Describe functions of cryptography components
📘CCNP security (350-701)
(Covering: Hashing, Encryption, PKI, SSL/TLS, IPsec, NAT-T for IPsec, Preshared Key, Certificate-Based Authorization)
Cryptography is the practice of protecting data so that only the intended users can read or modify it. In modern networks, cryptography ensures secure communication, protects sensitive information, and prevents attackers from tampering with traffic.
Below are the major components you must understand for the CCNP Security exam.
1. Hashing
What Hashing Is
Hashing is a one-way mathematical function that converts data into a fixed-length string called a hash value or digest.
Key Features
- One-way → You cannot reverse a hash back to the original data.
- Fixed size → Output length is always the same (e.g., SHA-256 = 256 bits).
- Data integrity → Used to confirm that data has not been altered.
- Fast → General-purpose hashes are computed quickly, which is what you want for files and packets (password storage deliberately uses a slow, salted construction such as PBKDF2, bcrypt, or scrypt instead, see below)
Common Hash Algorithms
- SHA-1 (deprecated: practical collisions exist, so it must not be used for signatures or certificates)
- SHA-2 family (e.g., SHA-256, SHA-512) – the current standard
- MD5 (broken, not acceptable for any security use)
IT Example
When downloading a firmware file from a vendor site, the vendor publishes a SHA-256 hash. After download, your system recalculates the hash.
If both match → the file is byte-for-byte what the vendor hashed.
The published value must itself come from a trusted source (an HTTPS page or a signed manifest): an attacker who can swap the download on a mirror can swap a hash posted beside it just as easily.
Use in Security
- Used in IPsec and TLS as a keyed hash (HMAC, e.g., HMAC-SHA256): only a peer holding the key can produce the integrity check value, so HMAC also authenticates where the packet came from
- Used in digital signatures
- Used in password storage (salted, deliberately slow password hashes, so a stolen database cannot be reversed or brute-forced quickly)
Exam Focus
Hashing provides integrity, not confidentiality. A plain hash also provides no authentication: anyone can hash a modified file. Pairing the hash with a secret key (HMAC) or a private key (digital signature) is what proves who produced the data.
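The three uses above side by side, as an added example (not from the page or from Cisco): a fixed-length SHA-256 digest for a download check, HMAC-SHA256 for keyed packet authentication, and PBKDF2 for password storage. The firmware bytes and digest are constructed here; the key and password are placeholders.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample standing in for a downloaded firmware image (not a real image).
FIRMWARE = b"constructed firmware image bytes, version 17.9.4a\n"
# The digest the vendor would publish beside the download; computed here from the sample.
PUBLISHED_SHA256 = hashlib.sha256(FIRMWARE).hexdigest()


def sha256_hex(data: bytes) -> str:
    """Fixed-length digest: always 256 bits (64 hex chars), whatever the input size."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, published_hex: str) -> bool:
    """Integrity check: recompute the digest and compare it with the published value.
    A single changed byte yields a completely different digest."""
    return hmac.compare_digest(sha256_hex(data), published_hex.strip().lower())


def hmac_sha256(key: bytes, data: bytes) -> bytes:
    """Keyed hash, the construction IPsec ESP and TLS use for packet integrity.
    Without the key an attacker cannot produce a valid tag, so HMAC gives origin
    authentication as well as integrity; a bare hash gives only integrity."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_hmac(key: bytes, data: bytes, tag: bytes) -> bool:
    # compare_digest runs in constant time, so byte-by-byte timing differences
    # cannot be used to forge a tag one byte at a time.
    return hmac.compare_digest(hmac_sha256(key, data), tag)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> Tuple[bytes, bytes]:
    """Password storage: a salted, deliberately SLOW hash (PBKDF2-HMAC-SHA256).
    Plain SHA-256 is too fast here; an attacker could test billions of guesses per
    second against a stolen table. Returns (salt, derived_key)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def check_password(password: str, salt: bytes, stored: bytes,
                   iterations: int = 600_000) -> bool:
    return hmac.compare_digest(hash_password(password, salt, iterations)[1], stored)
```

Note the two different comparisons: the download check needs no key at all, while `verify_hmac` fails for a peer that has the data but not the key, which is exactly the property IPsec relies on.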
2. Encryption
Encryption is the process of transforming readable data (plaintext) into unreadable form (ciphertext) so that unauthorized users cannot view it.
There are two types:
2.1 Symmetric Encryption
What It Is
Same key is used for encryption and decryption.
Features
- Very fast
- Used for encrypting large amounts of data
- Key distribution is the hard part: both sides must obtain the same secret without an attacker learning it, which is why the symmetric key is normally agreed through an asymmetric exchange (Diffie-Hellman) rather than sent across the network
Common Algorithms
- AES (most widely used today)
- 3DES (legacy: slow, 64-bit block size, deprecated for new deployments)
IT Example
A site-to-site IPsec VPN uses AES-256 to encrypt data between two company branches.
2.2 Asymmetric Encryption
What It Is
Uses a public key and a private key pair.
- Public key → shared with anyone
- Private key → kept secret
Features
- Used for secure key exchange
- Used in digital signatures
- Slower than symmetric
Common Algorithms
- RSA
- ECC (Elliptic Curve Cryptography: ECDSA for signatures, ECDH for key agreement)
- Diffie-Hellman (DH/ECDH key agreement, used by IKE and TLS to establish the symmetric session key)
IT Example
During the TLS handshake, the server proves that it holds the private key matching the public key in its certificate (in TLS 1.3 by signing the handshake transcript); the client only ever needs the public key.
Exam Focus
- Symmetric = fast, same key
- Asymmetric = key pair, identity, key exchange
- Encryption provides confidentiality
3. PKI (Public Key Infrastructure)
PKI is the system that manages digital certificates and public/private keys in an organization.
What PKI Includes
- CA (Certificate Authority) – Issues certificates
- RA (Registration Authority) – Verifies identity before certificate issuance
- Certificate Repository – Stores certificates
- CRL/OCSP – Revocation checking
- Policies – Certificate lifecycle rules
What a Digital Certificate Contains
- Subject (owner) identity, including any subject alternative names
- Subject's public key
- Validity period (not-before and not-after dates)
- Serial number (what CRLs and OCSP responses refer to)
- Issuer (CA) name
- The CA's digital signature over all of the above
IT Example
A company uses Microsoft Active Directory Certificate Services to issue certificates to:
- VPN users
- Wireless clients for 802.1X
- Web servers for HTTPS
Why PKI Matters
- Enables secure authentication
- Used for certificate-based VPN
- Enables digital signatures
- Secures communications (HTTPS, SSL/TLS)
Exam Focus
PKI provides:
- Authentication
- Integrity
- Non-repudiation
- Supports certificate-based VPNs
4. SSL / TLS (Secure Sockets Layer / Transport Layer Security)
TLS is the protocol used today (TLS 1.2 and 1.3); every SSL version and TLS 1.0/1.1 are deprecated and should be disabled. The name "SSL" survives mainly in product names such as "SSL VPN".
TLS provides an encrypted, authenticated channel between a client and a server.
Where It Is Used
- HTTPS websites
- Secure email (IMAPS, SMTPS, POP3S)
- SSL/TLS VPNs
- API communication
What TLS Provides
- Encryption (protect data)
- Authentication (server identity confirmed using certificate)
- Integrity (detect tampering)
TLS Handshake Summary
- Client sends ClientHello: supported TLS versions, cipher suites, and (in TLS 1.3) its (EC)DHE key share
- Server replies with ServerHello, its certificate chain, and its own key share
- Client validates the chain up to a trusted CA, checks that the certificate name matches the host it meant to reach, and checks expiry and revocation
- Server proves possession of the certificate's private key; both sides derive the session keys from the (EC)DHE exchange, so the symmetric key itself is never transmitted
- Encrypted application data begins
Exam Tip
TLS uses both:
- Asymmetric cryptography (for handshake)
- Symmetric cryptography (for actual data transfer)
5. IPsec (Internet Protocol Security)
IPsec is a suite of protocols used to secure IP traffic, especially VPNs.
Functions of IPsec
- Confidentiality → encryption (AES, or legacy 3DES; AES-GCM supplies integrity in the same operation, so no separate HMAC is needed)
- Integrity → hashing (HMAC-SHA256)
- Authentication → preshared key or certificates
- Anti-replay protection → sequence numbers
Two Main Protocols
- AH (Authentication Header)
- Provides integrity
- Does NOT provide encryption
- Rarely used today; it also cannot pass through NAT because the IP header it authenticates is rewritten
- ESP (Encapsulating Security Payload)
- Provides encryption
- Provides integrity
- Used in almost all IPsec tunnels
IPsec Modes
- Tunnel Mode – most common; used between gateways (e.g., site-to-site VPN)
- Transport Mode – host-to-host; the original IP header is kept and only the payload is protected (also used for GRE-over-IPsec between routers)
IKE (Internet Key Exchange)
Used to authenticate the peers, run a Diffie-Hellman exchange, and negotiate the SAs and keys. IKE runs over UDP 500 (UDP 4500 once NAT-T is active).
Two phases (IKEv1 terminology):
- Phase 1 – builds the IKE SA (main or aggressive mode): peer authentication (PSK or certificates), DH, and the protected channel for Phase 2
- Phase 2 – builds the IPsec SAs (quick mode) that carry the actual traffic; SAs are unidirectional, so one pair per tunnel
IKEv2 collapses this into the IKE_SA_INIT and IKE_AUTH exchanges, with CREATE_CHILD_SA for additional or rekeyed IPsec SAs.
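The integrity and anti-replay functions listed above, as an added example (not from the page or from any IPsec implementation): an ESP packet layout (SPI, sequence number, payload, ICV), HMAC-SHA-256-128 as the ICV (RFC 4868 truncates the 256-bit HMAC to 128 bits), and the RFC 4303 sliding replay window. Encryption is left out so the integrity and replay logic stays visible; the key and packet contents are constructed.

```python
import hashlib
import hmac
import struct
from typing import Tuple

ICV_LEN = 16   # HMAC-SHA-256-128 (RFC 4868): SHA-256 HMAC truncated to 128 bits


class AntiReplayWindow:
    """RFC 4303 sliding window. 'top' is the highest sequence number accepted so far;
    bit i of 'bitmap' records whether sequence number top - i has been received."""

    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check_and_update(self, seq: int) -> Tuple[bool, str]:
        if seq == 0:
            return False, "sequence 0 is never valid"
        if seq > self.top:                       # new high-water mark: slide the window
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True, "accepted (window advanced)"
        behind = self.top - seq
        if behind >= self.size:
            return False, "too old, fell out of the window"
        if (self.bitmap >> behind) & 1:
            return False, "replay: already received"
        self.bitmap |= 1 << behind
        return True, "accepted (inside window)"


def build_esp(auth_key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """ESP: SPI (4) | Sequence Number (4) | payload | ICV over everything before it."""
    header_and_data = struct.pack("!II", spi, seq) + payload
    icv = hmac.new(auth_key, header_and_data, hashlib.sha256).digest()[:ICV_LEN]
    return header_and_data + icv


def receive_esp(auth_key: bytes, window: AntiReplayWindow, packet: bytes) -> Tuple[bool, str]:
    """The window is only updated after the ICV verifies (RFC 4303 allows a preliminary
    window check before the ICV to save work, but never an update). Otherwise a forged
    packet with a huge sequence number could push the window past legitimate traffic."""
    if len(packet) < 8 + ICV_LEN:
        return False, "truncated"
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return False, "bad ICV: dropped before touching the replay window"
    spi, seq = struct.unpack("!II", body[:8])
    return window.check_and_update(seq)
```

Feed it sequence numbers 1, 2, 3, then a replay of 2 (rejected), a tampered packet (rejected by the ICV with the window untouched), a jump to 100 (window slides), and 30 (rejected as too old for a 64-entry window) to see each rule fire.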
6. NAT-T for IPv4 IPsec (NAT Traversal)
Problem
IPsec and NAT conflict in two ways. AH authenticates the outer IP header, so any address rewrite fails the integrity check; AH simply cannot traverse NAT. ESP does not cover the outer header, but it is IP protocol 50 with no TCP/UDP ports, so a NAT/PAT device has nothing to map several inside hosts onto one public address and commonly drops it; in transport mode the rewritten address also invalidates the inner TCP/UDP checksum.
Solution: NAT-T
- During IKE the peers exchange NAT-D (IKEv1) / NAT_DETECTION (IKEv2) payloads: hashes of the address and port each believes it is using. If the hash does not match what actually arrived, a NAT is in the path.
- Both peers then move IKE from UDP 500 to UDP 4500 and send ESP inside UDP 4500, so the NAT sees ordinary UDP it can translate; periodic one-byte keepalives hold the NAT mapping open
IT Example
Remote users behind home routers can connect to corporate IPsec VPNs because NAT-T encapsulates IPsec traffic.
Exam Focus
- NAT breaks AH outright and usually breaks ESP (no ports for the translator to track)
- NAT-T is negotiated inside IKE and carries both IKE and ESP in UDP/4500; without NAT-T, IKE stays on UDP/500
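The two halves of NAT-T, detection and encapsulation, as an added example (not from the page, Cisco, or any IKE implementation): the IKEv2 NAT_DETECTION hash from RFC 7296 section 2.23 (SHA-1 over the two IKE SPIs, the address and the port), and the UDP/4500 framing from RFC 3948, where ESP follows the UDP header directly, IKE is preceded by a four-byte zero "non-ESP marker", and a lone 0xFF byte is the NAT keepalive. The SPIs, addresses and packet contents below are constructed.

```python
import hashlib
import ipaddress
import struct
from typing import Tuple

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: precedes IKE on UDP 4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948: one-byte keepalive refreshes the NAT mapping


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """IKEv2 NAT_DETECTION_*_IP payload: SHA-1(SPIi | SPIr | address | port)."""
    addr = ipaddress.ip_address(ip).packed   # 4 bytes for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def nat_in_path(spi_i: bytes, spi_r: bytes, claimed_hash: bytes,
                observed_ip: str, observed_port: int) -> bool:
    """The receiver hashes the source address/port it actually saw in the outer
    IP/UDP header. A NAT that rewrote either makes the hashes differ."""
    return claimed_hash != nat_detection_hash(spi_i, spi_r, observed_ip, observed_port)


def udp_encapsulate(inner: bytes, src_port: int = NAT_T_PORT,
                    dst_port: int = NAT_T_PORT, ike: bool = False) -> bytes:
    """Wrap ESP (or IKE, with the non-ESP marker) in a UDP header. RFC 3948 allows a
    zero UDP checksum; the NAT now has ports it can translate and track."""
    payload = (NON_ESP_MARKER + inner) if ike else inner
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def udp_decapsulate(datagram: bytes) -> Tuple[str, bytes]:
    """Demultiplex what arrives on UDP 4500: keepalive, IKE, or ESP."""
    if len(datagram) < 8:
        return "invalid", b""
    src, dst, length, _checksum = struct.unpack("!HHHH", datagram[:8])
    payload = datagram[8:length]
    if dst != NAT_T_PORT:
        return "not-nat-t", payload
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive", b""
    if len(payload) < 4:
        return "invalid", b""
    if payload[:4] == NON_ESP_MARKER:
        return "ike", payload[4:]
    return "esp", payload   # first 4 bytes are the ESP SPI, which is never all-zero for a live SA
```

The demultiplexing works because ESP SPI 0 is reserved, so a datagram on 4500 that starts with four zero bytes can only be IKE. In the detection check, note that it is the peer's view of its own address that is hashed: a home user behind a router hashes 192.168.x.x, the VPN gateway sees the public address, and the mismatch is what triggers the move to UDP 4500.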
7. Preshared Key (PSK)
A preshared key is a shared secret used for authentication in IPsec IKE Phase 1.
Features
- Simple to configure
- Must match on both sides
- Not scalable for large environments
- Weaker security compared to certificates
IT Example
Two Cisco routers building an IKEv1 site-to-site VPN each configure the same key for the peer's address (the ISAKMP policy must also select authentication pre-share):
crypto isakmp key MySecretKey address 198.51.100.1
If the key matches → authentication succeeds.
Exam Focus
PSK = simple but not scalable.
A PSK proves only that the peer knows the shared secret; it does not bind the peer to an individually verified identity the way a CA-signed certificate does, and one leaked key compromises every peer that shares it (IKEv1 aggressive mode with PSK additionally exposes the key to offline brute force).
8. Certificate-Based Authorization
Certificate-based authorization (the exam's wording; the mechanism is certificate-based authentication, after which authorization decisions such as VPN group or VLAN can be keyed to certificate fields through certificate maps) uses digital certificates to authenticate users or devices instead of passwords or PSKs.
How It Works
- A device/user presents its certificate.
- The receiving system checks:
- Does the signature chain up to a CA this system trusts?
- Is the current time inside the validity period?
- Has it been revoked (CRL or OCSP lookup)?
- Does the identity in the certificate (subject/SAN) match who the peer claims to be?
- Can the peer prove it holds the matching private key (by signing a fresh handshake value)?
- If every check passes, access is granted.
Benefits
- Strong authentication
- Scalable: no per-peer secret to distribute; enrollment (e.g., SCEP) and revocation are handled centrally by the PKI
- Hard to fake (requires private key)
- Works with 802.1X, VPN, HTTPS, APIs
IT Example
A company uses certificate-based authentication:
- Remote VPN users must have a certificate on their laptop to connect.
- Firewalls validate the certificate before allowing VPN access.
Exam Focus
Certificate-based authentication is more secure and scalable than preshared keys.
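The PKI components from section 3 and the validation steps from this section, as one added example (not from the page, Cisco, or any X.509 library): a toy CA signs a certificate binding a subject to a public key, a verifier runs the trust-chain, validity, and CRL checks, and the peer proves possession of its private key by signing a nonce. RSA here is textbook (hash then modexp, 1024-bit toy keys, no padding) purely to keep the mechanics visible; real PKI uses 2048-bit-plus keys with PKCS#1 padding or ECDSA. All names, serials and timestamps are constructed.

```python
import hashlib
import json
import math
import secrets
from typing import Dict, Set, Tuple


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin with trial division first."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def rsa_keypair(bits: int = 1024):
    """Returns (private=(d, n), public=(e, n)). Toy size; see the lead-in."""
    def prime(k: int) -> int:
        while True:
            c = secrets.randbits(k) | (1 << (k - 1)) | 1   # force top bit and oddness
            if is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (pow(e, -1, phi), p * q), (e, p * q)


def rsa_sign(private, message: bytes) -> int:
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big"), private[0], private[1])


def rsa_verify(public, message: bytes, signature: int) -> bool:
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return 0 < signature < public[1] and pow(signature, public[0], public[1]) == h


def to_be_signed(cert: Dict) -> bytes:
    """Canonical bytes of every field except the signature (what X.509 calls tbsCertificate)."""
    return json.dumps({k: v for k, v in cert.items() if k != "signature"}, sort_keys=True).encode()


def issue_certificate(ca_name, ca_private, subject, subject_public, not_before, not_after, serial):
    """The CA binds an identity to a public key by signing the certificate body."""
    cert = {"subject": subject, "issuer": ca_name, "serial": serial, "public_key": list(subject_public),
            "not_before": not_before, "not_after": not_after}
    cert["signature"] = rsa_sign(ca_private, to_be_signed(cert))
    return cert


def validate_certificate(cert, trusted_cas: Dict[str, tuple], crl: Dict[str, Set[int]], now: int) -> Tuple[bool, str]:
    """The checks listed above, in the order a verifier performs them."""
    ca_public = trusted_cas.get(cert["issuer"])
    if ca_public is None:
        return False, "issuer is not a trusted CA"
    if not rsa_verify(ca_public, to_be_signed(cert), cert.get("signature", 0)):
        return False, "CA signature does not verify (forged or altered)"
    if not cert["not_before"] <= now <= cert["not_after"]:
        return False, "outside validity period"
    if cert["serial"] in crl.get(cert["issuer"], set()):
        return False, "revoked (serial listed in CRL)"
    return True, "certificate valid"


def authenticate_peer(cert, trusted_cas, crl, now, challenge: bytes, response: int) -> Tuple[bool, str]:
    """A certificate is public, so presenting one proves nothing by itself; the peer
    must also sign a fresh challenge to prove possession of the matching private key."""
    ok, reason = validate_certificate(cert, trusted_cas, crl, now)
    if not ok:
        return False, reason
    if not rsa_verify(tuple(cert["public_key"]), challenge, response):
        return False, "no proof of private-key possession"
    return True, "authenticated " + cert["subject"]


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario: a corporate CA, one VPN laptop, and an attacker's key pair."""
    ca_priv, ca_pub = rsa_keypair()
    user_priv, user_pub = rsa_keypair()
    evil_priv, evil_pub = rsa_keypair()
    ca = "CN=Corp-Root-CA"
    trusted, crl = {ca: ca_pub}, {ca: {1002}}            # serial 1002 has been revoked
    good = issue_certificate(ca, ca_priv, "CN=alice-laptop", user_pub, 1000, 2000, 1001)
    revoked = issue_certificate(ca, ca_priv, "CN=bob-laptop", evil_pub, 1000, 2000, 1002)
    self_signed = issue_certificate("CN=Evil-CA", evil_priv, "CN=alice-laptop", evil_pub, 1000, 2000, 1)
    altered = dict(good, subject="CN=admin")             # edited after the CA signed it
    nonce = secrets.token_bytes(32)                      # the verifier's challenge
    return {
        "valid": authenticate_peer(good, trusted, crl, 1500, nonce, rsa_sign(user_priv, nonce)),
        "expired": authenticate_peer(good, trusted, crl, 2500, nonce, rsa_sign(user_priv, nonce)),
        "revoked": authenticate_peer(revoked, trusted, crl, 1500, nonce, rsa_sign(evil_priv, nonce)),
        "untrusted_ca": authenticate_peer(self_signed, trusted, crl, 1500, nonce, rsa_sign(evil_priv, nonce)),
        "altered": authenticate_peer(altered, trusted, crl, 1500, nonce, rsa_sign(user_priv, nonce)),
        "stolen_cert_no_key": authenticate_peer(good, trusted, crl, 1500, nonce, rsa_sign(evil_priv, nonce)),
    }
```

The last scenario is the one that separates certificates from PSKs: an attacker who copies alice's certificate off the laptop still fails, because the challenge must be signed with a private key that never left the device.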
Summary Table
| Component | Provides | Used For |
|---|---|---|
| Hashing | Integrity | Checking data & password storage |
| Symmetric Encryption | Confidentiality | Fast data encryption (e.g., IPsec) |
| Asymmetric Encryption | Authentication, key exchange | TLS handshake, PKI |
| PKI | Certificate management | HTTPS, VPNs, 802.1X |
| SSL/TLS | Confidentiality, integrity, authentication | Secure web & application traffic |
| IPsec | VPN security | Site-to-site & remote-access VPN |
| NAT-T | Enables IPsec through NAT | Remote users behind home routers |
| Preshared Key | Basic authentication | Small VPN deployments |
| Certificate Authorization | Strong authentication | Large enterprises, 802.1X, VPN |
Final Notes for Exam Preparation
For the CCNP Security exam, make sure you understand:
✔ Difference between hashing and encryption
✔ Difference between symmetric and asymmetric encryption
✔ How PKI works (CA, certificates, CRL, OCSP)
✔ TLS handshake basics
✔ IPsec components (IKE, ESP, AH, tunnel mode)
✔ Why NAT-T is required
✔ PSK vs certificate-based authentication
✔ Which protocols provide integrity, authentication, or confidentiality
