VPN Encryption and Security Protocols
Whenever you are planning and then deploying a VPN solution, you often need to select the VPN encryption and security protocols used in the process.
The encryption and security protocol will vary from vendor to vendor, so Airtel will require one type of encryption and security protocol while 9Mobile will require a different one.
There are 2 major categories of cryptography:
- symmetric cryptography
- asymmetric cryptography
Symmetric cryptography happens when the same key is used to encrypt and decrypt traffic, hence symmetry.
In a manual configuration, the same key is set up the same way at the two VPN endpoints, although, as we'll see a little later on, the symmetric key can also be derived from asymmetric public and private key pairs.
In a manual configuration, a passphrase is typically what gets configured, serving as the seed for the symmetric key, and the same passphrase has to be configured on both ends of the VPN.
But that's only with a manual configuration. Generally speaking, the sole use of symmetric keys is not considered as secure as using asymmetric keys with public and private key pairs.
As we'll see, often both asymmetric and symmetric keys are used together to provide a secure solution.
Asymmetric cryptography means that different keys are used for encryption than are used for decryption, although they are mathematically related.
This is done through public key infrastructure, PKI, which is a hierarchy of digital security certificates; each certificate, among other things, is tied to a mathematically related public and private key pair that is unique to that certificate.
This means the public key is used to encrypt traffic and the private key is used to decrypt it. As the names imply, the public key can be shared freely with anybody, but the private key has to be kept secret and used only by the party to which the certificate was issued.
So in this configuration with a VPN, we would have a PKI certificate configured on each VPN device, and certainly that's the case when we talk about site-to-site VPN configurations.
Depending on the solution, a client-to-site VPN may or may not require a PKI certificate to be installed on the client side. If we do use PKI certificates, it is important that all devices trust the certificate issuer.
There are 2 phases when establishing a site-to-site connection:
- IKE, which stands for Internet Key Exchange, is also referred to as phase 1 of a VPN connection.
- IPsec, or IP Security, isn't the only way to secure a VPN tunnel, but it is commonly used, for instance with L2TP (Layer 2 Tunneling Protocol) VPNs; this is also referred to as phase 2 of a VPN connection.
The purpose of IKE is to establish a security association, or SA, between the two communicating parties. To do that, the same symmetric key has to be generated on both ends of the connection without actually sending it over the network.
This is often done using the Diffie-Hellman protocol, but there are other ways it can be done as well. The idea is that the symmetric key is built from the public and private key pairs on both ends, so it is a derivative of them. That means using Internet Key Exchange with IPsec uses a PKI certificate, and we end up with a unique symmetric session key. This is interesting because it is a great example of using both symmetric and asymmetric cryptography together at the same time to provide a secure solution.
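The following is an added example, not code from the original article or from any VPN vendor, illustrating both the symmetric/asymmetric distinction described earlier and the IKE idea just described: each endpoint keeps a private exponent, publishes only its public value, and both sides arrive at the same symmetric session key without that key ever crossing the network. It uses only the Python standard library. The 64-bit safe prime it generates is a constructed toy group so the example runs quickly; real IKE uses the much larger MODP groups of RFC 3526. The class and function names (`DhPeer`, `derive_sa_keys`, `run_exchange`, `protect_packet`) and the HKDF-style key derivation labels are assumptions for this example, not IKE's actual message format or key derivation.

```python
"""Added example: Diffie-Hellman key agreement producing IPsec-style SA keys.
Standard library only. The 64-bit group is a constructed toy; real IKE uses
RFC 3526 MODP groups of 2048 bits or more."""
import hashlib
import hmac
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_safe_prime(bits: int = 64) -> int:
    """Find p = 2q + 1 with both p and q prime (a 'safe prime'); toy-sized here."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


class DhPeer:
    """One VPN endpoint: keeps a private exponent, publishes only g^x mod p."""

    def __init__(self, p: int, g: int, name: str):
        self.p, self.g, self.name = p, g, name
        while True:
            self.private = secrets.randbelow(p - 2) + 1   # never leaves this side
            self.public = pow(g, self.private, p)          # sent over the network
            if 1 < self.public < p - 1:                    # skip degenerate values
                break

    def shared_secret(self, peer_public: int) -> int:
        """Reject trivial peer values (0, 1, p-1) before exponentiating."""
        if not 1 < peer_public < self.p - 1:
            raise ValueError("invalid peer public value")
        return pow(peer_public, self.private, self.p)


def derive_sa_keys(shared: int, nonce_i: bytes, nonce_r: bytes) -> dict:
    """HKDF-style extract-then-expand (HMAC-SHA256) turning the DH secret into
    separate encryption and integrity keys, like IPsec SA keying material."""
    ikm = shared.to_bytes((shared.bit_length() + 7) // 8, "big")
    prk = hmac.new(nonce_i + nonce_r, ikm, hashlib.sha256).digest()
    enc = hmac.new(prk, b"esp-encryption" + b"\x01", hashlib.sha256).digest()
    integ = hmac.new(prk, enc + b"esp-integrity" + b"\x02", hashlib.sha256).digest()
    return {"enc": enc, "integ": integ}


def run_exchange(p: int, g: int):
    """Run the exchange between two endpoints. Returns both sides' key sets,
    every value that crossed the network, and the raw shared secret (for the
    check that it never appeared on the wire)."""
    initiator, responder = DhPeer(p, g, "site-A"), DhPeer(p, g, "site-B")
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    on_the_wire = [initiator.public, responder.public, nonce_i, nonce_r]
    secret_a = initiator.shared_secret(responder.public)
    secret_b = responder.shared_secret(initiator.public)
    keys_a = derive_sa_keys(secret_a, nonce_i, nonce_r)
    keys_b = derive_sa_keys(secret_b, nonce_i, nonce_r)
    return keys_a, keys_b, on_the_wire, secret_a


def protect_packet(integ_key: bytes, payload: bytes) -> bytes:
    """Integrity-protect a packet with the SA integrity key (ESP-style ICV)."""
    return hmac.new(integ_key, payload, hashlib.sha256).digest()


def verify_packet(integ_key: bytes, payload: bytes, icv: bytes) -> bool:
    """Constant-time check of the ICV on the receiving side."""
    return hmac.compare_digest(protect_packet(integ_key, payload), icv)


if __name__ == "__main__":
    p = make_safe_prime(64)
    keys_a, keys_b, wire, secret = run_exchange(p, 2)
    payload = b"constructed ESP payload"            # constructed sample packet
    icv = protect_packet(keys_a["integ"], payload)
    print("same session keys on both ends:", keys_a == keys_b)
    print("shared secret ever sent on the wire:", secret in wire)
    print("packet accepted by the other side:", verify_packet(keys_b["integ"], payload, icv))
```

What the exchange alone does not give you is authentication: nothing here proves that the public value you received came from the other site rather than from someone in the middle, which is exactly why the article ties IKE to PKI certificates. In a real deployment the public values are signed (with the endpoint's certificate key) or otherwise authenticated, and the derived keys are the symmetric material the IPsec SA then uses.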