At-A-Glance—Encryption
Data that travels across unsecured networks is vulnerable to anyone who wants to read, alter, or forge information. Using easily obtained tools such as protocol analyzers, just about anybody can read packets and gain access to classified information. Hostile parties can tamper with packets, hinder delivery, or prevent network communications.
Encryption provides a means to scramble and protect information as it travels across an otherwise unsecured network. Different levels of encryption can keep anyone from deciphering the message or figuring out the message’s origin and destination.
</division><division> <title>What Are the Problems to Solve?</title>Almost all methods of encryption rely on two basic items, codes and keys.
First, you must develop a mathematical code so that only those possessing the right keys to the equation can properly code and decode messages. Extremely complicated mathematical functions are used, and the mathematics are so complex that without knowing both the encryption code and the right key, it is virtually impossible to recover the original message.
The second key piece of encryption is the distribution and protection of keys. There are a number of methods for key exchanges; the following At-A-Glance sheet focuses on the Diffie-Hellman method.
</division><division> <title>Bullets, Bombs, and Secret Codes</title>It might surprise you at first: Encryption codes and cryptography methods are subject to the same export laws as guns, ammunition, and explosives!
However, it does start to make sense when you think about the damage that could come from someone unraveling the myriad encrypted messages sent across the Internet every minute of every day. Access to this information could compromise military operations or expose the information that businesses and organizations keep secret.
What might happen if one company knew every other company’s marketing plans, or if your insurance company could track all your credit-card purchases? In dollars and cents, the damage could be as bad as or worse than what a bomb could do.
</division>At-A-Glance—DES and Key Exchange
The Data Encryption Standard (DES) is a fixed-block algorithm, which is a fancy way of saying it performs a complicated math function on a standard length of bits (referred to as a block). The DES algorithm splits the blocks in two, encrypting one half using a key value and a complicated algorithm. The two halves are rejoined and then re-split; the process is repeated a number of times before the output is secure. Think of it as an extremely complicated way of shuffling bits.
Triple DES (3DES) encrypts a message using three separate passes of the DES algorithm. 3DES provides a high degree of message security, but depending on processor speeds, it can take up to three times longer than standard DES to encrypt a data block. However, with the increased availability of cheap, fast processors, this method is becoming a popular option.
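The split-transform-rejoin-repeat structure described for DES, and the three-pass 3DES construction, as an added toy example (not the page's own code and not real DES: the 16-bit block, the 8-round schedule and the round function `f` are made up to show the shuffling structure only):

```python
# Toy Feistel cipher mirroring the DES structure: split the block into halves,
# run one half through a keyed round function, rejoin, re-split, repeat.
# Constructed for illustration; never use it to protect real data.
HALF_MASK = 0xFF
ROUNDS = 8

def round_keys(key: int, rounds: int = ROUNDS) -> list:
    """Derive one 8-bit subkey per round from a 32-bit key (made-up schedule)."""
    return [((key >> (4 * i)) ^ (key * (i + 1))) & HALF_MASK for i in range(rounds)]

def f(right: int, subkey: int) -> int:
    """Made-up round function: mix the right half with the subkey, then rotate."""
    x = (right ^ subkey) & HALF_MASK
    x = (x * 0x9B + 0x37) & HALF_MASK
    return ((x << 3) | (x >> 5)) & HALF_MASK

def feistel(block: int, subkeys: list) -> int:
    """One DES-style pass over a 16-bit block: split, transform, rejoin, repeat."""
    left, right = (block >> 8) & HALF_MASK, block & HALF_MASK
    for k in subkeys:
        left, right = right, left ^ f(right, k)
    # Undo the final swap so decryption is the same routine with keys reversed.
    return (right << 8) | left

def encrypt(block: int, key: int) -> int:
    return feistel(block, round_keys(key))

def decrypt(block: int, key: int) -> int:
    return feistel(block, round_keys(key)[::-1])

def triple_encrypt(block: int, k1: int, k2: int, k3: int) -> int:
    """3DES-style encrypt-decrypt-encrypt: three separate passes, three keys."""
    return encrypt(decrypt(encrypt(block, k1), k2), k3)

def triple_decrypt(block: int, k1: int, k2: int, k3: int) -> int:
    return decrypt(encrypt(decrypt(block, k3), k2), k1)
```

Running one pass with a single key shows the cost model the text describes: 3DES does exactly three times the round work of one DES pass.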
</division><division> <title>Digital Signature Standard</title>The process of encrypting and decrypting data happens through the use of keys. Without the correct key, third parties are unable to unscramble a coded message. (Of course, you can eventually crack any code given enough computing power and time.) Digital Signature Standard (DSS) uses a public key/private key pair to identify users and code and decode messages. A public key is mathematically derived from the private key using a mathematical method called factoring. A detailed explanation of factoring is beyond the scope of this paper, but the nature of factoring makes it nearly impossible to figure out a private key by looking at the public key.
The result of an encryption is a hash. Using a private or session key, you can code messages. The public keys ensure that the message is authentic and unchanged, and the private key decodes the message.
</division><division> <title>Diffie-Hellman Key Exchange</title>Understanding how DSS uses keys is only half the battle. You must also have a secure way to obtain session keys without any third party obtaining them, even when you exchange the keys over unsecured links. The Diffie-Hellman key exchange protocol was designed for just this purpose. The exchange is secure because keys are never transmitted in clear text, and they are exceptionally difficult to figure out. Diffie-Hellman prevents key interception using two known numbers, a prime and a root of that prime, that have a special mathematical relationship to one another. It is possible for two parties to agree on a shared secret key, yet impossible for eavesdroppers to determine what this secret key is (even if they know the shared numbers). Here is a basic example of how it works:
N = a prime number; G = a root of N
User 1 creates a very large random number A.
User 2 creates a very large random number B.
a = G^A mod N  (the "crazy math function using N" is reduction modulo N)
b = G^B mod N
User 1 sends a to User 2.
User 2 sends b to User 1.
Both parties can now figure out the key (K) as
K = b^A mod N  (User 1)
K = a^B mod N  (User 2)
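The exchange above carried through in code, as an added example (not from the original page), using the text's names N, G, A, B, a, b and K. The parameters N = 23 and G = 5 are constructed toy values; real exchanges use primes of 2048 bits or more.

```python
import secrets
from typing import Optional

def is_root_of(g: int, n: int) -> bool:
    """True if g generates every non-zero residue mod n (only feasible for small n)."""
    return len({pow(g, k, n) for k in range(1, n)}) == n - 1

def public_value(g: int, n: int, private: int) -> int:
    """a = G^A mod N (or b = G^B mod N): the only thing each user transmits."""
    return pow(g, private, n)

def shared_key(peer_public: int, private: int, n: int) -> int:
    """K = b^A mod N on User 1's side, K = a^B mod N on User 2's side."""
    return pow(peer_public, private, n)

def diffie_hellman(n: int, g: int, A: Optional[int] = None, B: Optional[int] = None) -> dict:
    """Run the whole exchange; A and B default to fresh random secrets in [2, N-2]."""
    if not is_root_of(g, n):
        raise ValueError("G must be a root (generator) of N")
    A = secrets.randbelow(n - 3) + 2 if A is None else A
    B = secrets.randbelow(n - 3) + 2 if B is None else B
    a = public_value(g, n, A)      # User 1 sends a to User 2
    b = public_value(g, n, B)      # User 2 sends b to User 1
    k1 = shared_key(b, A, n)       # User 1 combines b with its own A
    k2 = shared_key(a, B, n)       # User 2 combines a with its own B
    assert k1 == k2, "both sides must derive the same key"
    # An eavesdropper on the link sees only 'on_wire'; A, B and K never cross it.
    return {"on_wire": {"N": n, "G": g, "a": a, "b": b}, "K": k1}

if __name__ == "__main__":
    print(diffie_hellman(23, 5, A=6, B=15))  # constructed toy run
```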
At-A-Glance—Encryption and OSI Layers
You can implement encryption at one of three OSI layers: the application, the data link, or the network. Each layer has advantages and disadvantages.
For application layer encryption, you must upgrade each application to support encryption, and all hosts that communicate with the applications must speak the same encryption language. This setup can often mean replacing all the hosts in a network, but it does not necessarily require any network upgrades because traffic is unaffected.
You can do network layer encryption anywhere in the network (at the ingress and egress, for example). You do not have to upgrade the hosts. It also leaves pertinent Layer 3 and Layer 4 information in the clear for use in routing. Network layer encryption has a good balance of security and cost.
Data link layer encryption is very secure because it encrypts everything (including IP addresses). The downside is that each router must decrypt the traffic at every link and then re-encrypt it once the correct path is determined. This process is very slow.
</division>