Defining VPN Encryption

Describing Public-Key Infrastructure (PKI)

To ensure that the VPN is secure, limiting user access is only one piece of the puzzle; once the user is authenticated, the data itself needs to be protected as well. Without a mechanism to provide data privacy, information flowing through the channel will be transmitted in clear text, which can easily be viewed or stolen with a packet sniffer.

The type of encryption available is highly varied but there are two basic cryptographic systems: symmetric and asymmetric. Symmetric cryptography tends to be much faster to deploy, are commonly used to exchange large volumes of data between two parties who know each other, and use the same private key to encrypt and decrypt data.

Asymmetric systems (public-key) are more complex and require a pair of mathematically related keys - one public and one private (known only to the recipient). This method is often used for smaller, more sensitive packets of data, or during the authentication process.

Generally, longer encryption keys are stronger. An algorithm’s bit length determines the amount of effort required to crack the system using a brute force attack, where computers are combined to calculate all the possible key permutations. The XSR offers several encryption schemes:

•Data Encryption Standard (DES): a 20-year old, thoroughly tested system that uses a complex symmetric algorithm with a 56-bit key, but is considered less secure than recent systems.

•Triple DES (3DES): uses three DES passes and an effective key length of 168 bits, thus strengthening security.

•Diffie-Hellman: the first public-key cryptosystem, is used to generate asymmetric (secret) keys, not encrypt and decrypt messages.

•Advanced Encryption Standard (AES): the anticipated replacement for DES, supports a 128-bit block cipher using a 128-, 192-, or 256-bit key.

•RSA signatures: an asymmetric public-key cryptosystem used for authentication by creating a digital signature.

Describing Public-Key Infrastructure (PKI)

PKI is a scalable platform for secure user authentication, data confidentiality, integrity, and non- repudiation. It can be applied to allow users to use insecure networks in a secure and private way. PKI relies on the use of public key cryptography, digital certificates, and a public-private key pair.

Digital Signatures

Encryption and decryption address eavesdropping, one of the three Internet security issues mentioned at the beginning of this chapter. But encryption and decryption, by themselves, do not address tampering and impersonation.

Tamper detection and related authentication techniques rely on a mathematical function called a one-way hash (also called a message digest). A one-way hash is a number of fixed length with the following characteristics:

•The hash value is unique for the hashed data. Any change in the data, even deleting or altering a single character, results in a different value.

•The content of the hashed data cannot, for all practical purposes, be deduced from the hash - which is why it is called one-way.

It is possible to use your private key for encryption and public key for decryption. Although this is not desirable when you are encrypting sensitive data, it is a crucial part of digitally signing any

Enterasys Networks X-PeditionTM Describing Public-Key Infrastructure PKI, Defining VPN Encryption

Models: X-PeditionTM