Hello and welcome. My name is Tyler McMinn, and this is the Aruba Network Security Basics course, part 2, where we're looking at the 11th video, discussing Diffie-Hellman and recommended algorithms going into the future. In the previous video we finished off our discussion on symmetric key exchange and we looked at hashing algorithms. Without further ado, let's talk about Diffie-Hellman.

Taking a look at Diffie-Hellman, this can get really complicated, as if what we've talked about isn't. But suffice to say, what Diffie and Hellman came up with (these were the two people who developed this secure key agreement) was a way for Alice and Bob to agree on a shared secret, which could be a key, even with Mallory right in the middle watching everything they send to each other.

Alice creates a private and a public value; we won't call it a key, let's just call it a value. Bob does the same. Then they exchange their public values with each other. Once Alice has sent Bob her public value and received Bob's, she has two very important things: her own private value, which is mathematically related to her public value, and Bob's public value. She does not have Bob's private value, nor does Alice share her private value with anybody; that needs to stay private, so that piece of information stays on the side of the fence it belongs on. With Bob's public value and her own private value, Alice is able to generate a shared secret, and Bob is able to generate the same shared secret from Alice's public value and his own private value. (In the classic version, Alice picks a secret a and sends g^a mod p, Bob picks a secret b and sends g^b mod p, and both arrive at g^ab mod p.) What Mallory would be missing in the middle is the private values: she is only privy to the public values, and she would need one of the private values to discern what the shared secret was. Why go through all of this?
Well, we use this all the time. Whenever you go to a banking website like Bank of America or Capital One, you set up a secure TLS tunnel, and a Diffie-Hellman key exchange (key agreement) is used to set that up. Typically it's the stronger form called elliptic curve Diffie-Hellman rather than the original, more traditional form that works with a large prime modulus; elliptic curve gives you higher security for the same size values, or equivalently the same security with much smaller values. What you end up with is a symmetric key of 128 bits or 256 bits, or whatever the bank wants, that both you and the bank's web server know, but anybody sniffing your traffic at the coffee shop or at your house would not be able to discern that symmetric key.

Diffie-Hellman is an automated, very fast way for two parties to arrive at a shared value, a shared secret or a key, without needing to create the key on one side and get it to the other side across an untrusted path; there is no way for Alice to get that key to Bob otherwise unless she physically walks it over. So this is something you can do across an untrusted network and trust that you both end up with the same key and that no one except Alice and Bob is able to discern what the key was. Hopefully that explains it, but we use this all the time. So the same key is derived on both sides, but the key itself is never actually transmitted, and we then use it with a fast symmetric cipher to encrypt the traffic between Bob and Alice.

Now some recommended algorithms, and you don't need to memorize all of these. Essentially, this is the original standard that we've had for years, covering WPA and WPA2, block ciphers, message authentication, and key agreement.
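As an added example that is not part of the course material, here is the Alice/Bob exchange from above carried out in Python (standard library only) over the 2048-bit prime-modulus group 14 from RFC 3526, the kind of "large prime modulus" group the lecture contrasts with elliptic curve. It shows the two parties deriving the same 128-bit AES-sized key while the dictionary that stands in for Mallory's view holds only the public values. The names Party, run_exchange, derive_symmetric_key and the HKDF info string are choices made for this illustration, not anything from Aruba or the course.

```python
"""Finite-field Diffie-Hellman key agreement, as described in the lecture.
Added example, not course material; Python standard library only. Parameters
are RFC 3526 group 14 (2048-bit safe prime, generator 2); names are our own."""
import hashlib
import hmac
import secrets

# RFC 3526 group 14: p = 2q + 1 with q prime, generator g = 2 (order q).
P_2048 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2

def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin primality test with random bases."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def check_group(p: int, g: int) -> bool:
    """Accept only a safe prime p and a generator of its prime-order subgroup."""
    q = (p - 1) // 2
    return is_probable_prime(p) and is_probable_prime(q) and 1 < g < p - 1 and pow(g, q, p) == 1

def validate_public_value(y: int, p: int) -> None:
    """Reject 0, 1, p-1 and anything outside the order-q subgroup (RFC 2631 section 2.1.5).
    Without this check a peer can send a public value that forces a predictable secret."""
    q = (p - 1) // 2
    if not 1 < y < p - 1 or pow(y, q, p) != 1:
        raise ValueError("invalid Diffie-Hellman public value")

class Party:
    """One side of the exchange. The private exponent never leaves this object."""

    def __init__(self, name: str, p: int = P_2048, g: int = G):
        self.name, self.p = name, p
        self._x = secrets.randbelow((p - 1) // 2 - 2) + 2  # private value, kept secret
        self.public = pow(g, self._x, p)                    # public value, sent on the wire

    def shared_secret(self, peer_public: int) -> bytes:
        validate_public_value(peer_public, self.p)
        z = pow(peer_public, self._x, self.p)  # g^(ab) mod p, identical on both sides
        return z.to_bytes((self.p.bit_length() + 7) // 8, "big")

def hkdf_sha256(ikm: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) with SHA-256 and an all-zero salt: raw DH output -> uniform key."""
    prk = hmac.new(bytes(32), ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm, counter = okm + block, counter + 1
    return okm[:length]

def derive_symmetric_key(party: Party, peer_public: int, bits: int = 128) -> bytes:
    """Turn the agreed secret into an AES-sized key; the secret itself is never sent."""
    return hkdf_sha256(party.shared_secret(peer_public), b"lecture demo AES key", bits // 8)

def run_exchange(p: int = P_2048, g: int = G, bits: int = 128):
    """Alice and Bob agree on a key; returns both keys plus everything Mallory could see."""
    alice, bob = Party("Alice", p, g), Party("Bob", p, g)
    on_the_wire = {"p": p, "g": g, "A": alice.public, "B": bob.public}  # Mallory's whole view
    k_alice = derive_symmetric_key(alice, on_the_wire["B"], bits)
    k_bob = derive_symmetric_key(bob, on_the_wire["A"], bits)
    return k_alice, k_bob, on_the_wire

if __name__ == "__main__":
    assert check_group(P_2048, G)
    ka, kb, wire = run_exchange()
    print("Mallory sees only:", {k: hex(v)[:20] + "..." for k, v in wire.items()})
    print("Alice's key:", ka.hex())
    print("Bob's key:  ", kb.hex(), "(same key)" if ka == kb else "(MISMATCH)")
```

Two things worth noticing: validate_public_value is the check real implementations perform before using a peer's value, because a value such as 1 or p-1 would let the peer force the shared secret to something it can predict; and the exchange as written only defeats an eavesdropper. An active Mallory who replaces each public value on the wire with her own would end up sharing one key with Alice and another with Bob, which is why TLS signs the Diffie-Hellman values with the server's certificate, the topic of the next video.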
These are all just different methods used in the encryption process for what we do a thousand times a day on our phones, laptops and computers, where we encrypt data using AES (or even the older Triple DES) and where we authenticate the integrity of the data and the identity of ourselves and of the people we are talking to using these message authentication algorithms. There are a bunch. The number usually refers to the key size, so the larger the number, usually the better. For key agreement, Diffie-Hellman with elliptic curve is generally what you want to shoot for.

The CNSA transition: CNSA stands for the Commercial National Security Algorithm Suite. This is the NSA's set of approved algorithms, meant to get your network systems and your computers ready for the next generation of attackers and for the quantum computing that threatens these smaller, older algorithms. Basically, it's trying to establish a standard that's easily achievable with today's hardware in order to prepare for tomorrow's attacks. That's essentially it.

With good security, one step you can take is to get rid of these older algorithms that older devices may still want to run, and move towards the newer algorithms, except you have to weigh what's no longer going to work. I have an old printer downstairs that still only runs on WPA. It doesn't support WPA2, it still has to run on 2.4 gigahertz, it has got all these old requirements. I mean, I should probably junk it, I guess, or get it on the wire somehow. In fact, that's what I did: I wired it up to a computer down there, so it's not even on the wireless, just because it was becoming such a hassle. Rather than running an insecure network at my house using older algorithms that are easily cracked, I just found another way to get it on the network that's much less likely to be a threat and a lot less of a hassle. Should you use WPA2?
Should you move to WPA3? Yeah, try it, see what breaks. See if you can upgrade; it might be an easy fix, and at the end of the day your network is more secure. That's what this class is about. Hopefully this was informative for you. I know we went into quite a lot, looking back here at our hash algorithms, looking at symmetric key exchange, and using the Diffie-Hellman secure key agreement, which is done a thousand times a day, to establish a shared secret securely across an untrusted network. Then finally a list of recommended algorithms going into the future. In the next video we're going to be looking at asymmetric encryption, certificates and something called PKI. I can't wait. I'll see you guys in the next one. Thank you very much.