1
00:00:00,660 --> 00:00:05,860
So once again, what is a symmetric algorithm? In a symmetric algorithm,

2
00:00:06,030 --> 00:00:10,560
The same key is used to encrypt and decrypt the message.

3
00:00:10,560 --> 00:00:15,150
An example of a symmetric key algorithm would be AES.

4
00:00:15,150 --> 00:00:23,820
Notice both the sender and the receiver are using the same algorithm as well as the same key.

5
00:00:23,840 --> 00:00:30,890
This can cause a major problem because both the sender and the receiver must know what the key is and

6
00:00:30,890 --> 00:00:33,680
they need a method to communicate this.

7
00:00:33,800 --> 00:00:41,750
The problem is: how do I tell you securely what the key is if I don't have a secure tunnel established

8
00:00:42,140 --> 00:00:46,370
as yet? I need the key to establish a secure tunnel.

9
00:00:47,370 --> 00:00:52,860
But I cannot establish a secure tunnel until we both know what the key is.

10
00:00:52,860 --> 00:00:57,000
So this means that we need to communicate the key out of band.

11
00:00:57,380 --> 00:00:58,710
I need to phone you.

12
00:00:58,990 --> 00:01:07,150
I need to use some out-of-band method to tell you what key to use.

13
00:01:07,150 --> 00:01:14,850
So as an example, if I'm in the UK and you're in the US and we want to set up a private VPN between a

14
00:01:14,850 --> 00:01:21,040
router in the U.K. and a router in the US, I would have to phone you and let you know what key to use.

15
00:01:21,210 --> 00:01:28,350
That's fine when we have a simple VPN but it doesn't scale well when we have thousands of routers.

16
00:01:28,440 --> 00:01:31,110
There is an advantage to a symmetrical algorithm.

17
00:01:31,110 --> 00:01:39,100
The good symmetric ciphers are secure and easy to implement using modern microprocessors, and they

18
00:01:39,330 --> 00:01:42,890
tend to be used for bulk encryption.

19
00:01:42,890 --> 00:01:47,690
These are some examples of symmetric key algorithms used these days:

20
00:01:47,740 --> 00:01:56,710
AES and Blowfish. I'm going to explain Data Encryption Standard or DES, Triple DES and Advanced Encryption

21
00:01:56,710 --> 00:01:59,940
Standard or AES in more detail in upcoming slides.

22
00:02:00,370 --> 00:02:07,990
But for now please realize that we still use symmetric key algorithms in VPNs today because of

23
00:02:07,990 --> 00:02:14,950
the advantage that they can encrypt bulk data quickly on modern microprocessors. Data Encryption

24
00:02:14,950 --> 00:02:23,120
Standard or DES is a symmetric encryption algorithm where the same key is used by the sender and receiver.

25
00:02:23,440 --> 00:02:31,670
So notice the sender uses DES with a key of 259 and the receiver uses DES with the key of 259.

26
00:02:31,930 --> 00:02:37,830
It was developed by IBM and the U.S. National Security Agency in 1975.

27
00:02:38,570 --> 00:02:41,030
It has a fixed key length of 56 bits.

28
00:02:41,070 --> 00:02:48,400
Let's remember once again that a Class A IP address gives you two to the power of 24 combinations; DES

29
00:02:48,410 --> 00:02:51,990
gives you two to the power of 56 combinations.

30
00:02:52,040 --> 00:02:59,270
So the algorithm was good, but the key length doesn't meet today's security requirements, and it's recommended

31
00:02:59,270 --> 00:03:03,120
that you do not use DES in today's corporate environments.

32
00:03:03,140 --> 00:03:06,880
The problem is that it's susceptible to brute force attacks.

33
00:03:07,780 --> 00:03:17,790
By 1998 a DES encrypted message was decrypted within 56 hours, and by 1999 it took just over 22 hours

34
00:03:17,790 --> 00:03:23,220
to crack. Once again, DES is not recommended in today's environments.

35
00:03:23,460 --> 00:03:31,210
Around the same time Triple DES was developed. Triple DES is also a symmetric key algorithm where

36
00:03:31,210 --> 00:03:38,500
the sender uses Triple DES and the receiver uses Triple DES, and they have the same set of keys.

