09:20,520 --> 00:09:25,020
B then shares its public key with A.

109
00:09:25,760 --> 00:09:35,600
When A wants to send something to B, A encrypts the data with B's public key, which A now knows. The

110
00:09:35,600 --> 00:09:43,550
only key that can decrypt something encrypted with B's public key is B's private key, and B is the

111
00:09:43,550 --> 00:09:46,280
only person that has B's private key.

112
00:09:46,760 --> 00:09:52,580
So A encrypts the data with B's public key and sends it to B.

113
00:09:53,300 --> 00:10:01,970
B is the only device or person with B's private key, so only B can decrypt the information.

114
00:10:03,120 --> 00:10:04,240
It can get really confusing.

115
00:10:04,240 --> 00:10:05,500
So let me say it again.
116
00:10:05,890 --> 00:10:14,170
If I want to send something to you that only you can decrypt, I would encrypt the data with your public

117
00:10:14,170 --> 00:10:14,740
key.

118
00:10:16,470 --> 00:10:23,640
If you want to send something to me that only I can decrypt, you would encrypt that data with my public

119
00:10:23,640 --> 00:10:31,350
key, because only my private key would be able to decrypt something encrypted with my public key.

120
00:10:33,870 --> 00:10:34,020
Now,

121
00:10:34,020 --> 00:10:36,000
how does this apply to VPNs?

122
00:10:36,870 --> 00:10:43,500
Well, in 1976, two gentlemen, Diffie and Hellman, discovered a way out of the secure channel dilemma.

123
00:10:44,160 --> 00:10:49,710
In other words, the issue we had with the transmission of a shared secret across an insecure medium

124
00:10:49,710 --> 00:10:51,720
can be solved by using Diffie-Hellman.

125
00:10:52,740 --> 00:10:57,570
They found out that by using a different key, certain one-way functions could be undone.

126
00:10:58,200 --> 00:11:03,990
The solution, called public key cryptography, takes advantage of a characteristic of prime and almost

127
00:11:03,990 --> 00:11:11,640
prime numbers, specifically how hard it is to find the two factors of a large number that has only

128
00:11:11,640 --> 00:11:14,220
two factors, both of which are prime.

129
00:11:14,550 --> 00:11:18,210
This uses things like quadratic residues.

130
00:11:18,600 --> 00:11:21,600
Now, unless you're a mathematician, that'll have no meaning, I'm sure.

131
00:11:22,400 --> 00:11:27,950
Once again, we as network engineers do not need to understand the math behind all of these algorithms.

132
00:11:28,220 --> 00:11:32,720
We just have to know when to apply the algorithms in production environments.
133
00:11:33,170 --> 00:11:42,620
So just understand that Diffie-Hellman discovered a way to securely create a secure channel to exchange

134
00:11:43,130 --> 00:11:50,120
a shared secret key, which is required by algorithms like AES, Triple DES and DES, across an insecure

135
00:11:50,120 --> 00:11:57,530
medium like the internet securely, so that no hacker can find out what the shared secret is.

136
00:11:58,480 --> 00:11:59,470
In brief,

137
00:12:00,190 --> 00:12:03,750
the way Diffie-Hellman works is as follows: the peers,

138
00:12:03,760 --> 00:12:12,220
in other words the two devices involved in a VPN, can yield or create a shared secret key based on

139
00:12:12,220 --> 00:12:16,390
the other peer's public value and their own secret.

140
00:12:16,960 --> 00:12:23,980
In other words, if you and I are going to set up a VPN and we need to create a shared secret key between

141
00:12:23,980 --> 00:12:31,390
us, by using complicated mathematics we can create a shared secret securely without other people being

142
00:12:31,390 --> 00:12:33,400
able to work out what that key is.

143
00:12:33,910 --> 00:12:38,230
You need at least one secret value to perform this function or calculation.

144
00:12:38,230 --> 00:12:45,430
Remember, secret or private keys are not exchanged with other people, so the attacker has no secret

145
00:12:45,430 --> 00:12:53,360
values and needs to perform a discrete logarithm of a public value, which is computationally infeasible.

146
00:12:53,380 --> 00:12:56,350
In other words, in theory, impossible.

147
00:12:57,180 --> 00:13:05,040
So for example, AES. I have clear text data that we want to send securely using an algorithm like AES.

148
00:13:05,360 --> 00:13:12,390
AES, being a symmetric key algorithm, requires that the same key be used for encryption and decryption.
149
00:13:13,050 --> 00:13:21,360
We want to be able to work out a shared secret key between the sender and receiver securely across an

150
00:13:21,360 --> 00:13:27,150
insecure medium, with all kinds of undesirables trying to sniff the network and work out what the password

151
00:13:27,150 --> 00:13:27,540
is.

152
00:13:28,140 --> 00:13:35,430
So both peers need to establish a shared key securely, and Diffie-Hellman gives us the ability to do

153
00:13:35,430 --> 00:13:36,000
this.

154
00:13:36,950 --> 00:13:43,370
So by using public key cryptography, in other words private and public keys, we can work out a shared

155
00:13:43,370 --> 00:13:47,420
secret securely without others being able to see that.

156
00:13:48,410 --> 00:13:54,920
So when two peers want to set up a VPN, they use Diffie-Hellman to work out a shared key.

157
00:13:55,310 --> 00:13:58,340
The reason why we need that shared key is that symmetric

158
00:13:58,340 --> 00:14:02,860
key algorithms like AES require that the same key be used on both sides.

159
00:14:02,870 --> 00:14:07,670
And the reason why we use AES is because it's good for bulk encryption.

160
00:14:08,600 --> 00:14:11,690
Once the Diffie-Hellman key exchange has taken place,

161
00:14:11,900 --> 00:14:18,590
we can create a shared secret for AES, and therefore AES and the shared key can be used for bulk encryption

162
00:14:18,590 --> 00:14:27,380
of our data, which can be sent across the insecure internet securely and only decrypted by the receiving

163
00:14:27,380 --> 00:14:27,980
party.