VPNs can use both symmetric and asymmetric forms of cryptography. Symmetric cryptography uses the same key for both encryption and decryption, while asymmetric cryptography uses separate keys for encryption and decryption, or to digitally sign and verify a signature. Symmetric cryptography is generally more efficient and requires less processing power than asymmetric cryptography, which is why it is typically used to encrypt the bulk of the data being sent over a VPN. One problem with symmetric cryptography is with the key exchange process; keys must be exchanged out-of-band to ensure confidentiality.9 Common algorithms that implement symmetric cryptography include Digital Encryption Standard (DES), Triple DES (3DES), Advanced Encryption Standard (AES), Blowfish, RC4, International Data Encryption Algorithm (IDEA), and the hash message authentication code (HMAC) versions of Message Digest 5 (MD5) and Secure Hash Algorithm (SHA-1).10
Asymmetric cryptography (also known as public key cryptography) uses two separate keys to exchange data. One key is used to encrypt or digitally sign the data, and the other key is used to decrypt the data or verify the digital signature. These keys are often referred to as public/private key combinations. If an individuals public key (which can be shared with others) is used to encrypt data, then only that same individuals private key (which is known only to the individual) can be used to decrypt the data. If an individuals private key is used to digitally sign data, then only that same individuals public key can be used to verify the digital signature. Common algorithms that implement asymmetric cryptography include RSA, Digital Signature Algorithm (DSA), and Elliptic Curve DSA (ECDSA).11
Although there are numerous ways in which IPsec can be implemented, most implementations use both symmetric and asymmetric cryptography. Asymmetric cryptography is used to authenticate the identities of both parties, while symmetric encryption is used for protecting the actual data because of its relative efficiency.
Asymmetric cryptography (also known as public key cryptography) uses two separate keys to exchange data. One key is used to encrypt or digitally sign the data, and the other key is used to decrypt the data or verify the digital signature. These keys are often referred to as public/private key combinations. If an individuals public key (which can be shared with others) is used to encrypt data, then only that same individuals private key (which is known only to the individual) can be used to decrypt the data. If an individuals private key is used to digitally sign data, then only that same individuals public key can be used to verify the digital signature. Common algorithms that implement asymmetric cryptography include RSA, Digital Signature Algorithm (DSA), and Elliptic Curve DSA (ECDSA).11
Although there are numerous ways in which IPsec can be implemented, most implementations use both symmetric and asymmetric cryptography. Asymmetric cryptography is used to authenticate the identities of both parties, while symmetric encryption is used for protecting the actual data because of its relative efficiency.