Saigon,Vietnam
10-09-2003, 06:46 AM
Hi board,
I am stuck, can't type in Vietnamese when opening a new topic. Allow me to write in my poor English, please!
Just want to give Mr. Dang Quang Minh a hand in IPSec VPN. IPSec is a new technology and is still in developing process. It is not well doccument yet. And there are a lot of different ways to call a single object in the real networking environment as well as in the books, docs about IPSec. I am trying to summary to make clear some basic concepts that hard for beginners.
To the beginners, please pay attentions at the some "Notes" I try to give hints by them!
I might make mistakes somewhere in writing this. Please, let me and every one know if you catch one to avoid misconceptions.
IPSec Overview
IPSec is an industry standard suite of protocols, which provide a mechanism for secure data transmission over IP unsecured networks.
IPSec functions include:
1 Data/message integrity
2 Data origin authentication
3 Anti-replay
4 Data confidentiality
Notes: IPSec is a suite of not too many protocols (AH, ESP, ISAKAMP and IKE).
IPSec Architecture
IPSec uses two protocols for authentication and encryption AH and ESP.
Both two these protocols use hashing algorithms (MD5, SHA-1, HMAC) to ensure data integrity. The hashing algorithms MD5, and SHA-1 do not use shared secret keys. Therefore, Cisco supports HMAC variants of MD5 and SHA-1 for data authentication.
Shared secret keys are used to verify for data integrity. This key is created by Diffie-Hellman algorithm each time (exactly is right before) an IPSec tunnel created or before a “timeout session”.
The symmetric encryption algorithms (DES/AES) support only ESP to encryption / decryption function. They do not support AH. The symmetric encrypt algorithms such as DES/AES use a shared secret key to encrypt/decrypt packet data. Again, this key is created by Diffie-Hellman algorithm each time (exactly is right before) an IPSec tunnel created or before a “timeout session”.
IPSec uses two other protocols ISAKAMP and IKE for
• Authentication of peers
• Negotiation of IKE and IPSec security association
• Establishment of keys for encryption algorithms
Internet security association key management protocol (ISAKAMP) defined in RFC 2408 for the above listed functions. ISAKAMP was not defined how keys should be shared nor how they should be managed.
Internet Key Exchanged (IKE) defined in RFC 2409 combines ISAKAMP and Oakley algorithm to do the job completed.
Notes: Do not be confused between the terms IPSec protocols and IPSec algorithms
IPSec protocols: AH, ESP, ISAKAMP and IKE.
Hashing algorithm: MD5, SHA-1, HMAC.
Encryption algorithm DES or 3DES
IPSec keys
There are five permanent keys are used for every IPSec peer relationship:
Two are private keys that are owned by each peer and are never shared. These keys are used to sign messages.
Two are public keys that are owned by each peer and are made available to anyone. These keys are used to verify signatures.
The fifth key is the shared secret key. Both peer members use this key for encryption and hashing functions.
This was the key created by the Diffie-Hellman algorithm. Diffie-Hellman algorithm computes peer‘s private key and remote’s key to have a number. This number is the same as Diffie-Hellman algorithm computes peer‘s public key and remote’s key. Number then be conversed to shared secrete key.
Thanks for reading,
I am stuck, can't type in Vietnamese when opening a new topic. Allow me to write in my poor English, please!
Just want to give Mr. Dang Quang Minh a hand in IPSec VPN. IPSec is a new technology and is still in developing process. It is not well doccument yet. And there are a lot of different ways to call a single object in the real networking environment as well as in the books, docs about IPSec. I am trying to summary to make clear some basic concepts that hard for beginners.
To the beginners, please pay attentions at the some "Notes" I try to give hints by them!
I might make mistakes somewhere in writing this. Please, let me and every one know if you catch one to avoid misconceptions.
IPSec Overview
IPSec is an industry standard suite of protocols, which provide a mechanism for secure data transmission over IP unsecured networks.
IPSec functions include:
1 Data/message integrity
2 Data origin authentication
3 Anti-replay
4 Data confidentiality
Notes: IPSec is a suite of not too many protocols (AH, ESP, ISAKAMP and IKE).
IPSec Architecture
IPSec uses two protocols for authentication and encryption AH and ESP.
Both two these protocols use hashing algorithms (MD5, SHA-1, HMAC) to ensure data integrity. The hashing algorithms MD5, and SHA-1 do not use shared secret keys. Therefore, Cisco supports HMAC variants of MD5 and SHA-1 for data authentication.
Shared secret keys are used to verify for data integrity. This key is created by Diffie-Hellman algorithm each time (exactly is right before) an IPSec tunnel created or before a “timeout session”.
The symmetric encryption algorithms (DES/AES) support only ESP to encryption / decryption function. They do not support AH. The symmetric encrypt algorithms such as DES/AES use a shared secret key to encrypt/decrypt packet data. Again, this key is created by Diffie-Hellman algorithm each time (exactly is right before) an IPSec tunnel created or before a “timeout session”.
IPSec uses two other protocols ISAKAMP and IKE for
• Authentication of peers
• Negotiation of IKE and IPSec security association
• Establishment of keys for encryption algorithms
Internet security association key management protocol (ISAKAMP) defined in RFC 2408 for the above listed functions. ISAKAMP was not defined how keys should be shared nor how they should be managed.
Internet Key Exchanged (IKE) defined in RFC 2409 combines ISAKAMP and Oakley algorithm to do the job completed.
Notes: Do not be confused between the terms IPSec protocols and IPSec algorithms
IPSec protocols: AH, ESP, ISAKAMP and IKE.
Hashing algorithm: MD5, SHA-1, HMAC.
Encryption algorithm DES or 3DES
IPSec keys
There are five permanent keys are used for every IPSec peer relationship:
Two are private keys that are owned by each peer and are never shared. These keys are used to sign messages.
Two are public keys that are owned by each peer and are made available to anyone. These keys are used to verify signatures.
The fifth key is the shared secret key. Both peer members use this key for encryption and hashing functions.
This was the key created by the Diffie-Hellman algorithm. Diffie-Hellman algorithm computes peer‘s private key and remote’s key to have a number. This number is the same as Diffie-Hellman algorithm computes peer‘s public key and remote’s key. Number then be conversed to shared secrete key.
Thanks for reading,