length from a security point of view is only 112
bits.

Symmetric Encryption: AES

AES, often referred
to as the Rijndael encryption (pronounced “Rhine dahl”), is a
block cipher that was adopted as an encryption standard by the
U.S. government. AES is expected to be used worldwide and
analyzed extensively, as was the case with AES’ predecessor,
DES. AES is also more secure and faster than 3DES. The
cipher was developed by two Belgian cryptographers, Joan Daemen
and Vincent Rijmen, and submitted to the AES selection process
under the name “Rijndael.” AES is not exactly the same as the
original Rijndael because Rijndael supports a larger range of
block and key sizes. AES has a fixed block size of 128 bits and
a key size of 128, 192, or 256 bits, whereas Rijndael can be
specified with key and block sizes in any multiple of 32 bits,
with a minimum of 128 bits and a maximum of 256 bits. The
National Security Agency of the US government (NSA) reviewed
all the ciphers that were submitted as finalists to the AES
selection process, including Rijndael, and stated that all of
the finalists were secure enough to use for U.S. government
nonclassified data. In June 2003, the U.S. government announced
that AES can be used for classified information. This marks the
first time that the public has had access to a cipher that is
approved by NSA for top secret information. It is interesting
to note that many public products use 128-bit secret keys by
default.

3.1 Introducing VPN Technology

3.1.9 Asymmetric Encryption

Two asymmetric algorithms used for IPsec are Diffie-Hellman (DH)
and RSA. Cisco devices use RSA and Diffie-Hellman every time a
new IPsec tunnel is established. RSA authenticates the remote
device while Diffie-Hellman exchanges keys that are used for
encryption. The Internet Security Association (ISA) implements
these protocols in specialized hardware to ensure fast tunnel
setup and high overall encryption throughput. RSA (named after
designers Rivest, Shamir, and Adleman) is an algorithm for
public key encryption and was the first algorithm known to be
suitable for signing as well as encryption. RSA was one of the
first great advances in public key cryptography. The security
of the RSA cryptosystem is based on two mathematical problems:
the problem of factoring very large numbers and the RSA
algorithm itself. Full decryption of an RSA cipher text is
thought to be impossible because both of these problems are
difficult, and no efficient algorithm exists for solving them.
No polynomial-time method for factoring large integers on a
classical computer has yet been found, but it has not been
proven that no method exists. As of 2005, the largest number
that was factored by general-purpose methods was 663 bits long
using state-of-the-art distributed methods. RSA keys are
typically 1024 to 2048 bits long. Public key cryptography is
computationally intensive. To achieve the best combination of
performance and functionality, DH combined public key
cryptography with secret key cryptography. The DH key agreement
was invented in 1976 during collaboration between Whitfield
Diffie and Martin Hellman and was the first practical method
for establishing a shared secret over an unprotected
communications channel. As symmetric algorithms, DES, 3DES,
Message Digest 5 (MD5), and SHA require a shared secret key to
perform encryption and decryption. The question is, how do the
encrypting and decrypting devices both have the shared secret
key? Possible solutions are that the keys can be sent via
e-mail, courier, overnight express, or public key exchange.
Another, easier and more secure method is DH public key
exchange. The DH key agreement is a public key encryption
method that provides a way for two peers to establish a shared
secret key that only the peers know, even though the peers are
communicating over an insecure channel. Public key
cryptosystems rely on a two-key system:
- Public key: Exchanged between end users
- Private key: Kept secret by the original owners

3.1.10 Diffie-Hellman Key Exchange

The DH public
key algorithm states that if User A and User B exchange public
keys and a calculation is performed on their individual private
key and on the public key of the other peer, the end result of
the process is an identical shared key. The shared key is used
to encrypt and decrypt the data. Security is not an issue with
the DH key exchange. Although someone may know a user’s public
key, the shared secret cannot be generated because the private
key never becomes public knowledge. With Diffie-Hellman, each
peer generates a public and private key pair. The private key
that is generated by each peer is kept secret and never shared.
The public key is calculated from the private key by each peer
and is exchanged over the insecure channel. Each peer combines
the public key of the other peer with its own private key and
computes the same shared secret number. The shared secret
number is then converted into a shared secret key. The shared
secret key is never exchanged over the insecure channel.

Classic DH Example—Alice and Bob

Many instructors
use the story of Alice and Bob to explain the DH process. DH
allows Alice and Bob to agree on a key that they can use to
encrypt messages they want to send to each other. They can do
this even when an eavesdropper (Eve) listens in on their entire
conversation. DH is based on the assumption that it is easy to
raise a number to a certain power, but difficult to compute
which power was used given the number and the outcome.

Step 1
First, Alice and Bob need to agree on a prime number p, which they can do by simply sending it to each other. In this case, the agreed prime number p = 23. Eve can learn the number p because in practice the number p is often simply advertised somewhere public.

Step 2
Given a prime number p, it is possible to come up with a number g (the so-called generator) with a very interesting property: every number between 1 and p-1 can be written as a power of g when calculating modulo p. (The next subtopic briefly describes the concept of modular arithmetic.) For now, please accept that g = 5. For example, using p = 5 the generator is 2, because:

2^0 = 1
2^1 = 2
2^2 = 4
2^3 = 3 (because 8 = 3 mod 5)

Alice and Bob agree in the same way on a generator g for the numbers between 1 and p-1. At this point, the numbers p and g serve as the public key.

Step 3
Alice and Bob both choose random numbers, a and b respectively. Both these numbers remain secret because only Alice knows her number and only Bob knows his number. In the example, Alice chose a = 6 and Bob chose b = 16.

Step 4
Alice then computes g^a mod p and Bob computes g^b mod p. They exchange their results.

Step 5
The key that Alice and Bob now agree on is simply g^(a*b) mod p. This is quite easy to compute: Alice knows a and g^b, Bob knows b and g^a, and

(g^a)^b = (g^b)^a = g^(a*b)

Step 6
Alice and Bob can use the key g^(a*b) to encrypt messages with any secret key algorithm. The security of the Diffie-Hellman system depends on the assumption that it is easy to raise a number to a certain power, but difficult to compute which power was used given the number and the outcome. For example, it is easy to compute 2^10 = 1024, but more difficult to determine that 1024 is the tenth power of 2. Eve knows g^a and g^b, but since she does not know a or b itself, she cannot compute the key in a reasonable amount of time.

Prime Numbers and Modular Arithmetic
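Before the modular-arithmetic review, here are the six Alice-and-Bob steps above carried out in code with the page's values p = 23, g = 5, a = 6 and b = 16. This is an added example, not part of the course material; it also checks the generator property from Step 2 (including the small p = 5, g = 2 case), and the final conversion of the shared number into a symmetric key by hashing with SHA-256 is an assumption, since the page does not name a method.

```python
import hashlib


def is_generator(g: int, p: int) -> bool:
    """Step 2 property: the powers of g mod p produce every number from 1 to p-1."""
    return {pow(g, k, p) for k in range(1, p)} == set(range(1, p))


def public_value(g: int, private: int, p: int) -> int:
    """Step 4: the value a peer sends over the insecure channel, g^private mod p."""
    return pow(g, private, p)


def shared_secret(received_public: int, private: int, p: int) -> int:
    """Step 5: raise the peer's public value to our own private exponent."""
    return pow(received_public, private, p)


def derive_key(shared: int, length: int = 16) -> bytes:
    """Convert the shared secret number into a fixed-length symmetric key.

    The page only says the number is 'converted into a shared secret key';
    hashing it with SHA-256 is an assumption made for this example.
    """
    raw = shared.to_bytes(max(1, (shared.bit_length() + 7) // 8), "big")
    return hashlib.sha256(raw).digest()[:length]


def dh_example(p: int = 23, g: int = 5, a: int = 6, b: int = 16) -> dict:
    """Run Steps 1 to 6 with the page's values and report what each side holds."""
    if not is_generator(g, p):
        raise ValueError("g is not a generator modulo p")
    A = public_value(g, a, p)          # Alice -> Bob; Eve sees this
    B = public_value(g, b, p)          # Bob -> Alice; Eve sees this
    k_alice = shared_secret(B, a, p)   # (g^b)^a mod p
    k_bob = shared_secret(A, b, p)     # (g^a)^b mod p
    # Both sides reach g^(a*b) mod p without a or b ever crossing the channel.
    if not (k_alice == k_bob == pow(g, a * b, p)):
        raise AssertionError("peers did not agree on the shared secret")
    return {"A": A, "B": B, "shared": k_alice, "key": derive_key(k_alice)}


if __name__ == "__main__":
    print(dh_example())   # A = 8, B = 3, shared = 16 for the page's numbers
```

With p = 23 an eavesdropper could recover a by simply trying all 22 possible exponents, so these toy parameters show the mechanics only; the hard-to-invert property the text relies on needs a prime of 2048 bits or more, as in modern IPsec DH groups.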
The DH key exchange algorithm uses a series
of calculations based on prime numbers and modular arithmetic.
Recall that a prime number is an integer (a whole number) that
has as its only factors 1 and itself (for example, 2, 17, 23,