Cryptography is the science of transforming readable messages into an unintelligible form and the later reversal of that process. The application is to send the transformed, unreadable message over an untrusted channel. In the data world, this untrusted channel very often is a public network, such as the Internet.
Cryptography provides four services:
All these services are based on encryption and authentication methods. However, for different applications, different kinds of encryption and authentication techniques are used. Figure 24-1 illustrates examples of the four services.
Figure 24-1. Services of Cryptography
These scenarios are possible:
It might appear that the authenticity service and the nonrepudiation service fulfill the same function. Both address the question of the proven identity of the sender, but there is a small difference between them that is sometimes quite important. When only the receiver needs to be sure about the authenticity of the source, the method and the means used to achieve the proof of authenticity can be available to both the sender and the receiver. Because the receiver knows that he or she was not the source, it does not matter that the sender and the receiver both know how to treat a message to provide authenticity of the source.
If, however, the receiver has to prove to others who the sender was, it is not acceptable for the receiver to know how the sender treated the message to prove authenticity, because the receiver could then have pretended to be the sender.
An example of authenticity versus nonrepudiation is data exchange between two computers of the same company versus data exchange between a customer and a web shop. When the two computers do not have to prove to others which of them sent a message, but just need to make sure that whatever one received was sent by the other, the two computers can share the same way of transforming their messages. This practice is not acceptable in business applications such as a web shop. If the web shop knows how a customer transforms messages to prove the authenticity of the source, the web shop could easily fake "authentic" orders. Therefore, in such a scenario, the sender must be the only party that knows how to transform messages. Then the web shop can prove to others that the order must have been sent by the customer. The customer cannot argue that the order was faked by the web shop, because the web shop does not know how to transform the customer's messages to make them authentic.
Authentication and Encryption
Authentication functions are used to provide authenticity, integrity, and nonrepudiation. To achieve this, the sender adds (appends) verification data to the actual data. The authenticated data can be information about the sender (such as its identity) or the actual information that is to be passed from the sender to the receiver. The receiver checks the verification data added by the sender and, if the check succeeds, can confirm authenticity.
There are various ways to create the verification data; the most common are Hash-based Message Authentication Codes (HMACs) and digital signatures.
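The web shop scenario above, worked through with the two verification-data methods just named, as an added example that is not part of the original chapter. It uses Go's standard library (HMAC-SHA256 and Ed25519 signatures); the order text is constructed and the keys are generated at run time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample messages: the customer's real order and one the customer never sent.
const order = "order: 2 x widget, ship to customer"
const fakeOrder = "order: 99 x widget, ship to customer"

// hmacTag computes the HMAC-SHA256 verification data the sender appends to a message.
func hmacTag(key []byte, msg string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return m.Sum(nil)
}

// hmacVerify is the receiver's check; it requires the same shared key the sender used.
func hmacVerify(key []byte, msg string, tag []byte) bool {
	return hmac.Equal(hmacTag(key, msg), tag)
}

// SharedKeyDemo returns (genuineOK, shopMadeOK). With a shared key the web shop can
// verify the customer's order, but it can also build a tag for an order the customer
// never sent, and that tag verifies too: authenticity, but no nonrepudiation.
func SharedKeyDemo() (bool, bool) {
	shared := make([]byte, 32)
	rand.Read(shared)                                          // key known to both parties
	genuine := hmacVerify(shared, order, hmacTag(shared, order)) // customer tags, shop checks
	shopMade := hmacVerify(shared, fakeOrder, hmacTag(shared, fakeOrder))
	return genuine, shopMade
}

// SignatureDemo returns (genuineOK, shopMadeOK). Only the customer holds the private
// key; the shop verifies with the public key but any signature it produces with its
// own key fails verification under the customer's public key: nonrepudiation.
func SignatureDemo() (bool, bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // customer's key pair
	genuine := ed25519.Verify(pub, []byte(order), ed25519.Sign(priv, []byte(order)))
	_, shopPriv, _ := ed25519.GenerateKey(rand.Reader) // shop has no customer private key
	shopMade := ed25519.Verify(pub, []byte(fakeOrder), ed25519.Sign(shopPriv, []byte(fakeOrder)))
	return genuine, shopMade
}

func main() {
	g, s := SharedKeyDemo()
	fmt.Println("HMAC: genuine verifies:", g, "shop-made verifies:", s)
	g, s = SignatureDemo()
	fmt.Println("Signature: genuine verifies:", g, "shop-made verifies:", s)
}
```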
Confidentiality functions are provided by encryption. More precisely, the transformation of cleartext to ciphertext is called encryption, whereas the transformation of the ciphertext back to the original cleartext is called decryption.
Encryption utilizes an encryption algorithm and keys. If the key that is used to encrypt the data and the key that is used to decrypt the data are the same, the encryption algorithm is considered symmetric (with symmetric keys). If the encryption and decryption keys are different, the encryption algorithm is asymmetric (with asymmetric keys).
Although the encryption algorithms are usually well-known, the keys that are used for the encryption have to be secret. Symmetric keys have to be known by both endpoints that want to use a symmetric encryption algorithm for their data exchange. With asymmetric encryption, the sender needs to know only the encryption key, whereas the receiver needs to know only the decryption key.
Desirable features of an encryption algorithm are as follows: