
18 November 2019

Tips for a Multihoming BGP network



I’ve written about Same BGP Autonomous System Number in two Datacenters recently because I wanted to connect two datacenters through the Internet with the same AS number. However, I have a new task these days: I have to add more than one ISP to the datacenter. Therefore, I will have to configure BGP properly for several ISPs, which is an interesting and rewarding task. It’s also an advanced routing task, because a configuration mistake can cut off Internet access for customers. I really love networking.

Connecting to Two or more ISPs

Firstly, it’s important to know how Internet routers see our networks. There are lots of websites on the net which are useful to learn how other routers can send packets to our networks. There are even routers we can access freely with read-only rights to run commands, which is also useful to see how Internet routers learn our networks. For instance, there are lots of freely accessible routers listed on the www.routeviews.org website, where we can choose a router, connect with Telnet and finally run commands.

Route Views Project
 
Once we have logged in to a router, we can run commands. It’s important to know which commands to execute as well as how to understand their output. The show ip bgp command is the best one to see how other routers view our networks. For instance, we can run show ip bgp followed by our network address to see how many paths there are from that router to our network. We’ll see all paths and the best path, which is the active one. This command shows the BGP topology database.

BGP Topology Database
 
The BGP topology database, or BGP forwarding database, is a table where all paths are stored. It is maintained by the BGP process, and in it we can look up how routers can send packets to every network, together with attributes such as metric, local preference, weight, etc. It’s important to highlight that the BGP topology database is different from the routing table: the routing table only holds the best path, whereas the BGP topology database holds all of them.
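To make that check concrete, here is a small Python script, added here as an example (it is not part of the original post nor of the Route Views project), which parses the output of show ip bgp for one prefix as a collector shows it and reports through which upstream ASes the prefix is seen, so a multihomed network can confirm that both ISPs are really announcing it. The output, the prefix, the IP addresses and the AS numbers are constructed from documentation ranges; an origin AS other than ours in any path is reported separately, since that is what a leak or hijack would look like from the outside.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, shaped like Cisco IOS "show ip bgp <prefix>" output as seen
# on a Route Views collector. Documentation ranges only: 203.0.113.0/24 is the
# prefix we originate from AS 64496, reachable via the upstreams AS 64500 and AS 64501.
SAMPLE_OUTPUT = """\
BGP routing table entry for 203.0.113.0/24, version 1234567
Paths: (3 available, best #2, table default)
  Not advertised to any peer
  Refresh Epoch 1
  64502 64500 64496
    192.0.2.1 from 192.0.2.1 (192.0.2.1)
      Origin IGP, metric 0, localpref 100, valid, external
  Refresh Epoch 1
  64503 64501 64496
    198.51.100.1 from 198.51.100.1 (198.51.100.1)
      Origin IGP, localpref 100, valid, external, best
  Refresh Epoch 1
  64503 64500 64496
    198.51.100.2 from 198.51.100.2 (198.51.100.2)
      Origin IGP, localpref 100, valid, external
"""


@dataclass
class BgpPath:
    as_path: List[int]
    next_hop: str = ""
    best: bool = False

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]

    @property
    def upstream_as(self) -> Optional[int]:
        # The AS right before the origin is the ISP that carried the route for us.
        return self.as_path[-2] if len(self.as_path) >= 2 else None


# An AS_PATH line in this output holds nothing but AS numbers.
AS_PATH_RE = re.compile(r"^\s+(\d+(?:\s+\d+)*)\s*$")
NEXT_HOP_RE = re.compile(r"^\s+(\S+)\s+from\s+")


def parse_show_ip_bgp(text: str) -> List[BgpPath]:
    """Collect every path in the BGP topology database entry for one prefix."""
    paths: List[BgpPath] = []
    for line in text.splitlines():
        m = AS_PATH_RE.match(line)
        if m:
            paths.append(BgpPath([int(asn) for asn in m.group(1).split()]))
            continue
        if not paths:
            continue  # header lines before the first path
        m = NEXT_HOP_RE.match(line)
        if m:
            paths[-1].next_hop = m.group(1)
        elif line.lstrip().startswith("Origin "):
            flags = [token.strip() for token in line.split(",")]
            paths[-1].best = "best" in flags
    return paths


def upstreams_for(paths: List[BgpPath], our_as: int) -> List[int]:
    """Transit ASes through which the collector sees our prefix; two or more means multihomed."""
    return sorted({p.upstream_as for p in paths
                   if p.origin_as == our_as and p.upstream_as is not None})


def foreign_origins(paths: List[BgpPath], our_as: int) -> List[BgpPath]:
    """Paths whose origin AS is not ours: a possible leak or hijack worth investigating."""
    return [p for p in paths if p.origin_as != our_as]


def best_path(paths: List[BgpPath]) -> Optional[BgpPath]:
    return next((p for p in paths if p.best), None)


if __name__ == "__main__":
    parsed = parse_show_ip_bgp(SAMPLE_OUTPUT)
    print("paths seen:", len(parsed))
    print("upstreams announcing us:", upstreams_for(parsed, 64496))
    print("foreign origins:", [p.as_path for p in foreign_origins(parsed, 64496)])
    chosen = best_path(parsed)
    print("best path:", chosen.as_path if chosen else None)
```

Paste the real collector output in place of the constructed sample: if upstreams_for returns only one AS, the second ISP is not carrying the prefix as far as that collector can see, and if foreign_origins is not empty, someone else is originating our prefix.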

Routing Table
 
There is an interesting website I’m used to visiting. The Réseaux IP Européens Network Coordination Centre (RIPE NCC) has lots of resources about IPv4 addresses, IPv6 addresses and autonomous system numbers. For instance, we can easily see from the www.ripe.net website how different routers on the Internet see our network. Therefore, it’s easy to check from this website whether our network is advertised through several ISPs.

RIPE NCC
 
Finally, if you work as a network engineer, you’ll have to understand dynamic routing protocols such as BGP properly. If you are going to advertise your own routes to the Internet, you’ll have to know how the BGP protocol works. If you are not sure what you are doing, the best option is to contact professional services.

Best regards my friends. Keep learning! Drop a line with the first thing you are thinking!

11 November 2019

Así se domina el Mundo



I like reading. I don’t have much time for reading, but I like reading at least 10 minutes a day. I’ve needed more than two months to read the last book, but I’ve finished it. Great!! Así se domina el mundo by Pedro Baños is the last book I've read. Pedro is a Spanish military officer, a Colonel of the Spanish Army, who specializes in geostrategy, defense, security, terrorism and intelligence. Actually, I didn’t know anything about this man until I read this book. If you like these topics, you can also watch “La mesa del coronel (Cuatro)”, where Pedro works as a presenter.

This is a book mainly about geopolitics and geostrategy. These are two concepts I didn’t know very well. Geopolitics is the study of the effects of Earth’s geography (human and physical) on politics and international relations. However, geostrategy, which is a subfield of geopolitics, is a type of foreign policy guided principally by geographical factors as they inform, constrain, or affect political and military planning. Therefore, geopolitics and geostrategy are very important because the world is defined by these two concepts.

If you want to know about geopolitics and geostrategy, you’ll have to study history. The world is the way it is today because of history. For instance, Crimea was part of the Ottoman Empire, which recognised the independence of Crimea, but it was then conquered by the Russian Empire. During the Soviet Union, Crimea was autonomous within the Ukrainian Republic, but the Russian Federation wants Crimea to go back to Russia. Today, the Crimean people are divided between Russians, Ukrainians, Crimean Tatars, Belarusians, Armenians and others. To sum up, it’s a mess. What’s more, there are lots of messes like this around the world.

We can read in this book some immutable geopolitical principles. These principles are very important to understand why countries make the decisions they make. For example, States are like living beings which are moved mainly by the economy. We can see the trade war between China and the US. Both countries are fighting to dominate the world. However, history and allies are also two immutable principles which are very important in geopolitics.

We can also read about some interesting geostrategies in this book. Intimidation is one of the strategies most used by States. We can see how most countries show off military equipment. Russia, North Korea, China, the US or even Spain show tanks, fighter aircraft and bombs to intimidate adversaries. However, there are many strategies, such as the breaking point or supporting division. I’m sure some of them will be well known to you.

In addition, we can read about some errors made in geopolitics. Idiosyncrasy is something to take into account in geopolitics because each country and each town is different. There are lots of cultures which have to be taken into account. Religion is also important to lots of people. States can make errors in geopolitics which can be dangerous for the future of the country.

That’s all my friends. If you love geopolitics and geostrategy, you should read this book.

4 November 2019

Ariadnex – Deep Network Intelligence



I have worked at ARIADNEX since 2009. I’ve learnt a lot about networking and security in these 10 years. I’ve had the chance to configure dynamic routing protocols such as BGP, OSPF or RIP. I’ve installed and configured lots of switches and routers. I’ve deployed security tools such as SIEM, antivirus, IDS/IPS, firewalls, etc. I’ve analysed lots of security alerts to find out what happened in the network. I’ve even been a teacher in IT courses on networking, security, hacking and forensics. I’ve been able to do many tasks in these 10 years.

I’ve realised that when there are issues with the network, such as slowness or traffic not going through the best route, companies and IT engineers go crazy. When there are complex issues, we need DEEP knowledge for a DEEP analysis. We’ll need networking and security tools where we can analyse lots of metrics such as sessions, flows, traffic, etc. We should even be able to download the packets to know what’s going on. What’s more, if we want to know what happened in the past, one or two days ago, we should also be able to download those packets for a better analysis.

DEEP

Most applications use the NETWORK to send and receive data. Today, the network is very important in most businesses. Therefore, network monitoring is a must in most companies because, if there are issues, we’ll need to check how the network is performing. Companies need a healthy and clean network for their data to go through, because the network is the highway of data. If you are an IT engineer and you are worried about your data, network monitoring is your friend.

NETWORK
 
Sadly, there are lots of companies which don’t know what’s going on in their networks. They can’t perform a deep analysis either. However, there are companies which do have network monitoring, or can even perform a deep analysis, but they lack the third important concept: INTELLIGENCE. Intelligence is required to know exactly what the monitoring tools are recording. Intelligence is required to know exactly what the events and logs are recording. We can add intelligence to the monitoring tools with books, study and expertise.

INTELLIGENCE
 
There are many adversarial simulation tools which help us to know if the network and security monitoring tools are working well. FlightSIM is my favourite one because we can easily generate malicious traffic such as C&C traffic, DGA traffic, spambot traffic, etc. However, there are many other useful adversarial simulation tools such as Caldera, BT3 or DumpsterFire. It’s up to you which one you want to use to find out whether your monitoring tools detect malicious traffic.

Adversarial Simulation Tool
 
We can perform Deep Network Intelligence from Ariadnex, but we can improve this intelligence with a Network Packet Broker (NPB). Gigamon is an NPB which can be used to send a copy of the traffic to the monitoring tools. For instance, we can send a copy of the traffic to SSL Intercept appliances, IDS/IPS appliances, etc. Therefore, A-DNI along with an NPB will be the next generation monitoring tool at Ariadnex.

SSL Inspection with Gigamon
 
Regards my friends. What do you think?

28 October 2019

How many teams are there in your company?



There are companies which have already realised they need security engineers to protect their services and information. These companies have at least one or two people who are in charge of information security. There are also companies which have employees who work with security standards such as PCI-DSS or ISO 27001, or regulations such as GDPR. These people work with lots of paperwork and they have to check procedures, policies, strategies, etc. What’s more, there are also companies which hire a hacking team to learn about the bugs, misconfigurations and weaknesses in their services. However, there are increasingly more people working in information security. Today, I’m going to write about three newer teams: Red Team, Blue Team and Purple Team.

Penetration testing and ethical hacking are well known to most companies which want to identify vulnerabilities and risks in their systems and also want to know whether those systems can be compromised easily by an attacker. However, a Red Team is a group of people who work as adversaries and test many environments instead of one or two, as a pentester does. In addition, it is usually a multidisciplinary team whose members come from IT administration, network engineering, Windows and Unix administration or even development.

There are many tools which are really useful for the Red Team. For instance, I wrote about RedHunt last month, which is an adversary emulation and intelligence platform. RedHunt includes security tools such as Caldera, Atomic Red Team, DumpsterFire or Metta. However, there are many other interesting tools for the Red Team. For example, FlightSIM is a utility used to generate malicious traffic such as DGA traffic, requests to known active C2 destinations, etc. Blue Team Training Toolkit (BT3) is another interesting utility that creates realistic computer attack scenarios. Therefore, there are many tools ready for the Red Team.
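If FlightSIM is used to generate DGA traffic, the Blue Team needs something on the other side that flags it. The following Python is an added example, not code from FlightSIM or from any of the tools named above, showing a baseline heuristic (label length, character entropy, digit and vowel ratios) run over DNS query log lines; the log format, the client addresses and the domain names are all constructed for the example. It serves both this post and the Deep Network Intelligence post above, which mentions the same tool and the same need to know whether the monitoring actually records what was generated.

```python
import math
from collections import Counter
from typing import List, Tuple

# Constructed DNS query log (not real traffic): "<timestamp> <client> <qtype> <qname>".
# The last two names are shaped like the pseudo-random labels a DGA produces.
SAMPLE_DNS_LOG = """\
2019-10-28T10:00:01Z 192.0.2.10 A www.example
2019-10-28T10:00:02Z 192.0.2.10 A mail.corp.example
2019-10-28T10:00:03Z 192.0.2.11 A cdn.example
2019-10-28T10:00:04Z 192.0.2.12 A qx7zk2mvp9lr.test
2019-10-28T10:00:05Z 192.0.2.12 A h4xk9wqz3tlmn7v.test
"""


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character: random-looking labels score high, dictionary words low."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname: str) -> str:
    """Label directly under the TLD. Approximation (assumption of this example): a public
    suffix list would be needed to handle multi-label suffixes such as co.uk correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_score(label: str) -> int:
    """Count simple DGA indicators on one label, from 0 (looks human) to 4 (looks generated)."""
    n = len(label)
    digits = sum(ch.isdigit() for ch in label)
    vowels = sum(ch in "aeiou" for ch in label)
    return sum([
        n >= 12,                          # long labels
        shannon_entropy(label) >= 3.5,    # high character diversity
        digits / n > 0.2,                 # digits mixed into the name
        vowels / n < 0.2,                 # unpronounceable consonant soup
    ])


def detect_dga(log_text: str, threshold: int = 3) -> List[Tuple[str, str, int]]:
    """Return (client, qname, score) for every query whose label reaches the threshold."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _timestamp, client, _qtype, qname = parts
        score = dga_score(registrable_label(qname))
        if score >= threshold:
            hits.append((client, qname, score))
    return hits


if __name__ == "__main__":
    for client, qname, score in detect_dga(SAMPLE_DNS_LOG):
        print(f"{client} queried {qname} (DGA score {score})")
```

A heuristic like this is only a starting point: a real detector adds a whitelist of known good domains and a per-client rate (a DGA client produces many such names in a short time, and NXDOMAIN answers for most of them), but running it over the logs produced during a FlightSIM session is enough to confirm the DNS queries were captured at all.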

On the other hand, the Blue Team is a group of people who work to detect attacks and prevent security incidents. They have to identify attacks and intrusions on systems. They have to be alert for reactive or preventive actions, and they have to block attacks before they succeed. Therefore, they work alongside the Red Team: while the Red Team attacks the company, the Blue Team defends it.

There are lots of well-known tools ready for the Blue Team. Antimalware software is a must for endpoints and servers. Network firewalls are installed in most companies. Web Application Firewalls (WAF) are also installed in many companies. SIEM appliances are increasingly installed in companies which want to collect logs for analysis and visibility. The Blue Team is more common in companies than the Red Team.

I think the Red Team and Blue Team tasks are already well understood. However, there is another team, the Purple Team, which sits between the Red and Blue teams. The Purple Team uses the defensive tactics and controls from the Blue Team together with the threats and vulnerabilities found by the Red Team, with the aim of maximizing the knowledge of both teams.

Regards my friends. How many teams are there in your company?

21 October 2019

Same BGP AS Number in two Datacenters



I remember the first time I studied dynamic routing protocols such as EIGRP, OSPF and BGP. I hadn’t studied anything about these protocols at university, but I wanted to pass the CCNP certification exam because I wanted to go deeper into networking. These protocols are not used in LAN networks, thus it’s unlikely you have to configure or know about EIGRP, OSPF or BGP. However, I wanted the Three Kings to bring me an AS, and I got it. Since then, I have had to manage an AS, and when I have to modify something, I have to know exactly what I’m doing. No doubts! No errors!

Recently, the WAN network I manage has had an important change. Right now, there are two datacenters in different geographical locations, but both datacenters are in the same Autonomous System (AS). They were working properly. In addition, the WAN public IP addresses in one datacenter were different from the IP addresses of the other datacenter. However, there was an issue. An important issue. The datacenters couldn’t connect to each other. There was no connectivity between datacenters. This is caused by a loop-prevention feature enabled by default in BGP networks.

Network Topology

Surfing the net, searching about this issue, I realised there were lots of network engineers who found they couldn’t interconnect datacenters which share the same AS. The solution is easy. The “allowas-in” function in BGP overrides the loop prevention mechanism in the router and allows instances of our own AS to appear in the AS_PATH attribute. Therefore, both routers and both datacenters can share the same AS and send and receive traffic to each other.

Actually, I had to configure the “allowas-in” function in two routers. The first one was a FortiGate “router” where BGP is configured at one site. It is easy to configure, since the “allowas-in {integer}” command allows our AS number to appear as many times as the integer we set. On the other hand, I also ran the “neighbor {IPv4 address} allowas-in {integer}” command in a Cisco router to finally interconnect both datacenters with the same AS number.

AllowAS-in Configuration

However, there is another interesting feature in the BGP protocol which can also be used to interconnect both sites with the same AS number. The AS-Override feature is similar to the AllowAS-in feature, but the AS-Override function has to be run on the Provider Edge (PE) router instead of on the Customer Edge (CE) router. The “neighbor {IPv4 address} as-override” command just strips the customer AS number from the BGP UPDATE before sending it to the CE routers.
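The difference between the two features is easier to see in a small model. The following Python, added here as an example and not code from the post, from Fortinet or from Cisco, simulates one prefix travelling from site A to site B through a PE router, first with the standard loop check, then with allowas-in on the CE, then with as-override on the PE. One detail worth knowing: Cisco’s as-override does not leave a hole in the AS_PATH, it replaces the customer AS with the provider’s own AS, which is what the model implements. The AS numbers are documentation values.

```python
from typing import List, Tuple


def ce_accepts_update(as_path: List[int], local_as: int, allowas_in: int = 0) -> bool:
    """Inbound loop check on a Customer Edge router.

    Standard BGP (RFC 4271, section 9.1.2) discards an UPDATE whose AS_PATH already
    contains the receiving router's own AS. "allowas-in N" (FortiGate and Cisco alike)
    tolerates up to N occurrences of the local AS instead of none.
    """
    return as_path.count(local_as) <= allowas_in


def pe_as_override(as_path: List[int], customer_as: int, provider_as: int) -> List[int]:
    """Outbound rewrite on the Provider Edge router ("neighbor ... as-override").

    Every occurrence of the customer AS is replaced by the provider's AS before the
    UPDATE is sent, so the CE's unmodified loop check never sees its own AS.
    """
    return [provider_as if asn == customer_as else asn for asn in as_path]


def advertise_between_sites(customer_as: int, provider_as: int,
                            allowas_in: int = 0,
                            as_override: bool = False) -> Tuple[List[int], bool]:
    """Simulate one prefix going site A (CE) -> PE -> site B (CE), both sites in customer_as.

    Returns the AS_PATH as received at site B and whether site B accepts the route.
    """
    path = [customer_as]            # site A originates the prefix towards the PE
    path = [provider_as] + path     # the PE prepends its own AS on the eBGP session to site B
    if as_override:
        path = pe_as_override(path, customer_as, provider_as)
    return path, ce_accepts_update(path, customer_as, allowas_in)


if __name__ == "__main__":
    CUSTOMER, PROVIDER = 64496, 64500   # documentation AS numbers (RFC 5398)
    for label, kwargs in [
        ("default loop prevention", {}),
        ("CE with allowas-in 1", {"allowas_in": 1}),
        ("PE with as-override", {"as_override": True}),
    ]:
        path, accepted = advertise_between_sites(CUSTOMER, PROVIDER, **kwargs)
        print(f"{label:28s} AS_PATH={path} accepted={accepted}")
```

Running it prints the three outcomes the post describes: with neither feature the route is dropped at site B because 64496 is already in the path; allowas-in 1 lets that single occurrence through; as-override hands site B a path of [64500, 64500] that passes the unmodified check. The loosened check is also why allowas-in is best kept to the smallest integer that works: every extra occurrence you allow is one more loop the router will no longer detect by itself.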

AS-Override Configuration

These are two interesting functions I didn’t know. I think these functions are not even in the CCNP curriculum but in the CCIE curriculum. Once you know these features, you will be able to send and receive traffic between sites easily. It’s up to you which one you want to use. If you only have access to the CE routers, you’ll use the AllowAS-in function, but if you only have access to the PE routers, you’ll use the AS-Override function.

Regards my friends. Drop me a line with the first thing you are thinking!!

14 October 2019

F5 BIG-IP APM - SAML



There are lots of companies which use software in the cloud. I mean, there are companies which use Software as a Service (SaaS) in the cloud instead of installing the software on site. This is a great advantage because it is usually cheaper and, what’s more, companies don’t have to worry about upgrades and maintenance tasks. However, when companies have lots of users who have to access this software, they want to manage the user database themselves to allow or deny users access to the SaaS application.

OAuth, SAML and OpenID are some of the standards for decentralized authentication. Therefore, thanks to these standards, companies can use SaaS applications while the user database stays on site. For instance, this can be accomplished with SAML, the Security Assertion Markup Language, where there is one Identity Provider (IdP) and many Service Providers (SP), the SaaS applications. The IdP could be configured on a pair of F5 BIG-IP APM while the SPs would be Google Apps, AWS, Office 365, etc.

Fortinet SAML service

When we use decentralized authentication such as SAML with F5 APM, there are four steps. Firstly, the user logs on to the IdP and is directed to a web portal. Secondly, the user selects a SaaS application from the web portal. Thirdly, F5 APM may retrieve attributes from the user database to pass on to the SaaS service provider. Finally, APM directs the request to the SaaS service with the SAML assertion and optional attributes via the user’s browser. However, there is another, similar configuration with five steps, where the user accesses the SaaS service first. It’s up to you which one suits your infrastructure.

Configuration example
 
There are SaaS services which may require attributes such as account ID, role or whatever, and these attributes have to be sent to the application from the IdP through the user’s web browser. For instance, AWS SAML assertions use two SAML attributes. The first is used to identify the username associated with the session, and the second identifies the AWS security role that should be assigned to the session.

AWS SAML Attributes
 
F5 APM can be configured as an IdP as well as an SP. Once you know the concepts, the SAML configuration is easy to deploy in F5 APM thanks to iApps and the Visual Policy Editor (VPE), where the IT engineer answers many questions in the wizard and then modifies the boxes in the VPE to fit the configuration to the infrastructure. The VPE is a useful tool which helps us to add and delete boxes, such as a webtop with many SaaS applications.

Visual Policy Editor
 
If you would like to test a configured federated domain with your F5 APM against AWS, you can do it with this Assertion Consumer Service URL (https://signin.aws.amazon.com/saml). Once you type the Active Directory credentials, the BIG-IP system should issue a SAML assertion to the SaaS application. Nevertheless, if you have any issue, you can use the Firefox SAML Tracer plugin, HttpWatch or Fiddler to trace it.
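The assertion the BIG-IP issues to AWS carries the two attributes mentioned above plus the conditions any relying party has to check before trusting them. The following Python is an added example, not F5’s or AWS’s code: it parses a constructed assertion, checks its validity window and audience, and extracts the AWS Role and RoleSessionName attributes. The attribute names and the urn:amazon:webservices audience are the ones AWS documents for SAML federation; the issuer, account id and role names are made up. It deliberately leaves out XML signature verification, which a real SP performs with a proper SAML library before any attribute is trusted; this is only the part that lets you read what the SAML Tracer is showing you.

```python
from datetime import datetime, timezone
from typing import Dict
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names and audience that AWS expects from any SAML IdP (F5 APM included).
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
AWS_AUDIENCE = "urn:amazon:webservices"

# Constructed assertion: issuer, account id (the AWS documentation value) and role names are made up.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed_example" Version="2.0" IssueInstant="2019-10-14T10:00:00Z">
  <saml:Issuer>https://idp.example.test/saml/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jdoe</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2019-10-14T09:59:00Z" NotOnOrAfter="2019-10-14T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>urn:amazon:webservices</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>jdoe@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/NetworkAdmin,arn:aws:iam::123456789012:saml-provider/F5-APM</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def _parse_time(value: str) -> datetime:
    """SAML timestamps are UTC in the form 2019-10-14T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, now: str,
                       expected_audience: str = AWS_AUDIENCE) -> Dict[str, str]:
    """Check Conditions and pull out what AWS needs. 'now' is a UTC timestamp string.

    Raises ValueError on any condition the relying party must refuse. Signature
    verification is NOT done here and is mandatory in a real Service Provider.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS["saml"]:
        raise ValueError("not a SAML 2.0 Assertion")

    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        raise ValueError("assertion has no Conditions element")
    current = _parse_time(now)
    if not (_parse_time(conditions.get("NotBefore")) <= current
            < _parse_time(conditions.get("NotOnOrAfter"))):
        raise ValueError("assertion is outside its validity window")

    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion is not addressed to %s" % expected_audience)

    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
    if AWS_ROLE_ATTR not in attrs or AWS_SESSION_ATTR not in attrs:
        raise ValueError("AWS Role / RoleSessionName attributes missing")
    # AWS encodes the Role attribute as "<role ARN>,<saml-provider ARN>".
    role_arn, provider_arn = attrs[AWS_ROLE_ATTR][0].split(",", 1)

    return {
        "issuer": root.findtext("saml:Issuer", namespaces=SAML_NS),
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS),
        "session_name": attrs[AWS_SESSION_ATTR][0],
        "role_arn": role_arn.strip(),
        "provider_arn": provider_arn.strip(),
    }


def is_acceptable(xml_text: str, now: str, expected_audience: str = AWS_AUDIENCE) -> bool:
    """Boolean wrapper around validate_assertion for quick checks."""
    try:
        validate_assertion(xml_text, now, expected_audience)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for key, value in validate_assertion(SAMPLE_ASSERTION, "2019-10-14T10:01:00Z").items():
        print("%-13s %s" % (key, value))
```

The two failure cases a tracer most often reveals are visible here: an assertion replayed after NotOnOrAfter, and an assertion whose Audience is not the one the SP expects (for instance, after copying an IdP configuration from one SaaS to another).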

Regards my friends. Keep learning! Keep studying!

7 October 2019

National Cybersecurity Strategy of Spain



Six years ago I wondered whether Spain was sold out, because most security appliances installed in the public and private sectors were made outside of Spain. Most of these technologies are even made outside of the European Union. Therefore, I thought Spain was lost in the cyber war because firewalls, SIEMs, antivirus, etc. were out of our control. Consequently, I’ve read many security strategies since then, such as the Security Directives for the European Union, the DoD Cyber Strategy of the U.S. of America, the National Cyber Strategy of the U.S. of America or the Revue Stratégique Cyberdéfense de France, because I wanted to know how countries mitigate the risk of working without their own IT technology.

This weekend I’ve read the National Cybersecurity Strategy of Spain, where there are five goals and seven lines of action. For instance, the first goal is the security and resilience of the information and communications systems of the public sector and essential services. I think this is a very important goal, since essential services such as water and energy should be protected against cyber attacks.

The second goal highlights cybercrime: the government of Spain is going to investigate illicit and malicious acts to encourage citizens’ trust in cyberspace. This goal wants us to trust a cyberspace which is shared with malicious people. Therefore, we’ll use this space as long as we trust it. Cooperation, collaboration and participation will help to fight against cybercrime.

The third goal, about protecting the business and social ecosystem and citizens, is my favourite because it encourages companies to “develop cybersecurity products, services and systems specially those that uphold national interest needs to strengthen digital autonomy”. I really love this sentence because they have realised Spain needs to develop products, services and systems to protect itself.

A better cybersecurity culture and technological skills for people are the fourth goal. This is also an important goal because people have to know there are risks in cyberspace. Risks such as blackmail, theft, deception, etc. are also present in cyberspace. In addition, this goal takes into account the improvement of technological skills, which will also be useful to develop new cybersecurity activities.

The fifth and last goal is about international cyberspace security, where Spain seeks collaboration and also shares information about best security practices and cybercrime. In this goal we can read about lots of forums in which Spain participates, such as the Internet Governance Forum (IGF), the Organisation for Security and Cooperation in Europe (OSCE) and many more. This is also the goal where we can read about the support for the European Union.

Regards my friends, drop me a line with the first thing you are thinking!!!

30 September 2019

Training on IT Security



The third edition of the IT Security courses in Extremadura will start soon. These courses are delivered for free by FEVAL every year, and I was the teacher in the first and second editions. However, I don’t know yet if I’m going to be the teacher in this third edition. I would like to be. This edition will be in Badajoz and students will learn security on networks and systems, hacking and also forensics. I think it’s a good chance to learn IT security if you are interested in infosec, because these courses are full of tests and laboratories where students attack and protect systems as in the real world.

The first course, which starts soon, is about basic security on networks and systems, where students gain security awareness and configure security appliances such as firewalls and SIEM. For instance, we deployed a virtual firewall and configured OSSIM last year. We also talked about recommendations for protecting networks and systems, such as server hardening and best practices for network appliances. In addition, we talked about the importance of Business Continuity and Disaster Recovery Plans.

Training on IT Security

Students who want to learn more about IT security can take the advanced security course on networks and systems. Last year, this second course was for students who wanted to get a deep knowledge of IT security, because we talked about advanced techniques such as Multipath TCP, HTTP/2, Web Application Firewalls, XSS, SQLi, etc. In fact, we configured a WAF and attacked servers to see how this kind of appliance is able to block advanced attacks.

Once the basic security course and the advanced security course on networks and systems are over, the ethical hacking fundamentals course starts. This course is for students who want to learn how to attack networks and systems. Therefore, the first two courses are for people who want to know how to protect networks and systems, and this one is for learning about vulnerabilities, network scanning, buffer overflows, OSINT, denial of service, etc.

If you really love hacking and you want to learn more about how to hack networks and systems, you have to go to the advanced ethical hacking course. This course was full of advanced laboratories last year. For instance, we created a backdoor for Android systems and we even made a malicious WhatsApp Messenger. In addition, we deployed WebGoat in Kali Linux to test web application vulnerabilities.

The last course in this third edition will be about Digital Forensics. Students learnt how to collect evidence and how to analyse it last year. In addition, we played CTFs (Capture The Flag) where students had to find flags in a series of challenges. As a result, they used many tools such as FTK Imager, fcrackzip or exiftool. Last but not least, we also analysed and learnt how fileless malware works.

Regards my friends. I hope this will be interesting for you. Keep studying.

23 September 2019

RedHunt - Adversary Emulation & Intelligence



There are lots of security tools for pentesters. I’ve already worked with the Social Engineering Toolkit (SET), Metasploit and many other security tools included in Kali Linux. However, I would like to write about RedHunt in this post. This is a useful operating system for threat emulation and threat hunting which helps us to know how secure our environment is. Actually, RedHunt is based on Lubuntu, and security tools such as Caldera, Atomic Red Team, DumpsterFire or Metta are included. I’ll write about them.

Caldera is an emulation system which uses an agent on each system whose security we want to assess. This agent runs commands in the infrastructure as if it were an adversary. The results are sent to Caldera, where we can see which attacks were successful. The new version, Caldera 2.0, added the chain mode, as well as the adversary mode, which allows us to orchestrate atomic unit tests into larger attack sequences. I think it is an interesting tool to execute attacks against servers to know the security of the IT infrastructure.

Caldera

Atomic Red Team is another tool included in RedHunt which, like Caldera, executes simple “atomic tests”, useful for red teams to know how secure the infrastructure is. There are no agents, and we can execute scripts against servers to test security controls. It’s an interesting tool to know which attacks we can detect and which attacks we cannot detect. In addition, it’s easy to run a test, since five minutes are enough to execute an “atomic test” with this tool. Therefore, Atomic Red Team is a good library of simple tests to emulate adversaries.

Atomic Red Team
 
RedHunt is full of security tools. If you want a tool for scheduling tasks such as visiting various hacking websites, downloading a few common hacking tools and scanning the local network, DumpsterFire is your tool. This tool helps us to schedule tasks as if they were run by a human. For instance, we can open a URL session at 2 PM, wait for 60 seconds, and open another URL session or execute a script. What’s more, there are already Fires, or event modules, configured in this tool, although we can also configure and develop our own.

DumpsterFire
 
Another tool for adversarial simulation is Metta. This security tool is similar to Atomic Red Team: we can test hosts and networks to know whether the security systems detect attacks. Metta parses a YAML file where we write a list of “actions”, which are run one at a time without manual interaction. In addition, Metta logs all output to a JSON file and to a simple HTML log, which is useful to incorporate the results into a reporting framework.

Metta
 
I think RedHunt is an interesting virtual machine with many security tools to emulate adversaries. It has many tools, useful for red teams and blue teams, which can be run against servers and networks to know how secure the IT infrastructure is.

Regards my friends. Keep learning and test your IT infrastructure as if you were a real adversary.

16 September 2019

No Logo



I have just finished reading a book about brands. All of us know lots of brands. Most people want brand shoes, brand jeans, brand shirts, etc. We want brands because we think brand stuff is much better than other stuff which nobody knows. We are willing to pay more for a brand’s shoes than for other shoes that nobody knows. As a result, companies spend lots of money on advertising campaigns. They even pay celebrities, such as Michael Jordan or Cristiano Ronaldo, lots of money to make advertising campaigns.

Celebrities also take into account that they are working for these companies. Therefore, they have to speak very well about these brands and they have to wear the clothes of their sponsors. I remember a press conference where Cristiano Ronaldo showed off a luxury diamond watch again and again. I think he scratched his face and his lips from time to time just to show the “amazing” watch. However, famous people also have to be careful about which companies sponsor them, because some of them could ruin their own personal brand.

Luxury diamond watch

Superstars could ruin their own personal brand when they support manufacturers which make products without taking into consideration workers’ rights and human rights. Companies increasingly make products in eastern countries such as China, Vietnam or Indonesia, where workers earn very little money. In addition, these factories don’t have the minimum safety measures. They don’t have proper air conditioning and hygiene. Consequently, people work in high-risk factories and they work lots of hours for a low wage.

Bangladesh factory collapse

There are lots of people in the East who work in bad conditions, and this is the main reason why we can buy products so cheaply. Mainly, U.S. companies have the idea and invest in it, European people work on the idea, and finally eastern workers manufacture the product. However, working for a low salary is also increasingly usual in western countries. There are no factories and there are not enough jobs for everybody. Therefore, western people have low salaries, and these people buy cheap products, which are made in eastern factories with low wages. It’s a dangerous vicious cycle.

Wealthy people are getting richer and poor people are getting poorer. Thereby, there are people who have realised we have to do something. There are demonstrations and strikes in front of malls. There are billboards which are destroyed or repainted. There are even foundations, such as the Adbusters Media Foundation, which fight to counter pro-consumerist advertising. It's up to you whether you want to fight for your rights.

Adbusters cover

To sum up, companies no longer manufacture products but brands. Most people want brands and we want to buy cheap things. Companies have outsourced the manufacturing process and most factories are in eastern countries. We don’t mind that products are made by people who work lots of hours for a low wage, or we don’t want to know about it. It’s time to think about consumerism.

Regards my friends. A nice book, like this one, can change your mind!

9 September 2019

Asymmetric Encryption Algorithms



I remember a security administrator who told me he couldn’t enable encryption on a site-to-site VPN because the firewalls couldn’t encrypt high-throughput traffic. He said the firewalls didn’t have enough CPU for VPN data encryption. Obviously, those firewalls weren’t well sized for his requirements. Encryption needs a powerful CPU and/or powerful cryptographic cards, but it also requires choosing the right cipher suites. Maybe this security administrator didn’t have a good firewall to encrypt the site-to-site VPN but, maybe, he also didn’t know there are several encryption algorithms and that, if they are configured properly, you can get what you want.

I learnt at university how public-key cryptosystems work. It’s easy to understand. There are two keys: a public key and a private key. The public key is known to everyone. It’s like an open padlock. However, the private key is only known by the owner. It’s like the key that opens the padlock. Therefore, when someone wants to send something locked with the padlock, only the owner can open the padlock and read the message. Rivest–Shamir–Adleman (RSA) is one of the first public-key cryptosystems and it’s the most used for data transmission.

Public Key Encryption

There is an alternative to RSA: the Digital Signature Algorithm (DSA). This algorithm was developed by the U.S. government and it has the same security degree as RSA. However, it employs different mathematical algorithms for signing and encryption. DSA is also an asymmetric encryption scheme, like RSA, and it’s faster for signing but slower for verifying. Therefore, DSA is not a good choice if there are performance issues on the client side.

Diffie-Hellman is another algorithm I've learned, but this one while I've been working with Virtual Private Networks (VPN). It’s an asymmetric algorithm useful to establish a secret key between peers. Firstly, the peers agree on a shared value, which could be listened to by an attacker. Secondly, each of them uses a private secret, which is known only to itself. Finally, these two values are combined to get a new one, which is the final key for the encryption process. This final key is, computationally speaking, difficult for an attacker to obtain.

Diffie-Hellman Key Exchange
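Here is the exchange described above in Python, added as an example and not part of the original post. It uses the classic textbook parameters p = 23 and g = 5 so that every number fits on one line; the brute-force function shows why such a toy group gives no protection at all, and why VPNs use 2048-bit or larger groups, where the same search is infeasible.

```python
import random

# Textbook toy parameters (constructed for illustration): p = 23 is a safe prime and g = 5
# generates the whole multiplicative group modulo 23. Real deployments use groups of
# 2048 bits or more; the arithmetic below is identical, only the numbers are bigger.
P, G = 23, 5


def public_value(private_key: int, p: int = P, g: int = G) -> int:
    """What each peer sends over the wire: g^private mod p."""
    return pow(g, private_key, p)


def shared_secret(peer_public: int, private_key: int, p: int = P) -> int:
    """What each peer computes locally from the other side's public value and its own secret."""
    return pow(peer_public, private_key, p)


def dh_exchange(a_private: int, b_private: int, p: int = P, g: int = G):
    """Run both sides; returns (what an eavesdropper sees, A's secret, B's secret).

    The two secrets are equal because (g^a)^b = (g^b)^a mod p.
    """
    A = public_value(a_private, p, g)
    B = public_value(b_private, p, g)
    on_the_wire = {"p": p, "g": g, "A": A, "B": B}   # the private exponents never leave the peers
    return on_the_wire, shared_secret(B, a_private, p), shared_secret(A, b_private, p)


def brute_force_dlog(public: int, p: int = P, g: int = G):
    """Recover a private exponent by trying every candidate (discrete logarithm).

    Takes p steps at most, which is trivial for p = 23 and hopeless for a 2048-bit p.
    """
    for x in range(1, p):
        if pow(g, x, p) == public:
            return x
    return None


def eavesdropper_recovers_secret(on_the_wire: dict):
    """Passive attacker: solve the dlog for A's exponent, then compute the secret exactly like A."""
    x = brute_force_dlog(on_the_wire["A"], on_the_wire["p"], on_the_wire["g"])
    if x is None:
        return None
    return shared_secret(on_the_wire["B"], x, on_the_wire["p"])


if __name__ == "__main__":
    rng = random.SystemRandom()
    a, b = rng.randrange(2, P - 1), rng.randrange(2, P - 1)
    wire, secret_a, secret_b = dh_exchange(a, b)
    print("on the wire:", wire)
    print("A computes", secret_a, "and B computes", secret_b)
    print("eavesdropper recovers", eavesdropper_recovers_secret(wire), "(toy group only)")
```

With the fixed exponents 6 and 15 the peers exchange 8 and 19 and both arrive at 2; the eavesdropper gets the same 2 after at most 22 modular exponentiations. In IKE terms, choosing the DH group is choosing how big that search space is, which is exactly the performance versus security trade-off the firewalls in the story were caught in.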

These three algorithms are well known to most security engineers. However, Elliptic Curve Cryptography (ECC), and the Elliptic Curve Digital Signature Algorithm (ECDSA) in particular, is increasingly used because ECC provides much stronger security than RSA or DSA with smaller keys. Therefore, ECC is the best option for mobile devices, since it requires less computational overhead.

Elliptic Curve Digital Signature Algorithm

On the whole, when you are going to configure encryption for whatever, it’s better to know what algorithm fits with your architecture because if you don’t choose the right one, the network performance could be degraded.

Regards my friends. Have a nice day!