Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

Basics of VPN

 

 

What is VPN

 

A Virtual Private Network carries private traffic over public network.

 


A restricted-use, logical computer network that is constructed from the system resources of a relatively public, physical network (such as the Internet), often by using encryption, and often by tunneling links of the virtual network across the real network. (RFC2828)

 
 
Benefits of VPN

 

Confidentiality
Authentication
Integrity
Nonrepudiation
Access Control

 

Cryptography Building Blocks

 

Encryption vs. Hash

 

1.Encryption keeps communications Private.
2.Encryption and decryption can
3.use same or different keys.
4.Achieved by various algorithms, e.g. DES, CAST.
5.Need key management.

 

1.Hash transforms message into fixed-size string.
2.One-way hash function.
3.Strongly collision-free hash.
4.Message digest can be viewed as “digital fingerprint”.
5.Used for message integrity
6.check and digital certificate.
7.Hash is generally faster than encryption.

 

Commonly Used Hash Functions (MD5 and SHA)

 

Both MD5 and SHA are derived based on MD4.
MD5 provides 128-bit output, SHA provide 160-bit output.
Both of MD5 and SHA are considered one-way strongly collision-free hash functions.
SHA is computationally slower than MD5, but more secure

 

 

Data Encryption Standard (DES)

 

Symmetric key encryption algorithm
Block cipher: works on 64-bit data block, use 56-bit key.
Mode of operation: how to apply DES to encrypt blocks of data
Electronic Code Book  (ECB)
  Cipher Block Chaining (CBC)
  K-bit Cipher FeedBack (CFB)
  K-bit Output FeedBack (OFB)

 
 
 
Triple-DES
 
 
168-bit total key length
Mode of operation decides how to process DES three times.
More secure than DES

 

 

Diffie-Hellman Key Exchange

 

Asymmetric key algorithm.
The protocol allows two users to exchange secret key (used by symmetric algorithms) over an insecure channel without prior secrets.
Diffie-Hellman (DH) groups: size of modulus p, for examples:
DH group 1 (768-bit)
   p= 2^768 - 2^704 - 1 + 2^64 * { [2^638 pi] + 149686 }
   g= 2
DH group 2 (1024-bit)
Vulnerable to man-in-the-middle attack.

 

 

IPSec Definition and Services

 

IPSec Definition and Services


IPSec Stands for IP Security.
“A security protocol in the network layer will be developed to provide cryptographic security services that will flexibly support combinations of authentication, integrity, access control, and confidentiality” (IETF).

 


IPSec Services

 

Data Origin Authentication
Data Integrity
Confidentiality
Replay Detection
Access control and Traffic flow confidentiality

 

Security Association

 


Defines one-way relation between IPSec peers which apply security services to the traffic carried.
Two SAs are needed for two-way secure communication.

 

 

ISAKMP

 

ISAKMP: Internet Security Association  and Key Management Protocol.
Define procedure and packet format to establish, negotiate, modify and delete security association:
Standardized payload
Exchange types
Payload Processing rules
Domain of Interpretation defines the syntax and semantics.
Defined in RFC 2408.

 

 


Internet Key Exchange  (IKE)

 

Hybrid protocol: combination of ISAKMP, Oakley Key exchange and SKEME protocols.
Define the mechanism to derive authenticated keying material and negotiate security associations (used for AH, ESP)
Uses UDP port 500
Defined in RFC 2409

 

 

IKE (Two-Phase Protocol)

 

Two-phase protocol:
Phase I  exchange: two peers establish a secure, authenticated channel with which to communicate. Main mode or aggressive mode accomplishes a phase I exchange.
Phase II exchange: security associations are negotiated on behalf of IPSec services. Quick mode accomplishes a phase II exchange.
Each phase has its SAs: ISAKMP SA (phase I)  and IPSec SA (phase II).

 

 

IKE Authentication Methods

 

 

Pre-shared secret
Easy to deploy, not scalable
Public-key signatures (rsa-signature)
Most secure, require infrastructure.
Public-key encryption (rsa-nonce)
Similar security to rsa-sig, requires prior knowledge of  peer’s public key, limited support.

Version history
Revision #:
2 of 2
Last update:
‎08-23-2017 10:10 PM
Updated by:
 
Labels (1)
Contributors