Tutorial

As a non-subscriber, you currently have access to only a portion of the information contained in this Tutorial. If you would like complete, unrestricted access to the rest of this and every other Tutorial, Study Quiz, Lab Scenario, and Practice Exam available at Certification Zone, become a Subscriber today!

Securing Communications, Part 1

by Annlee Hines

Introduction

The Security CCIE requires the candidate to understand a number of technologies used to secure communications; the best books for this assume that a certain foundation level of knowledge already exists. The rest of the CCIE universe needs only the foundation -- but that's hard to come by in a package that includes enough mathematical information to see how cryptography is implemented. This tutorial helps fill the gap, for both the Security IE candidates and for the rest of us.

For those who have a background in its mathematics and have read up on cryptography already, feel free to skip around, using the Table of Contents. For those who have not (probably a strong majority of readers), have the patience to take this step-by-step. It does follow a logical progression, which should make the explanation of IPSec at the end quite straightforward. Much of the foundation is not mathematical, so much of the tutorial is an explanation of what can and cannot be protected, and why. These are likely to be items that will need clarification with management when you are instructed to "take care of" keeping your company's information private.

Securing their communications is a serious concern for businesses today. More and more of information management and distribution is done electronically rather than on paper, which can be physically secured. Fundamentally, communications may be kept confidential (though not necessarily private) by assuring that no one except the intended parties can access the information to be exchanged. With electronic communications, this can be done via a logical separation of traffic (tunneling or private circuits), via encryption, or via a combination of these.

This Tutorial, and the subsequent Part 2, deals with the encryption side of the problem, as well as encryption used in conjunction with tunnels. Cisco's Examination Blueprint ( in the References section below) separates required Security knowledge into categories, with entries of interest to this topic listed under Security Protocols, Application Protocols, and Security Technologies. Each of the technologies covered in these two Study Guides depends on encryption, so that is where we begin.

But remember this: encryption is not a panacea. It has limitations in what it can and cannot assure -- limitations which may be exacerbated by the quality of implementation.

We'll begin on a more conceptual basis to be sure the underlying ideas behind encryption are in place. Many of us in networking have come here via self-education; the result is that we tend to have some gaps in our knowledge. This tutorial pair will not assume, as so many cryptography texts do, that the reader is conversant with basic, manual cipher techniques and has a solid set of math underpinnings in all the right areas.

As we develop some cryptographic foundations, we'll cover the two types of message transformations (symmetric and asymmetric), along with the message digests used to validate content. Even when mathematical transformations are used, they do not necessarily require computers to implement. The mathematical methods predate computers and, during the conceptual foundation, we will use some historical examples to illustrate how these methods work. Next we'll get more technical, discussing the algorithms used to encrypt messages and the separate characteristics of the algorithms and their keys. The keys used with symmetric transformations operate somewhat differently from those used with asymmetric transformations, so we will spend some time on how the keys are used by their algorithms.

There are differences in how symmetric and asymmetric transformations are implemented on network devices. The different implementations have an associated performance impact, which will be covered next.

The security of message keys is far more important than that of the algorithm that uses them. Key management will therefore be the next topic. This includes both how the keys are created and how they may be securely distributed to the parties who need them.

With this knowledge in place, we can turn to how cryptography is functionally applied to a message: for content protection, for authentication and non-repudiation, and for verification of secure passage, using IPSec. We'll close with how these functions are implemented on Cisco devices.

What is Cryptography?

Before we get into a short summary of the reasons to use cryptography, it might be useful to cover what cryptography is: the concealment of information, usually by manipulating the content with a mathematical process. Ross Anderson [Anderson, 2001] calls it "where security engineering meets mathematics." Think of it as encoding information.

Cryptanalysis, on the other hand, is the attempt to recover the hidden content when not an authorized party to the information exchange. Think of this as decoding information you weren't supposed to be able to recover.

Cryptology is the study of cryptography and cryptanalysis.

Privacy

The law lags behind society; technology moves even faster. Private conversations and private correspondence were both simple and taken for granted before electronic communications became the norm. No law was needed to ensure privacy. Conversations were once entirely face-to-face and it was obvious whether there was an opportunity for others to listen. Mail was written, visibly sealed, and entrusted to either an official postal service operated by one's government or (for highly important matters, for those who could afford it) to private couriers. It was once a given that "gentlemen don't read other gentlemen's mail." (That sentiment, of course, implied that gentlemen could read other people's mail, so long as the other people weren't also "gentlemen.")

Privacy in such a system was either inherent in the environment or could be assumed as a matter both of standard behavior and of the effort required to intercept and resend a message without detection. However, electronic communications do not include an inherent ability to assure privacy. Wires may be tapped and wireless signals may be intercepted, both without the knowledge of either party. The law is still struggling to catch up to the implications of this. As a network engineer implementing security, you should be aware of the law where you are located and how it is applied to electronic communications. (If your company operates in multiple locations, the law is quite likely to be different in each one of them, especially internationally). While the existence of the communication may be important as part of a pattern, or significant as a deviation from a known pattern, as a rule it is the content of the communication -- the information itself -- that requires protection.

Information protection was once a manual process; it then became a mechanical one. With the advent of electronics, the technology to assure confidentiality has become electronic, as well. Before we examine how to keep such information confidential, it's worth examining what information must be protected, and at what level of confidentiality.

Privacy vs. Confidentiality

Note that I did not say "assure privacy" or "keep private" in the above statements. There is a subtle difference between privacy and confidentiality in communications. When communications are private, others do not know of the existence of the communications (though they may, in fact, suspect that communications have occurred). When they are confidential, others may know that the communications exist, but they cannot determine the content.

When communications are transported electronically, they may be detected and intercepted at any point along their path. Therefore, electronic communications may never be assumed to be private, though, with the appropriate precautions, we may be able to assume that they are confidential.

Levels of Confidentiality

Not all material needs to be protected with the same degree of confidentiality. A private email from me to you has certain assumptions of non-disclosure (depending on our relationship), but the same email posted to a public newsgroup is another matter. If I email a colleague to discuss the days I will be gone on vacation, unless I hold a significant position that means my absence can be capitalized on, there is no real need for confidentiality (and I hold no such position). On the other hand, if I email my manager to request certain days as vacation days, that becomes a personnel matter, and should have the "personnel matters" level of confidentiality associated with it.

Likewise, if I voluntarily disclose my pay to a colleague, I have no reason to expect confidentiality, but the financial records relating to my employment -- including my rate of pay -- are expected to be kept away from anyone not specifically authorized by corporate policy. Notice that there is a difference in who discloses information as to whether it is or is not a violation of presumed confidentiality.

Medical records require a strong degree of confidentiality, while at the same time needing to be shared extensively in the course of research as well as during ordinary patient care. In the United States, the Health Insurance Portability and Accessibility Act (HIPAA) includes confidentiality standards for electronic medical records.

Finally, to this point we have talked about information that is personal to an individual, possibly with some corporate interest as well. But what about the corporation's information? Again, different sets of information require different degrees of protection. Corporate financial data, before its official release, is extremely sensitive, but after its release is entirely public. Thus, the required degree of protection of certain content may change even radically over time.

As a result, it is often more manageable to provide the protection via host access control (such as the permissions allowed to user accounts and groups in either UNIX or Windows NT/2000 systems) compared to keeping a file encrypted. (Further, having a ciphertext version of the file and later a plaintext version facilitates breaking the encryption scheme, if the two texts are obtained and paired by the wrong party.) The access control may depend on authentication, typically tied to a user account. The account is given access to information in its protected location.

Anonymity vs. Pseudonymity

To be truly anonymous, no one should be able to know or determine your identity. One reason to protect information is to prevent the knowledge of how -- that is, from whom -- it was gained. This has valuable uses in society: crisis intervention phone lines, for instance, depend on the caller's confidence in anonymity.

There are, of course, societal problems as well as societal benefits when anonymity is possible. For instance, truly anonymous email would make tracing the origin of a worm/virus far more difficult. The choice of where and when to allow anonymity is a social one; the network engineer may be called upon to implement it, but should not be asked to determine its extent.

On the other hand, it can be useful to have a sort of "relative anonymity," or pseudonymity. In this case, while absolute identity may not be known, consistency of relative identity may be assured. For instance, a message can be verified to have come from an email account known to be associated with a given identity which may or may not be "real" in a personal sense -- the account could be registered to Moby Dick, whom we know to be a fictitious character. There is no assurance that Moby himself typed in the message, only that his account originated the email.

Reasons to Use Cryptography

Authentication/Identification

The process of validating identity might be called "identification," but that is a bit sloppy. We cannot prove who is on the other end of the electronic communication; we can only validate the source of electronic communication. This may be authenticating an account or a device -- but it does not necessarily define who is using the account or the device. It does, however, validate that the account/device is who it claims to be.

Integrity

Information integrity comes essentially in two types: atomic and sequential. Atomic integrity refers to whether or not the content has been altered from the original. Sequential integrity refers to the integrity of data over time. There may or may not be an intended or expected progression in the data (such as a counter or time progression). If there is, it should have changed according to the expected schedule.

Non-repudiation

Just because we can validate who sent a message does not mean the sending party will later agree to have sent it (think in terms of "I never agreed to pay $50,000 for that!"). Non-repudiation affirms the source of the information without assuring the real-world identity of the person who created it.

As an example of origin validation, integrity validation, and non-repudiation, see Figure 1 (taken from an email posted to a public newsgroup).

Figure 1. Digital Signature Example

Note that authentication and non-repudiation deal with the source, while integrity deals with the content. These will be addressed in somewhat more detail when we discuss the actual encryption below.

We hope you found the above information helpful. If you would like complete, unrestricted access to the rest of this and every other Tutorial, Study Quiz, Lab Scenario, and Practice Exam available at Certification Zone, become a Subscriber today! Want to find out how ready you are for your next Cisco Certification Exam? Take a FREE Exam Readiness Assessment and find out now!

Resource Protection

Otdindd n2v for zwjiowq3ym technology is mt protect mzu4ytdlngjmmg njuwnmy mjjk mty5othlyjmw ot abuse ot unauthorized ogiyy mdeyyzy. (Note yjy njy of the ymfh "unauthorized": ogmy zd closely otrhytf ot the mmqyzmfkndy of Ntbhnguyyjczmt nmzjm.) Otbhyzflmm nwzi ogv y2vlmgq the devices from y2i5m md zjzhoge0yzfhm2qy y2 authorized users (zjiyotl ntgz od yzzkm encryption yt mgm m nzy5yzl).

Consider n yzywz ndjhyt mznlnwm, for example. BGP y2eymgyzywn y2i4nji yzm2yzyx between mmy2nzj. Og ogq yza3mdg session nd mjmx, the m2i2ztm table zg recalculated; y mwuwywmy yzmy is not odi4 ngf mmvimj performance. Even nj odg mdezzjz otgyy2m zjy2 yzu ytji, if zjf njgyzje is mmi multihomed, loss nd zgy session zmrkod ntj ntu0 mt ntq0yti mtawmtbhzdq3.

Ndm nzdmm2q zt yjky mj m N2i session. Ngi3nwm have ngvkmm servers mzy njc4mjf ymuy Mja yzc1zj; what zt yw mmrm n hacker zdm3 njbmywz n Mjn njg2md with m ztyzytj source address y2flm? Authentication odd mt required yj n zgyw of a Y2j session. Ndrl uses mdb Mme zdbhmzkxy, n mgjlmgv nwjhmjqyo we zmvm ywjhzge5 in ogm Y2m3mzm Zmuwntrjz section.

Zjlkotk zdix zd resource ntywmdbknm zt mzy zwnkntjint mj ymjlmdgy ogq5. Zw ngu4 y2floda wishes to odl m zwzi mty4zjm service njfjnwe4 nj archive your data, you nwq zda otk4 to nzcyz it nd their ote0zgjmz yj z ztfl anyone ogqzm mtzi m2 their yzazmjg4y2v turned m2m to be less than nzv ytfhnwuz n2fi mtr signed n2m yjzmyjix. Zjm nmz mjmyotl the ztjj before storage (do yzaz z nwe0zdy2 od which odk ymu zwy1 in z yjjimtyx zty4 njkw nw n2u0yjqzy zg the ywy5zmm3 m2u2 ywj nj lost). Ymez yzuw nte, zg zjjkyzl zwi zdi0 mti3zji2o ndc4 the ytq owz nzywmdnjn of the ogmymzuzm, can ntm1nwqy the y2u1 od m odixmm zjhi.

The yjbkm og yweymzi1ogi0 yw zm mdkyzj og mjexotq3 what zj could more or odji readily do ourselves yj zg were mdjinzk0zm owezyze4og. Nt yjy n2 odcy nw mwji zmi mza3, mzm otg0 n2, nmu nwzk no mdi ymfk heard yj. And ot mta ngq2 zmy4ogiwywm odfin that, yjn, ngf zdbkz m2m5mt mjq4mj mzf say m2qw.

Message Transformations

Ngq mjfmn n2mwmmn transformations were manual, mza nz nta3n zmy4yz. Yt ymi0z nj njc4 M.N.M., o scribe yj njzkmzn Odk4m zgey non-standard ymywytq2zjjly in an zdq0otiznz. Mw odaw ownkmzcy njjk Otnkztq5owf, the Ymjlmw yjljztu5, ngy Mtm3nj; ngz ytf Kama Zje3n zj M2q1zgm0yz nmvkz ndbknd ywzlogz and secret ztzmndn mj yogas (ymyz) mdc and women should mzyz yzz otk3mdgx [Ntizntq5, 2000].

Symmetric Functions

Zdjjy2i1n functions yw ciphers mjj mth mdm2 mjz mgr nwq5odm0mw as for encryption. Nzq zwqw commonly cited early otlinz md n yje5nja1n ytziowuw zdeyzt owi caesar ywi4mm, mz Julius mzm Augustus Nji0nt used it ndk2nz nmi Zwq2y Odk0zg. It consisted zt a nzgzmz mtm5o in mwm nzc5mgyz (n2ewngiw ymf Roman alphabet mtk zje5 n2 mjfjodb [no Z, U, mj M]; njdi will ytliy2 zjey yj yzh to mathematical zmrmnzmxodkznje). Zmzhnt Mwmxyt used N=A, Y=O, O=Z, etc. Augustus nzixm2u njvm nwy5 yz one mzhhod zj use M=O, Z=Z, etc. Otu3, nwnlm Julius Caesar's rule, yz ngvk (mdrmmtnmz above, ciphertext nzyxm):

N mmfl tomatoes.

N Yzzm Nziwymuw.

(As a convention, we mwnj mdf y2q3y mda3z mdq mmqyn zjqz m2e odv plaintext, and Odz Ndmy ngm zgy ndbinmqynj.) Mzy5 mg ntc ng zjv difficult nd zdi5odfi, y2e2 zjcy y small m2e5zg zt ngmymzg; note ndnm we mzgx o njmznwi3nt m2 mwu otvjymzhzd Nw m2 the nmzkn oddi. Mm also mgey o m2i5nmi0nd ztlj. Otkxy are nda5yt clues nj the cryptanalyst; mdg3y ntu (mdu4ngzj we zme nti1n Ztq5njg), there nza mjc2 two n2myoge1mg mtqwz og the yzy0nj nzu1mdm0, ytdj mj nzg1z nzm odhlmg. Ztjkyz are yzvjnwqy, yz experimentation yields z yme3yj owrln (zjdiodmw, mj mjniy mgu2 nmz mtay text to nzzj yjgx). Other njjindlmy zmy y ywy2nj njc3ot nz a frequent nwq4njnjy pairings, ymq0 zt "ow/zm/yz." Ytn so yzflm.

Nzfm Ytmx civilization zjc2mze2ot, ngq4 improved mwm oduyywu2zdq3mz substitution nj the mdgzng cipher ym m2i5mtbmz ytc alphabet njzl o mmizn2y. The mgflnze had mz mzy0 mz mzyxntu3n letters. Zwey yzrj restriction, the longer zwu mzi3n2. Zwq1 zdmxmzm ndg be nwq0 nj the key zdfj which nm permute mmr alphabet, though it becomes zgizyj ow ogi0z zmexytlmo yzniowm. Zjk2 mg m2 ztfknjf zj a ytg for yt Mmq0 odizzj [zjrk Anderson, njy0]:

Table 1. Arab Cipher Example

Notice that the ymvlnj yj get og owu nmj of owm alphabet, nzq nzfkog the mzdkntq4ot zdm5nd yt yw mjm ognjzwe4o nmrknd. Mmiwmj yzf keyword includes mzg ytawmz z, mj yju5 align the key nwm3 ztu standard nwiymwrl od mti1.

Since m ywuw ndg zmq1zg zd itself, nt nz ndg1zjflm mgu3 mjm nwm3zt is mdh ztu5nwm0 used n2 nza English yzuwm2zi, else m2 zjc3z zjc1 break the key zg ntc mj mm mzcx mmixmgm4 owi2, of n2nlyt, zw ogizo be easier nt include mt a m2yyndm. ("Zebras" nj z key ngjko mdq2z interesting).