37
00:03:38,560 --> 00:03:41,090
In this case there are three keys.

38
00:03:41,530 --> 00:03:49,360
The way Triple DES works is that it takes data and encrypts it with key one; that encrypted text is then

39
00:03:49,360 --> 00:03:53,290
decrypted with a different key, key two.

40
00:03:53,980 --> 00:03:57,010
And then it's encrypted with a third key.

41
00:03:57,010 --> 00:03:59,240
In this case key three.

42
00:03:59,470 --> 00:04:06,520
So the data is encrypted then decrypted and then encrypted but with different keys.

43
00:04:06,790 --> 00:04:09,820
Now if key one and key three are the same,

44
00:04:10,060 --> 00:04:15,900
this would result in a 112-bit key length. If key one and key three are not the same,

45
00:04:15,970 --> 00:04:24,500
it would result in a 168-bit key length. As you can see, the key length is greater than DES, which was 56

46
00:04:24,500 --> 00:04:25,780
bits in length.

47
00:04:26,240 --> 00:04:31,160
Please note at CCNA level it's not expected that you understand the details of all these algorithms,

48
00:04:31,730 --> 00:04:38,210
but I mention them here because I find it's easier to understand how VPNs work if you have a bit

49
00:04:38,210 --> 00:04:47,880
of knowledge of how the algorithms function. AES or Advanced Encryption Standard is the recommended symmetric

50
00:04:47,880 --> 00:04:56,950
key algorithm to use today in corporate environments. Once again the sender and the receiver use the

51
00:04:56,950 --> 00:05:04,600
same algorithm as well as the same key, as this is a symmetric key algorithm. AES comes in different

52
00:05:04,600 --> 00:05:05,540
variants.

53
00:05:05,590 --> 00:05:13,510
AES 128-bit, AES 192-bit and AES 256-bit. AES was announced

54
00:05:13,960 --> 00:05:20,680
in 2001 and became a federal government standard in May of 2002.

55
00:05:21,160 --> 00:05:29,780
It was approved by the NSA for top secret information. It once again is the recommended algorithm for

56
00:05:29,780 --> 00:05:33,250
VPNs in today's corporate environment.

57
00:05:33,290 --> 00:05:36,900
The details of these three algorithms are available on the internet.

58
00:05:36,920 --> 00:05:42,380
Have a look at Wikipedia and other sources for more detailed information on how the algorithms work,

59
00:05:43,010 --> 00:05:50,120
but for now just have an appreciation that DES, Triple DES and AES are symmetric key algorithms that can

60
00:05:50,120 --> 00:05:53,540
be used for both encryption and decryption of data.

61
00:05:54,480 --> 00:06:00,810
Now an asymmetric key algorithm uses a different key to encrypt and decrypt.

62
00:06:00,830 --> 00:06:06,650
So for instance the sender would be using an asymmetric algorithm like RSA.

63
00:06:06,830 --> 00:06:10,350
The receiver would be using an algorithm like RSA.

64
00:06:10,600 --> 00:06:16,540
But please notice different keys are used to encrypt and decrypt the data.

65
00:06:18,150 --> 00:06:19,570
Asymmetric key algorithms

66
00:06:19,620 --> 00:06:26,250
solve many of the longstanding problems with symmetric key algorithms, like how do you exchange the secret

67
00:06:26,250 --> 00:06:30,480
keys in the first place with a symmetric key algorithm?

68
00:06:30,480 --> 00:06:38,010
For instance, how do we send the shared secret key to each other without it being intercepted?

69
00:06:38,950 --> 00:06:45,820
When using a symmetric key algorithm, once again, without a secure channel there is no way to establish

70
00:06:45,820 --> 00:06:47,850
a secure channel.

71
00:06:47,910 --> 00:06:54,300
I need to securely tell you, for instance, what the shared key is in a symmetric algorithm, but we both

72
00:06:54,300 --> 00:07:00,460
need to know what the shared secret key is to establish a secure channel to be able to securely send

73
00:07:00,460 --> 00:07:01,910
the key to one another.

74
00:07:02,050 --> 00:07:05,250
But we can't set up the channel because we don't have a key yet.

