Network Systems DesignLine | IPsec, a Tutorial--Part III


IPsec, a Tutorial--Part III

Here is Part III of a Network Systems DesignLine multi-part excerpt from Chapter 2, "IPsec Fundamentals," of the book IPsec Virtual Private Network Fundamentals. This part covers public key encryption methods, including a discussion of RSA encryption and the Diffie-Hellman key exchange.


Public Key Encryption Methods
In almost every commercially available cryptographic scheme, including all of the components used in IPsec, the cipher itself is publicly known. It is the key used within the cipher that makes the encryption hard to break. Consider the asymmetric key encryption scheme used by James and Charlie. Charlie and James must each have the other's public key to encrypt communications that only the other party can decipher. Now suppose that a third party, Olivia, decides to deceive James and Charlie by convincing each of them that she is the other: she poses as Charlie to James and as James to Charlie. Figure 9 illustrates how a public key exchange can be compromised by a party inserting herself between two cryptographic endpoints.

Charlie's keypair has been compromised. Olivia can now send messages to Charlie and decrypt messages from Charlie originally intended for James and vice versa. The type of attack that Olivia executes on James' and Charlie's conversation is typically referred to as a man-in-the-middle attack. The steps in Figure 9 are as follows:

  1. Olivia authenticates herself to Charlie as James and to James as Charlie. Charlie and James intend to exchange their public keys with one another. But, because Olivia has authenticated as James to Charlie and as Charlie to James, James and Charlie actually exchange public keys with Olivia.
  2. James encrypts a message to Charlie with Olivia's public key, thinking that he is using Charlie's public key, and transmits it to Olivia unknowingly.
  3. Olivia receives the message, decrypts it with her private key, and is now able to read the original content of James' transmission to Charlie.
  4. Olivia alters the original content to suit her needs, encrypts the modified message with Charlie's public key, and forwards it on.
  5. Charlie receives the message from Olivia, thinking it was from James. Charlie then uses his private key to decrypt the message and reads the altered message sent by Olivia in Step 3.


Figure 9. Compromised Keys in an Asymmetric Exchange

Apply this type of attack to an exchange of financial account information between large global financial organizations, the exchange of patient health care records between regional hospitals and their insurance providers, or a customer and retailer exchanging credit card information over the Internet, and it becomes apparent why it is absolutely critical that the keys used in the exchange of encrypted data be exchanged securely and privately.

ISAKMP employs several operations to protect the authenticity and integrity of cryptographic keys. There are generally three methods for doing so, all of which are discussed later in this chapter--Preshared Authentication Keys, RSA Encrypted Nonces, and RSA Signatures. As we'll discuss at several points throughout this text, many of these methods derive their security from the computational difficulty of factoring the product of two large prime numbers. Let us begin our exploration of these techniques by discussing the RSA encryption algorithm.

RSA Public-Key Technologies
Ron Rivest, Adi Shamir, and Leonard Adleman developed the RSA encryption algorithm in 1977. To this day, RSA encryption has served as a critical authentication component in many large-scale commercial ISAKMP deployments. Two key cryptographic operations that leverage the RSA encryption algorithm are RSA encryption and RSA signatures. In this section, we will explore the operation of both RSA technologies within the context of the IPsec protocol suite.

RSA Encryption
RSA encryption uses an asymmetric cryptographic exchange to secure data, and its strength lies in the generation of the public and private key pair. Although generating RSA keypairs is somewhat expensive computationally relative to IKE preshared keys, RSA encryption is asymmetric and therefore yields an added level of security in authentication over manually defined IKE preshared keys (see Figures 4 and 6 for the added value of asymmetric cryptography). Consider the exchange of information between James and Charlie in Figure 9. Figure 10 shows how the encryption and decryption processes work when using RSA encryption.
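The following is an added example, not code from the book or from any ISAKMP implementation: toy textbook RSA encryption and signatures that walk through both the Figure 9 scenario and the RSA encryption and decryption steps above. It shows that when James simply uses whichever public key arrives, the interposed party reads the message, whereas checking a signature over the received key from a key both parties already trust (a simplified stand-in for certificate-style authentication, not the ISAKMP procedure itself) rejects the substituted key. All primes, party keys and the message are constructed; real deployments use 2048-bit or larger moduli with OAEP/PSS padding rather than the raw chunking used here.

```python
import hashlib
# Toy textbook RSA with constructed ~20-bit primes and no padding, for illustration
# only; real deployments use 2048-bit or larger moduli with OAEP/PSS padding.
def rsa_keygen(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # private exponent: e*d = 1 (mod phi), Python 3.8+
    return (e, n), (d, n)          # (public key, private key)

def rsa_encrypt(pub, plaintext):
    """Encrypt ASCII text in 4-byte chunks (each < n) with the recipient's PUBLIC key."""
    e, n = pub
    return [pow(int.from_bytes(plaintext[i:i + 4], "big"), e, n)
            for i in range(0, len(plaintext), 4)]

def rsa_decrypt(priv, ciphertext):
    """Recover the chunks with the matching PRIVATE key (ASCII: no leading zero bytes)."""
    d, n = priv
    ms = [pow(c, d, n) for c in ciphertext]
    return b"".join(m.to_bytes((m.bit_length() + 7) // 8, "big") for m in ms)

def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")  # 4 bytes: < n

def rsa_sign(priv, data):
    d, n = priv
    return pow(_digest(data), d, n)         # sign with the PRIVATE key

def rsa_verify(pub, data, sig):
    e, n = pub
    return pow(sig, e, n) == _digest(data)  # anyone can check with the PUBLIC key

def accept_peer_key(received_pub, sig, authority_pub):
    """Defence against Figure 9: use a peer's public key only if a key the parties
    already trust has signed it (the role a certificate plays in practice)."""
    return rsa_verify(authority_pub, repr(received_pub).encode(), sig)

def figure9_demo():
    """Returns (olivia_can_read, genuine_key_accepted, substituted_key_accepted)."""
    charlie_pub, _charlie_priv = rsa_keygen(1000003, 999983)      # constructed keys
    olivia_pub, olivia_priv = rsa_keygen(999979, 999961)
    authority_pub, authority_priv = rsa_keygen(1000033, 1000037)
    charlie_cert = rsa_sign(authority_priv, repr(charlie_pub).encode())
    msg = b"Wire 500 to acct 7781"                                  # constructed message
    # Steps 1-3: James encrypts with the key that arrived; it is Olivia's, so she reads it.
    olivia_reads = rsa_decrypt(olivia_priv, rsa_encrypt(olivia_pub, msg)) == msg
    # With authentication, James verifies the received key before using it.
    genuine_ok = accept_peer_key(charlie_pub, charlie_cert, authority_pub)
    substituted_ok = accept_peer_key(olivia_pub, charlie_cert, authority_pub)
    return olivia_reads, genuine_ok, substituted_ok
```

Calling `figure9_demo()` returns `(True, True, False)`: the unauthenticated exchange is readable by Olivia, Charlie's signed key is accepted, and the key Olivia substituted is rejected because no trusted signature covers it.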