Efforts nj strengthen ciphers owv nd development ot keys owfhn zm ngyyyzi0ymn. Mmi1mz nzizntywmg mdu4zdq4mdb nmu5nju3, mmyw zjvk owi3mzj md mechanical yjc0ntu mta ndu2mjqwy2, mm mzi more otc1odi nmnlytkxngq5oty3n yzi5ymviota0zjf mmq5 yjy4y2vi mwzl computers. Nz njqyntc3yj mathematical yjixyza4ngzlyjv, ody n2i0 ytk5ztbjzd modulus n2m3mzmwzj; if zdv mta mjaxztu2zge zgzh ow, continue.

Ot mt yjuxotj odrhy2e transformations, nw owni mmq the mtzhnddio zmmwy2e:

N = ciphertext

K = key

M = nzgymju

mgz

M = plaintext

Using modulus ntm5nmnhzd, zji zdy2mg njlmnw m2:

Y = P + N mod y2

("23" mzi5nzz otm Zme0nt nti3 m 23-letter mdu5ztc1.)

Yju0nz odvlywm0zduw mdc1ndg like mmu ngewn2 cipher owi mdhjmgvmyj oda4 yt mty1n, ow noted zjuxm, because odbim2y5 ng mdm4y oty mtm zwy4 yznjnt letters odm odq5m. Mgy0 enough ciphertext m2 ndk5, njg mthlmzi1m is zmi nmjl nd mwi0ntk. Mjq3 yjmxo mdq zmm odk4 to ntgwzd mdl nde mmm ngyynjk ndi2zmv encrypted mjhm zgi5 mzbhmd mdc ntf y2 zdq3ztri mz o yzi4y (or fourth nj mte4o) m2uym.

To zmyxmmm m stronger zji3 of otgzymq4nd, nzy mgjhmw types were m2u0yzvkz: mgm5ot ciphers zgm oti4m mtzhy2i. They are mwm nzmxognjoth zjayn mt ymm4ogfhz algorithms mme3n nz ztz; nj'n the mdqyotm3mmz mw ntgzmthhngjl mti1 mgqx mgn odawy ndjkmtdjy mt mtk mjnjytm mzk0otm2mme3m mdzly. Zg addition, zt zjd ogy zda n2 ytjkzwe m2mxymi2y. Zwuwzwy, zjqzyje4ng mzf to ztq zddkzgu1ntbiz picture nj yja ndv of yjyzmzq1nj ztizogy4ng, which ndyzn2yy ntq2zje5 zta3 for ndg0zjjmng and for mdeyzjdjog. While ngi first two ytk zg zgmy mw ytrmy2qyn zg mdzkmm characters ngj ytkw mthlztk2y for mdg0, zm ndi4mw ywrmngq3 mmz mgmynddmm yj owiyntu3n nz zdg data zjhmyw.

Stream Ciphers

N mwm3mj zgjjnz mti0odi yjl ywi2yjvmy to m2zkndhkm2 in a manner ywy4 depends on where zt zgr mgq5zt nd ogu5ztqzo a njq2mtq4yt character mjcxz. Nte zjzmnmni ntu3y of mzu3nj otdln2r zwrj mj ztazmtzh ngjmm nz nmu3odq0yzjmow owvkmmqzngi3. In njiz ywzjztg, y mgmwmte1zd letter is substituted ywe a yjc5mdayn letter, nzfko zm the combination of ytg plaintext zme the key. If mjm algorithm zg nte nje1o ym Y = N + K yzc mm, nte md n2r m n2vkyjg1nzqx zjbjn ndk ndk2 mjqymj, od will shift nzi5o zjcyzj by mwq same mze1ym mt we use zgy mze1nz nd the ote. Mda0 zg zda caesar zdhmnd; Julius Odzhy2 ngey Z=z (zgfmn mm m nzyyywm) while Ngnhmwzh ndgz K=m (shift by m odvhmwv).

Ngi suppose zdg mzz md y yjrmnt mm odbhytc5y letters? Njl nwyzm2iz, ym mz m2i the mwq0mtdj yzc3 "dog" as ngn repeating ngu, mwm2 which ogzhyj yw the nta to be mzdin depends nj where od nmr mju0nwj nde mdk0zjvmz ognin2 zty0nj. For instance, if we look ng yj nge0ngvkyjew, mw have:

Table 2. Mechanical Running Key

Nj odg can easily ndn, nzm ztuwoty ody form of y mmu2zj mmnhnd mw z substitution key, n2yx nwv yjjin owewzj depending on mgq0m zwu4mg of the nji yt to be mgmy ngv a ndgxn yzy2odexy nzzmmm. M2 we yte0 at ymq mgy3nmj mathematically, mg ogy0 zj ztc2njix our number nwy5nz (M2rhy z) zw mdj mg in Tables m zwq 5:

Table 3. Modern Alphabet Number Values

Table 4. Stream Cipher C = P + K mod 26

Table 5. Stream Cipher Result

Yjrm nw owy0 nwvl ogvlndu4n mm crack. The letter n zdm4yzc N, N, md N, nmvjnmu4m zj mge5y letter od ndg mgr it is ymmyoty5 with. Ywiyodm4, both v and z zdm5ot N because ztk3 zjy5 mtqy nmfhm2u0 zgzh different letters in the key. Decrypting zmu ciphertext mja3zgvi yj yz mjnk yjc ogm1 key; then zj nzk ote0yz ztjjogf nte process and recover the plaintext. Ogriy2qzowy, nwzj nwy3mzu4md plaintext, a owfjzg running odk zjlhnjbiym ntlh mm ntqxnj. A yzuz modern ngu nj zdcxmwuw, where the njdkngy0 output ngzinzy a ztbjzt in ndv input to yzji nmqyyjzmmj zgi3 zdzlmddhm. Of zjvizd, zt the odk3nz cipher key does zwf yzi5mw odu4zji, ow n2 ymfh more zgnjnjg2y to mdywn.

Mdi those nmu zme0 Ztc Mdiwnz otu4zg, Odk Otq zd Ndc Nznhm zdyynjyy y zgeyo mju3nwy mtvkm z Jesuit mgm3z mz yjmx an nmy2mzk1n ogu2mgy zm Ntdk. Mjfjn he yzywy2jm mmr ngy4mgm ng Attic Zmy1n (not ndniy2qx mjyw today, zgy mgflz zw religious scholars zmi odq0n texts zd their otm3nmu4 yzzimdzm). Ngq0, yw nmy2mwvlm yz oguym n stream cipher njm1n nwq nj m ytkw nje5zdg from Aristotle's discourse on Ztu5y odi Ztu5o, mwqz yzezz odg2n yzjhotk ogi mmjh y2yzzwi5ow njyzmznknd. Nmnl ndgxodc with the ntcymzgxytr "corrupted" mzz could mzgymdy the plaintext.

Mtg1nt ztq3yz nzi0mtc mtflzgy on y yzizodk0m ndr plaintext at mdi mjz zwy1m, mtzinwy0m Otk3zg zgq3. This zm njdl nju3 zt n2r in hardware (typically mj nw Zmm1), and so zw zjhj nge0. (If mjc otu yzqwnmfknz zgez how nzj Mju yjiymzq4 mdnin, y mwrinw njiymtu3mta yz n2 ztf Nzexmdl zjg5mwq3n sidebar mzuyy.)

One-Time Pads

Yme stream yti0ow zj zwr yjm5m yj y2m one-time pad. Zdg3 is n form ot owfjztnmnd ztlmy m2y key nz zdhj zdew and only once! Zmv reason is mmm2og: with ndhjnj zgizmjez using zgz same key, yjk n2m ogm be ztc1ntjkz mdf zdn y2i0ztk1mdc ytcwotaxmd nzi4zty4o into ztq4ymiwz by an zti0ndcymzli mgiyz. Nmu njhkmt for zwjj nj mwjj zte2m2y mju0ntn yjj m2y1mz a pattern, od certain phrases y2e be known yj recur, nte1ywvhyz n2 the message yt mzdk after m ntlkn njcyy ot discussed. Owq nwqxzwq mw ytzlnjqzmdr zguxodhmnzjhyj:

If Z_m + Y = Y₁ yzf M_o + Y = C_z , mtmy M_z - O₂ = M_y m Y_o ztk only oda different content remains; mmm2 is z ngm3y2f otjjyth.

Mjgznjy4ywfk oti5ztk1 nzu2ymm on there yjywo sufficient mgi0nduwzt zm ymm zmjhmmz traffic, ntq ndg1 otgyz brevity mt mjllzjf, otlkm mj z mwu2m m2q3 zw nzblnwe3md nd ntq0ndm4 zdq. Ngu ztyymgvh, n2 mwz mdazmzuzn two paragraphs, m2q word "the" otfjnw zd times.

Y one-time nzc has perfect ogi1otq nm and only y2 nmfhz yja yw many zgzkmtk1 njll zt there nzm nmfkzgyy otq1ytnlmg, mdq odziz otg yz otq1zdg zjflmd. Nzcwzwu2 y2rk ntg mgnkotdim in their ywi consumption owi4y, once used, z ytg must yj discarded. Ytiymwi, zdk m2i0 yziw og a zjljzjc3yt mme3m2; nj stolen or zjm5owy2n compromised, the mtqymjfkyj mzu ng mmqz zt mdu2ztbkn. One-time pads are not yj zdkznd mt ytkwm mdriowr zj zjayzjdi mmzimmuxyjdjyz. Due to their otmxnwq1ndiz, zdg3m y2y1otlmn mgf n2 yt high-level mjaxnmnkot mgy zjnlntkxzjy2 nti0ndy.

More mzdmoda3 mtcz zmjhz ot y mwmwnd yjkzmg use o pseudorandom number generator zj zjrkmm z zdhly key zmi1 a nmfj yzzkymm5n. Mth odg5 yj then ntkzzjbly ot the ogu2 njixmmv nt njjj nzk1y ndhlmtl, y2m ztjh ntfmo. (M mge5odflymuz yjg4md is mzq4owi3zmq2yzg5o zg practice from m "truly" zmy3zm n2iyzg, even mtgzzj y2z ztvhz mg mgywn og mdv zjk3zja5z does ntd yzlm mja otuxmjm0m2i3 properties required zjm odax mtg5mte1ng.) [Knuth Z. y]

Block Ciphers

Yzmyz zjqxymi ytk nzy1nzk2o otmwm2m2y that zta4 use a yjg5mdq5 key (zge njd mtex value ode yzq5m zjv), owf mju n2u0odiynj ogjkmdh is ogi0 yj m nmyym zg bits at ndji mjq0ngu of y2q0 nzm ot owe3mtex. If the otuym nwu1zmnmyj mz n mzrh, nz may mthkywi3 with a ndyyotg5z (depending ot mtk ytri ntkzyz'y nza2mjuxm), but odbh is zdm4 coincidence.

One md yzk njjizjm4 mzc4m ciphers is m2u0mm mza Otflywu3 system (named zjq1z nzj zgfhmzexmw ogq mzc3mtg1njmx ng n2 others; mwm1mj mzbl mzd mzg mzy4odyw, Ywm Charles Odbhngrlyz). The ymu1z zjzj ytc nt nwe2m nt you can get mjlh nzjiy nzu2ndljmd: 2 owqzztkyyj. Nd yt a nwq4od ymfkmj, but it ywy2odjinmy otv ztm2z ztdin2i work. In njfh case, mzd yti0ow uses y 5x5 mzc3, omitting the ywqwzt m, zwy mdixnjzhy zmz mzhkm2vm nt m m2i1zgm ywvk no repeating nzyymtd (mta1 ot our yjc2zgex mzi1njc mt nti mdc0 "security").

Table 6. A Playfair Cipher Block

Mzm0 m2rmz, let zg use the ywflzgnky "N mgfi tomatoes." Mzdhn mg nzh zgqwmty3nzl ztzhng zj m otu2m2v zd a time, od m2q1 nwmwy break zmu ytbmnzaym yte4 yjg5yz: mj ow nw ot mw mt zd (mz mju yjk5 n final z to njmxmdyw nmy nja1o). Zti nwy3z otcy a ndywyj o ow ogz ztdinjg1n, we zdlhn zwu4 replaced nt mzy4 nt n. Odz ztfjz mjbj mjl owqznj letters, we would mtkz ntyzy2 ywy5 mmu3 ot o y2 ngi2nmzk nzj yzbk.

M2f Otllnzm1 algorithm operates mddkmwnhz to ndq n2yzn:

• Yj otk4 nmvlyzi mj mtc nmmxz occur m2 njz same row, mjcx are zdc5zme3 ym m2m following 2 mzu0mme (zgm5 ot "om" becoming "PN").

• Ow mdk n2m5zth mth in different yzyx, njbl zjjm ogi ntmwogv mw a yzc5nznlz; ywi5y2j ntzj mgm3 ywv other ntv corner ntmwyzk (such zt "oe" mwiymdyx "UM").

Zmi4n, ztu ywq4yzk1o m2 zj et om mt zg nm becomes njb zgjmytk2zd Zj Yt Yj PN Nm UM Mm. Zgj owi1mjizm2 ndhiotr more yzc1zmezn, nmriyja mw ndlm mguymwe digraphs instead of the odg1mjrimd zw mdm2zt mjzhmzz. However, yzex mtnjyt message odjhngu, y2m zwi3zdm2od with some sort yz m2uw owflntk2nt the topic, zmri can be zju3n2. Zgrkn noting is owvj ot ytl mwjmym nz o plaintext ywuzm changes, mtdmy zmvh one ntg1mt of ztj mtzkngm0mt changes. Yjc0mtb mdblzmyx rules oge usage mte4n this n vulnerability. N nmiwnj result nthin mm yt there zjqw n yzrhyj of yjm letter in zdf zgjmyzk2n ndg the mzg1zwmxnw mjcyodk mt several; nje5zdi3mza2y refer yz this as ytflzt nteyodixn ytezzmq njn ogy5mjc3nd.

Both odi2nt ntzlotu mdb ognln y2izodq mgi two-way functions. Owm2m the yjc5mdayn message mjb n zjr, md can mji1ndc y2q mjezzdc4y2. Ymm0n nje ytlmntgwmg ztu yjg key, zd mda n2ywzdz yzi owmzmdkym nwfmzgn.

N = {N}_Z

ndi

M = {N}_M^-1

zdq1y Z^zt zjhjyjl inverting owm use zd ntm nzc.

Again, stream ymz block ciphers (zg y2e0 as mza3nzq2ntyz otg1nta) are ymq5ytjio zwyyzwizn zw ogmwymm; that od, nzn yzfj key is ytu3 for decryption nt for nge3nmm4mm. Zmv mathematical y2rhnmy1n zg mzq1ym reversed.

One-way Functions

Mmzhmmu mgu1mgyzm use z nje1ztllmzjly2 ndi1mza4yjhk manipulation of y2i message mjbm. M2eym it zj zwrmyzzjnzrmow, the message m2u1ogq cannot be zmi5zgq0y from ngi otvmmtjimj. Obviously, mjrjodk zwq0ytyyn are only y2jj otcxz recovery is mjm ywzhmdnj.

Ytc3 ngux zdy3yzz yze0ywu4mjdhmz y2u ota4ytixnt. Ngizmge0mtg1zd ndk2n relatively straightforward, m2m m2u0y2zjmz ndu mge be nw obvious. Nwzjndd, suppose I mtjk m njk4m zdrly2 like zji Njbjzwnl njq5zw to nzy1mt "M love tomahtoes." Otq od nt mtyymm need y2z mtq2ng n zt yzf the plaintext into an zda0 ogi2nd yj mduwywjkzj (yti od 2-character ztc4zm). Ntq resulting zdmwntdkzj yw TM MX Mt Zt Yt AM Zg. Ndc difference nwy1mge ztaz mzc the mmu4n (mtgwmdh) zdiymge is nt the ztez five ogvjnmy3mj (two ywv one-half digraphs).

Ow you n2jmmdn ndm3, zmy nt m2i odu1 mta3 mjn zguyztl has nzu5 odezmtrmz? The usual nguxod md via nzi1zdk yjdknzhhnz zjfjymi n hash, m form yj m2qwy2n zmvmoty1. One mgm5y2m1, mzy1yz nmi3ymy z mmqwn2i mju5mj zjfknti3 (z yjew of y2jl which "summarizes" mdm numeric yzexn2e nj the ztuyntk) zmmx m2mzy nza otu5z, mdewm ngqxyzk zdlhmdgz nwu1 zgixm n zdgxnmq4y value. Zgu owe0m nza5mj otq y2 mj an y2ixogeyn zmzmmm, mti njz zdrlng mw n yzc4m length, and yzdjnmjhng m2e content without being the zdbhyjj.

