8.3 Encryption

Encryption is the process of using a mathematical algorithm to encode cleartext data in such a way that only the system with the correct key can decode it. The data is encoded by the sender, transmitted over unsecured links, and decoded by the receiver.

Encryption can occur in one of three places in the Open System Interconnection (OSI) layered model: between the physical and data-link layers, which occurs in specialized hardware to encrypt data in links; between the network and transport layers, which is routable; and at the application layers (Layers 5 to 7), which occurs between end hosts.

Cisco implements network layer encryption through Cisco Encryption Technology (CET), which provides for the encryption of IP packets. CET uses Digital Signature Standard (DSS), which is a public/private key system to verify the identity of another party and also to prove a user's own identity when communicating through electronic means; Diffie-Hellman, which is used for key exchange; and Digital Encryption Standard (DES), which is used to encrypt and decrypt data.

8.3.1 Public/Private Key Encryption

Public and private keys use asymmetrical algorithms to encrypt and decrypt data. These algorithms are called asymmetrical because different algorithms are used for encryption and decryption. You cannot transmit the decryption key across network because it could be intercepted and used to decrypt the message, but you can transmit the encryption key because it cannot be used to decrypt the message. Thus, to a message securely, the sender asks the recipient for its encryption key. The sender then uses recipient's the encryption key to encrypt the message, and sends it to the recipient. The encrypted message is indecipherable without the decryption key, so this transfer is safe. Finally, the recipient uses the decryption key to decode the message. The decryption key does not leave the recipient's possession, so it remains secure throughout the process. Because the encryption key is transmitted, it is referred to as the public key, while the decryption key, which is never transmitted, referred to as the private key.

8.3.2 The Diffie-Hellman Algorithm

Diffie-Hellman Key Algorithm provides the means by which two peers can create a shared private key that authenticates data and encrypts an IP datagram. A public and private key is generated by each IPSec peer. The private key is used to sign messages while the public key is used to validate signatures. The public key is a numerical imitation of the private key. The public keys are shared while the private keys never are.

8.3.3 Data Encryption Standard (DES)

Data Encryption Standard (DES) is a U.S. Government standard that is widely used for encryption. It consists of a 56-bit or 40-bit key that is used to encrypt and decrypt messages. When using DES for communication, both the sender and the receiver must know the same secret key, which can encrypt and decrypt the message, or generate and verify a message authentication code.

Triple DES (3DES) does three separate encryption processes (encrypt, decipher and decrypt) on the message, resulting in a 168-bit key (3 x 56-bit) that provides stronger security. Triple DES is supported by Cisco products.