Securing Virtual Private Networks (VPN), Page 2
Asymmetric encryption, or public key encryption, depends on a pair of keys called the public key and the private key; hence the name. The keys are selected such that data encrypted with one key can be decrypted only with the other, and vice versa. Of the two keys, one is made known to everybody and is called the public key. The other is kept private for decrypting and is called the private key. For example, our e-mail account has a public e-mail address that we give to anyone we choose, but we do not tell the password to anyone.
Suppose a person named Linda is a broker and she gets a request mail from James Anderson for buying some stock shares for his company. She makes all the arrangements and sends a confirmation mail to James. In the end, she sends a bill to him for the payment; at this point, James completely denies that he ever sent a mail to Linda for any stock shares. Now what should Linda do? She is in extreme trouble because there is nothing to prove that James was the actual e-mailer.
The solution is provided by the use of public key encryption. If Linda has encrypted the data with a public key, it can be decrypted only through Linda's private key, which should be told only to James; so when James replies to the confirmation mail for the shares, it is known for sure that the answering person is none other than James Anderson, and he is caught. This is source authentication.
If we use a hashing scheme, such as MD5, on our data, generate a hash value for it at the source computer, and send it along with the data to the target, the destination computer will also compute its own hash code for the received data. If the hash generated by the destination is the same as the one received from the source, our data integrity is preserved; in other words, the data has reached its destination without any change or loss. This hash code is called a digital signature when sent with e-mail data.
- Data Integrity
- Data origin authentication
- Replay prevention
- Limited traffic flow confidentiality
Replay prevention means that if somebody gets to know the keys by some means and resends your messages, or if someone gets to know the user name and password of your account, he or she can directly learn all your important business transactions and deals with others and can enjoy full authority to make other deals with them on your account using your name.
IKE is the mechanism in IPSec by which keys are exchanged. It is a hybrid protocol that implements the Oakley and SKEME key exchanges inside the ISAKMP framework. While IKE can be used with other protocols, its initial implementation is with the IPSec protocol. IKE provides authentication of the IPSec peers, negotiates IPSec keys, and negotiates IPSec security associations. The main features of IKE are as follows:
- Negotiates policy to protect communication
- Authenticated Diffie-Hellman key exchange
- Negotiates (possibly multiple) security associations (SA) for IPSec.
Diffie-Hellman is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communication channel. Diffie-Hellman is used within IKE to establish session keys. 768-bit and 1024-bit Diffie-Hellman groups are supported.
A Security Association (SA) combines the agreed-upon principles for VPN communication. This is done by IKE. The secret key exchange is the main process, because it is what secures the data to be delivered.
ISAKMP + Oakley is the IKE policy that we define to start the encryption process. The Internet Security Association and Key Management Protocol (ISAKMP) is a protocol framework that defines payload formats, the mechanics of implementing a key exchange protocol, and the negotiation of a security association. Oakley is a key exchange protocol that defines how to derive authenticated keying material. SKEME is a key exchange protocol that defines how to derive authenticated keying material, with rapid key refreshment.
MD5 (Message Digest 5) is a hash algorithm used to authenticate packet data. HMAC is a variant that provides an additional level of hashing. The Data Encryption Standard (DES) is used to encrypt packet data. IKE implements the 56-bit DES-CBC with Explicit IV standard. The authentication header is used for data integrity and source authentication, whereas the encapsulating security protocol is used for confidentiality.
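A simplified receiver-side model of three of the services listed above (data integrity, data origin authentication, replay prevention), using HMAC with MD5 as named in this section. This is an added example, not code from the original article and not the AH wire format; the key, the packet layout (32-bit sequence number, payload, 16-byte tag) and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

SHARED_KEY = b"constructed-demo-key"  # constructed; IPSec peers get theirs via IKE
TAG_LEN = 16                          # MD5 digest size in bytes

def protect(seq: int, payload: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Sender: 32-bit sequence number + payload, then HMAC-MD5 over both."""
    body = struct.pack("!I", seq) + payload
    return body + hmac.new(key, body, hashlib.md5).digest()

class Receiver:
    """Verifies the keyed hash first, then rejects sequence numbers already seen."""
    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.seen = set()  # simplification: real stacks keep a bounded sliding window

    def accept(self, packet: bytes):
        if len(packet) < 4 + TAG_LEN:
            return None, "too short"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.md5).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return None, "bad integrity check"
        (seq,) = struct.unpack("!I", body[:4])
        if seq in self.seen:
            return None, "replayed"
        self.seen.add(seq)                           # only authenticated packets count
        return body[4:], "ok"

def demo():
    rx = Receiver()
    pkt = protect(1, b"BUY 100 shares")              # constructed sample message
    tampered = bytearray(protect(2, b"BUY 100 shares"))
    tampered[8] ^= 0x01                              # one bit changed in transit
    other_key = protect(3, b"BUY 100 shares", key=b"not-the-shared-key")
    return [
        rx.accept(pkt),               # first delivery
        rx.accept(pkt),               # identical packet delivered again
        rx.accept(bytes(tampered)),   # payload no longer matches the tag
        rx.accept(other_key),         # sender does not hold the shared key
    ]

if __name__ == "__main__":
    for payload, status in demo():
        print(status, payload)
```

The sequence number is covered by the keyed hash, so changing it to slip past the replay check also fails the integrity check.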