and 127 are prime). The DH algorithm uses the
special properties associated with prime numbers. Modular
arithmetic is based on a concept of doing addition and other
operations on a circle as opposed to a line. The values in any
arithmetic operation "wrap around" and are always
less than a fixed number called the modulus. For example, to
find 39 modulo 7, you simply calculate 39/7 (= 5 4/7) and take
the remainder. In this case, 7 divides into 39 with a remainder
of 4. Thus, 39 modulo 7 = 4. Note that the remainder (when
dividing by 7) is always less than 7. Thus, the values
"wrap around," as shown in the following example: 0
mod 7 = 0
1 mod 7 = 1
2 mod 7 =
2
3 mod 7 = 3
4 mod 7 = 4
5
mod 7 = 5
6 mod 7 = 6
7 mod 7 =
0
8 mod 7 = 1
9 mod 7 = 2
10
mod 7 = 3
and so on. In modular addition, you first
add the two numbers normally, then divide by the modulus and
take the remainder. Thus, (17+20) mod 7 = (37) mod 7 = 2. A
simple analogy will help clarify this concept, but you have
likely used it before when you calculate when you would have to
get up in the morning if you want to get a certain number of
hours of sleep. For example, assume you are planning to go to
bed at 10 PM and want to get 8 hours of sleep. To figure out
what time to set on your alarm, you count, starting at 10, the
hours until midnight (in this case, two). At midnight (12), you
reset to zero (you "wrap around" to 0) and keep
counting until your total is 8. The result is 6 AM. What you
just did is to solve (10 + 8) mod 12. As long as you do not
want to sleep for more than 12 hours, you will get the right
answer using this technique.
Content 3.1
Introducing VPN Technology 3.1.11 Data
Integrity Data integrity guarantees that no tampering or
alterations occur with data between the data’s source and
destination. VPNs typically use one of three technologies to
ensure integrity: - One-way hash functions: A
hash function generates a fixed-length output value based on an
arbitrary-length input file. The idea is that it is easy to
calculate the hash value of a file but mathematically difficult
to generate a file that will hash to that value. To validate
the integrity of a file, a recipient calculates the hash value
of a received file and compares the calculated value to the
hash value that is sent by the sender. Thus, the recipient can
be assured that the sender had the file at the time the
recipient created the hash value. Examples of hash algorithms
are MD5, Secure Hash Algorithm 1 (SHA-1), and
RIPE-MD-160.
- Message-authentication codes
(MACs): MACs add a key to hash functions. A sender creates
a file, calculates a MAC based on a key shared with the
recipient, and then appends the MAC to the file. When the
recipient receives the file, the receiver calculates a new MAC
and compares it with the appended MAC.
- Digital
signatures: A digital signature is essentially public key
cryptography in reverse. A sender digitally "signs" a
document with the sender’s private key and the recipient can
verify the signature by using the sender's public key. A
digital signature is similar to a wax seal on a letter. Anyone
can open and read the letter, but the wax seal authenticates
the sender.
Content 3.1 Introducing
VPN Technology 3.1.12 VPN Security:
Authentication When conducting business remotely, you need
to know who is at the other end of the phone, e-mail, or fax.
The same is true of VPN networking. The device on the other end
of the VPN tunnel must be authenticated before the
communications path is considered secure. The following are
methods used between two peers to establish that they are each
connecting to the right person and not to someone pretending to
be that peer: - Username and password: Uses the
predefined usernames and passwords for different users or
systems.
- One Time Password (OTP) (Pin/Tan): A
stronger authentication method than username and password, this
method uses new passwords that are generated for each
authentication.
- Biometric: Biometrics usually
refers to technologies that are used for measuring and
analyzing human body characteristics such as fingerprints, eye
retinas and irises, voice patterns, facial patterns, and hand
measurements, especially for authentication purposes.
- Pre-shared keys: This method uses a secret key
value, manually entered into each peer, and then used to
authenticate the peers.
- Digital certificates:
Use the exchange of digital certificates to authenticate the
peers.
Authentication, authorization, and accounting
(AAA) servers are used for more secure access in a
remote-access VPN environment. When a request to establish a
session comes in from a dialup client, the request is proxied
to the AAA server. AAA then checks and records the following:
- Who the client is (authentication)
- What the
client is allowed to do (authorization)
- What the
client actually does (accounting)
The accounting
information is especially useful for tracking client use for
security auditing, billing, or reporting purposes.
Content 3.2 Understanding IPsec Components and IPsec
VPN Features 3.2.1 IPsec Security Features
IPsec provides a mechanism for secure data transmission over IP
networks, ensuring confidentiality, integrity, and authenticity
of data communications over unprotected networks such as the
Internet . IPsec encompasses a suite of protocols and is not
bound to any specific encryption or authentication algorithms,
key generation technique, or security association (SA). IPsec
provides the rules while existing algorithms provide the
encryption, authentication, key management, and so on. IPsec
acts at the network layer, protecting and authenticating IP
packets between IPsec devices (peers), such as Cisco PIX
Firewalls, Adaptive Security Apliances (ASA), Cisco routers,
the Cisco Secure VPN Client, and other IPsec-compliant
products. IPsec is an Internet Engineering Task Force (IETF)
standard (RFC 2401-2412) that defines how a VPN can be created
over IP networks. IPsec provides the following essential
security functions: - Data confidentiality:
IPsec ensures confidentiality by using encryption. Data
encryption prevents third parties from reading the data,
especially data that is transmitted over public networks or
wireless networks. The IPsec sender can encrypt packets before
transmitting the packets across a network and prevent anyone
from hearing or viewing the communication (eavesdropping). If
intercepted, the data cannot be decoded. Encryption is provided
using encryption algorithms including DES, 3DES, and AES.
- Data integrity: IPsec ensures that data arrives
unchanged at the destination; that is, that the data is not
manipulated at any point along the communication path. IPsec
ensures data integrity by using hashes. A hash is a simple
redundancy check. The IPsec protocol adds up the basic
components of a message (typically the number of bytes) and
stores the total value. IPsec performs a checksum operation on
received data and compares the result to the authentic
checksum. If the sums match, the data is considered not
manipulated. Data integrity is provided through the Hash-based
Message Authentication Code (HMAC) function. Supported HMAC
functions include Message Digest 5 (MD5) and Secure Hash
Algorithm 1 (SHA-1).
- Data origin
authentication: The IPsec receiver can authenticate the
source of the IPsec packets. Authentication ensures that the
connection is actually made with the desired communication
partner. IPsec authenticates users (people) and devices that
can carry out communication independently. The quality of Data
origin authentication is dependent on the data integrity
service that is provided.
- Anti-replay:
Anti-replay protection verifies that each packet is unique, not