WEBVTT

00:04.550 --> 00:16.160
What we are going to be covering today as we talked about it, is this concept of VPNs.

00:18.190 --> 00:18.910
What is VPN?

00:18.940 --> 00:20.170
What is a VPN?

00:21.130 --> 00:21.850
A virtual

00:24.430 --> 00:25.150
private.

00:29.820 --> 00:32.520
What do you think a virtual private network means?

00:33.300 --> 00:39.060
Virtual private network, Right.

00:39.090 --> 00:45.090
It's a virtual private network, which means it's private through something else.

00:45.540 --> 00:46.320
Private through what?

00:46.860 --> 00:48.000
A public domain.

00:48.480 --> 00:52.230
When I talk about VPNs here, I'm going to talk about layer three VPNs.

00:52.260 --> 00:56.010
As I said yesterday, L2 VPNs.

00:56.010 --> 00:58.290
I told you what those are, right?

00:58.320 --> 00:59.790
What are L2 VPNs?

01:00.810 --> 01:02.670
Your MPLS, Frame Relay.

01:03.840 --> 01:04.380
What happened?

01:06.630 --> 01:07.890
MPLS, Frame Relay.

01:08.040 --> 01:09.090
VLANs.

01:09.780 --> 01:10.350
Right.

01:11.250 --> 01:17.180
So encapsulation at layer two is a VPN, but L2 VPNs.

01:17.190 --> 01:24.720
What we are going to be dealing with are the new kind which deals with layer three encapsulation known

01:24.720 --> 01:25.380
as what?

01:26.130 --> 01:28.030
L3 VPNs.

01:30.330 --> 01:32.000
Now under layer three VPNs.

01:32.010 --> 01:33.750
There are different classifications.

01:34.320 --> 01:35.940
Many different classifications.

01:35.940 --> 01:44.280
You can classify them as, let's say, site to site.

01:46.390 --> 01:47.440
What is site to site?

01:47.470 --> 01:49.750
Site to site means you have two different sites.

01:54.100 --> 01:58.120
Each connected eventually through the Internet.

01:59.890 --> 02:00.080
Right.

02:00.130 --> 02:04.120
And you want to connect them together, but you want to make sure that it's secure.

02:04.120 --> 02:07.930
So you'll create a tunnel, a VPN, between the two sites.

02:09.400 --> 02:10.820
That would be a site to site VPN.

02:10.840 --> 02:12.160
Now, this can be of many types.

02:12.160 --> 02:14.380
It can be one site to another site.

02:14.410 --> 02:16.750
You can add more sites on top of this.

02:16.750 --> 02:21.190
So maybe you have one here, one here, one here.

02:21.820 --> 02:24.520
But again, these are all sites connecting together.

02:27.460 --> 02:27.720
Right.

02:27.880 --> 02:28.930
That's one kind.

02:29.050 --> 02:29.980
The other way.

02:29.980 --> 02:37.150
The other kind is called remote access VPN.

02:38.980 --> 02:42.610
I'm sorry, a remote access VPN.

02:43.420 --> 02:45.040
What is a remote access VPN?

02:45.190 --> 02:52.330
You will have a server sitting somewhere around on the internet.

02:55.430 --> 02:55.700
Right.

02:56.270 --> 02:58.310
And then people.

03:00.870 --> 03:02.700
Sitting at different corners.

03:08.420 --> 03:12.980
Now, this doesn't necessarily have to be a router.

03:12.980 --> 03:17.000
It could be a PC connecting up to the Internet.

03:18.170 --> 03:22.520
This address that he's receiving doesn't have to be a static address, doesn't have to be a leased line

03:22.520 --> 03:23.060
address.

03:23.090 --> 03:26.270
It can be a dynamic address in remote access VPN.

03:27.170 --> 03:31.790
All these people need to connect up to the network, to their corporate network.

03:31.790 --> 03:33.920
HQ has an internet connection.

03:33.920 --> 03:35.750
They can create dynamic tunnels.

03:38.700 --> 03:44.880
With your actual server or your company headquarters.

03:45.810 --> 03:46.220
Right.

03:46.230 --> 03:46.980
Called what?

03:47.130 --> 03:48.030
Remote access.

03:48.030 --> 03:49.380
VPN access.

03:49.380 --> 03:50.550
Something remotely.

03:51.780 --> 03:52.350
Right.

03:53.010 --> 03:55.410
So two types of classifications we saw.

03:55.440 --> 03:57.200
L2 and L3 VPNs.

03:57.210 --> 04:01.200
You could characterize them on the basis of site to site or remote access VPNs.

04:01.230 --> 04:02.400
There are still many more.

04:02.400 --> 04:03.240
We'll see them.

04:03.240 --> 04:06.410
We'll have a look at them when we go to that point.

04:06.420 --> 04:09.450
There's point to point, point to multipoint and some other stuff.

04:09.870 --> 04:10.290
Right.

04:10.290 --> 04:11.820
So now this should be enough.

04:13.170 --> 04:15.930
Now, when I talk about this tunnel, I say a tunnel.

04:15.930 --> 04:16.500
A tunnel.

04:16.500 --> 04:17.550
I talked about a tunnel.

04:18.130 --> 04:20.740
What is this tunnel and how is this secure?

04:20.790 --> 04:23.190
That's what we are going to be talking about today.

04:25.110 --> 04:26.700
What is this tunnel and why?

04:26.730 --> 04:28.350
And how is it secure?

04:29.340 --> 04:40.210
There are two main kind of, let's say, two protocols that support tunneling out there that are very

04:40.210 --> 04:42.460
famous there.

04:42.740 --> 04:45.940
There's IPsec, there is SSL.

04:49.290 --> 04:51.600
IPsec and SSL. SSL.

04:51.630 --> 04:56.730
We are not going to have a look at today, for a long time to come.

04:57.060 --> 04:59.610
Our main focus is going to be where?

05:02.950 --> 05:03.490
IPsec.

05:03.880 --> 05:06.100
What are the strongest technologies out there?

05:06.280 --> 05:11.230
When you talk about VPNs here in this course, you're talking about IPsec VPNs.

05:11.350 --> 05:14.230
Yes, you do have to worry about SSL VPN, too.

05:14.860 --> 05:17.320
SSL is more widely used than IPsec.

05:18.460 --> 05:24.280
By the time you are over with IPsec and SSL, you will know why SSL is more famous than IPsec.

05:24.400 --> 05:25.840
Is it more secure?

05:25.870 --> 05:27.700
I wouldn't think so.

05:29.530 --> 05:34.330
IPsec, as you will see, has a lot of security measures which SSL

05:34.330 --> 05:35.720
VPN does not provide you.

05:35.740 --> 05:38.760
But why is SSL more famous?

05:38.770 --> 05:40.780
Because it's easier to implement.

05:40.990 --> 05:42.430
That's the only reason.

05:43.270 --> 05:45.190
And it's widely supported.

05:46.450 --> 05:49.390
It's openly supported by a lot of vendors.

05:49.870 --> 05:50.380
Right.

05:50.380 --> 05:52.210
And everybody is following the same.

05:52.210 --> 05:55.120
So SSL is a little more used than

05:55.150 --> 05:56.170
IPsec VPNs.

05:58.240 --> 05:58.690
Okay.

05:59.500 --> 06:02.920
Have you ever heard about the TCP IP suite?

06:02.950 --> 06:05.840
I'm sure you have. The TCP IP suite.

06:05.860 --> 06:07.510
What is the TCP IP suite?

06:09.250 --> 06:12.130
A collection of different protocols.

06:12.550 --> 06:13.030
Right.

06:13.060 --> 06:16.530
There's an IP protocol in there somewhere, right?

06:16.540 --> 06:17.680
Somewhere around the same.

06:17.680 --> 06:20.050
There's an IP running, there's OSPF running.

06:20.050 --> 06:28.870
So when you talk about TCP IP, you're talking about the four layers, right?

06:28.870 --> 06:36.280
You had your application layer, then you have your layer three, layer two, layer one.

06:37.150 --> 06:40.270
So all the protocols that are running here, Ethernet.

06:43.310 --> 06:45.340
Or serial, Frame Relay, HDLC.

06:45.470 --> 06:48.350
Whatever is running here comes under the same suite.

06:50.120 --> 06:50.560
Right.

06:50.570 --> 06:52.610
You have it running here.

06:54.950 --> 06:55.220
Right.

06:55.220 --> 06:57.020
You might have Appletalk, Novell.

06:57.050 --> 06:59.630
All of those things running here also come under it.

07:00.530 --> 07:03.670
Obviously, this is the TCP IP. I'm talking about the OSI here.

07:03.680 --> 07:06.680
Only IP runs the TCP IP.

07:09.460 --> 07:09.930
Transport.

07:10.900 --> 07:15.680
Transport is left for an application.

07:15.700 --> 07:16.210
Transport.

07:19.480 --> 07:22.570
L4, L3 and these two are combined, right?

07:24.370 --> 07:25.480
This is L4 L3.

07:25.510 --> 07:25.960
Correct.

07:26.200 --> 07:26.920
Thank you.

07:29.220 --> 07:33.960
The last two are combined into one and this becomes your IP.

07:35.100 --> 07:37.860
On top of this here can be many different protocols.

07:37.860 --> 07:46.470
You can either have L4, or you could have EGP, you can have OSPF, you could have ICMP, or you could

07:46.470 --> 07:48.810
have TCP, UDP.

07:48.840 --> 07:55.470
If you have TCP, UDP on layer four, if you're on layer four, you have to go right here.

07:55.470 --> 08:01.770
So you can have port number 80, which leads you to HTTP, and all the different services of TCP, all

08:01.770 --> 08:03.630
the different services of UDP.

08:04.860 --> 08:11.550
All of this comes under this big suite of TCP IP.

08:12.630 --> 08:18.810
If you want to have a broader look at it, you can go to the OSI model, which can give you wider

08:18.810 --> 08:20.670
ranges of protocols.

08:21.300 --> 08:27.810
But my question is, my focus right now for you guys should be: have a look at the TCP IP suite. Just

08:27.810 --> 08:32.200
like TCP IP is a suite, the exact same way,

08:32.200 --> 08:36.520
your IPsec is also a suite of protocols.

08:37.870 --> 08:43.840
It's not one protocol, it's a collection, a combination of many different protocols coming together

08:43.840 --> 08:45.430
for a great event.

08:47.230 --> 08:47.680
Right.

08:47.710 --> 08:49.420
You'll see many different things.

08:49.720 --> 08:51.370
Authentication is here.

08:51.640 --> 08:52.990
Encryption is here.

08:53.020 --> 08:59.200
So many different things coming together to provide that one big tunnel, which gives you security in

08:59.200 --> 09:00.520
many different ways.

09:02.320 --> 09:03.790
Okay, let's have a look at that.

09:03.790 --> 09:08.230
Actually, all these technologies coming together.

09:10.060 --> 09:11.260
IPsec. Right.

09:14.090 --> 09:18.080
IPsec has mechanisms to provide you.

09:19.220 --> 09:21.470
First of all, it's.

09:24.260 --> 09:25.580
We call it integrity.

09:31.280 --> 09:31.910
Integrity.

09:33.230 --> 09:34.700
What is integrity?

09:35.600 --> 09:39.350
If you look at it with English, pure English, what does integrity mean?

09:45.380 --> 09:46.010
Yes.

09:47.000 --> 09:51.440
Trustworthiness of data.

09:52.640 --> 09:52.910
Right.

09:52.910 --> 09:59.570
If you talk about it in pure English terms, when we say, okay, this guy has integrity, what does

09:59.570 --> 10:00.260
that mean?

10:01.070 --> 10:05.360
That means he does what he stands for, Right?

10:05.360 --> 10:11.570
So if he says that he's going to do this, or if he sees something is right, he will stand

10:11.570 --> 10:12.110
by the right.

10:13.310 --> 10:24.110
If you think about it in data packets, integrity of data means if I send some data from my end, anything

10:24.110 --> 10:26.750
from let's say I have two people here.

10:29.100 --> 10:30.870
One guy here and one guy here.

10:31.290 --> 10:35.610
If I'm sending him some data, I'm saying I'm going to send it through the Internet.

10:36.150 --> 10:38.190
When I'm sending it through the Internet.

10:38.310 --> 10:39.930
Now, two things can happen.

10:40.950 --> 10:43.650
One is someone can sniff the packet.

10:43.650 --> 10:46.830
Sniffing means he can see what's inside the packet.

10:46.860 --> 10:51.660
Basically get a copy of the packet. That has nothing to do with integrity.

10:51.990 --> 10:55.170
What people could also do is tamper the data.

10:55.200 --> 10:58.740
When I say tamper the data, let's say there's another guy here.

11:01.410 --> 11:09.810
Right, when he sees this data going from, let's say, Alice to Bob, when he sees this data is going

11:09.810 --> 11:10.840
from Alice to Bob.

11:10.860 --> 11:14.880
What this guy can do is he can bring a little anarchy into the system.

11:17.310 --> 11:24.360
He will tamper the data, maybe add certain bytes, maybe remove certain bytes, and then leave the packet

11:24.360 --> 11:26.940
as it is so that it goes to Bob.

11:29.980 --> 11:33.580
When you do this, the integrity of your packet has been broken.

11:35.380 --> 11:38.290
Bob did not receive what Alice sent him.

11:39.520 --> 11:40.720
This is integrity.

11:43.000 --> 11:43.420
Okay.

11:44.380 --> 11:46.600
Have we encountered this before?

11:47.380 --> 11:49.330
Have we seen this before anywhere?

11:51.100 --> 11:52.390
Have we used it?

11:57.760 --> 12:00.190
We have, but not in this general sense.

12:00.190 --> 12:02.680
But we have a little idea of how we use it.

12:02.770 --> 12:04.360
Routing Protocol authentications.

12:06.370 --> 12:09.520
When you have routing protocol authentication, what do you do?

12:09.550 --> 12:10.600
Do you send a key?

12:11.170 --> 12:13.240
If you're using clear text, you will send a key.

12:13.240 --> 12:15.850
But if you're not, if you're using MD5, do you send it?

12:17.650 --> 12:18.820
You don't send the key.

12:20.770 --> 12:21.880
You don't send the key.

12:22.000 --> 12:24.020
You use the key to create a hash value.

12:24.040 --> 12:25.540
Then you send that hash value.

12:27.100 --> 12:27.530
Right.

12:27.580 --> 12:30.190
Similarly, what's going to happen here in IPsec?

12:30.220 --> 12:35.320
The protection, the way it provides you is Alice.

12:37.000 --> 12:43.090
When he creates this packet, he's going to take something of a snapshot

12:43.840 --> 12:44.950
of this packet.

12:45.190 --> 12:48.880
When I say snapshot, I'm talking in simple terms.

12:49.090 --> 12:54.310
He's basically going to make it go through an algorithm, right, using a key.

12:55.540 --> 13:01.180
He will have a key, let's say one key here, and the same key is on the other side.

13:01.660 --> 13:07.420
So what Alice will do is before sending the packet out, he creates the complete packet, makes it go

13:07.420 --> 13:08.290
through the key.

13:10.210 --> 13:12.490
Once it goes through the key, he gets a value.

13:13.960 --> 13:14.830
Hashing value.

13:15.220 --> 13:20.860
That value he hides somewhere inside the packet.

13:24.420 --> 13:24.870
Right.

13:24.870 --> 13:26.400
And then he throws the packet off.

13:27.300 --> 13:36.570
Now, if anybody out there tampers the packet, let's say this guy right here, the intruder, he tampers

13:36.570 --> 13:39.000
the packet again and sends it to the other side.

13:39.030 --> 13:39.480
Bob.

13:39.630 --> 13:42.810
When Bob receives the packet, he's going to do two things.

13:43.500 --> 13:46.890
First thing, he's going to make this packet that he received.

13:46.890 --> 13:47.880
Go through what?

13:48.330 --> 13:49.320
Through the key.

13:49.740 --> 13:51.450
Because both of them have the same key.

13:52.290 --> 13:53.850
He's going to make it go through the key.

13:53.880 --> 13:58.890
Once it goes through the key, he's going to receive a result, a value.

13:59.130 --> 14:01.530
He's going to compare that value to what?

14:03.480 --> 14:07.020
To the value that was given inside that packet by the other guy.

14:09.750 --> 14:10.980
He's going to compare both of them.

14:12.360 --> 14:13.710
Will they be the same?

14:14.760 --> 14:15.870
They will not be the same.

14:15.870 --> 14:16.380
Why?

14:16.410 --> 14:20.370
Because when the packet was coming in, someone tampered it.

14:20.370 --> 14:25.570
So when he makes it go through the algorithm, he'll get a different value than the value that is inside.

14:27.460 --> 14:30.410
So he sees that this packet has been tampered with.

14:30.430 --> 14:32.080
I do not want to accept this.

14:34.560 --> 14:35.400
Is this clear?

14:37.110 --> 14:38.160
Any questions?

14:40.230 --> 14:42.450
Good for everybody, right?

14:42.750 --> 14:44.100
This is integrity.

14:45.330 --> 14:47.710
The other thing, there is a difference between integrity.

14:47.730 --> 14:55.020
Whenever you hear anything about MD5, whenever you hear anything about SHA,

14:56.100 --> 14:59.070
there are two algorithms that help you do this.

14:59.100 --> 15:04.440
This key, when I say it makes it go through the key, it can make it go through the key using either

15:04.470 --> 15:06.150
MD5 or SHA.

15:06.180 --> 15:10.230
These are two mechanisms for integrity, MD5 and SHA.

15:13.420 --> 15:20.770
MD5 was most widely used a long time back, but now they consider SHA, because it has a longer key, to

15:20.770 --> 15:21.220
be better.

15:21.220 --> 15:23.470
But I mean, there is a huge debate.

15:23.470 --> 15:27.370
If you go to the Internet and you try to look for it, there is a huge debate between MD5 and SHA,

15:27.670 --> 15:28.600
which one is better?

15:28.600 --> 15:35.320
But SHA is, right now, because they have different variants of SHA, they have SHA 128, SHA 256 out there,

15:35.560 --> 15:36.100
right?

15:36.100 --> 15:42.850
So it's preferred, but again, there are certain scenarios where SHA will not be supported.

15:43.480 --> 15:47.200
So that's why both of them are combined together.

15:47.200 --> 15:48.610
You can use any one of the two.

15:50.500 --> 15:55.810
Now, the good thing about IPsec is, as I said, that it's a combination of protocols.

15:55.840 --> 15:58.270
There is no hard and fast rule that you should use.

15:58.570 --> 15:59.710
You should use MD5.

15:59.920 --> 16:03.520
It's your choice when you create the tunnel, you decide.

