and 127 are prime). The DH algorithm uses the special properties associated with prime numbers. Modular arithmetic is based on a concept of doing addition and other operations on a circle as opposed to a line. The values in any arithmetic operation "wrap around" and are always less than a fixed number called the modulus. For example, to find 39 modulo 7, you simply calculate 39/7 (= 5 4/7) and take the remainder. In this case, 7 divides into 39 with a remainder of 4. Thus, 39 modulo 7 = 4. Note that the remainder (when dividing by 7) is always less than 7. Thus, the values "wrap around," as shown in the following example: 0 mod 7 = 0
1 mod 7 = 1
2 mod 7 = 2
3 mod 7 = 3
4 mod 7 = 4
5 mod 7 = 5
6 mod 7 = 6
7 mod 7 = 0
8 mod 7 = 1
9 mod 7 = 2
10 mod 7 = 3
and so on. In modular addition, you first add the two numbers normally, then divide by the modulus and take the remainder. Thus, (17+20) mod 7 = (37) mod 7 = 2. A simple analogy will help clarify this concept, but you have likely used it before when you calculate when you would have to get up in the morning if you want to get a certain number of hours of sleep. For example, assume you are planning to go to bed at 10 PM and want to get 8 hours of sleep. To figure out what time to set on your alarm, you count, starting at 10, the hours until midnight (in this case, two). At midnight (12), you reset to zero (you "wrap around" to 0) and keep counting until your total is 8. The result is 6 AM. What you just did is to solve (10 + 8) mod 12. As long as you do not want to sleep for more than 12 hours, you will get the right answer using this technique.

Content 3.1 Introducing VPN Technology 3.1.11 Data Integrity Data integrity guarantees that no tampering or alterations occur with data between the data’s source and destination. VPNs typically use one of three technologies to ensure integrity:

One-way hash functions: A hash function generates a fixed-length output value based on an arbitrary-length input file. The idea is that it is easy to calculate the hash value of a file but mathematically difficult to generate a file that will hash to that value. To validate the integrity of a file, a recipient calculates the hash value of a received file and compares the calculated value to the hash value that is sent by the sender. Thus, the recipient can be assured that the sender had the file at the time the recipient created the hash value. Examples of hash algorithms are MD5, Secure Hash Algorithm 1 (SHA-1), and RIPE-MD-160.
Message-authentication codes (MACs): MACs add a key to hash functions. A sender creates a file, calculates a MAC based on a key shared with the recipient, and then appends the MAC to the file. When the recipient receives the file, the receiver calculates a new MAC and compares it with the appended MAC.
Digital signatures: A digital signature is essentially public key cryptography in reverse. A sender digitally "signs" a document with the sender’s private key and the recipient can verify the signature by using the sender's public key. A digital signature is similar to a wax seal on a letter. Anyone can open and read the letter, but the wax seal authenticates the sender.

Content 3.1 Introducing VPN Technology 3.1.12 VPN Security: Authentication When conducting business remotely, you need to know who is at the other end of the phone, e-mail, or fax. The same is true of VPN networking. The device on the other end of the VPN tunnel must be authenticated before the communications path is considered secure. The following are methods used between two peers to establish that they are each connecting to the right person and not to someone pretending to be that peer:

Username and password: Uses the predefined usernames and passwords for different users or systems.
One Time Password (OTP) (Pin/Tan): A stronger authentication method than username and password, this method uses new passwords that are generated for each authentication.
Biometric: Biometrics usually refers to technologies that are used for measuring and analyzing human body characteristics such as fingerprints, eye retinas and irises, voice patterns, facial patterns, and hand measurements, especially for authentication purposes.
Pre-shared keys: This method uses a secret key value, manually entered into each peer, and then used to authenticate the peers.
Digital certificates: Use the exchange of digital certificates to authenticate the peers.

Authentication, authorization, and accounting (AAA) servers are used for more secure access in a remote-access VPN environment. When a request to establish a session comes in from a dialup client, the request is proxied to the AAA server. AAA then checks and records the following:

Who the client is (authentication)
What the client is allowed to do (authorization)
What the client actually does (accounting)

The accounting information is especially useful for tracking client use for security auditing, billing, or reporting purposes.

Content 3.2 Understanding IPsec Components and IPsec VPN Features 3.2.1 IPsec Security Features IPsec provides a mechanism for secure data transmission over IP networks, ensuring confidentiality, integrity, and authenticity of data communications over unprotected networks such as the Internet . IPsec encompasses a suite of protocols and is not bound to any specific encryption or authentication algorithms, key generation technique, or security association (SA). IPsec provides the rules while existing algorithms provide the encryption, authentication, key management, and so on. IPsec acts at the network layer, protecting and authenticating IP packets between IPsec devices (peers), such as Cisco PIX Firewalls, Adaptive Security Apliances (ASA), Cisco routers, the Cisco Secure VPN Client, and other IPsec-compliant products. IPsec is an Internet Engineering Task Force (IETF) standard (RFC 2401-2412) that defines how a VPN can be created over IP networks. IPsec provides the following essential security functions:

Data confidentiality: IPsec ensures confidentiality by using encryption. Data encryption prevents third parties from reading the data, especially data that is transmitted over public networks or wireless networks. The IPsec sender can encrypt packets before transmitting the packets across a network and prevent anyone from hearing or viewing the communication (eavesdropping). If intercepted, the data cannot be decoded. Encryption is provided using encryption algorithms including DES, 3DES, and AES.
Data integrity: IPsec ensures that data arrives unchanged at the destination; that is, that the data is not manipulated at any point along the communication path. IPsec ensures data integrity by using hashes. A hash is a simple redundancy check. The IPsec protocol adds up the basic components of a message (typically the number of bytes) and stores the total value. IPsec performs a checksum operation on received data and compares the result to the authentic checksum. If the sums match, the data is considered not manipulated. Data integrity is provided through the Hash-based Message Authentication Code (HMAC) function. Supported HMAC functions include Message Digest 5 (MD5) and Secure Hash Algorithm 1 (SHA-1).
Data origin authentication: The IPsec receiver can authenticate the source of the IPsec packets. Authentication ensures that the connection is actually made with the desired communication partner. IPsec authenticates users (people) and devices that can carry out communication independently. The quality of Data origin authentication is dependent on the data integrity service that is provided.
Anti-replay: Anti-replay protection verifies that each packet is unique, not