Operation Manual
Asymmetrical Encryption Techniques
44 NetWAYS/ISDN – 3 Remote Access with NetWAYS/ISDN
IKE Phase 2
The goal of IKE Phase 2 is to negotiate the SAs for the encryp-
tion of actual user data. This negotiation is itself encrypted
based on the SA that was negotiated in Phase 1. The follow-
ing parameters are negotiated:
the IPsec transport protocol (AH and/or ESP)
the encryption algorithm for user data transmitted over
the VPN connection (DES, AES, or 3DES, for example)
the hash algorithm used to ensure the integrity of the
user data
the IPsec operating mode (Tunnel or Transport Mode)
the lifetime of the SA
the random key material for the encryption and authen-
tication algorithms
Once IKE negotiation has been completed, secure IPsec com-
munication begins.
Asymmetrical Encryption Techniques
Asymmetric encryption methods use a key pair rather than a
single key. A key pair consists of one public and one private
key. Data encrypted with one of these keys can only be de-
crypted with the other. The advantage over symmetrical
encryption methods is that no secret key needs to be ex-
changed between the communicating parties.
A popular application using asymmetric encryption is PGP
(Pretty Good Privacy), which is frequently used for e-mail en-
cryption. The recipient's public key is accessible to anyone,
and so can be used by the sender to encrypt an e-mail mes-
sage. The result is an encrypted message that can only be
decrypted using the recipient's secret key.
It is also possible to use the secret key for encryption, so
that only the corresponding public key can be used for de-
cryption. This is the method used to create digital signa-
tures. A hash digest of the original message is encrypted by
the author using the secret key, and attached to the mes-
sage. The signature can then be decrypted by anyone using
netways-e.book Seite 44 Freitag, 28. November 2003 3:51 15