16:05.200 --> 16:08.150
For example, I want to create a tunnel right now between Alice and Bob.

16:08.170 --> 16:13.780
I will decide, okay, for these two guys they will use let's say they will use MD5.

16:16.660 --> 16:20.020
Okay, we will see that once we create that tunnel.

16:21.010 --> 16:21.760
Is this clear?

16:21.760 --> 16:22.210
Until now?

16:23.500 --> 16:24.430
Everything good?

16:25.270 --> 16:26.590
This is integrity.

16:27.010 --> 16:29.200
The other thing IPsec provides you.

16:33.530 --> 16:37.010
Is you call it.

16:47.800 --> 16:50.380
The other thing that it provides you is.

16:58.820 --> 16:59.480
Encryption.

16:59.480 --> 17:00.530
What is encryption?

17:10.780 --> 17:12.760
Encryption, right.

17:12.760 --> 17:14.500
It's a very famous term out there.

17:15.640 --> 17:18.060
Encryption, if you want.

17:18.070 --> 17:19.730
Again, the simplest terms.

17:19.750 --> 17:21.190
Scrambling of data.

17:23.410 --> 17:25.000
Encryption is scrambling.

17:25.000 --> 17:28.700
It's different than hashing. Hashing or integrity,

17:28.740 --> 17:30.640
both mean the same.

17:31.660 --> 17:36.400
It means scrambling the data when Alice is sending a message to Bob.

17:37.510 --> 17:38.070
Right.

17:38.080 --> 17:42.430
Let's say he wants to say hello there.

17:46.460 --> 17:48.110
And this packet has integrity.

17:48.160 --> 17:49.760
Now no one can tamper it.

17:50.490 --> 17:50.650
Okay.

17:50.660 --> 17:53.450
So make sure that no one changes anything here.

17:53.900 --> 17:55.730
Otherwise the other guy will not receive it.

17:57.380 --> 18:00.410
Okay, so I send this out there again.

18:00.860 --> 18:03.110
Now, obviously, this guy, the intruder.

18:07.630 --> 18:08.770
Let's say James.

18:09.610 --> 18:15.880
Now, James, when he sees this packet, he will not change it, but he can open it and see what's inside

18:15.880 --> 18:16.330
the packet.

18:17.740 --> 18:21.700
So for example, Alice and Bob, they want to exchange credit card information.

18:21.700 --> 18:27.670
They want to exchange banking accounts, those kind of details, which nowadays we do on the Internet,

18:29.470 --> 18:29.740
right?

18:29.740 --> 18:34.090
Let's say they want to do that, but it's going through the public Internet and James is sitting there

18:34.090 --> 18:35.350
waiting for you to do that.

18:35.380 --> 18:37.630
The moment you transfer it, James will see what's inside.

18:38.170 --> 18:39.460
So what do you do?

18:40.960 --> 18:42.370
Integrity was there.

18:42.970 --> 18:46.360
What else am I going to add on top of that encryption?

18:46.480 --> 18:48.190
I'm going to encrypt this data.

18:48.220 --> 18:49.240
Using what?

18:49.960 --> 18:52.030
Using the same key which I had before.

18:52.180 --> 18:57.190
The key I used for hashing. When I say hashing, I mean integrity.

18:57.190 --> 19:00.160
I will use the terms both of them together.

19:00.160 --> 19:03.860
So hashing integrity are the same, right?

19:03.880 --> 19:10.720
So when I'm hashing from this side, using this key, the key that I used, I'll use the same key.

19:10.720 --> 19:11.440
To do what?

19:11.440 --> 19:12.190
Encryption.

19:12.190 --> 19:17.110
When I say encryption, I mean that this data will not be sent as Hello there.

19:20.530 --> 19:22.000
Let's have a look at a sample key.

19:22.030 --> 19:24.440
How a key may look like.

19:24.460 --> 19:25.900
I'm not saying it looks like this.

19:25.930 --> 19:27.700
It may look like a key.

19:27.730 --> 19:28.960
May be something like this.

19:28.990 --> 19:36.370
It may say that A is B, B is C, C is D, and so on and so forth.

19:38.350 --> 19:39.670
Maybe the key is like that.

19:39.690 --> 19:42.910
It's much more obviously complicated than that.

19:43.120 --> 19:45.640
But let's say that this is the key.

19:45.940 --> 19:47.020
So hello there.

19:47.020 --> 19:48.070
Before sending Hello there.

19:48.070 --> 19:49.810
I'm not going to send hello there out.

19:50.740 --> 19:55.240
I'm going to make it go through this key again, not for hashing this time, but for encryption.

19:55.510 --> 19:57.440
So it's going to change certain things here.

19:57.470 --> 19:59.080
H will become I.

19:59.440 --> 20:01.750
E will become F, M,

20:01.900 --> 20:09.010
M, P, U, I, F, S, F.

20:10.090 --> 20:11.560
And I'm going to send this out.

20:14.760 --> 20:21.170
So James sees what? I F M M P U I F S F.

20:21.210 --> 20:23.310
Does he understand anything out of that?

20:24.780 --> 20:26.580
Is that intelligent data?

20:28.230 --> 20:29.340
It's not right.

20:30.480 --> 20:31.350
What does he see?

20:31.380 --> 20:35.310
He sees garbage when he sees these packets going through.

20:35.340 --> 20:43.560
He sees I F M M P U I F S F, and it reaches Bob.

20:43.680 --> 20:45.780
Yes, it is available publicly.

20:46.830 --> 20:49.860
Whenever you send encrypted data, it is available publicly.

20:49.860 --> 20:51.800
But the whole point is what?

20:51.810 --> 20:57.930
That this encrypted data should not be intelligently seen by others.

20:57.930 --> 21:00.030
They should not be able to understand what it is.

21:03.090 --> 21:08.790
How will Bob understand what this is? Using what?

21:10.020 --> 21:11.280
He has the same key.

21:13.110 --> 21:14.990
Bob has the same key.

21:15.000 --> 21:16.920
So all he needs to do is use the key.

21:16.950 --> 21:18.960
He will use this key in reverse order.

21:19.560 --> 21:24.900
So for him, B becomes A, C becomes B, D becomes C. Eventually he will get to

21:24.900 --> 21:25.500
Hello.

21:29.200 --> 21:29.740
Hello there.

21:33.310 --> 21:33.600
Right.

21:33.700 --> 21:35.740
Both things are happening through the Internet.

21:37.060 --> 21:43.510
Your packets are getting encrypted, and integrity is also there, hashing is also there,

21:46.780 --> 21:52.000
so no one can see what's inside that data and no one can tamper it.

21:53.590 --> 21:55.120
Why is tampering important?

21:55.120 --> 22:00.730
Because now James cannot see what's inside, but just for the fun of it, because he wants to change

22:00.730 --> 22:03.820
certain stuff, because he wants to make sure that your company is hurt.

22:03.850 --> 22:05.620
He will add more data to it.

22:05.740 --> 22:08.720
P, F, L, M. Right.

22:09.250 --> 22:10.270
That's why integrity.

22:14.340 --> 22:18.510
If he even changes a small bit, the other side will not accept the packet.

22:18.540 --> 22:20.160
The whole point is lost.

22:22.320 --> 22:23.040
You get it?

22:24.120 --> 22:25.050
Any questions?

22:27.290 --> 22:33.200
No? This is encryption and integrity provided by IPsec.

22:34.700 --> 22:36.230
But there are certain things.

22:37.520 --> 22:43.160
Let's first see what encryption technologies are out there for you, which you can decide from.

22:45.440 --> 22:46.490
You have.

22:46.640 --> 22:48.080
You can use.

22:49.190 --> 22:53.030
There's this algorithm called DES.

22:54.770 --> 22:57.830
There's another one called 3DES.

23:00.030 --> 23:00.570
Okay.

23:00.570 --> 23:06.180
And there's another one called AES. This is 128.

23:06.240 --> 23:08.880
This is 192.

23:08.940 --> 23:10.080
This is.

23:12.380 --> 23:13.820
What they stand for.

23:13.850 --> 23:14.990
What they do.

23:15.020 --> 23:15.920
Not important.

23:15.950 --> 23:17.000
How they work.

23:17.030 --> 23:18.470
How the algorithm was created.

23:18.500 --> 23:19.330
Who created it?

23:19.340 --> 23:20.630
When did they create it?

23:21.980 --> 23:23.480
That's not your job.

23:25.130 --> 23:26.720
Understand what your job is.

23:27.560 --> 23:28.070
Right.

23:30.380 --> 23:36.350
When you go, for example, fill up a tyre at a railway station, sorry, railway station.

23:36.650 --> 23:41.120
When you go to, let's say, a gas station, you want to fill up petrol in your car.

23:42.350 --> 23:45.220
Do you ask the guy how the machine is created?

23:45.320 --> 23:47.450
Do you ask him where the tank is?

23:48.590 --> 23:48.980
No.

23:49.010 --> 23:52.670
Do you ask him how the whole thing operates, how you swipe the card?

23:52.670 --> 23:53.060
Nothing.

23:53.060 --> 23:54.440
You don't ask him anything.

23:54.440 --> 23:54.950
Why?

23:54.980 --> 23:59.900
Because you want the practical, you want the petrol, you want the gas.

23:59.900 --> 24:00.500
Right?

24:00.500 --> 24:02.330
So you pay and you get what you want.

24:02.540 --> 24:03.560
Same thing here.

24:03.560 --> 24:05.420
You don't need to know how these work.

24:06.380 --> 24:07.040
Yes.

24:07.070 --> 24:13.120
What you need to know is which one is better, right?

24:13.190 --> 24:15.020
Which one is up in the market right now?

24:15.020 --> 24:17.570
Which one has not been broken in the market right now?

24:19.850 --> 24:20.240
Right.

24:20.720 --> 24:21.800
And stuff like that.

24:21.800 --> 24:22.160
Yes.

24:22.160 --> 24:23.990
You need to know the key sizes.

24:25.850 --> 24:27.320
Why do you need to know the key sizes?

24:27.320 --> 24:29.480
Because there is a rule.

24:29.780 --> 24:37.190
The higher the key size that you're using, the stronger will be the encryption,

24:37.190 --> 24:38.690
but the slower will be your tunnel.

24:39.500 --> 24:41.000
That is understood, right?

24:41.000 --> 24:44.300
Because when I'm sending data before sending the data, I have to encrypt it.

24:44.330 --> 24:46.460
The stronger my key, the bigger my key.

24:46.490 --> 24:52.310
I'll take more time to encrypt and the other side will take more time to decrypt.

24:53.270 --> 24:57.350
So the stronger, the bigger the key, the more time it takes for encryption.

24:57.350 --> 25:02.480
That is not really the case between DES and AES, though.

25:02.510 --> 25:02.930
Why?

25:02.960 --> 25:09.230
Because when the algorithm changes, it's different. AES, advanced encryption.

25:09.230 --> 25:13.310
So when AES came through, it was a little faster, even though the key size was bigger.

25:15.790 --> 25:16.110
Okay.

25:16.210 --> 25:19.180
DES, when it was created, was a 56 bit key.

25:23.920 --> 25:24.910
56 bit key.

25:27.640 --> 25:33.100
It worked for a long time because at that time the concept of encryption was new, so no one tried to

25:33.970 --> 25:35.530
touch it or do anything to it.

25:36.370 --> 25:41.890
But eventually, you know, I mean, hackers evolved much faster than the security guys, so they

25:41.890 --> 25:43.370
found out a way to break it.

25:43.390 --> 25:47.590
It was broken the moment that happened.

25:48.280 --> 25:49.720
It was a time of panic.

25:49.750 --> 25:59.440
They created 3DES, which was nothing but DES multiplied by itself three times, in a moment of panic.

26:01.210 --> 26:04.660
So the 56 bit key becomes how much?

26:06.040 --> 26:07.330
168 bits.

26:11.960 --> 26:13.130
3DES until now.

26:13.250 --> 26:17.030
Very strong, very strong.

26:17.030 --> 26:23.230
I have not heard myself of an instance where it was broken, and it was created in a hurry.

26:23.240 --> 26:24.380
I mean, think about that.

26:26.030 --> 26:28.160
It worked for a long time, 3DES again.

26:28.160 --> 26:32.660
But then later they realized that since then they sat down.

26:32.660 --> 26:38.480
I mean, they created a conference, sat down for a long time, devised a new mechanism for encryption

26:38.480 --> 26:45.920
that was AES, advanced encryption system, which does what? It has different keys.

26:45.920 --> 26:52.250
But the question is, does that mean the 168 bits of 3DES is better than the 128?

26:52.820 --> 26:54.620
You cannot compare them together.

26:55.880 --> 26:59.360
It's like comparing cricket and football, right?

26:59.450 --> 27:01.990
You cannot compare Sachin Tendulkar to Lionel Messi.

27:01.990 --> 27:03.350
You can do that.

27:04.340 --> 27:05.300
It's the same thing here.

27:05.300 --> 27:06.280
3DES and AES.

27:06.320 --> 27:08.510
There are two different algorithms that they use.

27:10.950 --> 27:18.780
Right. AES is obviously, right now in the market, most widely used since it came into play.

27:21.920 --> 27:22.310
Okay.

27:22.310 --> 27:28.910
So depending upon again, when you're creating a tunnel through your company, depending upon your company

27:28.940 --> 27:34.070
load, the total amount of traffic going through the tunnel, the encryption mechanism that you're going

27:34.070 --> 27:36.470
to be using is not going to be hard and fast.

27:36.470 --> 27:45.050
Only once you have more load in your company, you will use a lesser encryption system, AES 128. If your

27:45.050 --> 27:50.660
traffic is not that much, you'll use AES 256. That is based on real life scenarios.

27:50.660 --> 27:51.800
Experimentation.

27:51.800 --> 27:52.880
Okay, this works best.

27:52.880 --> 27:55.070
This gives me the best speed plus encryption.

27:55.070 --> 27:56.150
Let's use that.

27:58.700 --> 27:58.990
Okay.

28:01.370 --> 28:03.470
Got any questions with encryption?

28:06.090 --> 28:06.390
No.

28:12.370 --> 28:13.260
What are you saying?

28:13.270 --> 28:14.190
People are asking?

28:16.240 --> 28:21.790
It's not actually the same key for hashing and encryption.

28:21.790 --> 28:26.980
You will not always use the same key, but we call this something as keying material.

28:29.020 --> 28:30.910
You use the same keying material.

28:30.910 --> 28:32.280
When I say keying material.

28:32.290 --> 28:33.760
Now, see, this is important.

28:34.630 --> 28:39.430
When I say keying material, this keying material is usually 1024 bits.

28:45.530 --> 28:46.370
Concentrate here.

28:46.370 --> 28:46.730
Yeah.

28:48.050 --> 28:50.570
Both of them will have the same keying material.

28:51.830 --> 28:55.280
Think about keying material as a big box of chocolates.

28:56.480 --> 29:01.370
Both of them have the same amount of chocolates, the same size, the same number of chocolates on both

29:01.370 --> 29:01.820
ends.

29:03.290 --> 29:03.800
Okay.

29:03.830 --> 29:10.730
What they want to do is, from this whole bit, they will take out a chunk, and this guy will take out

29:10.730 --> 29:13.520
a chunk of, let's say, 128.

29:13.520 --> 29:20.900
You want to use 128? So they will take out 128 bit chunks, use that for encryption. For MD5,

29:20.930 --> 29:27.920
they will take out more chunks, use that for hashing and MD5, from the same keying material.

29:30.470 --> 29:30.740
Right.

29:30.740 --> 29:38.600
So from the 1024 bits, you will create small chunks of keys that you will use later.

29:39.110 --> 29:40.340
I'll explain how this is done.

29:40.340 --> 29:44.210
This is the most important part of the exchange.

29:44.210 --> 29:48.310
The whole point of IPsec will be this.

29:48.320 --> 29:50.990
But before we get there, just keep this in mind though.

29:51.530 --> 29:54.940
Keying material is not just one key that is transferred.

29:54.950 --> 29:55.970
It's material.

29:56.300 --> 29:57.440
It's a keying material.

29:58.100 --> 29:58.640
Right?

30:01.710 --> 30:03.120
Encryption is provided.

30:03.120 --> 30:04.740
Integrity is provided.

30:04.800 --> 30:05.760
Also.

30:09.670 --> 30:11.290
Authentication is provided.

30:16.660 --> 30:22.270
There are two types of authentication, PSK and PKI.

30:24.340 --> 30:25.630
What is authentication?

30:26.770 --> 30:28.330
How do you say something is authentic?

30:33.870 --> 30:38.760
Eventually, if you buy Twitter, who uses Twitter here?

30:39.540 --> 30:43.470
Does anyone use Twitter here on Twitter or Facebook even?

30:43.620 --> 30:46.110
There are, let's say, 1000 accounts.

30:46.140 --> 30:53.500
Let's say any actor out there, choose anyone, and there will be 1000 accounts of that guy.

30:53.520 --> 30:54.330
Let's say Ronaldo.

30:55.200 --> 30:56.220
Cristiano Ronaldo.

30:56.250 --> 31:01.680
1000 people have created 1000 Cristiano Ronaldo accounts because they are fans and they want to get

31:01.680 --> 31:02.490
more likes.

31:03.240 --> 31:03.510
Right.

31:03.510 --> 31:05.610
And, you know, they create those pages.

31:05.610 --> 31:06.900
You see that out there?

31:07.200 --> 31:12.930
Out of those pages, how do you know the one which is the actual one, you will see that there will

31:12.930 --> 31:16.050
be a verified blue tick with their name.

31:17.550 --> 31:20.760
It happens. Let me see if I have internet.

31:20.760 --> 31:22.970
I think for any.

31:24.660 --> 31:25.500
Even on the pages.

31:25.500 --> 31:26.190
Yes.

31:41.850 --> 31:42.960
This is a page, right?

31:49.590 --> 31:51.300
This is not verified.

31:52.950 --> 31:53.580
Or is it?

31:55.790 --> 31:56.570
On the verified.

31:56.570 --> 31:58.970
You'll see a tick mark here.

31:58.970 --> 31:59.600
I don't.

32:05.470 --> 32:07.900
See there are many Team Messi.

32:08.320 --> 32:12.330
Lionel Messi de Messi.

32:12.340 --> 32:12.910
You see what?

32:16.040 --> 32:17.120
It's a verified account.

32:17.120 --> 32:25.220
So this is some guy who just created an account named Lionel Messi, and he started tweeting about it.

32:25.490 --> 32:28.370
Then there's another one, which is actually from the team.

32:29.630 --> 32:33.410
Team Messi with the blue Tick, which says it is verified.

