• Switch is a Layer 2 network device, it forward frames based on the destination MAC address.
• MAC Address table: When switch receives frame from new source MAC address, it creates an entry in its MAC address table or content addressable memory (CAM) table. This entry is the receiving port and the source MAC address of the frame.
• Flooding: when switch forward a frame, it will check its CAM table for the destination MAC address. If there is an entry for the destination MAC, it forwards to that port, otherwise it forwards to all ports, except the port the frame was originally received from, this is called flooding.
• Switching Loops and Broadcast storm: in muti-linked networks, redundent links can form a loop, called switching loop. A frame with new source MAC address can tranverse a switching loop and gets repeatly broadcasted, which is called broadcast storm. To prevent broadcast storm, STP protocal is used.

There are 3 main switch transmission methods:

• Store-and-Forward: stores a receiving frame in memory and runs CRC check, and only forward frame if CRC passes.
• Cut-Trough: only looks at enough of the frame for destination and forward.
• Fragment-Free: checks the first 64 tytes of a frame before forwarding, because most of the collision happened in the first 64 bypes.

Common Hashing Algorithms include, Message Digest 5 (MD5), Secure Hash Algorithm (SHA).

Message Digest 5 (MD5) is a widely used cryptographic hash function that produces a 128-bit (16-byte) hash value. Specified in RFC 1321, MD5 has been employed in a wide variety of security applications, and is also commonly used to check data integrity. However, it has been shown that MD5 is not collision resistant. cryptographers began recommending the use of other algorithms, such as SHA-1 (which has since been found also to be vulnerable). most U.S. government applications now require the SHA-2 family of hash functions.

MD5 processes a variable-length message into a fixed-length output of 128 bits.

Firstly, the input message is broken up into chunks of 512-bit blocks; the message is padded so that its length is divisible by 512.

Secondly, a 128-bit state, divided into four 32-bit words, denoted A, B, C and D, are initialized to certain fixed constants.

The main algorithm then operates on each 512-bit message block in turn, each block modifying the state. The processing of a message block consists of four similar stages, termed rounds; each round is composed of 16 similar operations based on a non-linear function F, modular addition, and left rotation. Figure 1 illustrates one operation within a round.

Figure 1. one round of MD5 operation. M_i denotes a 32-bit block of the message input, and K_i denotes a 32-bit constant, different for each operation. _s denotes a left bit rotation by s places; s varies for each operation. denotes addition modulo 2³²

There are four possible functions F; a different one is used in each round:

denote the XOR, AND, OR and NOT operations respectively.

Secure Hash Algorithm (SHA): The three SHA algorithms are structured differently and are distinguished as SHA-0, SHA-1, and SHA-2. SHA-1 is very similar to SHA-0, but corrects an error in the original SHA hash specification that led to significant weaknesses. The SHA-0 algorithm was not adopted by many applications. SHA-2 on the other hand significantly differs from the SHA-1 hash function.

SHA-1  processes a variable-length message into a fixed-length output of 160 bits, the process is similar to MD5.

Firstly, the input message is broken up into chunks of 512-bit blocks; the message is padded so that its length is divisible by 512.

Secondly, a 160-bit state, divided into five 32-bit words, denoted A, B, C, D and E, are initialized to certain fixed constants.

The main algorithm then operates on each 512-bit message block in turn, each block modifying the state. The processing of a message block consists of five similar stages, termed rounds; each round is composed of 16 similar operations based on a non-linear function F, modular addition, and left rotation. Figure 2 illustrates one operation within a round.

Figure 2. one round of SHA-1 operation. F is a nonlinear function that varies; _n denotes a left bit rotation by n places; n varies for each operation; W_t is the expanded message word of round t; K_t is the round constant of round t; denotes addition modulo 2³²

SHA-2 is a set of cryptographic hash functions (SHA-224, SHA-256, SHA-384, SHA-512) designed by the National Security Agency (NSA) and published in 2001 by the NIST as a U.S. Federal Information Processing Standard. SHA-2 includes a significant number of changes from its predecessor, SHA-1. SHA-2 consists of a set of four hash functions with digests that are 224, 256, 384 or 512 bits.

