HP Sa3110 - VPN Server Appliance Manual page 45

HP VPN Server Appliance SA3110/SA3150/SA3400/SA3450 - Virtual Private Networking Concepts Guide
Hewlett-Packard Company Virtual Private Networking Concepts Guide
TCP and indicates to an intruder that an acknowledgment packet
is expected. Trapping acknowledgment packets is a good way to
gain some knowledge of the contents of an encrypted packet,
which can be used to help break the encryption. Setting the
protocol of all encrypted packets to UDP removes this bit of
knowledge and further secures the communication.

The entire original packet is encrypted. Some other solutions
encrypt only the payload data and expose a wealth of
information about the nature of the packet and the source and
destination networks.

Finally, the packet keys are encrypted with session keys and
appended to the new packet. Remember that DES, triple pass
DES, and 3DES are symmetric algorithms. Therefore, both the
device encrypting the packet and the device decrypting the
packet must know the same keys. The packet keys, however, are
randomly generated for each packet. Assuming that both the
encryptor and the decryptor know the same session keys, this
technique makes the encryption more secure in 2 ways. First,
attempts to break the packet keys are not practical, since they
change with every packet: the most that can be gained is about
1400 bytes of data from an operation that will take years.
Second, the session keys are used to encrypt only a very small
amount of data (the packet keys), which is random. If the
session keys are changed periodically, then even this small
target is moving and attacks are made more difficult. The
frequency with which session keys are changed is called the
crypto period.
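
The key hierarchy described above, as an added sketch (not code from the HP guide or the appliance): each original packet is encrypted whole under a fresh random packet key, and that key is wrapped with the current session key and appended. The HMAC-based keystream is a stand-in for DES/3DES, and the 8-byte epoch/sequence header, the `session_key` derivation and the packet-count crypto period are assumptions made for illustration.

```python
import hashlib, hmac, os, struct

KEY_LEN = 24        # 3DES-sized key length in bytes
CRYPTO_PERIOD = 3   # constructed: packets sent before the session key changes

def keystream_xor(key, nonce, data):
    """Stand-in cipher (HMAC-SHA256 keystream XOR); the appliance uses DES/3DES."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + struct.pack(">I", off), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def session_key(shared_secret, epoch):
    """Hypothetical derivation: both ends compute the session key for an epoch."""
    return hmac.new(shared_secret, b"session" + struct.pack(">I", epoch),
                    hashlib.sha256).digest()[:KEY_LEN]

def encapsulate(shared_secret, seq, original_packet):
    epoch = seq // CRYPTO_PERIOD              # session key rotates each crypto period
    nonce = struct.pack(">I", seq)
    packet_key = os.urandom(KEY_LEN)          # random key used for this packet only
    body = keystream_xor(packet_key, nonce, original_packet)  # headers and payload
    wrapped = keystream_xor(session_key(shared_secret, epoch), nonce, packet_key)
    return struct.pack(">II", epoch, seq) + body + wrapped    # wrapped key appended

def decapsulate(shared_secret, wire):
    epoch, seq = struct.unpack(">II", wire[:8])
    nonce = struct.pack(">I", seq)
    body, wrapped = wire[8:-KEY_LEN], wire[-KEY_LEN:]
    packet_key = keystream_xor(session_key(shared_secret, epoch), nonce, wrapped)
    return keystream_xor(packet_key, nonce, body)

def demo():
    secret = b"constructed-shared-secret"
    # Constructed stand-in for a complete original packet (headers plus data).
    original = b"\x45\x00 10.1.1.5 -> 10.2.2.9 TCP ACK payload=hello"
    wires = [encapsulate(secret, seq, original) for seq in range(6)]
    epochs = [struct.unpack(">I", w[:4])[0] for w in wires]
    recovered = [decapsulate(secret, w) for w in wires]
    return wires, epochs, recovered

if __name__ == "__main__":
    wires, epochs, recovered = demo()
    print("session-key epochs:", epochs)
    print("distinct ciphertexts:", len(set(wires)), "recovered:", recovered[0])
```

The sketch covers confidentiality only, as the passage does; it performs no integrity check on the received packet.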
Related Information: Packet Handling (page 3-7); The Template Concept
Packet Keys
3-9
