1. IPsec Implements security of IP packets at Layer 3 of the OSI model, and can be
used for site-to-site and remote-access VPNs.
2. SSL Secure Sockets Layer (today its successor, TLS) implements security of TCP sessions at
Layer 4 of the OSI model, and can be used for remote-access VPNs (as well as for
securely visiting a web server that supports it via HTTPS).
3. MPLS Multiprotocol Label Switching and MPLS Layer 3 VPNs are provided by a
service provider so that a company with two or more sites has logical connectivity
between the sites over the provider network. This is also a type of VPN (called an
MPLS L3VPN), but it provides separation rather than encryption: the traffic is kept
apart from other customers' traffic, but it is in clear text by default. IPsec can run on
top of the MPLS VPN to add confidentiality (through encryption) and the other benefits
of IPsec to protect the Layer 3 packets. MPLS L3VPNs are not the primary type of VPN
we focus on for the rest of this chapter and book. The primary VPNs that provide
encryption, data integrity, authentication of the peer on the other end of the VPN,
and so on, use IPsec or SSL/TLS.
1. Remote-access VPNs Some users need to build a VPN connection from their
individual computer to the corporate headquarters (or to whatever destination they
want to reach). This is referred to as a remote-access VPN connection. Remote-access
VPNs can use IPsec or SSL/TLS technologies.
2. Site-to-site VPNs The other main VPN implementation is used by companies that
have two or more sites they want to connect securely together (typically across the
Internet) so that each site can communicate with the others. This implementation is
called a site-to-site VPN. Site-to-site VPNs traditionally use the collection of VPN
technologies called IPsec.
4. The four main benefits of an IPsec or SSL VPN
a. Confidentiality
b. Data integrity
c. Authentication
d. Antireplay
5. Confidentiality
1. Only the intended parties can understand the data. Eavesdroppers see only a
scrambled payload (the ciphertext), which is meaningless unless they can decrypt it.
2. With symmetrical algorithms, the key used to encrypt the data is also the key used
to decrypt it, so that key has to be shared secretly between the two VPN peers.
6. Data Integrity
1. An example is downloading an IOS image file from Cisco. Cisco publishes an MD5
(Message Digest 5) value for the file; on the router, run the verify /md5 command
against the downloaded file and compare the result with the published value. This is
how hashing verifies data integrity. Two caveats: the check is only as good as the
source of the published digest (an attacker who can swap the file can also swap an
unauthenticated digest), and MD5 is collision-broken, so prefer a SHA-2 digest
(SHA-256 or SHA-512) when the vendor publishes one.
7. Authentication
1. Pre-shared keys used for authentication only
2. Public and private key pairs used for authentication only
3. User authentication (in combination with remote-access VPNs)
8. Antireplay
1. Means that once a VPN packet has been accepted, a copy of it is not valid a second
time. IPsec implements this with a sequence number in each ESP or AH header and a
sliding window at the receiver, so an attacker who captures valid packets from a VPN
termination point and replays them later gets them dropped.
3. Ciphers
1. Ciphers are also known as algorithms and are used for encryption or decryption.
There are literally hundreds of ciphers, both standards based and proprietary.
2. Common kinds of cipher include the following
a. Substitution This type of cipher substitutes one character for another. The
example earlier used a simple cipher that replaced each letter of the alphabet with
the previous letter. To make it more challenging, we could shift by more than a single
position and substitute only certain letters. The exact method of substitution can be
referred to as the key. If both parties involved in the VPN know the key, they can
both encrypt and decrypt data.
b. Polyalphabetic This is similar to substitution, but instead of using a single
alphabet it uses multiple alphabets and switches between them on some trigger
character in the encoded message.
c. Transposition This uses many different options, including the rearrangement of
letters. For example, if we have the message This is secret, we could write it out (top
to bottom, left to right) as shown in the example below.
4. Keys
1. The key in the example above refers to the instructions for how to reassemble the
characters: in this case, begin at the top-right corner, move clockwise and spiral
inward. A one-time pad (OTP) is a good example of a key that is used only once. With
this method, to encrypt a 32-bit message we use a 32-bit key, also called the pad,
which is used one time only. Each bit of the pad is combined mathematically (XOR)
with the corresponding bit of the message, and the result is our ciphertext, or
encrypted content. The key in this case is the one-time-use pad. The receiver must
also know the pad in order to decrypt the message, and the pad must be truly random
and never reused: reusing a pad lets an eavesdropper cancel it out and learn the XOR
of the two messages. (Another use of the acronym OTP is for a user's one-time
password, which is a different topic from the one-time pad.)
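The substitution and one-time pad ideas above, as an added example that is not part of the original notes. It shows the shift (Caesar) substitution, the brute-force attack that a 26-value keyspace invites, and a one-time pad built from XOR, including what leaks when a pad is reused. The plaintexts and the pad are constructed for the demonstration.

```python
# Added example, not from the original notes: shift substitution, its brute
# force, and a one-time pad. Sample messages are constructed for the demo.
import secrets
import string

ALPHABET = string.ascii_uppercase


def shift_encrypt(plaintext, key):
    """Substitute each letter with the one `key` places later (mod 26).
    Characters that are not letters pass through unchanged."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext, key):
    return shift_encrypt(ciphertext, -key)


def shift_brute_force(ciphertext):
    """The 'key' is one of only 26 shifts, so an eavesdropper tries them all
    and reads off the one that is English. Returns (key, candidate) pairs."""
    return [(k, shift_decrypt(ciphertext, k)) for k in range(26)]


def new_pad(length):
    """A pad must be truly random and at least as long as the message."""
    return secrets.token_bytes(length)


def otp_encrypt(message, pad):
    """One-time pad: XOR each message byte with the corresponding pad byte."""
    if len(pad) < len(message):
        raise ValueError("pad shorter than message")
    return bytes(m ^ k for m, k in zip(message, pad))


def otp_decrypt(ciphertext, pad):
    # XOR is its own inverse, so decryption is the same operation.
    return otp_encrypt(ciphertext, pad)


def two_time_pad_leak(ciphertext_1, ciphertext_2):
    """If the same pad encrypted two messages, XORing the ciphertexts cancels
    the pad and leaves m1 XOR m2: zero wherever the plaintexts agree."""
    return bytes(a ^ b for a, b in zip(ciphertext_1, ciphertext_2))


if __name__ == "__main__":
    c = shift_encrypt("This is secret", 3)
    print(c, shift_brute_force(c)[3])
    pad = new_pad(14)
    c1 = otp_encrypt(b"ATTACK AT DAWN", pad)
    c2 = otp_encrypt(b"ATTACK AT DUSK", pad)
    print(two_time_pad_leak(c1, c2))   # leading zero bytes where the texts agree
```

The brute force is the whole point of the keyspace discussion later in the notes: a key that can be guessed in 26 tries is not a key. The two-time pad leak is why every stream-style construction (OTP, stream ciphers, counter modes) must never reuse its key stream.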
6. Block Ciphers
1. A symmetric key cipher that operates on a group of bits called a block. A block
cipher encryption algorithm takes, for example, a 64-bit block of plaintext and
generates a 64-bit block of ciphertext (DES and 3DES use 64-bit blocks; AES uses
128-bit blocks). With this type of encryption, the same key used to encrypt is also
used to decrypt. Examples of symmetrical block cipher algorithms include the following
a. Advanced Encryption Standard (AES)
b. Triple Data Encryption Standard (3DES)
c. Blowfish
d. Data Encryption Standard (DES)
e. International Data Encryption Algorithm (IDEA)
2. Block ciphers add padding when there is not enough data to fill a full block, so
some overhead is wasted, and the receiver has to validate and strip that padding.
7. Stream Ciphers
1. A symmetric key cipher in which each bit of plaintext is encrypted one bit (or
byte) at a time against the bits of a key stream, also called a cipher digit stream.
The output is a ciphertext stream the same length as the plaintext, so there is less
overhead than with block ciphers. As with a one-time pad, a key stream must never be
reused for two messages.
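The padding overhead of block ciphers and the length-preserving behaviour of stream ciphers, as an added example that is not from the original notes. It implements PKCS#7 padding with the receiver-side validation, and an illustrative key-stream generator (SHA-256 over a key, nonce and counter; an assumption made for the demo, not a standard cipher) to contrast the two. The 16-byte block size is the AES block size; DES and 3DES would use 8.

```python
# Added example, not from the original notes: PKCS#7 padding, its validation,
# and a toy key stream to contrast with stream ciphers.
import hashlib

BLOCK_SIZE = 16   # AES block size in bytes (DES/3DES: 8)


def pkcs7_pad(data, block_size=BLOCK_SIZE):
    """Append n bytes of value n, where 1 <= n <= block_size. A plaintext that
    already fills its last block still gets a whole extra block, so the
    receiver can always distinguish padding from data."""
    n = block_size - (len(data) % block_size)
    return data + bytes([n]) * n


def pkcs7_unpad(data, block_size=BLOCK_SIZE):
    """Strip padding, refusing anything malformed."""
    if len(data) == 0 or len(data) % block_size != 0:
        raise ValueError("length is not a whole number of blocks")
    n = data[-1]
    if n < 1 or n > block_size or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return data[:-n]


def padding_is_valid(data, block_size=BLOCK_SIZE):
    try:
        pkcs7_unpad(data, block_size)
        return True
    except ValueError:
        return False


def block_cipher_output_len(plaintext_len, block_size=BLOCK_SIZE):
    """Ciphertext length with PKCS#7: always at least one byte longer."""
    return (plaintext_len // block_size + 1) * block_size


def keystream(key, nonce, length):
    """Illustrative key stream (assumption, not a standard cipher): SHA-256 of
    key || nonce || counter, concatenated until `length` bytes exist. A short
    key plus a unique nonce expands to as many bytes as the plaintext needs."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def stream_xor(key, nonce, data):
    """Stream-cipher style encryption/decryption: no padding, same length."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


if __name__ == "__main__":
    print(len(pkcs7_pad(b"A" * 16)), block_cipher_output_len(16))   # 32 32
    c = stream_xor(b"k" * 16, b"nonce-1", b"same length as input")
    print(len(c), stream_xor(b"k" * 16, b"nonce-1", c))
```

Never tell a network peer whether a decryption failed because of bad padding rather than some other reason: distinguishing the two is what a padding-oracle attack needs, which is why modern IPsec and TLS suites use authenticated encryption and check the integrity tag before looking at padding at all.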
9. Symmetric
1. Again, a symmetric encryption algorithm, also known as a symmetrical cipher, uses
the same key to encrypt and decrypt. Both VPN termination points require the same
key or keys.
2. Examples
a. DES
b. 3DES
c. AES
d. IDEA
e. RC2, RC4, RC5, RC6
f. Blowfish
3. Symmetrical ciphers do most of the work today, especially for the bulk of our data,
because they need far less CPU than asymmetrical ciphers. The longer the key, the
more secure. The book's guidance is a minimum key length of 80 bits, with typical
lengths anywhere from 40 to 256 bits; current guidance (NIST SP 800-131A) treats 112
bits of security strength as the floor, so in practice that means AES with a 128-bit
or 256-bit key, while DES (56 bits) and 40-bit export keys are considered broken.
Bigger is better.
10.Asymmetric
1. Public key algorithms are an example of asymmetric ciphers (asymmetric encryption
algorithms). Instead of using the same key for encryption and decryption, we use two
different keys that mathematically work together as a pair. Let's call these keys the
public key and the private key. Together they make a key pair. Let's put these keys
to use with an analogy.
2. Picture a cargo container with two key holes, a large one and a small one. If we
lock the container with the small key hole and its key, the only way to unlock it is
with the big key and key hole. If we lock the container with the large key hole, the
only way to unlock it is with the small key. Because asymmetric ciphers take so much
CPU, we usually use them only for things such as authenticating a VPN peer or
generating keying material that we then use with our symmetrical ciphers (encryption
algorithms).
3. It's called public key cryptography because we allow one of these keys to be
published and made available to anyone who wants to use it (the public key). The
other key in the key pair is the private key, and it is known only to the device that
owns the public-private key pair. An example is visiting a secure website: your PC has
access to the server's public key, and the server is the only one that knows the
private key. SSL is covered later in this chapter, and again in more detail in the
Public Key Infrastructure (PKI) chapter.
11.Hashes
1. A hash (also called a digest or message digest) is calculated from some data with a
one-way function: the same data always produces the same hash, but the hash cannot
be reversed to recover the data. That is what makes it usable for verifying data
integrity.
2. For example, the sender calculates a hash of the data and sends the hash with each
packet. The receiver runs the same hashing algorithm; if the result does not match,
the data has lost its integrity.
3. The three most popular types of hash are as follows
a. Message Digest 5 (MD5) This creates a 128-bit digest
b. Secure Hash Algorithm 1 (SHA-1) This creates a 160-bit digest
c. Secure Hash Algorithm 2 (SHA-2) Options include a digest between 224 bits
and 512 bits
4. With encryption and cryptography, and now hashing, bigger is better and more bits
equals better security. MD5 and SHA-1 both have practical collision attacks, so
SHA-2 is the choice for anything new.
5. A plain hash only protects against accidental corruption: anyone who modifies the
packet can simply recompute the hash. Hashed Message Authentication Code (HMAC)
fixes this by mixing a secret key into the hash calculation, so packets cannot be
changed in transit without detection, and only the parties holding the secret key can
produce or correctly verify the hash.
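The image-digest check and the hash-versus-HMAC distinction above, as an added example that is not part of the original notes. It uses only the Python standard library; the "downloaded file" contents, the packet payloads and the shared key are constructed for the demonstration, and the tampering step is a generic in-path attacker, not a description of any specific tool.

```python
# Added example, not from the original notes: integrity with a plain digest
# versus an HMAC. File contents, payloads and key are constructed.
import hashlib
import hmac


def digest_matches(data, published_hex, algorithm="md5"):
    """Offline equivalent of the IOS `verify /md5` step: hash what we received
    and compare it with the digest the vendor published. compare_digest avoids
    leaking how many leading characters matched through timing."""
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual, published_hex.lower())


def plain_hash_tag(payload):
    """Sender appends an unkeyed SHA-256 digest to each packet."""
    return hashlib.sha256(payload).digest()


def plain_hash_ok(payload, tag):
    return hmac.compare_digest(plain_hash_tag(payload), tag)


def hmac_tag(key, payload):
    """Sender appends HMAC-SHA256 over the packet, keyed with a shared secret."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def hmac_ok(key, payload, tag):
    return hmac.compare_digest(hmac_tag(key, payload), tag)


def tamper(payload):
    """An attacker in the path rewrites the amount in the packet."""
    return payload.replace(b"amount=100", b"amount=900")


def attack_plain_hash(payload, tag):
    """With a plain hash the attacker just recomputes the digest for the
    altered packet, and the receiver's check passes."""
    new_payload = tamper(payload)
    return new_payload, plain_hash_tag(new_payload)


def attack_hmac(payload, tag):
    """Without the key the attacker cannot produce a new tag; the best it can
    do is forward the old one, which the receiver rejects."""
    return tamper(payload), tag


if __name__ == "__main__":
    print(digest_matches(b"abc", "900150983cd24fb0d6963f7d28e17f72"))   # True
    payload = b"transfer amount=100 to=bob"
    p, t = attack_plain_hash(payload, plain_hash_tag(payload))
    print("plain hash fooled:", plain_hash_ok(p, t))                    # True
    key = b"shared-vpn-key"
    p, t = attack_hmac(payload, hmac_tag(key, payload))
    print("hmac fooled:", hmac_ok(key, p, t))                           # False
```

The digest constants in the test are the standard MD5 and SHA-256 test vectors for the string "abc". The same compare_digest habit applies whenever a secret-derived value is compared on a server.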
13.Digital Signatures
1. Digital signatures provide three core benefits
a. Authentication
b. Data integrity
c. Nonrepudiation
contained each other's public keys. Bob and Lois do not just trust any
certificate, but they do trust certificates that are digitally signed by a CA that
they trust. This also implies that, to verify digital signatures from the CA, both
Bob and Lois need the CA's public key. Most browsers today ship with the built-in
certificates and public keys of the mainstream Internet CAs.
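The key-pair analogy from the Asymmetric section and the Bob/Lois/CA trust relationship above, as one added example that is not part of the original notes. It uses textbook RSA both ways (encrypt with the public key, decrypt with the private key; sign with the private key, verify with the public key) and has a CA sign a minimal certificate that binds a name to a public key, which Bob checks before trusting Lois's signature. The primes are an assumption: Mersenne primes are hard-coded so the arithmetic is visible without a prime generator, and the names are constructed.

```python
# Added example, not from the original notes: textbook RSA and a toy CA.
import hashlib

E = 65537
# Assumption: Mersenne primes stand in for randomly generated primes so the
# example needs no prime generator. Toy only. Real keys use random primes of
# 1024+ bits each and OAEP/PSS padding; never reuse these parameters.
CA_PRIMES = (2**521 - 1, 2**127 - 1)
LOIS_PRIMES = (2**607 - 1, 2**107 - 1)


def make_keypair(p, q, e=E):
    """Returns (public_key, private_key) as (n, e) and (n, d)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))      # modular inverse of e
    return (n, e), (n, d)


def encrypt(public_key, message):
    """Lock with the public key hole: only the private key opens it."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext):
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _hash_as_int(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private_key, message):
    """Lock a hash of the message with the private key hole: anyone with the
    public key can open it and compare, but only the owner could have made it."""
    n, d = private_key
    return pow(_hash_as_int(message), d, n)


def verify(public_key, message, signature):
    n, e = public_key
    return pow(signature, e, n) == _hash_as_int(message)


def _cert_body(subject, n, e):
    return f"{subject}|{n}|{e}".encode()


def issue_certificate(ca_private_key, subject, subject_public_key):
    """The CA binds a name to a public key by signing both together."""
    n, e = subject_public_key
    return {"subject": subject, "n": n, "e": e,
            "signature": sign(ca_private_key, _cert_body(subject, n, e))}


def verify_certificate(ca_public_key, cert):
    body = _cert_body(cert["subject"], cert["n"], cert["e"])
    return verify(ca_public_key, body, cert["signature"])


def bob_accepts(ca_public_key, lois_cert, message, signature):
    """Bob holds only the CA's public key. He first checks the CA's signature
    on Lois's certificate, then uses the key inside it to check her signature."""
    if not verify_certificate(ca_public_key, lois_cert):
        return False
    return verify((lois_cert["n"], lois_cert["e"]), message, signature)


if __name__ == "__main__":
    ca_pub, ca_priv = make_keypair(*CA_PRIMES)
    lois_pub, lois_priv = make_keypair(*LOIS_PRIMES)
    cert = issue_certificate(ca_priv, "lois.example", lois_pub)
    sig = sign(lois_priv, b"pay bob 100")
    print(bob_accepts(ca_pub, cert, b"pay bob 100", sig))   # True
    print(bob_accepts(ca_pub, cert, b"pay bob 900", sig))   # False
```

The encrypt/decrypt pair is what a VPN or TLS peer historically used to move a symmetric session key; the sign/verify pair is what it still uses to authenticate the peer. Changing one character of the message or of the certificate body makes verification fail, and nothing here can be forged without d.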
15.Key Management
1. Symmetric keys are used with symmetric algorithms such as encryption and HMAC.
2. Asymmetric keys (public-private key pairs) are used with asymmetric algorithms
such as digital signatures, among other things.
3. Key management covers
a. generating keys
b. verifying keys
c. exchanging keys
d. storing keys
e. end of lifetime, destroying keys
4. Keyspace refers to all the possible values a key can take. A longer key means a
bigger keyspace, which is harder to brute force but costs more CPU.
17.IPsec
1. A collection of protocols and algorithms to protect IP packets at Layer 3
a. Confidentiality through encryption
b. Data integrity through hashing and HMAC
c. Authentication using digital signatures or Pre-Shared Keys (PSK)
2. Summary of IPsec
a. ESP and AH The two primary protocols for implementing IPsec. Encapsulating
Security Payload (ESP) can provide all of the features of IPsec. Authentication
Header (AH) provides integrity, authentication and antireplay (and also covers the
outer IP header, which is why it does not survive NAT), but not the important one,
encryption of the data. For that reason we do not frequently see AH being used.
b. Encryption algorithms for confidentiality DES, 3DES, AES
c. Hashing algorithms for integrity MD5, SHA (used in HMAC form)
d. Authentication methods Pre-shared keys (PSK), RSA digital signatures
e. Key management An example is Diffie-Hellman (DH), which lets the two peers
dynamically generate symmetrical keys across an untrusted network for use by the
symmetrical algorithms. PKI supports digital certificates issued by trusted CAs.
Internet Key Exchange (IKE) does most of the negotiation (of algorithms, keys and
peer authentication) and management needed for IPsec to operate.
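The DH key generation and PSK authentication summarised above, as an added example that is not from the original notes and is a simplification rather than the IKE protocol itself. Two peers agree on a shared secret using only public values, derive encryption and integrity keys from it, and each proves knowledge of the pre-shared key over the exchange transcript with an HMAC. The modulus, generator and key-derivation scheme are assumptions chosen to keep the code short; real deployments use the standardised DH groups (RFC 3526 or elliptic-curve groups) and IKE's own PRF-based derivation.

```python
# Added example, not from the original notes: simplified DH plus PSK
# authentication. Parameters are toy values, not an IKE group.
import hashlib
import hmac
import secrets

P = 2**521 - 1                      # assumption: toy prime modulus
G = 5                               # assumption: toy generator
PUB_LEN = (P.bit_length() + 7) // 8


def valid_public_value(y):
    """Reject 0, 1 and p-1: a peer sending those forces a trivial secret."""
    return 1 < y < P - 1


def dh_keypair():
    private = secrets.randbelow(P - 3) + 2          # exponent in 2..p-2
    return private, pow(G, private, P)              # (private, public)


def dh_shared_secret(my_private, peer_public):
    if not valid_public_value(peer_public):
        raise ValueError("invalid DH public value from peer")
    return pow(peer_public, my_private, P)


def derive_keys(shared, transcript):
    """Simplified KDF (assumption): hash the shared secret with the transcript,
    then expand into separate encryption and integrity keys."""
    base = hashlib.sha256(shared.to_bytes(PUB_LEN, "big") + transcript).digest()
    enc_key = hmac.new(base, b"encryption", hashlib.sha256).digest()
    mac_key = hmac.new(base, b"integrity", hashlib.sha256).digest()
    return enc_key, mac_key


def auth_tag(psk, role, transcript):
    """Proof of PSK knowledge bound to this exact exchange."""
    return hmac.new(psk, role + transcript, hashlib.sha256).digest()


def run_exchange(initiator_psk, responder_psk):
    """Both peers' steps in order. Returns what each side concludes."""
    i_priv, i_pub = dh_keypair()                    # initiator -> responder
    r_priv, r_pub = dh_keypair()                    # responder -> initiator
    transcript = i_pub.to_bytes(PUB_LEN, "big") + r_pub.to_bytes(PUB_LEN, "big")
    i_tag = auth_tag(initiator_psk, b"initiator", transcript)
    r_tag = auth_tag(responder_psk, b"responder", transcript)
    # Each side recomputes the other's tag with its own copy of the PSK.
    responder_accepts = hmac.compare_digest(
        i_tag, auth_tag(responder_psk, b"initiator", transcript))
    initiator_accepts = hmac.compare_digest(
        r_tag, auth_tag(initiator_psk, b"responder", transcript))
    i_keys = derive_keys(dh_shared_secret(i_priv, r_pub), transcript)
    r_keys = derive_keys(dh_shared_secret(r_priv, i_pub), transcript)
    return {
        "authenticated": initiator_accepts and responder_accepts,
        "keys_match": i_keys == r_keys,
        "initiator_keys": i_keys,
        "responder_keys": r_keys,
    }


if __name__ == "__main__":
    print(run_exchange(b"our-psk", b"our-psk")["authenticated"])    # True
    print(run_exchange(b"our-psk", b"other-psk")["authenticated"])  # False
```

Note what the mismatched-PSK case shows: DH still produces matching keys on both ends, because DH alone agrees a key with whoever is on the other side of the wire. Authentication (PSK here, RSA signatures in the alternative the notes list) is what binds that key to the intended peer and defeats a man in the middle.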
18.SSL
1. You could use IPsec to do your banking, but not everyone has an IPsec client or
software. Even if they did, not everyone has a digital certificate or a PSK they could
successfully use for authentication.
2. SSL can be used for encryption and authentication, and almost every web browser
supports it.
3. To use SSL the user connects to an SSL server, another way of saying that the user
connects to a web server that supports SSL by using HTTPS rather than HTTP. The
protocol actually in use today is Transport Layer Security (TLS), the successor of
SSL; SSL 2.0 and 3.0 are deprecated (RFC 6176 and RFC 7568) and should be disabled,
though the name SSL is still used loosely.
4. The browser asks the web server to identify itself. The server sends the browser a
copy of its SSL certificate, and the browser checks whether it trusts the certificate
by verifying the CA's digital signature on it, using the method for verifying a digital
signature discussed earlier; it also checks that the name in the certificate matches
the site requested and that the certificate has not expired. If the certificate is not
trusted, a warning pops up asking whether you want to continue. You shouldn't continue.
5. If the certificate is trusted, the browser now has access to the server's public key
contained in the certificate.
6. Usually the server does not require the browser to prove who it is with a
certificate of its own; instead the web application uses some type of user
authentication, such as a username and password, to verify who the user is.
7. Within the handshake, before any user login, several additional exchanges occur
between browser and server as they agree on the encryption algorithm they will use
and the keys they will use to encrypt and decrypt the data. In older TLS versions the
browser encrypted a pre-master secret with the server's public key; in TLS 1.3 that
RSA key transport is gone, the keys come from an ephemeral Diffie-Hellman exchange,
and the server's key is used only to sign it.
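The certificate check described in steps 4 and 5, as an added example that is not from the original notes: the Python standard-library ssl module configured the wrong way (certificate not checked at all, the equivalent of clicking through the warning) beside the hardened configuration (CA signature verified, hostname matched, SSL and TLS 1.0/1.1 refused). The `fetch_server_certificate` helper is the only part that needs a network and is not exercised offline; host and port are placeholders for whatever site you test.

```python
# Added example, not from the original notes: weak versus hardened TLS client
# settings using Python's standard ssl module.
import socket
import ssl
from typing import Optional


def insecure_client_context():
    """What 'continue anyway' amounts to: any certificate is accepted, so an
    attacker in the path can present their own key and read everything."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_bundle: Optional[str] = None):
    """CA signature checked against the trust store, hostname matched against
    the certificate, and nothing older than TLS 1.2 negotiated."""
    ctx = ssl.create_default_context(cafile=ca_bundle)   # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_safe(ctx):
    """The three properties a reviewer checks in any TLS client config."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def fetch_server_certificate(host, port=443, ctx=None):
    """Network step (not run offline): complete the handshake and return what
    the browser would have learned. With the hardened context an untrusted,
    expired or mismatched certificate raises ssl.SSLCertVerificationError
    instead of asking the user."""
    ctx = ctx or hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return {"protocol": tls.version(),
                    "cipher": tls.cipher(),
                    "peer_certificate": tls.getpeercert()}


if __name__ == "__main__":
    print(context_is_safe(insecure_client_context()))   # False
    print(context_is_safe(hardened_client_context()))   # True
```

The same three properties apply to any client library: verification on, hostname checked, minimum version pinned. A client that disables the first to "fix" a certificate error has removed the server authentication step entirely and is left with encryption to an unknown party.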
Table 17-2 VPN Components

Component                          | Function                                                          | Examples of Use
Symmetrical encryption algorithms  | Use the same key for encrypting and decrypting data               | DES, 3DES, AES, IDEA
Asymmetrical encryption            | Uses a public and private key; one key encrypts the data and the  | RSA, Diffie-Hellman
                                   | other key in the pair is used to decrypt                          |
Digital signature                  | Private key signs a hash of the data; the public key verifies it  | RSA signatures
Diffie-Hellman key exchange        | Two peers derive a shared symmetric key over an untrusted network | Diffie-Hellman
Confidentiality                    | Encryption algorithms provide this by turning clear text into     | DES, 3DES, AES, RSA, IDEA
                                   | cipher text                                                       |
Data integrity                     | Hashing (HMAC) shows whether data was altered in transit          | MD5, SHA-1
Authentication                     | Proves the identity of the VPN peer                               | Pre-shared keys, RSA signatures
Key topics in this chapter (book page references)
What is a VPN? (text) - page 426
VPN technologies (list) - page 427
Hashes (text) - page 434
Digital signatures (text) - page 435
Further key topics whose titles were not captured in these notes: pages 427, 430, 432, 434, 436
NTP server settings (configuration dialog fields)
IP Address  Add the IP address of the NTP server. (This may be the IP address of a publicly available NTP server or an internal server on your network.)
Interface  (no description captured)
Preferred  If you have entered multiple servers and require this one to be preferred over the others, select this option. However, depending on the accuracy of the servers, if another server's time is more accurate than the preferred one, it is used instead.
Key Number  Select from the list or enter a number for this authentication key.
Trusted  (no description captured)
Key Value  Enter the Message Digest 5 (MD5) key used by the server for authentication.
Re-Enter Key Value  Enter the same key value again to confirm it.
Note that this keyed MD5 digest only lets the client check that replies come from a server holding the key (the same keyed-hash idea as HMAC above); it does not encrypt the time data.