32:33.410 --> 32:35.870
So when you see this account, you see this is authentic.

32:37.280 --> 32:38.150
It has a blue tick.

32:38.180 --> 32:39.050
It is authentic.

32:39.050 --> 32:40.940
I know that this is the actual guy.

32:42.410 --> 32:45.230
So tomorrow when you have to tweet, you will tweet to this guy.

32:47.210 --> 32:47.660
Correct.

32:47.690 --> 32:50.690
This is, again, authenticity.

32:50.720 --> 32:53.930
The same concept comes here in Alice and Bob.

32:54.590 --> 32:59.120
When Alice and Bob are talking, how does Alice know that he's actually talking to Bob?

33:01.640 --> 33:06.950
When I'm trying to create a tunnel with someone, I am going through the public internet.

33:06.980 --> 33:08.600
I'm sending my traffic out.

33:09.380 --> 33:09.710
I know.

33:09.710 --> 33:11.810
I'm sending it to the Bob's address.

33:12.050 --> 33:12.530
Right.

33:12.530 --> 33:17.480
But there may be another guy here who gets that first packet.

33:17.570 --> 33:20.510
Once he gets that first packet, he can send another.

33:20.540 --> 33:25.640
The other negotiations will be between me and him, and I could create the tunnel with him.

33:27.500 --> 33:31.190
I would think I'm doing it with Bob, but I'm actually doing it with someone else.

33:33.650 --> 33:34.160
Correct.

33:34.340 --> 33:35.780
How do I make sure that doesn't happen?

33:35.780 --> 33:37.610
I want to do something for authentication.

33:38.000 --> 33:41.420
I want to authenticate that I am actually creating the tunnel.

33:41.420 --> 33:41.900
With whom?

33:42.740 --> 33:47.830
With Bob, I'm actually doing it with Bob.

33:47.840 --> 33:48.950
How do I do that?

33:49.130 --> 33:50.030
Two ways.

33:50.330 --> 33:52.190
PSK and PKI.

33:53.690 --> 33:55.430
PSK is pre-shared key.

33:58.980 --> 33:59.790
Pre-shared key.

34:02.280 --> 34:09.570
It's a little different than how I will here have a key installed.

34:09.600 --> 34:17.460
Let's say I'll have Cisco here as a key on the other side also, because these are two sites which belong

34:17.490 --> 34:17.790
to me.

34:17.790 --> 34:19.440
I'm the one who's configuring the tunnel.

34:19.770 --> 34:22.020
I'll go to the other side and also have a pre-shared key.

34:22.050 --> 34:30.900
Not as simple as Cisco, obviously, but it's like a code word, right?

34:30.930 --> 34:35.220
Say, like they show in the movies, when someone is buying drugs, what do you do?

34:35.220 --> 34:37.170
Or maybe doing a nuclear deal?

34:37.170 --> 34:37.830
What do you do?

34:37.860 --> 34:41.670
You call and you have a passcode, right?

34:41.670 --> 34:42.990
So you say that password.

34:42.990 --> 34:46.380
The other guy knows that you are the guy who he wants to sell the drugs to.

34:47.580 --> 34:50.250
The same concept is here, right?

34:50.250 --> 34:57.300
When I'm creating a tunnel with Alice, eventually I'm exchanging certain parameters right through the

34:57.300 --> 34:58.090
exchange.

34:58.090 --> 35:01.390
There will come a point where I'll ask him, Hey, what is your key?

35:03.250 --> 35:07.450
Throughout the exchange, there'll be a point where I'll ask him, What is your key?

35:08.500 --> 35:11.950
The guy will reply, it's Cisco. I will send out:

35:11.950 --> 35:13.150
My key is Cisco.

35:13.180 --> 35:14.410
They should match.

35:15.820 --> 35:19.570
If Cisco and Cisco don't match, the exchange will be stopped right there.

35:20.860 --> 35:22.030
Authenticity.

35:25.490 --> 35:26.390
Do you understand?

35:27.680 --> 35:28.790
Any questions?

35:31.070 --> 35:36.200
Are you sure that you understand the right.

35:39.980 --> 35:43.820
It will be sent, not shared. It will be sent for authentication.

35:43.820 --> 35:51.410
So once the exchange is taking place, in the middle, Alice will send his Cisco along to Bob.

35:52.100 --> 35:54.350
When Bob sees Cisco, he'll match it with his own.

35:55.010 --> 35:55.580
He'll see it.

35:55.600 --> 35:56.000
Cisco.

35:56.000 --> 35:58.460
So for Bob, Alice is authenticated.

35:58.490 --> 36:01.350
Then Bob needs to authenticate himself, so he'll send his own.

36:01.430 --> 36:08.450
Bob's key of Cisco, he sends it to the other guy. When Alice receives it, Alice knows that Bob is verified

36:10.130 --> 36:11.540
or Bob is authenticated.

36:13.870 --> 36:14.710
Any questions?

36:17.610 --> 36:21.570
No, clear completely.

36:23.040 --> 36:25.920
The other one is called PKI.

36:25.950 --> 36:31.320
Now, we will not go into the details of PKI because you have a full VPN dedicated for PKI.

36:31.770 --> 36:32.370
Right.

36:32.370 --> 36:38.600
But I will still give you a faint idea. You see this verified account which I showed you.

36:38.610 --> 36:40.260
How do you think it got verified?

36:42.660 --> 36:43.710
Let's say this was Leo.

36:47.650 --> 36:53.020
Let's say this was Leo Messi and this is me.

36:54.340 --> 37:01.510
Okay, so I'm sitting here and Leo Messi needs to make sure that his Twitter account is verified.

37:02.410 --> 37:03.460
What does he do?

37:03.490 --> 37:06.610
He takes his account, goes to.

37:12.500 --> 37:12.920
Twitter

37:15.620 --> 37:18.830
authority, people who manage Twitter.

37:20.630 --> 37:23.420
He goes to them, tells them, listen, I'm Leo Messi.

37:24.530 --> 37:25.730
They ask him for proof.

37:25.970 --> 37:29.180
He needs to prove himself to this Twitter's guy.

37:29.230 --> 37:31.070
Twitter guys, these guys.

37:31.070 --> 37:36.050
So he goes there, shows himself, his card, his face, obviously.

37:36.050 --> 37:37.640
I mean, they see him, they know it's Messi.

37:37.640 --> 37:39.830
So he goes there and does everything.

37:39.830 --> 37:44.750
And then once they do that, they ask him for the username and password, username obviously, and they

37:44.750 --> 37:45.920
verify his account.

37:48.630 --> 37:48.990
Right.

37:48.990 --> 37:52.800
So tomorrow when Alice needs to create a connection with him.

37:52.980 --> 37:57.420
Leo Messi does not send out the key, does not have a key.

37:57.450 --> 38:01.020
In this case, he will send out his verified status.

38:01.050 --> 38:06.300
We call this IC, identity card, on which it will be verified.

38:06.330 --> 38:06.660
Okay.

38:06.660 --> 38:08.190
You have been verified by Twitter.

38:08.880 --> 38:11.730
So once I see it, why will I believe it?

38:15.480 --> 38:17.580
I will believe it because I believe Twitter.

38:19.410 --> 38:21.450
This is a global authority.

38:24.010 --> 38:30.850
If it verifies anybody, that means it's valid, right?

38:32.560 --> 38:35.160
If Twitter verifies Messi, I don't need to question it.

38:35.170 --> 38:35.350
Why?

38:35.380 --> 38:37.090
Because I know that Twitter verified it.

38:38.110 --> 38:44.080
The same concept comes into play in PKI, public key infrastructure.

38:45.100 --> 38:51.700
How? In this case, what Bob is going to do: you won't have a Twitter authority here, obviously.

38:51.700 --> 38:56.260
You'll have something known as CA, certificate authority.

38:58.600 --> 38:59.020
Right.

38:59.020 --> 39:08.680
And what Bob will do is he will go to the CA and get an IC, identity card.

39:10.760 --> 39:14.730
See the details of which we will have to do.

39:14.750 --> 39:16.760
Obviously, that's in your course.

39:16.970 --> 39:18.800
Full details of what's inside that.

39:18.800 --> 39:19.180
IC.

39:19.190 --> 39:20.260
And how does he get that?

39:20.270 --> 39:20.710
IC.

39:20.750 --> 39:26.300
But for us, for now, he gets an IC from the certificate authority.

39:26.330 --> 39:29.270
The certificate authority out there is valid.

39:29.270 --> 39:30.350
Everybody knows it.

39:31.430 --> 39:34.490
So if he authorizes someone, that means he's authorized.

39:36.860 --> 39:37.250
Right.

39:37.250 --> 39:40.430
Same way Alice will go up there and get his.

39:42.650 --> 39:42.980
IC.

39:44.120 --> 39:52.880
Now, when they're creating tunnels, all they need to do is what? Exchange ICs, you might say.

39:52.880 --> 39:54.110
What about the intruder?

39:54.230 --> 39:58.000
Can he get the IC? For the intruder to get the IC,

39:58.010 --> 40:05.330
He has to go to the certificate authority, prove himself to be a part of my company, which is not

40:05.330 --> 40:11.600
quite as simple as it seems. He has to go there and prove that he's part of me, part of my company.

40:11.600 --> 40:16.850
So he goes there with documents which he doesn't have, so he'll never get that key, which I have.

40:16.880 --> 40:17.720
He will never get that.

40:17.720 --> 40:18.260
I see that.

40:18.260 --> 40:20.810
I got it.

40:21.110 --> 40:21.290
Yeah.

40:23.120 --> 40:23.360
Okay.

40:23.360 --> 40:25.640
We'll do it in more details of how it works.

40:25.640 --> 40:31.730
I just want you to have an overview of how an IC works.

40:33.380 --> 40:35.160
Okay, Let.

40:38.280 --> 40:39.600
It's a certificate.

40:39.630 --> 40:41.100
It's a certificate with the key.

40:42.510 --> 40:43.410
It's a certificate with the key.

40:43.440 --> 40:44.400
I'll explain on that.

40:45.360 --> 40:45.840
Okay.

40:45.840 --> 40:49.110
Now we come to the last part of our IPsec suite.

40:49.140 --> 40:50.730
For now, this is the last part.

40:50.760 --> 40:57.750
We never know what's going to happen further, but for now, out of all this exchange, there is something

40:57.750 --> 41:01.980
which never changed and which was the most important part of this whole thing.

41:02.430 --> 41:03.480
What was that?

41:06.890 --> 41:08.000
This right here.

41:11.360 --> 41:14.360
When I told you encryption, I said it will happen through a key.

41:14.900 --> 41:22.550
When I said authenticity or the key that doesn't use this key, but it has a certain different kind

41:22.550 --> 41:24.440
of key, right?

41:24.470 --> 41:26.480
Then I talked about hashing.

41:27.260 --> 41:28.790
I said hashing will use a key.

41:30.500 --> 41:36.050
The problem with the whole concept is how will both of them have the same?

41:36.860 --> 41:38.150
Since the communication.

41:38.150 --> 41:39.890
All of the communication is where?

41:40.550 --> 41:41.870
Across the internet.

41:42.560 --> 41:47.030
What if when I'm sending him the key across the tunnel?

41:47.510 --> 41:49.730
What if someone snatches this?

41:52.160 --> 41:53.120
I'm done, right?

41:53.510 --> 41:57.220
Wherever I'm sending from then to Bob.

41:57.230 --> 42:02.960
If James is sitting here and he has the same key, doesn't matter how much I encrypt, it doesn't matter

42:02.960 --> 42:09.060
which algorithm I use, he will understand what I'm trying to send.

42:09.840 --> 42:20.070
Is there a way to exchange this key over the internet without James getting it?

42:24.240 --> 42:25.740
Centralized solution for.

42:27.860 --> 42:28.850
For issuing the keys.

42:28.850 --> 42:29.600
That's PKI.

42:29.870 --> 42:32.270
That's the one for ICs.

42:32.300 --> 42:33.620
That's for authentication.

42:34.370 --> 42:38.060
This key, the problem is that for encryption, it will be used always.

42:38.270 --> 42:39.890
That is one challenge.

42:39.920 --> 42:44.090
The other challenge that you guys have is the data.

42:45.140 --> 42:46.670
When you're sending data.

42:47.420 --> 42:48.050
Right.

42:48.140 --> 42:53.120
What hackers will do is they will collect a lot of data.

42:54.260 --> 42:55.910
Why would they collect a lot of data?

42:55.940 --> 43:01.340
Because then if they have a lot of data, they have a lot of sample size to test to try to break down

43:01.340 --> 43:01.700
the key.

43:03.770 --> 43:04.880
For example, you have a sentence.

43:04.880 --> 43:05.540
Hello there.

43:06.260 --> 43:06.830
Right.

43:06.830 --> 43:10.700
Your E is not E, it's F, right.

43:10.850 --> 43:16.760
When you have a big sentence, let's say, for example, he has a full one GB of data for you.

43:16.760 --> 43:18.440
There might be a word, say elephant.

43:20.120 --> 43:20.420
Right.

43:20.450 --> 43:21.410
E is repeated twice.

43:21.410 --> 43:22.730
He'll see F twice.

43:23.150 --> 43:24.680
He'll know that it's a vowel.

43:24.950 --> 43:28.680
There's different ways that he can try to figure out your key.

43:30.510 --> 43:35.190
Obviously with 56 bits or 128 bits, it's not as easy.

43:35.370 --> 43:39.750
But they can run it through different algorithms to find out what the key is.

43:39.870 --> 43:42.120
If they have big data sizes available.

43:42.120 --> 43:48.390
So we need to find out a way that not a lot of data goes through the tunnel, which is a big challenge

43:48.390 --> 43:52.500
because all your data should go through the tunnel, right?

43:52.530 --> 43:55.410
That's one challenge that we need to look into.

43:55.440 --> 44:01.890
Not a lot of data should go to the hacker or the attacker, for James to be able to find the key, and

44:01.890 --> 44:04.800
to exchange this key without James finding out what the key is.

44:07.970 --> 44:08.450
Okay.

44:08.630 --> 44:09.680
How do we do it?

44:11.810 --> 44:12.980
There are two ways.

44:14.180 --> 44:15.800
There are two ways of doing it.

44:16.340 --> 44:17.690
One is called RSA.

44:19.280 --> 44:21.650
That is a public and a private key.

44:22.040 --> 44:23.750
The other is Diffie-Hellman.

44:25.340 --> 44:27.810
What we are going to be doing here is Diffie-Hellman.

44:27.840 --> 44:29.990
Now, first I'll show you what RSA is.

44:31.370 --> 44:32.900
IPsec uses Diffie-Hellman.

44:33.200 --> 44:36.530
But before we get there, I'm talking about key exchange.

44:37.010 --> 44:40.130
Let me explain the two kinds of key exchanges out there.

44:40.700 --> 44:45.560
The fourth is key exchange.

44:46.280 --> 44:48.680
This would be your climax of the movie.

44:49.160 --> 44:52.580
The most important part of the exchange is the key exchange.

44:54.050 --> 44:54.590
Okay.

44:55.370 --> 44:56.330
Let's have a look at.

44:56.330 --> 45:00.140
There are two different kinds of key exchanges that can take place between Alice and Bob.

45:00.740 --> 45:04.820
One is called asymmetric.

45:07.950 --> 45:08.820
The other is.

45:12.460 --> 45:14.050
Does anybody know the difference?

45:17.080 --> 45:22.810
It's the same keys if you use the same key from one side.

45:23.260 --> 45:29.350
Let's say, Alice, the data when it goes through, Alice has the same key.

45:29.560 --> 45:31.710
It uses the same key to encrypt the data.

45:32.230 --> 45:33.880
Send it to the other side.

45:35.530 --> 45:40.060
Bob uses the same key to decrypt the data to get the result.

45:42.490 --> 45:44.740
Okay, so same key on both sides.

45:44.770 --> 45:46.600
This process is faster.

45:48.010 --> 45:53.660
It's faster, but not as secure as asymmetrical.

45:53.880 --> 45:54.460
Asymmetrical.

45:54.490 --> 45:55.840
Have you used it before

46:01.000 --> 46:01.660
in CCNA?

46:01.690 --> 46:02.380
You've used it.

46:04.630 --> 46:05.140
SSH.

46:05.170 --> 46:05.950
Do you remember?

46:07.270 --> 46:08.680
What does it do?

46:08.710 --> 46:10.150
What is asymmetrical keys?

46:10.180 --> 46:12.430
Asymmetrical keys is a set of keys.

46:12.850 --> 46:16.520
Is a set of public and private keys.

46:17.300 --> 46:18.080
It's a pair.

46:18.950 --> 46:19.580
A pair of keys.

46:19.580 --> 46:23.510
So you'll have a public and a.

46:27.100 --> 46:30.130
I'm talking about SSH, a public and a private key.

46:30.460 --> 46:36.730
So when the client you are the client, you try to create the connection with Alice.

46:36.760 --> 46:40.180
Alice asks you for your username and password.

46:40.180 --> 46:47.020
When your username and password is correct, he will send out what? He will send out his public key.

46:50.070 --> 46:50.380
For you.

46:50.710 --> 46:51.870
This is also known as RSA.

46:54.450 --> 46:56.670
He would send out his public key to you.

46:57.510 --> 47:03.870
Now, this public key and the set of keys are usually of the size 1024.

47:03.900 --> 47:08.970
Generally speaking, it can be small also, but generally you keep it around 1024 bits.

47:10.140 --> 47:12.300
Imagine AES is how much?

47:12.930 --> 47:13.920
128.

47:15.030 --> 47:16.770
This is 1024.

47:17.340 --> 47:23.520
Once you receive the public key, what Bob is going to do is whatever data now Bob is going to send,

47:25.020 --> 47:30.420
he's going to send it through what, encrypted using the public key.

47:32.790 --> 47:34.240
1024-bit encryption.

47:34.260 --> 47:44.220
Imagine that the only one person in the entire world who can break this 1024 key is Alice.

47:47.240 --> 47:47.980
It's Alice.

47:48.320 --> 47:49.170
No one else.

47:49.190 --> 47:49.700
Why?

47:49.730 --> 47:58.010
Because Alice is the only one who has the other half of the key in a set of private and public keys.

47:58.010 --> 48:02.090
Whatever is encrypted by the private gets decrypted by the public.

48:02.120 --> 48:06.050
Whatever is encrypted by the public gets decrypted by the.

48:07.370 --> 48:09.170
This is encrypted by the public.

48:09.200 --> 48:11.840
The only person in the world who can decrypt it is who.

48:12.650 --> 48:13.400
Alice.

48:18.220 --> 48:19.900
That would.

48:30.150 --> 48:38.310
This was in the case of SSH, but what you could also do is both Alice and Bob have a set of keys, a public

48:38.310 --> 48:40.830
and a private, two separate keys.

48:41.280 --> 48:43.650
They're not linked together at all.

48:43.680 --> 48:46.740
What they would do is they would exchange which parts?

48:47.040 --> 48:48.060
The public.

48:55.450 --> 48:59.430
So Alice would send her public across.

48:59.440 --> 49:03.550
Bob would send his across.

49:09.010 --> 49:13.930
To the other side. Right, now, when Alice needs to send anything to Bob,

49:13.960 --> 49:16.330
it will encrypt it using which key?

49:18.190 --> 49:19.270
Bob's public key.

49:20.110 --> 49:21.230
Then I'm sending it to Bob.

49:21.250 --> 49:24.400
I will encrypt using Bob's public key and send it to Bob.

49:24.400 --> 49:26.710
And Bob will be the only one who will be able to decrypt it.

49:26.710 --> 49:29.800
But when Bob sends me the message, how is he going to do it?

49:30.730 --> 49:32.430
He's going to use Alice's key.

49:32.440 --> 49:38.050
When he sends it to Alice, he's going to use Alice's green key to encrypt the data, and the only person

49:38.290 --> 49:40.120
is Alice who can decrypt it.

49:41.110 --> 49:42.730
Asymmetrical key.

49:43.450 --> 49:44.980
Very, very secure.

49:46.210 --> 49:47.380
Very secure.

49:48.790 --> 49:50.020
Let me show you a video.

50:02.040 --> 50:03.270
At the time of encryption?

50:03.270 --> 50:03.650
Yes.

50:03.660 --> 50:04.620
Before encryption.

50:05.100 --> 50:05.960
Before encryption.

50:05.970 --> 50:08.090
It's not used right now in IPsec.

50:08.100 --> 50:09.480
It's not used much.

50:09.600 --> 50:11.160
It's more used in SSL VPN.

50:12.210 --> 50:14.130
Okay, let me show you this.

50:15.810 --> 50:18.690
If this is what I think it is,

50:23.820 --> 50:24.960
I think this is it.

50:26.610 --> 50:28.020
Hundreds or thousands of.

50:29.310 --> 50:31.500
She invented to specific domains.

50:31.740 --> 50:34.170
And what if you can spread that over a team or even.

50:35.360 --> 50:40.250
All with centralized control and we're managing it with a simple as a yes or a no.

50:40.280 --> 50:44.870
How long does it take to break an asymmetrical key?

50:46.250 --> 50:48.350
This is 2048 bit key.

50:58.250 --> 50:58.730
Can you see?

51:15.170 --> 51:18.590
Go back to the dawn of time when everything was created.

51:20.360 --> 51:26.200
Time spent calculating. How many years is this calculating?

51:26.390 --> 51:30.590
Trying to crack a key, saying how much time it will take to crack this key.

51:39.400 --> 51:41.160
Check out the years increasing.

51:47.090 --> 51:49.520
After over 13 billion years.

51:54.690 --> 51:55.920
You're only this close.

51:56.310 --> 51:56.790
Yeah.

51:56.790 --> 52:05.020
1 in 4000 600,000 chances of getting it right after 13 billion years.

52:05.040 --> 52:09.420
So imagine how secure this symmetrical keying mechanism is.

52:09.690 --> 52:12.840
Asymmetrical between Alice and Bob.

52:26.630 --> 52:27.010
Right.

52:28.430 --> 52:37.580
The keying that you're exchanging public and private, whoever gets the public to get to the private

52:37.640 --> 52:39.380
will take him 13 billion years.

52:40.100 --> 52:42.440
The question is, do we use it in IPsec or not?

52:42.770 --> 52:44.510
We do not use it in IPsec.

52:45.050 --> 52:45.800
Why?

52:48.480 --> 52:48.670
I.

52:48.870 --> 52:49.460
Yes.

52:49.470 --> 52:58.260
It's a 1024-bit key, or 2048 in terms of the one which I just showed you. To encrypt data on that

52:58.260 --> 53:01.860
level will take a lot of processing power on Alice.

53:02.160 --> 53:05.070
And plus he has to do two different things.

53:05.100 --> 53:08.520
He has to make two different decisions for traffic coming in.

53:08.820 --> 53:12.210
He will decrypt it using his private for traffic going out.

53:12.210 --> 53:14.460
He will encrypt it using the other guy's public.

53:14.940 --> 53:16.290
So two different decisions.

53:16.290 --> 53:22.290
First, then the key size is so huge that it will take him a lot of time to encrypt and decrypt.

53:22.440 --> 53:26.010
So although it is a good solution, it will make your tunnel very, very slow.

53:28.290 --> 53:28.800
Right?

53:29.640 --> 53:37.590
So to do that, our main basic principle is, at the end, we need to find an exchange so that Bob

53:37.590 --> 53:41.220
and Alice eventually have the same key on both sides.

53:41.220 --> 53:45.270
We will use asymmetric key to get symmetric key.

53:47.540 --> 53:57.260
So we use the mechanism of asymmetric keys only to get the end result, which will be a symmetric key.

53:57.950 --> 53:59.810
When I say a key, it will not be a key.

53:59.840 --> 54:00.740
It will be what?

54:03.820 --> 54:04.780
Keying material.

54:06.010 --> 54:11.710
A big chunk of keys on both ends, which are exactly identical to each other.

54:14.160 --> 54:14.700
Okay.

54:14.730 --> 54:15.990
It will be symmetrical.

54:15.990 --> 54:18.270
When I say symmetrical, it will not.

54:18.300 --> 54:19.920
Alice will not have to think a lot.

54:19.950 --> 54:23.190
Whatever traffic is coming in will use the same key to encrypt it.

54:23.490 --> 54:24.960
It will go to the other side.

54:24.990 --> 54:26.230
Bob will have only one key.

54:26.230 --> 54:27.960
It will use the same key to decrypt it.

54:31.230 --> 54:31.640
Okay.

54:31.650 --> 54:32.420
Symmetrical.

54:33.780 --> 54:35.310
How do you do this?

54:36.420 --> 54:38.980
We do it by using Diffie-Hellman.

54:39.630 --> 54:40.590
Two guys.

54:40.920 --> 54:44.550
This way of key exchange was devised in 1970s.

54:45.420 --> 54:46.110
Since then?

54:46.110 --> 54:47.070
Until now.

54:47.160 --> 54:47.880
Since then.

54:47.880 --> 54:50.490
Until now, they have not been able to break it.

54:51.690 --> 54:59.730
It is so strong that very recently they devised a newer algorithm, which is called ECDSA.

54:59.940 --> 55:05.370
Elliptic curve DH, where they actually reduce the size of the key.

55:08.070 --> 55:09.480
Because it was so strong.

55:09.480 --> 55:12.730
It was not broken for 40 years almost.

55:12.750 --> 55:17.640
So what they said was, since it's not broken, why don't we just try and reduce it a little?

55:20.270 --> 55:20.870
That's wrong.

55:23.150 --> 55:24.990
Okay, think about it this way.

55:25.010 --> 55:27.650
You get a little concept out of this.

55:27.680 --> 55:28.880
Think about it this way.

55:29.510 --> 55:32.420
Have you ever seen those locks?

55:35.630 --> 55:39.490
000 unboxes.

55:40.070 --> 55:40.610
Right.

55:41.450 --> 55:44.900
You put your luggage in, you lock it, and you put a number on top of it.

55:45.440 --> 55:45.880
Right.

55:45.890 --> 55:48.200
If you want to open this combination.

55:48.230 --> 55:49.880
How long do you think it will take you?

55:50.390 --> 55:51.980
You will try different combinations.

55:51.980 --> 55:56.870
You will try 001, 002, 3, 4, 5, 6, 7, 8, 9.

55:57.110 --> 55:59.780
You will try different combinations eventually.

56:00.050 --> 56:03.200
Eventually, let's say give or take one hour.

56:03.230 --> 56:05.480
You might be able to solve it and get it out.

56:07.360 --> 56:07.450
Right.

56:07.550 --> 56:08.630
This is three bits.

56:09.350 --> 56:11.750
What happens if you increase one more bit?

56:12.860 --> 56:14.000
How long does it take you?

56:14.030 --> 56:15.380
Does it take you two hours?

56:17.360 --> 56:18.890
It will not take you two hours.

56:19.370 --> 56:21.230
It will take you 24 hours to do it.

56:22.610 --> 56:27.500
Now an extra bit one extra bit doesn't double your time.

56:27.500 --> 56:29.000
It's exponential.

56:31.610 --> 56:32.450
It's exponential.

56:32.450 --> 56:32.840
Why?

56:32.870 --> 56:36.150
Because now you have much more combinations than before.

56:36.540 --> 56:38.190
Add another bit to this.

56:39.270 --> 56:41.010
It becomes quite impossible to solve.

56:42.960 --> 56:46.040
Putting the lock is easy for you.

56:46.040 --> 56:47.270
You choose one, two, three, four, five.

56:47.280 --> 56:48.780
It's locked. To open

56:48.780 --> 56:49.860
the lock is difficult.

56:52.490 --> 56:54.170
To open, it becomes more difficult.

56:54.530 --> 56:56.630
That's the same concept it works on.

56:58.790 --> 57:01.490
If you don't know the combination, you will not be able to open it.

57:01.940 --> 57:06.140
Right now, imagine it uses 128-bit keys.

57:06.260 --> 57:09.290
Imagine how difficult it will be to solve that.

57:11.910 --> 57:15.420
The final exchange is usually around 1024-bit keys.

57:15.810 --> 57:20.520
Eventually you use 128. Even that, 128, is so difficult.

57:20.670 --> 57:25.830
Imagine which uses 1024, 1536-bit keys.

57:25.860 --> 57:27.960
768-bit keys.

57:27.990 --> 57:29.070
Quite difficult.

57:30.990 --> 57:32.100
How does it work?

57:33.600 --> 57:35.250
Have you ever mixed paint?

57:36.780 --> 57:38.280
Have you ever mixed two colors?

57:39.090 --> 57:40.680
I don't think this pen does it.

57:41.070 --> 57:43.650
It will just write on top of the other one.

57:43.680 --> 57:44.630
Let me just try.

57:49.580 --> 57:50.210
It does a little.

57:57.990 --> 57:58.810
It's the wrong button.

58:01.930 --> 58:02.650
Alice?

58:03.550 --> 58:04.000
Bob.

58:05.440 --> 58:06.340
James.

58:14.940 --> 58:20.490
If let's say this is green with green, I mix red.

58:25.990 --> 58:26.360
Right.

58:26.410 --> 58:31.120
When you mix two colors together, let's say green and red, right?

58:31.150 --> 58:33.160
Now, green is not exactly green.

58:34.810 --> 58:37.180
Green has many different variations.

58:38.250 --> 58:38.360
Right.

58:38.380 --> 58:39.970
There could be a little bit of white in there.

58:39.970 --> 58:41.610
There could be a little bit of blue in there.

58:41.620 --> 58:45.610
But you have certain variety of, let's say, bottle green here.

58:46.510 --> 58:47.950
You have dark red here.

58:49.510 --> 58:51.310
You mix them together, you get brown.

58:52.420 --> 58:59.710
Is it possible from that brown to get the exact quantity of green and red that you use?

59:00.670 --> 59:01.840
It's very difficult.

59:02.470 --> 59:05.470
Once you mix the colors, how will you separate them?

59:07.300 --> 59:07.720
Can't.

59:10.000 --> 59:10.840
Can separate.

59:10.840 --> 59:15.640
If you have a mixture of colors, you cannot get the original colors out of them because there are thousands

59:15.640 --> 59:20.800
of different calculations; you would need thousands of different ways.

59:20.800 --> 59:25.780
You would need to find out which was the exact quantity of red and green that was used to create this

59:25.780 --> 59:26.110
color.

59:27.460 --> 59:27.910
Correct.

59:27.910 --> 59:30.060
That is the same concept uses.

59:30.640 --> 59:36.130
Check this out and concentrate here, because this is very important what Alice and Bob do.

59:36.820 --> 59:39.340
Let's say Bob is the initiator of the connection.

59:39.790 --> 59:43.780
What Bob will do is it will choose a color, let's say yellow.

59:46.710 --> 59:47.580
As the public key.

59:52.880 --> 59:54.530
Both of them, Alice and Bob.

59:54.530 --> 59:56.390
Both of them will use this public key.

59:57.860 --> 59:59.820
This is not a pair of keys.

59:59.840 --> 1:00:01.010
This is just one key.

1:00:01.250 --> 1:00:03.050
It's not a public and a private key.

1:00:03.080 --> 1:00:07.040
They just choose on one color to use as public key by both of them.

1:00:07.370 --> 1:00:09.110
They will not use it anywhere else.

1:00:10.880 --> 1:00:11.320
Okay.

1:00:11.330 --> 1:00:14.050
Both of them have a private key.

1:00:14.060 --> 1:00:16.250
Let's say Alice has Blue.

1:00:18.760 --> 1:00:22.130
Let's say Bob has red as a private key.

1:00:22.150 --> 1:00:23.530
This private key is important.

1:00:25.480 --> 1:00:26.860
Keep your concentration right.

1:00:27.580 --> 1:00:29.950
Both of them have chosen on the yellow public key.

1:00:30.130 --> 1:00:31.300
Both of them will use it.

1:00:32.020 --> 1:00:33.550
Let's say Bob is the initiator.

1:00:33.550 --> 1:00:43.690
What he does is he chooses public yellow and he sends to the other side, not red.

1:00:44.500 --> 1:00:49.120
He will send to the other side Red.

1:00:54.610 --> 1:00:55.800
Plus yellow.

1:01:00.980 --> 1:01:01.970
He mixes his private.

1:01:02.000 --> 1:01:03.290
He's not going to send his private.

1:01:04.370 --> 1:01:05.690
He mixes it with what?

1:01:05.930 --> 1:01:06.620
The yellow.

1:01:08.510 --> 1:01:11.360
Let's say this color here becomes orange.

1:01:12.650 --> 1:01:13.160
Okay.

1:01:13.310 --> 1:01:15.260
So he's sending orange and yellow.

1:01:15.290 --> 1:01:16.790
This is James right here.

1:01:16.790 --> 1:01:17.810
He's an intruder.

1:01:17.840 --> 1:01:19.210
Let's see what he gets.

1:01:19.220 --> 1:01:21.200
Since yellow is public, he will get it.

1:01:22.310 --> 1:01:23.690
He will see the yellow part.

1:01:30.970 --> 1:01:33.040
He'll have yellow plus what?

1:01:34.600 --> 1:01:35.200
Orange.

1:01:35.320 --> 1:01:36.160
Not red.

1:01:37.480 --> 1:01:41.830
Red plus yellow, which is orange.

1:01:42.910 --> 1:01:46.150
I don't think I have as many combinations of colors, but let's try.

1:01:48.130 --> 1:01:48.310
Right.

1:01:48.310 --> 1:01:49.300
So he will get what?

1:01:53.950 --> 1:01:58.420
Both of these keys are traveling to Alice.

1:02:01.340 --> 1:02:02.540
This is done in one packet.

1:02:02.990 --> 1:02:04.220
In one packet.

1:02:04.250 --> 1:02:10.880
Bob will send a public key separately and a mixture of the public and his private separately, two different

1:02:10.880 --> 1:02:11.450
keys.

1:02:11.960 --> 1:02:13.670
They come there to Alice.

1:02:13.820 --> 1:02:15.320
Alice receives the yellow.

1:02:15.470 --> 1:02:19.100
He knows that yellow is here, but he doesn't do anything with the yellow.

1:02:19.280 --> 1:02:22.190
What he does is he mixes this.

1:02:23.900 --> 1:02:25.700
The mixture that he received.

1:02:25.700 --> 1:02:27.170
Mixes it with what?

1:02:34.200 --> 1:02:35.340
To get the final result.

1:02:35.340 --> 1:02:39.120
Let's say this is black.

1:02:41.680 --> 1:02:47.460
He mixes these two to get black, but he needs to sign something also what he signs.

1:02:47.470 --> 1:02:48.520
What do you think he sends back?

1:02:54.820 --> 1:02:55.600
What is he saying?

1:02:57.270 --> 1:03:00.940
Blue and blue, plus yellow.

1:03:03.100 --> 1:03:07.390
He will send back his private.

1:03:09.160 --> 1:03:09.550
Sorry.

1:03:12.740 --> 1:03:18.140
He will send his private plus the same public which both of them chose.

1:03:20.890 --> 1:03:22.550
Let's say this color is green.

1:03:24.080 --> 1:03:26.360
So what he sends to the other side is.

1:03:28.310 --> 1:03:29.750
What does the intruder get?

1:03:31.830 --> 1:03:32.810
That's what he said.

1:03:32.810 --> 1:03:35.060
So he also gets green.

1:03:36.350 --> 1:03:38.600
The question is, what does Bob do?

1:03:38.630 --> 1:03:43.190
He adds to his red this green to get what color?

1:03:44.180 --> 1:03:45.110
Think about it.

1:03:45.860 --> 1:03:47.840
This black was made up of what?

1:03:47.870 --> 1:03:50.900
Blue plus red.

1:03:51.890 --> 1:03:52.790
Plus yellow.

1:03:54.320 --> 1:03:55.760
Because this color here was red.

1:03:55.760 --> 1:03:56.210
Plus yellow.

1:03:56.210 --> 1:03:56.480
Right.

1:03:56.630 --> 1:03:58.240
So blue plus red, plus yellow.

1:03:58.250 --> 1:03:59.240
He got black.

1:03:59.480 --> 1:04:00.470
What is this color?

1:04:00.470 --> 1:04:03.620
A combination of blue plus yellow.

1:04:03.800 --> 1:04:04.520
Plus red.

1:04:08.400 --> 1:04:09.480
Which is the same thing.

1:04:09.480 --> 1:04:12.240
So this guy will get also.

1:04:15.170 --> 1:04:18.890
Yeah, prime numbers.

1:04:19.040 --> 1:04:25.640
The concept is similar, but this is a little different because James here is receiving the yellow.

1:04:25.670 --> 1:04:27.470
He's receiving the orange.

1:04:27.470 --> 1:04:28.850
He's receiving the green.

1:04:31.130 --> 1:04:33.290
See, Bob's private key is somewhere here.

1:04:34.890 --> 1:04:36.560
Alice's private key is somewhere here.

1:04:36.830 --> 1:04:38.420
James needs to figure out.

1:04:39.410 --> 1:04:41.840
He tries to open it and to see what is the actual.

