Manualshelf

User`s guide

ManualsBrandsEnterasys ManualsComputer equipmentANG-3000
261262263264265266267268269270
XSR Users Guide 233
Chapter 11 Describing Public-Key Infrastructure (PKI)
Configuring the Virtual Private Network
As a general rule, longer encryption keys are the strongest. The bit length of
the algorithm determines the amount of effort required to crack the system
using a brute force attack, where computers are combined to calculate all the
possible key permutations. The XSR offers several encryption schemes:
Data Encryption Standard (DES): a 20-year old, thoroughly tested system
that uses a complex symmetric algorithm, with a 56-bit key, although it
is considered less secure than recent systems.
Triple DES (3DES): uses three DES passes and an effective key length of
168 bits, thus strengthening security.
Diffie-Hellman: the first public-key cryptosystem, is used to generate
asymmetric (secret) keys, not encrypt and decrypt messages.
Advanced Encryption Standard (AES): the anticipated replacement for
DES, supports a 128-bit block cipher using a 128-, 192-, or 256-bit key.
RSA signatures: an asymmetric public-key cryptosystem used for
authentication by creating a digital signature.
Describing Public-Key Infrastructure (PKI)
PKI is a scalable platform for secure user authentication, data confidentiality,
integrity, and non-repudiation. PKI can be applied to allow users to use
insecure networks in a secure and private way. PKI relies on the use of public
key cryptography, digital certificates, and a public-private key pair.
Digital Signatures
Encryption and decryption address eavesdropping, one of the three Internet
security issues mentioned at the beginning of this chapter. But encryption and
decryption, by themselves, do not address tampering and impersonation.
Tamper detection and related authentication techniques rely on a
mathematical function called a one-way hash (also called a message digest). A
one-way hash is a number of fixed length with the following characteristics:
The hash value is unique for the hashed data. Any change in the data,
even deleting or altering a single character, results in a different value.
The content of the hashed data cannot, for all practical purposes, be
deduced from the hash - which is why it is called one-way.