Encapsulating Security Payload (ESP)
The ESP security protocol provides confidentiality via encryption, data origin
authentication, data integrity, optional anti-replay protection, and limited
traffic flow confidentiality by defeating traffic flow analysis. Authentication
and integrity can be provided via the same algorithms used by AH.
Confidentiality can be implemented independently of the other services.
ESP confidentiality is accomplished by performing encryption at the IP packet
layer. ESP supports a variety of symmetric encryption algorithms, but the
default for IPSec is 56-bit DES. This particular cipher must be implemented to
conform to the IPSec standard and to ensure interoperability with other
vendors' IPSec products. Cisco products support DES plus 3DES for even stronger
encryption.
DES Encryption Algorithm
Data Encryption Standard (DES) is a popular symmetric-key encryption method
that uses a 56-bit key to ensure secure, high-performance encryption. The first
public encryption standard, DES is based on an algorithm developed by IBM. DES
is used to encrypt and decrypt packet data, turning cleartext into ciphertext
via an encryption algorithm. The receiving device uses a decryption algorithm
and the same shared key value to restore the cleartext. Figure 9-7 shows the
encryption process.
Specialized “DES cracker” machines, while uncommon, can
recover a DES key after only a few hours, so Cisco recommends 3DES as the main
encryption algorithm for VPN.
Triple DES Algorithm (3DES)
Cisco products implementing IPSec can use the Triple DES (3DES) algorithm as a
much stronger encryption method. 3DES is a variation of 56-bit DES that breaks
the data up into 64-bit blocks and then processes each block three times, each
time with an independent 56-bit key. This process effectively doubles
encryption strength over 56-bit DES.
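The three passes with three independent keys described above are the standard 3DES (TDEA, FIPS 46-3) encrypt-decrypt-encrypt construction. The following Go program is an added example, not code from the book or from Cisco: it builds 3DES by hand from three single-DES ciphers, checks the result against Go's built-in 3DES, and shows that using the same key three times collapses to plain 56-bit DES. The keys and plaintext block are constructed sample values.

```go
package main

import (
	"crypto/des"
	"fmt"
)

// tripleDESEDE is the standard 3DES (TDEA) construction on one 64-bit block:
// encrypt with k1, decrypt with k2, encrypt with k3, each key 8 bytes (56 key bits
// plus 8 parity bits). Three single-DES ciphers make the three passes visible.
func tripleDESEDE(k1, k2, k3, block []byte) ([]byte, error) {
	if len(block) != des.BlockSize {
		return nil, fmt.Errorf("3DES works on 8-byte blocks, got %d", len(block))
	}
	c1, e1 := des.NewCipher(k1) // NewCipher rejects keys that are not 8 bytes
	c2, e2 := des.NewCipher(k2)
	c3, e3 := des.NewCipher(k3)
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, fmt.Errorf("each 3DES key must be 8 bytes, got %d, %d, %d", len(k1), len(k2), len(k3))
	}
	out := make([]byte, des.BlockSize)
	c1.Encrypt(out, block) // E with k1
	c2.Decrypt(out, out)   // D with k2
	c3.Encrypt(out, out)   // E with k3
	return out, nil
}

// libraryEncrypt uses Go's own DES (8-byte key) or 3DES (24-byte key k1||k2||k3).
func libraryEncrypt(key, block []byte) ([]byte, error) {
	newCipher := des.NewCipher
	if len(key) == 24 {
		newCipher = des.NewTripleDESCipher
	}
	c, err := newCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, c.BlockSize())
	c.Encrypt(out, block)
	return out, nil
}

func main() {
	// Constructed sample keys and plaintext block; not captured traffic.
	k1, k2, k3, pt := []byte("key-one!"), []byte("key-two!"), []byte("key-thr3"), []byte("ESPdata1")
	manual, _ := tripleDESEDE(k1, k2, k3, pt)
	lib, _ := libraryEncrypt(append(append(append([]byte{}, k1...), k2...), k3...), pt)
	fmt.Printf("manual EDE %x, library 3DES %x, equal: %v\n", manual, lib, string(manual) == string(lib))
}
```

Calling tripleDESEDE(k, k, k, block) yields the same ciphertext as libraryEncrypt(k, block), which is why a 3DES peer can interoperate with a DES-only peer by repeating one key.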
Both DES and 3DES offer adequate performance for production network
applications. Now that DES/3DES encryption is available in ASIC hardware in
products such as the VPN 3002 Hardware Client Device and VPN 3000 Series
Concentrators, you can add encryption to a VPN with little impact on overall
system performance.
Advanced Encryption Standard (AES)
The AES encryption technique was recently approved as a Federal Information
Processing Standard (FIPS PUB 197) cryptographic algorithm. AES is based on the
Rijndael (pronounced “Rhine Dahl” or “Rain Doll”) algorithm, which defines how
to use 128-, 192-, or 256-bit keys to encrypt 128-, 192-, or 256-bit source
blocks (all nine combinations of key length and block length are possible). AES
offers greater flexibility than even 3DES because it supports multiple key sizes
and multiple encoding passes.
Release 3.6 of Cisco VPN products introduces support for AES (128- and
256-bit), providing a stronger encryption standard option and improved
remote-access performance for both software and hardware clients. Cisco is
working with the IETF IPSec Working Group to push for a new specification
outlining how AES will work within the IPSec framework.