1:04:41.840 --> 1:04:44.030
If he receives that private key, that's it for him.

1:04:47.630 --> 1:04:48.710
Do you see what's happening?

1:04:48.800 --> 1:04:49.640
Alice?

1:04:50.150 --> 1:04:53.330
Alice is sending his private key to the other side.

1:04:53.780 --> 1:04:58.400
The other guy is mixing his private with my private to get black in the middle.

1:04:58.430 --> 1:05:01.190
The yellow is only there to create confusion.

1:05:03.050 --> 1:05:05.160
Alice needs to send his private to the other side.

1:05:05.180 --> 1:05:07.880
He mixes it with the yellow and sends it to the other side.

1:05:08.210 --> 1:05:11.000
The other guy mixes all three colors to get black.

1:05:11.030 --> 1:05:14.960
He sends his private to me, mixed again in the same yellow.

1:05:16.870 --> 1:05:17.220
Right.

1:05:17.250 --> 1:05:18.360
I get his private key.

1:05:18.380 --> 1:05:21.740
I mix it with my private key again to get the same color yellow.

1:05:21.860 --> 1:05:22.640
Same between the two.

1:05:22.640 --> 1:05:25.910
Because they chose the same yellow only to create anarchy.

1:05:26.030 --> 1:05:27.470
Only to create what?

1:05:27.740 --> 1:05:28.850
Confusion in the middle.

1:05:29.750 --> 1:05:32.000
The actual stuff is private plus private.

1:05:32.300 --> 1:05:35.960
Eventually, both of them will have their private keys combined together.

1:05:36.380 --> 1:05:38.990
But there is yellow in there just to create confusion.

1:05:38.990 --> 1:05:41.480
So they add that yellow also to get the final color.

1:05:41.660 --> 1:05:41.960
Black.

1:05:42.350 --> 1:05:45.570
Black was never transferred or transported between the two.

1:05:46.860 --> 1:05:48.420
Black was never sent across.

1:05:51.240 --> 1:05:52.760
A combination of yellow and private.

1:05:52.770 --> 1:05:58.050
A combination of yellow and private on both ends was sent across to finally get the result.

1:06:00.120 --> 1:06:01.550
Finally equipped.

1:06:03.970 --> 1:06:05.440
Think Which one?

1:06:07.570 --> 1:06:08.320
This one.

1:06:09.160 --> 1:06:11.350
The question is, can he decrypt this part?

1:06:12.160 --> 1:06:13.240
Can't he open this?

1:06:13.240 --> 1:06:13.930
This is just like.

1:06:13.930 --> 1:06:17.770
That's why I said mixing of paints for him to find out the actual one.

1:06:17.770 --> 1:06:19.450
He has to open the paints together.

1:06:20.680 --> 1:06:22.630
These are 1024-bit keys.

1:06:22.960 --> 1:06:26.800
He'll have to open 102 and try different combinations of 1024 bits.

1:06:26.830 --> 1:06:28.210
Imagine how big that is.

1:06:32.410 --> 1:06:32.860
Yeah, that's.

1:06:32.860 --> 1:06:34.630
That's a different case.

1:06:34.630 --> 1:06:35.590
That's a different case.

1:06:35.590 --> 1:06:36.550
I'll explain that.

1:06:36.550 --> 1:06:39.280
But do you understand how this key exchange takes place?

1:06:39.280 --> 1:06:41.320
This key exchange is called Diffie-Hellman.

1:06:43.780 --> 1:06:47.980
Diffie-Hellman, that's the name of the guys.

1:06:48.400 --> 1:06:52.810
The interesting part is, if you go to Diffie-Hellman,

1:06:55.930 --> 1:07:00.460
if you open Diffie-Hellman and you open any page,

1:07:00.460 --> 1:07:04.900
So let's say the Wikipedia page of Diffie-Hellman, you will find the algorithm used for Diffie-Hellman

1:07:04.900 --> 1:07:05.770
right there.

1:07:09.390 --> 1:07:10.350
It's an open algorithm.

1:07:14.960 --> 1:07:15.170
Okay.

1:07:15.170 --> 1:07:15.980
Maybe not here.

1:07:31.260 --> 1:07:31.740
Right here.

1:07:34.410 --> 1:07:35.460
It's open.

1:07:36.940 --> 1:07:38.080
Algorithm is open.

1:07:38.100 --> 1:07:39.790
It's an open warning.

1:07:39.810 --> 1:07:40.770
Okay, listen.

1:07:40.860 --> 1:07:42.040
This is what it is.

1:07:42.060 --> 1:07:43.250
I'm using this.

1:07:43.260 --> 1:07:44.070
Try to block it.

1:07:44.160 --> 1:07:45.060
Just like that key.

1:07:45.090 --> 1:07:46.500
You know how it works.

1:07:46.680 --> 1:07:48.030
You don't have the key on a lock.

1:07:48.030 --> 1:07:48.720
Works.

1:07:49.140 --> 1:07:51.180
You just have to try the combination and open it.

1:07:51.210 --> 1:07:55.500
But the challenge is, when you have more combinations, how will you do it?

1:07:56.700 --> 1:08:00.720
It doesn't work on the concept of the algorithm being hidden.

1:08:00.960 --> 1:08:04.440
It works on the concept of too many calculations.

1:08:06.800 --> 1:08:10.610
So you have to do a lot of processing for you to be able to open that key.

1:08:11.090 --> 1:08:18.470
And you saw how much it takes to open up an asymmetric key, a 1024-bit key.

1:08:18.500 --> 1:08:20.780
How much will it take for you to open it?

1:08:21.470 --> 1:08:22.730
Can you make a random guess?

1:08:24.230 --> 1:08:25.310
Can you make a random guess?

1:08:25.550 --> 1:08:28.040
You can, but your possibilities are two raised to the power

1:08:28.040 --> 1:08:29.120
1024.

1:08:29.930 --> 1:08:31.310
For that guess to be right.

1:08:32.750 --> 1:08:33.740
Two raised to the power

1:08:33.740 --> 1:08:34.760
1024.

1:08:36.170 --> 1:08:36.730
Yeah.

1:08:37.320 --> 1:08:38.570
One over two

1:08:38.570 --> 1:08:38.990
raised to the power

1:08:38.990 --> 1:08:39.660
1024.

1:08:39.680 --> 1:08:41.720
How much is that? Two raised to the power

1:08:41.750 --> 1:08:43.880
Ten is 1024.

1:08:44.420 --> 1:08:45.860
11 is 2048.

1:08:45.950 --> 1:08:50.300
12 is... it doubles. Each bit that you add, the combinations double.

1:08:51.260 --> 1:08:52.940
Imagine how much two raised to the power

1:08:52.940 --> 1:09:02.240
1024 is. 32 bits in an IP address gives you how many addresses? Two to the power

1:09:02.240 --> 1:09:02.660
32.

1:09:02.690 --> 1:09:03.040
Right.

1:09:03.050 --> 1:09:04.430
So many different addresses.

1:09:04.550 --> 1:09:12.420
If you do two power 33, that's double of the total amount of addresses you get on 32 bits, you increase

1:09:12.420 --> 1:09:13.710
one bit, it doubles.

1:09:14.820 --> 1:09:18.060
So imagine that's quite impossible.

1:09:18.060 --> 1:09:22.320
That's why they have reduced now said that this is too much.

1:09:22.920 --> 1:09:24.450
They reduce the size.

1:09:24.750 --> 1:09:26.190
That's how secure it is.

1:09:28.730 --> 1:09:32.870
What is secure to open that color to get the real color out of the mix one.

1:09:35.170 --> 1:09:36.700
Right, your Diffie-Hellman works.

1:09:36.700 --> 1:09:43.540
The whole job of your Diffie-Hellman is here to mix these two colors together, the yellow and the red

1:09:43.810 --> 1:09:45.520
to get this part.

1:09:47.080 --> 1:09:49.930
Any questions, Any part that you did not understand?

1:09:51.550 --> 1:09:52.870
Before we move further

1:09:55.690 --> 1:09:59.860
at the end there will be that black is never exchanged.

1:10:00.670 --> 1:10:01.990
They don't need to exchange it.

1:10:03.100 --> 1:10:06.730
See, I know that the mechanism is you and me are communicating.

1:10:06.730 --> 1:10:11.830
I need to make sure that your private and my private are mixed somehow to get the black.

1:10:12.100 --> 1:10:13.300
So you choose the private?

1:10:13.300 --> 1:10:14.200
I choose the private.

1:10:14.230 --> 1:10:18.730
It's all an automated process for Diffie-Hellman.

1:10:18.730 --> 1:10:19.780
You don't have to do anything.

1:10:19.780 --> 1:10:20.920
It does it automatically.

1:10:20.950 --> 1:10:22.090
He will choose his private.

1:10:22.090 --> 1:10:23.200
I will choose my private.

1:10:23.230 --> 1:10:24.640
We need to mix them together.

1:10:24.640 --> 1:10:26.320
So I want to send him my private.

1:10:26.320 --> 1:10:27.250
But how do I send it?

1:10:27.250 --> 1:10:28.270
I mix it with the color.

1:10:28.570 --> 1:10:31.270
I give him the color separately and I give him the mixture separately.

1:10:32.320 --> 1:10:34.040
This is the color which I mixed it with.

1:10:34.040 --> 1:10:37.030
And this is the color which is the mixed part of it.

1:10:37.040 --> 1:10:44.840
He uses the same color, mixes it with his public private key and plus mixes my mixture to get the black.

1:10:44.990 --> 1:10:48.280
I use the same mixture which he sends me mixed with my private key.

1:10:48.290 --> 1:10:51.020
So eventually his private and my private are added.

1:10:51.020 --> 1:10:54.500
Plus the yellow gives me black, gives him black.

1:10:56.060 --> 1:10:58.670
In the end, both of them have black.

1:11:00.050 --> 1:11:01.340
The keying material.

1:11:01.370 --> 1:11:06.530
Now this keying material will be used to do s sha and all those things.

1:11:09.910 --> 1:11:10.300
Okay.

1:11:10.300 --> 1:11:14.650
So for things under IPsec, what the first thing was integrity.

1:11:16.870 --> 1:11:20.320
Integrity was MD5, SHA, to make sure no one tampers with the data.

1:11:20.560 --> 1:11:26.620
The second thing was encryption scrambling of data used with what?

1:11:26.650 --> 1:11:27.940
What algorithms?

1:11:28.780 --> 1:11:32.410
DES, 3DES, AES 128 to 256.

1:11:33.400 --> 1:11:35.350
Then we came to authentication.

1:11:35.680 --> 1:11:43.900
Authenticate who the other guy is. What would be used for that? Pre-shared keys and PKI, public key infrastructure.

1:11:43.900 --> 1:11:47.440
So either certificates or a key on both sides.

1:11:48.190 --> 1:11:54.640
Remember this one part, that key, the authentication key is not used for encryption.

1:11:57.210 --> 1:12:02.400
When I say remember Cisco on both ends that is not used for authentication.

1:12:02.520 --> 1:12:03.630
Sorry, not encryption.

1:12:03.630 --> 1:12:04.710
What is it used for?

1:12:05.310 --> 1:12:09.260
Authentication only used to authenticate the other guy.

1:12:09.270 --> 1:12:12.090
There are two keys here and do not confuse yourself.

1:12:12.120 --> 1:12:14.070
There will be this Diffie-Hellman key.

1:12:16.720 --> 1:12:21.850
The final result of the Diffie-Hellman key, which will be used for encryption and decryption.

1:12:21.910 --> 1:12:24.180
Plus you will also use a key.

1:12:27.370 --> 1:12:28.080
What is this?

1:12:30.430 --> 1:12:31.390
Pre-shared key.

1:12:31.600 --> 1:12:35.020
Just to make sure that Alice makes sure that he's talking to Bob.

1:12:35.050 --> 1:12:37.150
Bob makes sure he's talking to Alice.

1:12:37.720 --> 1:12:39.070
So they will just change.

1:12:39.070 --> 1:12:40.540
Both of them should have, let's say, Cisco.

1:12:40.540 --> 1:12:41.050
Cisco.

1:12:42.730 --> 1:12:43.780
Bob has Cisco.

1:12:43.810 --> 1:12:46.810
The other guy has Cisco just to make sure they're talking to the real guy.

1:12:46.840 --> 1:12:47.290
That's it.

1:12:47.620 --> 1:12:50.440
It will not be used for any kind of encryption or hashing.

1:12:53.660 --> 1:12:54.110
Okay.

1:12:54.110 --> 1:12:56.210
What will be used for encryption and hashing?

1:12:57.350 --> 1:13:04.850
Which key Diffie-Hellman Your Diffie-Hellman key will be used for encryption and hashing.

1:13:05.210 --> 1:13:06.380
Not anything else.

1:13:07.490 --> 1:13:08.210
Is this clear?

1:13:09.140 --> 1:13:14.780
RSA different from RSA uses the public key to encrypt and private to decrypt.

1:13:14.870 --> 1:13:15.530
Is it the same?

1:13:16.190 --> 1:13:18.090
Yes, but encryption and decryption is not happening.

1:13:18.170 --> 1:13:21.440
Asymmetric encryption and decryption will happen now.

1:13:21.440 --> 1:13:25.340
Symmetrical RSA is asymmetric.

1:13:25.880 --> 1:13:27.560
RSA is completely asymmetric.

1:13:27.650 --> 1:13:29.940
So RSA was the first one which I showed you.

1:13:29.960 --> 1:13:30.260
Public.

1:13:30.260 --> 1:13:30.590
Private.

1:13:30.590 --> 1:13:30.890
Public.

1:13:30.890 --> 1:13:31.460
Private.

1:13:31.640 --> 1:13:32.710
I will give you my public.

1:13:32.720 --> 1:13:33.650
You will give me my public.

1:13:33.650 --> 1:13:34.400
I will use your public.

1:13:34.430 --> 1:13:35.420
You'll use my public.

1:13:35.500 --> 1:13:44.840
And it's not the Diffie-Hellman is this Diffie-Hellman is using public and private to finally get a

1:13:44.840 --> 1:13:50.110
symmetrical in Diffie-Hellman is a key exchange RSA.

1:13:50.600 --> 1:13:51.830
I will give you my public.

1:13:51.830 --> 1:13:58.410
How will you encrypt your data using my public key using 1024 bit keys here?

1:13:58.410 --> 1:13:58.800
I'm not.

1:13:58.800 --> 1:14:05.070
The actual data that goes through will not be encrypted using 1024 bits out of this chunk, a small

1:14:05.070 --> 1:14:12.330
chunk will be taken out as 128 from both ends using the same algo.

1:14:14.990 --> 1:14:16.970
So the actual encryption will be done here?

1:14:19.030 --> 1:14:20.090
Decryption will be done here.

1:14:20.900 --> 1:14:21.860
Symmetrical.

1:14:22.010 --> 1:14:23.540
This is the film.

1:14:26.530 --> 1:14:27.220
Do you understand?

1:14:27.250 --> 1:14:27.760
RSA?

1:14:28.030 --> 1:14:30.790
Is which one your SSH.

1:14:32.320 --> 1:14:35.620
In RSA encryption and decryption will not be done like this.

1:14:35.650 --> 1:14:36.100
RSA.

1:14:36.280 --> 1:14:37.510
It's a little different.

1:14:37.510 --> 1:14:39.100
How RSA?

1:14:39.130 --> 1:14:40.420
I'll send you my public.

1:14:43.330 --> 1:14:47.710
You will use that public to encrypt, which is 1024 bits.

1:14:50.300 --> 1:14:51.590
He'll use the public key to encrypt.

1:14:51.590 --> 1:14:52.130
That's it.

1:14:53.060 --> 1:14:56.450
And the only person in the world who can decrypt is the one with the private.

1:15:01.130 --> 1:15:02.840
So the key element is an extension of.

1:15:03.530 --> 1:15:04.400
You can say that.

1:15:05.060 --> 1:15:08.900
You can say that it uses the same concept as RSA.

1:15:09.260 --> 1:15:11.030
A similar concept at RSA.

1:15:11.420 --> 1:15:17.840
Not to encrypt decrypt, but to find out the symmetrical something like here.

1:15:22.830 --> 1:15:25.530
Uh huh, uh huh.

1:15:26.450 --> 1:15:30.000
And then just authenticate for the transaction.

1:15:30.000 --> 1:15:30.130
Just.

1:15:30.150 --> 1:15:32.190
But that doesn't use this part, right?

1:15:34.130 --> 1:15:34.490
Public.

1:15:34.590 --> 1:15:40.020
Yeah, that uses RSA, that uses RSA, that also uses tokens nowadays.

1:15:40.410 --> 1:15:45.180
You might have seen in a lot of newer ATMs that are coming in, not here, probably somewhere outside

1:15:45.210 --> 1:15:45.590
you.

1:15:45.730 --> 1:15:49.740
You now don't have your ATM pin, you don't use the ATM pin.

1:15:50.160 --> 1:15:52.890
You get that secure ID, RSA signature.

1:15:53.670 --> 1:15:59.220
You have a key on your they give you a key, a hard key, right.

1:15:59.220 --> 1:15:59.880
With your ATM.

1:15:59.880 --> 1:16:05.010
So once you enter the vicinity of the ATM, you can check it; the key changes every one minute

1:16:05.730 --> 1:16:09.120
based on the time it calculates new keys.

1:16:09.120 --> 1:16:10.740
So when you're there, you'll have a new key.

1:16:10.740 --> 1:16:12.090
You enter that key and it goes through.

1:16:12.600 --> 1:16:13.890
That is SSL VPN.

1:16:15.240 --> 1:16:16.260
That is not IPsec.

1:16:16.860 --> 1:16:20.100
Right now we have not gone into the working of IPsec.

1:16:20.400 --> 1:16:26.260
I'm telling you, the different modules which are there, the Diffie-Hellman module is there, encryption

1:16:26.260 --> 1:16:30.040
module is there, authentication module is there and hashing module is there.

1:16:31.840 --> 1:16:37.600
The good thing about this, the good thing about IPsec, you might ask the question that, okay, IPsec

1:16:37.600 --> 1:16:44.040
is here today, but you see how rapidly the technology changes, right?

1:16:44.050 --> 1:16:48.700
Tomorrow they need to add more encryption mechanisms or something else which was there.

1:16:48.700 --> 1:16:54.070
Let's say for example, when it was created in the beginning when IPsec was created, it did not include

1:16:54.070 --> 1:16:54.790
encryption.

1:16:58.600 --> 1:16:59.980
It did not include encryption.

1:17:00.340 --> 1:17:03.280
It had integrity, but not encryption.

