Chapter 4: Cryptography and VPN Terminology

Previous page
Table of content
Next page


Overview

Crucial to the configuration and discussion of network security is an understanding of cryptographic terms. This vocabulary is essential when evaluating any type of encryption technology, be it files encryption or the encryption of packets in transit (as through a VPN). While we will not include enough detail on the algorithms to write your own implementations, we will discuss the most important terms and algorithms to allow you to better compare countermeasures.

The first terms to discuss are plaintext and ciphertext. Plaintext is what you are reading now; that is, normal unencrypted text. Ciphertext is thaw uoy era gnidaer won. [1] The process of converting plaintext to ciphertext is known as encryption, and the process of taking a section of ciphertext and producing plaintext is known as decryption.

When discussing plaintext and ciphertext, it is easy to visualize this if you are looking at a page of text versus a page of code. One of them you can read because it is in English and the other does not make any sense. It is important to realize, however, that the idea of plaintext and ciphertext are to some degree abstractions. That is, typically in a VPN (virtual private network) scenario, normal bits that make sense to a computer are also plain-text and bits that another computer can make no sense of are ciphertext. To you and I, there is no difference between the unencrypted start of the UDP header "00000110" and the same encrypted header "01001000"; but when a receiving host tries to sort out the bits, the bits of the first header fall into values that are expected while the bits of the second header do not. When we are talking about encrypting and decrypting computer data, this is typically what we are discussing. There is generally no problem in reading the stream of bits, but making sense of them is the problem.

In the above example, there are 256 ways that the second string of bits can be interpreted. Which one of them is correct? The only way to figure this out without knowing the way in which they were encrypted would be to try each combination and see if it makes any sense in the context we are expecting. Of course, a computer could do this in far less than a second, but by adding a single bit to the above patterns, we suddenly do not have 256 combinations; rather, we have 512 combinations that need to be tried. In fact, each bit that we add to the encrypted block doubles the amount of choices that we have to sort through to find the right information.

To decipher our earlier example, eight encrypted bits, we use an eight-bit key. To decrypt the encrypted string of bits above (01001000), we would need a key that says something like "The key is 11100111. Compare that to the ciphertext and XOR the two. The result is the correct text." [2] As noted, this would not take long for a computer to do. To increase the complexity, we increase the key length. For each bit we add to the key length, the problem becomes twice as difficult to solve. If you are thinking to yourself, "yes, but a computer should be able to work through that pretty fast, even with long keys," Then try this experiment. Grab a chessboard and the biggest bag of rice you can get from your local supermarket. Put one grain on the first square; and then on each successive square, double the grains of rice. That means two grains on the second, four on the third, and eight on the fourth, etc. When you are done, take all the rice that you have used and donate it to a charity. You should have enough rice to feed the world for quite a while. [3] The number of grains you have on the last square would be equivalent to a 64-bit key. While computers can operate very quickly, the number of possible combinations confounds even the most powerful computers. Any key can be cracked eventually in this manner, but with the common 128-bit, 160-bit, and 256-bit keys used to encrypt information over VPNs today — as long as the algorithm is secure (more on that later), it is likely that any computer today able to crack such keys would report its success to a barren and cold Earth long after the sun has passed through its red giant phase. That is, nobody is going to be around to care.

This is not to say that longer keys are always secure. Furthermore, computers now exist that can break 56-bit keys, regardless of the algorithm used. They are just fast enough to try all the combinations. The beauty of our encryption algorithms, however, is that by simply adding another bit to the key, the message is suddenly twice as difficult to decipher.

[1]Ciphertext is what you are reading now. Notice the advanced algorithm in use.

[2]This example was chosen only for the sake of simplicity. It does not mean to imply that all keys have to be the same length as the message they are encrypting.

[3]On the last square alone, you will have 18,446,744,073,709,551,616 grains of rice. That does not include the 9,223,372,036,854,775,808 grains on the second to last square, and so on. That is a lot of rice!


Previous page
Table of content
Next page
Network Perimeter Security. Building Defense In-Depth
Network Perimeter Security: Building Defense In-Depth
ISBN: 0849316286
EAN: 2147483647
Year: 2004
Pages: 119
Authors: Cliff Riggs
BUY ON AMAZON
Metrics and Models in Software Quality Engineering (2nd Edition)
Secure Programming Cookbook for C and C++: Recipes for Cryptography, Authentication, Input Validation & More
MySQL Clustering
Java How to Program (6th Edition) (How to Program (Deitel))
The Java Tutorial: A Short Course on the Basics, 4th Edition
PMP Practice Questions Exam Cram 2
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy