How It All Fits Together
Video Activity

Time: 15 hours 43 minutes
Difficulty: Advanced
CEU/CPE: 16
Video Transcription

Now, sometimes I get the question, "I understand each one of these little pieces as you're teaching it, Kelly, but how does it all come together?" That's such an important question, because we can memorize a lot of facts. But if we can't make the connections, that doesn't really help us; it doesn't help us on the exam. It certainly doesn't help us in the real world. We've got applications, we've got protocols, cryptosystems, algorithms. You know, what is the question really? Let's talk about this. Let's look at this idea.

We have these various layers that are necessary for secure communications. You and I are most familiar with the applications, and that's where we usually start. I'm sitting at Chrome or Firefox or whatever my web browser is. We're going to look at this with web traffic, and I'm going to connect to a web server. Now, that web server's running software like Apache or Internet Information Services, IIS, for Microsoft. Our applications are going to communicate. In order for system to communicate with system, we need a protocol. Web traffic uses the HTTP protocol. Now, if I want a secure connection, then instead I'm going to use the HTTPS protocol, and that S says we need a secure environment, which means we need a cryptosystem.

A cryptosystem is a framework that supports security. You know, a lot of times people talk about SSL and TLS protocols, and I don't really have a problem with that, understand. But really they're cryptosystems; they're not protocols, they're frameworks for security. The fact that I used HTTPS says we need to implement TLS. That's a cryptosystem, and the cryptosystem provides the structure for encryption and for authentication. But to get those, we need an actual algorithm. TLS is the cryptosystem that requires the algorithm, that's AES, to be used, for instance. We have layer upon layer. I use Chrome and the protocol HTTPS, that requires the cryptosystem, SSL or TLS, that uses the algorithm AES, and really, without any one of these pieces, we don't have communication.

We can look at this also for mail. My mail application is Outlook. Maybe I'm connecting to an Exchange mail server; those are my apps. The protocols we use: we might be using secure SMTP, we can use secure POP or IMAP, but we're using secure protocols that require a cryptosystem, and the cryptosystem would be either S/MIME or PGP. S/MIME stands for Secure Multi-part Internet Mail Extensions. That's the standards-based, certificate-based, PKI-based environment that's used by default when we're using things like digital signatures, or PGP, which is a proprietary application that you would have to download the software in order to use. That cryptosystem needs an algorithm to perform the actual math; AES is what S/MIME is going to use by default. PGP, and I don't know if you remember this from earlier, but because PGP is proprietary, it uses its own proprietary algorithm called IDEA.

Our applications use protocols for the rules of communication: how the applications, how the systems communicate with each other. If we use a secure protocol, then a cryptosystem is necessary to support protection, and that protection actually comes through a specific algorithm, which are the actual math functions that provide the encryption. Layer upon layer, multiple different elements working together for the common goal.

Now, another thing that I tried to stress to people is you're not just going to be using one algorithm either. I always think about cryptographic algorithms like I think about grocery shopping. I'm going to go shopping at the Crypto Mart. When I go to the grocery store, I don't go down every single aisle; if I do that, it will take forever, and I'm going to wind up with a shopping cart packed full of unnecessary stuff. I have a list, I know what I need, and I go down the aisles that provide what I need. That's the same idea when we're looking at encryption. Which algorithm do I use? Well, I'm probably going to use multiple algorithms, but I'm only going to use the algorithms that I need.

Here I am shopping at the Crypto Mart, and I'm getting ready to have a secure connection. One of the first things I decide I want to do is I want to find a way to exchange keys. I'm going to use an asymmetric key exchange so that ultimately I can do symmetric data exchange. I'm going to go down the asymmetric key exchange aisle, and I might find a box of Diffie-Hellman or a carton of ElGamal; I'm going to pick that up. Then I go down the symmetric data exchange aisle, and I might buy a can of AES, maybe a six-pack of Triple DES, or a case of Blowfish or Twofish, whatever it is. Then I need integrity. I'm going to shop in the integrity aisle and pick up a jar of MD5 or SHA-1. Then I may need authenticity; that's where I go and I get RSA or DSA, RSA much more likely. And I'll have an aisle for non-repudiation, and that's where I use SHA-1 and RSA together. SHA-1 gives me the integrity piece, RSA gets me authentication, and the two together give me non-repudiation.

The idea is, rarely in a secure connection am I just using a single algorithm. You can think of it as each secure process requires an algorithm. To get keys distributed, I need Diffie-Hellman. Once keys are distributed between parties, the data's protected via AES. We may need integrity verification; that's where SHA-1 and SHA-2 come in. We may need digital signatures; we get SHA-1 and RSA together. The idea is one algorithm doesn't do it all, but that doesn't necessarily mean that you need to use all algorithms either. Which algorithms you need are going to be dictated by what functions you're trying to perform. Usually, that's all controlled within the application, and you and I don't ever go and say, "Oh, I'm going to use CAST for this function and I'm going to use DSA for another." But the application developers that write the programs, the applications that we're using, are going to be incorporating these different algorithms for different functions based on what our users are going to need.

Hopefully, this section has been useful in just pulling it all together and looking at the ideas that we have, so we have the applications, protocols, cryptosystems, algorithms, and then also that last piece about looking at the various algorithms and using the ones that satisfy our needs and our requirements.