Hash function: also called Hash function, mainly in order to ensure data integrity, the mainstream algorithms MD5, SHA-1.
Hash values: The results obtained by calculating the hash function
Symmetric key algorithms: using the same key and algorithm for data encryption and decryption operations - Advantages: fast, safe, compact - disadvantages: hijacking and eavesdropping easy way; more participants more key data ([n- * (n-1)] / 2); key storage and management problems; does not support digital signatures and non-repudiation; how to send the key to communicating parties; - mainstream protocols: DES, 3DES, AES, RC4 - encryption solution scheme is not simply symmetric encryption
Asymmetric key algorithm: with a key to encrypt data before encryption and decryption only with the other key data • asymmetric key technologies are pre asymmetric key algorithms (such as: the RSA) calculating a male key (shared) and private (proprietary) • only for key exchange (encryption key) and digital signatures (cryptographic hash) - advantages: do not worry about public key is hijacked, the same number of keys and the number of participants exchange without prior establishment of some kind before the public trust, support for digital signatures and non-repudiation - disadvantages: encryption is very slow, the ciphertext becomes longer (almost twice the source text); - mainstream protocols: RSA (digital signature and digital certificates mainstream protocol), DH (IPSec protocol mainly produce key resources), ECC (elliptic curve algorithm) - encryption solution is not simply using symmetric encryption
sentence summary: the private key is in the hands of individuals, public it shared use, from the user's point of view it is very good to see the use of the distinction, symmetric encryption: encryption and decryption are using the same secret key, asymmetric encryption: encryption and Using a different secret keys, public or private as for use to encrypt / decrypt the specific needs do see.
IPSec has two encapsulation protocol: - the ESP (encapsulating security load, Encapsulation Security Payload) - AH (authentication header source, Authentication Header)
ESP is IP protocol number 50 • provide encryption for data origin authentication and integrity protection, can withstand anti-replay attacks (repeatedly send the same packet, the destination host resource consumption) • IP protection can only load data, not the original IP head protection • ESP can do anything to ESP ESP trailer for the head of all the data HMAC authentication
AH, IP protocol number 51 • can only provide the integrity and data origin authentication for security services, can withstand replay attack is rarely used alone can not provide privacy service • • The actual deployment of IPSec VPN AH (originally designed for IPv6 in use)
SHA1 is designed by NISTNSA to use with the DSA, its length is less than the input 264, generates a hash value length 160bit therefore anti exhaustive (brute-force) better, based on the SHA1 and MD5, MD5 and based on MD4.
HMACSHA1 and SHA1 always thought there is no difference, until now that Talia is not exactly the same. HMAC Baidu Encyclopedia explained: “HMAC是密钥相关的哈希运算消息认证码(Hash-basedMessageAuthenticationCode),HMAC运算利用哈希算法,以一个密钥和一个消息为输入,生成一个消息摘要作为输出。”As can be seen, HMAC need a key. So, HMACSHA1 also need a key, and SHA1 is not required, there is no longer algorithm depth study
With a pre-shared key is to verify the identity information to verify identity information in two ways, pre-shared keys and digital certificates for IKE first stage, the legality of peer authentication, and encryption algorithm is different from, encryption algorithm to encrypt the data, which are two different things, it had previously been in confusion.
Conventional tunnel mode is used, the point encryption tunnel mode is not equal to point communication, the encryption between network points need to get through, so the outer mostly corporate LAN network edge device to turn tight IPSEC VPN, IPSec VPN for encrypting data key, the default is 1 hour (3600 seconds) is necessary • updated once the next update key used, is the key used by the current hour, through a series of algorithms derived from this key update method is called perfect confidentiality forward PFS (Perfect forward Security) - Cisco IPSec VPN, once enabled, PFS, then each update with a new DH exchange to generate an encryption key for the next hour
IKE: perform particular tasks encryption algorithms pre-negotiated IPSec VPN, a hash function, and protocol encapsulation mode, and so protocol Keylife
IKE two stages: - The primary purpose of the first phase of negotiations: the parties to establish the IPSec authentication to ensure that only legitimate peer (peer) to establish IPSec VPN; the main purpose of the second phase of negotiation: encryption required the actual flow rate (interest flow), to negotiate policies to protect these flows
Traffic of interest: Arrival IPSec VPN devices, you need to be doing traffic encryption and decryption of communications • If the traffic flow is not classified as interest, the data is encrypted and forwarded to the department to do Internet