1:17:04.330 --> 1:17:07.000
But IPsec is designed in a modular way.

1:17:07.000 --> 1:17:12.070
When I say modular way, that means tomorrow, if something else comes up, they will just add a block

1:17:12.130 --> 1:17:14.290
to IPsec and it starts working.

1:17:16.940 --> 1:17:17.300
Right.

1:17:17.330 --> 1:17:20.780
Let's say tomorrow you want to create a tunnel based on fingerprints.

1:17:21.290 --> 1:17:23.420
You want to make sure that the fingerprint matches.

1:17:23.420 --> 1:17:24.790
You can add another module.

1:17:24.800 --> 1:17:26.990
Module five fingerprints.

1:17:31.480 --> 1:17:35.200
So when I want to create a tunnel, I'll have to go in there and press in my fingerprint.

1:17:35.230 --> 1:17:37.870
The other side has to do the same press in his fingerprint.

1:17:37.900 --> 1:17:40.060
If they will not match, obviously.

1:17:40.060 --> 1:17:43.030
But if they are in the database, the tunnel will come up.

1:17:43.060 --> 1:17:44.780
You can add that module also in there.

1:17:44.800 --> 1:17:47.670
It's modular, just like encryption was not there.

1:17:47.680 --> 1:17:48.640
They added it.

1:17:48.820 --> 1:17:50.710
You can add more modules to IPsec.

1:17:50.740 --> 1:17:51.880
That is the best part about it.

1:17:54.310 --> 1:17:54.820
Okay.

1:17:55.390 --> 1:17:55.990
Any questions?

1:17:55.990 --> 1:17:56.440
Until now.

1:18:00.900 --> 1:18:03.660
They will not send one of them will choose the public key.

1:18:04.590 --> 1:18:05.460
Yes.

1:18:05.460 --> 1:18:05.880
Yeah.

1:18:05.880 --> 1:18:07.890
They will be chosen by the initiator of the connection.

1:18:07.890 --> 1:18:09.120
So Bob will choose one.

1:18:09.210 --> 1:18:10.950
He sends both of them separately.

1:18:10.950 --> 1:18:11.480
Right.

1:18:11.490 --> 1:18:13.800
I'm sending a public plus the mixture.

1:18:13.920 --> 1:18:16.680
The other guy will use the same public to send it back to me.

1:18:19.110 --> 1:18:19.380
Okay.

1:18:19.380 --> 1:18:21.510
Any questions on again is important.

1:18:24.000 --> 1:18:25.440
Do you want me to explain it again?

1:18:27.930 --> 1:18:28.220
Honestly?

1:18:30.460 --> 1:18:30.690
Here.

1:18:30.870 --> 1:18:40.260
No, IPsec doesn't use only RSA it will use in PKI, but not for encryption, decryption for ISIS,

1:18:41.130 --> 1:18:42.780
just for authentication.

1:18:43.200 --> 1:18:44.490
We will see that at that time.

1:18:44.820 --> 1:18:48.780
But most predominantly it uses IPsec.

1:18:49.560 --> 1:18:49.980
Okay.

1:18:49.980 --> 1:18:51.990
Let me explain the mechanism again.

1:18:55.050 --> 1:18:59.160
Both of them need the same key so they decide on a same yellow key.

1:18:59.250 --> 1:19:04.290
Both of them, first of all, not both of them, because Bob is the one who is creating the connection.

1:19:04.470 --> 1:19:09.810
Their job is to mix their private keys together.

1:19:09.810 --> 1:19:12.300
That's the whole purpose of the exchange.

1:19:12.510 --> 1:19:15.750
They want to mix their private keys together to find the final touch.

1:19:17.250 --> 1:19:17.760
Okay.

1:19:17.760 --> 1:19:20.190
So what Bob does, he's the initiator.

1:19:20.190 --> 1:19:21.690
He sends two sets of keys.

1:19:21.690 --> 1:19:26.820
One is yellow and he mixes yellow plus blue.

1:19:27.540 --> 1:19:27.950
Right.

1:19:27.960 --> 1:19:35.640
So he sends another mixture, which is yellow and blue.

1:19:35.970 --> 1:19:39.000
It's a mixture, right?

1:19:39.000 --> 1:19:44.490
Whoever the guy is will not be able to separate these two, and he sends this also along the way

1:19:44.490 --> 1:19:45.420
to the other side.

1:19:45.840 --> 1:19:51.750
What Alice does is since he receives this, he will add to red this mixture

1:19:54.240 --> 1:19:57.810
of yellow and blue.

1:20:00.960 --> 1:20:01.620
You finally get?

1:20:01.650 --> 1:20:02.160
What?

1:20:04.760 --> 1:20:06.410
But he also sent something along.

1:20:06.410 --> 1:20:06.710
What?

1:20:06.860 --> 1:20:08.090
What does he send back?

1:20:10.250 --> 1:20:14.810
His private key mixed with yellow.

1:20:19.130 --> 1:20:19.820
Mixed with yellow.

1:20:20.120 --> 1:20:21.650
So what does the other side do?

1:20:21.680 --> 1:20:25.700
He adds to this blue, red and.

1:20:29.740 --> 1:20:31.660
So I'm sorry.

1:20:36.190 --> 1:20:37.090
Third packages.

1:20:40.260 --> 1:20:42.780
So the hacker sees.

1:20:42.780 --> 1:20:44.280
That's what I showed you in the beginning.

1:20:44.280 --> 1:20:45.770
The hacker will see the keys.

1:20:45.780 --> 1:20:47.280
He will see the public key.

1:20:48.540 --> 1:20:51.150
He will see the mixture of this, which is green.

1:20:52.500 --> 1:20:55.230
He will see the mixture of these two, which is orange.

1:20:56.220 --> 1:21:01.290
He sees the whole exchange, the hacker sees the whole exchange out there.

1:21:03.600 --> 1:21:08.610
So for him to find out how orange was created, for him to find out how green because he needs to find

1:21:08.610 --> 1:21:12.480
black for him to find black, he cannot mix these two together.

1:21:12.570 --> 1:21:14.190
If he mixes these two together.

1:21:14.190 --> 1:21:15.420
There is also yellow in there.

1:21:15.420 --> 1:21:17.430
Two times yellow will give him something else.

1:21:17.430 --> 1:21:19.320
So you cannot mix these two together.

1:21:19.380 --> 1:21:20.220
You cannot mix this.

1:21:20.220 --> 1:21:23.520
He needs to find out the exact combination that was used to create this.

1:21:23.550 --> 1:21:28.770
Because if he gets that, if he gets the exact right out of here, he can mix it with green to get black.

1:21:28.920 --> 1:21:31.590
If he gets from the green, he gets blue out.

1:21:31.620 --> 1:21:36.480
He can mix it with the orange to get black, but he might have it.

1:21:36.540 --> 1:21:36.930
Yeah.

1:21:37.650 --> 1:21:38.190
Yes.

1:21:38.220 --> 1:21:39.600
Which is mixed with yellow.

1:21:39.600 --> 1:21:40.410
Yes.

1:21:41.070 --> 1:21:41.760
Yes.

1:21:41.790 --> 1:21:43.110
The hacker, which is me.

1:21:43.410 --> 1:21:46.470
I'm trying to solve his private key, which is mixed with the yellow.

1:21:47.700 --> 1:21:51.660
So I try to get his private out of that yellow, which is not possible out there.

1:21:53.610 --> 1:21:56.700
Now that I'll explain that, I'll explain how that happens.

1:21:56.880 --> 1:21:57.510
Right.

1:21:58.020 --> 1:22:01.260
What you need to understand is this keying material is the end of the exchange.

1:22:01.530 --> 1:22:03.300
Only two packets needs to be exchanged.

1:22:03.300 --> 1:22:05.430
The first where the public and the private is sent.

1:22:05.460 --> 1:22:07.770
The other the mixture is sent from the other side.

1:22:07.770 --> 1:22:10.890
Only the mixture is sent two packets done.

1:22:10.890 --> 1:22:14.010
They have their keying material on both ends.

1:22:14.010 --> 1:22:15.810
They are set to do that.

1:22:16.590 --> 1:22:17.730
Does it work with symmetric?

1:22:18.120 --> 1:22:19.080
This is not RSA.

1:22:20.430 --> 1:22:24.300
RSA is asymmetric, RSA is completely asymmetric.

1:22:25.080 --> 1:22:26.220
What are the symmetric.

1:22:27.440 --> 1:22:28.460
This is symmetrical.

1:22:30.650 --> 1:22:31.160
Where?

1:22:31.160 --> 1:22:31.670
Symmetrical.

1:22:31.670 --> 1:22:32.570
I use encryption.

1:22:32.570 --> 1:22:33.200
Which you will do.

1:22:33.200 --> 1:22:35.510
Always uses for IPsec.

1:22:35.540 --> 1:22:39.470
It will always use key exchange will be asymmetrical.

1:22:39.500 --> 1:22:42.920
This is an asymmetrical key exchange, but not RSA.

1:22:42.920 --> 1:22:44.360
It's not RSA, it's FF.

1:22:45.230 --> 1:22:48.230
If you use RSA, the mixture will not be sent.

1:22:48.260 --> 1:22:50.780
It will just send public, public and start encrypting.

1:22:52.940 --> 1:22:57.590
In RSA, I'll send my public, he'll send his public, I'll encrypt and he'll encrypt

1:22:57.590 --> 1:22:57.980
and done.

1:22:59.360 --> 1:23:01.730
It's just expensive on the users to do that.

1:23:02.180 --> 1:23:05.330
So what they did was they created a separate mixture out of it.

1:23:05.360 --> 1:23:10.640
They created a newer version of where the exchange is done, but not to do encryption decryption, but

1:23:10.640 --> 1:23:11.900
to find a set of keys.

1:23:13.220 --> 1:23:15.320
Then that will be used for encryption and decryption.

1:23:17.140 --> 1:23:17.410
Kit.

1:23:21.490 --> 1:23:21.940
Good, right.

1:23:23.320 --> 1:23:30.040
Let's move on to how now until now, what you've done, what you've seen is just IPsec.

1:23:32.510 --> 1:23:35.780
It's just IPsec, which is bringing all of these things together.

1:23:36.830 --> 1:23:41.030
The way IPsec Tunnels work is an entirely different thing.

1:23:41.990 --> 1:23:46.620
Now all of these, again, as I said, will come together to give you that tunnel.

1:23:46.640 --> 1:23:48.010
All these features.

1:23:48.020 --> 1:23:49.520
What are the features again?

1:23:49.520 --> 1:23:53.810
Integrity, authentication, encryption and the key exchange.

1:23:54.080 --> 1:23:56.450
They will come together to form the tunnel.

1:23:58.640 --> 1:23:59.100
Right.

1:23:59.120 --> 1:24:05.000
We still have one challenge. I solved one challenge; the other challenge, that I should not give the

1:24:05.000 --> 1:24:09.380
attacker a lot of data to work on the key, is still there.

1:24:10.250 --> 1:24:11.720
That challenge is still there.

1:24:12.440 --> 1:24:18.710
Yes, I understand that he won't be able to solve the key, but the problem now comes is now both of

1:24:18.710 --> 1:24:20.240
them have a set of keys, Right.

1:24:21.080 --> 1:24:31.820
If you think about this, Alice, Bob and the attacker here.

1:24:31.820 --> 1:24:38.060
I'm sorry, the attacker will see you're sending data through the Internet.

1:24:38.060 --> 1:24:39.410
So we are going through the

1:24:42.980 --> 1:24:43.410
database.

1:24:43.730 --> 1:24:44.470
He's not do.

1:24:44.990 --> 1:24:45.980
He should not build it.

1:24:46.100 --> 1:24:49.000
So I should not give very much too much of data.

1:24:49.010 --> 1:24:50.630
Yes, too much of data.

1:24:50.660 --> 1:24:51.950
See what I'm talking about.

1:24:51.980 --> 1:24:54.170
Now, both of us have this key, right?

1:24:54.470 --> 1:24:59.180
Out of this, I will only use 128 bits for encryption.

1:24:59.540 --> 1:25:00.620
Only 128.

1:25:00.980 --> 1:25:01.280
Right.

1:25:01.280 --> 1:25:04.790
So when I'm sending data out, I'll encrypt it using this.

1:25:04.820 --> 1:25:05.990
It will be encrypted.

1:25:05.990 --> 1:25:08.360
It will go to the other side as encrypted data.

1:25:09.800 --> 1:25:12.170
The other side will decrypt it to get the original data.

1:25:13.310 --> 1:25:14.690
It's only 128 bits.

1:25:14.720 --> 1:25:20.820
It's still huge, but if you compare it to 1024, it's nothing, right?

1:25:20.840 --> 1:25:23.830
Now with the attacker will do is he will get this data.

1:25:23.840 --> 1:25:25.130
He's also getting all of it.

1:25:25.160 --> 1:25:28.760
He will try to build a huge database of this data in GBs.

1:25:29.600 --> 1:25:33.240
The more data he has, the more his chances to get the key.

1:25:35.220 --> 1:25:38.970
We want to make sure that we find out a way that the attacker cannot crack this.

1:25:39.630 --> 1:25:40.980
That is the challenge right now.

1:25:42.670 --> 1:25:45.510
Should not be able to open this and see find the key.

1:25:45.510 --> 1:25:48.030
Because if he finds the key, the whole exchange is lost.

1:25:48.060 --> 1:25:49.650
They already have the key.

1:25:51.000 --> 1:25:52.320
How do you solve that challenge?

1:25:52.320 --> 1:25:52.830
You don't.

1:25:52.860 --> 1:25:53.940
IPsec does it for you.

1:25:54.810 --> 1:26:00.720
IPsec has devised a very, very cool mechanism to exchange keys.

1:26:02.530 --> 1:26:08.710
In IPsec, the tunnels that you create, the VPN that you're going to be creating, you're not going

1:26:08.710 --> 1:26:09.700
to create one tunnel.

1:26:10.510 --> 1:26:12.220
You're going to create two tunnels.

1:26:14.050 --> 1:26:15.130
You don't do it, though.

1:26:15.430 --> 1:26:17.230
It does it automatically for you.

1:26:18.610 --> 1:26:22.030
If we create one tunnel.

1:26:24.780 --> 1:26:29.120
In this tunnel, in total only nine packets go through.

1:26:33.610 --> 1:26:36.880
In the first tunnel, only nine packets go through.

1:26:37.450 --> 1:26:43.690
This tunnel is known as ISAKMP.

1:26:46.850 --> 1:26:50.660
Are you to totalling nine six.

1:26:51.500 --> 1:26:53.360
Three more quick mode is also done there.

1:26:55.190 --> 1:26:55.700
Okay.

1:26:56.780 --> 1:26:58.760
In total, nine packets will go through.

1:27:00.200 --> 1:27:01.250
Using this tunnel.

1:27:03.110 --> 1:27:03.590
Okay.

1:27:04.100 --> 1:27:08.690
The whole purpose of this tunnel is two things.

1:27:09.410 --> 1:27:11.660
There are two things that are important through this tunnel.

1:27:11.660 --> 1:27:14.240
Number one is key exchange.

1:27:18.420 --> 1:27:20.820
Number two is negotiate.

1:27:24.040 --> 1:27:24.930
Negotiate.

1:27:26.040 --> 1:27:27.030
IPsec.

1:27:32.010 --> 1:27:33.510
Negotiate the IPsec Tunnel.

1:27:36.210 --> 1:27:39.870
Those of commission for a combination of policies.

1:27:40.580 --> 1:27:40.710
Yeah.

1:27:41.700 --> 1:27:43.500
Why do I need negotiations?

1:27:43.530 --> 1:27:44.460
Negotiations?

1:27:44.460 --> 1:27:45.150
Because I told you.

1:27:45.150 --> 1:27:46.440
You have many options.

1:27:46.800 --> 1:27:47.810
You can use 3DES.

1:27:47.820 --> 1:27:50.640
You can use AES, you can use SHA.

1:27:50.760 --> 1:27:53.550
You can use MD5, all of those things you can use.

1:27:53.580 --> 1:27:55.380
Which one are we using?

1:27:55.410 --> 1:27:56.550
It's negotiation.

1:27:57.480 --> 1:27:59.250
I'm using AES from my end.

1:27:59.280 --> 1:28:01.110
Obviously the other side should also use.

1:28:01.620 --> 1:28:03.240
So we negotiate on that.

1:28:04.650 --> 1:28:04.950
Done.

1:28:04.950 --> 1:28:06.330
Where in this tunnel.

1:28:09.930 --> 1:28:11.270
It is done in the first.

1:28:12.600 --> 1:28:14.530
The second tunnel now here.

1:28:14.550 --> 1:28:17.910
A lot of people get confused, but keep your concentration.

1:28:17.940 --> 1:28:19.050
The second tunnel.

1:28:23.820 --> 1:28:26.570
A government which is also known as phase two.

1:28:26.600 --> 1:28:26.900
Tunnel.

1:28:29.300 --> 1:28:31.070
Phase two tunnel, not phase two.

1:28:31.970 --> 1:28:34.820
There is a difference between phase two tunnel and phase two.

1:28:36.140 --> 1:28:37.100
Phase two tunnel.

1:28:37.730 --> 1:28:38.240
Right.

1:28:38.660 --> 1:28:41.330
The only thing that goes through here is data.

1:28:43.280 --> 1:28:44.770
No negotiations.

1:28:44.780 --> 1:28:52.220
So basically, if you want to talk in language, you could say that this is your control plane as a

1:28:52.220 --> 1:28:52.940
separate tunnel.

1:28:53.060 --> 1:28:55.580
And this phase two tunnel is your data tunnel.

1:28:56.120 --> 1:28:58.310
Your data traffic goes through the phase two tunnel.

1:28:58.610 --> 1:29:04.850
Your control traffic goes through the phase one tunnel or the ISAKMP tunnel.

1:29:05.660 --> 1:29:07.280
This is also called IPsec Tunnel.

1:29:12.090 --> 1:29:12.810
Your actual tunnel?

1:29:12.810 --> 1:29:16.680
Is this to set up this tunnel?

1:29:16.830 --> 1:29:19.050
You use the first one.

1:29:21.460 --> 1:29:22.150
To set up this.

1:29:27.660 --> 1:29:28.550
Good things.

1:29:32.850 --> 1:29:33.840
No, I'm fine with it.

1:29:34.350 --> 1:29:39.050
But I can sense things like this in my.

1:29:39.750 --> 1:29:45.150
ISAKMP is a simple exchange on UDP.

1:29:47.490 --> 1:29:55.440
UDP 500. ISAKMP is a protocol which works on UDP 500.

