Network Systems DesignLine | IPsec, a Tutorial--Part I


IPsec, a Tutorial--Part I

Here is Part I of a Network Systems DesignLine multi-series excerpt from Chapter 2: IPsec Fundamentals from the book IPsec Virtual Private Network Fundamentals. First, an overview of cryptographic components.
Internet Protocol Security (IPsec), as defined in RFC 2401, provides a means to ensure the authenticity, integrity, and confidentiality of data at the network layer of the Open Systems Interconnection (OSI) stack. IPsec is a suite of protocols that defines standards for the four key elements needed to build a comprehensively robust Virtual Private Network (VPN):

  • Security Protocols
  • Key Exchange Mechanisms
  • Algorithms Required for Encryption and Secure Key Exchange
  • SA Definitions and Maintenance

In this chapter, we will introduce the cryptographic components and concepts necessary to understand how IPsec delivers on its promise of secure transmittal of data across untrusted media. In order to understand the encryption algorithms and security protocols used by IPsec, one must first understand how encrypted messages are formed. We will therefore discuss the basic elements of encryption that clarify the cryptographic mechanisms used within the IPsec protocol suite. Additionally, we will explore how IPsec establishes secure data tunnels (IPsec VPNs) with other peers. IPsec employs the Internet Key Exchange (IKE) protocol to exchange keys. This chapter will cover the critical importance of IKE within the IPsec protocol suite and its role in establishing IPsec Security Associations (SAs).

Note:
The IKE protocol is used within the Internet Security Association and Key Management Protocol (ISAKMP) framework. However, throughout the course of this text, especially when describing SA establishment, the terms IKE and ISAKMP will be used interchangeably.

Overview of Cryptographic Components
As we discussed briefly while introducing the criteria for defining an effective VPN, data confidentiality, data authentication, data integrity, and data nonrepudiation must be maintained. These criteria also apply to the effectiveness of any encrypted communication: the more of them are met, the more secure and private the communication channel is deemed to be.

Cryptographic processes use three basic components to deliver upon these criteria for success--a key, a cryptographic mathematical function (also called cipher), and a message to be encrypted or decrypted. A one-thousand-foot view of the process is as follows: the message is fed into the cipher algorithm, which uses the key to transform the original message into a format that is undecipherable to anybody who does not possess the appropriate decryption key.

As depicted in Figure 1, the exchange between James and Charlie relies heavily on encryption and decryption keys. In any cryptographic operation, the appropriate keys must be obtained in order to encrypt and decrypt messages. In some cases, the encryption key and decryption key are one and the same. In other cases, they are intentionally different from one another (one used for encryption, the other used for decryption). We will now explore how these two different types of encryption (symmetric and asymmetric) provide for data confidentiality in VPN deployments.


Figure 1. Encryption--A One-Thousand-Foot View

Asymmetric Encryption
In an asymmetric encryption scheme, each party derives a private and public key pair, as shown in the following text. As the names suggest, public keys can be exchanged with communications partners, while private keys must be kept secret.

In asymmetric cryptographic operations, private keys are generally used to decrypt data, while public keys are used to encrypt data. In the scenario depicted in Figure 2, James and Charlie exchange public keys so that each can encrypt traffic to the other. James then uses Charlie's public key to encrypt his message to Charlie, and Charlie must use his own private key to decrypt it. The same operation transpires when Charlie replies to James: Charlie's reply is encrypted with James' public key, and James must use his own private key to decrypt it. Hence the requirement that James and Charlie exchange public keys before any encrypted communication can take place. Of critical importance is that these public keys be exchanged securely and only between the appropriate parties. As we will see in later sections, effective methods exist to guarantee the authenticity of key exchange across untrusted media.


Figure 2. Asymmetric, Public Cryptographic Setup and Key Exchange
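The following walk-through of the Figure 2 exchange is an added example, not code from the book or from any IPsec implementation. It uses textbook RSA with fixed Mersenne primes as constructed toy parameters (insecure: tiny, factorable moduli and no padding) purely to make the key-handling rule concrete: each party publishes only the public half of its pair, a sender encrypts under the recipient's public key, and only the matching private key recovers the plaintext.

```python
"""Toy textbook RSA walk-through of the James/Charlie exchange in Figure 2.
Constructed illustration, not IPsec code or the book's own; the fixed Mersenne
primes and the absence of padding make it insecure. It demonstrates only the
key-handling rule: encrypt under the recipient's public key, decrypt with your
own private key."""

# Constructed toy parameters: Mersenne primes 2**k - 1 for k = 61, 89, 107, 127.
CHARLIE_PRIMES = (2**61 - 1, 2**89 - 1)
JAMES_PRIMES = (2**107 - 1, 2**127 - 1)


def generate_keypair(p: int, q: int, e: int = 65537):
    """Return ((e, n), (d, n)): the public half may be published, d stays secret."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt(public_key, message: bytes) -> int:
    """Anyone holding the public key can encrypt; only the matching private key decrypts."""
    e, n = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message must be shorter than the modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    d, n = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def exchange_demo() -> dict:
    """Run both directions of Figure 2 plus a wrong-key attempt."""
    james_pub, james_priv = generate_keypair(*JAMES_PRIMES)
    charlie_pub, charlie_priv = generate_keypair(*CHARLIE_PRIMES)
    # Step 1: public keys are exchanged; private keys never leave their owners.
    # Step 2: James -> Charlie, encrypted under Charlie's public key.
    to_charlie = encrypt(charlie_pub, b"Hello Charlie")
    # Step 3: Charlie -> James, encrypted under James' public key.
    to_james = encrypt(james_pub, b"Hello James")
    return {
        "charlie_reads": decrypt(charlie_priv, to_charlie),
        "james_reads": decrypt(james_priv, to_james),
        # James' private key does not recover a message meant for Charlie.
        "james_wrong_key": decrypt(james_priv, to_charlie) == b"Hello Charlie",
    }


if __name__ == "__main__":
    print(exchange_demo())
```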


