Previous Page Next Page

Part III: Data Privacy

 

Chapter 14: Cryptography

 

Chapter 15: IPsec VPN

 

Chapter 16: Dynamic Multipoint VPN (DMVPN)

 

Chapter 17: Group Encrypted Transport VPN (GET VPN)

 

Chapter 18: Secure Sockets Layer VPN (SSL VPN)

 

Chapter 19: Multiprotocol Label Switching VPN (MPLS VPN)

Chapter 14. Cryptography

Today, the Internet provides the most efficient and commonly used information highway for communication and information exchange. With millions of people communicating on this highway, privacy has become an extremely important issue.

Secure communication is becoming pivotal in every network design. For this reason, cryptography is one of the essential elements of today's information systems, providing secure access to information with greater reliability, authenticity, accuracy, and confidentiality.

This chapter provides an overview of cryptography solutions and various types of virtual private network (VPN) deployments. This chapter builds foundation knowledge of cryptographic algorithms and protocols for the next chapter by covering IPsec VPN that employs a cryptography approach.

Secure Communication

From the physical layer to the application layer of the OSI reference model, cryptography is the first of many steps necessary to provide secure communication solutions.

Cryptosystem

A cryptosystem—or "cryptographic system"—is a framework that involves the application of cryptography to provide secure communications.

A cryptosystem is the collection of protocols, procedures, and algorithms required to implement an encoding and decoding system using cryptography technology.

With a cryptosystem, the confidentiality and integrity of information can be achieved by using various methods that employ cryptography, such as encryption and decryption techniques, hash functions, digital signatures, key management techniques, and various other systems.

Cryptography Overview

Cryptography is an ancient science. As far back as 1900 B.C., Egyptians used cryptography for ancient inscriptions. Romans used some early cryptosystems to exchange confidential messages.

The word cryptography comes from the Greek words kryptos and graphein. Kryptos means "hidden" and graphein means "writing." Hence, cryptography is said to be the study of hidden writing, or the science of encrypting and decrypting normal text to make it incomprehensible.

Cryptographic techniques are usually classified as

In data and telecommunications, cryptography is necessary when communicating over untrusted or shared mediums, such as the Internet.

Cryptographic technologies and solutions help address issues related to information confidentiality, integrity, and access control. The objective is to protect the immobile and mobile (stationary or during transmission) information by using cryptographic technologies. Cryptography solutions also provide techniques for identifying unauthorized data modifications and alterations.

In the modern world of computer networks, information and information systems are digitally secured by using modern cryptographic protocols and algorithms.

Cryptographic Terminology

The following terminologies are commonly used in cryptographic context to describe a function or a role. Here are some basic terms used throughout the chapter and further:

Note

While explaining cryptography in various paragraphs and diagrams in this chapter, two communicating endpoints are referred to as "Alice" and "Bob" to identify the communicating parties. This is a common nomenclature in cryptographic literatures.


Cryptographic Algorithms

In general, there are three types of cryptographic algorithms:

All three types of cryptography schemes have unique function mapping to specific applications. For example, the symmetric key cryptography approach is typically used for the encryption of data providing confidentiality, whereas asymmetric key cryptography is mainly used in key exchange and nonrepudiation, thereby providing confidentiality and authentication. The hash algorithm (noncryptic), on the other hand, does not provide confidentiality but provides message integrity, and cryptographic hash algorithms provide message integrity and identity of peers during transport over insecure channels.

Symmetric Key Cryptography

A symmetric key cryptography, also known as a secret-key or preshared key algorithm, is an approach that uses a single key for both encryption and decryption. Symmetric key cryptography is typically used to encrypt the contents of a message to provide data confidentiality.

Figure 14-3 depicts how the symmetric key encryption process works in using the same single key on both ends. The key must be known to both ends. The sender (Bob) uses a secret key to encrypt the plaintext message and thereby produce the ciphertext, and the receiver (Alice) uses the same secret key to decrypt the ciphertext, thereby producing the original plaintext message. A single key is used for both functions; hence, this method is called the symmetric encryption process.

Figure 14-3. Symmetric Key Encryption


Symmetric key cryptography ciphers are generally categorized in two modes:

In general, a block cipher mode yields the same ciphertext from a block of plaintext when using the same key, whereas a stream cipher mode yields different ciphertext from the same plaintext. Symmetric key cryptography algorithms are generally much less computationally intensive than asymmetric key cryptography algorithms.

Symmetric key cryptography is less computationally intensive and therefore much faster, especially for bulk data encryption such as data transfers, and can run on appliances without dedicated cryptographic hardware.

The list that follows contains some of the common symmetric key cryptography algorithms that are in use today:

Note

Among the common symmetric key cryptography algorithms previously listed, several other symmetric key algorithms are available—namely, CAST-128/256, IDEA, RC4, and Blowfish.


Asymmetric Key Cryptography

Asymmetric key cryptography is also commonly known as a public-key algorithm and was first described publicly in 1976.

