IPSec IPSec VPN Concepts
key is not safe or compromised. Before we take look into IPSec's key exchange, a basic concept of encryption and
authentication is introduced first.
Encryption
Encryption mathematically transforms data to meaningless random numbers. The original data is called plaintext and
the encrypted data is called ciphertext. The opposite process, called decryption, performs the inverse operation to
recover the original plaintext from the ciphertext. The process by which the plaintext is transformed to ciphertext and
back again is called an algorithm. All algorithms use a small piece of information, a key, in the arithmetic process of
converted plaintext to ciphertext, or vice-versa. IPSec uses symmetrical algorithms, which the same key is used for
both encrypt and decrypt the data. The length of the key is one of the factors determining the security of an encryption
algorithm. FortiWAN IPsec VPNs offer the following encryption algorithms, in descending order of security:
AES256 A 128-bit block algorithm that uses a 256-bit key.
AES192 A 128-bit block algorithm that uses a 192-bit key.
AES128 A 128-bit block algorithm that uses a 128-bit key.
3DES Triple-DES, in which plain text is DES-encrypted three times by three keys.
DES Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
Authentication
In Information Security (or Cryptography), Authentication is the process of determining whether someone or
something is, in fact, who or what it is declared to be. In authentication, one has to prove its identity to the remote one,
and the identity will be verified by the remote one. A typical providing proof can be a certificate or username and
password. In cryptography, a message authentication code (MAC) is a short piece of information used to authenticate
a message—in other words, to provide integrity and authenticity assurances on the message. Integrity assurances
detect accidental and intentional message changes, while authenticity assurances affirm the message's origin. A MAC
algorithm, sometimes called a keyed (cryptographic) hash function (however, cryptographic hash function is only one
of the possible ways to generate MACs), accepts as input a secret key and an arbitrary-length message to be
authenticated, and outputs a MAC (sometimes known as a tag). The MAC value protects both a message's data
integrity as well as its authenticity, by allowing verifiers (who also possess the secret key) to detect any changes to the
message content. As with any MAC, it may be used to simultaneously verify both the data integrity and the
authentication of a message. FortiWAN IPsec VPNs offer the following MAC algorithms, in descending order of
security:
hmac-sha512 A SHA512-based MAC algorithm with 512-bit hash output.
hmac-sha384 A SHA384-based MAC algorithm with 384-bit hash output.
hmac-sha256 A SHA256-based MAC algorithm with 256-bit hash output.
hmac-sha1 A SHA1-based MAC algorithm with 160-bit hash output.
hmac-md5 A MD5-based MAC algorithm with 128-bit hash output.
174 FortiWAN Handbook
Fortinet Technologies Inc.
To Next Page
Loading...
