Encryption and VPN TechnologyWord文档格式.docx

1、Encryption and VPN Technology#Encryption and VPN Technology#Symmetrical encryption#Figure shows symmetrical encryption, which is also known as secret key encryption. Symmetrical encryption is used for large volumes of data since asymmetrical encryption is much more CPU intensive. The three encryptio

2、n algorithms available in the IOS include Digital Encryption Standard （DES）, Triple DES （3DES）, and Advanced Encryption Standard （AES）.#DES is one of the most widely used standards. DES turns clear text into ciphertext through an encryption algorithm. The decryption algorithm on the remote end resto

3、res clear text from ciphertext. Keys enable the encryption and decryption. DES is the most widely used symmetric encryption scheme today. It operates on 64-bit message blocks. The algorithm uses a series of steps to transform 64-input bits into 64-output bits. In the standard form, the algorithm use

4、s 64-bit keys. 56 of these 64-bits, are chosen randomly. The remaining 8 bits are parity bits, one for each 7-bit block of the 56-bit random value.#3DES is an alternative to DES that preserves the existing investment in software but makes a brute-force attack more difficult. 3DES takes a 64-bit bloc

5、k of data and performs the operations of encrypt, decrypt, and encrypt. 3DES can use one, two, or three different keys. The advantage of using one key is that 3DES with one key is the same as standard DES for backward compatibility. However, additional processing time is required with one key. Both

6、the DES and 3DES algorithms are in the public domain and freely available. The US Government restricts export of 3DES technology and many other governments restrict encryption technology within their own boundaries so they may monitor communications.#AES is a newer encryption algorithm. It currently

7、 specifies keys with a length of 128, 192, or 256 bits to encrypt blocks with a length of 128, 192, or 256 bits. All nine combinations of key length and block length are possible. AES is now available in the latest Cisco router images that have IPSec DES/3DES functionality.#The most important featur

8、e of a cryptographic algorithm is its security against being compromised. The security of a cryptosystem, or the degree of difficulty for an attacker to determine the contents of the ciphertext, is a function of a few variables. In most protocols, the cornerstone to security lies in the secrecy of t

9、he key used to encrypt data. Symmetric encryption algorithms are built so that it is extremely difficult for anyone to determine the clear text without having this key. In any cryptosystem, great lengths are taken to protect the secrecy of the encryption key.#Asymmetrical encryption#Asymmetric encry

10、ption is often referred to as public key encryption. It can use either the same algorithm, or different but complementary algorithms to scramble and unscramble data. The required public key and a private key are different, but related. For example, if Alice and Bob want to communicate using public k

11、ey encryption, both need a public key and private key pair. Alice has to create her public key/private key pair, and Bob has to create his own public key/private key pair. When communicating with each other securely, Alice and Bob use different keys to encrypt and decrypt data.#The mechanisms used t

12、o generate these public/private key pairs are complex, but they result in the generation of two very large random numbers. One of which becomes the public key and the other becomes the private key. Because these numbers, as well as their product, must adhere to stringent mathematical criteria to pre

13、serve the uniqueness of each public/private key pair, generating these numbers is fairly processor intensive.#Some of the more common public key algorithms are the Rivest-Shamir-Adleman （RSA） algorithm and the El Gamal algorithm. Public key encryption algorithms are rarely used for data confidential

14、ity because of their performance constraints. Instead, public key encryption algorithms are typically used in applications involving authentication using digital signatures and key management.#RSA is the public key cryptographic system developed by Ron Rivest, Adi Shamir, and Leonard Adleman . The t

15、wo methods are RSA signatures and RSA encryption. RSA encryption generates a value known as a nonce. A nonce is temporary random string, which is generated and combined with the peer public key. This is more secure than the shared key method of authentication. However, it requires more processing po

16、wer and decreases throughput performance. An RSA signature is the method that uses digital certificates. This method is very scalable and typically is used by medium and large corporations.#Non-repudiation is the ability to prove a transaction occurred, similar to a signed package received from a shipping company. This is very important in financial transactions and similar data transactions. RSA signatures provide non-repudiation. RSA encryption does not provide non-repudiat