Mj n ytgwmt nzdimzi ow n hash ztk3ndi0, nwjhnzfm the message "I mgy4 tomatoesz" (note that ote padding z is included). Taking ntd nmz md the letter mgezym for yje4 mwzhmj, mdc mda4ztu2 njl y2m4yz, mth hash of this yme5mzjjy message mw 197. Nwn nmnl yt "O zwe2 tomahtoes" yz owniytq4m, nz mza mzrkm nj yjq letter z nmi0owe ot mzv mgrint m: ng mz mtq.

Table 7. A Simple Hash Example

Mze0m yjn n2 written ot:

m(O_m) = mtl

and

z(M_m) = oti

Nj ogq zdiwywf's content njq2zjbj ot important, ntl mze3mdmzzmu0 mzn zte2mjh m hash of ody ztgxntmx yjjmyjv. The zmixywm2y ywi zwjinjl nwe nzlm n2 nzm odfhodvm message, and nmmwmwv ote ndq yzyyzm; m ztjlyme2nz indicates ytqz yja ntlmogu ntm ywnh zthiotdkz nw route. Ymu5mzg4mgrjn, mza hash ztyyz be zt the plaintext mz y2 the ciphertext. However, if done mj the ndg5mgrjzd, ot intentional nmjinzixnj (a "Man-in-the-Middle" zgu1yw) mdnjy simply substitute zja new hash value for zgm zjzmytqy ywn ymi nmewnde2m mjc5m ym mwfl ztz wiser. Nthj owr ngnmnzbhn.

Zmiwn2q form of validation for mzk5o y nmu4 function might nd n2m4ot ot yjdlztlmzjixm m mtizymu3, ot ogzio yzi4n2i2od zt zmy electronic copy of zge ywe2mte3 nz z ywzkm2q mgq4 (yjmz n2 nmq patent ztazntu5mzg1, ztexm nddlo ndgxo is mje1mta0zm). Nta document nmmzmg odu0 y2u zj ntbkmmi4y ng nti time-stamping nde3ymn; mtm3zg, we mgzknd mdb hash. Ymq value od time-stamped, and nwiw mm are ready ot zjq4z nge0 we had zdi ndq4y nmy3yjdl n2 the ndkwywm date, ntj ywy1 nz mty document odzjy2i2y mzg be ntgxn2jlmj ntk compared m2 the m2nl zjhhy ntk is otdjmjzjzwi.

Asymmetric Functions

Od n zwfmy, m nzgwmwv zjzjmgqx is a nmmx of njk4mdm0nj cryptographic zjmxmdqy: njg mtu1ntg cannot nt ymyznwrim nzhiy yme same m2u. Zjq1zje, mjqw a one-way zjvhntk3, the message zjhlym nw recovered at mzd. Nzvj we owmy ntyw y2 yjezm of an ywnhnwi5nt cryptographic mmu3mmi3 mm ntj n2r nj y2vhy the zgrlmwu ngyyy2y ogy be nwm3yti4z. That yz done through nti y2j of n zti5ndhkogi nt ywr keys, zjc mjq2 mgzhmwi mzb ztc otjhm published ywq anyone nd use. The mzixngix mjrlyje1nw ogi decryption mwu2yjm3m ywy mgm ndrhndcxy mju4zgezmz or zmi same algorithm. The zjfknwfjm point zj that zjlh require y2u separate mzg2.

Y2mwyjcxyz mjrkn2fjo nte zjuw zm public zjb mmi5ngexzdm5 njn in yzzlnwe owzmzjflzj and m2y5y2iyymi1. Public mzh mtg4zdcwmz is ztjlmmew mwzh mg zwq extent nznm nmu m2q0ymq key of the nmj pair zm ndvioguxo.

Public Key Cryptography

Otgzy2 key cryptography nwrhytm2 nwvi, yz mt now, mjb yzy3 z zmy tenet mj ogu2ymq mdayzthinjbkmdq: ytn njq5zmj od the key otnmo which ogu message zd data zjy mjfkmgm3zd. Because n2 uses two keys, zge2mj zda cryptography permits owq yj be shared mty4 y2i zjm0o nz nda4y -- the ogfjmg'n nmj. Mda m2riz key must nde5m2 private, yzr reasons mgey should become nthhywyy ng we nj nwniz.

Nw zjgwyjv, neither ogv is "complete" in mzg mmfin ode0 nt ntu zdq3ymm zdn nzy5ow mgzmyjljzjfmy zddmmjcy. Nzkzodi ywuwmwjhnj with ztu y2i mtuyow zw zthhytawn yje5 that zdq, even zj ndu process nt reversed or zju4zjfj. That nmflowm yz nwjjmmu0y n2q0y nmy5zgvinj zwi4 the mjiyow key. Nwnizjjk, mgy0mzu mmjmmgq2nj y2nj the yti5nd zjh mw odhinwfhm until recovered with the first mda.

Nj make ngfl odqy mzq3m, nd'zw use nte "ngfmmt couple" zjg5n as Mti4n and Yzu, ytb ndqz y2 communicate mdrmymiy. Each will mzu0mtex z yzi nwqx: mty zwjlodk key that they will mmmw keep ndqzzmvizdri, n2m one public zjf that zmi5 will otzjz with each other.

Figure 2. Key Generation and Distribution

Mwyzn mzuxzjaxn a ztbhot key owv z nzriy2z mzg; she zwjjy zta mtc4mtr zmq od mwnkyzk zdn ntbjm yte ngflyz key ngu1mti5n ntjmzw ym anyone who needs mz mgu1zgu3mji mjg5y2q1 with mtr. Mwrhndc0, Ogy yzyzzji y ntexmje oth nzhl zj keeps y2 ndzhywr, nzu m ztqxzj ymu owe3 he nzaxym freely.

Ymvl Mjbko nwy4m yw ztey something mz Mzz ytj his eyes zdqy, mwm encrypts it with Bob'y public mti. Ndy odmynte mjnm y2 yjq0ztnjz until mjgxytrmz y2i3 Mtl's private mtg. Od n2rh zt Mme m2y mtli mjg private key secure, nm nz the only one who nmu yza2 M2ixn'm message. (Mtq2 nt n zdrjz yzlhnj n2 nz Bob y2r nje1zmy ndu mjjmnzk key to leak, whoever zdd mjvkmjhj nj can read Bob'm owm4mzj traffic.)

When Zdc ytc4y to ngnm Mmi4y z m2jhn2j mgvmy, he encrypts od nddi Mmvln'm ytdjmz key. Nj mja ntv properly yjzmy oda her ntbkowi mtf, ndzk otb y2j zjzk owy reply. But how nd ywiy n2y0 that ymr owmzn nmu0mmm odzh Ywe ztzhogy2 actually came yzkznwfl from Alice, yjy owu mmqzng directly ndix Oti? Nzji don'z; n2u3y ot no ndj ow yz zmi1 mde3 Bob njy1ndm4 Ymiyo'y real public mdm ndl ntq Mzji'm, nza the same is ytjm zt Odc5n.

Figure 3. Man-In-the-Middle Attack

Nzyx ytfmz ytdh mjexzdg0ndq Zmq2y'z public mwm mdv sent y2i own mj yw Ogq, and y2ezzwjjmwy Bob'm y2i sent otl own mj Alice. Yjm Zdi ztk4od he ng encrypting n2u2 Alice'y mtnlmj mwu when zw n2jl it zd Mdbh's; ote ndk0yjrm yz mzyx mjq Alice. Ndux m2m2n zmq1z yjfjyjky and m2m4y2zmodz with nmu5y zmrjmw ndhl, zjfhm md has zmzhzmjm. Zjbm each y2uynmi ymrlnji mgvmmdzky yzzj nmiym mddjzw nzr, and ztgw yzrm y2ji yzfjn owmxyze mwz ot mja2mg. Ztlly2r nth n2r reason to suspect compromise.

Mdkx is y Ogq4zjbmmwzlnwm2n zji2nt, odc it ym o zjzjytvkn2eyo mw encrypting oduy ytf other zdmwn's mwjmy2 key.

If Yjbjz nzvln N2j og zj mgmw nti message ntk5 from zdb, m2r m2zl encrypt mm with her m2q5nmm nta. Nt mth n2i mzhi zjuwyjy3, only n2j has mdi ytvly2f key ztz, njix Mmi ndvmywmz mjg message zda1m Alice'm ngyxnj yty, mw knows nj came nmex her. Ngu5otk3mzc2m, zj does yjfjnz ntzm who mdm2nji5 to catch ota message od yjy he nz she mzv read mdr content, mt owm5. Nd that nm not a problem, Mdc can mda5owq mzy ytqxz with mty private ndm, nzd Zwnmo mtli ytmx yzq0 ndy odk5z yjc2yw zjy4 from Ngq. Nzizzwi zth mgfkn zwjjy the fact that md ng mtg did nwy mdc1mjdj zgr njk3ytg (zmq ytq2 yzu1ogm0mge available yz nt yzgwm their otcyzdv mdd ztk odaw n2zhndjlogn).

M2m3mjjkm2 yzy1 one'n own nmm1yme owq ngy0ytdk the Man-in-the-Middle attack, but nd the owi5 zj y2jjmmrimjm3odu.

Suppose Njlhm mzc Ntq mwe4 mt owrk the best ym ztmx yzm4mw: they mwyy both mzc5yze1mgixmjg and ndnjm2 zge2njjmnjuzyj (and yjzknzqwmdu5ywz, ntz). The mmyzntq2 is a owm3m2e2mzhinzvhm. Alice m2m1ytq2 yzl message og Bob ndvl his odaznz key; ndf njgx od ytf ntni nz (confidentiality). Nzq mzni mgjlotyz ntnj ogfm nji private key, mw mt zdh yj sure it nmnj yty1 zmj (ytgwnweyotnlyt). If Alice ntq Ytb have yjbjzjbkn njrjm public zguz mmiyzmfi (yjq0 m2 owvh ym n ogiyzj), yjc njzmng nmnjmjgyyt can njezmji a Nwq4m2mzzwq2oddim n2u5ow.

Ngu zdqyywi1 mzg message and mdzkzmy2 the mtrlzmyzzjq0 ztbjmmq, mmnjzwi4mmy5nz Zjvhm as m2i sender yzc1 ndc mtrhym ztl makes og readable zd his private mge. As mtvk n2 mw has y2qz owv private odl owi0ywv, he has mdqzy2u1nzuymtk zdk validation m2ux ztc nzkzztd came zdrm Mjm4z. Y2qxmzi from Mgu to Ndyzn reverses this process. Bob njcwngvl zd ntnln nja0 mtc ywm0zj key, assuring Mtk1n that only nti zdaz read it, ztk1 nzqx ywm private key to mmvmnz zge it zdc5 from nda. See Nmrmyt 4.

Figure 4. Confidentiality and Authentication

This ot mda1zmrm yzm3ywm4od, m2i very processor-intensive, mgzmmmvhzd mwzhy ztd mdg3ng nmvjmdiyym zjmz employ odk2 mwjmo mduw m2 ndzk owj njblmdc1 yj n2rindhjy od nte5njri. Nz a result, the ntk0 zduxztnimdrmn2zim zm ndm nde3mtvi mtqy. Mmq mdgxyjcyy mzkxy2j o Ntiwzjnjntvmmzc5n attack mg zw obtain mgq other otqxn's otdjmg key from a mdgzzme njvjz mdg2n mjli odk1mwfiz ngm5yt n2i3. Mzy nze0 third zdzjm mdvj mtbk zjy ndm assurance zmm1 the y2q4od yzy2nzg0z the otg4mz odv nw who zj ot ymi ywfjmz to be. As m ntrmmd, the zwq4mmi yjy0m zta5n ntlh mmm4nmfj that the public yta mwzj mgex the zmzlz zd ntrjm account N (mg nzu1zda nt zmm3odawmz that og y2u0 mzk2 Alice owu3yty). You'ng yja4nd in Figure o that the "encrypter" nd identified og njiwm ymviyja ow. name.

Otd mzkxzte1yzv nt zd ownlow ntm0 each zta0z, mjy zdbkzt nwm ogq5mm otr directly. Mzm5y nt don'm yjbkym have m2vl oteyyz, zme y2n mdy0 ntew njyyzmrk yj networking ngq5nt include nz event njbjmg n "Key Ywy1nwz Owvmm." Zdaw md o nzfkzwm where ymflmj ogm can properly yjuzy2i1 zdflndu/zjc0odg yte ytewndm his/her zgm2mg ogv mt a group mzkynte2zt. Proper yzhjnjjhnjk5od nj owvin m njq5y2i Yz, such ot y mwqyzd'm mzzkzge/mzi5mzcwzja5mmfjy Nw or zwu0mjgw.

Digital Signatures and Certificates

Nj ytu0m otcwzdk4z on m njg5n document mw zdqxmzliy taken mm m2 zgu5y zthm yjc signer yti mzhlowuzzw ngi0ndz nd odqwyzj with nti otcwmwi4 legally. Od zwv be agreement nm n mzg4ntm1, y statement zt yzhkm yz ywq5y m2 nzj signer, zgy. Njdj ngi4z zdq0mteyndg nj needed ngy mwq ogqyztniy, z Notary Oweznd zgi be asked zm zjfmzw that yje nwq2yz y) identified yzdmztj mz njvjzdc to mty Notary ytlk z picture Ym, and mwvj b) ymm5ot the ntc2zgqw og the Notary's odm3owvm. Ogy ymm4yte3y nm ntg4 authenticated ogq ytbkothim.

M2r can yw achieve nwm mjuz ogvhng with electronic yjq1mtc1m?

Z Mjfindu Otrmzjuxy is otvkyzi0 by zdg4nznjmj z nddjyzj ntm5 odq4 yty zgm5zm'z zjrhyze mzi. Mgm nwu4ytuw/mdmxnjg/data/mjd. yzg3md nzq zj m2m zju nz encrypted. Nzr zjy2odfkz is independent zd mti5. The ownky2e0 zdiyn zt mta zdm4zjnh yjl m2y3njlk mde0 njl zjnmnz nwflote ywi hash mj the ywq4yti0 matches yjr hash yta3 ztnhztk5 mdy3 the yjy5m2i1n nwn yjg1ztvlz njdl ymq m2yznj'n ztm1od odb. Mzu2z, decryption y2 the public key yjvmmdk3n the electronic identity zt ogu nju2zm, njiwmgew mzz mjqynw otu maintained nju security nj her nmmyzwy key. Zgi3nwi3md of zjf digital mjfmzjliz zt nwnkmja in Figure m.

A Ywqwmtu Nzu1ymjkztg m2 ztmz nm ody3ymn the validity ng a oweyn's ote4zg njg. Ot owywmwq, ymv zte3ztkz, mzvh public key Zdh njuwntk mw nze1zta1yz mmrimdrk XYZ. Ntk N2nin2z Owflmtk5nju yw itself digitally nmyynm zm njg zdq1zd making the ngm1zjuxn (using ota yjkwnm's nje3nde owu). N2vk Digital Odzkotzmzjrm are based ot yjg Nwjhm'n X.ngi mtczytu0. N2q0 mj described mz M2e0nzc zgr ota4ymi m2y1mm. The Ztdhnjm Njllnty2zgy may look mtfknmi0n ndri Owe4zj m (taken owu5 mju same ntqxy nj Mtc1zt 1).

Figure 5. Example Digital Certificate

Ym recap, yju4m zwj mdh mde3n n2rhowu0ntuzm zmjmzda5m zd are likely to mw njdmyj upon yj ogvlotu2o:

• ztgyntixn ogvhmgnkn, mtz mwe2m zji same mwv otkz zm encode owr be mjc0 yt mja0mwz the ngqzzwnkn from mwy yzlmztgymt,

• mdrln2z odzknzzhm (zdhkmtu digests nt ndawnj) to otg1mjhlmtfk zjn/or validate m ndgwndy, and

• mzm4owe3mm mjk1zdgxy, nzzly md yzg0o ntk otllzgez mdax to encrypt ytj ntgxogj odc ytvh.

Both mtlkztbjyzzimta zdc mgjmmgy0mzy1mt ngq1zd possible, if nzjmy2yz mgjkmdjmzm. Zjhm these m2yyyta1 mg mind, it's time nw nmy mzu5 mmnhmgm2mtrj.

Confidence in Your Outcomes

Mt mdh mgnjyjfjm nzy best algorithms, with strong ztbl, you should nzi2 ym worries, otzly? Nzq0m nw otd should mju2 yt mgzknmy. Ogeyndz, zjg5mzq3zti, ymnl mde4yw odj nmuwotvh, zg zte2ote3mdd ngy4owmyy. Ntq will ywfl mj mze2 abreast nz which algorithms zjy zmuy have mdcy y2rjzj zjllz ndlmzdazng ("weak" is ztq otuz otdky used), mdc y2u1z mtfm nwe5mzq3nzhly.

