Making TCP/IP Secure

We have spent a lot of episodes going through a lot of stuff to make our networks
and by doing that we're making networks we've got web servers running and people
are transferring files to each other and domains are being named and life is good
except for one big thing.

There's no real security here.

So what I want to do is warn you that we're about to start this big process of
taking everything we've learned and making it secure and sure we've covered a
little bit of security here and there.

But what I want you to do right now and for the next few episodes is I want you to
put on your security hat and start thinking about how do we lock this down.

How do we protect this.

How do we keep people from the evils of the Internet and how do we keep our nice
Internet from the evils of our people.

So one of the things we do is we have certain philosophies when we talk about

security.

And one of them is the famous CIA of security CIA stands for confidentiality
integrity and availability.

As we begin to take what is basically was invented as a very insecure thing TCP/IP
and make it secure we keep chanting confidentiality integrity and availability.

So let's talk about this for a minute.

First of all when I say confidentiality I want to keep stuff confidential.

Now there's a lot of different ways to do that.

But one of the big ways that we're going to cover in the next few episodes is the
concept of encryption.

How do we take unencrypted data that's flying through the Internet and encrypted so
that nobody can see it.

But the folks we want to see it.

So we're going to be covering all kinds of interesting stuff like different kinds
of encryptions and all that stuff it's a lot of fun.

And I think you're going to enjoy those episodes.

But then after that is integrity just because something is encrypted.

Do I know it came from Mike Meyers popular author if that file was being
transferred and somebody messed it up midstream.

So there's a whole lot of stuff that has to do with integrity.

Integrity means is this good in the way that it should be good.

We use the word non repudiation a lot here.

Basically it says if somebody is handing me something I have no doubt that that's
the person who handed it to me.

So we're going to be going into a lot of integrity tools.

You're going to hear about things like certificates and hashes and stuff like that
that are important for us to deal with.

The CIA of security last is availability Now one of the most dangerous things you
can do is if you put enough locks on the door you can make it so hard to unlock the
door that you're not going to use the door.

So a big issue for us for security is to make sure that we balance the
confidentiality and integrity tools in a way that we can use it.

Also security when we talk about availability is is this thing ready to use.

Is it out there when we need it.

Is it ready to go.

So we're going to be talking about things like high availability and stuff like
that that say this network device this server this whatever it might be is out
there and ready to go.

Also availability would cover something as simple as a backup.

If we lose it do we have a backup available so we can get our data back a big chunk
that deals with the CIA and a lot of people add this to the end of CIA are two
things called authorization and authentication.

Now authentication is the concept of giving someone the right to access something.

So for example a username and password or smart card or something something that
gives you a key to unlock the door to get into a system whatever that system might
be.

And then along with at is something called authorization authorization means OK now
that you're in.

What do you get to do.

So file accesses time of day all of these things kind of come into play.

So what I need you to do starting right now and for the next number of episodes I
need you to be thinking about security.

Keep in mind the idea of CIA and don't forget that also authentication and
authorization come into play just as well.

So get ready and let's get secure.

Security can be broken into three areas:

Confidentiality, integrity and availability

Confidentiality can be addressed through encryption

Confidentiality and integrity must be balanced with availability

Symmetric Encryption

I don't think you'd meet too many people out there any more who don't appreciate
that sometimes data needs to be encrypted.

Now we do encryption all over the place in the computer world everywhere from
encrypting hard drives to encrypting e-mail to encrypting video there's a lot of
kinds of encryption going on.

Now what I want to do at this point in the game is make sure we understand what
encryption really means.

So to do this let's go ahead and start off with a string of text.

So how about I don't know I love Mike Meyers network.

Plus how does that work.

Now what we're going to do here is we're going to encrypt this text now to encrypt
it.

I'm going to start off with an oldie Goldie and anybody who's ever messed with a
secret decoder ring knows about this Caesar cipher.

We're basically we just take a ring and there's the alphabet on one side the
alphabet the other and we turn it and then that increments each value.

So what I'm going to do for starters here is I'm going to increment each position
in the alphabet for each letter by three.

So if we do that all of a sudden I love Mike Meyers network plus turns into
something that looks something like this.

loryhplnhphbhuvqhwzrunsoxv

Now this is certainly encrypted but the problem with an encryption like this is
that anybody who buys crossword puzzle books for a living could probably hack this
in about 12 seconds.

So one of the cool things we have is that when we're working with the computer we
have the ability to really make very very complicated algorithms.

That's the process that stirs up the values.

So one of the things all of these algorithms have in common is something called a
key.

So let's go and put this back to the what we call the plaintext or clear text.

And when I'm going to do this time is I'm going to pick an arbitrary value which
we're going to call the key in this particular example.

I want to use the number 3 2 1 6 7 5 9 4.

So really what we're doing here is we're Creating Mike's algorithm for encryption.

So I'm going to say that the key always has to be eight characters and it has to be
a number between 0 and 9.

