Cisco IP Security
IPSec is used for authentication and encryption of IP traffic. It is a tunnelling protocol that runs either in transport mode (like a traditional VPN) or in tunnel mode (a secure hop between gateways). It works by exchanging IKE (Internet Key Exchange) messages and agreeing on the session parameters (encryption type, mode). Once the peers agree, the tunnel is established and secure traffic can flow.
The Cisco IPSec feature operates at Layer 3, the network layer. It is a framework of open standards that defines rules for secure communications, protecting and authenticating IP packets between IPSec peers. IPSec can protect all application traffic, because the protection can be applied from layer 4 to layer 7 while the layer 3 header stays in plaintext. It works over all layer 2 protocols, such as Ethernet, ATM, Frame Relay, Synchronous Data Link Control (SDLC) and High-Level Data Link Control (HDLC).
IPSec services include:
- Confidentiality by encryption
- Data integrity
- Authentication using preshared keys (PSK), digital certificates, Internet Key Exchange (IKE)
- Anti-replay protection
NAT Traversal allows IP packets protected by IPSec to pass through a NAT. However, there is a problem using NAT with VPN on Windows XP.
Summary of Encryption Standards
There are three phases of IPSec, each using the different encryption standards:
- Setup
- Authentication of device/user
- Authentication of payload
Data Encryption Standard (DES) algorithm
- created by IBM
- based on a 56-bit key
- symmetric
Triple DES (3DES) algorithm
- variant of DES
- data is broken into three 64-bit blocks
- processes each block three times with a separate 56-bit key
- symmetric
Advanced Encryption Standard (AES)
- NIST has adopted AES to replace DES in cryptographic devices
- stronger than DES and more computationally efficient than 3DES
- three different key lengths available: 128-, 192- and 256-bit keys
Rivest, Shamir, and Adleman (RSA)
- asymmetric
- uses key lengths of 512, 768, 1024 bits and larger
- not used in IPSec
MD5
- message digest 5 (MD5)
- a 128-bit shared key is combined with the message and run through the HMAC-MD5 hash
- outputs a 128-bit hash that is appended to the original message and forwarded on
Secure Hash Algorithm 1 (SHA-1)
- uses a 160-bit shared key
- takes a variable-length message and the 160-bit shared key, runs them through the HMAC-SHA1 hash algorithm to get a 160-bit hash
- appends the hash to the original message and forwards it to the remote end
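The append-and-verify step described for HMAC-MD5 and HMAC-SHA1 above, as an added example that is not part of the original notes: the sender appends the keyed hash, the receiver recomputes it with the same shared key, and any in-flight change to the message or a mismatched key makes verification fail. The shared keys and the packet body are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample keys for this example (not from the page).
SHARED_KEY_SHA1 = bytes.fromhex("00112233445566778899aabbccddeeff00112233")  # 160-bit key
SHARED_KEY_MD5 = bytes.fromhex("00112233445566778899aabbccddeeff")          # 128-bit key


def protect(message: bytes, shared_key: bytes, algo: str = "sha1") -> bytes:
    """Sender side: run message and shared key through HMAC-<algo>, append the tag."""
    tag = hmac.new(shared_key, message, algo).digest()   # 20 bytes for SHA-1, 16 for MD5
    return message + tag


def verify(protected: bytes, shared_key: bytes, algo: str = "sha1"):
    """Receiver side: split off the trailing tag, recompute it, compare in constant time.

    Returns (ok, message). Constant-time comparison avoids leaking how many tag
    bytes matched through timing.
    """
    tag_len = hashlib.new(algo).digest_size
    if len(protected) < tag_len:
        return False, b""
    message, received_tag = protected[:-tag_len], protected[-tag_len:]
    expected_tag = hmac.new(shared_key, message, algo).digest()
    return hmac.compare_digest(received_tag, expected_tag), message


def tamper_in_flight(protected: bytes, byte_index: int = 0) -> bytes:
    """Simulate an on-path modification: flip one bit of the packet body."""
    mutated = bytearray(protected)
    mutated[byte_index] ^= 0x01
    return bytes(mutated)


def demo() -> dict:
    """Show the three outcomes a receiver can see: intact, modified, wrong key."""
    packet = protect(b"constructed packet body", SHARED_KEY_SHA1)
    return {
        "intact": verify(packet, SHARED_KEY_SHA1)[0],
        "modified": verify(tamper_in_flight(packet), SHARED_KEY_SHA1)[0],
        "wrong_key": verify(packet, bytes(20))[0],
        "md5_intact": verify(protect(b"x", SHARED_KEY_MD5, "md5"), SHARED_KEY_MD5, "md5")[0],
    }


if __name__ == "__main__":
    print(demo())
```

Note that IPSec itself truncates these HMAC tags to 96 bits on the wire (HMAC-MD5-96 and HMAC-SHA-1-96, RFC 2403 and RFC 2404); this example keeps the full-length tag the notes describe.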
Symmetric Encryption - the same key is used for encryption and decryption; the same key is configured on both computers (sender and receiver)
Asymmetric Encryption - one key is used to encrypt, another key to decrypt
Public key encryption
- a variant of symmetric encryption.
- recipient gives public key to sender
- sender uses private key and public key to encrypt message
- sender shares public key with recipient
- to decrypt the message, recipient will use public key of sender and own private key
There are two main IPSec frameworks:
Authentication Header AH
- provides data authentication and integrity of IP packets
- when confidentiality is not required or possible
- text transmitted in the clear
Encapsulating Security Payload (ESP)
- provides confidentiality and authentication by encrypting the IP packet, concealing the data and the source/destination
- ESP authenticates the inner IP packet and ESP header
Thank you for listing all the basic algorithms which are known so far. You have provided very short details about each one of them. This article is good for those who are aware of these algorithms.