VPN Acceleration Module Installation and Configuration
OL-3576-02
Chapter 1 Overview
Data Encryption Overview
This section describes data encryption, including the IPSec, IKE, and Certification Authority (CA)
interoperability features.
Note For additional information on these features, refer to the “IP Security and Encryption” chapter in the
Security Configuration Guide and Security Command Reference publications.
IPSec is a network-level open standards framework, developed by the Internet Engineering Task Force
(IETF), that provides secure transmission of sensitive information over unprotected networks such as the
Internet. IPSec includes data authentication, antireplay, and data confidentiality services.
Cisco follows these data encryption standards:
• IPSec—IPSec is an IP layer open standards framework that provides data confidentiality, data
integrity, and data authentication between participating peers. IKE handles negotiation of protocols
and algorithms based on local policy, and generates the encryption and authentication keys to be
used by IPSec. IPSec protects one or more data flows between a pair of hosts, between a pair of
security routers, or between a security router and a host.
• IKE—Internet Key Exchange (IKE) is a hybrid security protocol that implements Oakley and Skeme
key exchanges inside the Internet Security Association and Key Management Protocol (ISAKMP)
framework. IKE can be used with IPSec and other protocols. IKE authenticates the IPSec peers,
negotiates IPSec security associations, and establishes IPSec keys. IPSec can be configured with or
without IKE.
• CA—Certificate Authority (CA) interoperability supports the IPSec standard, using Simple
Certificate Enrollment Protocol (SCEP) and Certificate Enrollment Protocol (CEP). CEP permits
Cisco IOS devices and CAs to communicate so that your Cisco IOS device can obtain and use
digital certificates from the CA. IPSec can be configured with or without CA. The CA must be
properly configured to issue certificates. For more information, see the “Configuring Certification
Authority Interoperability” chapter of the Security Configuration Guide at
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7b2.html
The component technologies implemented for IPSec include:
• DES and Triple DES—The Data Encryption Standard (DES) and Triple DES (3DES) encrypt
packet data. Cisco IOS implements 3-key Triple DES and DES-CBC with Explicit IV. Cipher
Block Chaining (CBC) requires an initialization vector (IV) to start encryption. The IV is explicitly
carried in the IPSec packet.
• MD5 (HMAC variant)—MD5 is a hash algorithm. HMAC is a keyed hash variant used to
authenticate data.
• SHA (HMAC variant)—SHA is a hash algorithm. HMAC is a keyed hash variant used to
authenticate data.
• RSA signatures and RSA encrypted nonces—RSA is the public key cryptographic system developed
by Ron Rivest, Adi Shamir, and Leonard Adleman, hence the name RSA. RSA signatures provide
non-repudiation, while RSA encrypted nonces provide repudiation. For additional information, see
the Exporting and Importing RSA Keys feature module at:
http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1839/products_feature_guide09186a00801541cf.html
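The two services the list above leaves abstract, keyed-hash (HMAC) data authentication and the antireplay check, are shown together in the following added example. It is illustrative code written for this page, not Cisco IOS code or anything from the manual, and it assumes the common IPSec conventions of truncating the HMAC-MD5 or HMAC-SHA-1 output to a 96-bit integrity check value (RFC 2403 / RFC 2404) and a 64-packet sliding replay window (RFC 4303). The packet format, the key, and the payloads are constructed for the demonstration; the point is the order of checks a receiver performs: verify the keyed hash first, and only then let a packet advance the replay window.

```python
import hmac
import hashlib

# IPSec truncates the HMAC output to 96 bits for the ICV (RFC 2403 / RFC 2404).
ICV_LEN = 12

# Hash functions named in the manual: MD5 and SHA (SHA-1), both used as HMAC.
HASHES = {"md5": hashlib.md5, "sha": hashlib.sha1}


def compute_icv(key: bytes, data: bytes, alg: str = "sha") -> bytes:
    """Keyed hash (HMAC) over the authenticated data, truncated to 96 bits."""
    return hmac.new(key, data, HASHES[alg]).digest()[:ICV_LEN]


def verify_icv(key: bytes, data: bytes, icv: bytes, alg: str = "sha") -> bool:
    """Constant-time comparison so ICV checking does not leak timing information."""
    return hmac.compare_digest(compute_icv(key, data, alg), icv)


class ReplayWindow:
    """Sliding antireplay window over a monotonically increasing sequence number.

    bit i of the bitmap is set when sequence number (highest - i) has been accepted.
    """

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit 0 corresponds to self.highest

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:                      # sequence number 0 is never valid
            return False
        if seq > self.highest:            # newer than anything seen: slide the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:             # older than the window: reject as replay
            return False
        if self.bitmap & (1 << diff):     # already accepted once: duplicate
            return False
        self.bitmap |= (1 << diff)        # late but unseen: accept and record
        return True


def build_packet(key: bytes, seq: int, payload: bytes, alg: str = "sha") -> bytes:
    """Constructed packet layout: 4-byte sequence number, payload, 96-bit ICV."""
    body = seq.to_bytes(4, "big") + payload
    return body + compute_icv(key, body, alg)


def receive(key: bytes, window: ReplayWindow, packet: bytes, alg: str = "sha") -> str:
    """Receiver-side processing; returns a short verdict string."""
    if len(packet) < 4 + ICV_LEN:
        return "malformed"
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    # Integrity first: a packet with a bad ICV must not touch the replay window,
    # otherwise forged sequence numbers could push the window past valid traffic.
    if not verify_icv(key, body, icv, alg):
        return "bad_icv"
    seq = int.from_bytes(body[:4], "big")
    if not window.check_and_update(seq):
        return "replay"
    return "accepted"


if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed value, not a real SA key
    window = ReplayWindow()
    first = build_packet(key, 1, b"hello")
    print(receive(key, window, first))      # accepted
    print(receive(key, window, first))      # replay (same sequence number again)
    tampered = bytearray(build_packet(key, 2, b"world"))
    tampered[4] ^= 0x01                     # flip one payload bit
    print(receive(key, window, bytes(tampered)))  # bad_icv
```

The same receiver logic works unchanged with `alg="md5"`, which is the other HMAC variant the manual lists; only the underlying hash changes, the truncation and the window handling stay the same.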