I'm starting to prepare for the CCNA Security exam. While reviewing a PDF document of the presentation on this certification from this year Cisco Live conference, the following was said on page 19:
1.) A private key is a key which is known to the person (or system) that owns it.
2.) Public key is known to everyone, but still belongs to a unique individual.
3.) Data encrypted by the public key can only be decrypted by the private key. (Provides confidentiality)
4. Data encrypted by the private key can only get decrypted using the public key. (Provides authenticity)
Ok, lets take a web application that is secured via SSL with a certificate issue by a trusted root provider. Any data encrypted by the client using the public key is pretty safe, because the web server should be the only system with the private key. Lets assume that confidential information is being displayed on the client's browser. This was encrypted by the private key, and theoretically, could be decrypted by anyone if they intercepted the public key being sent to the client. Is this correct?
My concern would be that if someone, lets says, hacked one of our client's wireless network, they could get copies of all of the data being sent from the web application we host to the client, and decrypt that information pretty easily, being able to see the HTML code and any sensitive information that it contains.
This situation is not a MITM attack, but someone just easedropping. Is the only way to 100% protect that traffic is to have mutual authentication using certificates on each side?
Data is generally not encrypted using public/private keys because it is too computationally expensive. The public and private keys are used to encrypt and securely exhange a symmetric key which is then used for encrypting and decrypting the data.
When a user logs onto an SSL site they receive the public key of the website. They (as in their browser) then generates a symmetric key and encrypts this key with the public key of the website. When the website receives this it can then decrypt the symmetric key with it's private key because the symmetric key was encrypted with it's public key.
Now both parties have a secure symmetric key which they can use to encrypt and decrypt the data. So if a person could get hold of the encrypted data in transport they could not decrypt it because they don't have the symmetric key.
The real weakness of a public/private key system is that at some level there must be an acceptance of trust. So Certificate Authorities such as Verisign certify other companies certificates but who certifies Verisign ? And that is where there must be some level of trust ie. we all trust Verisign.
Yes a random key is generated for each SSL session with a particular website.
Note that the public/private keys are still used to authenticate which website you are connecting to be. This is done before the symmetric key generation. It can be either just website authentication or website and client authentication.
Thanks. That makes perfect sense that the client is responsible for generating the symmetric key. Unless someone has a copy of the web server's private key, they should not be able to gain access to the shared key.
This is probably out-of-scope for the CCNA Security, but we are in the middle of deploying a web based application, which will have access to sensitve information, and I wanted to make certain that this information is safe.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :