Cisco SA-VAM - VPN Acceleration Module Installation And Configuration Manual page 18

Data Encryption Overview
IKE—Internet Key Exchange (IKE) is a hybrid security protocol that implements Oakley and Skeme key exchanges inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. IKE can be used with IPSec and other protocols. IKE authenticates the IPSec peers, negotiates IPSec security associations, and establishes IPSec keys. IPSec can be configured with or without IKE.

CA—Certification authority (CA) interoperability supports the IPSec standard, using Simple Certificate Enrollment Protocol (SCEP) and Certificate Enrollment Protocol (CEP). CEP permits Cisco IOS software devices and CAs to communicate so that your Cisco IOS software device can obtain and use digital certificates from the CA. IPSec can be configured with or without CA. The CA must be properly configured to issue certificates. For more information, see the "Configuring Certification Authority Interoperability" chapter of the Security Configuration Guide at http://www.cisco.com/en/US/products/sw/iosswrel/products_ios_cisco_ios_software_releases.html

The component technologies implemented for IPSec include:

DES and Triple DES—The Data Encryption Standard (DES) and Triple DES (3DES) encrypt packet data. Cisco IOS software implements 3-key Triple DES and DES-CBC with Explicit IV. Cipher Block Chaining (CBC) requires an initialization vector (IV) to start encryption; the IV is carried explicitly in the IPSec packet.

AES—The Advanced Encryption Standard, a next-generation symmetric encryption algorithm, used by the U.S. Government and organizations outside the U.S.

MD5 (HMAC variant)—MD5 is a hash algorithm. HMAC is a keyed hash variant used to authenticate data.

SHA (HMAC variant)—SHA is a hash algorithm. HMAC is a keyed hash variant used to authenticate data.

RSA signatures and RSA encrypted nonces—RSA is the public key cryptographic system developed by Ron Rivest, Adi Shamir, and Leonard Adleman. RSA signatures provide non-repudiation, while RSA encrypted nonces provide repudiation.

IPSec with the Cisco IOS software supports the following additional standards:

AH—Authentication Header is a security protocol that provides data authentication and optional antireplay services. The AH protocol uses various authentication algorithms; Cisco IOS software has implemented the mandatory MD5 and SHA (HMAC variants) authentication algorithms. The AH protocol provides antireplay services.

ESP—Encapsulating Security Payload, a security protocol, provides data privacy services, optional data authentication, and antireplay services. ESP encapsulates the data to be protected. The ESP protocol uses various cipher algorithms and (optionally) various authentication algorithms. Cisco IOS software implements the mandatory 56-bit DES-CBC with Explicit IV or Triple DES as the encryption algorithm, and MD5 or SHA (HMAC variants) as the authentication algorithms. The updated ESP protocol provides antireplay services.

IPPCP—IP Payload Compression Protocol. IPPCP provides stateless compression for use with encryption services such as IPSec. When using Layer 3 encryption, lower layers (such as PPP at Layer 2) cannot provide compression. Compressing already encrypted packets usually results in expansion.
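The receive-side ESP handling described above (the explicit IV carried in the packet, the HMAC-variant integrity check, and the antireplay service) as an added Python example; this is not code from the Cisco guide or from Cisco IOS. The key, SPI and packet contents are constructed, the 64-entry window size is an assumption, and payload decryption is left out since DES/3DES is not in the standard library.

```python
import hmac, hashlib, struct

ICV_LEN = 12   # HMAC-SHA1-96: HMAC-SHA1 output truncated to 96 bits (RFC 2404)
IV_LEN = 8     # explicit IV for DES-CBC / 3DES-CBC: one 64-bit cipher block
WINDOW = 64    # antireplay window size; an assumption (RFC 2401 requires >= 32)

def build_esp(auth_key, spi, seq, iv, ciphertext):
    """Constructed sender side: SPI | SEQ | explicit IV | ciphertext | ICV."""
    body = struct.pack("!II", spi, seq) + iv + ciphertext
    return body + hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]

def parse_esp(pkt):
    """Split a packet into (spi, seq, iv, ciphertext, icv); the IV travels in the clear."""
    spi, seq = struct.unpack("!II", pkt[:8])
    return spi, seq, pkt[8:8 + IV_LEN], pkt[8 + IV_LEN:-ICV_LEN], pkt[-ICV_LEN:]

class EspInbound:
    """Receiver state for one inbound SA: verify the ICV, then the antireplay window."""
    def __init__(self, auth_key):
        self.auth_key = auth_key
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already accepted

    def check(self, pkt):
        if len(pkt) < 8 + IV_LEN + ICV_LEN:
            return "malformed"
        body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
        expected = hmac.new(self.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return "bad ICV"  # dropped before replay state is updated
        seq = parse_esp(pkt)[1]
        if seq == 0:
            return "replay"   # sequence number 0 is never valid on an SA
        if seq > self.top:    # right of the window: slide it forward
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
            return "ok"
        diff = self.top - seq
        if diff >= WINDOW or self.bitmap & (1 << diff):
            return "replay"   # left of the window, or already seen inside it
        self.bitmap |= 1 << diff
        return "ok"

def demo(auth_key=b"constructed-demo-key"):
    """Fresh packet, its replayed copy, and a copy with one ciphertext byte flipped."""
    sa = EspInbound(auth_key)
    pkt = build_esp(auth_key, 0x1000, 5, bytes(range(8)), b"\x00" * 16)
    tampered = pkt[:-ICV_LEN - 1] + bytes([pkt[-ICV_LEN - 1] ^ 1]) + pkt[-ICV_LEN:]
    return sa.check(pkt), sa.check(pkt), sa.check(tampered)
```

The ICV is verified before the replay window is touched, so a forged packet cannot move the window; a genuine packet replayed later is rejected by the bitmap.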
VPN Acceleration Module 2+ (VAM2+) Installation and Configuration Guide, OL-5979-03, Chapter 1 Overview, page 1-2