IPSec uses cryptography to provide privacy and authentication
services. Cryptography is the technique of ciphering and deciphering
(that is, encoding and decoding) of data. The cryptosystem defines
a pair of data transformations called encryption and decryption.
Unencoded data or plaintext is encrypted to form ciphertext. The
plaintext can then be retrieved from the ciphertext by applying
the associated decryption algorithm.
Most cryptosystems use keys in the
encryption and decryption algorithms. The keys are typically large
numbers with particular mathematical properties so that when they
are used with the cryptosystem algorithms they form ciphertext that
is difficult to decode without knowing the key.
There are two types of keying systems: Symmetric (the
sender and receiver use the same key) and Asymmetric (two
different keys are used). HP's IPSec/9000 uses symmetric
keys for AH and ESP encryption. It may use asymmetric key cryptography
as part of Internet Key Exchange (IKE) protocol.
Symmetric Key Cryptography |
 |
Symmetric key cryptography uses a single key for encryption
and decryption. Because both the sender and the receiver must know
the same key, it is also referred to as "shared key" cryptography.
In addition, the key can only be known by the sender and receiver
to maintain integrity, so it is sometimes referred to as "secret
key" cryptography.
Symmetric Key Authentication
In cryptosystems,
authentication is ensuring that remote entities (partners or systems)
are whom they claim to be. IPSec uses symmetric-key (shared-key)
hash functions to authenticate data.
The symmetric-key hash functions are based on hash functions
that take a large block of variable-length data as input and produce
a small, fixed-length hash value. Cryptographic hash functions are
usually one-way functions, so that starting with a hash output value,
it is difficult to create an input value that would generate the
same output value. This makes it difficult for a third party to
intercept a message and replace it with a new message that would
generate the same authentication value.Symmetric-key hash functions
are a variation of cryptographic hash functions that take both the
data and a symmetric key as input to generate an authentication
value. This ensures that only a holder of the secret key could generate
the authentication value.
In the example below, the sender uses the plaintext and shared
key to calculate an authentication value and sends the authentication
value with the plaintext. The recipient computes its own authentication
value using the same shared secret key and the plaintext. It then
compares the result with the transmitted authentication value. If
it matches, the recipient is assured that the sender knows the same
secret key, confirming the identity of the sender. The recipient
is also assured that the data was not altered during transit.
Asymmetric Key Cryptography |
|
Asymmetric
key cryptography uses a pair of related, but different keys. One
key, the private key, is associated with
a specific system or entity and is kept secret; the other key is
the public key and can be distributed freely.
The public and private keys are mathematically related so that data
encrypted with the public key can only be decrypted with the private
key. This guarantees message privacy during transit.
Asymmetric Key Authentication
Most asymmetric cryptosystems can
also use the private key to encrypt information. Information encrypted
with the private key can only be decrypted with the public key.
This can be used for authentication by using the private key to
encrypt a checksum or hash output of the data to form a digital
signature. The sender transmits the data and the digital signature.
The recipient decrypts the digital signature with the sender's public
key, and also calculates its own checksum or hash output for the transmitted
data. The recipient then compares the results with the value decrypted
from the digital signature.
Printable version
