CWNP CWSP – Module 03 – Encryption Ciphers and Methods
Now in this module, we’re going to talk a lot about encryption ciphers and the different types of methods that we’re going to use when it comes to securing our traffic. So we’re going to start off with a pretty long dissertation for me about encryption basics. Probably tell you more than you want to know about some of the different types of algorithms, and then, of course, we’ll assign those into why it’s important for us with the wireless LAN encryption methods. Again, we’re going to have a little bit of talk about WEP, where we came from, then the temporal key, CCMP, and how we incorporated that with WPA and WPA2. And then we’ll even have a bit of a discussion about some proprietary implementations of encryption.
All right, encryption basics. I’m going to draw out a lot of pictures to give you ideas of some of the differences. But what we have to start with was the fact that WiFi was considered an unbounded medium because again, it was using radio frequency. If we’re going across a copper wire or an optical cable, obviously it’s not unbounded. Those electrons, those photons, they don’t escape. They don’t get transmitted around everybody in the world or anybody that’s in close proximity. Maybe copper if you had a sniffer on it. But that’s a different story. So unbounded meaning that it was innately unsecure. And we talked about encryption, I think in a previous part of our course, of changing what we call the plaintext into the ciphertext and back again, right.
Remember that process was plain text. We had some sort of encryption algorithm that turned that plain text into ciphertext. And the receiver would have to use the same algorithm and the same key to be able to turn it back into plain text again. And that’s just the entire process of going back and forth. Now, one of the weaknesses I told you was how do both sides know what the encryption key is? That becomes a challenge because obviously I can’t email you the key because I’d have to email it in plain text because I can’t encrypt it because you don’t know the key. Kind of like, I guess the phrase we used to use was a catch-22. So that’s where I’m going to draw out these different types of encryption. We’ll talk about the asymmetric, which is using a pair of keys, why that’s important, and symmetric using a single key. What I’ve just described up here was the symmetric type of encryption where we had the same key for both. And we use that for bulk data because it is technically not as consuming of resources, CPU, memory, the rest of it, to be able to do symmetric encryption. But asymmetric certainly has some of its own benefits.
That does take a lot of overhead, but we’re going to see how we use both. And the thing to remember is they use a private and public key as a key pair. So you have to use one key to encrypt, and then when you do that, you need to use the other key to decrypt. I guess I could have put the word two in there, but hey, that’s all right. We’ll fit it in there. There we go. Now it looks like I can write a sentence. So it didn’t matter which key you use first. Well, I mean, it does, but it didn’t matter in this general description. If I use the private key to encrypt it, then you would have to have a public key to decrypt it. A lot of it’s a part of what we call the public key infrastructure. And let’s talk about how that works. And let me just go outside of the idea of wireless. Let’s just talk about these encryption types with something that you might commonly do, which is that you want to connect somewhere to your bank and do a little online banking and you want to be able to make sure your communications are secure. And we often use what’s called the Secure Sockets Layer as a method of doing the encryption.
And what I want you to know is that we’re going to use both asymmetric and symmetric encryption to be able to set up the session. So what’s the first problem? The first problem is that we don’t have a common symmetric key between us and the bank. I mean, I don’t think when you signed up online that they printed it out on the screen for you because again, they couldn’t send it encrypted. So we’re going to talk about how this works. And generally speaking, every one of these online places that you want security with is going to have some sort of a certificate. And that certificate is done to authenticate that you are actually connected to your bank and not a hacker pretending to be your bank. And they also contain, along with a lot of other information, their public key. This is important for you to understand. So you start, right, you start by making the connection and when you start you’re asking the bank hey, I want to set up an encrypted session.
So what the bank does is it sends you their certificate. And remember, their certificate has the public key on it. Out of thin air, randomly, you’re going to choose a key, a random key that you want to use for symmetric encryption. But here I need to send it to the bank so it knows what key I’m using. So we take that bank’s public key, see if I can make a better B than that. There we go. We take that public key and we encrypt that information and we send them that encrypted key. Because we use their public key, the only key they can use to decrypt it is their private key. And so when they use their private key, then they know what that random key is that we sent them. Now that’s how it’s supposed to work. Private keys are never to be shared with anybody. They’re meant to be stored securely and safely. But the idea is that everybody knows what the public key is.
Now that we know both sides have the same symmetric key, now we can set up what we call that Secure Sockets Layer. In other words, now I can encrypt everything with that random key and they know what that random key is. And I say random because literally, as long as the key is of sufficient strength, length and everything else, it is kind of up to the client to generate that key because generally speaking, we don’t send a certificate to the bank to give them our public key. So that’s one use of asymmetric encryption, to be able to use it to generate that or to securely send that symmetric key. So that is the back and forth process. Now, to give you one other example of asymmetric, because I think symmetric, I hope intuitively makes sense, we both have to have the same key. It could come in when, let’s say, sending an email. I mean, I’m just giving you other uses of symmetric and we want to send this email off to somebody. Well, we have two options.
Well, there’s actually a lot of options, but again, I’m just using these as analogies. If I am Bob, and I don’t know why when we talk about encryption, they always use the names Bob and Alice. I don’t know. So I’m going to stick with their standards. Let’s say Bob decides to encrypt this letter with his private key, all right, and sends it to Alice. Alice would then need to have Bob’s public key to unencrypt it. The problem is anybody who intercepts that email can also retrieve Bob’s public key. That’s why it’s called public. It’s everywhere, anybody can have it. So I really am not protecting the message from being read. But what it does is it proves to Alice that it was sent by Bob because Bob’s public key is the one that opened it or decrypted it. So in that case, we’re kind of using it as a way of what some people would call authentication, others might call it non-repudiation.
I’m not going to spell that word because I don’t have room for it. But non-repudiation means Bob can also not deny having sent that unless Bob wants to tell the world his private key has been compromised. Another option we have is that if Bob wants to make sure only Alice can read that email, then Bob can use his public key, or I’m sorry, he can use Alice’s public key to encrypt it and send that email off to Alice and only Alice can open it with her private key. So now we know that if anybody intercepts it, they can’t read it. And believe it or not, we actually use a combination of both of these options, along with some hashing, to be able to do message authentication, which is a method of both making sure only Alice can read it and that Alice can prove Bob sent it and can make sure that it hasn’t been tampered with on its way. But that’s again, just another example of asymmetric encryption. So I’m just trying to give you a kind of a picture since you are going to be expected to know these different types of encryption and how we use them. And asymmetric is one that maybe we don’t talk about enough.
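The two uses of a key pair described above (sending a random symmetric key under the bank's public key, and Bob proving authorship with his private key) can be traced in a short added example; this is not code from the course. It assumes a toy textbook-RSA key pair built from two known Mersenne primes, with no padding, and a hash-based XOR keystream standing in for the bulk symmetric cipher; one key pair plays both the bank and Bob.

```python
import hashlib
import secrets

# Toy key pair, constructed for this example: textbook RSA, no padding,
# roughly 150-bit modulus. Far too weak for real use; it only shows the flow.
P, Q = 2**61 - 1, 2**89 - 1              # two known Mersenne primes
N, E = P * Q, 65537                      # public key (what a certificate carries)
D = pow(E, -1, (P - 1) * (Q - 1))        # private key (never shared)

def _digest_int(message: bytes) -> int:
    """First 128 bits of SHA-256, as an integer smaller than N."""
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream."""
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap_session_key(session_key: bytes) -> int:
    """Client side: encrypt the random symmetric key with the PUBLIC key."""
    return pow(int.from_bytes(session_key, "big"), E, N)

def unwrap_session_key(wrapped: int) -> bytes:
    """Server side: only the PRIVATE key recovers the symmetric key."""
    return pow(wrapped, D, N).to_bytes(16, "big")

def sign(message: bytes) -> int:
    """Sender proves origin: transform the message hash with the PRIVATE key."""
    return pow(_digest_int(message), D, N)

def verify(message: bytes, signature: int) -> bool:
    """Anyone with the PUBLIC key can check origin and detect tampering."""
    return pow(signature, E, N) == _digest_int(message)

def banking_session(request: bytes):
    """Run both sides: returns (keys match?, plaintext the bank recovers)."""
    session_key = secrets.token_bytes(16)            # chosen by the client
    wrapped = wrap_session_key(session_key)          # sent to the bank
    ciphertext = xor_stream(session_key, request)    # bulk data, symmetric
    bank_key = unwrap_session_key(wrapped)
    return bank_key == session_key, xor_stream(bank_key, ciphertext)

if __name__ == "__main__":
    print(banking_session(b"transfer 100 to savings"))
    sig = sign(b"Hello Alice, from Bob")
    print(verify(b"Hello Alice, from Bob", sig), verify(b"Hello Alice, from Eve", sig))
```

Signing hides nothing, since the message travels in the clear next to the signature; confidentiality comes only from the wrapped session key.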
Now, stream and block ciphers. Another interesting thing. Stream ciphers or stream encryption is done on a bit by bit basis. You might have remembered that I mentioned if we had a message and all of our messages, no matter how we send them. So that’s the actual message we want to send is a combination of ones and zeros. And what happens is, when we have an encryption key, we have this key stream. Here’s where the longer the key, the better. So we might have a key, maybe it’s of the same length, maybe the key is only half the length of the message. So we end up repeating the key over and over again and we use that exclusive OR, so that’s the key, to come up with the ciphertext, all right, over the top of there. And so that’s a stream.
So we’re doing the encryption bit by bit. Now, one of the weaknesses, some people would say, with stream encryption is that we are repeating the key over and over again. And given enough data, patterns might arise that somebody who’s doing cryptanalysis can use to eventually crack what that key is. Now, there is this, what’s called perfect encryption, where the actual key that’s being used will be a random key built to be the exact same size as the message. So there are no patterns being developed in there. But then both sides need to have that key. That is considered one of the only unbreakable types of encryption.
Now, block ciphers. So, examples of block ciphers: RC4, RC5, DES, Triple DES. What they do is they take 64 bits of a message and encrypt that message. And the most famous one, if we’re going to talk about history, is DES, the Data Encryption Standard.
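The repeating-key weakness of stream encryption described above, next to a random key as long as the message, as an added example that is not part of the course material. The message is constructed sample data, and the 8-byte key length and the function names are assumptions made for the illustration.

```python
import secrets
from itertools import cycle

def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR every message byte with the key, repeating the key when it runs out."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))

def chunks(data: bytes, size: int) -> list:
    return [data[i:i + size] for i in range(0, len(data), size)]

def repeated_chunks(ciphertext: bytes, size: int) -> int:
    """How many key-sized ciphertext chunks duplicate an earlier chunk."""
    parts = chunks(ciphertext, size)
    return len(parts) - len(set(parts))

def key_cancels(ciphertext: bytes, plaintext: bytes, size: int, i: int, j: int) -> bool:
    """True if chunk_i XOR chunk_j of the ciphertext equals the same XOR of the
    plaintext, i.e. the key dropped out without the observer ever knowing it."""
    c, p = chunks(ciphertext, size), chunks(plaintext, size)
    return xor_with_key(c[i], c[j]) == xor_with_key(p[i], p[j])

# Constructed sample traffic: four 8-byte fields, three of them identical.
MESSAGE = b"BEACON__BEACON__PROBE___BEACON__"
SHORT_KEY = secrets.token_bytes(8)            # repeats four times over the message
PAD = secrets.token_bytes(len(MESSAGE))       # random key, same length as message

def compare() -> dict:
    short_ct = xor_with_key(MESSAGE, SHORT_KEY)
    pad_ct = xor_with_key(MESSAGE, PAD)
    return {
        "short_repeats": repeated_chunks(short_ct, 8),   # plaintext pattern shows
        "pad_repeats": repeated_chunks(pad_ct, 8),       # no pattern survives
        "short_key_cancels": key_cancels(short_ct, MESSAGE, 8, 1, 2),
        "pad_key_cancels": key_cancels(pad_ct, MESSAGE, 8, 1, 2),
        "roundtrip": xor_with_key(short_ct, SHORT_KEY) == MESSAGE,
    }

if __name__ == "__main__":
    print(compare())
```

With the short key, identical plaintext fields produce identical ciphertext, and XORing two ciphertext chunks yields the XOR of the two plaintexts; neither happens with the message-length random key.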
Now, there’s actually four different types of block ciphering that DES does. Triple DES does it as well, but it just does DES three different times. I’ll explain some of those, and AES, you’re going to find, is very similar to DES. But here’s what they would do is they would look at a message or 64-bit block, right, that’s 64 ones and zeros, and they would use their key to encrypt that 64-bit part of the message. And so now they have 64 bits of ciphertext. And then what they do is they take that 64 bits of ciphertext to use it as the key to encrypt the next 64 bits. I keep saying bytes, sorry about that, bits of plain text. So technically speaking, the key used to decrypt the second block is different than the original key. And then they just keep this little pattern going until they encrypt the entire message. So that gets rid of a lot of the problems of seeing patterns being repeated over and over again.
But the problem with DES is that it used what we call a 56-bit key, so we could decipher it by coming up. I mean, my computer, my laptop could generate all 56 bits of possible keys to decrypt this process and figure out what the message was. So it wasn’t considered very strong. So let me just say that was DES. Triple DES did the DES three times. What it would do, basically, is take and do DES with key number one. Then, before it sent the message, it would take that encrypted message and reencrypt it using DES, but reencrypt it with a different key, and then take that encrypted message, reencrypt it again with DES. And that would be a third key. And so we’re actually doing DES three different times. So you’d have to be able to crack this one, which how do you know if it’s cracked? Because if you crack that third key, you’d be left with another ciphertext that you’d have to try to crack again and then try to crack again. Now, they called it 168 bits because you did it three times.
So if you did multiplication, that’s 168 bits. Now, technically speaking, another option of Triple DES was to do DES the first time with a key and then decrypt it with a different key. So now you’re decrypting an encrypted message with the wrong key, so it’s still garbage. And then they would reencrypt that with, again, either the same first key or maybe a third key. So there’s a lot of different, again, forms of how Triple DES was done. Now, the Advanced Encryption Standard is also going to do a block cipher. It also works in a chaining type of mode.
The big thing about here, right, these were 56-bit keys, each and every single one of them. And it’s not exactly the same, but the big difference is it started off with a 128-bit key. Now, when AES first came out, it’s been out for many years. When it first came out, we were told that if you had a system that could crack Triple DES in 30 seconds, that same system to crack AES could take over 100 years or more to be able to crack it. Now, technologies have changed, and so likewise with AES, the great part about this was that the key could still continue to get longer and longer.
Why don’t we just start off with a longer key? Well, it took a lot more computing power, but then as time goes on, we have more computing power, so we can continue to increase that key. The idea is to stay ahead of, what is it, Moore’s Law, I think one of the founders of Intel that said, every two years we’re seeing the performance double. And, of course, the size of the chip shrink almost in half. So, but these block ciphers, again, are symmetric. And as I said, the encryption is being done on a block of data.