Defining VPN Encryption; Describing Public-Key Infrastructure (PKI); Digital Signatures - Enterasys Security Router X-Pedition User Manual

Enterasys security router user's guide
Defining VPN Encryption

To ensure that the VPN is secure, limiting user access is only one piece of the puzzle; once the user
is authenticated, the data itself needs to be protected as well. Without a mechanism to provide
data privacy, information flowing through the channel will be transmitted in clear text, which can
easily be viewed or stolen with a packet sniffer.
The types of encryption available vary widely, but there are two basic cryptographic systems:
symmetric and asymmetric. Symmetric cryptography tends to be much faster to deploy, is
commonly used to exchange large volumes of data between two parties who know each other,
and uses the same private key to encrypt and decrypt data.
Asymmetric (public-key) systems are more complex and require a pair of mathematically related
keys: one public and one private (known only to the recipient). This method is often used for
smaller, more sensitive packets of data, or during the authentication process.
Generally, longer encryption keys are stronger. An algorithm's key length determines the amount
of effort required to crack the system using a brute-force attack, in which computers are combined
to calculate all possible key permutations. The XSR offers several encryption schemes:
- Data Encryption Standard (DES): a 20-year-old, thoroughly tested system that uses a complex
  symmetric algorithm with a 56-bit key, but is considered less secure than more recent systems.
- Triple DES (3DES): uses three DES passes and an effective key length of 168 bits, thus
  strengthening security.
- Diffie-Hellman: the first public-key cryptosystem; it is used to generate asymmetric (secret) keys,
  not to encrypt and decrypt messages.
- Advanced Encryption Standard (AES): the anticipated replacement for DES, supports a 128-bit
  block cipher using a 128-, 192-, or 256-bit key.
- RSA signatures: an asymmetric public-key cryptosystem used for authentication by creating a
  digital signature.

Describing Public-Key Infrastructure (PKI)

PKI is a scalable platform for secure user authentication, data confidentiality, integrity, and
non-repudiation. It can be applied to allow users to use insecure networks in a secure and private way.
PKI relies on the use of public-key cryptography, digital certificates, and a public-private key pair.

Digital Signatures

Encryption and decryption address eavesdropping, one of the three Internet security issues
mentioned at the beginning of this chapter. But encryption and decryption, by themselves, do not
address tampering and impersonation.
Tamper detection and related authentication techniques rely on a mathematical function called a
one-way hash (also called a message digest). A one-way hash is a number of fixed length with the
following characteristics:
- The hash value is unique for the hashed data. Any change in the data, even deleting or
  altering a single character, results in a different value.
- The content of the hashed data cannot, for all practical purposes, be deduced from the hash,
  which is why it is called one-way.
It is possible to use your private key for encryption and your public key for decryption. Although
this is not desirable when you are encrypting sensitive data, it is a crucial part of digitally signing any
Describing Public-Key Infrastructure (PKI)
XSR User's Guide 14-5
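As an added illustration of the hash-then-sign idea described above (example code, not from the Enterasys manual), the following Python uses textbook RSA with two small, constructed primes: the SHA-256 digest of a message is "encrypted" with the private exponent to produce the signature and "decrypted" with the public exponent to verify it, so that altering a single character of the signed data makes verification fail. The primes, the helper names and the sample message are assumptions for illustration; real deployments use full-size keys and a padded signature scheme.

```python
import hashlib

# Toy RSA key pair built from two small, constructed primes (illustration only;
# production RSA keys are 2048 bits or more and use a padded signature scheme).
P = 1_000_000_007
Q = 998_244_353
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (Python 3.8+ modular inverse)


def message_digest(data: bytes) -> int:
    """One-way hash of the data, reduced into the range of the toy modulus.

    Any change to the data, even a single character, yields a different digest,
    and the data cannot practically be recovered from the digest.
    """
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes, private_exp: int = D) -> int:
    """Signing: hash the data, then 'encrypt' the digest with the private key."""
    return pow(message_digest(data), private_exp, N)


def verify(data: bytes, signature: int, public_exp: int = E) -> bool:
    """Verification: 'decrypt' the signature with the public key and compare it
    with a freshly computed digest of the data actually received."""
    return pow(signature, public_exp, N) == message_digest(data)


if __name__ == "__main__":
    order = b"transfer 100 to account 42"        # constructed sample message
    sig = sign(order)
    print("original verifies:", verify(order, sig))        # True
    tampered = b"transfer 900 to account 42"          # one character changed
    print("tampered copy verifies:", verify(tampered, sig))  # False
```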
