Defining Hashing, Encryption, and Keys

Before we dive into the deep dark depths of how IPSec VPNs work, let's take a moment to review hashing, encryption, and the keys used for everything throughout.


Hashing is not encryption; it is the result of running data through an algorithm. When data, a key, and an algorithm are combined, a fixed result is generated. This result is a small, fixed-length piece of data, which you could call a fingerprint (message digest or hash) of the data and key. Every time the exact same data and key are run through the algorithm, the exact same output value is produced. A modification of even one bit in the data or key produces an entirely different fingerprint. For example, if Jack wants to guarantee that his data doesn't change when he sends it to Peter, he could hash the data. After he has the hash result, known here as a digital signature, he can send it along with the data. When Peter receives the data and the digital signature, he can use the same data, key, and hashing algorithm to generate a result himself. If this hash result is exactly the same as the signature Jack sent, the data is authentic and hasn't been modified.

Now for all of this to work, three things are needed: data, a key, and an algorithm. Both sides need all three to come up with the same result. Two algorithms commonly used in IPSec are Message Digest version 5 and Secure Hash Algorithm. Figure 12.4 displays an example of hashing data to get a single hashed value.

Figure 12.4. Hashing example.


Message Digest Version 5

Message Digest version 5 (MD5) is a hashing algorithm commonly used to authenticate data and ensure that data hasn't changed. It is a one-way hash that produces a fixed-length result called a message digest. MD5 feeds successive 512-bit blocks of data into the algorithm to eventually produce a 128-bit message digest.

Secure Hash Algorithm

Secure Hash Algorithm (SHA-1) is the second hashing algorithm that can be used by IPSec. It produces a 160-bit result and is considered more secure than MD5. Because SHA-1 is more secure, it also takes longer to perform its functions.
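The following is an added example, not code from the book, showing the data + key + algorithm check that the preceding sections describe, using the keyed-hash (HMAC) construction that IPSec pairs with MD5 and SHA-1. Jack's side computes the keyed digest, Peter's side recomputes and compares it, and a single flipped bit or a different key makes the comparison fail. The message, the shared key, and the function names are constructed for this example; the digest and block sizes printed are those of the algorithms themselves.

```python
import hashlib
import hmac

# Constructed sample message and shared key (not from the book).
MESSAGE = b"Transfer 100 units from account A to account B"
SHARED_KEY = b"x132w-shared-secret"


def keyed_digest(data: bytes, key: bytes, algorithm: str) -> bytes:
    """Sender side: hash the data together with the shared key (HMAC).
    Same data + key + algorithm always yields the same fingerprint."""
    return hmac.new(key, data, algorithm).digest()


def verify(data: bytes, key: bytes, algorithm: str, received: bytes) -> bool:
    """Receiver side: recompute the fingerprint and compare it in constant time."""
    expected = keyed_digest(data, key, algorithm)
    return hmac.compare_digest(expected, received)


def flip_one_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with exactly one bit inverted (simulates tampering)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def digest_bits(algorithm: str) -> int:
    """Output size of the hash in bits (MD5: 128, SHA-1: 160)."""
    return hashlib.new(algorithm).digest_size * 8


def block_bits(algorithm: str) -> int:
    """Input block size in bits (MD5 and SHA-1 both consume 512-bit blocks)."""
    return hashlib.new(algorithm).block_size * 8


def demo():
    """For each algorithm: (valid, tampered-data result, wrong-key result, digest bits, block bits)."""
    results = {}
    for alg in ("md5", "sha1"):
        tag = keyed_digest(MESSAGE, SHARED_KEY, alg)          # what Jack sends with the data
        ok = verify(MESSAGE, SHARED_KEY, alg, tag)            # Peter checks untouched data
        tampered = verify(flip_one_bit(MESSAGE, 0), SHARED_KEY, alg, tag)
        wrong_key = verify(MESSAGE, b"wrong-key", alg, tag)
        results[alg] = (ok, tampered, wrong_key, digest_bits(alg), block_bits(alg))
    return results


if __name__ == "__main__":
    for alg, (ok, tampered, wrong_key, dbits, bbits) in demo().items():
        print(f"{alg}: {dbits}-bit digest, {bbits}-bit blocks, "
              f"valid={ok} tampered={tampered} wrong_key={wrong_key}")
```

The comparison uses `hmac.compare_digest` rather than `==` so that the time taken to reject a bad fingerprint does not depend on how many leading bytes happened to match.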


Encryption is the process of taking data, a key, and an encryption algorithm and producing encrypted data known as ciphertext. If the encrypted data needs to be turned back into its original form, a decryption key and algorithm are necessary. The following sections discuss the two main types of encryption used by IPSec: DES and 3DES.

Data Encryption Standard

Data Encryption Standard (DES) uses a 56-bit symmetric encryption key, meaning the 56-bit key used to encrypt the data is the same key used to decrypt the data. DES was published in 1977 and is considered a fast and reliable encryption engine that is commonly used to provide basic protection or in places outside the United States where the export of stronger encryption is not allowed.


In 1998, the Electronic Frontier Foundation (EFF) built the first unclassified DES cracker. This system took only three days to crack DES, proving it to be an insecure algorithm. Six months later, Distributed.Net, a worldwide coalition of computer enthusiasts, networked 100,000 computers together to crack DES in only 22 hours. Needless to say, DES is considered unsuitable for highly secure environments. As of this writing, triple DES has not been cracked.

Triple DES

Triple DES (3DES) is a spin-off of DES itself. Basically, 3DES encrypts data, but it does it three times. 3DES iterates through the data three times with three different keys, dramatically increasing the protection level of the data. 3DES uses a 168-bit key and takes more time and processor power to run than normal DES does. Figure 12.5 shows an example of data encryption.

Figure 12.5. An encryption example.
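As an added example (not from the book) of what "three different keys" means in practice: a 3DES key is carried as three 64-bit DES keys, each of which holds 56 real key bits plus one parity bit per byte, giving the 168 effective bits the text quotes. The code below splits a 24-byte key into K1, K2, K3, validates the DES parity bits, and flags the degenerate case where adjacent subkeys are equal, because encrypt-decrypt-encrypt with equal neighbouring keys cancels down to single DES. The sample keys and the function names are constructed for this example.

```python
DES_KEY_BYTES = 8                      # 64 bits carried: 56 key bits + 8 parity bits
TDES_KEY_BYTES = 3 * DES_KEY_BYTES     # 192 bits carried, 168 effective (the book's "168-bit key")


def has_odd_parity(byte: int) -> bool:
    """DES key bytes use the low bit as a parity bit so every byte has an odd number of 1s."""
    return bin(byte).count("1") % 2 == 1


def set_odd_parity(key: bytes) -> bytes:
    """Rewrite the parity bit of every byte, leaving the 7 real key bits untouched."""
    fixed = bytearray()
    for b in key:
        high7 = b & 0xFE
        fixed.append(high7 | (0 if has_odd_parity(high7) else 1))
    return bytes(fixed)


def effective_key_bits(key: bytes) -> int:
    """Key bits that actually drive the cipher: 7 of every 8 (DES: 56, 3DES: 168)."""
    return len(key) * 7


def split_3des_key(key: bytes):
    """Split a 24-byte 3DES key into K1, K2, K3 (encrypt with K1, decrypt with K2, encrypt with K3)."""
    if len(key) != TDES_KEY_BYTES:
        raise ValueError("3DES key must be 24 bytes")
    return key[0:8], key[8:16], key[16:24]


def check_3des_key(key: bytes):
    """Return a list of problems with a 3DES key; an empty list means it is acceptable.

    A parity failure means the key was corrupted or never generated for DES.
    Equal adjacent subkeys make the decrypt pass undo the encrypt pass next to it,
    so the three passes degrade to a single 56-bit DES operation."""
    problems = []
    k1, k2, k3 = split_3des_key(key)
    for name, k in (("K1", k1), ("K2", k2), ("K3", k3)):
        if not all(has_odd_parity(b) for b in k):
            problems.append(f"{name} fails the DES parity check")
    if k1 == k2 == k3:
        problems.append("K1 == K2 == K3: encrypt-decrypt-encrypt collapses to single DES")
    elif k1 == k2 or k2 == k3:
        problems.append("adjacent subkeys are equal: two of the three passes cancel out")
    return problems


# Constructed sample keys (not from the book): well-formed, degenerate, and bad parity.
GOOD_KEY = set_odd_parity(bytes(range(0x10, 0x10 + TDES_KEY_BYTES)))
DEGENERATE_KEY = set_odd_parity(b"\x11" * TDES_KEY_BYTES)
BAD_PARITY_KEY = b"\x00" * TDES_KEY_BYTES

if __name__ == "__main__":
    for label, k in (("good", GOOD_KEY), ("degenerate", DEGENERATE_KEY), ("bad parity", BAD_PARITY_KEY)):
        print(f"{label}: {effective_key_bits(k)} effective bits, problems={check_3des_key(k)}")
```

K1 == K3 with a distinct K2 is not flagged: that is the legitimate two-key form of 3DES, which still runs all three passes with two independent keys.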



The Advanced Encryption Standard (AES) is a more recent encryption standard sponsored by the National Institute of Standards and Technology (NIST). AES is gaining acceptance and is supported in most newer IPSec implementations in place of 3DES. AES processing is faster and supports larger key sizes than 3DES, making it a better choice for both speed and level of protection. This book mainly covers DES and 3DES because the older algorithms are still widely supported. See for more information about the newer AES algorithm.


The two technologies, hashing and encryption, both require keys with their algorithms. Keys come in two main types: symmetric and asymmetric. You will see how these keys are used in several ways with different algorithms and technologies, but they all follow the same basic concepts.

Symmetric Keys

The symmetric key, also known as a shared secret key, is a single key used by both parties involved. This key is typically used to encrypt and decrypt data. For example, if Jack uses a key of x132w to encrypt his data, Peter will need to use the same key, x132w, to decrypt that data. The hardest thing about using symmetric keys is getting the same key to the other side without anyone else ever learning what it is. Lastly, symmetric keys are fast to use and are generally used to encrypt and decrypt bulk amounts of data.

Asymmetric Keys

The asymmetric key is actually two keys paired together: one is called the public key, and the other is called the private key. The public key is given out freely, whereas the private key never leaves the owner. When you encrypt something with the public key, it takes the corresponding private key to decrypt it, or vice versa. For example, if Jack has a copy of Peter's public key and uses that public key to encrypt some data, Peter can use his own matching private key to decrypt that data. Therefore, only Peter could decrypt the data. Asymmetric keys are considered slower and take more processor power; however, they are well suited to authentication and are used during the authentication phases of communication.
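An added example, not from the book, of the public/private pairing just described, using RSA (an asymmetric algorithm the book does not name) at textbook size so the numbers are readable: the classic p = 61, q = 53, e = 17 parameters. `confidentiality_demo` is Jack encrypting with Peter's public key and Peter decrypting with his private key; `authentication_demo` is the "vice versa" direction, where a value transformed with the private key can be opened by anyone holding the public key, which is the property the authentication phases rely on. Function names and the message value are this example's own.

```python
from math import gcd


def make_keypair(p: int, q: int, e: int = 17):
    """Build an RSA key pair from two primes. Returns ((n, e), (n, d)):
    the public key (n, e) is handed out freely; the private key (n, d) never leaves its owner."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse: e * d == 1 (mod phi)
    return (n, e), (n, d)


def apply_key(value: int, key) -> int:
    """Raise value to the key's exponent mod n; the same operation serves both directions."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus n")
    return pow(value, exponent, n)


# Textbook-size parameters (the classic p=61, q=53 example), chosen for readability only.
PUBLIC, PRIVATE = make_keypair(61, 53, 17)   # n = 3233, d = 2753


def confidentiality_demo(message: int) -> tuple:
    """Jack encrypts with Peter's PUBLIC key; only Peter's PRIVATE key recovers the message."""
    ciphertext = apply_key(message, PUBLIC)
    recovered = apply_key(ciphertext, PRIVATE)
    return ciphertext, recovered


def authentication_demo(message: int) -> tuple:
    """The 'vice versa' case: Peter transforms with his PRIVATE key, and anyone holding the
    PUBLIC key can undo it, which shows the value came from the private-key holder."""
    tag = apply_key(message, PRIVATE)
    opened = apply_key(tag, PUBLIC)
    return tag, opened


if __name__ == "__main__":
    m = 65   # constructed sample message, must be smaller than n
    print("public key:", PUBLIC, "private key:", PRIVATE)
    print("encrypt with public, decrypt with private:", confidentiality_demo(m))
    print("transform with private, verify with public:", authentication_demo(m))
```

The contrast with the symmetric case is in what has to travel: Peter can publish (3233, 17) to everyone, and only (3233, 2753) has to stay secret, so the key-distribution problem of the previous section becomes a question of authenticating the public key rather than hiding a shared one.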

CSPFA Exam Cram 2 (Exam 642-521)
CCSP CSPFA Exam Cram 2 (Exam Cram 642-521)
ISBN: 0789730235
Year: 2003
Pages: 218