Asymmetric key cryptography design uses a two-key pair: one key is used to encrypt the plaintext, and the other key is used to decrypt the ciphertext. Unlike the symmetric-key approach, two parties can communicate securely over an insecure channel without having to share a secret key. Asymmetric key cryptography is typically used in digital certification and key management. Theoretically, asymmetric key cryptography could also be used to encrypt data, although this is rarely done because symmetric key cryptography is much more efficient and much less computationally intensive than asymmetric key cryptography.

Figure 14-4 depicts how the asymmetric key encryption process works using the two keys known as public and private keys. Each end user has its own pair of public and private keys. The public key from each end user is widely distributed via the key-management system to all users. The private key is never exchanged or revealed to another party.

Figure 14-4. Asymmetric Key Encryption


Figure 14-4 shows that the sender (Bob) uses the receiver's (Alice) public key to encrypt the message to produce the ciphertext. When the receiver (Alice) gets the encrypted message, she uses her own private key to decrypt the ciphertext to produce the original plaintext message. This mechanism provides a secure communication exchange, assuring that only the authorized recipient (Alice, in this case) will be able to decipher the message with her own private key.

Another variation of the asymmetric key approach is used to validate the identity of the sender, whereby the sender (Bob) uses his own private key to encrypt the message, and the receiver (Alice) uses the sender's (Bob) public key to decrypt the ciphertext. This variation offers nonrepudiation, in which only the holder of the private key could have encrypted the message, thereby assuring that the sender was the one who sent the message.

Separate keys are used for both functions; therefore, this method is called the asymmetric encryption process.

The list that follows contains some of the common asymmetric key cryptography algorithms that are widely used for key exchange and digital signatures:

Note

Among the common asymmetric key cryptography algorithms listed previously, several other asymmetric key algorithms are available—namely, Elliptic Curve Cryptography (ECC), Encrypted Key Exchange (EKE), ElGamal, and Cramer-Shoup.


Hash Algorithm

A hash algorithm has a number of names—hash function, message digest, and one-way encryption. Hash algorithms use a mathematical formula to compute a fixed-length hash value based on the original plaintext. Using a hash value, the original message cannot be reconstituted even with the knowledge of the hash algorithm. Hash functions are generally faster than encryption mechanisms.

Hash algorithms are typically used to provide a digital fingerprint of any type of data, to ensure that information has not been altered during the transmission, thus providing a measure for information integrity.

A hash value, also known as a message-digest value, is a unique number that is created from a sequence of text by applying a mathematical formula.

Figure 14-5 illustrates how the hash algorithm works. The sender (Bob) produces a unique hash value by using a mathematical algorithm, which is then appended to the original message as the unique identifier (fingerprint of the message) and transmitted to Alice. The receiver (Alice) separates the appended hash value from the original message and computes the hash locally by using the predetermined hash algorithm. If the locally computed hash equals the appended hash that was received, the data is known to be unaltered, thus providing message integrity.

Figure 14-5. Hash Algorithm


Hash algorithms are commonly used for data integrity check and digital certificates.

The list that follows contains some of the common hash algorithms that are widely used for information integrity, authentication, and digital signatures:

A traditional hash algorithm does not make use of any key mechanism to produce a hash value. However, a cryptographic hash algorithm combined with a secret key is used to calculate a keyed-hash message authentication code (HMAC). Message authentication code (MAC) provides data integrity and message authentication.

Digital signatures use the hash algorithm coupled with the asymmetric key mechanism to produce a private key encrypted hash output. Digital signatures guarantee the authenticity of the message in addition to message integrity.

Figure 14-6 illustrates how the cryptographic keyed-hash algorithm works. The sender (Bob) produces a unique hash value by using a mathematical algorithm, which is then encrypted using Bob's own private key. The encrypted hash value is appended to the original message as the unique identifier (as a fingerprint of the message) and transmitted to Alice. The receiver (Alice) separates the appended encrypted hash value from the original message and decrypts the hash with the sender's (Bob's) public key. Then the receiver takes the original message input through the predetermined hash algorithm to produce a locally generated hash value of the same text. If the locally computed hash equals the unencrypted hash received, the data is known to be unaltered, thus providing message integrity. This process provides nonrepudiation and proof of the integrity and origin of data because it proves that only the holder of the private key could have encrypted the hash, and the private key did so before sending the data. The digital signature provides data integrity and message authentication.

Note

Among the common hash algorithms previously listed, several other hash functions are available—RIPEMD, HAS-160, HAVAL, Whirlpool, and Tiger2.


Figure 14-6. Digital Signature Using Keyed-Hash Algorithm


Tip

Refer to RFC 4270 (by Paul Hoffman and Bruce Schneier, November 2005) for further information on attacks on hash functions, how hash algorithms are susceptible to collision attacks, and how to thwart these known attacks.


Previous Page Next Page