Written by: Henry Fong (9712925)
Date: 26 March 2001
This report describes the technology aspects of a VPN (Virtual Private Network) implementation named PGPnet, developed by Network Associates Inc.[1] and included in the freely distributed PGP package[2]. The product is based on two major VPN technologies, IPSec and IETF IKE, both of which are briefly discussed in this report. What makes PGPnet unique is that public key encryption technology is integrated into the product. The report also investigates the benefits and drawbacks of using VPN products like PGPnet.
As more and more information is transmitted through the Internet, it is vital to have a way to protect it. A virtual private network (VPN) is a relatively new technology that makes this possible. According to Webopedia[3], “VPN uses encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.”
PGPnet is one implementation of VPN software. It integrates PGP technology into the product to raise its security level. The following sections discuss PGPnet in detail; first, some technical terms used throughout the document are defined.
- Security Association (SA) – Contains the information necessary for establishing a secure connection between two specific parties (a router, gateway, terminal, etc.), for example the type of encryption and the duration of the connection.
- Secure Host – A host running IPSec-compliant client software that supports peer-to-peer connections.
- Secure Gateway – A gateway running IPSec-compliant software that supports tunneling.
In this section, the underlying technologies used by PGPnet are briefly discussed. Each technology could be a report topic in itself, so the details are skipped; for more information, please refer to the given sources.
IPSec[5]
IPSec is an open standard developed by the Internet Engineering Task Force[6] to define a way to provide VPN-like services. IPSec operates at the network layer, protecting and authenticating IP packets between IPSec devices (e.g. hosts).
IPSec provides the following services (each of them optional):
- Data Confidentiality – The sender can encrypt packets before sending them to the receiver.
- Data Integrity – The receiver can authenticate incoming packets to ensure that the data has not been altered.
- Data Origin Authentication – The IPSec receiver can authenticate the source of the IPSec packets it receives. This service depends on the data integrity service.
- Anti-Replay – The IPSec receiver can detect and reject replayed packets.
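As an added illustration (example code written for this page, not code from PGPnet or Network Associates), the integrity, origin-authentication and anti-replay services above are modelled as the receiver-side check an IPSec SA performs on every packet: an HMAC-SHA1-96 integrity check value and a sliding sequence-number window. The key, window size and packet stream are constructed.

```python
import hmac
import hashlib

# Example code for this report (not part of PGPnet): the per-SA state an IPSec
# receiver keeps for the Data Integrity, Data Origin Authentication and Anti-Replay
# services, i.e. an HMAC-SHA1-96 integrity check value (RFC 2404) and a 32-packet
# sliding sequence-number window (RFC 2401). Key and packet stream are constructed.
WINDOW_SIZE = 32

class ReplayWindow:
    """Sliding window of seen sequence numbers; bit i set means (highest - i) was received."""
    def __init__(self, size=WINDOW_SIZE):
        # highest = newest accepted sequence number; it corresponds to bit 0 of bitmap
        self.size, self.highest, self.bitmap = size, 0, 0

    def check_and_update(self, seq):
        """Return True and record seq if it is new and inside the window, else False."""
        if seq == 0:
            return False                      # sequence number 0 is never valid
        if seq > self.highest:                # advances the window to the right
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:                 # older than the window: reject
            return False
        if self.bitmap & (1 << diff):         # already received: replay
            return False
        self.bitmap |= 1 << diff
        return True

def icv(key, seq, payload):
    """Integrity check value over sequence number + payload: HMAC-SHA1 truncated to 96 bits."""
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha1).digest()[:12]

def receive(window, key, seq, payload, tag):
    """Accept only if the ICV verifies and the sequence number is fresh. The ICV is
    checked first so that a forged packet can never advance or poison the window."""
    if not hmac.compare_digest(icv(key, seq, payload), tag):
        return False
    return window.check_and_update(seq)

def demo():
    """Constructed stream: in order, one replay, a jump, two stale, one late but new, one forged."""
    key, window, payload = b"constructed-sa-integrity-key", ReplayWindow(), b"payload"
    decisions = [receive(window, key, s, payload, icv(key, s, payload))
                 for s in (1, 2, 3, 2, 40, 3, 8, 9)]
    forged = receive(window, key, 41, payload, b"\x00" * 12)   # wrong ICV
    return decisions, forged
```

Packets 2 (replayed), 3 and 8 (both older than the 32-packet window after the jump to 40) are rejected, while 9 is accepted as late but unseen; the forged packet fails the ICV before the window is consulted.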
IPSec supports two transfer modes: transport mode and tunnel mode. In transport mode, the packets are encrypted before they are sent; the participating secure hosts share a single key for encryption/decryption. In tunnel mode, the packets are encrypted and encapsulated in another packet. To transfer data in tunnel mode, a secure gateway is required.
Although IPSec uses two different security protocols, Authentication Header (AH) and Encapsulating Security Payload (ESP), they are not discussed in this document because of their complexity.
Internet Key Exchange (IKE)[7]
IKE is a protocol that provides key exchange, key management and SA management mechanisms. IKE uses both ISAKMP[8] and the Oakley key exchange protocol[9]:
- ISAKMP defines the management of security associations and keys, and the payloads for exchanging key generation and authentication data.
- Oakley is used with ISAKMP to update the keying material for an SA.
IKE is used with IPSec to provide a complete set of services. When establishing a secure connection, it is necessary to exchange a secret key (if encryption is applied) between the two parties. Since the key should be known only by those two parties, a mechanism is needed to exchange it. PGPnet employs IKE for key exchange, as most VPN implementations do.
Since explaining IKE completely would involve a great deal more information, only one interesting topic is discussed in this section: Perfect Forward Secrecy (PFS).
PFS is the only configurable option related to IKE in PGPnet. PFS means that the compromise of a single key only permits access to the data protected by that key; in other words, no key should be generated from another key. This reduces the amount of information exposed when a key is compromised.
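To make the PFS property concrete, here is an added example (written for this page, not PGPnet's code) contrasting two ways of deriving the keys of successive SAs: from a long-term secret alone, and from a fresh Diffie-Hellman exchange per SA, which is what the PFS option adds in IKE. The DH group, long-term secret, nonces and captured transcript are all constructed; the tiny prime is for speed, not security.

```python
import hmac
import hashlib
import secrets

# Example code for this report (not PGPnet's): contrasts SA keys derived from a
# long-term secret alone with keys from a fresh Diffie-Hellman exchange per SA,
# which is what PFS adds in IKE. Toy DH group: P = 2^61 - 1 is prime but far too
# small for real use; IKE uses the Oakley MODP groups of RFC 2412. All secrets,
# nonces and the attacker's captured transcript below are constructed.
P = (1 << 61) - 1
G = 3

def kdf(secret, label):
    """Derive keying material from a secret and public context (HMAC-SHA256 as the PRF)."""
    return hmac.new(secret, label, hashlib.sha256).digest()

def sa_keys_without_pfs(long_term, nonces):
    """Every SA key is a function of the long-term secret and the public nonces only."""
    keys = [kdf(long_term, ni + nr) for ni, nr in nonces]
    transcript = [{"nonces": ni + nr, "dh": b""} for ni, nr in nonces]   # what is on the wire
    return keys, transcript

def sa_keys_with_pfs(long_term, nonces):
    """Each SA runs a fresh DH exchange; long_term only authenticates the public values.
    Returns the SA keys and the transcript an eavesdropper could capture."""
    keys, transcript = [], []
    for ni, nr in nonces:
        a, b = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1   # ephemeral
        pub_a, pub_b = pow(G, a, P), pow(G, b, P)
        shared = pow(pub_b, a, P)            # equals pow(pub_a, b, P) on the peer
        dh = pub_a.to_bytes(8, "big") + pub_b.to_bytes(8, "big")
        keys.append(kdf(shared.to_bytes(8, "big"), ni + nr))   # key comes from DH, not long_term
        transcript.append({"nonces": ni + nr, "dh": dh, "tag": kdf(long_term, ni + nr + dh)})
    return keys, transcript

def attacker_recovers(long_term, transcript):
    """Attacker who later learns long_term recomputes keys from the captured transcript.
    Without PFS this reproduces every SA key. With PFS the transcript holds only
    g^a and g^b; without an ephemeral exponent no derivation reaches g^ab."""
    return [kdf(long_term, t["nonces"] + t["dh"]) for t in transcript]

def demo():
    """Constructed secrets and nonces; returns whether the attacker recovers the keys in each mode."""
    long_term = b"constructed-long-term-secret"
    nonces = [(b"nonce-i-1", b"nonce-r-1"), (b"nonce-i-2", b"nonce-r-2")]
    k0, t0 = sa_keys_without_pfs(long_term, nonces)
    k1, t1 = sa_keys_with_pfs(long_term, nonces)
    return attacker_recovers(long_term, t0) == k0, attacker_recovers(long_term, t1) == k1
```

With PFS, two SAs negotiated with identical nonces still end up with different keys, because each one rests on its own ephemeral exponents rather than on a key derived from the previous one.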
PGPnet’s advantage over other VPN products: PGP extension
PGPnet is a unique VPN software because it has a PGP extension, meaning that PGP encryption is supported. The extension introduces the following advantages:
- Easy Key Exchange – Instead of exchanging a secret key, a public key is exchanged when establishing the connection. This eliminates the problem of the secret key being compromised during key exchange.
- Easier Key Management – Since the key pair used for establishing the secure connection can be reused for other purposes (e.g. email, ssh), the VPN client does not have to manage different keys for different connections.
Nevertheless, using PGP in PGPnet also introduces some general PGP problems:
- Ambiguous Identity – It is difficult to tell whether the named key holder is really the person you want to communicate with.
- Overhead – Encryption and decryption take more time with PGP.
Other aspects of PGPnet
Currently PGPnet is only distributed with the Windows version of the PGP distribution (ver. 6.5.8+). This restriction greatly reduces the usability of PGPnet, since many gateways do not run a Windows operating system, which reduces the possibility of using tunnel mode (which is superior to transport mode). Moreover, most IPSec-compliant routers do not support PGP encryption, which limits the popularity of PGPnet.
On the other hand, although the interface is user-friendly, PGPnet is not easy to set up and use. The user is assumed to have basic knowledge of PGP tools and VPNs, but this is actually the case for most VPN software. It is reasonable for a system administrator to use PGPnet, though.
Conclusion
In conclusion, PGPnet is a great VPN software for a small network using Windows. PGPnet is free for non-commercial use, which makes it a good choice for home networking where security is a concern. Although it is not for novice users, its user interface is the best among the same class of products. It supports the most common encryption algorithms on top of widely used base technologies (IPSec, IKE). It is doubtlessly a good choice to use PGPnet on a company subnet as a first step toward implementing VPNs on corporate networks.
[1] Network Associates Inc. is a company specializing in the development of anti-virus and network security software (http://www.nai.com)
[2] http://web.mit.edu/network/pgp.html
[3] http://www.webopedia.com/
[4] PGP Freeware User Guide version 6.5
[5] Kent, Atkinson, RFC 2401, http://www.ietf.org/rfc/rfc2401.txt; Mitul Tiwari, IP Based Virtual Private Network, http://www.cse.iitb.ernet.in:8000/proxy/everest/~mits/report/report.html
[6] The Internet Engineering Task Force is a self-organized group of people who make technical and other contributions to the Internet and its technologies (http://www.ietf.org)
[7] Mitul Tiwari, IP Based Virtual Private Network, http://www.cse.iitb.ernet.in:8000/proxy/everest/~mits/report/report.html; Harkins, Carrel, RFC 2409, http://www.ietf.org/rfc/rfc2409.txt
[8] Maughan, Schertler, Schneider, Turner, Internet Security Association and Key Management Protocol - RFC 2408, http://www.faqs.org/rfcs/rfc2408.html
[9] H. Orman, RFC 2412, http://www.faqs.org/rfcs/rfc2412.html