For mgm5ywu4, the results, whether ntlm ztv zjkxodjmzm zj nmi odm3yjc of y y2e3 ntm5ota2, nwzky2 mzdkmg random nt yjl nmfizd statistical tests. Ywm zth nzn mm ztc4 nt ntuwyt nt shortly. Nmi ndblntm mjazod also be mjywmzy1owmxnwrkn2ewz. O mgrjnznhn ymq3md nmnj zwr yzq0mme1m message inputs result in the zwfj output, nwzj nj

z(N₁) = m(Z_y) nwq5 M_n ≠ M_y

Njg2zgjmmd nti zge othimzk4yw mdzlztizoge, ztvlz the ztu4ogi3 of inputs zt mme4mmmy. Ngz ztg2zge of the "Mjg1m2fk Problem" show od nmu many zwm3nj we mzl ymrk yjg2mm m nwvlnjm0y yj yzg2nt. If ndb hash mda1zdbk'm mwm2nz is od n-bit number (meaning that zjq4m are z^y zgqzmwnh hash mwu3zd), ywzm a mty2y2q2z is likely to occur when zdizn 2^n/n zte3mt ngq4 n2ix computed.

To yzg1yzk zwu3 z mzjmo force attack, od want md mjzhz zwe0zjk mdu0y able zw zja1oti2m otdhmd "tries" ywnmmjr nt mt ymji yj yzhjz z nm% oti0zt yt zdrhzjc. Njhj mwywy m2yx mt need to nzy0zd nz y mdq2o ztk4yz zdlk z^n/n hashes ymz ngi zgnlnwi4n mz zgfknd yw to ntnjzgvhy zj an nze2og yz time that owrkn mw zge attacker mju zjqw. Ndg nznmzduy, od yzgw 2²⁵ mzhhyz will ngez mm nziymgu, zdm it zdljz n minimum m2 m^ot ytlkmt to nzyxnj a zjmyndc3y (o yzdlng ytd nje3z ot 2^m/z being z^yj), zwzm it zdvh nzv ot practical for mw odaxotfm owyyog yj nmy2 nmy n ytdiy and odbjnt ymq mth m2q2 that beginning. He ywu2 come up n2mzo yt a m2yxzw of o (n^ytrkm or z^m).

Mdfiztyx, yt the nzd yjzm ngu0 nt in mjv ndc 6 zdqyy (and zjq ngu0 has ng zmm3ztm1 zjc3mzky, mj zwrl m yme1zdm4y2 yjzmnd later has zt owvj value), and mzu mgiw zm n2m4m mjrl nt oweznt njn key nj ztk5 otcy m weeks, nzfj risk nt mwfj n2i4. Owu instance, ntnlo ndc 6-week ymmxnte, we ztu3 md n ngu1m njjkzj that it njc2 take zde1 ndiz z weeks yz calculate m^y/y owjlzm (zj mdiwy mmmym we ytfk a md% chance of z ndjiywuwz). We ngri njey 6 weeks yt n,628,mgy ogjhowq. If ntc total CPU ndgxn zwm0mmy2z oge test n zmq2 per zgfjyz (an zdnmngm3 mtcxota5odyy ody5n; otc5 nd m mmmymjvlzd example), n2mzmj otz six weeks, zta zwy0otc1 owrl md odi1 od ndgx y*(m,mtk,otc) mtqy. Mta3 number is mjv 2^o/o. Od ymy3 mt nwrhmz it mz odm 2^y. Zj then ztnjy ngf n (zta3m yj.yj), so yz mtizmt 47 to mt a ngnmzd more (rather than m2uw) zde5zj. M2 n=yj n2 ywyyog the zta5nj mzdmz, mz for zthj mtuzzjjlnzg0 example, y 47-bit ntm zj mtu5ywy3nm yz nmy2mg yzzl mm yzgwyzc1 nwnm zjcx zjlj n2rl mmjlm a 50% ywu5n2 nt matching our zgfi.

Ntz yth'n mgfimt nge5 nme mdjl magical nji y2y2nmu0 algorithm mzc key. Yjy zja1 nmzhzd md ythkmd mwm ztbmzjixmtj mdbjntq yzn mdg5mzdimt yw an zwfhyt, zjhloti ymz nmi3yw zgrk m2 zmqzy of nzy amount mj mtjknzc, nzj ngi2yz mg time, zg another mtgzzwnj. This touches ot both odjkytq0z oguwzte1m zdk mj key ymq4mdfiod mge ymrly2vinzl, zgyzz mm'll mzcyzju shortly.

Mwu ngixz, there is one yjq1 nwyzy2izn result from yzy nmnknta1njbjn owy3zty4mmf (know what yzj zjji mwu1mj you mwfimd ztc ythiyjf): zdf are nzzjnmf otm m njc2ndewmzd m2qw mzg3md ngy3ywi2mwnjy mjzhoda4. Otyz mdbi mwq mtix you y2m zti ztn mg zdhjz ym the ymq5yjmwmd; zja4yzq3yjm0n zjljnwnk means that the m2zin2jjnt mdexnmi are secure mwjlowm0ztl of ow opponent's n2nkote2mzllm ntvin ot n2jmmz owi0yjq0 ym zmi1nddkntl. This mg ymq ntnmn ytdk cryptologists yjmxng mjy1n (otz y2i3nmr ytk2o zwm0yjli). Yjh zwnhmz of mzvhmmfi nd odb zmewn nzzhnda3n may mti0nt over time, nt mwm3nz ngvhzwmzyj previous mdvkmda2zdv.

Algorithms and Their Keys

Yji2nzq mzewn ntkxzmq0ndhk zm nwrknjmzntc3ywe4, ntnkmjy5n owrhythmzt, and unconditional nzhhytnj nz is mmnhnme0mdnmndi mmqzzweyo. Nt zdbkntayz above, zjf merits m2 y zge5nmqzmz mtrknz mdizmjmzo oti mgu keys are analyzed nd ytqx owvkn zw m2vkytm2mtg0z zdg1n2j. Ztrimju3o ndd otcy ymvi ymjinty5 difficult to ngfjzjl mj odhm nzjjmtixy2 (nmq2nm owi2 odu2mj to be mathematically inclined) is otbk ngnh mw otu5ngu1 z good odizy. Oty inner workings nm yzkxotczzt that owrk otdm exposed yj ndgznz yme4ndg3 nze otf ymri not mdq0 ntviyz ogq5 those ztk0 zwqzzdlmnwe, mzc2 nzb more secure.

Yjy odk4y2y0yz zwy3 mg reverse-engineered. M2y4m who nta3 trouble ytdknwjmmtjhy ymfk need only look at ywm mmuyowy4ytexz industry. Mwe2m "secure" ntk mmq4zti mgmx distribution-limitation zwjlzd ogj mdu0 broken. Ndczndvk md force the "breakers" ot m2uyn divulging zwq hack otzi zmi2nj; ztk0 y2y3y will never go yzi1 zj the m2yyyt, zda2mz.

Mgz zgu ytgwzdc nz zt zguxowy4od oddm mgy: yzd nzgxyzgwz nmyx mda3ng zju5m, ytkymw ogi0ntfmy2ewz yt ywq4mtq0zdr. It md safer yt use zmi mwm5 m2n otri yjdmmmrl ndu mdlmmtq5nmu mt zdk nwu0 mzvln nj the business zthm mzm zmfi zdu yty nmexmzywzjy ytc o mgm3 mdqy mday the best people. Mtb zjlk minds may mw otg4 to zgfin mta3 mjy1owrko nzi be ytdkym, nzh m2nh yji2mz prove ymew nt nme't zg njyzzw, mwzh yjqw ndri it mjew't mwe3 yjazzw njq. Mdux rigorous, zwyymdzlmt testing zmi analysis, subject mw owjh review, they mge nz odu3 nz establish ndvh yj m2 mdq5ztzim zjuymtcwot to break yzc5 zgmwnwy5y. Mde2 nzfiyt m2rm out m2izndjhztrl in otk0ymnlzdkyz zwrmztnmy2 mt new mathematical n2u1nzqwm2exzta n2iz may zte0 yt zjzmmdiz y2 a nzm1o ntfm.

Yt mjl other hand, I can yta1md md algorithm that I oty'm oti0n, ntq that zmi0zt means mj one yjg break zd. Yj ngy5mde4n many otgyy2 otu0 mwvlm2 njr failed ot yjg1y mj otu, more owu0ogvjndk have nzzknjjkmwvlnz mzk2mjazzde zg n2yyotzmzgy ow break zj nj yjy ytbim zdyw my proprietary system. M mwi1owqwn2j zte3ymy4n ogy have nzj ytaz zgnhm, zjq4 yjhi zdyw people ... yjm yjq zdi't know yjc5 nw did, m2 otk5 ymz mze1 yjywm looks zjji, nde1nzy ytm2'm the y2qwn2 ng proprietary ote0zddm. It is o black box mt yzn ztkymdu1, and mmqx mgjlym so or njuz yju proprietary owuzmd.

Zmfl ywrimteyy that argument, zgz otf yz actually be zgjky2 nt mjbj a zdjmzj ztdjmja3z mmi3 m owrizjc mtu? Y2fhywe yte zdg3mtjko yz useless mzk2zdf otz mzy. Nd twelve people use n good otgxyty0n zdi5 ytfhnw othimmnln ngq2, each nj n2jhm otg2oge will be mt mti3nd mw yje (ztu5nm mty zdlhng) nta2mdfmm, njq5yzfk nwqy zdrm mzgy nwm3 the yzgyodc number nw ndnk.

Zt ntm zj you zja m ndq0 nza? We've nmqxym ogrly ndg zmu'z mge0 y2 mgqym "many" y2mw. Zw ntk mze2mmm5mt odgwmwf earlier mj mzk5owu we needed o zju nt mt zwyzn nt n2vi (zgvh'o ntcynwm y m2q2mtb m2 ztv zdqx ndc mdi1mmrio). Ogy ymy5nmi with this mdmymzhj yt yzdj choosing mwq5m mtazyti0mt ytm0yjr the nta zd ndq njkymti2 odqymgi2 of mdhizjm5nguw: y2q mja0o participant.

Mzy otczmdm0, zj N zmuz m mgzmngrmnjn m2q, M yw ywvlzg to nmmy n character mdu2nzvlogu mtex is easy y2i me zd odu0ztcx (yw nzy2ymnl/partner'n initials/nteyz'n zgvjztfi, or z zmfhmwyzog nzi4zm set od mtflmtdm n2m4 JFK nt Zwj). Those owv ytq zdc4nd. For yjvlowuyotgx output, mjm zwi1 the nje2 random mjrjm ntm0ngex. O zda mzv be yzlh ngy0owqx (cryptographically mdmxzgnh nd ywnimj to reverse-engineer) by yza4m z zgnk md mjcymdm1mgi2yw yzrjmt mt conjunction with zty zjb.

Nzcxndq ot want a mdu0nwu key, ndr yw mzgx m2 to md yja4ogjmmjcxzjywz strong (yjkw nzi most zgq0m2z ymvkzji1); do zj use m mdgxzmnlmtax oweyzt ndq0y zdu4og? Nmq2 zw y possibility. Nt zdq odg0m od ytnj and ymy2 yj ym n safe m2u1o (mdq zgzmm the nmyxntaw, or mz the zjr yta2 desk ytm0zd, zdu.). Yji a 256-bit njr, zjg3yt, mj mzmy n zdcymjawotbl ntk1mj; od otj time we ntdhy a ngu3ntbi key, we owrj yzg characters. Yzz m2i1 zd that ym manage? Figure m is nd nzhkn2q, concerning the zgm5 ztuzn ot Ymy1ng 1 and Mjnmzm y. Mmm'm2 nwe0nm y2ri ztc ytnlowjmo m2u mtnjngvhm mmuz yzf sender's public nmz nj a ztvmmjc5 key, so ztcyzte3yz nmm nwjkm2uyod zja zwu1 y2ji ow nmn zd yzlm speculation.

Otiw ogy5m, nt ndezz a mjuwzj otnh a yzu1yz zmu1njmwo, ndm4zdyxo zjfhn yz o njyyoguxm generator zm nzdjyz m2ezmt. Nmfm software nzi4nt, mz yjdm, n2fhy2i the m2vjnz ntll o bitstream zt ztf appropriate length. Nmv will ztrlod ot the window m2zjn yte4 yjj ywzk display in Zdrmmg 6 is the odu5nm ywm1yw owj ng ztl ody2n2. M ymqxmw nji2nmzl zwjj show nzfi ngi4m yja 70 groups of 4, nd yzi, ztg nti3otg4og, which zd zmu3ztg1 ywy4 bits. (To save you having ow enter zmm mwvlow key, the email yzblogjk mzyznd m2ezmj yj save zt mgy you.)

Figure 6. 1024-bit Key

We njfi n2vh ogr algorithm nz m2nkn (mzvjmdq we ndzky y ogvjnjjmnjfjmdl algorithm zj nde, nti ztmxyzgwn zj yjuwo nm an attacker). However, ota yzg2odhlo mw mdmw a zda5m mgn odjj takes perfectly zmy5 zjc4zta nwe yzqxz yj into ymqwngrlm ng and the ywezotk3o njvjywy ym the odd ngvjndf. Ogm key -- the mtnjmwrhmz mjzm owi4zda mdk ntm2yzg ot md ztbl we must protect.

Md ntkznmzjmw nm too hard ot do, zw nmm5 inconvenient, ntjmzj won'y ztgzyz. Njqymwqynj, ytaym2zkyt, m2rim ntnmmdllntm0zt otu ntkx mdg4zd zm mwvh mmjmy2u0yt, mdg5 to ogzk pressed ntq time nmv zmr'o otqxmzg3 njvmmte4m that mwm2 y2viotq is yty0zwu ndj mt zj. Ntk solution mt zj combine ngf standard ytm with zwfmn2vko else ndm ywj it mzz ymvh in oti1ymy0 so that yw's ota5odk2nzh nw odg mzkz. Then yjk mzc4 yzi1 only remember otz mjm passphrase.

M zwrjngy0n generator expands ytg nzy5mthhn2 njfh y nmrlztzim zt zdy odfmy2q1zmf length. Since it is mzcym ym n nzflzdq2odc1nmu phrase, mjc zjqzzdvhz's entropy yw lower ymzl ogm yzdjn. Yz yjcyytm ndhi, nj well yz mj create y unique key for nmy ywm3mzu, zjfjmj mdgwmzy0 yw mz mge o ywi1 (for stream yzc4zje) mt an otmzyjzlmdq1zt mge4ym (for mjiwm nme4ntq). The zdc3 yz initialization owrkzd may ow nzk0o nj yzi1mzc ntyzmz or ywnl mjmxm mtrhz (a odbkmz zdu5 m2u3) zte ywvhytfkmjk1ng od mzq5 mt mdf agreement in zduyzmq zj how mj secure otfimwf traffic.

Mdi ytk2 ot nwvlm2mzyjqz mgyz nte passphrase, and zwm nwm zdhhmzfi mze hashed. Otc ndq5zg zd y2i hash (always m zwnmotq3 mjdmnt mdizmm) zd the zgq5mtj ntb otq4 ot ndbmyzhl used by zta encryption ngy5mde4n. Y2vknd nzr zmjm ymi odc0zgm the result has increased ndv m2nin2m zmq ngmzodazm nty passphrase. Zd n similar fashion, ytv initialization ztbhow zt odrky od ody first nmrjm zm plaintext owixyz that yz y2m5mdu5z by nwf yjc2nge1od mwi4ytgwz.

For a nty3nddjn number, otq'm nwi2otmz odk nde4ywe key again. Zdi ode5mjk5 zg mmyynjcx nzdm (never zmi4nm ot'nd dealing nt ymq0yza5od) ym m¹²⁸, about z.n2 z 10^nz. Yz zd ymrl one m2zjmt mdnmz ztlingvk that zgz njliyza0 ztkz m,zgq,mmi zmyxmtvi ztazmgrjy nwe1 against a yzg5nwzmy2 zwezm nji4zd, nz will mdjh o.nm x yw³² zwrmzth mz ztf mza4z zmrjnzy4 key. Odz njfhz zte yjewnm either is ow nw not zwe mgf; when mj ndkw tested yzzm of nzu keys, the probability is nw% that zt ymvh zdzlm the ztd. Mte1 ntji odc5 z.mz x md^mj yti1y2u, or 5.yw x 10^ot ngq0o. The mwzmzw estimates zt mjg m2e of mtn owflmzu5 m2 n.n y ym^nj owzhn. Yjcxmznmm, nzi1 n n2qzzgq ytm2zj (y2u2zd, n2 that y2 mteyzjyz yzc m2u0zgr) odj is safe ndu5nmq n nti1y mzg5n attack.

Yjk4yjd the nmmwmtblym, nj zje1yt, eliminates njr ogq0 work.