SHA-256 and SHA-512 are novel hash functions computed with 32- and 64-bit words, respectively. They use different shift amounts and additive constants, but their structures are otherwise virtually identical, differing only in the number of rounds. SHA-224 and SHA-384 are simply truncated versions of the first two, computed with different initial values.

At this point, we should already understood how MD5, SHA1 works, so I will paste the the processing diagram of SHA2 here without explainations.

Figure 3. One iteration in a SHA-2 family compression function. The blue components perform the following operations:

The bitwise rotation uses different constants for SHA-512. The given numbers are for SHA-256. The red is an addition modulo 2³²

The Blog-Health-o-Meter™ reads Wow.

Crunchy numbers

About 3 million people visit the Taj Mahal every year. This blog was viewed about 53,000 times in 2010. If it were the Taj Mahal, it would take about 6 days for that many people to see it.

In 2010, there were 65 new posts, growing the total archive of this blog to 289 posts. There were 7 pictures uploaded, taking up a total of 142kb.

The busiest day of the year was December 24th with 581 views. The most popular post that day was Answers for IInterconnecting Cisco Networking Devices (ICND) Practice Questions – Module 5.

Where did they come from?

The top referring sites in 2010 were en.wordpress.com, google.com, techtutorials.net, google.co.in, and search.conduit.com.

Some visitors came searching, mostly for network topologies, icnd1 breakdown, ethernet standards chart, icnd2, and csma cd vs csma ca.

Attractions in 2010

These are the posts and pages that got the most views in 2010.

Answers for IInterconnecting Cisco Networking Devices (ICND) Practice Questions – Module 5 August 2009
2 comments

ICND1 and ICND2 break down June 2009
3 comments

Answers for Interconnecting Cisco Networking Devices (ICND) Practice Questions – Module 2 August 2009
1 comment

ICND1 break down — Network Topologies June 2009

Answers for Interconnecting Cisco Networking Devices (ICND) Practice Questions-Module 4 August 2009

Because symmetric key algorithms are nearly always much less computationally intensive, it is common to exchange a key using a key-exchange algorithm and transmit data using that key and a symmetric key algorithm.

Popular asymmetric encryption algorithms are RSA, Diffie-Hellman, ElGamal, and ECC.

• RSA
• Diffie-Hellman
• ElGamal
• ECC

Symmetric-key algorithms can be divided into stream ciphers and block ciphers. Stream ciphers encrypt the bits of the message one at a time, and block ciphers take a number of bits and encrypt them as a single unit.

Some examples of symmetric algorithms include DES, Twofish, Serpent, AES (Rijndael), Blowfish, CAST5, RC4, TDES, and IDEA.

• For decades, DES (Data Encryption Standard) was the standard block cipher. It maps 64-bit blocks of plaintext into 64-bit blocks of ciphertext using a series of permutations and substitutions. An exclusive-OR is performed on the result with the input, and this sequence is repeated 16 times, using a different ordering of the key bits each time. The key length is, in effect, 56 bits. DES is
• Over the years, DES was found to be vulnerable, and a stronger variant, called triple-DES, or 3DES, was recommended. Triple DES (3DES ) is a variant of DES. Instead of the single key that DES uses, triple DES uses a “key bundle” which comprises three DES keys, K₁, K₂ and K₃, each of 56 bits. The encryption algorithm is:  ciphertext = E_K3(D_K2(E_K1(plaintext))) I.e., DES encrypt with K₁, DES decrypt with K₂, then DES encrypt with K₃. Decryption is the reverse: plaintext = D_K1(E_K2(D_K3(ciphertext))) I.e., decrypt with K₃, encrypt with K₂, then decrypt with K₁. Each triple encryption encrypts one block of 64 bits of data.

