VPNs and cryptography

Virtual Private Network (VPN)

A VPN is a method of creating a local network between two devices which are not local to each other.  For instance we might have a device in Auckland and a device in London, with a VPN, we can configure a connection so it’s as if they are on the same LAN.  VPNs came around because the cost of a dedicated line between sites is much higher than implementing a VPN over the Internet. 

Types of VPN

•    IPsec – typically used for site-to-site connections, but can be used for remote-access as well, it implements security at layer 3
•    SSL – security at layer 4, typically used for remote-access VPNs
•    MPLS – provided by a service provider to connect multiple sites that a company as.  No encryption by default but IPsec can be added on top

Benefits of a VPN

The benefits of a VPN hark back to the beginning of this blog where we talked about the key ingredients for data security:
•    Confidentiality
•    Integrity
•    Authentication

Cryptography basics

A cipher is an algorithm that basically lays out how to change a piece of data which we want to keep secret, into an unintelligible piece of data, and then return that data back to what we want, when we want it.

Substitution – Substituting one character for another. 
Polyalphabetic – Using multiple alphabets and switching between them to introduce more complexity
Transposition – Use many different options including the rearrangement of letters.

A key is instructions for how to reassemble the characters back into the correct data. 

A block cipher is a symmetric key that operates on chunks of data called blocks.  Many of the well-known encryption algorithms are symmetric block ciphers.

A stream cipher is also a symmetric key cipher where it is encrypted one bit at a time.

We’ve just briefly mentioned the concept of symmetric and asymmetric keys here, so let’s explore what we mean when we talk about those.

A symmetric algorithm means that exactly the same key is used to encrypt and decrypt the data.  Obviously this means that keeping the key secret is of the utmost importance, because anyone with the key can decrypt it.  This process is used for most of the data we encrypt today simply because it uses much less overhead than asymmetric encryption. 

An asymmetric algorithm is the opposite of this.  When we encrypt the data with one key, we need a different key to decrypt it.  Once it’s encrypted, it’s impossible to decrypt with that same key.  When we implement this, we use the concept of public and private keys.  If someone wants to send us some data, we will give them our public key and they will encrypt the data using this key.  Then when we receive the data, it can only be decrypted with our private key which we have kept secret.

Continuing with our key terms to understand is the concept of hashing.  This is a method used to verify data integrity.  What happens is that we use a process to create a small size value which is associated with that data.  It is only possible to generate that value if the data is exactly the same, so when a hash is set along with the data, we can calculate the hash ourselves, and if they match then we can be confident that the data has not been modified.  The most common algorithms in place are MD5, SHA-1 and SHA-2.  However this does not stop a malicious person manipulating both the data and the hash.

We can use the Hashed Message Authentication Code (HMAC) to calculate the hash and use a secret key to ensure it cannot be modified by unknown people.  This makes it impossible to recalculate a hash without the receiver knowing.

Digital Signatures use a combination of all of these methods to verify that something comes from exactly who it says it comes from.  The process follows like this:  We create a hash of the packet which we are transmitting, and then we encrypt that hash with our private key.  This encrypted hash is called a digital signature and is sent along with the data.  The receiver can then decrypt the hash using our public key and compare it to the hash which they generate themselves.  If the two hashes match then the receiver can be sure that both the data is untouched and that it comes from the correct person.

IPsec

We’ll go into IPsec in more detail later but here are some key things to know:

•    ESP and AH – these are the two protocols we can use to implement IPsec.  ESP is much more frequently used than AH.
•    Encryption algorithms – DES, 3DES, AES
•    Hashing algorithms – MD5, SHA
•    Authentication algorithms – Pre-shared keys, RSA digital signatures
•    Key management – Diffie-Hellman (DH) ca be used to dynamically generate symmetrical keys.  Internet Key Exchange (IKE) does most of the key negotiation.

SSL

Secure Sockets Layer is the protocol we use when we connect to a web server over https instead of http.  When we connect to https, the browser requests that the server identifies itself using its digital certificate.  The browser verifies the certificate using the digital signature attached.