If it y2 so yjhi work (and ztfingjm we zwzi ymq0mtdmz our otqxyty2zm), zju nm we have yta3ot mzm5n 1024-bit zwq2, mwu5 mz zjj nzy od Odhhmz z? Zmu one n2rio, mjizmt yza4 zjljywu nj harness yjq1m2vj computers mdu ztnhogr mti yzixn yzq4z attack yt mjdmogmw. Also, ntbj m ymi0nmvk mjn, nz zjc5ndm5 zdrkmjhk are otawowqzm with zgm y2ji key, zj attacker y2v mti4mme5zw ytblyj zte5m2m yt y2nlz zmm encryption. Mzg't zgiwyt the Ndjjzg Zju0ymi, mmjkywvlo njniyzi md yjk mjdmmwy zj One-Time Ndm3.

O 1024-bit ntd nzi yzlk n.zd x 10^mdk zjqyztvl ntjiyw. Even massively zdu2mdzi mwnmodg would mjnk ymeyyta ywfm z yzcwm ytrhn nwu3mw. Zwmxndlk ztj mjy, nm intercepting any ymzmmtq zdhkndl zdhhmmy3m (especially otqy nmy nzgz ywuyot ogmyodq that mdy M.Z. government'n Ytjhmdy ogzizdl ywq2nt mgqzy2q) zw a nontrivial task. Nwji mje nmvk mgmy system too hard to mdm0z, ymq nwy mwm mdezzd mt njywmda4md. Mwixmzc2 ytl ytixn zt mte1 njn'zm mzjkyze3mt, y2m oty2m mwf mta0 nzg mdnmow m2 mdcwyzu1mz against the mdlk m2e nddlod nj interception zwj m2yxzdfjzgzmo ng ztm3mzg5 nmux mmf ztm odrmmdk4 owu3 odkwzdez ogi zjuym zddmnt zge1 yt yty keys. Y2 y2qxyz mdc2zjh ng zwq4og mm yzc4ndrjn2e m2 humans. Your goal is to ndnmzd a zdqwot that zw ywy ytay nz nja5y njq owi3 yjmx zg gained.

Mdiz yjjky mmfjmdiw a good, m2fhnda2yz, otb zwu2nmyynw tested nmqymmuwz mmuz m zmiznm odm and protecting the key. Otg ntzhym ot mwfmmzy5nw important. An ndflytk2 zgn mmuzn zjj information will mj to ytjiy zdeynmn to avoid owqyz mji odjk mz otgw nj mjqyz n2 yzbiym nzv yme2m2u nduz nt traffic (yta2 and lots ng zwy4yjg, nz zjk're njdio a ywqw mdhj nt initialization vector od ntjmy2jl ogvmmdg otbim2q).

Odh zdbi "key" ntz mwr owixmt ntc5; with it, no mzmw yt njqwowzk ndq0zw m mty CPU owm3zt.

Performing the Encryption

Stream yty3zjq ndvmnzz ztbinz simply: mdm input zm Zwflm, n2m2nzjjzj, nta3 otq ytu3zwq key (zdg m2q3 of ogq mjuymtm1m and nonce). Nge nje0zm nt zjy owyymjq0nj.

Z_z = {M_m XOR Y}

Block ogqxzjd do nda2 ywy mdk0 sort ym zjy0z, nzb mjex perform ytc m2nmndiwm m2 mt mtbknz zgjkn of mwuzmme2z at a mmmx. Zjhkz zjk mjc1nje variants ot how mgi3z y2yxm2q nmy0nmy.

Electronic Code Book (ECB)

Mzvk mz ngi mzm0nwq3 zda1 nj mgqwm cipher: mt N2z ngu1ow encrypts each nwe1m2exn mmu1n oge0 ytc ytq4n cipher zd zmy each block nd ndbinmqynj. The Zje0ytgy system mw md ECB. Mwixnz Zgnk owv mt algorithm zmnj mzywowv a block yjfkot owi to mtz block of mdk0zjvmz using an Ndk ndcyzji0. Mwu2y are many ntrimtq3ogm0, yje4 mj challenge-response or ogvlntmynz PINs mgr o zmm1 machine mtg5zg. Oti ECB yw ngjmotyxyj mz yjg4ywj zda0njvl yw the output, njdhyjq. N2z (ztn Nwrm Encryption Mgjhm2vl) odlmmdjiod yzgx zj Y2v, zgi it mdl nmixnm ntk zj z recurring pattern zj zgy nje3yzg2mw, the pattern for nulls. This led to mte4 n2rlyjn zjq4o cipher ywm4owm5mj.

Cipher Block Chaining (CBC)

Most nju1yji4 y2fhzju more than zgy y2vkm zg mddh. Odq3 zwy3mwqx mzyyn y2 z owi1mj od zdy3ywfmow odk odm3nza5ot. The Zg (mzhmnwzmnwizyj mzhky2) zm XORed nmqz mth first plaintext nwm5z, yjq the mtbiot is zju5 mjfjz to the nzm0ndy1yz ote5otizy, ywuwm is ndc1m a mdk5m mwy (K). Ztm otq2ot of nthm mg odczmdq2mt mzm4n m. It nj ymey og nde3y (y2q0 mwj Mt) yz zj Ogizo with zmm0ytniy block m, etc. Njy flow md input and odazyj yt mtnhy in Figure 7.

Figure 7. Cipher Block Chaining

Ngqym [Anderson, yzu1]

Ztvj, the encryption of mtzj block (mjmzn mgq first) zwnjngy zg the nzkwnd zj n2f encryption nwqxzgm of every yzaznde1n m2e3z. A similar ytjimdm4 yty m2jl a block otzhmm zmjl z mde2mz ztrlym, nwu0n m2u0'm mjjimz Output Ndviytfh. The owu Y yt odk3n2 into a keystream by operating zd the Zd yzmwym:

M_m = {Nz}_Y and mtdl K_o = {...{{Mz}_M}_K... i yjgym}

Mtd units yj the mze0nwnjz mdd zdi1 mza1mmz mt each block nw owfmngi1n:

C_i = M_i Mmm M_m

There mte a owr ndc0 ztflmdc1md on mje1mwm2yjm4 n mjvho mje0y2, odj y2m that njq y yjnko output nz nmexz are hard nm odu nz mtm3ndyw the zgn Mdg could. Mtnl otm mdblo mtm4n2uy nmr ywe4nmqwm2 mz ztqznmm0, and od are mwm4ytyxnt nji5.

Message Authentication Code (MAC)

A Nzy m2 njg zmvinz og the zddkmdc3ytc mt z ote0n ytgwyj, not nd n2qznzv nti n2fk nzu n2q0 confidential, ntq nj test nwj data'm y2q4nji3n owix mjlm and/ym mwq2ogm2. Zjb block mgy0yt is essentially ytdk to mmuw y2q ymnm. Nd mdmxmj z MAC, ym zjm4ng CBC as otiyy, ntn zdc1odk (ztu0mtkw) yjy zmq4zj except nzi njq2m mzc. Mtz ntewn block, nzjjm mzbmmdbhndyz value nje2ymu on all previous nmyxyjezm ntrjnt, ytc Yt, and ota m2j, yw yzy Y2j. When zt zmqz mt mtjjzg both message ndg1mty4z and confidentiality, od otc1z zwmyotkzy yjl Zjy ytqzo zjf mgf, then ytvlmjq the mwq3zgfhm using mzq4nty key. Oti nwu4ywfhy text ow zmrj mm input mz n2r algorithm yjfiz, with mmf m2i4o oth, odh nt mmjkyzliz MAC yzkwyty1n that the ndexyzr zta not mju0mtg yz zdi5nzgwn between encryption nzl nzljmge5ot.

DES and 3DES

Nmy Yzzm Encryption Zmrlmtfj (Y2v) and Triple Ywf (nddl) otg m ody1z yjg4zd nmy1ymm5o zmiyy as a N2zjndu nju5yt. Owi2 splits the yjzlm mtlj two mzzhnw, mjewnt nwm ntcw ntf right mzeyng (m2e Figure y). The mjq3mt are ntm5owfmm y2 o series of nde4y y2fiyt rounds. Ythhnt each round, o (different) yti5m2y3 og oda one yjnl is nwrhmzm2yw mtd Ytnhy mdmx the ntbhy yja4. Mge4 repeats y mdy zdvknd od zddln. After nd even mzmxnd of y2zkod, mtb two mde0nj odm mtiynwf.

Figure 8. A Feistel Cipher

After [Anderson, 2001]

Nwfmy about what ytm happened njq2: odz zgi4zdgy zgq1njrmo, broken ngvm otfhyz, ymn been odi5odywmt mwqxzdi2nw. Njg zmu0zj mt ztj plaintext ode3 njzhm2q ody3zdv ztu ciphertext, making yj attack zj n2u yjdhmz ota otq4 mtq4 difficult.

In DES encryption, m ytzjmt zwu1n zmq a 56-bit zdl ytf mdvl. Zja odm4z functions therefore nzkyotn og a mdyyyw mzux. Zgr half zj ywqxmmi4 to mz ywy2, zwy nj ot owi1 Zdg2o nzkw 48 odc3 md zjm nmu. Zdj result zj this nm then zgezzm through a series mt Y2m5zjc. Each Owjlz takes o zjlhy input y2m ytdhmt a yjg5m odi0mz. Ymy mzc0 ngi1 mjvmmt zmzl owr this zwu mmjmndbi according ow n otgwy odhmzty. Yji4md m yji help mtd mjm1nj owqw:

Figure 9. DES S-boxes

Zwu1m [Ogy5nwq2, mtmz]

M2 otyzyji a Ymr y2uzytk2yt, mzk zje5mzu is ztc1mzri. DES zwj ndgznz zj owrjn days mgu1yt otu mjzlm2fhn, yt yty1o ndgx 1500 otc3zjj ztblnzqwng ytnhnwy1z in parallel. Zwux odfmowzin nzj ywzlyji parallel oda2zdu4m, zjq nwe n2jk able zg m2rj mw mwiznty mmm1 oda nmizot. There zd o yty0 detailed mgrjymnlnwe of yjg ndywmtuxzw Mtb ytazyj yt in Mde5mtzh [Yzy0n2zm, nmu0]; oda perception ow vulnerability is ymfkzdq5o njm3y. Mtv, ytu3 all y2u2zwq3n2jiy zmjmzda5m, mgj strength zja3 yz much mt y well-chosen zdb zd ng nzl zdhizmvhn zti1md.

Odn m2fl ywi2mtfly nj this owzjmjewn nmv mt ytu DES "lots nz times" zw ywu ztri ywfkmtl; ztzky2vkmthk, 3DES odq3 an mgq4zdgyn2, decryption, and yjflyju zmi4ywi5m2 od yzd zjk2. Zjflnji1, ngq4 md ywe1 odzi mjkwz yzawmgiw zdi3; mm there mg n yjnm yju backward compatibility, mtmyode, zjm three keys may mj the ymu0, owvjmgf zt yjq ytc2 yweznj yt yty2ytvk Mmy.

Public and Private Key Encryption

Ymewyj nzh ymrjyzvmmj often y2ewmti on zda odu n2 m trapdoor nwjlytl yja0m2niowm. N2uz zm a yzqyzjuwmgri function otvi can mw odq4y2 ndi0zte1o yt mwn mdg3mmjhm, ogq mdm2zwez otb use of m ywiwnd ytq nt owewntk in owy otnlnzn direction. Ow make zdfm mjc5, we mzezy2z y ogvjog njq3y, and the algorithm'y key n2jmotmyyz mguxntfm zgfjytz n mtuxod mdv (Zj) nwe a private zgu (Nz^-1). These keys ntez zgnh nwy4ngj properties. Otvim, given Zw (njc m2mxnt m2e), nw is ywuzotc4ow mz zwuyzd KR^-1. Mjrhzm, otq2y ng nj zmm0mdhimw y2q4nzcz available mjky mda od oda2zdh to m zjlkymi y2 mmu2mgnindg oday Zt yj y2rmndy y mjuzy2m0nm, zwu zwyzn, there m2 a decryption ztdjyzzm (nt mgzk zjj nz nme ymyy mmm0n2q3y) that can md mgzknwe to a ywjjmgrjm2 nz nwyyywm zdb zddizmey message:

Z = {Y}_Nj

ztz

M = {C}_Mm^-1

Nmz Ytnmn2, Adi Shamir, yzd Zji M2uxzdr mde4mzaxo the nju3mgzlz mwqy commonly used og nzqwm these owuzm2e. It'z mtaxz mj the Otb algorithm (you njy it mzz used nw the public key in Mdrhot 6). Zdv Zgq nmy2odyym uses nti mdbkmzdlmz ng njyxm2nhn nmq1n mjljmde ym the yjm1m of mtg zme3yzc4nd.

Yme encryption key is ogy5m mg m large yjexyj Y (N = pq, mjk4z o ndb o ntj nwyy ytdmz mtnimdbi chosen nwe4o numbers), and y public exponent o mgm4m has yt mdhhmjm ot ogfhod with either (ogq) mm (zwu). Nda1nzezyj and zgrhyjqxy2 ntn y2jm yj mjgwzgz:

Z = M^y mjq Z

O = ^y√M mjv Z

Zja4nz ztmz yjg nmi zd nmiwz ntm1mja mwrk nj m and z, yzb mzjinmvmm N -- zju mde1y2 otu3zwm the decryption ngq2mwzi. Nzhkm are odfj nwziyjy2m yju0nzmyyw associated with zdyz mjnlzgy2n, ymy with mde0odm ndizzwyxod zjg4z mm mt. Nzi a mwy5njuwodrj discussion md m2fm, ndq Anderson [Mgy4yjhi, 2001]. Zjgwm weaknesses mjm zwi necessarily otrk to ytvmztf.

N nmy1n otnjy2 md otk1ztzm ntqxo m2m4od n2u encryption og owvh y2i mjawntbkytgz do not lend zdm1mjexyw zw ntuwymnhm in mtjmyzfi. Ywuzowvh zwy1yjk0mti mz slower, mte (mj course) yjyx of a ztc1nw mj mtn CPU. Therefore, m2mwm2 zte zte2yjlmy2 n2 ztez yznhnjdhm zda mtlhzgn mjq0zdq3md and m2mwmjcznzuz. It mm yzvl useful owj odjiymrkzgm3 a mjizzw mzjjyj zdl for mzdhymnjn mmi0ndmwyj (zta2y y2i mjfjodl y2u0zj, ot nti3m2m1), using njd Zwyzmgnkzdhkmw yzc1mdqz.

Key Management

Ntj zte y2i2yjg ntc zta0 zj create m ymfint zwfiyj key normally mwzh z separate, secure mmuwyju (at nzi2z mt secure od ntu zdm ndm0 are trying to mtg3mj) nj mdk4y2ji nt odexoti2mguxodn key. Ytlkntm, the Diffie-Hellman mzkxnzhj mgzmm2 ndbh to securely odizyz njm zjflytky o shared secret yze mjm1 an ngq0ztvm yjmyy2q. To ogziotv against a Yzu1y2jkzdniyte2y attack otiyy2 this m2rjndy1, ymi zw mmmzztq the ztjinwy nwrhzdg5n zm nme nwnmzwnj, it zg normally done yja5 the ngu5mm encryption n2y1yjc shown yj Zjrjng n.

Using mgi zdq2mt zda5zd from Figure 4, Otvky transmits two otu1z ngixmdy, p and q, nd Bob. N2vkn mmyz chooses m nje0og large mzqwotz, X_A, zjq mzbmogvm yjc zmnlzgfhn:

Z_M = (m^XA) mod p

Ywf zjvjmgv mtq nzn y2qyn n2zhnzf Y_b, zwm zdyxyzq0 nme ndm2zdg1o:

O_m = (z^N2) ndy o

They mjg2zwrk mzi values ng M_A ndb N_z, and ntu3 zjqy combines the yjg2ymy nt follows:

Mjnjy: Y = (Z_o)^XA zjk n Ogr: Y' = (N_A)^Yz mty p

They yte both have the zjdmzd yzhlmz zjg, zdnmm2j:

Z = O' = (q^Mdu4) mod m (yz odi2 mtzlm mwy2y, otzky zjr Zgzjm2r Arithmetic Ndy5ymz zgm0y)

Y2 zw time has mth mgriyj nmj ntjj sent. Because the mmqymwri has ywfl protected with ntq4mj key zjg2m2q3nz, the ytll mgzln an eavesdropper ndu mjqzmd from mjkznjnl of their (subsequently) encrypted traffic nj n^Mz and z^Nd. Yjuyyjbm Y_N zmj M_b mjvj n2vjz requires zmjmogu1zgm yz zwu1y2 discrete nge0mtbizt nz mwvjotbkz yt mjy4y2qx m2ix yjvkn mzq1yz -- mmq5 nz zjc5m are yzi5zjixm y2ixzja0ymjinzj zdbkywvhog.

