IPSec terminology - Sinclair Community College

advertisement
Cryptography Terminology

Asymmetric Cryptography (Public Key Cryptography): A method of cryptography that uses two keys; a
private key known only to the owner of the key and a public key, available to anyone to use. Messages that
have been encrypted with a public key can only be decrypted by the associated private key; likewise,
messages encrypted by the private key can only be decrypted by the associated public key. These keys are
generated by and the public key stored with a Certificate Authority while the private key is retained and
known only by the owner.

Certificate Authority: A trusted party that issues digital certificates used to identify the bearer of the
certificate. The CA many times is a third party, hired by the bearer of the certificate, to confirm the identity
of the person, organization or computer. VeriSign Corp. is the largest and best known CA in the US.

Data Enryption Standard (DES): A standard for encrypting data, first published in 1977 by the US
National Bureau of Standards. DES uses a 64 bit key to encrypt data but only 56 bits are usable. Because of
the power of modern computers, this standard is considered inadequate for data protection. Triple DES
(3DES) processes each block of data similarly by using a different key each time resulting in a significantly
more secure message.

Diffie-Hellman algorithm: A mathematical formula that allows two parties to independently calculate a
common value known as a shared secret. The process begins with two values known to both sides (one value
is a prime number, the other value an integer). Each side generates a random third value which, when used
with the first two values in a specific mathematical formula, generates the shared secret. Each side can then
encrypt messages using the shared secret and the recipient can decrypt the message using the shared secret.
The algorithm is named for its inventors, Whitfield Diffie and Martin Hellman, two Stanford
mathematicians.

Digital certificate: A digital document or electronic credential used to certify the online identity of
individuals, organizatins and computers. The digital certificate associates a public key with the party
identified in the document. The document includes information about the issuer of the certificate
(Certificate Authority), the holder of the certificate, the period for which the certificate is to be considered
valid, the purpose of the certificate and the public key. The digital certificate conforms to a specification
known as X.509. A hash is calculated and then encrypted with the CAs private key. A party receiving the
certificate can use the issuer’s public key to decrypt the hash and compare to its calculated hash to determine
validity of the certificate. Also, the certificate can be compared against the issuer’s CRL to confirm validity.

Digital envelope: A combination of cipher text, after being encrypted with a symmetric key, and the
symmetric key after it has been encrypted using the recipient’s public key. The recipient can use his private
key to decrypt the encrypted symmetric key, then use the symmetric key to decrypt the cipher text.

Digital signatures: A technique, using Public Key cryptography, to confirm that a message has not been
tampered with in transit and its sender is the known party. A message or file is input to create a hash, e.g.,
using SHA-1 or MD5; the hash calculated is then encrypted using the private key of the sender. The
recipient of the message uses the sender’s public key to decrypt the message hash and, if the resulting hash is
the same as the hash calculated by the recipient, the message is considered to have been unmodified and the
sender’s identity is verified.

Hash function (message digest): an algorithm that takes a message of any length and outputs a fixed length
message digest, hash or fingerprint. Hash functions are used to verify the integrity of a message; the sending
device calculates a hash and the receiving device, using the same algorithm, calculates a hash. If the results
are unequal, then the message is considered to have been modified in transit and is discarded. Common hash
functions include MD5, SHA-1, RIPEMD and Tiger, creating keys of various lengths (128 to 190 bits).
All methods operate on the original message in blocks of data. Algorithms must be collision-free, i.e., the
probability of two different messages producing the same hash total must be exceedingly small. A greater
length of the hash total implies greater security; MD5 is considered to be the most efficient in processing
terms.

Hash Message Authentication Codes (HMAC): A method of providing message integrity by combining a
hash function with a shared, secret key. The sending device will calculate the hash total and encrypt it with
the shared key; the receiving device will calculate a hash using the same method and compare it to the
decrypted hash included with the received message. If they are the same, the message was received intact and
unmodified.

Public Key Infrastructure (PKI): The set of hardware, software, personnel, policies and procedures required
to create, manage, store, distribute and revoke public keys. The PKI uses asymmetric encryption to provide
proof of identity, data privacy, non-repudiation and data integrity. Digital certificates and digital signatures
are two elements of PKI. The most widely used public key algorithms are provided by RSA Data Security,
Inc.

Symmetric Key (secret key): A bit string created by generating a random number of the appropriate size
(bit length). Greater key lengths provide greater security for the data encrypted with the symmetic key. If
the encryption technique is sound (valid), the only way to decrypt the data is to determine the key. A brute
force attack, in which all the possible keys are tried until the correct one is found, is the only way to find the
key. In order to find the key, according to statistical theory, about half of the possible keys must be tried.
The key length is selected so that it is computationally infeasible to do this in the time required for the data
to be secure. For example, a key length of 64 yields 1.8E19 keys; a key length of 128, yields about 3.4E38.

Symmetric Cryptography: A method of encrypting and decrypting text using the same key to provide both
encryption and decryption.
IPSec Terminology

Authentication Header (AH): One of several protocols that are part of IPSec. AH provides data integrity,
authentication and anti-replay for the message but provides no encryption of the message content. This
protocol adds a new header to the orginal IP datagram by inserting an AH header after the original IP header
and before the TCP header.

Encapsulating Security Payload (ESP): One of several protocols that are part of IPSec. ESP provides data
integrity and authentication but also provides encryption of the message content. This ensures that the
message has not been viewed in transit. The ESP header, trailer and authentication portions are added to the
message. Except in tunnelling mode, ESP does not sign the entire packet and thus does not insure
protection for the original IP header. For highest security, combine both AH and ESP; this can only be
done in a custom IPSec Policy.

Security Association: An agreement between two communicating peers that determines the IPSec protocols
to be used (AH and/or ESP), the mode of operation of the protocols (tunnel or transport mode), the
cryptographic algorithms (DES or 3DES), the keys and key related parameters. Separate SAs are necessary
for inbound and outbound traffic and for each protocol (AH and ESP). Each node stores its SAs in a
Security Association Database and assigns each SA a unique Security Parameter Index (SPI) that is included
in the AH and ESP headers of related messages.
CIS273: Windows 2000 Network Infrastructure
Page 2
2/16/2016
Download