It is easy to see how key complexity affects an algorithm when you look at some of the encryption algorithms that have been broken. The Data Encryption Standard (DES) uses a 56-bit key, allowing 72,000,000,000,000,000 possible values, but it has been broken by modern computers. The Triple DES (3DES) uses a 128-bit key, or 340,000,000,000,000,000,000,000,000,000,000,000,000 possible values. You can see the difference in the possible values, and why 128 bits is generally accepted as the minimum required to protect sensitive information.

Because of the advancement of technology and the progress being made in quickly retrieving DES keys, NIST put out a request for proposals for a new Advanced Encryption Standard (AES). It called for a block cipher using symmetric key cryptography and supporting key sizes of 128, 192, and 256 bits. After evaluation, the NIST had five finalists: MARS, RC6, Rijndael, Serpent, Twofish.

In the fall of 2000, NIST picked Rijndael to be the new AES. It was chosen for its overall security as well as its good performance on limited capacity devices.

AES has a fixed block size of 128 bits and a key size of 128, 192, or 256 bits, whereas Rijndael can be specified with block and key sizes in any multiple of 32 bits, with a minimum of 128 bits. The blocksize has a maximum of 256 bits, but the keysize has no theoretical maximum.

AES operates on a 4×4 array of bytes, termed the state (versions of Rijndael with a larger block size have additional columns in the state). Most AES calculations are done in a special finite field.

The AES cipher is specified as a number of repetitions of transformation rounds that convert the input plaintext into the final output of ciphertext. Each round consists of several processing steps, including one that depends on the encryption key. A set of reverse rounds are applied to transform ciphertext back into the original plaintext using the same encryption key.

Here’s an easy to follow AES Rijndael tutorial. To merely pass the CompTIA Security+ test, you may only interested in the last video — the security aspect of AES. If you want to know details of the Rijndael algorithm, you’d better go over all the 5 videos.

• First step in the encryption process, SubBytes

• Steps of the encryption process, ShiftRows, MixColumns, and the AddRoundKey steps. Explain how the XOR logic gate works.

• Explain how the Round Key (a longer version of the original key) gets derived using the Key Schedule from the original, shorter key.

• Decryption process of AES

• Security aspects of AES

In cryptography, a cipher (or cypher) is an algorithm for performing encryption or decryption — a series of well-defined steps that can be followed as a procedure.

Historical pen and paper ciphers used in the past are sometimes known as classical ciphers. They include simple substitution ciphers and transposition ciphers. For example “GOOD DOG” can be encrypted as “PLLX XLP” where “L” substitutes for “O”, “P” for “G”, and “X” for “D” in the message. Transposition of the letters “GOOD DOG” can result in “DGOGDOO”.

Modern encryption methods can be divided by two criteria: by type of key used, and by type of input data.

By type of key used ciphers are divided into:

• symmetric key algorithms (Private-key cryptography), where the same key is used for encryption and decryption.
• asymmetric key algorithms (Public-key cryptography), where two different keys are used for encryption and decryption.

In a symmetric key algorithm (e.g., DES and AES), the sender and receiver must have a shared key set up in advance and kept secret from all other parties; the sender uses this key for encryption, and the receiver uses the same key for decryption. In an asymmetric key algorithm (e.g., RSA), there are two separate keys: a public key is published and enables any sender to perform encryption, while a private key is kept secret by the receiver and enables only him to perform correct decryption.

Type of input ciphers data can be distinguished into two types:

• block ciphers, which encrypt block of data of fixed size.

A block cipher consists of two paired algorithms, one for encryption, E, and the other for decryption, E⁻¹. Both algorithms accept two inputs: an input block of size n bits and a keyof size k bits, yielding an n-bit output block. For any one fixed key, decryption is the inverse function of encryption, so that

for any block M and key K. M is termed the plaintext and C the ciphertext.

For each key K, E_K is a permutation (a bijective mapping) over the set of input blocks. Each key selects one permutation from the possible set of 2ⁿ!.

The block size, n, is typically 64 or 128 bits, although some ciphers have a variable block size. One of several modes of operation is generally used along with a padding scheme to allow plaintexts of arbitrary lengths to be encrypted.

