James P. Hughes
Network Systems Corporation
The technology to create interoperable secure encrypted tunnels over the Internet now exists. Secure intranets over the Internet are an intriguing, cost-saving alternative to high-cost leased lines or frame relay services, and at the same time they increase the security of that traffic.
An intranet is a private network inside a corporation using the Internet as the underlying medium. This concept is not new, but it is just now becoming possible. The enablers for this technology have been the commercialization of the Internet backbone, the proliferation of the World Wide Web (WWW), and Internet Protocol (IP) security. Now that every company needs a WWW connection to the Internet, it is logical to share that connection with other office-to-office traffic, especially when that network is significantly cheaper than leased lines or even frame relay services.
IP security is another enabler for the intranet. The Internet is a scary free-for-all that allows any-to-any connectivity. If you are building a network specialized to carry private company information, the last thing you want is any-to-any connectivity where the "any" can be your competitors. In addition to keeping the competitors out, you also need to make sure that the company's proprietary data are indeed unreadable to your competition while they are being transferred over the Internet.
The IP security standards suite uses encryption technology. Encryption is more than just the scrambling of bits so that the data cannot be seen. Encryption technology, as envisioned by the IPsec working group, includes the capability to create private transmissions, to provide authentication of parties to a conversation, and to provide data integrity so that you know that the traffic was from the original sender and was not modified in transit by an attacker. These mathematical transformations can be implemented at several places in an IP network and can be used to protect data from host to host, site to site, or any other combination.
Creating secure tunnels is one issue, but another issue is: how do two parties agree on secrets (session keys) even if there are eavesdroppers listening in? The IPsec Oakley key management protocol provides the ability to privately negotiate a key while also ensuring that the key was indeed negotiated with the intended party. The authentication of the initial source and the creation of (two-party) shared secret keys are the prime motivation.
When to negotiate a key is another issue. The ISAKMP protocol allows keys and traffic parameters to be negotiated before they are needed.
Finally, a way to reliably and undeniably know that an endpoint you may never have heard of is who it says it is, even in the event that keys are stolen, compromised, or simply revoked, is part of yet another protocol defined by the DNSsec working group. DNSsec can send the authenticated credentials needed to validate that endpoints are who they say they are.
These mathematical transformations can be implemented at several places in IP networks with or without firewalls.
Packet formats for IPsec compatible encapsulations will be shown, as well as future challenges such as public key certificates.
Encryption is a set of mathematical transformations. It is a tool. This tool can be used to create several important capabilities when applied to the protection of private data on public networks.
Technically, integrity, key exchange, and authentication are not encryption per se; they do, however, rely on the same one-way (irreversibility) properties that make encryption possible.
Privacy is the ability to keep data private on networks where others may be listening. This is where the common "symmetric ciphers" such as DES, 3DES (pronounced triple-DES), CDMF (40 bit DES), IDEA, RC4, and others are used. There are many ciphers that can be used. The IPsec standard mandates DES as a conservative baseline. DES is a well-understood and royalty-free algorithm, and has successfully withstood 20 years of public scrutiny.
Integrity is the method of ensuring that the data has not been modified in transit from the source to the destination. Typically, in networks and on computer disks, the protection used to ensure that data is not modified is a cyclic redundancy check (CRC). CRCs are very good at catching random events, but to an attacker they are very predictable and easily reversed. In addition, the sizes of CRCs--16, 32, or 64 bits--are all too small to stop a birthday attack.
The integrity function is usually performed by a hashing function. The two in common use today are MD5 and SHA. Hashing algorithms can also be used to create authenticated (keyed) hashes. These hashes are used both to ensure that the data has not been changed and to ensure that it is from the correct source. IPsec uses both MD5 and a keyed variant of MD5, HMAC.
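The difference between an error-detecting code and a keyed integrity check, as an added example (not code from the paper): a CRC is linear over XOR, so the effect of any change to the data on the check value is computable without any secret, whereas an HMAC-MD5 tag cannot be recomputed or verified without the key. The key and message below are constructed sample values; the function names are this example's own.

```python
import hashlib
import hmac
import zlib

# Constructed sample key and "packet" payload; not from any real capture.
KEY = b"shared-integrity-key-0001"
MESSAGE = b"TRANSFER 00100 TO ACCT 4242"


def crc32_tag(data: bytes) -> int:
    """Plain CRC-32 as used for error detection (no key involved)."""
    return zlib.crc32(data) & 0xFFFFFFFF


def hmac_md5_tag(key: bytes, data: bytes) -> bytes:
    """Keyed HMAC over MD5, the keyed integrity check IPsec builds on MD5."""
    return hmac.new(key, data, hashlib.md5).digest()


def verify_hmac(key: bytes, data: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time so that a verifier
    does not leak how many tag bytes matched through timing."""
    return hmac.compare_digest(hmac_md5_tag(key, data), tag)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc_is_linear(a: bytes, b: bytes) -> bool:
    """CRC-32 is affine over XOR: for equal-length inputs,
    crc(a ^ b) == crc(a) ^ crc(b) ^ crc(all-zero string of that length).
    This is the "predictable and easily reversed" property: the change in
    the check caused by a change in the data depends only on the change,
    never on a secret, so a CRC cannot serve as an integrity check against
    an adversary who can alter the bits."""
    zeros = bytes(len(a))
    return crc32_tag(xor_bytes(a, b)) == crc32_tag(a) ^ crc32_tag(b) ^ crc32_tag(zeros)


def hmac_is_linear(key: bytes, a: bytes, b: bytes) -> bool:
    """The same identity does not hold for a keyed hash (and checking it
    requires the key in the first place)."""
    zeros = bytes(len(a))
    return hmac_md5_tag(key, xor_bytes(a, b)) == xor_bytes(
        xor_bytes(hmac_md5_tag(key, a), hmac_md5_tag(key, b)), hmac_md5_tag(key, zeros)
    )


def filter_authentic(key: bytes, packets):
    """Receiver side: keep only packets whose keyed tag verifies.
    `packets` is an iterable of (payload, tag) pairs."""
    return [data for data, tag in packets if verify_hmac(key, data, tag)]


if __name__ == "__main__":
    tag = hmac_md5_tag(KEY, MESSAGE)
    tampered = MESSAGE.replace(b"00100", b"99100")
    print("CRC linear:", crc_is_linear(MESSAGE, tampered))
    print("HMAC linear:", hmac_is_linear(KEY, MESSAGE, tampered))
    print("kept:", filter_authentic(KEY, [(MESSAGE, tag), (tampered, tag)]))
```

The receiver-side rule is the one in `filter_authentic`: any packet whose keyed tag fails to verify is dropped before it is acted upon, and the comparison uses `hmac.compare_digest` rather than `==`.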
Replay prevention ensures that a given packet is accepted once, and never again. In an IP network, traffic is not guaranteed to arrive in order and is not guaranteed to arrive at all. Replay prevention provides a means of ensuring that data, once received, cannot be recorded and played back later. Replay attacks can be useful to an attacker even if the data is never decrypted.
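A receiver-side replay check in the style of the IPsec anti-replay window, as an added example (not code from the paper or from any IPsec implementation): each packet carries a monotonically increasing sequence number, and the receiver keeps the highest number seen plus a bitmap of the preceding window. Out-of-order packets inside the window are accepted once; duplicates and packets older than the window are dropped. The class name, the 64-packet default, and the sample sequence are this example's own assumptions.

```python
class ReplayWindow:
    """Sliding-window replay detection for one security association.

    top    - highest sequence number accepted so far
    bitmap - bit i set means sequence number (top - i) has been seen;
             bit 0 is `top` itself, so the window covers [top-size+1, top]
    """

    def __init__(self, window_size: int = 64):
        if window_size < 1:
            raise ValueError("window must hold at least one packet")
        self.size = window_size
        self.top = 0
        self.bitmap = 0
        self.mask = (1 << window_size) - 1

    def accept(self, seq: int) -> bool:
        """Return True if `seq` is fresh and record it; False to drop it."""
        if seq <= 0:
            # Sequence numbers start at 1; 0 is never a valid packet.
            return False
        if seq > self.top:
            # Newer than anything seen: slide the window forward.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1          # everything previously seen falls out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                 # older than the window: stale or replayed
        if (self.bitmap >> offset) & 1:
            return False                 # already seen: replay
        self.bitmap |= 1 << offset       # late but first-time arrival
        return True


def replay_filter(seqs, window_size: int = 64):
    """Run a sequence of arriving packet numbers through one window and
    report the accept/drop decision for each."""
    window = ReplayWindow(window_size)
    return [window.accept(s) for s in seqs]


# Constructed arrival order: reordering, two duplicates, a jump past the
# window, a stale packet, and arrivals at the window's far edge.
SAMPLE_ARRIVALS = [1, 2, 3, 5, 4, 4, 3, 70, 2, 200, 138, 137, 136]

if __name__ == "__main__":
    for seq, ok in zip(SAMPLE_ARRIVALS, replay_filter(SAMPLE_ARRIVALS)):
        print(f"seq {seq:4d}: {'accept' if ok else 'drop'}")
```

Note that the window only prevents replay within one key's lifetime; the sequence number must never wrap under the same key, which is one reason a key management protocol that can renegotiate keys before they are exhausted matters.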
How does one create and communicate a secret when there are others listening? There are two basic algorithms that do this: Diffie-Hellman and elliptic curves. The mathematics of Diffie-Hellman is simple and easy to follow.
First, an x is chosen from random bits. The sender then calculates g^x and sends it to the other side. In the meantime the receiver chooses its own y, calculates g^y, and sends it to the other side. The sender then calculates (g^y)^x and the receiver calculates (g^x)^y. In both cases they have calculated g^(xy). (All of these calculations are performed using modular arithmetic.) What makes this elegant is that even if eavesdroppers listen to the conversation and know g, g^x and g^y, then unless they can compute discrete logarithms over the finite field, g^(xy) remains a mystery to them. If the numbers are large enough, the reversal is computationally infeasible.
Another aspect of Diffie-Hellman is that, if fresh random bits are used for each exchange and never reused in any way, the keys generated will be completely unrelated. If one key is cracked, the attacker learns nothing about any other key that has been used or will be used in the future.
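The exchange just described, carried through in code as an added example (not the paper's or any IPsec implementation's own): both sides pick a fresh private exponent, exchange g^x and g^y, and arrive at the same g^(xy), from which a session key is derived with SHA. The modulus is the 1024-bit "Second Oakley Group" prime with generator 2 as published in RFC 2409 (transcribed here; the primality check below lets the reader confirm the transcription). The function names, the SHA-1 key derivation, and the subgroup check on received values are this example's own choices.

```python
import hashlib
import secrets

# RFC 2409 "Second Oakley Group" (MODP group 2): a 1024-bit safe prime, generator 2.
P = int(
    """
    FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
    29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
    EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
    E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
    EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381
    FFFFFFFF FFFFFFFF
    """.split().__str__().replace("'", "").replace(", ", "").strip("[]"),
    16,
)
G = 2
Q = (P - 1) // 2  # order of the subgroup generated by 2 (P is a safe prime)


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test, used here only to let the reader verify P and Q."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_private() -> int:
    """A fresh private exponent from random bits; never reused across exchanges."""
    return secrets.randbelow(P - 2) + 1          # uniform in [1, P-2]


def public_value(private: int) -> int:
    """g^x mod p: the value that is sent in the clear."""
    return pow(G, private, P)


def shared_secret(peer_public: int, private: int) -> int:
    """(g^y)^x mod p. Received values outside the group are rejected so a
    tampered or degenerate value (0, 1, p-1) cannot force a predictable key."""
    if not 1 < peer_public < P - 1:
        raise ValueError("peer value outside the valid range")
    if pow(peer_public, Q, P) != 1:
        raise ValueError("peer value not in the prime-order subgroup")
    return pow(peer_public, private, P)


def derive_key(shared: int) -> bytes:
    """Turn the agreed group element into a fixed-size session key with SHA-1."""
    return hashlib.sha1(shared.to_bytes((P.bit_length() + 7) // 8, "big")).digest()


def run_exchange():
    """Simulate both sides of one exchange; returns (sender_key, receiver_key)."""
    x = generate_private()                       # sender's secret
    y = generate_private()                       # receiver's secret
    gx = public_value(x)                         # sender -> receiver, seen by eavesdroppers
    gy = public_value(y)                         # receiver -> sender, seen by eavesdroppers
    sender_key = derive_key(shared_secret(gy, x))    # (g^y)^x
    receiver_key = derive_key(shared_secret(gx, y))  # (g^x)^y
    return sender_key, receiver_key


if __name__ == "__main__":
    k1, k2 = run_exchange()
    print("both sides agree:", k1 == k2)
    print("next exchange gives an unrelated key:", run_exchange()[0] != k1)
```

Each call to `run_exchange` draws new random exponents, which is the property the text describes: the key from one exchange says nothing about the key from the next.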
Authentication is the method of ensuring that the data received is from the expected source. While it is possible to create a key with someone and use it, there is a possibility that the caller is not who they say they are. In that case, the data will be protected while on the network but sent to the wrong destination. To solve this, authentication protocols and algorithms are used. Most privacy systems use RSA to authenticate a party to a conversation. With RSA you can publish your public key; if you keep your private key private, it is theoretically impossible to impersonate you.
These public keys, when combined with a certification authority, provide a means not only of storing and distributing public keys to callers, but also of protecting the integrity of the keys, and they allow the certifying authority to revoke a key so that, if a key is lost, it can be made useless.
IPsec is a family of RFCs that can be used to create secure communications. They cover the data encapsulation, the key exchange algorithm, and the key exchange framework. These RFCs represent the minimum implementation that can be called IPsec.
This is the overall architecture. It defines the framework within which the various encapsulations are specified.
This specifies a secure keyed MD5 operation. It allows the MD5 packet integrity check to be keyed so that the source can authenticate its packets.
This is the actual implementation of the tunnel. This transform provides privacy (DES), integrity, authentication (HMAC), and replay protection.
This is the key management protocol that is going to be used both to exchange keys and to authenticate the parties.
This is the framework under which the key management protocols operate.
There are several other RFCs and many more to come.
Many vendors are working toward these standards, but the current sticking point is the wide deployment of key management and the integration of the key management system with DNSsec or other certificate servers.
This paper has discussed the networking, security, and standards aspects of creating a secure intranet over the Internet. You cannot buy this exact suite of interoperable algorithms and protocols today, but they will become real in the near future.
No one had publicly shown that a key can be derived from a single block of known plaintext and ciphertext, or from a differential cryptanalysis attack using a reasonable amount of known traffic.
A birthday attack requires searching only about 2^(n/2) values (half the bits of an n-bit hash) before there is a good probability that two hashes have the same value. This is discussed in Schneier.