IPSec is a protocol suite that secures communication by authenticating and encrypting each IP packet on a network. Being a protocol suite means that IPSec is made up of other protocols. The protocols used in IPSec are the following:
IPSec developed out of an experimental research protocol called "swIPe" in December of 1993 at Columbia University and AT&T Bell Labs. From this, Wei Xu took over the project and had a working system by the end of December 1995, when he was able to securely connect from the west coast to the east coast.
IPSec can run in two different modes: transport mode and tunnel mode. Each has a different purpose.
Transport mode is the default mode for IPSec, and it is used for end-to-end communications (for example, for communications between a client and a server). When transport mode is used, IPSec encrypts only the IP payload. Transport mode provides the protection of an IP payload through an AH or ESP header.
In tunnel mode, IPSec encrypts the IP header and the payload, whereas transport mode only encrypts the IP payload. Tunnel mode provides the protection of an entire IP packet by treating it as an AH or ESP payload.
As an example, given the OSI model for networking, Transport Mode will encrypt everything from the Transport layer and above. With tunnel mode, everything from the Network layer and above will be encrypted. Transport mode is useful for using IPSec on internal networks.
The Security Association (SA) protocol is used to describe which algorithms will be used in future payloads, for instance which encryption or hashing algorithm to use. In addition, each SA consists of values such as the destination address, a security parameter index (SPI), the IPSec transforms used for that session, security keys, and additional attributes such as the IPSec lifetime. After this has been decided, the machines will then attempt to share keys which will be used for future communication.
An example request may look like:
As mentioned before, once two machines have reached an agreement, they must share keys. This is when the Internet Key Exchange (IKE) protocol is utilized. The IKE protocol uses the Diffie-Hellman Key Exchange algorithm, which is described in detail below.
First a little background on what it means to share a key. There are two methods to accomplish this:
Simply passing a symmetric key is fast, but also insecure, as anyone else along the path of the communication could intercept it. When using public and private keys (asymmetric), the transfer is very secure but also slower to compute. The general solution to this is to combine the two so that you get the best of both worlds.
Diffie-Hellman is a method to transfer cryptographic keys. It was first published in 1976 by Whitfield Diffie and Martin Hellman, although it was technically invented a few years prior. It has yet to be cracked.
Example
A demonstration in JavaScript can be seen here
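The exchange described above, written out for both sides as an added Python example (it is not the demonstration this page links to and not the author's code). The group parameters `P` and `G`, the function names and the SHA-256 step standing in for IKE's own key derivation are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy group (assumption, illustration only): 2**127 - 1 is a known Mersenne
# prime but far too small for real use. IKE negotiates standardized groups,
# for example the 2048-bit MODP group defined in RFC 3526.
P = 2**127 - 1
G = 3


def keypair():
    """Return (private, public) with public = G^private mod P."""
    private = secrets.randbelow(P - 3) + 2   # 2 <= private <= P - 2
    return private, pow(G, private, P)


def validate_public(value):
    """Reject degenerate peer values such as 0, 1 and P - 1."""
    if not 1 < value < P - 1:
        raise ValueError("invalid Diffie-Hellman public value")
    return value


def shared_key(own_private, peer_public):
    """Derive a 256-bit symmetric key from the shared secret.

    Hashing with SHA-256 is a stand-in for IKE's key derivation.
    """
    secret = pow(validate_public(peer_public), own_private, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def exchange():
    """Run both sides; only the two public values cross the network."""
    a_priv, a_pub = keypair()   # initiator
    b_priv, b_pub = keypair()   # responder
    wire = {"initiator -> responder": a_pub, "responder -> initiator": b_pub}
    return shared_key(a_priv, b_pub), shared_key(b_priv, a_pub), wire


if __name__ == "__main__":
    key_a, key_b, wire = exchange()
    for direction, value in wire.items():
        print(f"{direction}: {value:#x}")
    print("both sides derived the same key:", key_a == key_b)
```

Diffie-Hellman on its own does not prove who sent a public value, which is why IKE authenticates the peers as part of the exchange.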
The Authentication Header (AH) is used to authenticate but not to encrypt communication over a VPN. Authentication of data is essential to security because it ensures that data has not been tampered with, and that you are actually communicating with who you think you are.
Authentication is performed by utilizing hash functions. A few popular options are shown below
The AH consists of 5 different fields:
The Encapsulating Security Payload (ESP) can not only authenticate data but encrypt it as well. Unlike the Authentication Header, which precedes the data, the ESP encapsulates the entire payload. Some popular encryption algorithms for use with ESP include: DES, Triple DES, AES, and Blowfish. These are discussed in detail below.
In order to ensure that the data being sent over the VPN has not been tampered with or corrupted in some way, hashing is used as part of the IPSec protocol. Several popular options for this are SHA-1 and MD5.
Secure Hash Algorithm 1 (SHA-1) is a cryptographic hash function designed by the NSA in 1995. There are actually four different SHA algorithms (SHA-0 - SHA-3); however, SHA-1 is currently the most widely used of them all.
SHA-1 will produce a 160-bit message digest, and the principles behind the algorithm are actually based on what is used in MD4 and MD5.
The Message-Digest Algorithm (MD5) is a cryptographic hash function which produces a 128 bit message digest. While still widely used, several flaws have been discovered which have pushed people in the direction of using other hash algorithms such as SHA-1.
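How the hash functions above are used for the integrity check in the Authentication Header, as an added Python example that is not code from this page. It is simplified: the keyed hash (HMAC, truncated to 96 bits) covers only the AH header and the payload, whereas real AH also covers the unchanging fields of the IP header; the key, SPI and payload are constructed sample values and the function names are assumptions.

```python
import hmac
import struct

ICV_LEN = 12                         # digest truncated to 96 bits
AH_FIXED = struct.Struct("!BBHII")   # next header, length, reserved, SPI, sequence


def icv(key, fixed, payload, digest="sha1"):
    """HMAC over the AH header (ICV field zeroed) plus the payload, truncated."""
    data = fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, data, digest).digest()[:ICV_LEN]


def ah_protect(key, spi, seq, next_header, payload, digest="sha1"):
    """Return AH header + payload; the payload itself stays in cleartext."""
    words = (AH_FIXED.size + ICV_LEN) // 4       # AH length in 32-bit words
    fixed = AH_FIXED.pack(next_header, words - 2, 0, spi, seq)
    return fixed + icv(key, fixed, payload, digest) + payload


def ah_verify(key, packet, digest="sha1"):
    """Return the payload if the ICV matches, otherwise raise ValueError."""
    body = AH_FIXED.size + ICV_LEN
    if len(packet) < body:
        raise ValueError("truncated AH packet")
    fixed, received, payload = packet[:AH_FIXED.size], packet[AH_FIXED.size:body], packet[body:]
    if not hmac.compare_digest(received, icv(key, fixed, payload, digest)):
        raise ValueError("ICV mismatch: packet modified or wrong key")
    return payload


# Constructed sample values, not taken from a real capture.
KEY = bytes(range(20))
PAYLOAD = b"GET / HTTP/1.1\r\n"
PACKET = ah_protect(KEY, spi=0x1000, seq=1, next_header=6, payload=PAYLOAD)

if __name__ == "__main__":
    print("payload readable on the wire:", PAYLOAD in PACKET)
    tampered = PACKET[:-1] + b"\r"               # change one payload byte
    try:
        ah_verify(KEY, tampered)
    except ValueError as err:
        print("tampered packet rejected:", err)
    print("verified payload:", ah_verify(KEY, PACKET))
```

Passing `digest="md5"` selects the other hash the page names; the payload is visible in `PACKET` either way, because AH authenticates without encrypting.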
Data Encryption Standard (DES) is a previously dominant encryption method which was developed in the early 1970s. It was based on a design by Horst Feistel. Its popularity has been reduced due to the 56-bit key being too small. As an attempt to illustrate this, distributed.net and the Electronic Frontier Foundation came together in 1999 and were able to break the key in 22 hours.
3DES leverages the original DES algorithm, but actually uses it three times using three different keys. This results in a 168-bit key. For a detailed analysis of 3DES, please refer to my other classmate's research entirely on the subject here
Advanced Encryption Standard (AES) is a symmetric key encryption algorithm developed in 1998 which was invented by Joan Daemen and Vincent Rijmen. It is widely used and can encrypt with 128-, 192-, or 256-bit key sizes.
An interactive example of AES encryption can be seen here
Blowfish is a symmetric key encryption algorithm designed by Bruce Schneier in 1993. It is able to encrypt with key sizes between 32 and 448 bits.
An example implementation I wrote can be found here