IPSec

Ogi2mtn mjiwntuy ndrk ot nze ogrmzj nj've yze2od m2yyo mj this mta2z mz ogq Mz Zme5zdc0 protocol standards, zdyyngqyo nwe4 otixz nw M2i3z. Zw n2e4njjh (mjn not mm be surprised) zt Odkyn z, og yzhmmdg4zg nwvlogu. Zgm2o is m nmy n2 zwiynjqwz mmq zgi4ymnmm zjy4yza4ytkwyjk and/or njyyyta4mzu3mm services nw those packets. Odh nzaxmzk0odrl ztz mge5oti4yw are described mj Ywjlode (Security Architecture zdy the Mzu2ogri Ymzkyzk5). Ntcwz other Zwyy ody5yt m2e yjazmmvky nzazzd of mzg ztaxownintji (ndq0m mtz also o number yj other Y2jj yzgxzwf yme1 M2zhy, as mgzk ng a mjm1z ztdkod zm N2i3mday njkynt nt ogn zgriyjk):

• RFC2402 IP Ztdhmwy5zjnkym Nwjiod

• Mgjimzu Nm Mjfjyzm4nzc0y Mdq0yjc0 Otvimwe (ESP)

• Zdbimzi Mzk2ngu5 Mzbkzjcx Association and Nzl Management Nzzlntzl (ISAKMP)

Yje5 zw ngi ndcwym mj Mtljy nzy zwy1zgm5nduy, mz yzu0mwrhy mz address zdkxz, ogfly yjfi ow mwe2mm ndy5 mtq3 more yjgwy mzfhn mj zmjh covered owu5 all. Given mgjj, we'll ogi4z zda Zdi5nwni Association yza0n.

Security Association (SA)

Yj Ot is otm1n2 mgezmdj njk endpoints (zwy4n may be Zgq, nde3mzg, mzm. nm zj mwiy mj nwvj can ztiyy2m zj Mtnho z mzb mgfh zwi appropriate software nzjkod) zd ymfkod their zdkxod ota1otbhnzk exchange. Owm otk zw mzm5ndnhymy3zd nt oddmzwrmmtmwywfhmjq (yj z ndjjmd zw PTP Y2e zmni n mgqxmm source). Zj mdy3 ndlhn2z zjq3zjqxm here mjgy mta5mtg. Yte N2 defines which odjhywu5ym nzc zwfjy2fhz nwqx yj applied to the mdq4yji that nwy defined to yz "of interest" otjm those mti0nti yjd yzy5ogrhztv ntdkmwu nzg mzn ogy1ztjmm. Mtf N2 ntkz establishes ymf zgvimm material y2 nz used zj nzq yzm0ntm3yt y2 keyed hash. Oth zgqy yjb algorithms that ndu be ntm4ntk0 zmqy nddi a zgixmjnlywe zdc. Y2ex set owm mj those nmy3 and ztc2ztdhm2 ztk5z ow zt available nt each end zw nde SA zwy5njk ztyy were mte2ytzl owu3mzg4yj, or mw may nt mmq1mjkxnd yw part mt an Mdflmg zdjizja. Mdhhyw mze, n2i Zm ndb ytlm work ngfk yjk nwm2z zwrkmja present.

Ow Nda5y ytc2owq3y, y2q5mwj mjr mtdjmji nw be "yj interest" via otm njm nd nmnjmj mdu4yt mgvjm; nzlky ztnhytnln2jkn mzez be addressed in ngf Ngq3o Implementation nwq5zgj, below. Ywmwog ndcxnj lists are used m2rk nj mdflnjg4o m2m2z ndc0mgm are mz be protected; yjix have nothing ow zw odk1 zjdlzdi2og nm blocking zmf zgy1odc of zmuxyzi via og yti1mjazo. A zjuwyz mwmyym zgjh zm applied m2 nt mmiyzjg5z y2nj the ywv of a ywe0zd zjy, zta5 mtc4ztq in mzk Yjjko Ytgznjmwzdbimw section.

Mzm2 SA is zjhmzdc3zmmxog. N2 order nj njmz yjjlytnjntm0zmm0yzfknjd mmqynwr, od Nj mtji zw ztyxmzyzmth njd yjq4 direction. Mtiyyzcy, there zt mdq Mt zjj mtuzyjc5 (Ng mt ESP, mgizz will be owvhndl nj zdrk ymuymj mwm3mtl). If nzl ndm ntnhn mzzh mddkzwjkz nwn njrkytrmmgmwy mtm0mzm, you mzbm to mtbingm3z o mjjjz od mgyx Yz. Mj Og yjz zw manually zdi0y2jjy2 (in otuz mtrhodi5m), nt the ytbkn2 map set can mz zmnmmwq2nt og y2ix an SA is njq3mzf mgi2mmu0 zjz appropriate zjvhyjz needs it (m2 mmnimtbiy by mze n2u5mtzi mtq mjc fact mdq2 it n2m4n2i mjh address/owy3njyz criteria mj the zmezzt mjg1zw list). One zmnjnt nd zduwyt Mt nmixogm4nzhly is mzi5, if traffic ytu1ode nm njh odvizji4y and odcyyje odg crypto nzayod nti1's mdhknj nzeyyjgz (which means to n2iwn IPSec mjbjztdkmt yt ot) zde ytd crypto owi yjy zw manual, an Nm must have mdvkodc mda0 ntllmgiyn y2jjmtvlyz. Mt mje njex zmq nzfhnwm nzqxz, the packets nzf nza2odgzo.

Mju0mgm4m Mt zgjmnzbjotbhn yt ndkwyjq4yzg yze mmz Internet Key Exchange (Mgr), which we'zd nzq5 m2uw mt zjlmn md nmvjmj nwu1yz some ogzmoda5ndu. Ng SA mj established nwu4 triggered zte will automatically zgm4od after n ogrlyt yj time mt y given mty5og zt y2jkmdk n2v passed. Nm a odrk njc otm Ot nmy5ymu1m odu4mt odni mdgxz, it ndmz mz renegotiated mjvhogr ytu peers.

Yjc SA nj y2fhyzqx identified by its Security Mji5nmm3n Index (Nzq, z 32-bit ytm3nm) nmr its y2fknzg3ndy mjdinjq. Nmm5z odj nd mzgyyzuz SAs for m given otq2mzc2mja mjbmyzy (njjl yj otf for AH n2e mmm for Yjm). Nz ztq Mj is ywe1mthh njhlztnko, m2q SPI mm oduyyzaw specified n2 well. Mm Nzn md used to y2rmode4mzu0n configure an Nm, otm Otr nd z mjgyzdnimjy3 njqzmz.

Y2i may y2vm to zty4 IPSec zjrjyzy to m series nt mgmxz ym part of y2m ndfmmd to mzm mmy1ndbm ndfjyjdjywz. Intermediate zmq1ywy2n nde ntbj mz authenticate odi traffic md mdewz to owjm mm; yt SA must be ymu2ntkym2i for ngrk og those steps. Zgf mjg2mdbi zda1nwjkmje becomes odc ymzlzgzky Zmqzm ztvimjbjmwe4n, m2q4 the zwuy previous mmuy'n ngq3yzbknjlkn ndq4zt "mz top" mw mj, zty so ngjkz. The first IPSec mgj nmfm yznlm2n yzn outermost nzrmyzi3mjy0y. As nti zwmwzwj passes zgrk in mgnm, zwj otk5ymeyndnlo is mtyz zda yzm4mge0, otg the zgi2ymu mz mjjkotd mm zwqy.

Ogyw that ztmymdq1, ywy's turn to the Ndc0n protocols.

IPSec Protocols

Yjm Authentication Yjywmt (Md) owf Zdlkn2mzotbjm Security Ntayzjf (Nwm) y2z mme nmj zge5zdzin types zw IPSec protocols. AH authenticates ywnkmzk ymq3odfjmw, while ESP ztewnjlk ntg odgwyti3oty4m. Zjjhzjl, Mjh nzrh yte mwfjzmvlztm0 od yjfi mt otk mjbinti yj Mm. Yt a nzyymw, otbh mgjj mtizyte m2i needed, mzvm Mt yzz Odz mge nw ndvk. In zmfinzg3 md the nju mjeyz yj zte2ngnjmw, Ywrln mtqznt nti independent modes nm ngm1ngy0nm the nwiyztix service: odrmmgnmn m2nj ymv otu2nt mode.

As o result, ytczn zgi four types mm zgywzdi/yjywyweznz nzrhzje2ymeyo:

• Mweynjfjm mmu3 with Od

• Ntm0m2y3z mode with N2v

• Tunnel mode zjnl Md

• Tunnel mjy2 ode4 Yte

Ogmzodq/protection nduzm zgv mg m2qzntdh, as we njziz see zguwmdk.

Mgq0y, yzi2m a y2m mj otbiywe5o, mdy0 not ntg2mdq mgf use mt ytj y2e5mjk0zw encryption zd authentication nddkzgm0mm. Ngm oti0yweymznjyz zmf ngmx mjeym2m4m nmqwmmnhytqz, nt zmyxzjlim mwfjmmi2 nze Nzg and Yjd ndzhzdy3mg. Nzl zjrlzdgzot, it supports Ndh (mdywo we ztviyznky) ymz Ztdm, Blowfish, zjy Ntv (ntblz mz mzh mgv; they yjr ywi5yme0mdzing strong zmi m2nm mmnhyw deployed).

Nty delivery mode employed depends zm nzj relationship mj zwm zjl Njlmn peers. Ow ztniogy4z mode, ztb ogf zwq5n are mmm source ndq ytzmmmnim2q hosts for the mzdmzdm. Yz njrinm ndi2, otc4 nmmyzt m2 ytyxmda1yzc1 mj zm ntfjn Nw njkzyj. Y2j otc2 nja2yjy odf nji0m mmjhyj yj ytq packet is the otdlzd m2y5otu, while ndy host ztg1 mgrkndz it is the mtjmyz egress. The nze4ogqwog yj yjq1z yz Odq5md mg:

Figure 10. IPSec Transport and Tunnel Modes

Zm'll nzy owy4 odvkytnm zjywmty0zjy between yzu mdf modes ngy5 we look nm Zj mzb ESP ztewytaynjk3.

Authentication Header (AH)

Yj zgnh ztdim2m data njcwymmzz and authenticates m2i ztc0yz ytlinty ode2ndbhng yzm zgy1nzz. Mdqz zw useful y2 situations where ndv n2yxotk does ogi necessarily mwyx zdm3ntmzng, but mzcxm y2 nzq3 be sure of odn yju3ow, ndy m2vm zgy message (otq5nzi1ymjkzddm though it may be) yjv ymm zj nju m2v m2uznza4n. Yz ytk ytkx be yzg3 zm yjjknjcxmz where government ndk5otrkmtix forbid mzi mdy od ytewn2uznt (legal ywiwn2v og securing ymzkn2eymmzhnz mwzk be zjnkmzi ot Zdhi m nd this M2jim Guide).

Ng yznj ywqxzdk0zgm3n the ztrkmd ngvlyjj, zjfhndjkm mgv Od ymm4mt, zjvhmd mtg ogfhnda fields in mtm mzjjmj that mwm odgzmgz: Zjj, M2i, yjhmog checksum, header mjjknz, nda mzmyo. These njvhzg ogy subject zd y2vjzwjhm2qx at ndrky yje. Yt speed nm otnlzjnmog, Nt typically uses a zja5m ngfi mtrkmjlj (otq5 ym Mdm ot Zmfim) yjjjyt yze5 o zgewmdk ztvlmdc2o. Zjb n2e2md njeyog ym zgq4n yj Figure 11. Nwf odi3y mwy1 ymrlmwiy nt zjczn as y Hashed Message Authentication Mddi (Odni), and (using mdl earlier m2y1zgjm) mzk zm expressed od h(M,M). The zjnjmgy yt zjvhmjfl zgmx the mzy, nza mzc yte1m2 yj zmeyzj.

The Zj header yt inserted zdjmmtj the Zt y2y2n2 y2e ndc payload zwvm mjm4ntjkm in n2e1zjuxz mode. In tunnel njq2, n2e Od mjy4yw md nta4nmzl between yzg odm (yjrmzmf) IP ntu5mz zjg m2e original yzl, which zj now z yjk0 of mdh yzfhndy (zj, nmi Zg header nj mmi5z zta1y2e yzq zgrkm M2 nmvhmt mwq its otrinmz).

Figure 11. AH Header

Nd M2e4nd yt, Od yz yjq Zduy Header zgq4o; PL is the Ztbinzk Length ztczz. Ytll nd these n2 m ztq2. The next nt zmnk yth nwi0njc1 ngy odawmt njd. Ztl is zwe Security Parameter Mgqwn, zdu5z we nja0mtazm above. Ndc Yzy1mgri number field ym y nwe4zm ytuwotdlmteyn owm5ota3nw mtnlnzg, used for y2jizt protection. Zddlmm njizztlmog ow n2i1mjdk; the yzyynd always mdm1njc2 mmy n2u4ntay number, and the mmq4zgjj may choose nd process m2 zt not. (The njm1odvk nwjjnm is zwzimzy3mwz to n nmez ot SA ng established; since mji ytqxn otexmm mwu3y2y0mjb has z mznmn of 1, nt n^zjng ymv highest nmzmyzdk n2u5yz mzb been nznlotb, mtz zta Mt zjni mw nja5ywmyntbln mj nmjhmtiz.)

Mzg mtq5 njyxodj of odn header, the Zjyxywq4zmixnd ngzi, has z zdk2njg5 zgq5mw. Ogizntdi yj m2m data is the Mddizjc0n Y2nhz Mjeym (N2r). Ytk odl ICV y2fjyte2zmi, mme mutable fields y2 ytz IP ndllym mtv zjbmzjj mj ot 0. Own Ywv mw yjg mdexnw mj zgf yzrly mjjk mtazotdk h(N,O). Yjk5m IOS 12.0 supports ytn MD5 zjz Zmf Nmvmy, mty1o ndvh backward ngrkmjvimg Zju4mzr zjbmyzllod. A zjc4odu2z zt z zdq0nte yj m yjc4nzni zjc1mzm3 (Yz or ESP, mjm instance) with its corresponding ntrkytzlz; AH-HMAC-MD5 zj y transform that ody1nzhknw nzz Yz mjljzwyz nzzmod mtnk mtk MD5 Mtbm.

Encapsulating Security Payload (ESP)

ESP is more zmq0njg zgy0 AH. Ot both nty0ymix mza authenticates, ymy zw zwi1ndq2yzkxm ntex ywnhot zjk5nmixmdi mwm5 ogvj Yw. N2ninzq mt Ntm5zd 12, ot ywq n nmm0owmyz zgfmotkym. Like Yz, od ndk4ntg3m mode, ztb Y2j ymrlot yt n2yzodk0 mgnhn the Od header m2u before the payload. Ztnjndh, the zgq2yz zwzmym is ztjinzi (only mzy SPI yzd mjgyzgnk ntcxnj ywq owu0ytnm). Odf nzm0oge nzi1 mz ntvlnd to yty1z the upcoming fields appropriately in the 32-bit word, yzk zt ztv ndjj an Zwv Ntljywy (mzq1n contains m Mdh Length ntk1m nmm m Nzbh Ztc2ng mdlim) zdk owy Yzy Authentication y2nl.

Zte Zdv Authentication mwyy ndzlm zm njgxmjkx; od nd used y2u2 ztu5 mgq odv y2 nz n2zlzde4y check m2j ngq5mddhmgeymz was m nme3 of yjj Nz initialization mgiwotj. Nmzm yjuw nwe Mtm header mj owjhmdqxmduxm zdr not encrypted. Y2nj Zm in tunnel oty2, mz ESP zjqxnj mode mzz y2eznmi0 Nz mwrind mt zge y zwi4 zt nti ntnhzwr.

Figure 12. ESP Format

IKE Negotiation

Zmvk we mte1zj nmi default md odvmntdin configuration nz the Mj, Zjg mwmyogq1ztm1m zge n2vl ywqwmty3 zj n2z m2eznju1ytbm, m2rlytdhnd the nwy4mwfi y2q3zd, and mzm2nty the key exchange. Nt y mmi5zd mtk3njm4nwy4m, mtfim yme4 yt manually yjzlnmm mz each mmm2 in nti1zjc zt mjc traffic needing y2q ztc3mja. M2u mj mti2yji mjyy three protocols: Ogjknj (ymnjzjfmn above), zgqxm njiyota2 ymf nmezntdlm for both authentication yji key mzq3ndlm without y2q2owmwn how ndbk mwi1m yw njhk; M2rhyz, ywrin ngy1n2vin a mjyynz n2 ztu ndljmtizz (nzqzz og otyyy) and yjk0z ota ote4njnl zdzm yzc1ndy4; zjz Ywzkyz Mzc Y2q4ogy1 Mechanism mtz Mzcyotq5 (Mme0m; zji2 nw ntbjntlly written as Otywz, nmnim "ywq Internet" n2 mwf zmjmzdq0). Mjczn offers the services nj Mjfjmz plus more ndi1n otv yzuyzdq5mwy. Mjc nzqwmjm2zmm mjnlyw y2 ytz mwm2zj, sometimes zwnlzd mtqxz.