75
00:07:05,340 --> 00:07:08,430
That means we have to tell each other what the key is out of band,

76
00:07:08,670 --> 00:07:14,700
like by phoning one another. Asymmetric key algorithms allow us to solve this problem because different

77
00:07:14,700 --> 00:07:19,040
keys are used for encryption versus decryption.

78
00:07:19,050 --> 00:07:25,440
Also note asymmetric key algorithms have key lengths far greater than symmetric key algorithms.

79
00:07:25,680 --> 00:07:29,480
The key lengths vary from 512 bytes to 2048.

80
00:07:29,490 --> 00:07:35,400
A lot of this information is out of the scope of the course, but it's worth knowing so that you

81
00:07:35,400 --> 00:07:40,380
can understand how VPNs work. With an asymmetric key algorithm,

82
00:07:40,680 --> 00:07:44,070
you first generate what's called a private key.

83
00:07:44,070 --> 00:07:49,240
Now the word private means that you don't tell anyone else what your key is.

84
00:07:49,260 --> 00:07:53,180
In other words a private key is kept to oneself.

85
00:07:53,610 --> 00:08:01,680
No one else gets told what your private key is. A public key is derived from a private key.

86
00:08:02,670 --> 00:08:07,410
So firstly a device like a router will generate a private key.

87
00:08:07,480 --> 00:08:16,380
It will then generate a public key from its private key. Please note a private key cannot be generated

88
00:08:16,380 --> 00:08:18,220
from a public key.

89
00:08:18,220 --> 00:08:22,830
A public key can only be generated from a private key.

90
00:08:22,830 --> 00:08:28,380
Now this is not a math course, so we're not going to get into the mathematics of how public and private keys

91
00:08:28,380 --> 00:08:30,410
are derived.

92
00:08:30,570 --> 00:08:36,100
We as network engineers just need to have an appreciation of how they work and then how to configure

93
00:08:36,100 --> 00:08:38,600
them in networking environments.

94
00:08:39,520 --> 00:08:43,530
So to sum up you create a private key which you keep to yourself.

95
00:08:43,780 --> 00:08:50,810
You then generate a public key from your private key. Your public key is then shared with the world.

96
00:08:52,280 --> 00:08:59,930
Now something encrypted with your private key can only be decrypted by your public key and something

97
00:08:59,930 --> 00:09:05,430
encrypted with your public key can only be decrypted with your private key.

98
00:09:05,430 --> 00:09:12,180
So for instance, if A on the left wants to send something to B on the right, the way it works is as follows:

99
00:09:12,840 --> 00:09:23,310
B generates a private key. A public key is then generated from B's private key. B then shares his public

100
00:09:23,310 --> 00:09:34,560
key with A. When A wants to send something to B, A encrypts the data with B's public key, which A now knows.

101
00:09:35,430 --> 00:09:42,620
The only key that can decrypt something encrypted with the public key is B's private key.

102
00:09:42,810 --> 00:09:46,560
And B is the only person that has B's private key.

103
00:09:46,970 --> 00:09:53,140
So A encrypts the data with B's public key and sends it to B.

104
00:09:53,430 --> 00:09:59,340
B is the only device or person with B's private key.

105
00:09:59,400 --> 00:10:04,300
So only B can decrypt the information. This can get really confusing.

106
00:10:04,300 --> 00:10:12,560
So let me say it again: if I want to send something to you that only you can decrypt, I would encrypt

107
00:10:12,560 --> 00:10:20,910
the data with your public key. If you want to send something to me that only I can decrypt,

108
00:10:21,250 --> 00:10:28,450
you would encrypt that data with my public key, because only my private key would be able to decrypt

109
00:10:28,450 --> 00:10:31,460
something encrypted with my public key.

110
00:10:33,990 --> 00:10:41,800
Now how does this apply to VPNs? Well, in 1976 two gentlemen, Diffie and Hellman, discovered a way out

111
00:10:41,800 --> 00:10:44,320
of the secure channel dilemma.

112
00:10:44,320 --> 00:10:49,990
In other words, the issue we had with the transmission of a shared secret across an insecure medium can

113
00:10:49,990 --> 00:10:52,760
be solved by using Diffie Hellman.

114
00:10:52,840 --> 00:10:57,870
They found out that by using a different key, certain one-way functions could be undone.