OK.

Now what we're going to do is we're going to take that key and we're going to keep
repeating it underneath the clear text.

So we just keep putting it in and keep putting it in.

If it doesn't quite fit on the end who cares.

ilovemikemeyersnetworkplus
32167594321675943216759432

So now we've got our clear text and directly underneath that we have the key that's
being repeated until it covers all of the clear text.

So now I want to still use the Caesar cipher but instead of incrementing everybody
by one common value we use the value of the key.

Now by doing that we get a much more encrypted value that looks something like
this.

ilovemikemeyersnetworkplus
32167594321675943216759432
lnpblrrohofelwbrhvxuypqpxu

Now I'm not saying this isn't hackable it is but it's going to be a lot harder to
hack than that simple Caesar cipher we just saw.

So the algorithm is fantastic.

Now the important thing to appreciate is that in order for someone to be able to
encrypt it we need two things.

We're going to need an algorithm and we're going to need a key value.

So to help you understand the process I brought in an algorithm machine.

So the secret to the algorithm machine is basically this.

We start off with a piece of clear text.

Now keep in mind this clear text could be anything it doesn't even really have to
be text we just use the term clear text but this could be a phone conversation.

This could be a Microsoft Word document.

It could be a web page.

I don't care what it is.

The important thing is that it's in the clear and based on whatever application
we're using it's legible and we can understand it.

So the idea is that in order to encrypt something we have to generate a key we put
the key into the algorithm we run the clear text through the algorithm but it's
done and then we get ciphertext.
So all algorithms work this way.

You're going to have clear text ciphertext some form of algorithm and a key.

Now there's a couple of things you need to appreciate here.

In this particular example we're using what's known as symmetric encryption.

So basically you take the exact same key you put it in the left it running and then
you take your ciphertext you run it through the same algorithm with the same key
and you get clear text.

This is important because if I'm going to send you encrypted text I can assume that
you have the right algorithm box but without the right key you're not going to be
able to decrypt this particular value.

So that's one challenge.

Whenever we send symmetrically encrypted data you always have to have a key with it
symmetric decryption is extremely common.

For example anybody who uses wireless networks you're using either r4 or 8cs
encryption.

You're not doing it but your wireless is doing this for you automatically.

And they take care of all of this for you and it's done.

It is an automatic process.

So remember what we're talking about encryption.

You're going to have clear text ciphertext some form of algorithm and a key.

Cleartext is any unencrypted data

Algorithms use keys to encrypt cleartext into ciphertext

An algorithm that usese the same key to encrypt and decrypt is symmetric encryption

Asymmetric Encryption

One of the big problems with symmetric encryption is that in order for somebody to
decrypt your encrypted data they have to have a copy of the key.

So in a symmetric encryption environment keys are passed around through whatever

the internet the wireless whatever it might be and that can cause potential
problems.

Because if somebody can get their hands on the key and the encrypted text Well they
can pretty much hack it.

So three guys a longtime ago called Rivest Shamir and Edelman created a new
methodology for encryption that they called asymmetric encryption.

Now asymmetric encryption is very very interesting.

And in order for me to show you how it works I'm going to have to enlist some help
from my buddy Mike Jones who Mike Jones.
Ok not the rapper but why not.

He's from Houston.

The big difference between asymmetric and symmetric encryption is that with
asymmetric encryption you don't have one key.

You've got two.

So you have what's called a public key and then you have what's called a private
key.

Now this is kind of cool because public you'll be blue here if you have a public
key and you put it into your algorithm.

The only thing this guy could do the moment that public key is in there is encrypt.

That's it.

Equally if I put in a private key

the only thing this guy can do is decrypt.

Now if you think about this for a minute it's actually pretty cool because what can
take place is I can generate a public and a private key and we actually have
something built in the algorithm that generates these keys.

And what I do is I will send my public key to my JONES Now that I've got Mike Myers
public key.

I'm going to go ahead and send him my public key.

So this process of exchanging keys is known as a data key exchange with a key
exchange.

Either of us can encrypt data and then the encrypted data is sent over the wire.

And then we use our private keys to decrypt the data.

The nice thing about asymmetric encryption is that we don't worry about keys too
much in particular.

Nobody can really do much with a public key other than encrypt something and if
they don't send it to the right person who has the right private key they're not
really going to be able to do too much.

We do tend to protect our private keys and we'll lock them down in some form of
encrypted folders something like that on our hard drives.

And also we tend to have a lot of public keys that we get from a bunch of people so
if I ever want to send Mike Jones any more encrypted stuff I need to keep his
public key around as well as a bunch of other folks.

And those tend to be stored in some kind of local storage or sometimes an online
storage for public keys at least where we can access them easily.

The important thing to remember about public keys is that you're always going to
have a key pair the public key encrypts and the private key decrypts.
Asymmetric encryption uses a public key and a private key

Public keys encrypt, private keys decrypt

For two people to communicate, they must exchange public keys