Other Encryption Schemes

Many encryption schemes fit neatly into the symmetric or asymmetric categories, but a few fall outside them. For example, steganography can be used to manipulate files and embed detailed messages within them. However, steganography merely hides the data within the file; it doesn't use a key and, strictly speaking, isn't encryption at all, which is why the hidden message is often encrypted separately before it is embedded. IPsec is another scheme that doesn't fit neatly into the symmetric and asymmetric categories: it is a protocol suite rather than a single algorithm, and it can use both kinds of cryptography. It is nevertheless important in the context of cryptography.

Steganography

Steganography is the practice of hiding data within data, or hiding data in plain sight. For example, a check can have a watermark embedded within it; someone who knows what to look for can read additional information from the watermark that wouldn't be apparent to anyone unaware of it.

It's possible to get much fancier with steganography, though. Some programs modify the least significant bit of individual bytes within a file. For example, consider the byte represented in Table 14-1. The value of the byte is 255 (eight 1s), but if you flip the least significant bit (the 2^0 position), the new value is 254. If this byte represents the intensity of one color channel in an image or one sample in a sound file, the change from 255 to 254 is so slight as to be imperceptible.

Table 14-1 Modifying the Least Significant Bit

Bit position   2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0   Value
Original        1    1    1    1    1    1    1    1     255
Modified        1    1    1    1    1    1    1    0     254

If someone modified the last bit of each byte in a 1MB file, he or she could embed a message in those one million bits, roughly 125,000 bytes of hidden text. Even though the changes are not distinguishable to most users, someone who knows what to look for can read the message. For example, someone in one country can post a picture with an embedded message on a website, and someone in another country can retrieve the picture and read the message. Two caveats apply: the message survives only lossless handling, since saving the picture in a lossy format such as JPEG re-quantizes the pixel values and destroys the low-order bits, and statistical steganalysis can often detect LSB embedding even when the eye cannot.
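The least-significant-bit technique described above, carried through as an added example (not code from the book): the message is written into the LSB of successive cover bytes behind a 4-byte length prefix, read back, and the per-byte change is measured. The cover data is a constructed gradient standing in for 8-bit pixel values, and the length-prefix framing is an assumption of this example, not part of any particular steganography tool.

```python
"""LSB steganography: embed a message in the least significant bit of each
cover byte, then extract it. Added example; COVER is constructed sample data."""


def embed(cover: bytes, message: bytes) -> bytes:
    """Return a copy of cover whose LSBs carry a 32-bit big-endian length
    prefix followed by the message bits (most significant bit first)."""
    payload = len(message).to_bytes(4, "big") + message
    needed = len(payload) * 8
    if needed > len(cover):
        raise ValueError(f"cover offers {len(cover)} bits, message needs {needed}")
    out = bytearray(cover)
    for i in range(needed):
        bit = (payload[i // 8] >> (7 - i % 8)) & 1
        out[i] = (out[i] & 0xFE) | bit  # clear the LSB, then set it to the message bit
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Recover the message by reading the LSB of each byte in order."""

    def read_bytes(start_bit: int, count: int) -> bytes:
        val = bytearray()
        for b in range(count):
            byte = 0
            for k in range(8):
                byte = (byte << 1) | (stego[start_bit + b * 8 + k] & 1)
            val.append(byte)
        return bytes(val)

    length = int.from_bytes(read_bytes(0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("length prefix exceeds cover size; not a valid stego payload")
    return read_bytes(32, length)


def max_byte_change(cover: bytes, stego: bytes) -> int:
    """Largest absolute change to any single cover byte (1 for LSB embedding)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def capacity_bytes(cover_len: int) -> int:
    """Message capacity in bytes for a cover of cover_len bytes, after the 4-byte prefix."""
    return max(0, cover_len // 8 - 4)


# Constructed cover: a smooth gradient standing in for 8-bit grayscale pixel values.
COVER = bytes((i * 7) % 256 for i in range(4096))
MESSAGE = b"meet at the usual place, 21:00"

if __name__ == "__main__":
    stego = embed(COVER, MESSAGE)
    print(extract(stego))
    print("max per-byte change:", max_byte_change(COVER, stego))
    print("capacity of a 1 MB cover (bytes):", capacity_bytes(1_000_000))
```

The capacity figure matches the text's arithmetic: a 1,000,000-byte cover yields 1,000,000 LSBs, i.e. 125,000 bytes of message less the 4-byte prefix. Any byte is altered by at most 1, which is why the change is invisible in an image but trivially counted by a tool that compares the LSB plane's statistics against those of an untouched image.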


EXAM TIP Steganography attempts to hide information by embedding it into a file such as a picture or a streamed audio or video file.


IPsec

Chapter 3 introduced Internet Protocol Security (IPsec) and explained how IPsec provides security for data traveling over a network. IPsec is actually a suite of protocols used together to increase the security of network communications. The core architecture is described in RFC 4301 (updated by RFC 6040, which covers ECN handling in tunnels); its two protocols are defined in RFC 4302 (AH) and RFC 4303 (ESP), and RFC 4309 specifies AES-CCM as an ESP cipher.


TIP Both IPv4 and IPv6 support IPsec. In IPv6 it is part of the base protocol (originally mandatory for all nodes, relaxed to recommended by RFC 6434), whereas in IPv4 it is an add-on, so there are compatibility problems in some situations. The classic one is Network Address Translation (NAT): AH authenticates the IP addresses, so any NAT rewrite invalidates the packet, and plain ESP carries no port numbers for a NAT device to track. ESP can traverse NAT when both peers use NAT Traversal (NAT-T), which wraps ESP in UDP on port 4500; AH cannot.


To mitigate sniffing attacks, you can use IPsec to encrypt the data before it goes on the wire. You can also use IPsec purely for authentication of both endpoints (without encryption) to reduce the risk of impersonation or replay attacks.

The two protocols within IPsec are Authentication Header (AH) and Encapsulating Security Payload (ESP). AH provides authentication and integrity, while ESP provides confidentiality, authentication, and integrity. You can use AH or ESP alone or both together. However, in most IPsec deployments ESP is configured to provide the same services as AH (with or without encryption, as desired), and AH alone is rarely used.

AH provides data origin authentication, assuring each system of the identity of the other party. It computes an integrity check value (a keyed hash such as HMAC-SHA1-96 or HMAC-SHA256-128) over the packet, including the fields of the IP header that don't change in transit, and the receiver recomputes it to verify integrity in addition to authentication. A sequence number in the AH header lets the receiver reject replayed packets. AH does not encrypt the data or provide confidentiality.

ESP encrypts the data within the packets to provide confidentiality. Although it is possible to configure ESP without integrity, this is not recommended: encryption without authentication leaves the ciphertext open to undetected modification. In practice, when you use ESP for encryption you also enable its integrity service (or use a combined-mode cipher such as AES-GCM), so you get the features AH provides: authentication, integrity, and anti-replay. One difference remains. ESP's integrity check covers only the ESP header and payload, not the outer IP header, which is precisely what lets ESP pass through NAT when AH cannot.
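The difference in what AH and ESP authenticate, and the NAT consequence noted in the TIP above, as an added example (not code from the book or from any IPsec implementation). It models, with the standard library only, which bytes of an IPv4 packet each protocol's integrity check value covers, then applies two in-flight changes (a router decrementing TTL, a NAT rewriting the source address) and re-verifies. ESP is shown with NULL encryption (RFC 2410), i.e. the authentication-only configuration mentioned above; the key, addresses and payload are constructed, and SA lookup, the replay window and key management are omitted.

```python
"""Scope of the AH and ESP integrity check values (added example, stdlib only).

Approximates the AH (RFC 4302) and ESP (RFC 4303) header layouts closely
enough to show what each ICV covers; it is not a wire-compatible IPsec stack."""
import hmac
import hashlib
import struct
import ipaddress

ICV_LEN = 12  # HMAC-SHA1-96 (RFC 2404): HMAC-SHA1 output truncated to 96 bits
AH_PROTO, ESP_PROTO, TCP_PROTO = 51, 50, 6
KEY = bytes(range(20))  # constructed 160-bit integrity key, illustration only


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal IPv4 header, no options. Checksum left 0: AH zeroes it before
    hashing and ESP never covers the IP header at all."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                       ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def zero_mutable(ip_hdr: bytes) -> bytes:
    """RFC 4302 3.3.3.1: AH zeroes fields routers legitimately change in flight
    (DSCP/ECN, flags + fragment offset, TTL, header checksum). The source and
    destination addresses are NOT mutable, which is why NAT breaks AH."""
    h = bytearray(ip_hdr)
    h[1] = 0; h[6:8] = b"\x00\x00"; h[8] = 0; h[10:12] = b"\x00\x00"
    return bytes(h)


def icv(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha1).digest()[:ICV_LEN]


# --- AH: ICV covers immutable IP header fields + AH header + payload ---
def ah_build(src: str, dst: str, spi: int, seq: int, payload: bytes) -> bytes:
    # next header, payload length (32-bit words minus 2), reserved, SPI, sequence
    ah_fixed = struct.pack("!BBHII", TCP_PROTO, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 12 + ICV_LEN + len(payload))
    tag = icv(zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload)
    return ip_hdr + ah_fixed + tag + payload


def ah_verify(pkt: bytes) -> bool:
    ip_hdr, ah_fixed = pkt[:20], pkt[20:32]
    tag, payload = pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    expected = icv(zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload)
    return hmac.compare_digest(tag, expected)


# --- ESP: ICV covers ESP header + payload + trailer only, never the IP header ---
def esp_build(src: str, dst: str, spi: int, seq: int, payload: bytes) -> bytes:
    pad_len = (-(len(payload) + 2)) % 4  # trailer must end on a 32-bit boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, TCP_PROTO])
    body = struct.pack("!II", spi, seq) + payload + trailer  # NULL cipher: plaintext as-is
    ip_hdr = ipv4_header(src, dst, ESP_PROTO, len(body) + ICV_LEN)
    return ip_hdr + body + icv(body)


def esp_verify(pkt: bytes) -> bool:
    body, tag = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(tag, icv(body))


def esp_payload(pkt: bytes) -> bytes:
    """Strip the ESP header and trailer, but only after the ICV checks out."""
    if not esp_verify(pkt):
        raise ValueError("ESP ICV mismatch")
    body = pkt[20:-ICV_LEN]
    pad_len = body[-2]
    return body[8:-(pad_len + 2)]


# --- things that happen to a packet in flight ---
def decrement_ttl(pkt: bytes) -> bytes:
    p = bytearray(pkt); p[8] -= 1; return bytes(p)


def nat_rewrite_src(pkt: bytes, new_src: str) -> bytes:
    p = bytearray(pkt); p[12:16] = ipaddress.IPv4Address(new_src).packed; return bytes(p)


PAYLOAD = b"constructed transport segment"  # stands in for a TCP segment

if __name__ == "__main__":
    ah = ah_build("10.0.0.5", "203.0.113.9", 0x100, 1, PAYLOAD)
    esp = esp_build("10.0.0.5", "203.0.113.9", 0x200, 1, PAYLOAD)
    print("AH  after a router hop:", ah_verify(decrement_ttl(ah)))
    print("AH  after NAT:         ", ah_verify(nat_rewrite_src(ah, "198.51.100.1")))
    print("ESP after NAT:         ", esp_verify(nat_rewrite_src(esp, "198.51.100.1")))
```

The TTL hop passes AH because TTL is one of the fields AH deliberately excludes; the NAT rewrite fails AH because the addresses are inside the hash, while ESP, whose ICV starts at the SPI, never notices the outer header changed. The same property cuts both ways: ESP cannot detect a spoofed outer source address on its own, which is one reason the two were originally specified as complementary.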

Chapter 4 presented IPsec as a tunneling protocol for VPNs. IPsec can be used with Layer 2 Tunneling Protocol (L2TP/IPsec) or by itself to create a secure connection between a VPN client and a VPN server. In either case IPsec runs in one of two modes: transport mode protects only the payload and keeps the original IP header (the mode L2TP/IPsec uses), while tunnel mode encapsulates the entire original packet inside a new IP packet, which is the mode VPN gateways use on their own.
