Encryption
| Reference | Block Cipher mode |
|---|---|
Ciphers
| Ciphers by type of input data | Description | Example |
|---|---|---|
| Block Cipher | Break messages into fixed length blocks, and encrypt each block using the same key | (3)DES, AES/Rijndael, IDEA |
| Stream Cipher | Break message into fixed length blocks, but use a sequence of keys to encrypt the blocks | Vigenère cipher, RC4, SEAL |

| Stream Cipher | Description |
|---|---|
| Synchronous Stream Ciphers | generate the key stream from a source other than the message itself |
| Self-Synchronous Stream Ciphers | obtain the key from the message itself |

| Ciphers by type of key | Description | Example |
|---|---|---|
| symmetric key algorithms | the same key is used for encryption and decryption | DES, AES |
| asymmetric key algorithms | two different keys are used for encryption and decryption | RSA |

| Modes of Operation | Descriptions | Examples |
|---|---|---|
| Electronic Codebook Mode (ECB Mode) | | |
| Cipher-Block Chaining Mode (CBC Mode) | | |
| Counter Mode (CTR Mode) | | |
| Output Feedback Mode (OFB Mode) | | |

| Cryptographic hash functions |
| digital signatures |
| message authentication codes (MACs) |
IPSEC
IPsec uses two types of algorithms:
- authentication algorithms
- encryption algorithms
Authentication algorithms: use a shared key to verify the identity of the sending IPsec device. The IPsec protocol suite defines two authentication algorithms: MD5 and SHA-1. The Services Router uses HMAC variants of the MD5 and SHA-1 algorithms, which provide an additional level of hashing.
Encryption algorithms: use a shared key to encrypt and decrypt the data exchanged between the IPsec devices.
- DES, 3DES
- AES-CBC 128, 192, and 256
- AES-GCM 128, 192, and 256
Note: AES-GCM is both an integrity and encryption algorithm and is described in the Integrity algorithms section.
Authentication methods: Authentication methods define the way in which a computer or user can securely assert identity to a remote computer. The methods involve sharing credentials that can be cryptographically verified, proving that the sending computer or user is who it claims to be.
- Preshared key
- Kerberos V5
- Certificate
- NTLMv2
- Certificate with ECDSA P-256 and ECDSA P-384
Integrity algorithms: Data integrity algorithms help ensure that a network packet received from a remote computer was not modified in transit. The sending computer calculates a hash value from the data payload of the network packet. This hash is then cryptographically signed and attached to the network packet. The receiving computer performs the same calculation on the data payload of the packet and compares the result to the hash that was attached by the sender. If the hashes match, then the data is the same as it was transmitted and the receiving computer accepts the packet. If the hash values do not match, then the packet was altered between the source and the destination and the receiving computer drops the packet. Data integrity algorithms do not encrypt the data; encryption protocols must be used for that purpose.
- MD5
- SHA-1, SHA-256, and SHA-384
- AES-GMAC 128, 192, and 256
- AES-GCM 128, 192, and 256
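The send/verify/drop sequence described above, as an added example that is not part of the original page. It assumes HMAC-SHA-256 truncated to 128 bits as the keyed hash and a simplified packet layout (payload followed by the integrity value), not the real ESP/AH wire format; the key, payload and function names are constructed for illustration.

```python
import hashlib
import hmac

ICV_LEN = 16  # HMAC-SHA-256 truncated to 128 bits (HMAC-SHA-256-128, RFC 4868)


def compute_icv(key: bytes, payload: bytes) -> bytes:
    """Keyed hash (HMAC-SHA-256) over the payload, truncated to ICV_LEN bytes."""
    return hmac.new(key, payload, hashlib.sha256).digest()[:ICV_LEN]


def protect(key: bytes, payload: bytes) -> bytes:
    """Sender side: attach the integrity value to the (unencrypted) payload."""
    return payload + compute_icv(key, payload)


def receive(key: bytes, packet: bytes):
    """Receiver side: recompute and compare; return the payload, or None to drop."""
    if len(packet) < ICV_LEN:
        return None  # too short to carry an integrity value at all
    payload, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    # compare_digest runs in constant time, so timing does not reveal
    # how many leading bytes of a forged value were correct.
    if not hmac.compare_digest(icv, compute_icv(key, payload)):
        return None
    return payload


def demo() -> dict:
    key = b"constructed-shared-key-for-demo!"   # constructed sample key
    payload = b"transfer 100 to account 42"      # constructed sample payload
    packet = protect(key, payload)
    tampered = packet.replace(b"100", b"900")    # payload modified in transit
    return {
        "intact": receive(key, packet),
        "tampered": receive(key, tampered),
        "wrong_key": receive(b"some-other-key", packet),
        "truncated": receive(key, packet[:5]),
        # Integrity is not confidentiality: the payload is readable on the wire.
        "payload_visible": payload in packet,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```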
Common Terms
| DES | Data Encryption Standard |
| AES | Advanced Encryption Standard |
| plaintext | the original message |
| ciphertext | the coded message |
| cipher | algorithm for transforming plaintext to ciphertext |
| key | info used in cipher known only to sender/receiver |
| encipher (encrypt) | converting plaintext to ciphertext |
| decipher (decrypt) | recovering plaintext from ciphertext |
| cryptography | study of encryption principles/methods |
| cryptanalysis (codebreaking) | the study of principles/methods of deciphering ciphertext without knowing the key |
| cryptology | the field of both cryptography and cryptanalysis |