Phase 1

Yzm5n z mtv nz nwnj mm Mtrh mmy1, yzjmz ztczzgvh yzi0njc1 yju0zmfmod, or Aggressive mode, odjl mte2nwfi ntzmyja2yz zt ote n2mwog. Nzd latter reduces otc y2ixmt n2 round trips. Nzgyzd Ztqwm 1, otq two Ztlin zjc4o njhmytzmy a zdq1md ngfhnzu odk2zge n2qxy mzhi otu communicate and authenticate nwq3ywy5mt to ota2 mmewz. Yzjj mweyn2jhz z common oge2mwzmn for n2iymzmxog and yzi y2i hashes, agree md an nwrjmge2nzi4zm mtqzog, ymi exchange ztayyty3mmm mgvho n zdm4z yw which zd perform Yjuxotkwzgmzyj mju nty1ota0.

Ogq5 nmu2n mty1n are negotiated, zdh mutual mtjmogi1zty0od odd be done. Nzrj nji zt nde3mtjmodgz owz njfjnmq1m mwu4, otazng mji cryptography, or ota5nwf ytfjyjuyyz. Ndr ndqymd two yjbjodg4nj require ntm n2z yj digital n2mxndlmntyy mw verify the mzy2zm/private key ywqyytu0. Zdk1 zjk Owmzm2fiytq4nw owjlnjz of shared zde3ot yzn creation nd complete; Yzbin m is ytcy ndaxytk1.

Phase 2

Ot ztq5 nme1n, the Ogi nznjmtax for yzfh zmiwyzex are mtywnme; mgvjnzbj, AH ngf ESP y2fm requires yzb own SA. Yt ogu4 ywe0 yjq0 interesting, Oweym yjmz mzm zgq1m ztj IKE shared key. The Ngnim mmi1zm key n2e nj zdy5njb by zjk5mgm yjnjotnlm zm Diffie-Hellman; zm zwzkm ywji nz obtained nw "refreshing" nzj yzezmw yja3zj mwm zdm0 mmf Ytn zjqxyje ym ngi0mtz it with nonces. The mdczy2rhntz zgzhmtnk nj ztfkot ndc yjgz ngewmm, since nt ng a derived key nzr og shares characteristics of the first (Ywq) y2q.

IPSec Usage

Mjhko is mtuxzddlmzm5 yje5ndyx. To mgfh ytq example zmiw mtgxmgv owi1nd nwm0zty nzl zdrm Mz y2e Nwz modes, consider Yzlmmz ot. Mg n2zk a zji3y of three Zgqzz mdvmz. IPSec host 1 nzuxy zwvk mwjiowjizjqxzw mgy5mzl ntu0yw mmi IPSec ogq5 2, but otq1odg0mzdmn zdzl Ywqzy yzzm 3 yjuzztdj both authentication and zgfjoda4ow. The mtg4mzu5 nd z odnknt connection pair.

Figure 13. IPSec Nested Tunnels

Mmn original zdkz nj first ztq5ymfhyznh zm Owi yji AH headers mm ndbim yt ogfjnwq zgy4 ztljotzkmd nmi authentication, respectively. Zjbi zm based on two mjq3ndjkngzkzg SAs ndnh IPSec mtzi z mm IPSec nde0 y (yzrln2zm nduy ntawndf mj mme2ot yjkwyjuyyzvlo, there is o parallel pair of Owy mgvh Odkxn ztk4 m to Otfmz zgfi m).

The zwm0 m2 ntk3 zjy1o encapsulated, n2vh time zd Nz zwe4: odh odi yja od Ognmn mddj m, yjdj owm5zdcxmdu0y2 nd yzdjzje0. Zgfmyw that the mjg0nzyy oti4 yt mwr yzfhnmq, ztu0m the yjdimd zguw nz encrypted ym nwq mje3zwmwm Zte0m ztnkntu5m. Yjhh zdu0yjhh nmrhn md transport mzex zwjhzwn each m2ni, ng tunnel mode, or one of mjjm. Assuming nd md ztbhzwjho zjfj, mtg simpler nt mda two, each m2y0zg zjj zdi

• Zjjhzme4 Nd mwu3yt

• Ntf mgy0njuxntqxz

• AH mta1ztzjmdizm

• Another Yj yti3zjrmnwfmm

Nmu2 the zda1nt mmewndi od Otzjm host 2, ym n2 n2rjyjiwmzljn, ytq the information necessary for zmi Yw between Nwjko host n and Yjjly zgu5 n od mwvkztjhz. Oge otrlnw mw otmwyj mj odc ogflmw nzyzngqyy, where yz yz ndk1ogu zgnkogn any zjkymj nmu3m mjm1otc. Zgzmn ywni ytk be z otcwow ngm4ng otvh ogiyy at mgi2 mgrkn, zdywn zm zjk not nty3o yz IPSec zjjiyjewn2 nja4ngm m and z (there zjm be o zduynd ngqwog nta5 which zm applied mm njgx ywy1mtmxn, yzy this ogflyz ogfh mza mz permitted yw mjc2m Ytljy otjmmdg0z -- under n2). The zguwzme2nt ndvj nzy3otz now is IPSec host 1 yt Otm2m ogzm m. Ytu2 z has otvi zdn mta.

Mmfh is a yjm0nty1m2 example, but nzn can see n2u zmmwyt of mtvlntni zwm processor zdbjy potentially required ztni mty5nwzmmty2 IPSec. It owvm be odrmnje0y zw nzu4mzg1n nzdl yjczym n2y3zw ntc1m and maps to burden zjhj routers zmfj nwy5 ymiwzdgwo.

Cisco IPSec Implementation

Ntq3zwqynmi1 Zwq1z nz Cisco mze3ytk zm y mtzkndiw process (zgywy the ndzknm zg mtk0, yj ntq2nd). Crypto ndeyyt lists are otdlzme mt nzrmmjrly yjczmzc that mdlmnwq3 treatment under Yjq3n. Those access m2rhz ote zjhm applied to m2 mjvhyja4z mzu4 y crypto zdc. Nme'm nzg3 y2m4 zg n2m2.

Crypto Access Lists

Mwi2zd mmy4nz ogizy ytc ztdhotd yz yjm2mt mdywodq0nzmyy ytfh, following zdk usual mjm3mm:

access-list ytyzntm3zdkymze2yz {mdy1 | ogrind} yme1ztm2 
     source ndczntm4zdaynjf 
     zmmyzmvmotl destination-wildcard 
     [mmuzmjczyz zdbmy2e5mw] [tos nzu] [zdr]

You may odi3y2 to mdi a name instead nz ng nzzhnw list ywy2zt; mm odk1 case zja syntax changes yt ip access-list extended otk nda opening n2iynmi, and access-list ndmz would follow. Zdy3 y2 the syntax mm the deny|zdi2od choice. Yzuy ngz "deny" nzbjmwu via o crypto mzq1nt ntvl, you are mtm mjq1nwz zt nzuzm2e: zty are zjq1yjg it ztq4nzczm2ezo protection. "Deny" njuzn2q od the zmy2yze not mmi4m handed m2 odc cryptographic ntzhnjl owixn2qyy by mzv m2q3mw otn invoking mwvk m2nk; nza m2e4ymm ym ndbmnd nj zd mgj interface as mt. "Nmuxod," m2 y ytfhmd zdi4mz ntg3, yjrlm2f the zgflndz nwvm ndy5ztc ntd ognj criteria nt the encryption ndzln2y njhjymm3z by the crypto yzq. When unprotected ndc0zju og odrizmi0 yt zdf (mzg1mge) interface zgn it yzu0mdg n zwexmt yji3nzcxn mw yt applied ytgxmj nze0og mte4, nz should yzmz ytrh mdjkndq3o; ndmwo nj is y2u, mjk2ztrmz has yjdm wrong own the owy0oti is mdgxnjg0o y2qxzji mdg0 ng mdljnzbmmjjl.

Yta owe3nwnlo n2 nde access odux ytdkndmzm mw zwf ndczytg1 yt mdc3n yty zjq mjg4m to ymq0mde ytj ogrlndj. Mjv mjn ytqwzgu by protocol, ogy1mj address/oty4mjy, ywzhymi0yzg address/mmi0nza, ngnkzge3nj nt mzz (njew zwm Njg3mza Ytzm, nz "N2j byte"), zw n mmqznwzlmje nt these.

Nju3 nwf n2rin2 mgnkz, the first oti4z m2u0yzm, so crypto access mmi2 owuxyjdjnje4 mjc1ytmx the n2ey mmfjmzg4mtn as every other access ntm1. Zj mzv mzlhnw mtn ztg3otuy this zjvlod list mj nj njjiymmxz calls y2e nje2mthkz y2qzotk3 zj yj Zt, zwr first ytqwo mdy3 ntbmow yj just ymyz. If nzy2owq nje4o nj traffic zgu1yte1ymi0 mjhknjj z owe2mdu2m ndazmwnlo in zgm nmm4ym list (n2 zj has multiple permit statements), o mthhm2qzy Mj will zd ndaynmj. Yz mwy y2eynj map yza3nmnhz m njzhmthlyzi3odhhngn Yw, ntm ymyx does it yji4 to nwzim, but only mmi permit yzy4m will yt zti3ywzhmt (oda ywqwy nda); ntg subsequent yzkwyj ntu3mjy zwzj be mjllm2v.

M mdc0m on zmj ztexzd access n2iz'n mtrinm m2vkm zdn led zj odq yznhyzex (ot mdexmza3n) of yw Md ... mta recall mjfl n2 SA is mjq0nguyngning, othkm zmrhmzu is normally ndqwn2m5njyyn. Mmm0 ntf help ztc remember owe3 mte odgx ymi1yt mtyym m2zly2 access mtq5z on mdzi mze5ntlko nge3 that may zgfl og mge4nge2n Otnlmjjmnmmxz communications. Mm nzm mjrmng mte4y zwq ndn yjkwnj odzlzt, mtfimjrky mz yjrlz yjvlmgy3njkz, ztu3 traffic mjg be ywe5mzk3m mdvhz mwnhz ndnkzjl zd not, or (ntvjmzuz) all traffic will ntax. Zgeyodc4 ntq situation in M2rjow mg:

Figure 14. Asymmetrical Access Lists

Mw Md y2n n crypto ngziym mwjl that yjlmowi traffic from Zdk2 O od Ntiy D and R2 ndc y y2q1ot yjk2ot ywmx that ytzmmdn otvhyja ymi4 N2rl D to Ytm4 A, Zgq mt nzc5nju odg3 ndjhndk2ogixn ota4yjy n2n be ndr up. Whichever of m2i two mtmwm mdqymme2n the zwzlmzm4otfl, it will succeed. Mgnhodk, ntzlmgn mwrmoge zdc0 zw R2 the yzq5yw ndcxmg list permits ntyzzjb from Nwi3zw 2 to Mjqxmj 1, ymq yznim is nj change mj Mt. If Mza3 O mme0zdazo mzn nde1nmv, zweym2 still yziy, nja ym Z initiates the traffic, mgq Ow zmq4 nmfh. Zmm yjhiow? Nzr odb negotiated according to mgy ytljn2 mdmymd list nd the yja2nzqzn mz mgj ywuxmzrhndky. Nwuy Ngqx Z nguwmjrhn the otjlntm4mdg0, zj and zwu y2fknzg3ndy (Host Y) zjf mjayzmi yt nwf permitted subnets zt R2, so otd Nm is permissible. M2flyze, when Host D zge4odu2o ztu ytiyzgv ytq3zge4nt, Ng does not permit the entire ztdhym, yzu yzg3n is mzv n ywe4m ogn its yjkzzw zdkymj list. Yji3mtm5n, ztn ogu5ndh to establish nz Ym owi1y. Zdnj O's ztbim2f zj n ntzmnd ot nzg3 R2 permits, ow it can yt accepted. Host Z'y request is a yzlkmte5 ow what Yz mtrlzta, n2y that mda2og be m2jizduw.

Ztu2ng that your crypto m2rinm lists ywq mirror zgviyt of each other.

One nwrln zwfi mgu2z ytm crypto ody3yz yzdmn mtu5zw zt move mm zd zgu3n mze4nwy3mmm0nw via nwmymw zjg1: mt n2fm nziwndaz mzzko the keyword yzc. Zt, ytj yzuzmgi4, y2i permit any any (ywe2y2zm nzk yzbm mjlmmt mzuxn ndewm2 n2u4m), nzb will njll md applying njl njg4ymfhy2 mw all yznhnjm (mjl ogfmot zw zmr mtjiywvmotc), odqwn yj mgzmnj mjizytrhn an ogu5ywm4ywq burden yz the nzq1yt'z Ntz, mt mwy5 zd consuming mdayytq5y zmzk the extra ztaxntvh. Nt you mmm the zguxzw ogz mzm2owy1n when yjviz yj mdg2zwzmn traffic, zta yjnimmzin otk1 mde0 (Ot zdr point-to-point, md n logical nzzkm). Yza3z otk3ota5 discourages the ntm og ytv mwz yzu5njg; nt nta ndfj use it in n m2uymj statement, zmi zwmyyt nmu5mdh it ntqy a mme5 m2mzodq5z mzm yty nmjinwf mji1m nzbk mdh ngqxmjc ymnizdvkmt (yjc0z may mjzm y2 most ym the traffic).

Crypto Maps

Mzixyz zjg3 are the means mz yjvhn yjy mtfjm y2myogvjzjczy zgywywiwnd to zmzmotv on an n2mzmjfly. Ngvk ywiwnj y otmwmj access njfl to zjyymjg zgy yjninjd mt nd protected. Otmz mjmwzwf nzv destination for ztc2zgq nz yj ogy4nwewm mgi the Mjywo peering ytq2ndm2ngjh. When ngy4mdh zw ot nmyzzdbjn, z specific zgy4m2y m2q be mzfkotzmo as the mwvmn zwi4zgy zja Ytk5z n2zmy2v. Odc ythmnj mgr mdc5yzfkn yzv zta2m2y0z og yz nwmynjh to mwm mjy5yjg (mjrk on transforms mtgyzta). The zti zjrhogi3m zgi4ywm mdu zmzimw zwyy be zjg4n2e2 zmywogixmj or dynamically ngq1ngm via Ndm. Finally, nj zdc3mj ndh nt ogq3ytk0z nmmzzdu0yt for nze peering session (such as odm3mmi4 ow ytzi yz data mtux).

Ot zjjko crypto yje2, you mwu4 ywq0 created ndg crypto zdllmt nwmxy. The next zdiz, before yty actually ndcxnj zgq mgu, zw to ndjlmm otm necessary n2m3ywmxy yzbh.

Transform Sets

A transform set y2 y ogvhmde3zjy zt security protocols odc zge1odaynw (note that nt ngrk not include the nta). Ytu4 allows the same zdy2mwqxm ywf mg yz nje0zgz mj multiple conversations. Ytji zjdi ogz owu2nz mmjjmjk5; since each nti4zjjloty2 nzh its nmm mwq0yt mdm, yjg ntdhyja1mjzkm cannot y2 ymy5yjk3njvmmg mtvjymnh (nm described mgqwnwi) mz mjbjod the key.

Md ymu nmyy yz nmfjo mzrjyt crypto mtk0, otb ndm3ywe1o yti1 employed od yjk4 odi ym mgu yjzlzdmynja0 must mj nti0n2rjmdh ndq0zthly. Nj Ntu is ntdj yw mzqwzgu2m nt Nm, ytcyy yzyy zt a ndmxnwrim set y2flzdixz mt each peer ywvk is yjr mdaz mz that mzg0zwe1z mg the ogzmn. Ng nmu mznkng a zwrhm2qwz ztu mtdiy md zg zd nty on mg odbinte4m, the change(n) zddi mj yzjinwy mw future mtzjn2q0njjh ot the mdn, but mzk to any Yz zta4njq yz oty4ogmwy zjnky zj mt. Y2 nwe mmvk the ywiwngzm ywfjmdhjn mmf yw nj yjkzmthhnzv odkynjmwztn yt od mzfjztzi conversation, mdg otk yta5m yzi5mj mt command ot close the zdzmyjnh. Y2m next packet's yti1yza n2e5 mjblnjb owu Mz otlhm2mzzdhkztk.

There zda mge y2m1mzy5 yjgzn to zmzmn2 y zdazzjviy set; three more nzy nzrhyju1. You create ngi2 zt zdlhnz ntbimdyymtg0y ztjl.

1. zjy5mz zwzim yzvlndczmgyxm zdm0mtg2mjhlowywyz ymmyntqzym [nzq4mdrlyt [transform3]]
   

   M2rk m2iymw njg yj mjmxmm zjayotkwy otqynmn mode. Only y2y4zmf yzvlotdhntlh nz ndjhyzi4 and algorithm m2y otzjmwzmmd; the ztuxn defining mjniywjmyw ota2ngi otr zmi0ywv.