1:30:01.980 --> 1:30:07.200
All the exchanges that take place happen on UDP 500, in total nine packets.

1:30:08.400 --> 1:30:08.850
Right.

1:30:08.850 --> 1:30:12.620
And then your phase two tunnel, I'll talk about the headers that are going to be used there.

1:30:12.630 --> 1:30:13.410
That's for later.

1:30:13.500 --> 1:30:15.870
For now, we need to fix how ISAKMP takes place.

1:30:18.320 --> 1:30:18.720
I don't know.

1:30:19.540 --> 1:30:19.950
Yeah.

1:30:20.160 --> 1:30:21.600
What I received from other side.

1:30:22.950 --> 1:30:26.340
Probably the policies should match for the ISAKMP.

1:30:26.880 --> 1:30:27.780
It should match.

1:30:28.350 --> 1:30:32.070
Yeah, it should match negotiation.

1:30:32.070 --> 1:30:32.280
Right.

1:30:32.280 --> 1:30:33.690
That's what negotiation is.

1:30:33.720 --> 1:30:38.550
Let me explain what these nine packets are and how are they traversed from one place to another one

1:30:38.550 --> 1:30:39.150
by one.

1:30:39.240 --> 1:30:48.660
Now, again, from anything from any perspective, you look at IPsec, this is the most important part.

1:30:49.410 --> 1:30:53.460
The nine packets which are going through the most important.

1:30:55.230 --> 1:30:55.620
Okay.

1:30:55.650 --> 1:30:56.790
Trust me on this.

1:30:56.970 --> 1:31:05.200
You need to know this for any IPsec VPN, whatever IPsec VPNs you're doing from now.

1:31:05.200 --> 1:31:06.580
When I said the base.

1:31:06.610 --> 1:31:10.810
Remember the base I was talking about yesterday when I was talking about the base.

1:31:10.810 --> 1:31:12.250
This is what I mean.

1:31:12.280 --> 1:31:13.360
This is what I meant.

1:31:14.170 --> 1:31:15.880
Right here is from AT&T.

1:31:15.910 --> 1:31:16.810
The AT&T guys came.

1:31:18.040 --> 1:31:20.890
You only bunch of them.

1:31:20.890 --> 1:31:22.120
A bunch of them are there.

1:31:22.120 --> 1:31:22.360
Right.

1:31:24.280 --> 1:31:24.790
Okay.

1:31:25.150 --> 1:31:30.220
So you're the only one who's here for VPN in the morning, but you're the only one in the morning.

1:31:35.980 --> 1:31:36.310
Yesterday.

1:31:36.310 --> 1:31:38.170
I don't think you knew that the class was here, right?

1:31:38.740 --> 1:31:39.040
I knew.

1:31:40.920 --> 1:31:41.530
Assignments.

1:31:51.380 --> 1:31:57.740
So as I was saying, ISAKMP, we will have a look at the packet exchange, the most important part of

1:31:57.740 --> 1:31:57.980
it.

1:31:58.970 --> 1:32:02.630
We will also see it practically, but I don't think we have time for that today.

1:32:02.660 --> 1:32:04.520
We'll only talk about the exchange today.

1:32:04.550 --> 1:32:07.970
We'll create the tunnel tomorrow and have a look at your package.

1:32:09.450 --> 1:32:09.900
Okay.

1:32:13.070 --> 1:32:14.510
This is what happens.

1:32:34.740 --> 1:32:36.030
Packet number one.

1:32:38.620 --> 1:32:44.830
Now, all of this communication is happening on UDP port number, which is 500.

1:32:45.670 --> 1:32:49.770
All of this communication of nine packets is happening on UDP 500.

1:32:49.780 --> 1:32:51.670
So the first packet goes out.

1:32:53.260 --> 1:32:53.560
Right.

1:32:53.560 --> 1:32:58.270
The source and destination of this packet is going to be public.

1:32:59.650 --> 1:33:02.740
Alice to public

1:33:04.330 --> 1:33:04.930
Bob.

1:33:07.890 --> 1:33:12.480
UDP source port 500 destination port.

1:33:13.470 --> 1:33:15.450
And then finally ISAKMP is here.

1:33:17.940 --> 1:33:20.340
This is how the packet travels from public to public.

1:33:21.240 --> 1:33:22.530
Very, very, very important.

1:33:22.530 --> 1:33:23.130
This part.

1:33:23.580 --> 1:33:25.980
Concentrate public to public.

1:33:27.750 --> 1:33:31.140
ISAKMP always goes from my public address to the other guy's public address.

1:33:32.190 --> 1:33:36.600
If you're doing it between the two routers, the routers, public address to the other side's public

1:33:36.600 --> 1:33:42.030
address, my eventual job is to protect my private networks right over the public domain.

1:33:42.030 --> 1:33:46.800
But the ISAKMP will be first exchanged through the public networks.

1:33:47.790 --> 1:33:48.290
Okay.

1:33:48.330 --> 1:33:58.040
In this ISAKMP packet, inside here at this layer seven, inside this, you will see policies.

1:33:58.050 --> 1:33:59.700
What kind of policies?

1:34:00.690 --> 1:34:08.820
Alice will say, I'm using encryption 3DES, for example, for hashing.

1:34:09.540 --> 1:34:10.410
I'm using Sha.

1:34:12.330 --> 1:34:12.810
Okay.

1:34:12.810 --> 1:34:16.750
Then he will say an authentication.

1:34:19.990 --> 1:34:20.770
Mechanism.

1:34:20.770 --> 1:34:25.300
I'm using PSK, not PKI, and the group.

1:34:26.230 --> 1:34:27.790
Group is Diffie-Hellman group.

1:34:27.820 --> 1:34:30.190
There are three groups one, two and five.

1:34:31.750 --> 1:34:33.160
It's just the key sizes.

1:34:33.190 --> 1:34:34.540
Group one is 768.

1:34:34.570 --> 1:34:35.770
Group two is 1024.

1:34:35.800 --> 1:34:37.670
Group five is 1536.

1:34:37.750 --> 1:34:39.520
The size of the keys.

1:34:39.520 --> 1:34:42.910
You can see that when you're creating the tunnel, you'll see the size of the keys.

1:34:44.560 --> 1:34:53.200
The key size, the group that you can use on the side, which you can use on that router.

1:34:54.010 --> 1:34:58.480
So some some routers will also give you group seven available to them.

1:34:58.480 --> 1:35:02.260
But most of the times these days you will always use group two.

1:35:02.920 --> 1:35:07.020
You will not go to 7 or 5 because again, that will be too processor intensive.

1:35:07.120 --> 1:35:08.650
Most of the time you'll use two.

1:35:09.250 --> 1:35:10.990
Now there are different variants out there.

1:35:10.990 --> 1:35:13.330
They have group 20 1716.

1:35:13.360 --> 1:35:16.180
Those are in a newer version, but we'll get to that.

1:35:17.800 --> 1:35:18.220
Okay.

1:35:18.220 --> 1:35:23.030
So this is what Pre-shared key and everything here.

1:35:23.480 --> 1:35:24.860
It will be sent basically.

1:35:24.860 --> 1:35:26.150
I'm not sending everything here.

1:35:26.150 --> 1:35:28.130
I'm just telling him what I'm going to use.

1:35:29.630 --> 1:35:30.350
I'm sending him.

1:35:30.350 --> 1:35:31.700
This is known as policy.

1:35:32.060 --> 1:35:34.310
The first packet is also known as policies.

1:35:37.130 --> 1:35:41.150
I'm sending him all the policies that I am going to use for from my side.

1:35:44.580 --> 1:35:45.780
There is a twist, though.

1:35:45.810 --> 1:35:46.800
What is that?

1:35:47.010 --> 1:35:49.140
There are two tunnels being created, right?

1:35:49.350 --> 1:35:53.070
One here and the other one is the data tunnel.

1:35:56.980 --> 1:36:01.330
These policies that I'm exchanging is not to protect the second tunnel.

1:36:02.770 --> 1:36:04.540
It is to protect the first tunnel.

1:36:07.710 --> 1:36:08.310
Why?

1:36:09.330 --> 1:36:14.160
Because eventually, through this tunnel, I am also going to exchange my pre-shared key.

1:36:17.180 --> 1:36:20.870
My actual preset key will also be exchanged through this tunnel.

1:36:24.730 --> 1:36:26.800
There will be only used to authenticate the peers.

1:36:26.800 --> 1:36:31.330
But I don't want anyone, anyone else getting that because then tomorrow he can create a tunnel with

1:36:31.330 --> 1:36:33.010
me using the same PSK.

1:36:33.820 --> 1:36:35.260
I need to protect that too.

1:36:37.530 --> 1:36:44.520
So this set of policies that I'm negotiating in the first packet is to protect the first tunnel, phase

1:36:44.520 --> 1:36:45.090
one tunnel.

1:36:46.620 --> 1:36:50.610
So this happens before the tunnel was created, before the second tunnel is created.

1:36:52.800 --> 1:36:55.530
This happens after the first one was created.

1:36:56.040 --> 1:36:57.060
This is not a tunnel.

1:36:57.770 --> 1:36:57.930
No.

1:36:58.020 --> 1:36:59.010
The exchange of policy?

1:36:59.010 --> 1:36:59.530
Yes.

1:36:59.550 --> 1:37:00.470
When does it happen?

1:37:00.480 --> 1:37:01.410
Before the tunnel.

1:37:01.830 --> 1:37:02.700
Before the first tunnel.

1:37:03.120 --> 1:37:03.840
The first one.

1:37:05.730 --> 1:37:06.690
Before the first one.

1:37:07.380 --> 1:37:09.030
It's the creation of the tunnel.

1:37:09.720 --> 1:37:11.010
This part is the creation.

1:37:11.010 --> 1:37:12.900
So negotiation should happen first, right?

1:37:13.230 --> 1:37:15.450
When I want to communicate to you first, we negotiate.

1:37:15.450 --> 1:37:16.200
I tell you my name.

1:37:16.200 --> 1:37:17.250
You tell me your name.

1:37:17.430 --> 1:37:18.840
Then we have certain conversation.

1:37:18.840 --> 1:37:21.030
Then we have a trust between us.

1:37:21.060 --> 1:37:22.410
That's what happening right now.

1:37:22.800 --> 1:37:24.780
I'm sending them my first policies.

1:37:24.810 --> 1:37:26.580
The other guy will reply with what?

1:37:26.880 --> 1:37:27.630
Packet number two.

1:37:27.660 --> 1:37:28.770
What will be in there?

1:37:30.480 --> 1:37:31.350
3DES.

1:37:32.660 --> 1:37:35.670
SHA, group.

1:37:35.770 --> 1:37:36.400
Let's say two.

1:37:37.390 --> 1:37:39.480
If any one of the packets doesn't match here.

1:37:39.490 --> 1:37:44.020
If I'm using on one side, PK on the other side, this exchange will drop.

1:37:44.770 --> 1:37:48.970
If I'm using 3DES on one side, on the other side, this exchange will drop.

1:37:51.130 --> 1:37:54.760
Okay, so it should match for the communication to take place.

1:37:56.680 --> 1:37:58.330
Packet one and two.

1:37:58.990 --> 1:38:02.980
Packet three from Alice.

1:38:06.810 --> 1:38:08.880
That's exactly right.

1:38:08.940 --> 1:38:10.200
You can visit a protocol.

1:38:10.470 --> 1:38:11.130
It's a protocol.

1:38:12.060 --> 1:38:17.490
ISAKMP is a protocol which works on UDP 500, a protocol which has these things.

1:38:17.490 --> 1:38:19.740
Define the nine packets, define the first packet.

1:38:19.740 --> 1:38:21.390
Should be this, the second packet should be this.

1:38:21.390 --> 1:38:22.470
The third packet should be this.

1:38:22.470 --> 1:38:23.700
The fourth packet should be this.

1:38:23.730 --> 1:38:28.260
If the first and the second don't match, drop the second and the third don't match drop.

1:38:28.500 --> 1:38:32.730
Do we have any other options in the coming, apart from ISAKMP, this year?

1:38:33.060 --> 1:38:35.160
For most of the tunnels this is the one.

1:38:35.490 --> 1:38:41.220
There are certain other extensions, but they're also part of ISAKMP.

1:38:41.220 --> 1:38:42.720
So usually you'll use ISAKMP.

1:38:42.750 --> 1:38:46.860
It's, I think, Internet Security Association Key Management Protocol.

1:38:47.100 --> 1:38:51.210
Then there are just this and they'll come after.

1:38:51.210 --> 1:38:51.720
I'll show you.

1:38:52.200 --> 1:38:53.220
We have not reached there yet.

1:38:54.840 --> 1:38:56.160
They'll come after the sixth packet.

1:38:56.520 --> 1:38:58.410
Today we'll do only until the sixth packet.

1:38:59.700 --> 1:39:01.080
Okay, so now

1:39:03.750 --> 1:39:06.550
we know not the tunnel.

1:39:06.760 --> 1:39:13.330
The negotiation of what we are going to use for the tunnel exchange is private.

1:39:13.840 --> 1:39:15.190
I'm only on the second tunnel yet.

1:39:16.120 --> 1:39:17.290
I'm only on the second packet.

1:39:17.320 --> 1:39:19.510
There are still seven more packets left.

1:39:21.040 --> 1:39:24.070
Okay, so the first and the second are done in the first.

1:39:24.070 --> 1:39:27.700
I'm telling him I'm using encryption, 3DES, authentication, all of this.

1:39:27.730 --> 1:39:28.930
It should match from the other side.

1:39:28.930 --> 1:39:31.210
The other side should say, okay, I'm also going to use the same.

1:39:31.510 --> 1:39:38.920
The third packet I will send my public and the mixture.

1:39:44.100 --> 1:39:50.550
Plus I will also send something known as nonce.

1:39:53.850 --> 1:39:56.370
Nonce is nothing but prime numbers.

1:39:57.240 --> 1:39:59.580
A certain variations of prime numbers.

1:40:00.450 --> 1:40:01.470
Random numbers.

1:40:02.160 --> 1:40:02.580
Open.

1:40:02.580 --> 1:40:02.850
Clear.

1:40:02.850 --> 1:40:03.480
Text.

1:40:06.110 --> 1:40:07.340
I'll send it to the other side.

1:40:07.520 --> 1:40:08.420
Why?

1:40:09.590 --> 1:40:10.340
I'll show you why.

1:40:10.370 --> 1:40:15.510
So I'll just send a combination of 0101, just for simplicity's sake.

1:40:15.530 --> 1:40:16.670
I'm just sending zero one.

1:40:16.670 --> 1:40:20.930
It's just prime numbers and certain alphabets together to the other side.

1:40:21.530 --> 1:40:25.490
The moment the other side receives this, does he get his black key?

1:40:26.990 --> 1:40:27.960
He does.

1:40:28.100 --> 1:40:31.700
He mixes this mixture with his private to get the black key.

1:40:34.100 --> 1:40:34.520
Right.

1:40:34.520 --> 1:40:37.490
So at the end of third packet, Bob will have.

1:40:42.330 --> 1:40:43.890
What does Bob send back?

1:40:45.300 --> 1:40:47.730
Is his mixture.

1:40:49.950 --> 1:40:51.210
And this nonce.

1:40:52.110 --> 1:40:54.840
But this nonce he will encrypt.

1:40:55.650 --> 1:40:56.640
Using what?

1:40:57.900 --> 1:40:58.800
The black key.

1:41:04.910 --> 1:41:07.160
This nonce will be encrypted using the black key.

1:41:07.190 --> 1:41:07.550
Why?

1:41:07.580 --> 1:41:08.570
I'll explain why.

1:41:08.600 --> 1:41:10.580
When this packet reaches Alice.

1:41:10.610 --> 1:41:11.780
Does he have the black key?

1:41:14.120 --> 1:41:16.520
He mixes this mixture with his private to get the black key.

1:41:16.550 --> 1:41:16.970
Right.

1:41:17.690 --> 1:41:21.020
Then he will use that black key to decrypt this nonce.

1:41:21.650 --> 1:41:26.180
If he is successful in doing that, that means his exchange was successful.

1:41:32.370 --> 1:41:33.000
Do you understand?

1:41:34.950 --> 1:41:36.180
I'm sending you something.

1:41:36.750 --> 1:41:40.210
I'm sending you a mixture of my keys, my private plus yellow.

1:41:40.230 --> 1:41:41.250
I'm sending it to you.

1:41:41.730 --> 1:41:43.530
Plus I'll send you some clear text.

1:41:43.980 --> 1:41:44.700
I'll send a message.

1:41:44.700 --> 1:41:46.290
Hello there to you.

1:41:46.890 --> 1:41:47.460
Right.

1:41:47.460 --> 1:41:49.620
Once you receive that, I'm the one who sent it.

1:41:49.620 --> 1:41:50.790
So I know what I sent.

1:41:51.210 --> 1:41:51.790
Right.

1:41:51.810 --> 1:41:54.410
When you receive it, what you're going to do, you.

1:41:54.420 --> 1:41:58.010
The moment you receive the mixture, you mix it with your private to get the black key.

1:41:58.020 --> 1:42:00.120
I don't have the black key yet, but you have it.

1:42:00.930 --> 1:42:03.840
You send me the same nonce back.

1:42:04.200 --> 1:42:08.070
You send it back to me again, but you will encrypt it using your black.

1:42:10.380 --> 1:42:15.000
The actual key which you got, the final key, which I should also get since he encrypts it using his

1:42:15.000 --> 1:42:16.710
black, he also sends me the mixture.

1:42:17.130 --> 1:42:20.370
So once I see both things together, I receive the mixture.

1:42:20.370 --> 1:42:22.500
I'll use the mixture quickly to find my black.

1:42:22.890 --> 1:42:25.490
I will use that black to decrypt what he sent me.

1:42:25.500 --> 1:42:31.120
If it is the same thing which I had sent before, that means our exchange was successful.

1:42:33.070 --> 1:42:36.610
This is no, this is not hashing.

1:42:36.940 --> 1:42:43.060
This is just to make sure this is just a dummy value, to make sure that the key exchange was successful.

1:42:44.350 --> 1:42:47.380
Eventually it means whatever Bob is encrypting, I can decrypt it.

1:42:50.060 --> 1:42:50.450
Right.

1:42:50.570 --> 1:42:52.190
That's the whole purpose of it.

1:42:52.400 --> 1:42:55.760
So they make sure that whatever Bob can encrypt, I can decrypt.

1:42:55.760 --> 1:42:57.110
So we have the same key.

1:42:59.110 --> 1:42:59.650
That's it.

1:42:59.680 --> 1:43:02.050
It's just a random value just for this purpose.

