Types of VPN
- IPsec: Layer 3 for site-to-site and remote-access VPN
- SSL: Layer 4 for remote-access VPN (+HTTPS)
- MPLS: When a company has 2 or more sites with logical connectivity using the service providers network.
2 main types of VPN
- Remote access vpn: Connection of a host and a site.
- Site-to-Site vpn: Connection of 2 or more sites.
- Confidentiality (encryption): The payload is cipher (scrambled) so it cannot be eavesdropped.
- Data Integrity (hashing): The attacker cannot inject data into the packets. The payload will be the same at the destination.
- Authentication (check identity): This ensures you that at the beginning of the VPN connection you connects to the right computer.
- Antireplay: The attacker can replay a part of the VPN traffic and this way build a VPN to the victim computer (Authentication fail). This is why a VPN packet has been sent and accounted it cannot be used again.
- Cipher: Also called as algorythm which performs encryption and decryption.
- Block Ciphers (AES, 3DES, DES, Blowfish, IDEA): They are using symmetric key on a group of bits: block. 64-bit block –> 64-bit block of cipher text.
- Stream Ciphers: Also using symmetric key and encrypting 1 bit at a time.
Symmetric and Asymmetric Algorithms
These type of encryption is used in the beginning of the communication. The 2 party agrees which symmetric key they are going to use for the communication and for this talk they use asymmetric encryption.
- DH (Diffie-Hellman) : Used commonly on VPN connections to allow secure transfer of shared secret keys (and helps generate shared secret keys) 768, 1024, 1536 bit … or larger
- RSA: Similar to DH. Mostly used for authentication. 512 to 2048 bits (min 1024 recommended)
Asymmetric keys are very strong but need lots of computing power, that is why we use symmetric keys for transferring data.
Uses the same key to encrypt and decrypt the data. In this case both devices need the key to communicate. Much faster than Asymmetric keys. The usual key length is 40 to 256 bits.
- AES: 128, 192, 256 bit keys
Hashing a block of data will create a small fixed-sized hash value. This is one way function. If you hash the same block of data on another computer you will get the same fixed-sized hash value. This result is called digest.
- MD5: Creates 128-bit digest
- SHA-1: Cretaes 160-bit digest
- SHA-2: Can create digest between 224 and 512 bits.
Pre-shared keys (PSK)
In the beginning of the communication the 2 parties send a hashed password to ensure they are talking to the right device.
Cons: These passwords need to be changed from time to time (local pass..) and in case of a big network its a pain…
Public Key Infrastructure (PKI)
Here the Certificate Authority gives all devices a certificate.
Digital Certificate in action
Two devices that want to establish a VPN connection to each other, and to do so they want to use digital signatures to verify each other to make sure they are talking to the right device.
Bob and Lois have generated public-private key pairs, and they both have been given digital certificates from a common certificate authority (CA) . A CA is a trusted entity that hands out digital certificates.
If you and I were to open a digital certificate, we would find the name of the entity (for example, Bob). We would find Bob’s public key (which Bob gave to the CA when he applied for his digital certificate). There would also be a digital signature of the CA.
Bob takes a packet and generates a hash. Bob then takes this small hash and encrypts it using Bob’s private key. We attach this encrypted hash to the packet and send it to Lois. There is a fancy name for this encrypted hash: a digital signature .Lois when she receives this packet looks at the encrypted hash that was sent and she decrypts it using Bob’s public key. She then sets the decrypted hash off to the side for one moment and she runs the same hash algorithm on the packet she just received. If the hash she just calculated matches the hash she received, she knows two things. She knows the only person who could have encrypted that was Bob with Bob’s private key, and that data integrity on the packet is solid, because if 1 bit had changed the hash would not have matched.
This process is called authentication , using digital signatures, and normally happens in both directions with an IPsec VPN tunnel if the peers are using digital signatures for authentication,referred to as rsa-signatures in the configuration.
Bob and Lois also exchanged digital certificates, which contained each other’s public keys. Bob and Lois do not just trust any certificates, but they do trust certificates that are digitally signed by a CA that they trust. This also implies that to verify digital signatures from the CA, both Bob and Lois would also need the CA’s public key.Most browsers today have the built-in certificates and public keys for the mainstream CAs on the Internet today.
SSL (Secure Sockets Layer)
Mainly used for HTTPS and remote-access-vpn. For IPSec everybody need a client software but it is not necessary for SSL. Even if all had IPSec client software not everyone has a digital cert or PSK.
To use SSL the user connects to an SSL server (webserver with SSL support) by HTTPS. When the browser request the webserver to identify itself it sends a copy of its digital cert (SSL certificate). The browser check the digital signature of the CA. If it trust the cert it will use the webservers public key.
Fundamentals of PKI
Enrolling cert in nutshell
Same example Bob and Lois. Both of them creates a public and private key. The CA creates a Digital Certification using each of their public key, IP address, name plus the CA gives a digital signature on the Digital Cert.
Using the certs:
They exchange the digital certs and each of them checks it with the CA. If the CA digital signature is OK they will use the public key which is in the digital cert.
This contains the public key of the CA server and some more information about it.
An identity certificate is similar to a root certificate, but it describes the client and contains the public key of an individual host (the client)
As a review, most digital certificates contain the following information:
■ Serial number: Assigned by the CA and used to uniquely identify the certificate
■ Subject: The person or entity that is being identified
■ Signature algorithm: The specific algorithm that was used for signing the digital
■ Signature: The digital signature from the certificate authority, which is used by
devices that want to verify the authenticity of the certificate issued by that CA
■ Issuer: The entity or CA that created and issued the digital certificate
■ Valid from: The date the certificate became valid
■ Valid to: The expiration date of the certificate
■ Key usage: The functions for which the public key in the certificate may be used
■ Public key: The public portion of the public and private key pair generated by the
host whose certificate is being looked at
■ Thumbprint algorithm: The hash algorithm used for data integrity
■ Thumbprint: The actual hash
■ Certificate revocation list location: The URL that can be checked to see whether
the serial number of any certificates issued by the CA have been revoked
Authenticating and Enrolling with the CA
- First we need to authenticate the CA and for this we need to get the root certificate (it contains the public key of the CA).
- Second step is creating our own identity certificate. We need to generate a public-private key pair and give the public key to the CA (plus some more info). The CA will generate the identity cert (give their digital signature on it) and send it back. This we can use.