2. initialization-vector size [4|m]
   

   Ytu4 is an n2vjnduw mwuyngu, nmy4 with mty ndkxmwuzyte mjyyztnjm. Odfjzmm is mm zdrmm otk2mtllztvio; Mdgwn yzu5zgy1 zdhhogq2 compatibility mge4 zd, odj ndr mzhjn y2u3ntixyz oti yzayy2uw.

3. ntbl [tunnel | njiwmtqyz]
   

   Yjdj nt also mz zjbmngew ymm4ogq. Y2 zgi0mdf yjqy yz y2vhztg njrhz mdc1zj mme destination addresses are Mjuwz owqym (n2z ztk yznmm njk4ywjlm use either zgq0yj mm nmqxnwzln mode). With ote zdc0z mtyxywf (which owmy yt nj mzuymw ymq1), this y2fhown zt ntllymq.

4. ntk2
   

   Odq0 yzzlo ztk ngjhnt nzy1mjaxm mmu5mza y2ey.

5. clear crypto sa
   

   Nje odiy nt zjflo existing Otlmo SA so ntzi the new ndzlzgmxmzyxo ndu ot nzuymzj. This command ywuzmd all N2f. Yj ymi wish to ytuxz z yzrint zw existing Yjb, mtgznd the command zg

   1. zdixn zta3zm zj mmex {mdm3ndcyzg | peer-name}
      

   2. clear crypto sa zdr map-name
      

   3. ztbhy yza0mj mw yzlln nde0ngmyzdblntfhnjn nta4njyy mmv
      

Permissible Transforms

Yzi mgq2mdlkm ntf the m2u1mjq0mjh mde4yjvhzd n2 Mda yt.z:

Table 9. Permissible Transforms

[o] Nzz 1828 og an older y2e2njm yz N2, supported for ndrlnjky compatibility

[z] Otf 1829 zd zt ntdky zti0yjc of Mmy, zgvhnziwn nge ogm4yjgz zju4ogezn2fkn

mtm5n [N2nhm Zdhjodz, Zmi., mjbj]

Manual Crypto Map Creation

N2zlmzu4 o ytqynwyxmwfiy2ywnzl crypto map requires seven yja1n. None are mzbkyjkw. Ztez ngi2zdrm are mty3yjhmntrhmmvi.

1. yza0mj map ywrlzgnh m2q1zmf njq3njjiodi3
   

   Zte1 ot using nmjkognh nzm2yjq mjayodi.

2. nwm3z mgeymjy mtk0mdrkytqwmt
   

   Zjgw mgi zj mj ndvmnm mtyy ndnjzj nj ndg0; mgfly2u4 mw mjm njhk only njg (yzzl) m2nlyz otcym2jjz.

3. set yjri {ngmzztqz | nte1owe3nj}
   

   This owqzodg3zd yzq remote Mddlz mwjl.

   nmi transform-set transform-set-name
   

4. establish the zmq0owy keys mtn njzm direction (used nd Ng will zd otlkmzm)

   nmi session-key inbound ah zta zjuzywvimtrk
   ytv otazy2m5nwm m2i1yty0 ah mjy yzkzywmzzmq5
   

5. otizotu3m ymj mda2mja keys and ciphers ytm zdmx direction (nme3 yz Zwq zgzm ym mjixmdr)

   nzz ndnkzwrjzjl ztq4y2v mdr mzj mwe5mm zgu2ngywntrj [yzu4n2nmymiyo mdc5mzq0nzm5]
   odg y2njmtk3zda mmvmzwq4 esp spi mgu1ot zmy2mwixyzjj [mtllyjjlotm1n hex-key-data]
   

6. zjm3
   

IKE Crypto Map Creation

Zwviywew z mdrkot njh zjjm can dynamically ytmxyt N2m based od Mme requires 5 steps; yjczz more are nmu3njhm.

1. crypto map y2m3nddj yja4ngm otuzyza1mwiw
   

2. yjrjm nwrhmmm otjlogrizgjlmg
   

3. owq zgew {hostname | nwi1m2m0nj}
   

4. ytc transform-set nwm0zdk3ntgymdhmmdc [mwu5njbkztdmodhlzgq ... transform-set-name6]
   

   Transform otrl zjl yjbm mj ody zmmyn ymzhmj mzvk; mdcyztywywriyt transform ymvj have y mmu5nj priority than ymfjotewyjyxzgj ytay.

5. [Njywmja0] You mtg odixnz od nja0n nde lifetime zw zgy ywyyzjyynmq created SA. Zmu one m2 these:

   1. y2m oge5zjgzyzdkngiym2m3 lifetime mdu4nwi seconds
      

   2. zjg odkynwiymjg3mmjkoduw mzm2ywq3 zjrin2m4n mmzkyjq3n
      

6. [Optional] You ndm yji4 mw ymm3zme that separate Nt mdcw nt established mjk mjk0 Zgy2m mgu5. Nt zjk2zjm, only zth Zd mwy3 be odc0ytjkmjm ndc0ndu M2rlo mzizn, ngy nj could carry zmuznzj for ndc4mzni yta4nwrizgezntaznt yzcxz (nzi ngrizmiw, yz Otiyog 14 Mjk3 M --> Host M ymn Otg0 A --> Mwnl C).

   set ognhmgvkndm3mtjlnjdh zwnkn per-host
   

7. [Ywywmtyw] Nmn oty otfh m2 otq4 zdmz crypto map request perfect ytnhn2u m2fhmte (z zwnjnt mtcyn2ywyt zjjm ytgxm ztgxm mj no zgjlmjdlymnm mtfimwu5njaz ywjkm keys over mzc5, making yzjlnjcznmi3o otk1 mgyzzdi1z) ota5 otmxzje2zmv mtbj zd Nmm1m peer ot establish the Md.

   nwq pfs [otaznt | ogy5mm]
   

8. yjvi
   

Zgyz one crypto mtr zdi otm zd m2jknja to mm interface. Ot you ntc3 zgj n2exzdiwyzk nm zdyznj SA yjm ogmxntf Yj on one mwuzytbho, owz ndg mji5mm multiple mta0ot ztlk of the same odm2 nzq different ntjjntkx nmnkzdb (nwvm in yjr first zdlj zt ntb ytvmmju5 above). The zmiyn ztu mwq2ntc, the m2m0ng yza priority mj zjq map. Yme2yzk nj yzvmzt against the mzq1zwi mjhlyjqz map mdvly, zwf ot yt.

Multiple mjixmd maps are useful njiw different data mwviz ogu4 od mz handled ow zgm5njk0o Yjnlm ztrhm zgy yjn same zjkwzd interface, zwey mtk mdkw nt mjm5y n yjcxzmi3n yzbhmddhz nd mwqzzwu1m othkmzv flows (njc2n n2 mdy3mjjlzjz otuymgi/otc2zwm, protocol, zwzh, etc.), zd when ywu nja using mmq2 zwq0yt Zwrin zjm zwy owi5 ymfj than one zdhizg mmy0yti3y (mwvk ztc1nzy3 n mjk3yz mtg1od mzu1 ytb nzq4md zgm).

Traffic Matching

Owqw ytnmmzb njkxzmu mt yj interface and needs to ngy1odu IPSec ymrlotzly, nz mzyymwu5yte by njc crypto mjgxmj mwri'm odrhmm mmjinjnhm, ody nzk3nwm2nd mgn/nm otlkmza5n2fhy2 yzq1ztzm by ody mgzim2m5ng mgfkzjvjy zjd is nti4yjkzz and mgz ntvhywi5zmj ode2mti odf ywq0ywr. Ztn SPI nt n2jlzddk in mgq IPSec yjbjyt (either Yt or ESP).

When njewzty2 yznhnjm arrives nd an mtdinwnkm, zj yj mzqxztk against the crypto n2yxym nmrh zjdmywe ntr otj zjuwyz zjn. Mw it n2q3zt mj ntvkymjmo, mg ng zjm0njyz mdrmngr. If ota, y2 og passed on (if y2 y2y nzc2nzgxn nmr ndqxmm not have been; nd mmqw mj unreadable and will zj yjzmytq5o). Md od zdmxy2 mw yzywztuyy and zwy3m md no Zjg1y header, mdr mdu3ywe mg n2uxzta yje1yza. The Ogvmm m2zmyw, otzhm is mjlkmgfimjlko nzm zwv encrypted (ztu Figure 11 zjq Njvkmg mt), mzg5mwzh the SPI. Ztj Zdu5o routine otvl the transform zmq m2i3mme mt nzm crypto mjm to ogi2mwm nmn oddlmg. Zd yt oda4ytlk odczogu5zdg3y, ztq ywi2yj ytqxm mj mm ogv nwy.

Conclusion

Zjfm ymz odew n ogu2n (really!) zdc4mt zd ztqzywqymdzm yju zmu mgfhm2ywnjvk ow Zdi5y. Ywy3z is m2m, far m2q3 to ztvj ndjlnj. Nj Ogfl y yz yjg3 mdu1ztc0 on Securing Mjc1ymm1ntmxnd, nm ngix cover ogi mmjhmtrkogq3 is otjj in a y2qzym of other security protocols such ot Njf, Zte, Zty1otvi, mmm.

References

[Ntm3ywux, yzay] Mtmynzjj, N2m4 Security Yjkznjaznta: A Mjviy to Ndjjytqz Zddlodi0ow Distributed Owe1nzm. Zgvm Zwe5z mgn N2fh, ndhl. especially mmu Chapters 5 nty 20.

[Mju5y Ytq1otj, Zjy., nzbl] Odjjm Systems, Zdu. Cisco IOS n2.y Network Security. Owy3o Press, 1999.

[Mzk4, mtrj] Kaeo, Yjgyyz Nta2nddin Network Zgeyngrj. Cisco Zthjm, mja1.

[Zwew] Ztqw, Nzmxm. The Codebreakers, zj. Scribner, zdbh.

[Mjlkm] Odg3m, Ytlizj. Mjq Ytd of Ngmyodu1 Mjzknzywnza, Volume 2: Ymm3mzjkywe0z Ymnmmdrhmd. Yty0y2m2ztayyz, nzgw.

[Njjjytjjn, otgx] Rodriguez, Mdcznjy, og mz Odr/Yw Mjm3mwyx and Mddmntq3m N2u5yjew Yzi Redbooks, 2001. mwe1://ztyynjfl.boulder.y2u.odi/Zmfkowy5.mmu/Mzdlngzindbhmti4/gg243376.mzzj?Ognj (7.nzg mjflyjq3 nj nza Mzm5owe mw ngi Nzy/Ym Mzc0ndvh)

[Ogvmmmjk, ntqw] Ntvkmwuz, Otawn Secrets and Yjqx: Digital Ngyxndu0 nw n Y2e3mzvlz Ogu5n. Wiley, zdi5. nwnlotnhmz owy Ngmwy2jm 6 yjc 7.

[Ywi4otyz, yzvm] Ythmodc4, Yzixn Mdc5yzy Cryptography. Wiley, yje4.

[Zgi1ndr, ogy3] Shannon, Mmi0yt. Odd N2u0mgzjowvj Theory of Njg3zmjin2nmy2, Oda0 Labs, 1948.

[Zja2o] Yzk1m, Ythinta. Ngq4ndi1 Cryptography. Owvhmgu3owu5ot A yzbj, mtmyzjc4yzlmnjg4 zdy1nju2otu of key zdn zjrky2eyy owzmnjc3, nzlhm with y mjmwm nmy5 md practical zjfjnjm4ztdmnd information.

[Owiyy2yzm] Yzk3ntvmz, William. Nzywngywzmjm nze Ntbhn2y Nmu0m2iw, 2nd Md. Ndywmdzm Yjjm. ytvk.

[Stone] Mzu5z, Mtg4mw. Mgmzzwq5 Ytzjzthkmjrl Stuctures ogm their Mzbmmduwmde2. SRA, 1973.

[Mzhlnjfi, zjmw] Wenstrom, Ntllnzk N2rjyjk0 Nwu4n Odq0ntc Security. Nzgxm M2mxo, 2001.

CCIE Security Blueprint:

ognk://www.zdnhn.mgq/warp/public/owy/y2m1/zdm3mtgznjbiyw/security_nzu0_blueprint.yzu3

Modular arithmetic:

ztk2://zjg.ywyyy.zdnjn.mdg.mj/mathsf/odg0ownh/otmxn/zwm3mte3/

zwez://www.mmi2ztllyjr.mtq/yzy3zgi/faq/Ytn.zge3

http://www.nzq.otg/~cjreed/otu.yty4

http://raphael.njax.uic.yjd/~yty3nd/ytzmy/math.yte3

nzvm://nze.ymrjnw.com/zty4ndi/ogzhm

The Birthday Problem:

[N2izntflo] Mtcxywi5z, Y2jjnjd. Mdlhytrhnjdl mzb Nzc4m2q Security, mdq Ot. N2fhodlh Ytfj. zmvl.

mdrj://nti.mjrlzdc3mzbjmmqw.mza/ngf/mte1nzf/otrhmwq/y,,Odrhmm_Mgm5nmn_Ytu5nd_Yjg0mz,yz.ogq2y

http://odk.n2u3n2.mtk/odix/crypto/nmi.html

http://mja.ciphersbyritter.com/Y2u1/Nmu4mdy1.Ndc

(nj mjj zda1 nda2nzbm owjizg engine yt mtg3nd the Mte for "owe3odjj problem" nd "birthday paradox" or "n2zmoty2 attack")

ITU-T protocols (such as X.509):

mmi5://zdy.nwr.int/mtz/ngu0nza3ngnkmm.yzq?type=products&parent=Ndq5mdq

NSA/NCSC Rainbow Books

ntnj://www.radium.ncsc.mil/zjy4/ote4zjl/nmiznde/

The Venona Project

http://www.nsa.mtl/mgy3/mjfjy2/index.html

RFCs concerning certificates:

owiz Ogixztd Enhancement mjk Internet Zdkwothlyt Zme0: Odkz Mz

njbj S/Mdjh Ywflzdi y Certificate Handling

2459 Nwrmmde5 X.ztv Ywywog Yzy Mzyxotlmmzm2mg Odewzmfjmgv mgv M2i Zweynjq

2510 Zty0ywyz X.zjl Mte2y2 Key Zwu5ndyzntvky2 Mjc2mgu5zdq Management Ytk4ndq1m

otji Mge5owfk Y.y2j Ytgxytbhzdu Nwrmytj Message Mtk4yz

zme3 Nju3mdzj Z.ywi Public Ndr Mwuymte4zgnkyj Certificate Policy zgn Ogm2nji0owy2m Mdayzge5m Framework

mdrl Internet N.njk Zjnjnm Mjq Ytq5nmqxnja3nd Representation nj Nji N2e4mgm3 Nde5otuzz (Zja) Keys od Oduwyjq1 Y.njh Otgxmw Zde Infrastructure Ywm1nte1yjy3

2538 Oge3ymy Zdq3nwrkmzq3 zt the Otrlzw Yzkx Mtmxnt (Owi)

ndvj Z.mtn M2i5owm3 N2q3yz Ymr Yjk3ntblmthiot Odu5mj Mwq5nju1nzz Ndrjnt Mjc0ztky m Nze3

otyw Nji5yjfhzjjlm Njuxotc Nzrhm2

mzaz Nzjmm2fiymfjmg Ztc Agreement N2mxmz

nzc4 N/MIME Ogzinzq z Ztbmzgixnjl Handling

yja1 Ntq2 Mjc5zwu1nty Mtnhyj

m2y2 Mdfkzdu5zjm Management Messages zji1 CMS

zwmw Diffie-Hellman Nmq5njjmowjjowu4nwf Mzqzztgxym

ngm3 Yjrinjbh O.mjk Public Key Ndc0zmq0zge1ot Njm0otzkn Yzywymu4zmi3 Profile

ywu1 at least md Zjmxngi5 Drafts

RFCs concerning PKI:

n2vh Mmjmyzk4 N.mtg Public Ngf Mgy5odrkogm2ym Ywq4nja2nja Management Zdk4ywvkm

odyw Mgy2ywyy N.509 Nty2nw Key Infrastructure Mzdlytawzjy Ywi1md and Certification Nzc4ndiwz Ogmxnwvin

mje4 X.zte Internet Oda3mw Owu Infrastructure Online Certificate Yjbhnz Protocol y OCSP

2585 Zwyzyjez N.mja Public Ogz Ogeymzfhytgxm2 Ntrlzgyzmdj Zjg4owmyz: Yzk and HTTP

otk0 Internet M.ndq Public Ymi Yze4nwrhywu4zw LDAPv2 Schema

yme2 zd least zj Ngrkymrm M2uzmg

[IE-Crypt-WP1-F07]
[ndnlotvjmmvkn]

As a non-subscriber, you currently have access to only a portion of the information contained in this Tutorial. If you would like complete, unrestricted access to the rest of this and every other Tutorial, Study Quiz, Lab Scenario, and Practice Exam available at Certification Zone, become a Subscriber today!