Virtual private network using L2TP/IPSec

Before we look at the tunneling protocols, we need to learn a little about encryption. Encryption is the process of taking data in plaintext format and transforming it into ciphertext, a format that makes it unreadable. Encryption is covered in depth later in this book; the two main types are:

  • Asymmetric encryption: Certificates are used for encryption, and it uses two keys: a private key and a public key. The public key is used for encrypting data and the private key for decrypting it.
  • Symmetric encryption: Uses only one key, called either the private key or the shared key, for both encrypting and decrypting data. Having only one key makes it much quicker to encrypt and decrypt large amounts of data; the downside is that it is less secure than asymmetric encryption, because if someone obtains the private/shared key, they can both encrypt and decrypt the data. When we use symmetric encryption, we tend to first create a secure tunnel using an asymmetric technique called Diffie-Hellman, and only then send the symmetrically encrypted data across the network or internet.
  • Key length: Certificate keys are measured in units called bits. The fewer the bits, the faster it is to encrypt and decrypt; a higher number of bits is slower to encrypt and decrypt but more secure. Typically, we don't use asymmetric keys smaller than 4,096 bits.
Exam tip:
Symmetric encryption is used to encrypt and decrypt large amounts of data as it uses only one key, making it faster than asymmetric, which uses two keys.

A VPN creates a tunnel across the internet, normally from home or a remote site to your workplace. Here we look at the L2TP/IPSec tunnel, which works at Layer 2 of the OSI Reference Model, with IPSec used to encrypt the data. An IPSec packet is formed of two different portions:

  • AH: Consists of either the SHA-1 (160 bits) or MD5 (128 bits) hashing protocol, which ensures that the packet header has not been tampered with in transit.
  • ESP: Uses either DES (64 bits), 3DES (168 bits), or AES (256 bits); these are all symmetric encryption protocols, which means that they can transfer data much faster.
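The two ideas above, an asymmetric Diffie-Hellman exchange that gives both peers one shared symmetric key and an AH-style HMAC-SHA1 integrity check over the packet header, as an added stand-alone example (not code from this book or from any IPSec implementation). The group parameters, packet bytes and function names are constructed for illustration; the prime is a small toy group, whereas real IKE negotiates large MODP groups (RFC 3526).

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for illustration only: the Mersenne prime
# 2**127 - 1 with generator 5. Real IPSec/IKE uses the RFC 3526 MODP groups.
P = 2**127 - 1
G = 5

def dh_keypair():
    """Asymmetric half: a random private exponent and its public value."""
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)

def dh_shared_key(priv, peer_pub):
    """Each peer raises the other's public value to its own private exponent;
    both get the same secret, which is hashed into one 256-bit symmetric key."""
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()

def ah_protect(key, header, payload):
    """AH-style integrity check value: HMAC-SHA1 (160 bits) over header + payload."""
    return hmac.new(key, header + payload, hashlib.sha1).digest()

def ah_verify(key, header, payload, icv):
    """Constant-time comparison so a bit-flipped header is rejected."""
    return hmac.compare_digest(ah_protect(key, header, payload), icv)

def tunnel_demo(tampered=False):
    """Run the exchange: DH agreement, then an integrity-protected packet.
    Returns (keys_match, packet_accepted_by_receiver)."""
    a_priv, a_pub = dh_keypair()          # side A (e.g. the home user)
    b_priv, b_pub = dh_keypair()          # side B (e.g. the work gateway)
    key_a = dh_shared_key(a_priv, b_pub)  # each side only ever sends its public value
    key_b = dh_shared_key(b_priv, a_pub)
    header = b"\x45\x00\x00\x3c"          # constructed sample IP header bytes
    payload = b"constructed tunnel payload"
    icv = ah_protect(key_a, header, payload)
    if tampered:                          # simulate an in-transit change to the header
        header = b"\x45\x00\x00\x3d"
    return key_a == key_b, ah_verify(key_b, header, payload, icv)
```

Real IPSec truncates the HMAC-SHA1 tag to 96 bits (RFC 2404) and runs the key agreement inside IKE rather than as the bare exchange shown here.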