1:43:04.340 --> 1:43:05.960
By the end of the fourth packet.

1:43:06.650 --> 1:43:09.320
Both of them know which policies to use.

1:43:09.350 --> 1:43:11.330
Let's say they've already settled on it.

1:43:11.360 --> 1:43:16.310
They know that for this tunnel 3DES is to be used and SHA is to be used.

1:43:17.450 --> 1:43:18.170
Group.

1:43:18.200 --> 1:43:19.060
Group was two.

1:43:19.070 --> 1:43:21.080
So the size of this public is group two.

1:43:21.110 --> 1:43:24.380
Size that is already used.

1:43:25.820 --> 1:43:26.330
Nirosha.

1:43:26.390 --> 1:43:28.040
And the three from this side.

1:43:28.070 --> 1:43:31.010
They know 3DES and SHA from this side is supposed to be used.

1:43:31.040 --> 1:43:37.130
Both of them have the keying material so now they can do the rest of the stuff.

1:43:39.270 --> 1:43:39.660
Packets.

1:43:39.660 --> 1:43:40.630
One, two, three, four.

1:43:40.650 --> 1:43:40.920
Done.

1:43:45.290 --> 1:43:45.740
I guess.

1:43:45.740 --> 1:43:46.370
One, two, three, four.

1:43:46.370 --> 1:43:49.790
Done. By the end of the fourth packet, your actual tunnel is up.

1:43:53.650 --> 1:43:55.180
The first tunnel is completely up.

1:43:55.900 --> 1:43:57.190
What do I mean by that?

1:43:57.220 --> 1:44:06.790
Your traffic will still go from public Alice to public, Bob.

1:44:07.510 --> 1:44:10.360
It will still be on UDP 500 to 500.

1:44:11.020 --> 1:44:12.430
It will still be isakmp.

1:44:15.200 --> 1:44:24.590
But now inside this ISAKMP, it will be encrypted and hashed inside the ISAKMP at layer seven.

1:44:25.340 --> 1:44:29.870
Whatever information you send now will be encrypted using this, not the whole key.

1:44:29.900 --> 1:44:32.480
Obviously, a small amount of this key.

1:44:38.860 --> 1:44:44.940
So whatever you're sending now will be encrypted and the other side will have to decrypt it.

1:44:44.950 --> 1:44:49.480
So the intruder here will not be able to see what's in the fifth packet.

1:44:49.660 --> 1:44:52.330
The first four packets is completely open.

1:44:54.190 --> 1:44:56.600
He will see the policies that are being exchanged.

1:44:56.620 --> 1:44:57.790
He will see the public key.

1:44:57.820 --> 1:45:02.950
He will see the nonce, but he will not see anything else.

1:45:02.980 --> 1:45:03.340
Why?

1:45:03.370 --> 1:45:05.650
Because the fifth packet is important.

1:45:05.680 --> 1:45:07.510
The fifth packet will be used.

1:45:07.510 --> 1:45:08.200
For what?

1:45:11.360 --> 1:45:12.560
PSK.

1:45:13.940 --> 1:45:14.960
Validation.

1:45:16.970 --> 1:45:19.970
Alice is letting Bob know that he is Alice.

1:45:20.000 --> 1:45:25.280
Bob will let Alice know that he is Bob.

1:45:25.310 --> 1:45:25.820
How?

1:45:25.820 --> 1:45:28.220
They will try to exchange the Cisco.

1:45:28.370 --> 1:45:29.240
I'll send him Cisco.

1:45:29.240 --> 1:45:30.260
He will send me Cisco.

1:45:30.290 --> 1:45:31.310
Through the.

1:45:33.590 --> 1:45:33.980
That's me.

1:45:34.370 --> 1:45:35.300
That's encrypted.

1:45:35.300 --> 1:45:35.780
Yes.

1:45:36.230 --> 1:45:38.360
In the fifth packet, what's inside is.

1:45:38.390 --> 1:45:40.650
I can't hear.

1:45:40.730 --> 1:45:41.840
The key will be here.

1:45:44.570 --> 1:45:45.380
The Pre-shared key.

1:45:47.890 --> 1:45:48.800
She's not performing.

1:45:50.070 --> 1:45:52.350
That is something which I want you to do.

1:45:52.410 --> 1:45:54.240
We'll show when we do the practical.

1:45:54.420 --> 1:45:55.680
I want you to do it.

1:45:55.710 --> 1:45:57.060
I'll give you two things to do.

1:45:57.090 --> 1:45:58.500
Hashing and encryption.

1:45:58.650 --> 1:45:59.910
There's a practical I have on it.

1:45:59.910 --> 1:46:01.860
So once you do it, we will see.

1:46:02.070 --> 1:46:02.580
We'll see that.

1:46:02.580 --> 1:46:04.290
Practically which one is done first?

1:46:05.160 --> 1:46:06.300
Hashing or ESP?

1:46:07.840 --> 1:46:08.140
Okay.

1:46:08.280 --> 1:46:09.720
We'll still have to go through the headers.

1:46:09.720 --> 1:46:14.310
We have not gone through the headers because the header and the ESP header, we have to go through that.

1:46:14.310 --> 1:46:17.490
But that is packets seven, eight, nine.

1:46:17.520 --> 1:46:18.720
We'll do that later.

1:46:18.720 --> 1:46:21.960
But do you understand this until packet number six.

1:46:23.520 --> 1:46:25.560
Until the packet number six.

1:46:25.770 --> 1:46:28.590
Fifth and sixth is protected completely.

1:46:29.010 --> 1:46:32.640
So your pre-shared key, no one ever will be able to see it.

1:46:34.880 --> 1:46:37.310
The fifth packet is I am sending you my key.

1:46:37.340 --> 1:46:38.930
Sixth is you are sending me your key.

1:46:40.230 --> 1:46:41.900
I appreciate not the session.

1:46:42.380 --> 1:46:43.790
Not the session session.

1:46:43.790 --> 1:46:44.520
Key is with you.

1:46:44.540 --> 1:46:45.810
You have the session key already.

1:46:45.830 --> 1:46:46.970
You don't need to exchange it.

1:46:48.950 --> 1:46:54.240
By the end of the fourth packet, you have the session key, your actual encryption decryption key.

1:46:54.260 --> 1:46:57.230
You already have it by the end of which packet?

1:46:59.790 --> 1:47:05.880
Fourth packet. My sixth and the seventh packet.

1:47:06.210 --> 1:47:07.050
Let me explain that.

1:47:07.050 --> 1:47:08.130
We still have time.

1:47:08.520 --> 1:47:12.120
My sixth and the seventh packet are simple.

1:47:13.950 --> 1:47:16.680
By the way, the first six packets are known as.

1:47:16.800 --> 1:47:23.160
This mode is known as main mode, also called phase one.

1:47:25.470 --> 1:47:27.540
It's also called phase one exchange.

1:47:29.380 --> 1:47:29.980
Main mode.

1:47:30.430 --> 1:47:31.750
First six packets.

1:47:34.820 --> 1:47:36.560
The other three packets left.

1:47:39.060 --> 1:47:43.620
I called quick mode or also phase two.

1:47:46.030 --> 1:47:46.990
Not the phase two tunnel.

1:47:48.910 --> 1:47:50.260
It's not the phase two tunnel.

1:47:50.680 --> 1:47:59.710
It's the negotiation of the phase two tunnel and negotiated policies until now, only for what?

1:48:00.400 --> 1:48:01.080
Phase one tunnel?

1:48:01.870 --> 1:48:05.980
My phase two policies can be entirely different than the phase one policies.

1:48:10.450 --> 1:48:15.310
Okay, so here I'm using 3DES, right, in the seventh packet.

1:48:15.340 --> 1:48:16.600
Now everything is protected.

1:48:16.600 --> 1:48:20.410
So the good thing is that no one in the world will see what you're negotiating.

1:48:22.390 --> 1:48:25.600
Yes, they can see the ISAKMP exchange, but who cares about that?

1:48:27.160 --> 1:48:29.620
Because the actual stuff is happening after the fifth packet.

1:48:30.790 --> 1:48:33.020
The first few packets are available to anybody.

1:48:33.040 --> 1:48:34.210
Everyone can see that.

1:48:36.340 --> 1:48:36.640
Right.

1:48:36.640 --> 1:48:38.050
So in the sixth packet.

1:48:40.620 --> 1:48:41.580
This is done.

1:48:42.000 --> 1:48:46.590
Then the seventh is the first packet of quick mode, in total three packets.

1:48:46.620 --> 1:48:47.610
Seventh packet.

1:48:47.610 --> 1:48:49.140
I will send him again.

1:48:50.070 --> 1:48:58.500
I want to use, let's say, AES and MD5. We call this transform set.

1:49:03.830 --> 1:49:05.660
Transform set is your phase two.

1:49:07.730 --> 1:49:10.550
Phase two is also known as Transform set phase two.

1:49:10.580 --> 1:49:12.710
What we're using practically is called transform set.

1:49:14.300 --> 1:49:23.030
Basically, I'm saying that for the actual data tunnel, I'm going to be using AES and MD5. What

1:49:23.270 --> 1:49:24.290
am I talking about?

1:49:32.340 --> 1:49:37.690
I'm saying for this tunnel, for the encryption and decryption of this tunnel, I'm going to use MD5

1:49:37.700 --> 1:49:37.770
MD5.

1:49:37.800 --> 1:49:39.720
The other side should agree on the same.

1:49:40.380 --> 1:49:44.730
If he uses DES here, my packets will stop at the eighth packet.

1:49:44.850 --> 1:49:46.260
My exchange is stopped.

1:49:46.290 --> 1:49:47.730
My tunnel is not created.

1:49:49.770 --> 1:49:51.330
My exchange will be stopped right there.

1:49:54.000 --> 1:49:54.230
Okay.

1:49:54.240 --> 1:50:00.360
So here also, both of the sides should agree on AES, that's it.

1:50:00.750 --> 1:50:02.010
Seventh and eight is.

1:50:02.010 --> 1:50:03.180
That's all it is.

1:50:04.260 --> 1:50:05.550
Finish your exchange is done.

1:50:05.790 --> 1:50:08.430
You have negotiated the exchange.

1:50:08.430 --> 1:50:10.470
You know what policies you are using.

1:50:12.420 --> 1:50:14.520
You know that you'll be using AES.

1:50:18.540 --> 1:50:22.380
You know, that will be used, you know, will be used here.

1:50:22.470 --> 1:50:27.870
You know, MD5 is used for hashing, MD5 is used for hashing.

1:50:28.620 --> 1:50:30.300
You have your keying material.

1:50:34.590 --> 1:50:38.760
Both of you have your keying material right now.

1:50:38.760 --> 1:50:42.710
The keying material which was used here is different than the key material used here.

1:50:42.720 --> 1:50:44.700
Why here you were using what?

1:50:48.690 --> 1:50:54.060
So this he gets it from here again, he goes to the keying material, gets it out of there, keeps it

1:50:54.060 --> 1:50:55.050
for the IPsec community.

1:50:58.140 --> 1:50:58.900
Yes.

1:51:00.360 --> 1:51:01.830
Anything related to this?

1:51:03.770 --> 1:51:05.540
So as I was saying this.

1:51:07.140 --> 1:51:07.290
You.

1:51:08.050 --> 1:51:11.280
The second is, would it be the same with the PSK?

1:51:11.790 --> 1:51:14.770
No, it is still again the same.

1:51:15.610 --> 1:51:20.740
I told you it's 1024 bit material right out of that 1024 bit material.

1:51:20.740 --> 1:51:23.620
One half was used for the first key for the first tunnel.

1:51:24.100 --> 1:51:28.510
Then for the second part, another part is removed and used for the second part.

1:51:28.870 --> 1:51:31.990
So the session key and the shared key are the same.

1:51:32.260 --> 1:51:34.540
Just two different words for the same name, the shared.

1:51:34.540 --> 1:51:35.530
What do you mean by shared key?

1:51:36.520 --> 1:51:37.720
There's something called a shared key.

1:51:37.960 --> 1:51:38.710
That's PSK.

1:51:40.210 --> 1:51:41.290
That's not the same.

1:51:42.550 --> 1:51:44.080
That's only for authentication.

1:51:44.080 --> 1:51:45.190
They're not the same.

1:51:45.520 --> 1:51:47.440
That was only the fifth and the sixth packet.

1:51:50.080 --> 1:51:52.060
The shared key has nothing to do with this.

1:51:52.390 --> 1:51:57.490
All the encryption and decryption are done on which keying material answered.

1:51:58.480 --> 1:52:07.480
Which keying material is used for encryption decryption the keying material not your SK even this right

1:52:07.480 --> 1:52:12.430
now, the actual tunnel encryption decryption will be done using the material.

1:52:13.120 --> 1:52:15.160
One part was removed for the first tunnel.

1:52:15.940 --> 1:52:21.670
The second part is removed to negotiate the second tunnel at the end of the eighth packet.

1:52:21.700 --> 1:52:23.780
The ninth packet is just an acknowledgement.

1:52:24.510 --> 1:52:28.540
When I need for the second time I wouldn't need to a second term.

1:52:28.630 --> 1:52:29.170
Why not?

1:52:29.590 --> 1:52:31.090
Because it's already protected, right?

1:52:31.090 --> 1:52:32.890
It's inside now.

1:52:32.890 --> 1:52:34.240
You're not going to use the same tunnel.

1:52:34.240 --> 1:52:37.380
It's a separate new tunnel which is inside the customer.

1:52:37.420 --> 1:52:39.490
No, it's not.

1:52:39.490 --> 1:52:40.930
It's a completely separate tunnel.

1:52:41.440 --> 1:52:43.300
It doesn't work on UDP 500.

1:52:44.830 --> 1:52:48.250
This tunnel that you'll be using here does not work on UDP 500.

1:52:48.250 --> 1:52:53.030
It has a different protocol of working, which is either ESP or AH.

1:52:53.110 --> 1:52:54.640
We will talk about that later.

1:52:57.290 --> 1:53:02.660
For now, you have to understand that this negotiation, which is happening on seven and eight, is

1:53:02.660 --> 1:53:03.620
only to negotiate.

1:53:03.620 --> 1:53:04.880
What kind of protocol?

1:53:05.360 --> 1:53:06.500
Only two things.

1:53:06.530 --> 1:53:07.370
Hashing.

1:53:07.370 --> 1:53:09.170
I don't need authentication anymore.

1:53:09.710 --> 1:53:11.300
Authentication is done already.

1:53:11.780 --> 1:53:12.980
I don't need group anymore.

1:53:13.010 --> 1:53:14.570
That has already been solved.

1:53:15.530 --> 1:53:20.000
The only thing that is supposed to be done here is to make sure you have your 3DES or whatever

1:53:20.330 --> 1:53:25.220
you're using, to negotiate on AES and SHA or MD5, whatever you're using.

1:53:25.340 --> 1:53:26.090
So you choose.

1:53:26.090 --> 1:53:29.030
I'm going to use AES and MD5.

1:53:29.060 --> 1:53:30.530
They match from both ends.

1:53:30.930 --> 1:53:31.280
It's done.

1:53:33.350 --> 1:53:34.280
Any questions?

1:53:35.210 --> 1:53:36.750
These two things are not related.

1:53:36.770 --> 1:53:38.240
How is it secure from the handle?

1:53:39.150 --> 1:53:44.330
I mean, you said these are related in a way, because the first tunnel gives the second

1:53:44.330 --> 1:53:51.440
tunnel the key, the keying material. The black key came out from the first half.

1:53:51.650 --> 1:53:52.700
We use it for the second half.

1:53:52.850 --> 1:53:54.380
That is the one which is used for the second time.

1:53:55.610 --> 1:53:58.040
The whole purpose of the first tunnel is what?

1:53:58.310 --> 1:53:59.060
Excuse me.

1:53:59.510 --> 1:54:01.310
You can ask me if you have anything.

1:54:02.240 --> 1:54:02.690
Yeah.

1:54:03.260 --> 1:54:06.410
The whole purpose of the first tunnel is what?

1:54:08.390 --> 1:54:09.320
To get the key.

1:54:10.460 --> 1:54:14.240
That is the whole purpose plus negotiation.

1:54:14.240 --> 1:54:15.470
I told you two things.

1:54:16.250 --> 1:54:18.170
One is to exchange the key.

1:54:18.170 --> 1:54:22.940
The second is to get what? Forgot?

1:54:24.080 --> 1:54:26.420
The first is to get the key.

1:54:26.450 --> 1:54:36.980
The second is what? To negotiate the policies. That happens before the second tunnel here.

1:54:36.980 --> 1:54:37.820
Also seven and eight.

1:54:37.820 --> 1:54:41.630
I'm doing what? I'm negotiating policies for the second time.

1:54:43.160 --> 1:54:44.480
That is the whole point.

1:54:45.950 --> 1:54:48.470
To get the keys and to negotiate the second tunnel.

1:54:49.850 --> 1:54:52.970
What encryption mechanism am I going to use in the second tunnel?

1:54:53.420 --> 1:54:54.050
Right.

1:54:54.050 --> 1:55:00.020
And what hashing mechanism am I going to use in the second tunnel since that negotiation also needs

1:55:00.020 --> 1:55:01.100
to be protected.

1:55:01.100 --> 1:55:07.910
So I also need a separate set of policies for the first tunnel to protect that negotiation.

1:55:10.210 --> 1:55:10.660
Okay.

1:55:11.800 --> 1:55:17.760
The last packet is only an acknowledgement sent by the first guy saying that everything is okay.

1:55:17.770 --> 1:55:20.680
Just one packet to check if everything is acknowledged.

1:55:20.800 --> 1:55:22.960
Basically saying that I have received everything.

1:55:22.990 --> 1:55:25.960
The other guy knows that the other guy has received everything and he has everything.

1:55:25.960 --> 1:55:27.070
So everything is okay.

1:55:28.390 --> 1:55:29.350
Just an acknowledgement.

1:55:29.350 --> 1:55:31.630
Very small packet from me to the other side.

1:55:34.090 --> 1:55:34.320
Next.

1:55:35.470 --> 1:55:39.520
We will talk more about this second tunnel tomorrow, how it is created.

1:55:41.740 --> 1:55:42.880
This is a black, right?

1:55:42.940 --> 1:55:43.370
Yeah.

1:55:43.560 --> 1:55:45.430
Which mechanism is it?

1:55:45.670 --> 1:55:46.540
Symmetric or?

1:55:47.410 --> 1:55:53.710
The black is symmetrical, but it was generated by the asymmetrical.

1:55:54.070 --> 1:55:54.520
Right.

1:55:54.550 --> 1:55:56.560
Asymmetrical exchange to find the symmetrical.