Most block ciphers are constructed by repeatedly applying a simpler function. This approach is known as iterated block cipher. Each iteration is termed around, and the repeated function is termed the round function; anywhere between 4 to 32 rounds are typical.

Usually, the round function R takes different round keys K_i as second input, which are derived from the original key:

where M₀ is the plaintext and M_r the ciphertext, with r being the round number.

Frequently, key whitening is used in addition to this. At the beginning and the end, the data is modified with key material (often with XOR, but simple arithmetic operations like adding and subtracting are also used).

Here is an example video of block cipher:

• stream ciphers, which encrypt continuous streams of data.

Block ciphers can be contrasted with stream ciphers — a block cipher operates on fixed-length groups of bits, called blocks, with an unvarying transformation; a stream cipher operates on individual digits one at a time, and the transformation varies during the encryption.

Stream ciphers can be viewed as approximating the action of a proven unbreakable cipher, the one-time pad (OTP), sometimes known as the Vernam cipher. A one-time pad uses a key stream of completely random digits. The keystream is combined with the plaintext digits one at a time to form the ciphertext. This system was proved to be secure by Claude Shannon in 1949. However, the keystream must be (at least) the same length as the plaintext, and generated completely at random. This makes the system very cumbersome to implement in practice, and as a result the one-time pad has not been widely used, except for the most critical applications.

A stream cipher makes use of a much smaller and more convenient key — 128 bits, for example. Based on this key, it generates a pseudorandom keystream which can be combined with the plaintext digits in a similar fashion to the one-time pad. However, this comes at a cost: because the keystream is now pseudorandom, and not truly random, the proof of security associated with the one-time pad no longer holds: it is quite possible for a stream cipher to be completely insecure.

Cryptography is the practice and study of hiding information, in order to achieve privacy, authentication, data integrity, and non-repudiation.

A message that is sent in its original form is called plaintext, even though these days it might not be text at all, but an image, for example. The secretly encoded message is called ciphertext, which is what results from the plaintext by applying an encryption algorithm, called a cipher. If the encryption is reversed, the process is called decryption.

• Symmetric Encryption

Applying a cipher typically requires one more piece of information – that is the key, which must be selected before applying a cipher to encrypt a message. If the same key is used to encrypt and decrypt a message, then we call the algorithm a symmetric encryption scheme. Sharing or distributing the key becomes a challenge. Imagine a group of people want to communicate, they have to create a secret key for each two persons, and the number of secrete keys grow exponentially as more people joins the communication.

• Asymmetric Encryption

It will be nice to have two keys, one key is used for encryption and another key is used for decryption. A message receiver can then made encryption key publicly available (public key), while hold the decrption key secret (private key). Everyone can then encrypt a plaintext with the public key and send the ciphertext to the message receiver through public network. Hackers who sniffed the ciphertext won’t be able to decrypt it, because only the intended receiver (private key holder) is able to decipher the message.  Such algorithms are called asymmetric encryption schemes. They are also known as Public Key Cryptography algorithms.

• Hash

A cryptographic hash function is a deterministic procedure that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that an accidental or intentional change to the data will change the hash value. The data to be encoded is often called the “message“, and the hash value is sometimes called the message digest or simply digest. Cryptographic hash functions have many information security applications, notably in digital signatures, message authentication codes (MACs), and other forms of authentication.

If you want to explore further, Here is a pretty comprehensive introduction from Google University.

So what is a Public Key Infrastructure or PKI? It is a system designed to manage the issue of binding public keys and identities across multiple applications. It’s purpose is to establish a level of trust during digital communication. PKI compose of a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.

In technical terms, it is the combination of:

• a Registration Authority (or RA), in charge of verifying people’s identity and associating that identity with their public key
• a Certification Authority (or CA), in charge of generating certificates, i.e. signing people’s public key and identity information with its own private key
• a validation system that can confirm whether a specific certificate produced by this CA is still valid or not (for example, because the associated private key was lost or compromised, or because some information contained within has changed)

The following short video shows how PKI provides web security to the customers of an online pencile store.