Symantec™ Security Gateways Reference Guide - Sawmill


Understanding VPN tunnels: IPsec standard

Data Encryption Standard (DES)

The Data Encryption Standard (DES) was originally developed in 1974 by IBM, and adopted as a standard in 1977. DES encrypts and decrypts data in 64-bit blocks, using a 64-bit key. However, only 56 bits of the key are actually used: the least significant (right-most) bit of each of the key's 8 bytes is a parity bit that the cipher ignores. This leaves 7 of every 8 bits in use, yielding 56 bits. DES takes a 64-bit block of plaintext as input, runs it through 16 rounds of its round function, and produces a 64-bit block of ciphertext. A 56-bit key space is within reach of an exhaustive search on modern hardware, which is why DES on its own is no longer considered secure.

Triple DES

DES was effective for its time, but it is now easy to break with today's rapidly advancing technology. Most institutions serious about security bypass DES and move on to either Triple DES or AES. Triple DES is, in effect, the DES algorithm applied three times, so it is understandable that encrypting or decrypting with Triple DES takes three times as long as with DES. However, how much security is gained depends on how the implementation is carried out. The Symantec implementation of Triple DES uses three different keys in the EDE construction: it encrypts with the first key, decrypts with the second key, and then encrypts with the third key. As with DES, only 168 bits (3 times 56) of the 192-bit key are actually used for the encryption process; the remaining 24 bits are parity bits. Note that three-key Triple DES resists a meet-in-the-middle attack with an effective strength of about 112 bits rather than 168, and its 64-bit block size limits how much data should be protected under one key; where AES is available on both peers it should be preferred.

Data integrity preference

Encapsulation and encryption are important aspects of VPNs, but one of the most important is ensuring that the data received is the data that was sent. Data integrity checking ensures this. Typically, a checksum or digest is calculated on the sending end over the data being sent. The receiving end then recalculates it with the same algorithm over the received data. If the calculated values at both ends match, the data has not been altered in transit. A bare digest, however, only detects accidental corruption: an attacker who modifies the data can simply recompute the digest. IPsec therefore mixes the security association's authentication key into the calculation (HMAC), so that only a party holding the key can produce a valid integrity check value; the MD5 and SHA1 options select the hash function used inside that keyed construction.

MD5

The MD5 algorithm takes as input a message or datagram of arbitrary length, and produces a 128-bit message digest (fingerprint) of that data. This digest is then recomputed on the receiving end to verify that the data has not changed in transit. The MD5 algorithm was developed by MIT Professor Ronald L. Rivest and is discussed in more detail in RFC 1321. MD5 is no longer collision resistant and should not be selected where SHA1 or, better, a SHA-2 hash is available on both peers.

SHA1

The Secure Hash Algorithm, Version 1.0 (SHA1), is a cryptographic message digest algorithm similar to the MD4 family of hash algorithms produced by MIT Professor Ronald L. Rivest. SHA1 takes a message of less than 2^64 bits in size and creates a 160-bit message digest. SHA1 was also designed to make it difficult to find another message that produces the same digest. SHA1 is slower but considered to be more secure than MD5. Practical collisions have since been demonstrated against SHA1 as well, so prefer a SHA-2 hash where the peer supports it.

Data compression preference

Compression algorithms work by detecting duplicate patterns in data, and then minimizing the representation of the duplicate data. The larger the number of duplicate patterns, the better the compression. For example, if the word "the" appears many times in a long document, the compression algorithm could create a new, compressed file that lists the string once at the beginning, and then includes a pointer back to this string at every other location where "the" would normally appear. The pointer requires less space to store than the original string, so the compressed file is smaller.

Because compression adds some minor overhead, files with no duplicate patterns, or very few, may actually end up larger when compressed than the original. This is also the key reason why compression is performed prior to encrypting data: a good encryption algorithm leaves almost no duplicate data, so compressing ciphertext gains nothing. Be aware, though, that compressing before encrypting can reveal information about the plaintext through the size of the ciphertext when an attacker is able to inject data of their own alongside the secret being protected.
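As an added example (not code from the Symantec guide), the following Python shows the key-parity convention behind the 64-versus-56-bit count in the DES section above, and the encrypt-decrypt-encrypt (EDE) chaining that the Triple DES section describes. The block cipher inside it is a toy XOR-and-rotate stand-in, assumed here only so the EDE wiring can be run end to end; it is not DES and offers no security. All function names are the example's own.

```python
# Added example, not from the Symantec guide. Demonstrates (1) why a 64-bit
# DES key carries only 56 bits of key material and (2) how Triple DES chains
# encrypt / decrypt / encrypt under three keys. The "cipher" below is a toy
# stand-in (assumption: any invertible keyed block function will do to show
# the wiring); it is NOT DES.
from typing import Callable, Tuple

DES_KEY_BYTES = 8
BLOCK_BITS = 64
BLOCK_MASK = (1 << BLOCK_BITS) - 1


def odd_parity_byte(b: int) -> int:
    """Return b with its low bit adjusted so the byte has an odd number of 1s,
    which is how each DES key byte carries its parity bit."""
    top7 = b & 0xFE
    ones = bin(top7).count("1")
    return top7 | (0 if ones % 2 == 1 else 1)


def set_odd_parity(key: bytes) -> bytes:
    """Normalise an 8-byte DES key to odd parity (what a gateway does on load)."""
    if len(key) != DES_KEY_BYTES:
        raise ValueError("DES keys are exactly 8 bytes")
    return bytes(odd_parity_byte(b) for b in key)


def has_odd_parity(key: bytes) -> bool:
    """True if every byte of the key has odd parity."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def effective_key(key: bytes) -> int:
    """Strip the parity bit of each byte: the 56-bit value the key schedule
    actually consumes. Keys that differ only in parity bits are the same key."""
    if len(key) != DES_KEY_BYTES:
        raise ValueError("DES keys are exactly 8 bytes")
    value = 0
    for b in key:
        value = (value << 7) | (b >> 1)
    return value


def key_bits(stored_bytes: int) -> Tuple[int, int]:
    """(stored bits, bits actually used) for a key built from 8-byte DES keys:
    8 bytes -> (64, 56), 24 bytes -> (192, 168)."""
    return stored_bytes * 8, stored_bytes * 7


# --- toy block cipher: stand-in for DES so the EDE wiring can be exercised ---

def _rotl(x: int, r: int) -> int:
    return ((x << r) | (x >> (BLOCK_BITS - r))) & BLOCK_MASK


def _rotr(x: int, r: int) -> int:
    return ((x >> r) | (x << (BLOCK_BITS - r))) & BLOCK_MASK


def toy_encrypt(key56: int, block: int) -> int:
    """XOR the 64-bit block with the 56-bit key, then rotate. Invertible, not secure."""
    return _rotl(block ^ key56, (key56 % 63) + 1)


def toy_decrypt(key56: int, block: int) -> int:
    return _rotr(block, (key56 % 63) + 1) ^ key56


BlockFn = Callable[[int, int], int]


def ede_encrypt(k1: bytes, k2: bytes, k3: bytes, block: int,
                enc: BlockFn = toy_encrypt, dec: BlockFn = toy_decrypt) -> int:
    """Triple-DES style EDE: encrypt under K1, decrypt under K2, encrypt under K3."""
    e1, e2, e3 = (effective_key(k) for k in (k1, k2, k3))
    return enc(e3, dec(e2, enc(e1, block)))


def ede_decrypt(k1: bytes, k2: bytes, k3: bytes, block: int,
                enc: BlockFn = toy_encrypt, dec: BlockFn = toy_decrypt) -> int:
    """Inverse of ede_encrypt: decrypt under K3, encrypt under K2, decrypt under K1."""
    e1, e2, e3 = (effective_key(k) for k in (k1, k2, k3))
    return dec(e1, enc(e2, dec(e3, block)))


if __name__ == "__main__":
    key = set_odd_parity(bytes.fromhex("0123456789abcdef"))
    print("parity-normalised key:", key.hex(), "odd parity:", has_odd_parity(key))
    print("effective 56-bit key: 0x%014x" % effective_key(key))
    print("stored/used bits for 3 keys:", key_bits(3 * DES_KEY_BYTES))
    k1 = set_odd_parity(bytes.fromhex("0011223344556677"))
    k2 = set_odd_parity(bytes.fromhex("8899aabbccddeeff"))
    k3 = set_odd_parity(bytes.fromhex("fedcba9876543210"))
    block = 0x0123456789ABCDEF
    ct = ede_encrypt(k1, k2, k3, block)
    print("EDE round trip ok:", ede_decrypt(k1, k2, k3, ct) == block)
```

Two properties worth noticing when you run it: a key whose bytes differ only in their low bits maps to the same 56-bit value, so an operator who "changes" a key by editing parity bits has changed nothing; and with K1 = K2 = K3 the decrypt step undoes the first encrypt, collapsing EDE to a single-cipher operation, which is the backward-compatibility property that made the EDE ordering attractive.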
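The send, recompute and compare check described under Data integrity preference, MD5 and SHA1, as an added Python example (not the guide's or Symantec's code). It first runs the check with a bare digest and shows an on-path attacker defeating it by recomputing, then with the keyed form that IPsec actually uses; the 96-bit truncation follows HMAC-MD5-96 and HMAC-SHA1-96 (RFC 2403 and RFC 2404). The payload, the shared authentication key and the attacker's edit are constructed for the example.

```python
# Added example, not from the Symantec guide. Sender/receiver integrity check
# with a bare digest versus a keyed ICV. Payload, key and attack are constructed.
import hashlib
import hmac
from typing import Tuple

ICV_BYTES = 12  # HMAC-MD5-96 / HMAC-SHA1-96 keep the leftmost 96 bits of the HMAC


def bare_digest(payload: bytes, algo: str = "sha1") -> bytes:
    """Unkeyed digest: the plain 'checksum or digest' of the description."""
    return hashlib.new(algo, payload).digest()


def keyed_icv(key: bytes, payload: bytes, algo: str = "sha1") -> bytes:
    """Integrity Check Value the IPsec way: HMAC over the payload under the
    security association's authentication key, truncated to 96 bits."""
    return hmac.new(key, payload, algo).digest()[:ICV_BYTES]


def verify_icv(key: bytes, payload: bytes, icv: bytes, algo: str = "sha1") -> bool:
    """Receiver side: recompute and compare in constant time."""
    return hmac.compare_digest(keyed_icv(key, payload, algo), icv)


def send_bare(payload: bytes, algo: str = "sha1") -> Tuple[bytes, bytes]:
    return payload, bare_digest(payload, algo)


def recv_bare(payload: bytes, digest: bytes, algo: str = "sha1") -> bool:
    return hmac.compare_digest(bare_digest(payload, algo), digest)


def send_keyed(key: bytes, payload: bytes, algo: str = "sha1") -> Tuple[bytes, bytes]:
    return payload, keyed_icv(key, payload, algo)


def recv_keyed(key: bytes, payload: bytes, icv: bytes, algo: str = "sha1") -> bool:
    return verify_icv(key, payload, icv, algo)


def on_path_edit(payload: bytes) -> bytes:
    """The attacker's modification: redirect the transfer to another account."""
    return payload.replace(b"4711", b"9999", 1)


def attack_bare(payload: bytes, digest: bytes, algo: str = "sha1") -> Tuple[bytes, bytes]:
    """No key is involved, so the attacker simply recomputes the digest."""
    forged = on_path_edit(payload)
    return forged, bare_digest(forged, algo)


def attack_keyed(payload: bytes, icv: bytes) -> Tuple[bytes, bytes]:
    """Without the SA key the attacker cannot produce a matching ICV; the best
    it can do is alter the payload and leave the old ICV in place."""
    return on_path_edit(payload), icv


def flip_bit(data: bytes, bit: int) -> bytes:
    """Accidental corruption of a single bit in transit."""
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


# Constructed sample: one payload and a shared (assumed) authentication key.
SA_AUTH_KEY = bytes.fromhex("6b2d5e31d3c6f3e8a76a3aae4f0c3e5e0d2b6a4f")
ORIGINAL = b"TRANSFER 100.00 TO ACCOUNT 4711"

if __name__ == "__main__":
    print("bare digest, honest delivery accepted:", recv_bare(*send_bare(ORIGINAL)))
    print("bare digest, forgery accepted:       ", recv_bare(*attack_bare(*send_bare(ORIGINAL))))
    print("keyed ICV, honest delivery accepted: ",
          recv_keyed(SA_AUTH_KEY, *send_keyed(SA_AUTH_KEY, ORIGINAL)))
    print("keyed ICV, forgery accepted:         ",
          recv_keyed(SA_AUTH_KEY, *attack_keyed(*send_keyed(SA_AUTH_KEY, ORIGINAL))))
    print("keyed ICV, bit-flip accepted:        ",
          recv_keyed(SA_AUTH_KEY, flip_bit(ORIGINAL, 5), keyed_icv(SA_AUTH_KEY, ORIGINAL)))
```

The MD5 versus SHA1 choice only changes the `algo` argument; what makes the check meaningful against an attacker rather than against line noise is the key, which is why the preference is a choice of HMAC hash rather than a choice between a digest and nothing.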
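To make the Data compression preference discussion concrete, here is an added Python example (not from the guide) that measures zlib, a DEFLATE implementation of the duplicate-pattern compression described above, on three constructed inputs: repetitive text, already-random bytes, and the same text after a stand-in "encryption". The stand-in is an XOR with a seeded pseudo-random keystream, assumed here only to produce pattern-free bytes deterministically; a real cipher's output is at least as patternless. It shows both the overhead on incompressible data and why compression has to precede encryption.

```python
# Added example, not from the Symantec guide. Measures DEFLATE (zlib) on
# constructed inputs to show the two effects in the text: incompressible data
# grows slightly, and ciphertext does not compress. pseudo_encrypt is NOT a
# cipher, just a deterministic way to get pattern-free bytes.
import random
import zlib
from typing import Dict


def compressed_size(data: bytes) -> int:
    return len(zlib.compress(data))


def ratio(data: bytes) -> float:
    """Compressed size / original size; above 1.0 means compression made it bigger."""
    return compressed_size(data) / len(data)


def random_bytes(n: int, seed: int) -> bytes:
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def pseudo_encrypt(data: bytes, seed: int) -> bytes:
    """Stand-in for encryption: XOR with a seeded keystream (assumption for the
    example; insecure). Applying it twice with the same seed restores the data."""
    rng = random.Random(seed)
    return bytes(b ^ rng.getrandbits(8) for b in data)


def compress_then_encrypt(data: bytes, seed: int = 42) -> bytes:
    """The order a VPN uses: squeeze out duplicate patterns, then encrypt."""
    return pseudo_encrypt(zlib.compress(data), seed)


def encrypt_then_compress(data: bytes, seed: int = 42) -> bytes:
    """The wrong order: the encrypted bytes have no patterns left to exploit."""
    return zlib.compress(pseudo_encrypt(data, seed))


def report(data: bytes) -> Dict[str, int]:
    """Byte counts for each pipeline on the given payload."""
    return {
        "original": len(data),
        "compressed": compressed_size(data),
        "compress_then_encrypt": len(compress_then_encrypt(data)),
        "encrypt_then_compress": len(encrypt_then_compress(data)),
    }


# Constructed sample payloads: a highly repetitive text and random noise of equal length.
REPETITIVE = b"the quick brown fox jumps over the lazy dog; the dog sleeps on. " * 64
RANDOM = random_bytes(len(REPETITIVE), seed=7)

if __name__ == "__main__":
    for name, payload in (("repetitive text", REPETITIVE), ("random bytes", RANDOM)):
        print(name, report(payload), "ratio=%.3f" % ratio(payload))
```

Run it and compare the two rows: the repetitive text shrinks to a small fraction of its size when compressed first, the random bytes come out a few bytes larger than they went in, and the text that was "encrypted" first behaves like the random bytes. On a gateway this is the difference between the compression preference saving bandwidth and it costing a little on every packet.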
