Encryption Technology Overview

When prominent Internet sites, such as http://www.cnn.com, are exposed to security threats, the news reaches all parts of the globe. Ensuring that data crossing any IP network is secure and not vulnerable to threats is one of today's most challenging tasks in the IP storage arena (so much so that Cisco released an entirely new CCIE for the storage networking certification track).

Major problems for network administrators include the following:

■ Packet snooping (eavesdropping)—When intruders capture and decode traffic, obtaining usernames, passwords, and sensitive data such as salary increases for the year.

■ Theft of data—When intruders use sniffers, for example, to capture data over the network and steal that information for later use.

■ Impersonation—When an intruder assumes the role of a legitimate device but, in fact, is not legitimate. The intruder efficiently assumes the role of an authorized user.

The solution to these and numerous other problems is to provide encryption technology to the IP community and enable network administrators to ensure that data is not vulnerable to any form of attack or intrusion. This ensures that data is confidential, authenticated, and has not lost any integrity during the routing of packets through an IP network.

Encryption (user data that is encrypted will require decryption also) is defined as the process by which plain data is converted into ciphered data (a system in which plain-text data is arbitrarily substituted according to a predefined algorithm known as cipertext) so that only the intended recipient(s) can observe the data. Encryption ensures data privacy, integrity, and authentication.

Figure 4-4 displays the basic methodologies behind data encryption.

Figure 4-4 Encryption Methodologies

Data, for example 123...

Data is encrypted and only readable if decrypted by the correct key.

Data, for example 123...

Encrypted data is decrypted using the key.

Data is encrypted and only readable if decrypted by the correct key.

Figure 4-4 demonstrates the basic principles of data encryption, including the following: 1. User data is forwarded over the network.

2. Data (clear text) is modified according to a key. The key is a sequence of digits that decrypts and encrypts messages. Each device has three keys:

■ A private key used to sign messages that is kept secret and never shared.

■ A public key that is shared (used by others to verify a signature).

■ A shared secret key that is used to encrypt data using a symmetric encryption algorithm, such as DES. Typically, however, a device has two keys, a symmetric key and an asymmetric key. The symmetric key is a shared secret that is used to both encrypt and decrypt the data. The asymmetric key is broken into two parts, a private key and a public key.

3. A mathematical formula is applied to scramble the data. In Figure 4-4, the mathematical formula is applied during Step 2.

4. The data flows throughout the network and can be decrypted only if the correct key and algorithm are applied.

Encryption can take place at the application layer, the network layer, or the data link layer. Be aware of the following encryption technologies for the CCIE Security written exam:

■ Data Encryption Standard (DES)

■ Advanced Encryption Standard (AES)

Cisco IOS routers support the following industry standards to accomplish network layer encryption:

DES/3DES

AES

MD5

Diffie-Hellman exchange

IPSec

0 0

Post a comment