length from a security point of view is only 112 bits.

Symmetric Encryption: AES
AES, often referred to as the Rijndael cipher (pronounced "Rhine dahl"), is a block cipher that was adopted as an encryption standard by the U.S. government. AES is expected to be used worldwide and analyzed extensively, as was the case with its predecessor, DES. AES is also faster and more secure than 3DES. The cipher was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, and submitted to the AES selection process under the name "Rijndael." AES is not exactly the same as the original Rijndael, because Rijndael supports a larger range of block and key sizes: AES has a fixed block size of 128 bits and a key size of 128, 192, or 256 bits, whereas Rijndael can be specified with key and block sizes in any multiple of 32 bits, with a minimum of 128 bits and a maximum of 256 bits. The National Security Agency (NSA) reviewed all the ciphers that were submitted as finalists to the AES selection process, including Rijndael, and stated that all of the finalists were secure enough for U.S. government non-classified data. In June 2003, the U.S. government announced that AES can be used for classified information; this marked the first time that the public has had access to a cipher approved by the NSA for top secret information. Note that many public products use 128-bit keys by default, which is the size approved for classified information up to the SECRET level; TOP SECRET requires 192- or 256-bit keys.
3.1 Introducing VPN Technology
3.1.9 Asymmetric Encryption

Two asymmetric algorithms used for IPsec are Diffie-Hellman (DH) and RSA. Cisco devices use RSA and Diffie-Hellman every time a new IPsec tunnel is established: RSA authenticates the remote device, while Diffie-Hellman exchanges the keys that are used for encryption. The Integrated Services Adapter (ISA) implements these protocols in specialized hardware to ensure fast tunnel setup and high overall encryption throughput.

RSA (named after its designers Rivest, Shamir, and Adleman) is an algorithm for public key encryption and was the first algorithm known to be suitable for signing as well as encryption. RSA was one of the first great advances in public key cryptography. The security of the RSA cryptosystem rests on two mathematical problems: factoring very large numbers, and the RSA problem itself (recovering the plaintext from a ciphertext and the public key alone). Full decryption of an RSA ciphertext without the private key is thought to be infeasible because both of these problems are believed to be hard, and no efficient algorithm for solving them is known. No polynomial-time method for factoring large integers on a classical computer has been found, but it has not been proven that none exists. As of 2005, the largest number factored by general-purpose methods was 663 bits long, using state-of-the-art distributed methods. RSA keys are typically 1024 to 2048 bits long; 2048 bits is now the accepted minimum, and 1024-bit keys should not be used for new deployments.

Public key cryptography is computationally intensive. To get the best combination of performance and functionality, DH uses public key cryptography only to agree on a key, and that key is then used with a fast secret key (symmetric) cipher. The DH key agreement was invented in 1976 in a collaboration between Whitfield Diffie and Martin Hellman and was the first practical method for establishing a shared secret over an unprotected communications channel. Symmetric algorithms such as DES and 3DES require a shared secret key to encrypt and decrypt, and the keyed hash functions used for IPsec integrity checking (HMAC with Message Digest 5 (MD5) or SHA) likewise require a shared secret key.
The question is, how do the encrypting and decrypting devices both come to have the shared secret key? The keys could be sent by e-mail, by courier, by overnight express, or by a public key exchange. The easiest and most secure of these is DH public key exchange. The DH key agreement is a public key method that provides a way for two peers to establish a shared secret key that only the peers know, even though the peers are communicating over an insecure channel. Public key cryptosystems rely on a two-key system: each peer holds a public key, which can be shared freely, and a private key, which it never discloses.
3.1.10 Diffie-Hellman Key Exchange

The DH public key algorithm states that if User A and User B exchange public keys, and each performs a calculation on its own private key and the public key of the other peer, the end result of the process is an identical shared key. The shared key is used to encrypt and decrypt the data. Eavesdropping is not a concern with the DH key exchange: although someone may know a user's public key, the shared secret cannot be generated from it because the private key never becomes public knowledge. DH by itself does not, however, authenticate the peers, so a man in the middle could run a separate exchange with each side; this is why IPsec combines DH with an authentication method such as RSA. With Diffie-Hellman, each peer generates a public and private key pair. The private key generated by each peer is kept secret and never shared. The public key is calculated from the private key by each peer and is exchanged over the insecure channel. Each peer combines the public key of the other peer with its own private key and computes the same shared secret number. The shared secret number is then converted into a shared secret key. The shared secret key is never exchanged over the insecure channel.

Classic DH Example: Alice and Bob
Many instructors use the story of Alice and Bob to explain the DH process. DH allows Alice and Bob to agree on a key that they can use to encrypt messages they want to send to each other. They can do this even when an eavesdropper (Eve) listens in on their entire conversation. DH is based on the assumption that it is easy to raise a number to a power modulo a prime, but difficult to work out which power was used given only the base, the modulus, and the result.

Step 1 Alice and Bob agree on a prime number p, which they can do by simply sending it to each other. In this case, the agreed prime number is p = 23. Eve can learn p; in practice p is often simply advertised somewhere public.

Step 2 Given a prime number p, it is possible to find a number g (the so-called generator) with a very interesting property: every number between 1 and p-1 can be written as a power of g when calculating modulo p. (The next subtopic briefly describes modular arithmetic.) For example, using p = 5 the generator is 2, because:
2^0 = 1
2^1 = 2
2^2 = 4
2^3 = 3 (because 8 = 3 mod 5)
Alice and Bob agree in the same way on a generator g for the numbers between 1 and p-1. For the running example with p = 23, accept for now that g = 5 has this property. At this point, the numbers p and g are public parameters that Eve is allowed to know.

Step 3 Alice and Bob each choose a random number, a and b respectively. Both numbers remain secret: only Alice knows a and only Bob knows b. In the example, Alice chose a = 6 and Bob chose b = 16.

Step 4 Alice computes g^a mod p and Bob computes g^b mod p, and they exchange the results. With the example values, Alice sends 5^6 mod 23 = 8 and Bob sends 5^16 mod 23 = 3.

Step 5 The key that Alice and Bob now agree on is g^(a*b) mod p. This is easy for each of them to compute:
Alice knows a and g^b,
Bob knows b and g^a, and
(g^a)^b = (g^b)^a = g^(a*b) (mod p)
In the example, Alice computes 3^6 mod 23 = 16 and Bob computes 8^16 mod 23 = 16.

Step 6 Alice and Bob can use the key (or, in practice, a key derived from it) to encrypt messages with any secret key algorithm.

The security of the Diffie-Hellman system depends on the assumption that it is easy to raise a number to a power modulo p, but hard to compute which power was used given the base, the modulus, and the result (the discrete logarithm problem). Without the modulus the problem is easy: 2^10 = 1024, and it is simple to see that 1024 is the tenth power of 2. Reducing modulo a large prime destroys that structure. Eve knows p, g, g^a mod p, and g^b mod p, but since she does not know a or b, she cannot compute the key in a reasonable amount of time when p is large. With the toy value p = 23 she can simply try every exponent, which is why real deployments use primes of 2048 bits or more.

Prime Numbers and Modular Arithmetic
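The six steps above, worked through in code as an added example (this is not part of the original course material). It uses the text's toy parameters p = 23, g = 5, a = 6, b = 16, checks the Step 2 generator property by exhaustion, lets Eve run the brute-force discrete-log attack that succeeds only because p is tiny, and then shows the man-in-the-middle that an unauthenticated exchange cannot detect. Mallory's exponent m = 7 is a constructed value chosen for the demonstration.

```python
"""Diffie-Hellman with the course's toy parameters, plus two things the
text only describes: Eve's brute-force discrete-log attack, and the
man-in-the-middle that an unauthenticated exchange cannot prevent.

Added example, not part of the original course material. The toy values
(p = 23, g = 5, a = 6, b = 16) come from the text; Mallory's exponent
m = 7 is a constructed value chosen for this demonstration.
"""


def is_generator(g, p):
    """Step 2 check: g generates every value in 1..p-1 modulo p.
    Exhaustive, so only suitable for toy primes."""
    return {pow(g, k, p) for k in range(1, p)} == set(range(1, p))


def dh_public(g, private, p):
    """Steps 3 and 4: the value sent over the channel, g^private mod p."""
    return pow(g, private, p)


def dh_shared(peer_public, private, p):
    """Step 5: (g^b)^a mod p == (g^a)^b mod p == g^(a*b) mod p."""
    return pow(peer_public, private, p)


def eve_discrete_log(g, public, p):
    """Eve's attack: find x such that g^x mod p == public by trying every x.
    Costs O(p) modular exponentiations, so it succeeds for p = 23 and is
    hopeless for the 2048-bit primes used in real IPsec groups."""
    for x in range(1, p):
        if pow(g, x, p) == public:
            return x
    return None


def toy_exchange(p=23, g=5, a=6, b=16):
    """The exchange from the text: returns what each party computes."""
    A = dh_public(g, a, p)          # Alice -> Bob:  5^6  mod 23
    B = dh_public(g, b, p)          # Bob -> Alice:  5^16 mod 23
    k_alice = dh_shared(B, a, p)    # Alice: B^a mod p
    k_bob = dh_shared(A, b, p)      # Bob:   A^b mod p
    # Eve saw only p, g, A and B. With a toy p she recovers a, then the key.
    a_recovered = eve_discrete_log(g, A, p)
    k_eve = dh_shared(B, a_recovered, p)
    return {"A": A, "B": B, "k_alice": k_alice, "k_bob": k_bob,
            "a_recovered": a_recovered, "k_eve": k_eve}


def mitm_exchange(p=23, g=5, a=6, b=16, m=7):
    """Mallory sits on the channel and replaces each public value with her
    own g^m mod p. Alice and Bob each end up sharing a key with Mallory,
    not with each other, and neither notices without authentication."""
    A = dh_public(g, a, p)
    B = dh_public(g, b, p)
    M = dh_public(g, m, p)          # constructed attacker value: 5^7 mod 23
    k_alice = dh_shared(M, a, p)    # Alice believes M came from Bob
    k_bob = dh_shared(M, b, p)      # Bob believes M came from Alice
    k_mallory_alice = dh_shared(A, m, p)
    k_mallory_bob = dh_shared(B, m, p)
    return {"k_alice": k_alice, "k_bob": k_bob,
            "k_mallory_alice": k_mallory_alice, "k_mallory_bob": k_mallory_bob}


if __name__ == "__main__":
    print("5 generates Z_23*:", is_generator(5, 23))
    print("honest exchange:", toy_exchange())
    print("man in the middle:", mitm_exchange())
```

The same three `pow()` calls are the whole algorithm for a real group such as the 2048-bit MODP groups used by IKE; only the exhaustive generator check and Eve's search stop being feasible there. The `mitm_exchange` result (Alice and Bob hold different keys, each matching one of Mallory's) is the concrete reason IPsec pairs DH with RSA or pre-shared-key authentication rather than running it alone.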
The DH key exchange algorithm uses a series of calculations based on prime numbers and modular arithmetic. Recall that a prime number is an integer (a whole number) that has as its only factors 1 and itself (for example, 2, 17, 23,