115
00:10:58,360 --> 00:11:04,030
The solution, called public key cryptography, takes advantage of a characteristic of prime and almost

116
00:11:04,060 --> 00:11:05,390
prime numbers.

117
00:11:05,530 --> 00:11:13,150
Specifically, how hard it is to find the two factors of a large number that has only two factors, both

118
00:11:13,150 --> 00:11:14,760
of which are prime.

119
00:11:14,770 --> 00:11:21,190
This uses things like quadratic residues, and if you're a mathematician that will have no meaning, I'm

120
00:11:21,190 --> 00:11:28,190
sure. Now once again we as network engineers do not need to understand the math behind all of these algorithms.

121
00:11:28,450 --> 00:11:33,030
We just have to know when to apply the algorithms in production environments.

122
00:11:33,340 --> 00:11:42,520
So just understand that Diffie Hellman discovered a way to securely create a secure channel to exchange

123
00:11:43,240 --> 00:11:51,040
a shared secret key, which is required by algorithms like AES, Triple DES and DES, across an insecure medium

124
00:11:51,490 --> 00:11:58,490
like the Internet securely, so that no hacker can find out what the shared secret is.

125
00:11:58,670 --> 00:12:02,910
In brief, the way Diffie Hellman works is as follows.

126
00:12:03,080 --> 00:12:03,860
The peers,

127
00:12:03,890 --> 00:12:12,440
in other words the two devices involved in a VPN, can each generate a shared secret key based on the

128
00:12:12,530 --> 00:12:17,160
other peer's public value and their own secret.

129
00:12:17,180 --> 00:12:24,020
In other words, if you and I are going to set up a VPN and we need to create a shared secret key between

130
00:12:24,020 --> 00:12:31,460
us, by using complicated mathematics we can create a shared secret securely without other people being

131
00:12:31,460 --> 00:12:33,790
able to work out what that key is.

132
00:12:34,130 --> 00:12:38,350
You need at least one secret value to perform this function or calculation.

133
00:12:38,420 --> 00:12:43,310
Remember secret or private keys are not exchanged with other people.

134
00:12:43,700 --> 00:12:51,170
So the attacker has no secret values and needs to perform a discrete logarithm of a public value, which

135
00:12:51,200 --> 00:12:53,510
is computationally infeasible.

136
00:12:53,510 --> 00:12:57,350
In other words in theory impossible.

137
00:12:57,390 --> 00:13:05,700
So for example, take data that we want to send securely using an algorithm like AES.

138
00:13:05,980 --> 00:13:13,080
AES, being a symmetric key algorithm, requires that the same key be used for encryption and decryption.

139
00:13:13,330 --> 00:13:21,400
We want to be able to work out a shared secret key between the sender and receiver securely across an

140
00:13:21,430 --> 00:13:27,190
insecure medium, with all kinds of undesirables trying to sniff the network and work out what the password

141
00:13:27,190 --> 00:13:28,280
is.

142
00:13:28,350 --> 00:13:35,500
So both peers need to establish a shared key securely, and Diffie Hellman gives us the ability to do

143
00:13:35,500 --> 00:13:37,010
this.

144
00:13:37,110 --> 00:13:43,450
So by using public key cryptography, in other words private and public keys, we can work out a shared

145
00:13:43,450 --> 00:13:48,620
secret securely without others being able to see it.

146
00:13:48,630 --> 00:13:55,400
So when two people want to set up a VPN they use Diffie Hellman to work out a shared key.

147
00:13:55,410 --> 00:14:01,590
The reason why we need that shared key is that symmetric key algorithms like AES require that the same key be

148
00:14:01,590 --> 00:14:03,050
used on both sides.

149
00:14:03,120 --> 00:14:08,820
And the reason why we use AES is because it's good for bulk encryption.

150
00:14:08,820 --> 00:14:15,150
Once the Diffie Hellman key exchange has taken place, we can create a shared secret for AES and

151
00:14:15,150 --> 00:14:16,040
DES.

152
00:14:16,070 --> 00:14:22,890
And the shared key can be used for bulk encryption of data, which can be sent across the insecure Internet

153
00:14:23,160 --> 00:14:28,070
securely and only decrypted by the receiving party.
