Before we dive into the deep dark depths of how IPSec VPNs work, let's take a moment to review hashing, encryption, and the keys used for everything throughout.
Hashing is not encryption; it is the output of an algorithm. When data, a key, and a hashing algorithm are combined, a fixed result is generated. This result is a small, fixed-length piece of data that you can think of as a fingerprint (message digest or hash) of the data and key. Every time the exact same data and key are run through the algorithm, the exact same output value is produced; a change of even 1 bit in the data or key produces an entirely different fingerprint. For example, if Jack wants to guarantee that his data doesn't change when he sends it to Peter, he can hash the data. After he has the hash result, known as a digital signature, he can send it along with the data. When Peter receives the data and digital signature, he uses the same data, key, and hashing algorithm to generate a result himself. If this hash result is exactly the same as the signature Jack sent, the data is authentic and hasn't been modified.
For all of this to work, three things are needed: data, a key, and an algorithm. Both sides need all three to come up with the same result. Two algorithms commonly used in IPSec are Message Digest version 5 (MD5) and Secure Hash Algorithm (SHA-1). Figure 12.4 displays an example of hashing data to get a single hashed value.
Figure 12.4. Hashing example.
Message Digest Version 5
Message Digest version 5 (MD5) is a hashing algorithm commonly used to authenticate data and ensure that data hasn't changed. It is a one-way hash that produces a fixed-length result called a message digest. MD5 feeds successive 512-bit blocks of data into the algorithm to eventually produce a 128-bit message digest.
Secure Hash Algorithm
Secure Hash Algorithm (SHA-1) is the second hashing algorithm that can be used by IPSec. It produces a 160-bit result and is considered more secure than MD5. Because SHA-1 is more secure, it also takes longer to perform its functions.
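The Jack-and-Peter exchange above, as an added example that is not part of the original text: the sender combines data, shared key, and algorithm into a keyed hash (HMAC, the form IPSec uses with MD5 and SHA-1), the receiver recomputes it, and a single flipped bit or a wrong key makes the check fail. The key and message are constructed placeholders, not values from any real session.

```python
import hashlib
import hmac

# Constructed sample inputs (illustrative only, not from a real IPSec session).
SHARED_KEY = b"x132w-shared-secret"
DATA = b"Jack's message to Peter: transfer approved"


def make_digest(data: bytes, key: bytes, algorithm: str) -> bytes:
    """Sender side: data + key + algorithm -> fixed-length digest.

    algorithm is "md5" (128-bit result) or "sha1" (160-bit result),
    the two hash functions the text names for IPSec.
    """
    return hmac.new(key, data, getattr(hashlib, algorithm)).digest()


def verify_digest(data: bytes, key: bytes, algorithm: str, received: bytes) -> bool:
    """Receiver side: recompute the digest and compare with the one received.

    compare_digest runs in constant time, so the comparison itself does not
    reveal how many leading bytes of the digest matched.
    """
    expected = make_digest(data, key, algorithm)
    return hmac.compare_digest(expected, received)


def flip_one_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with exactly one bit inverted."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def demo(algorithm: str) -> dict:
    """Run the exchange for one algorithm and report the outcome of each check."""
    tag = make_digest(DATA, SHARED_KEY, algorithm)          # what Jack sends
    tampered = flip_one_bit(DATA, 5)                         # 1 bit changed in transit
    return {
        "digest_bits": len(tag) * 8,
        "unmodified_ok": verify_digest(DATA, SHARED_KEY, algorithm, tag),
        "tampered_ok": verify_digest(tampered, SHARED_KEY, algorithm, tag),
        "wrong_key_ok": verify_digest(DATA, b"some-other-key", algorithm, tag),
    }


if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        print(algo, demo(algo))
```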
Encryption is the process of taking data, a key, and an encryption algorithm and producing encrypted data known as ciphertext. If the encrypted data needs to be turned back into the original plaintext, a decryption key and algorithm are necessary. The following sections discuss the two main types of encryption used by IPSec: DES and 3DES.
Data Encryption Standard
Data Encryption Standard (DES) uses a 56-bit symmetric encryption key, meaning the 56-bit key used to encrypt the data is the same key used to decrypt the data. DES was published in 1977 and is considered a fast and reliable encryption engine that is commonly used to provide basic protection or in places outside the United States where the export of stronger encryption is not allowed.
Triple DES (3DES) is a derivative of DES itself. Basically, 3DES encrypts the data the same way DES does, but it does it three times, iterating through the data with three different keys, which dramatically increases the protection level of the data. 3DES uses a 168-bit key and takes more time and processor power to run than normal DES does. Figure 12.5 shows an example of data encryption.
Figure 12.5. An encryption example.
The two technologies, hashing and encryption, both require keys along with their algorithms. Keys come in two main types: symmetric and asymmetric. You will see how these keys are used in several ways with different algorithms and technologies, but they all follow the same basic concepts.
The symmetric key, also known as a shared secret key, is a single key used by both parties involved. This key is typically used to encrypt and decrypt data. For example, if Jack uses a key of x132w to encrypt his data, Peter will need to use the same key, x132w, to decrypt that data. The hardest thing about using symmetric keys is getting the same key to the other side without anyone else ever learning what it is. Lastly, symmetric-key algorithms are very fast and are generally used to encrypt and decrypt bulk amounts of data.
The asymmetric key is actually two keys paired together. One is called the public key, and the other is called the private key. The public key is given out freely, whereas the private key never leaves the owner. When you encrypt something with the public key, it takes the corresponding private key to decrypt it, or vice versa. For example, if Jack has a copy of Peter's public key and uses that public key to encrypt some data, Peter can use his own matching private key to decrypt that data. Therefore, only Peter can decrypt the data. Asymmetric keys are considered slower and take more processor power; however, they are great for authentication and for use during the authentication phases of communication.